Self-Hosting Guide

Deploy BastionAuth to your own infrastructure for complete data sovereignty.

Deployment Options

  • Docker Compose - Simplest setup for single-server deployments
  • Kubernetes - For scalable, production deployments
  • Cloud Platforms - Railway, Render, Fly.io, etc.

Prerequisites

  • A server with Docker installed
  • Domain name (recommended)
  • SSL certificate (required for production)
  • PostgreSQL 15+ database
  • Redis 7+ instance

Docker Compose Deployment

1. Prepare Environment

Contact support@bastionauth.dev to get access to the self-hosted deployment package.

Once you have the package:

cd bastionauth
cp env.example .env.production

2. Configure Environment

Edit .env.production:

# Application
NODE_ENV=production
API_URL=https://auth-api.yourdomain.com
APP_URL=https://app.yourdomain.com

# Database
DATABASE_URL=postgresql://user:password@db:5432/bastionauth

# Redis
REDIS_URL=redis://redis:6379

# Security
JWT_PRIVATE_KEY_PATH=/app/keys/private.pem
JWT_PUBLIC_KEY_PATH=/app/keys/public.pem
ENCRYPTION_KEY=your-32-byte-hex-key

# Email
RESEND_API_KEY=re_production_key
FROM_EMAIL=noreply@yourdomain.com

# OAuth (configure each provider)
GOOGLE_CLIENT_ID=...
GOOGLE_CLIENT_SECRET=...

3. Generate Production Keys

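# Create the key directory if it does not exist yet
mkdir -p keys
# 4096-bit RSA key pair for signing and verifying JWTs
openssl genrsa -out keys/private.pem 4096
openssl rsa -in keys/private.pem -pubout -out keys/public.pem
# Private key: owner read/write only; public key: readable by all
chmod 600 keys/private.pem
chmod 644 keys/public.pem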

4. Deploy

docker-compose -f docker/docker-compose.prod.yml up -d
docker-compose -f docker/docker-compose.prod.yml exec api pnpm db:migrate:prod

Kubernetes Deployment

Helm Chart

helm repo add bastionauth https://charts.bastionauth.dev
helm install bastionauth bastionauth/bastionauth -f values.yaml

Sample values.yaml

api:
  replicas: 3
  resources:
    requests:
      memory: "256Mi"
      cpu: "200m"
    limits:
      memory: "512Mi"
      cpu: "500m"
 
database:
  external: true
  url: postgresql://user:pass@db.example.com:5432/bastionauth
 
redis:
  external: true
  url: redis://redis.example.com:6379
 
ingress:
  enabled: true
  hosts:
    - auth-api.yourdomain.com
  tls:
    - secretName: bastionauth-tls
      hosts:
        - auth-api.yourdomain.com

Security Checklist

  • HTTPS enabled with valid SSL certificate
  • Strong database passwords
  • Encrypted database connections
  • JWT private key secured (600 permissions)
  • Rate limiting configured
  • Firewall rules in place
  • Regular backups configured
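
The file-level items on this checklist (HTTPS URLs, encrypted database connections, a real encryption key, 600 permissions on the JWT private key) can be checked before running the deploy step. The script below is an added example, not part of the BastionAuth package; the function names are hypothetical, and it assumes ENCRYPTION_KEY is 64 hex characters and that the database driver honours the libpq `sslmode` URL parameter.

```shell
#!/bin/sh
# Added example: pre-deploy lint for .env.production and the JWT private key.
# Assumptions (not from the BastionAuth docs): ENCRYPTION_KEY is 64 hex
# characters, and the database driver honours libpq's sslmode URL parameter.
# Usage after sourcing: check_deploy .env.production keys/private.pem

# Print the value of KEY from a KEY=VALUE env file (last assignment wins).
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_deploy ENV_FILE PRIVATE_KEY_FILE
# Prints one FAIL line per problem; the return status is the problem count.
check_deploy() {
  env_file=$1 key_file=$2 fails=0
  fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

  # Public endpoints must be served over HTTPS.
  for var in API_URL APP_URL; do
    case $(env_get "$env_file" "$var") in
      https://*) ;;
      *) fail "$var is not an https:// URL" ;;
    esac
  done

  # The database connection must request TLS.
  case $(env_get "$env_file" DATABASE_URL) in
    *sslmode=require*|*sslmode=verify-ca*|*sslmode=verify-full*) ;;
    *) fail "DATABASE_URL does not request TLS (sslmode=require or stricter)" ;;
  esac

  # Catches the placeholder from env.example being left in place.
  if ! env_get "$env_file" ENCRYPTION_KEY | grep -Eq '^[0-9A-Fa-f]{64}$'; then
    fail "ENCRYPTION_KEY is not 64 hex characters (placeholder left in?)"
  fi

  if [ ! -f "$key_file" ]; then
    fail "private key $key_file not found"
  elif [ "$(file_mode "$key_file")" != 600 ]; then
    fail "private key mode is $(file_mode "$key_file"), expected 600"
  fi

  return "$fails"
}
```

The key path argument is the file on the host (`keys/private.pem`), not the in-container path set in JWT_PRIVATE_KEY_PATH.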

Scaling

Horizontal Scaling

BastionAuth is stateless and scales horizontally:

services:
  api:
    deploy:
      replicas: 3

Connection Pooling

For high traffic, use PgBouncer:

DATABASE_URL=postgresql://user:pass@pgbouncer:6432/bastionauth

Redis Clustering

For high availability:

REDIS_URL=redis://redis-cluster:6379
REDIS_CLUSTER=true

Monitoring

Health Checks

curl https://auth-api.yourdomain.com/health

Prometheus Metrics

METRICS_ENABLED=true
METRICS_PORT=9090

Logging

LOG_LEVEL=info
LOG_FORMAT=json

Backup Strategy

Database

# Quote the URL so special characters in the password are not interpreted by the shell
pg_dump "$DATABASE_URL" | gzip > "backup_$(date +%Y%m%d).sql.gz"

Keys

Store key backups securely, separate from regular backups.