# Self-Hosting

> Deploy Syntropic137 on your own infrastructure — from bare metal to Kubernetes

## Deployment Architecture

Syntropic137 runs as a set of Docker services connected through a shared network:

## Quick Start with Docker Compose

```bash
npx @syntropic137/setup init
```

The setup wizard handles everything — Docker validation, secret generation, API key configuration, image pulls, and starting the stack. See [Getting Started](/docs/guide/getting-started) for the full walkthrough.

The dashboard will be available at `http://localhost:8137`.

## Services

| Service | Port | Description |
|---------|------|-------------|
| `api` | 8000 | FastAPI backend — REST API, SSE |
| `gateway` | 80 | nginx reverse proxy + React dashboard frontend |
| `event-store` | 50051 | gRPC event sourcing server |
| `event-collector` | 8080 | High-throughput event ingestion |
| `timescaledb` | 5432 | PostgreSQL + TimescaleDB for events and metrics |
| `redis` | 6379 | Caching, pub/sub, projection store |
| `minio` | 9000 | S3-compatible artifact storage |

## Workspace Isolation

Each agent execution runs in an isolated Docker workspace with a two-phase security model:

**Setup Phase** — Secrets are available briefly to configure credential helpers. Raw tokens are cleared before the agent starts.

**Agent Phase** — The agent runs with only `ANTHROPIC_API_KEY` in its environment. Git operations use cached credentials from the setup phase.

## Environment Variables

| Variable | Default | Description |
|----------|---------|-------------|
| `APP_ENVIRONMENT` | `development` | Environment mode (`development`, `production`) |
| `TIMESCALEDB_HOST` | `localhost` | TimescaleDB hostname |
| `TIMESCALEDB_PORT` | `5432` | TimescaleDB port |
| `REDIS_URL` | `redis://localhost:6379` | Redis connection URL |
| `MINIO_ENDPOINT` | `localhost:9000` | MinIO S3 endpoint |
| `MINIO_ACCESS_KEY` | — | MinIO access key |
| `MINIO_SECRET_KEY` | — | MinIO secret key |
| `GITHUB_APP_ID` | — | GitHub App ID for webhook triggers |
| `GITHUB_APP_PRIVATE_KEY` | — | GitHub App private key (PEM) |
| `ANTHROPIC_API_KEY` | — | API key for Claude agent execution |

## Scaling Options

### Single Server (Self-Host)

Recommended for **10–100 concurrent agents**:

- 4+ CPU cores, 8GB+ RAM (16GB recommended)
- 500GB NVMe storage
- Docker with workspace pooling (10–50 containers)

### Multi-Server

For **100–1,000 concurrent agents**, run multiple Syntropic137 instances behind a load balancer:

### Kubernetes

For **1,000+ concurrent agents** with auto-scaling:

- Use Kata Containers runtime for workspace isolation
- HPA with 70% CPU target, 3–20 replicas
- PersistentVolume for artifact storage

## Tunnels (Optional)

For secure external access and GitHub Actions webhook delivery, set up a tunnel. Syntropic137 includes built-in Cloudflare Tunnel support via a Docker Compose profile. See the [Tunnels guide](/docs/guide/tunnels) for setup instructions.

## Secrets

Infrastructure secrets (database, Redis, MinIO) are stored as `chmod 600` files and mounted via Docker Compose's secrets mechanism — never baked into image layers. Application-level API keys (e.g. `ANTHROPIC_API_KEY`) are supplied via environment variables. See [Secrets Management](/docs/guide/secrets) for details on how secrets work and optional 1Password integration.
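
The `chmod 600` rule above and the agent-phase environment rule under Workspace Isolation can both be checked from the host. The audit below is an added example, not Syntropic137 code; the secret-name fragments, the `SETUP_GIT_TOKEN` variable and the sample environment are assumptions constructed for illustration.

```python
import stat
import sys
from pathlib import Path

# Secret-bearing variables from this page's Environment Variables table.
SETUP_ONLY = {"MINIO_ACCESS_KEY", "MINIO_SECRET_KEY", "GITHUB_APP_PRIVATE_KEY"}
AGENT_ALLOWED = {"ANTHROPIC_API_KEY"}  # the only secret the agent phase keeps
# Assumption: name fragments that mark other variables as secret-looking.
HINTS = ("TOKEN", "SECRET", "PASSWORD", "PRIVATE_KEY", "API_KEY", "ACCESS_KEY")

# Constructed sample of an agent process environment (NUL-separated, as in
# /proc/<pid>/environ). SETUP_GIT_TOKEN is a hypothetical variable name.
SAMPLE_AGENT_ENVIRON = (
    b"PATH=/usr/bin\0HOME=/workspace\0ANTHROPIC_API_KEY=sk-constructed\0"
    b"MINIO_SECRET_KEY=constructed\0SETUP_GIT_TOKEN=constructed\0"
)


def loose_secret_files(secrets_dir):
    """Return {path: octal mode} for regular files whose mode is not 0600."""
    findings = {}
    for path in sorted(Path(secrets_dir).rglob("*")):
        st = path.lstat()  # lstat: do not follow symlinks out of the directory
        if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) != 0o600:
            findings[str(path)] = oct(stat.S_IMODE(st.st_mode))
    return findings


def parse_environ(raw):
    """Parse NUL-separated KEY=VALUE bytes into a dict of strings."""
    env = {}
    for item in raw.split(b"\0"):
        name, sep, value = item.partition(b"=")
        if sep:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env


def leaked_agent_secrets(env):
    """Return sorted names of non-empty secret-looking variables, minus the allowed one."""
    return sorted(
        name for name, value in env.items()
        if value and name not in AGENT_ALLOWED
        and (name in SETUP_ONLY or any(h in name.upper() for h in HINTS))
    )


if __name__ == "__main__":
    print("agent env leaks:", leaked_agent_secrets(parse_environ(SAMPLE_AGENT_ENVIRON)))
    if len(sys.argv) > 1:  # path to the host secrets directory
        print("loose secret files:", loose_secret_files(sys.argv[1]))
```

Feed `parse_environ` the bytes of `/proc/<pid>/environ` for a running agent process, and pass the host directory holding the secret files as the first argument.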