Docker Compose
Deploy Rhesis on your own infrastructure with proper security, authentication, and production configuration.
Production Deployment
This guide is for production environments. For quick local testing, see the Quick Start guide.
Production Setup
The steps below are the recommended path for a production self-hosted deployment: you supply your own secrets, public URLs, and infrastructure, and run the stack directly with Docker Compose. (For a throwaway local instance, use the one-command Quick Start instead.)
Changing DB_ENCRYPTION_KEY on an existing deployment makes data already encrypted with the old
key (such as stored provider credentials) permanently undecryptable. Back it up and keep it stable.
The other three secrets can be rotated safely.
Access the applications
- Frontend: http://localhost:3000
- Backend API: http://localhost:8080/docs
This starts a self-contained stack with a built-in Postgres and Redis. From here you can customize the deployment — for example, pointing at an external database, setting your public URLs, or enabling OAuth and email — as described in Environment Configuration below.
Environment Configuration
This section covers the variables you need to set for a production deployment. For the complete list — every variable, its default, and whether it is required — see the Environment Variables reference.
Required secrets
Four secrets are required and have no safe default; the stack refuses to start if any is unset. Generate them as shown in Production Setup (step 3) and set them in .env.docker.
| Secret | Protects |
|---|---|
DB_ENCRYPTION_KEY | Sensitive database fields (such as stored provider credentials) at rest |
JWT_SECRET_KEY | Backend-issued JWTs |
NEXTAUTH_SECRET | NextAuth (frontend) sessions |
SESSION_SECRET_KEY | Backend session cookies |
Public URLs
Set FRONTEND_URL and API_BASE_URL to the public origins your users reach. When either starts with https://, the stack issues secure (HTTPS-only) cookies. FRONTEND_PORT and BACKEND_PORT are the host ports Docker publishes and are independent of these URLs — behind a reverse proxy the published port and the public URL usually differ.
Database
By default the stack runs a built-in postgres container. To use your own PostgreSQL instead, set the variables below and grant the role read/write privileges on the database.
The database name and user are fixed — some scripts reference them by name — so when you provision your own database you must create it with exactly these names:
| Variable | Value | Notes |
|---|---|---|
DB_NAME | rhesis-db (fixed) | Create your database with this exact name |
APP_DB_USER | rhesis-user (fixed) | Create the runtime role with this exact name |
APP_DB_PASS | your choice | Password for the runtime role |
DB_HOST, DB_PORT | your values | Where your database is reachable |
ADMIN_DB_USER, ADMIN_DB_PASS | optional | Separate migration role; falls back to the app role |
To use an external Redis, set BROKER_URL and CELERY_RESULT_BACKEND.
AI Models
Rhesis provides the models used for test generation, evaluation, multi-turn execution, and embeddings. By default the stack uses rhesis/rhesis-default for generation, evaluation, and execution, and rhesis/rhesis-embedding for embeddings. These models are hosted by Rhesis and require a RHESIS_API_KEY — without it, generation, execution, and Explorer embedding workflows will fail.
To run against your own model provider instead, see the Environment Variables reference.
Optional configuration
The variables above get a deployment running. Everything else is optional — see the Environment Variables reference for the details:
- Configure an OAuth provider (Google or GitHub) for social login — Authentication and OAuth
- Configure email (SMTP) for notifications and invitations — SMTP and email
- Configure object storage for files (GCS or S3) — Object storage
- Tune the Celery worker for throughput — Logging and tuning
Enterprise Features
Enterprise Edition features are discovered at runtime through GET /features; the frontend hides gated UI until a feature appears there. Without the Enterprise package, Rhesis runs in Community mode and all three are unavailable.
Two features need their own secret — set it in .env.docker (see Enterprise features for how to generate each). The feature stays disabled until its secret is present and valid.
| Feature | Feature name | Secret | Docs |
|---|---|---|---|
| Role-Based Access Control | rbac | — | Roles & Permissions |
| Single Sign-On | sso | SSO_ENCRYPTION_KEY | Single Sign-On |
| API Clients | api_clients | AUDIT_HASH_KEY | API Clients |
Keep SSO_ENCRYPTION_KEY stable once set — like DB_ENCRYPTION_KEY, changing it makes already-stored SSO credentials undecryptable.
Telemetry & Privacy
For self-hosted deployments: Telemetry is ENABLED by default (opt-out).
To opt-out, add to your .env.docker file:
Details of exactly what is and isn’t collected, and how the data is used, are in the Telemetry System Documentation.
Management Commands
Service Management
Monitoring and Logs
View logs:
Check service status:
Building and Updates
Rebuild services:
Backup and Recovery
Database Backup
Full System Backup
System Requirements
Production Environment
For production deployment with real users:
| Resource | Minimum | Recommended | High-Scale |
|---|---|---|---|
| RAM | 8 GB | 16 GB | 32 GB+ |
| Storage | 20 GB SSD | 50 GB SSD | 100 GB+ SSD |
| CPU | 4 cores | 8 cores | 16+ cores |
| Network | 50 Mbps | 100 Mbps | 1 Gbps+ |
Detailed Resource Breakdown
| Service | Production |
|---|---|
| PostgreSQL | ~1-2 GB |
| Redis | ~500 MB - 1 GB |
| Backend | ~500 MB - 1 GB |
| Worker | ~1-2 GB |
| Frontend | ~200-400 MB |
| Docker Overhead | ~500 MB - 1 GB |
| Total Estimated | ~3.7-7.1 GB |
| Component | Production |
|---|---|
| Application Code | ~2 GB |
| Database | ~5-50 GB+ |
| Docker Images | ~3-4 GB |
| Logs & Cache | ~2-10 GB |
| Working Space | ~3-5 GB |
| Total Estimated | ~15-75 GB+ |