Deployment
Rack Gateway can be deployed using Docker, Convox, or any container orchestration platform. This section covers deployment options, infrastructure setup, and production best practices.
Deployment Options
Architecture Overview
Deployment Model
Rack Gateway follows a single-tenant, per-rack deployment model:
| Aspect | Description |
|---|---|
| One gateway per rack | Each Convox rack has its own gateway instance |
| No multi-tenancy | Gateway manages exactly one rack |
| Shared database | Gateway uses its own PostgreSQL database |
| Private network | Recommended: Deploy behind Tailscale/VPN |
Prerequisites
Before deploying, ensure you have:
Required
- PostgreSQL 14+ - Database for users, tokens, audit logs
- Google Workspace - OAuth provider for authentication
- Domain name - For gateway API and web UI
Recommended
- Tailscale - Private network access
- Postmark - Email notifications
- Slack - Real-time notifications
- S3 bucket - WORM storage for audit anchoring
Quick Start Path
1. Set up infrastructure: Create PostgreSQL database and S3 bucket (if using audit anchoring).
2. Configure OAuth: Create Google OAuth client with correct redirect URIs.
3. Set environment variables: Configure all required environment variables for your deployment method.
4. Deploy: Choose Docker for testing, Convox for production.
5. Verify: Check health endpoints and log in to web UI.
6. Harden: Follow the production checklist for security hardening.
Environment Configuration
All deployments use the same environment variables. Key categories:
| Category | Variables | Purpose |
|---|---|---|
| Core | APP_SECRET_KEY, DOMAIN | Security and routing |
| OAuth | GOOGLE_CLIENT_*, GOOGLE_ALLOWED_DOMAIN | Authentication |
| Database | DATABASE_URL, DB_* | PostgreSQL connection |
| Rack | RACK_TOKEN, RACK_HOST | Convox connectivity |
| | POSTMARK_* | Email notifications |
| Audit | AUDIT_*, S3 settings | Audit log anchoring |
See Environment Variables for the complete reference.
Deployment Guides
By Platform
| Platform | Use Case | Guide |
|---|---|---|
| Docker | Development, testing | Docker Deployment |
| Convox | Production deployments | Convox Deployment |
| Kubernetes | Custom orchestration | Use Docker image directly |
By Security Level
| Level | Setup | When to Use |
|---|---|---|
| Standard | Public gateway + OAuth | Internal tools, low-risk |
| Private | Tailscale + OAuth | Sensitive infrastructure |
| Maximum | Private + MFA + Audit anchoring | Compliance requirements |
Infrastructure Components
Required
| Component | Purpose | Sizing |
|---|---|---|
| PostgreSQL | User data, audit logs | 10GB minimum, scale with logs |
| Gateway container | API server | 256MB RAM, 0.25 CPU minimum |
| Web container | Static SPA | 64MB RAM, minimal CPU |
Optional (Recommended)
| Component | Purpose | Guide |
|---|---|---|
| S3 WORM bucket | Audit anchoring | S3 WORM Storage |
| KMS key | Encryption at rest | AWS Infrastructure |
| Tailscale | Private networking | Private Network |
Production Readiness
Key production requirements:
- Strong APP_SECRET_KEY (256-bit random)
- HTTPS with valid certificates
- Database backups configured
- Audit log retention set (LOG_RETENTION_DAYS)
- Admin users configured
- MFA policies enforced
- Monitoring and alerting enabled
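A preflight check for the environment-related items in the list above, as an added example that is not Rack Gateway's own code. It assumes APP_SECRET_KEY is hex or base64 encoded, LOG_RETENTION_DAYS is a positive integer and DATABASE_URL is a postgres:// URI; `decode_key`, `preflight` and `new_secret_key` are hypothetical names.

```python
import base64
import binascii
import os
import secrets
from urllib.parse import urlparse

# Names that appear in full in the tables on this page (wildcards are skipped).
REQUIRED = ["APP_SECRET_KEY", "DOMAIN", "GOOGLE_ALLOWED_DOMAIN",
            "DATABASE_URL", "RACK_TOKEN", "RACK_HOST"]


def decode_key(value):
    """Decode a key as hex, else base64/base64url (assumed encodings)."""
    try:
        return bytes.fromhex(value)
    except ValueError:
        pass
    try:
        std = value.replace("-", "+").replace("_", "/")
        return base64.b64decode(std + "=" * (-len(std) % 4), validate=True)
    except (binascii.Error, ValueError):
        return b""  # undecodable: a passphrase, not random key material


def preflight(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = [f"{name} is not set" for name in REQUIRED if not env.get(name)]
    raw = decode_key(env.get("APP_SECRET_KEY", ""))
    if len(raw) * 8 < 256:
        findings.append("APP_SECRET_KEY decodes to fewer than 256 bits")
    elif len(set(raw)) < 8:
        findings.append("APP_SECRET_KEY is a repeated pattern, not random")
    days = env.get("LOG_RETENTION_DAYS", "")
    if not (days.isdecimal() and int(days) > 0):
        findings.append("LOG_RETENTION_DAYS is not a positive integer")
    scheme = urlparse(env.get("DATABASE_URL", "")).scheme
    if scheme not in ("postgres", "postgresql"):
        findings.append("DATABASE_URL is not a postgres:// URL")
    return findings


def new_secret_key():
    """256 bits from the OS CSPRNG, hex-encoded (64 characters)."""
    return secrets.token_hex(32)


if __name__ == "__main__":
    for finding in preflight(os.environ):
        print("FAIL:", finding)
```

Run it with the deployment's environment loaded before going live; no output means every check passed.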
Next Steps
- Docker Deployment - Quick start with Docker
- Convox Deployment - Production deployment
- Database Setup - PostgreSQL configuration
- Production Checklist - Go-live preparation