Self-Hosting Guide

Deploy the Datafuse platform entirely inside your own virtual private cloud (VPC) infrastructure.

For enterprise organizations requiring strict data compliance, SOC 2/HIPAA boundaries, and private network isolation, Datafuse offers a comprehensive Self-Hosted VPC Option.

This guide outlines how to deploy the FastAPI gateway services, OAuth proxies, and secure credential vaults completely within your own secure perimeter using Docker Compose or K3s.


VPC Deployment Architecture

A self-hosted deployment keeps all Datafuse platform services inside your private network, so that no sensitive API payloads, transaction data, or client keys route through third-party servers.

               ┌─────────────────────────────────────────────────┐
               │              YOUR PRIVATE VPC                   │
               │                                                 │
   LLM Client ─┼─> [ Private Load Balancer ]                     │
   (Vercel/    │            │                                    │
   Claude Code)│            ▼                                    │
               │   [ Datafuse Gateway API ] <──> [ Redis Cache ] │
               │            │                                    │
               │            ▼                                    │
               │   [ Encrypted PostgreSQL ]                      │
               └────────────┬────────────────────────────────────┘
                            │ (Secure Bound Outbound Requests)
               Slack / GitHub / Jira APIs

Docker Compose Setup

For quick local testing or single-instance cloud servers, deploy Datafuse using Docker Compose.

Create a docker-compose.yml file in your hosting environment:

version: '3.8'

services:
  datafuse-api:
    image: datafuse/platform-api:latest
    ports:
      - "8080:8080"
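    environment:
      - PORT=8080
      # Sample credentials: replace the password here and in the db service below.
      - DATABASE_URL=postgresql+asyncpg://postgres:secretpassword@db:5432/datafuse
      - REDIS_URL=redis://redis:6379/0
      # Placeholder: set your own secret; it encrypts access tokens in the credentials vault.
      - SECRET_KEY=your_global_encryption_secret_key_here
      - CORS_ORIGINS=http://localhost:3000,http://127.0.0.1:3000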
    depends_on:
      - db
      - redis

  db:
    image: postgres:15-alpine
    environment:
      - POSTGRES_USER=postgres
      # Sample password: must match the one in DATABASE_URL above.
      - POSTGRES_PASSWORD=secretpassword
      - POSTGRES_DB=datafuse
    volumes:
      - pgdata:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine
    volumes:
      - redisdata:/data

volumes:
  pgdata:
  redisdata:

Environment Configuration Variables

Ensure the following variables are configured in your container environments:

  • SECRET_KEY: A secure cryptographic key used to encrypt access tokens inside the credentials vault database (never rotate this key post-deployment without backup procedures).
  • DATABASE_URL: Connection string for your high-availability PostgreSQL instance. It must use the asyncpg Python database driver, as in the postgresql+asyncpg:// scheme shown above.
  • REDIS_URL: Caching and event broker address used for rate limiting and live log streaming.
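
A preflight check for the three variables above, added here as an example (it is not part of Datafuse). The 32-character minimum, the distinct-character heuristic and the names check_env, SAMPLE_VALUES and PAGE_SAMPLE_ENV are assumptions of this example; the values it rejects are the sample ones from the docker-compose.yml on this page.

```python
# Added example (not Datafuse code): preflight check for the variables listed above.
import os
import sys
from urllib.parse import urlsplit

# Sample values from the docker-compose.yml on this page; they must never reach production.
SAMPLE_VALUES = {"your_global_encryption_secret_key_here", "secretpassword"}
MIN_SECRET_LEN = 32  # assumption: the page states no minimum length

# The compose file's environment as written on this page, used as a failing input.
PAGE_SAMPLE_ENV = {
    "SECRET_KEY": "your_global_encryption_secret_key_here",
    "DATABASE_URL": "postgresql+asyncpg://postgres:secretpassword@db:5432/datafuse",
    "REDIS_URL": "redis://redis:6379/0",
}


def check_env(env):
    """Return a list of findings; an empty list means every check passed."""
    findings = []

    secret = env.get("SECRET_KEY", "")
    if secret in SAMPLE_VALUES or len(secret) < MIN_SECRET_LEN:
        findings.append(f"SECRET_KEY: sample value or shorter than {MIN_SECRET_LEN} chars")
    elif len(set(secret)) < 10:  # heuristic: heavily repeated characters are not random
        findings.append("SECRET_KEY: too few distinct characters")

    db = urlsplit(env.get("DATABASE_URL", ""))
    if db.scheme != "postgresql+asyncpg":
        findings.append("DATABASE_URL: scheme must be postgresql+asyncpg")
    if not db.password or db.password in SAMPLE_VALUES:
        findings.append("DATABASE_URL: missing or sample password")

    cache = urlsplit(env.get("REDIS_URL", ""))
    if cache.scheme not in ("redis", "rediss") or not cache.hostname:
        findings.append("REDIS_URL: expected redis:// or rediss:// with a host")

    return findings


if __name__ == "__main__":
    # Run with the same environment the datafuse-api container will receive.
    problems = check_env(os.environ)
    for problem in problems:
        print("FAIL", problem)
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any finding is reported, so it can gate a deployment step.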

Running the Containers

Start the services in detached (background) mode:

docker compose up -d

Verify that the platform health check reports success:

curl http://localhost:8080/health
# Response: {"status": "ok"}

Production Security Checklist

When deploying to a production enterprise VPC:

  1. Transport Encryption (HTTPS): Terminate TLS/SSL on your cloud load balancer (e.g. AWS ALB, Cloudflare, Nginx) so that payloads are encrypted in transit instead of travelling as raw HTTP.
  2. Database Backups: Schedule regular automated snapshots of your PostgreSQL vault to avoid loss of connected user accounts.
  3. Strict Security Groups: Restrict inbound security group rules so that they accept HTTP requests only from your internal AI agent runners or authorized edge networks.
  4. Zero-Retention Logging: Enable zero-retention logging configurations inside the FastAPI containers to prevent caching raw inputs on local storage nodes.