Self-hosted HASH

What it is

Self-hosting HASH involves running the same core technology as Local HASH, albeit set up on cloud infrastructure you operate, or servers on-prem, with production-grade configuration.

You can find this Docker Compose stack in our open-source HASH monorepo at infra/compose/.

In addition to the setup steps required for running HASH locally, at a minimum self-hosting HASH in a production environment requires setting up:

• A reverse proxy with TLS in front of the stack (Caddy, Traefik, Nginx). HASH's auth flow requires HTTPS in production mode.
• Persistent object storage for uploads. Use AWS S3, Cloudflare R2, Backblaze B2, or any S3-compatible service. The bundled MinIO is a development convenience.
• Real SMTP for verification, password-recovery and notification mail (SES, Mailgun, Postmark, …). The bundled MailSlurper only captures mail locally for inspection.
• Secrets for Kratos cookie/cipher, Hydra system secret, OAuth client credentials, and database passwords. The values shipped in the repo are dev sentinels and need to be replaced.
• Backups for Postgres and the upload store (not included in the default Docker Compose stack).

Beyond this, you'll need to think about scalability across nodes, inter-instance communication, and your deployment and upgrade strategies.

If you have questions or require help, we offer commercial support to organizations looking to self-host HASH via our HASH solutions practice. To learn more, contact us.