
Production deployments pull every service from pinned, registry-hosted images rather than building from source. The docker-compose.prod.yml file is structurally identical to docker-compose.test.yml, but it is intended for persistent, customer-facing infrastructure where image immutability, TLS enforcement, and secret hygiene are mandatory. Before you start, review the security callouts in this guide carefully.
Never reuse development credentials in production. Generate new values for FLEET_SERVER_PRIVATE_KEY, MYSQL_ROOT_PASSWORD, MYSQL_PASSWORD, and POSTGRES_PASSWORD before deploying.

Prerequisites

  • Docker 24.0 or later with the Compose v2 plugin
  • Access to the jjsotom2k4/ image registry
  • A valid VERSION tag for the release you are deploying
  • TLS certificate and private key for the Fleet server
  • A FleetDM license key (required for premium features)

Steps

1. Clone the repository

git clone https://github.com/Kevin2523/nextAuditAi.git
cd nextAuditAi

2. Copy and configure the production environment file

cp src/ai-sentinel/prod.env.example src/ai-sentinel/.env
Open src/ai-sentinel/.env and set the VERSION variable to the image tag you want to deploy. This value pins both jjsotom2k4/ollama-ai and jjsotom2k4/postgres-ai to the same release:
VERSION=1.2.0

3. Generate the Fleet server private key

Fleet requires a random base64-encoded 32-byte secret. Generate one and add it to .env:
openssl rand -base64 32
Store the output in a secrets manager (Vault, AWS Secrets Manager, etc.). Do not commit this value to version control.

4. Place TLS certificates for Fleet

Fleet’s Compose configuration mounts certificates from src/ai-sentinel/certs/. Place your CA-signed certificate and key there:
mkdir -p src/ai-sentinel/certs
cp /path/to/your/fleet.crt src/ai-sentinel/certs/fleet.crt
cp /path/to/your/fleet.key src/ai-sentinel/certs/fleet.key
Then set the corresponding environment variables in .env:
FLEET_SERVER_TLS=true
FLEET_SERVER_CERT=/fleet/fleet.crt
FLEET_SERVER_KEY=/fleet/fleet.key
The paths above (/fleet/fleet.crt, /fleet/fleet.key) are the container-internal paths defined in the Compose volume mount. Do not use the host paths here.

5. Set your Fleet license key

FLEET_LICENSE_KEY=your-fleet-license-key
The license key enables premium FleetDM features. Keep it confidential and rotate it if it is ever exposed.

6. Start the production stack

docker compose -f src/ai-sentinel/docker-compose.prod.yml up -d

7. Verify services are healthy

docker compose -f src/ai-sentinel/docker-compose.prod.yml ps
Wait for all services to reach running (healthy) status. Fleet, MySQL, and Redis have health checks configured with up to 12 retries each.
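The pre-flight checks that steps 2 to 5 imply can be automated before step 6 is run. The following POSIX shell script is an added example and is not part of the nextAuditAi repository: it reads src/ai-sentinel/.env, confirms that VERSION is set, that FLEET_SERVER_TLS is true, that the certificate paths are the container-internal /fleet/ paths rather than host paths, that FLEET_SERVER_PRIVATE_KEY has the shape of `openssl rand -base64 32` output, that the database and license secrets are not empty or placeholder values, and that both certificate files are present in src/ai-sentinel/certs/. It also includes a helper that polls the Fleet /healthz endpoint with certificate verification instead of `curl -k`. The function names (env_get, check_prod_env, wait_for_fleet), the script name preflight.sh, and the list of placeholder strings it rejects are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the nextAuditAi repository: pre-flight checks for
# src/ai-sentinel/.env and src/ai-sentinel/certs/ before running
#   docker compose -f src/ai-sentinel/docker-compose.prod.yml up -d
# Assumptions: .env holds plain KEY=value lines (optionally quoted), and the
# placeholder strings rejected below are this example's own guesses.

# env_get FILE KEY -> prints the value of KEY in FILE (last occurrence wins,
# surrounding quotes stripped, commented-out lines ignored)
env_get() {
    _val=""
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            "$2="*) _val="${_line#*=}" ;;
        esac
    done < "$1"
    _val="${_val#\"}"; _val="${_val%\"}"
    _val="${_val#\'}"; _val="${_val%\'}"
    printf '%s' "$_val"
}

# not_placeholder VALUE -> 0 unless VALUE is empty or an obvious placeholder
not_placeholder() {
    case "$1" in
        ""|changeme|password|secret|root|your-*) return 1 ;;
    esac
    return 0
}

# is_fleet_private_key VALUE -> 0 if VALUE has the shape of `openssl rand
# -base64 32` output: 44 base64 characters ending in a single '=' pad
is_fleet_private_key() {
    [ ${#1} -eq 44 ] || return 1
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;   # non-base64 character
        *==) return 1 ;;                  # 32 bytes pad to exactly one '='
        *=) return 0 ;;
    esac
    return 1
}

# is_container_path VALUE -> 0 if VALUE is under the /fleet/ mount point
# (the path inside the container), not a host path
is_container_path() {
    case "$1" in
        /fleet/*) return 0 ;;
    esac
    return 1
}

PROBLEMS=0
problem() { echo "FAIL: $1"; PROBLEMS=$((PROBLEMS + 1)); }

# check_prod_env ENV_FILE CERT_DIR -> prints one FAIL line per problem and
# returns the number of problems (0 means the stack is ready to start)
check_prod_env() {
    _env="$1"; _certs="$2"; PROBLEMS=0
    [ -f "$_env" ] || { problem "$_env not found (copy prod.env.example)"; return 1; }

    [ -n "$(env_get "$_env" VERSION)" ] || problem "VERSION is empty; set the release tag"
    [ "$(env_get "$_env" FLEET_SERVER_TLS)" = "true" ] || problem "FLEET_SERVER_TLS must be true"
    is_container_path "$(env_get "$_env" FLEET_SERVER_CERT)" \
        || problem "FLEET_SERVER_CERT must be a /fleet/ container path"
    is_container_path "$(env_get "$_env" FLEET_SERVER_KEY)" \
        || problem "FLEET_SERVER_KEY must be a /fleet/ container path"
    is_fleet_private_key "$(env_get "$_env" FLEET_SERVER_PRIVATE_KEY)" \
        || problem "FLEET_SERVER_PRIVATE_KEY is not a base64 32-byte secret"
    for _k in MYSQL_ROOT_PASSWORD MYSQL_PASSWORD POSTGRES_PASSWORD; do
        _v="$(env_get "$_env" "$_k")"
        not_placeholder "$_v" && [ ${#_v} -ge 16 ] \
            || problem "$_k is empty, a placeholder, or shorter than 16 characters"
    done
    not_placeholder "$(env_get "$_env" FLEET_LICENSE_KEY)" \
        || problem "FLEET_LICENSE_KEY is empty or a placeholder"
    [ -f "$_certs/fleet.crt" ] || problem "$_certs/fleet.crt is missing"
    [ -f "$_certs/fleet.key" ] || problem "$_certs/fleet.key is missing"
    return "$PROBLEMS"
}

# wait_for_fleet HOST PORT CA_FILE [RETRIES] -> 0 once https://HOST:PORT/healthz
# answers 200, 1 after RETRIES attempts (default 12, the Compose health-check
# retry count). The certificate is verified against CA_FILE instead of being
# skipped with curl -k, so HOST must match a name in the certificate's SAN;
# --resolve maps HOST to the local machine without touching DNS.
wait_for_fleet() {
    _host="$1"; _port="$2"; _ca="$3"; _tries="${4:-12}"
    while [ "$_tries" -gt 0 ]; do
        if curl -fsS --cacert "$_ca" --resolve "$_host:$_port:127.0.0.1" \
                "https://$_host:$_port/healthz" >/dev/null 2>&1; then
            echo "Fleet is healthy on https://$_host:$_port"; return 0
        fi
        _tries=$((_tries - 1)); sleep 5
    done
    echo "FAIL: Fleet did not answer /healthz"; return 1
}

# Usage: sh preflight.sh src/ai-sentinel/.env src/ai-sentinel/certs
if [ $# -gt 0 ]; then
    check_prod_env "$1" "${2:-src/ai-sentinel/certs}"
fi
```

Run it as `sh preflight.sh src/ai-sentinel/.env src/ai-sentinel/certs` from the repository root; a non-zero exit status is the number of problems found, so it can gate a deployment job. The key-shape check only confirms that the value looks like 32 random bytes in base64, not that it was generated freshly, which is why the page's rule of never reusing development credentials still has to be enforced by process.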

Key differences from development

| Aspect | Development | Production |
| --- | --- | --- |
| Ollama image | Built from ./ollama context | jjsotom2k4/ollama-ai:${VERSION} |
| PostgreSQL image | Built from ./postgres context | jjsotom2k4/postgres-ai:${VERSION} |
| VERSION variable | Not required | Required |
| TLS | Optional (self-signed acceptable) | Required (CA-signed certificate) |
| Secrets | Can use placeholder values | Must use strong, unique secrets |

Health check endpoints

All three stateful services expose health checks that Docker monitors automatically. You can also query Fleet directly:
# Fleet health endpoint (replace 8080 with your FLEET_SERVER_PORT)
curl -k https://localhost:8080/healthz
A healthy Fleet instance returns HTTP 200. MySQL and Redis health is checked internally by the Compose dependency chain before Fleet starts.

Production-specific environment variables

The following variables have particular security implications in production. See Environment variables reference for descriptions of every variable.
| Variable | Notes |
| --- | --- |
| VERSION | Required. Pins Ollama and PostgreSQL to a specific registry release. |
| FLEET_SERVER_TLS | Set to true. Disabling TLS in production exposes the Fleet API over plain HTTP. |
| FLEET_SERVER_CERT | Container path to the CA-signed TLS certificate. |
| FLEET_SERVER_KEY | Container path to the TLS private key. |
| FLEET_SERVER_PRIVATE_KEY | Generate with openssl rand -base64 32. Rotate on any suspected exposure. |
| FLEET_LICENSE_KEY | Your FleetDM license. Required for premium features. |
| FLEET_SESSION_DURATION | Controls how long authenticated sessions remain valid. |
| FLEET_VULNERABILITIES_PERIODICITY | How often Fleet scans for vulnerabilities in the enrolled fleet. |
