Skip to content

Run it yourself

Lex Custis is designed to run on any EU-sovereign host. The install.sh bootstrap handles software; this section covers provisioning.

What you need

  • A Linux VM with at least 8 GB RAM and 30 GB disk.
  • A public IP (for TLS later) or a tailscale/wireguard tunnel.
  • A DNS record pointing at the VM if you want TLS.

Recommended sizes:

Use case Recommended size EU hosts
Dev / single-tenant demo 4 vCPU / 8 GB / 40 GB SSD Hetzner CPX31, Scaleway DEV1-L, OVH B2-7
Small production (≤100 users) 4 vCPU / 16 GB / 80 GB NVMe Hetzner CCX13 (dedicated), Scaleway PLAY2-NANO, OVH B2-15
With Ollama self-hosted LLM 8 vCPU / 32 GB / 160 GB NVMe + GPU for 7B+ models Hetzner GPU line, Scaleway Render-S, OVH AI Training

Supported EU-sovereign hosts

  • Hetzner Cloud (Germany / Finland) — cheapest, solid.
  • Scaleway (Paris / Amsterdam / Warsaw) — the "sovereign AI" brand; pairs well with Mistral.
  • OVHcloud (France) — large EU footprint, less Terraform love.
  • IONOS (Germany) — part of the ionos-group, GDPR-friendly.
  • UpCloud (Finland) — fast NVMe, clean API.
  • Exoscale (Switzerland / Austria) — good for non-EU-but-EU-adjacent deployments.

All of the above can run the install.sh bootstrap end-to-end. The two walkthroughs below cover the two most common choices — Hetzner (commodity) and Scaleway (EU-sovereign brand fit).

Commercial one-click

Not in OSS v0.1

Tested public Terraform modules for one-click provisioning to Hetzner and Scaleway live in the commercial managed-infra repo. OSS self-hosters should expect to run the commodity VM install flow below. We're publishing OSS Terraform modules as v0.2.

TLS

For a production deploy you want HTTPS. Options:

  • Caddy + DNS-01 with Let's Encrypt (recommended). Caddy is already in the stack and auto-provisions certs if $DOMAIN is set in .env.
  • nginx + certbot — traditional, works fine.
  • Cloudflare in front — TLS termination at Cloudflare's edge, tunnel back to the origin.

Backups

You are responsible for backups in OSS v0.1. Commercial edition ships managed Postgres and Qdrant snapshots to object storage with 10-year retention.

Minimum viable backup strategy:

# Nightly Postgres dump
docker compose exec -T postgres pg_dump -U lexcustis lexcustis \
  | gzip > /srv/backups/pg_$(date +\%Y\%m\%d).sql.gz

# Nightly Qdrant snapshot
curl -X POST http://localhost:6333/collections/*/snapshots
# Copy backend/uploads/ and backend/reports/ too

Upload to an EU-region S3-compatible bucket (Scaleway Object Storage, Hetzner Storage Box, OVH Object Storage).

Do not back up the .env. Store it in a separate secret-manager (Bitwarden, 1Password, doppler). If it leaks, you lose the integrity claim on the HMAC chain.

Monitoring

OSS v0.1 has no built-in monitoring. Minimum:

  • docker compose ps on a cron to verify services are up.
  • UptimeRobot / StatusCake on https://<domain>/health.
  • Sentry if you want exception tracking (backend supports SENTRY_DSN but doesn't ship with one configured).

Commercial edition ships Prometheus + Grafana + Loki + Tempo + Alertmanager + PagerDuty + status page.