Self-hosted deployment

Deploy EvenTier on your own infrastructure with the Helm chart: PostgreSQL, secrets, SMTP, S3-compatible attachments, optional ClamAV scanning, and a bring-your-own AI provider.

Where: deploy/helm/eventier · values-self-hosted.yaml
Permission: Cluster admin (Kubernetes) · signed EvenTier license
Updated: July 2026

Before you start

  • You need: a Kubernetes cluster with Helm 3, PostgreSQL (EvenTier tests against Postgres 16 — or enable the chart's in-cluster instance for evaluation), an SMTP relay for outbound email, and the license from your EvenTier order.
  • Production deployments also want an S3-compatible bucket for attachments, and optionally a ClamAV service to scan uploads.
  • Generate six independent auth/encryption secrets before first boot — they're listed in the values reference below. Escrow SECRET_ENCRYPTION_KEY with your database backups: it encrypts stored integration credentials, and there is no recovery without it.
  • Decide your AI posture up front: pick a provider or set AI_DISABLED=true for airgap. Disabled means the provider is never initialized and no AI surface renders.

Step by step

  1. Prepare the database and secrets

     Provision PostgreSQL and generate the six secrets (`openssl rand -hex 32` each). Store copies in your secret manager — they go under `env.secretValues` in the next step.

  2. Configure your values file

     Start from deploy/helm/eventier/values-self-hosted.yaml and fill in the example below — your external URL, SMTP relay, secrets, and license key. FIPS-constrained environments start from values-fips.yaml instead.

  3. Install

     Run the install command below. The chart runs database migrations as a Kubernetes Job (`prisma migrate deploy`) before the app and worker deployments start. Watch the migration job and pod logs until ready, then sign in and create the first organization.

  4. Wire storage, scanning, and AI

     Switch attachments to S3 and set your AI posture using the values reference below. Each organization gets its own key prefix in the bucket automatically.

  5. Plan backups and upgrades

     Back up PostgreSQL (all product data lives there) and your attachment bucket on your normal schedule. Upgrades are `helm upgrade` with the new chart version — migrations run forward automatically; snapshot the database first.

Examples

Minimal values file

```yaml
app:
  edition: self-hosted
  url: https://eventier.internal.example.com

env:
  config:
    SMTP_HOST: smtp.internal.example.com
    SMTP_PORT: "587"
    SMTP_FROM: "EvenTier <no-reply@example.com>"
  secretValues:
    DATABASE_URL: postgresql://eventier:<password>@db.internal:5432/eventier
    NEXTAUTH_SECRET: "<openssl rand -hex 32>"
    ORG_AUTH_SECRET: "<openssl rand -hex 32>"
    PLATFORM_AUTH_SECRET: "<openssl rand -hex 32>"
    AUTH_SECURITY_SECRET: "<openssl rand -hex 32>"
    AUTH_MFA_SECRET: "<openssl rand -hex 32>"
    SECRET_ENCRYPTION_KEY: "<openssl rand -hex 32>"
    LICENSE_PUBLIC_KEY: |
      -----BEGIN PUBLIC KEY-----
      <from your EvenTier order>
      -----END PUBLIC KEY-----
```

Install and upgrade

```bash
helm install eventier deploy/helm/eventier -f my-values.yaml

# Later — snapshot the database first:
helm upgrade eventier deploy/helm/eventier -f my-values.yaml
```
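
One way to script step 1 and check the result before installing, as an added example that is not part of the EvenTier chart or its tooling. The function names and the `my-secrets.yaml` overlay file are hypothetical; the key names are the six listed in the values reference.

```bash
#!/usr/bin/env bash
# Added example (not EvenTier's own tooling): generate and pre-check the six secrets.
# Function names and the overlay file name are hypothetical.

# The six auth/encryption keys listed in the values reference.
SECRET_NAMES="NEXTAUTH_SECRET ORG_AUTH_SECRET PLATFORM_AUTH_SECRET
AUTH_SECURITY_SECRET AUTH_MFA_SECRET SECRET_ENCRYPTION_KEY"

# Write an env.secretValues overlay, owner-readable only. Never overwrite:
# replacing SECRET_ENCRYPTION_KEY makes stored credentials unrecoverable.
generate_secrets() {
  out="$1"
  if [ -e "$out" ]; then
    echo "refusing to overwrite existing $out" >&2
    return 1
  fi
  ( umask 077
    { printf 'env:\n  secretValues:\n'
      for name in $SECRET_NAMES; do
        printf '    %s: "%s"\n' "$name" "$(openssl rand -hex 32)"
      done
    } > "$out" )
}

# Succeed only if every key is present, is 64 lowercase hex characters
# (so template placeholders fail), and no value is shared between keys.
check_secrets() {
  file="$1"; seen=""
  for name in $SECRET_NAMES; do
    value=$(sed -n "s/^ *${name}: *\"\\(.*\\)\" *\$/\\1/p" "$file")
    if ! printf '%s\n' "$value" | grep -Eq '^[0-9a-f]{64}$'; then
      echo "FAIL: $name is missing, a placeholder, or not 32 hex-encoded bytes" >&2
      return 1
    fi
    case " $seen " in
      *" $value "*) echo "FAIL: $name reuses another key's value" >&2; return 1 ;;
    esac
    seen="$seen $value"
  done
}

# Usage: ./secrets.sh my-secrets.yaml, then pass it to Helm as a second values file:
#   helm install eventier deploy/helm/eventier -f my-values.yaml -f my-secrets.yaml
if [ "$#" -ge 1 ]; then
  generate_secrets "$1" && check_secrets "$1"
fi
```

Helm gives precedence to the right-most `-f` file, so the overlay's values replace the placeholders in `my-values.yaml`. Copy the generated file into your secret manager and escrow it alongside the database backups.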

Values reference

Secrets render into a Kubernetes Secret; config renders into the ConfigMap. app.* values are mapped to env vars by the chart.

| Key | Kind | Purpose |
| --- | --- | --- |
| app.url | Chart value | External URL — mapped to NEXTAUTH_URL and NEXT_PUBLIC_APP_URL |
| app.edition | Chart value | self-hosted — disables the SaaS operator console |
| env.secretValues.DATABASE_URL | Secret | PostgreSQL connection string |
| env.secretValues.NEXTAUTH_SECRET | Secret | Session token signing |
| env.secretValues.ORG_AUTH_SECRET | Secret | Org SSO token signing |
| env.secretValues.PLATFORM_AUTH_SECRET | Secret | Platform session signing |
| env.secretValues.AUTH_SECURITY_SECRET | Secret | Auth-hardening tokens |
| env.secretValues.AUTH_MFA_SECRET | Secret | MFA secret encryption |
| env.secretValues.SECRET_ENCRYPTION_KEY | Secret | Encrypts stored integration credentials — unrecoverable if lost |
| env.secretValues.LICENSE_PUBLIC_KEY | Secret | Verifies your signed license |
| env.config.SMTP_HOST · SMTP_PORT · SMTP_USER · SMTP_PASS · SMTP_FROM | Config | Outbound email relay |
| env.config.ATTACHMENT_STORAGE_DRIVER | Config | local (default) or s3 |
| env.config.ATTACHMENT_S3_ENDPOINT · _BUCKET · _REGION · access keys | Config | S3-compatible attachment store |
| env.config.CLAMAV_HOST · CLAMAV_PORT | Config | Optional upload scanning |
| env.config.ATTACHMENT_SCAN_REQUIRED | Config | true rejects unscanned uploads |
| env.config.AI_PROVIDER · AI_DISABLED | Config | anthropic · bedrock · openai_compatible — or AI_DISABLED=true for airgap |
| env.secretValues.SAML_SP_PRIVATE_KEY · SAML_SP_CERTIFICATE | Secret | Optional — signs SAML AuthnRequests (PEM) |

Good to know

  • SSO in self-hosted works the same as SaaS; to sign SAML AuthnRequests, mount SAML_SP_PRIVATE_KEY and SAML_SP_CERTIFICATE (PEM) as deployment-wide secrets.
  • The license is verified offline against LICENSE_PUBLIC_KEY with an offline grace period — an airgapped cluster does not need to phone home.
  • Keep a staging namespace on the same chart version and run upgrades there first; the migration set is identical.