Self-hosted deployment
Deploy EvenTier on your own infrastructure with the Helm chart: PostgreSQL, secrets, SMTP, S3-compatible attachments, optional ClamAV scanning, and a bring-your-own AI provider.
- Where: deploy/helm/eventier · values-self-hosted.yaml
- Permission: Cluster admin (Kubernetes) · signed EvenTier license
- Updated: July 2026
Before you start
- You need: a Kubernetes cluster with Helm 3, PostgreSQL (EvenTier tests against Postgres 16 — or enable the chart's in-cluster instance for evaluation), an SMTP relay for outbound email, and the license from your EvenTier order.
- Production deployments also want an S3-compatible bucket for attachments, and optionally a ClamAV service to scan uploads.
- Generate six independent auth/encryption secrets before first boot — they're listed in the values reference below. Escrow SECRET_ENCRYPTION_KEY with your database backups: it encrypts stored integration credentials, and there is no recovery without it.
- Decide your AI posture up front: pick a provider or set AI_DISABLED=true for airgap. Disabled means the provider is never initialized and no AI surface renders.
Step by step
1. Prepare the database and secrets. Provision PostgreSQL and generate the six secrets (`openssl rand -hex 32` each). Store copies in your secret manager — they go under `env.secretValues` in the next step.
2. Configure your values file. Start from deploy/helm/eventier/values-self-hosted.yaml and fill in the example below — your external URL, SMTP relay, secrets, and license key. FIPS-constrained environments start from values-fips.yaml instead.
3. Install. Run the install command below. The chart runs database migrations as a Kubernetes Job (`prisma migrate deploy`) before the app and worker deployments start. Watch the migration job and pod logs until ready, then sign in and create the first organization.
4. Wire storage, scanning, and AI. Switch attachments to S3 and set your AI posture using the values reference below. Each organization gets its own key prefix in the bucket automatically.
5. Plan backups and upgrades. Back up PostgreSQL (all product data lives there) and your attachment bucket on your normal schedule. Upgrades are `helm upgrade` with the new chart version — migrations run forward automatically; snapshot the database first.
Examples

Values file (my-values.yaml):

```yaml
app:
  edition: self-hosted
  url: https://eventier.internal.example.com
env:
  config:
    SMTP_HOST: smtp.internal.example.com
    SMTP_PORT: "587"
    SMTP_FROM: "EvenTier <no-reply@example.com>"
  secretValues:
    DATABASE_URL: postgresql://eventier:<password>@db.internal:5432/eventier
    NEXTAUTH_SECRET: "<openssl rand -hex 32>"
    ORG_AUTH_SECRET: "<openssl rand -hex 32>"
    PLATFORM_AUTH_SECRET: "<openssl rand -hex 32>"
    AUTH_SECURITY_SECRET: "<openssl rand -hex 32>"
    AUTH_MFA_SECRET: "<openssl rand -hex 32>"
    SECRET_ENCRYPTION_KEY: "<openssl rand -hex 32>"
    LICENSE_PUBLIC_KEY: |
      -----BEGIN PUBLIC KEY-----
      <from your EvenTier order>
      -----END PUBLIC KEY-----
```

Install, and later upgrade:

```sh
helm install eventier deploy/helm/eventier -f my-values.yaml
# Later — snapshot the database first:
helm upgrade eventier deploy/helm/eventier -f my-values.yaml
```

Values reference
Secrets render into a Kubernetes Secret; config renders into the ConfigMap. app.* values are mapped to env vars by the chart.
| Key | Kind | Purpose |
|---|---|---|
| app.url | Chart value | External URL — mapped to NEXTAUTH_URL and NEXT_PUBLIC_APP_URL |
| app.edition | Chart value | self-hosted — disables the SaaS operator console |
| env.secretValues.DATABASE_URL | Secret | PostgreSQL connection string |
| env.secretValues.NEXTAUTH_SECRET | Secret | Session token signing |
| env.secretValues.ORG_AUTH_SECRET | Secret | Org SSO token signing |
| env.secretValues.PLATFORM_AUTH_SECRET | Secret | Platform session signing |
| env.secretValues.AUTH_SECURITY_SECRET | Secret | Auth-hardening tokens |
| env.secretValues.AUTH_MFA_SECRET | Secret | MFA secret encryption |
| env.secretValues.SECRET_ENCRYPTION_KEY | Secret | Encrypts stored integration credentials — unrecoverable if lost |
| env.secretValues.LICENSE_PUBLIC_KEY | Secret | Verifies your signed license |
| env.config.SMTP_HOST · SMTP_PORT · SMTP_USER · SMTP_PASS · SMTP_FROM | Config | Outbound email relay |
| env.config.ATTACHMENT_STORAGE_DRIVER | Config | local (default) or s3 |
| env.config.ATTACHMENT_S3_ENDPOINT · _BUCKET · _REGION · access keys | Config | S3-compatible attachment store |
| env.config.CLAMAV_HOST · CLAMAV_PORT | Config | Optional upload scanning |
| env.config.ATTACHMENT_SCAN_REQUIRED | Config | true rejects unscanned uploads |
| env.config.AI_PROVIDER · AI_DISABLED | Config | anthropic · bedrock · openai_compatible — or AI_DISABLED=true for airgap |
| env.secretValues.SAML_SP_PRIVATE_KEY · SAML_SP_CERTIFICATE | Secret | Optional — signs SAML AuthnRequests (PEM) |
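Before the `helm install` of step 3, a preflight that catches the mistakes steps 1, 2 and 4 invite: template placeholders left in the values file, secrets that are short or copied from one key to another, an undecided AI posture, and the s3 driver without its endpoint and bucket. This is an added example, not code from the EvenTier chart or its vendor. It assumes the flat `KEY: value` layout of the Examples section, takes key names from the values reference, and expands the `_BUCKET` shorthand to `ATTACHMENT_S3_BUCKET` (an assumption); the sample values file it writes, including the dummy key body, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the EvenTier chart: generate the six secrets and
# preflight a values file before `helm install`. Assumes the flat `KEY: value`
# layout of the Examples section; key names come from the values reference,
# with the "_BUCKET" shorthand expanded to ATTACHMENT_S3_BUCKET (assumed).

SECRET_KEYS="NEXTAUTH_SECRET ORG_AUTH_SECRET PLATFORM_AUTH_SECRET AUTH_SECURITY_SECRET AUTH_MFA_SECRET SECRET_ENCRYPTION_KEY"

# One 32-byte secret as 64 hex chars; /dev/urandom fallback if openssl is absent.
gen_secret() {
  if command -v openssl >/dev/null 2>&1; then openssl rand -hex 32
  else od -An -N32 -tx1 /dev/urandom | tr -d ' \n'; fi
}

# Value of key $2 in values file $1 (first match, surrounding quotes stripped).
values_get() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 | sed 's/^"//; s/"$//'
}

# Returns 0 when the file is safe to install from, 1 otherwise; findings go to stderr.
preflight_values() {
  f="$1"; rc=0; seen=""
  for k in $SECRET_KEYS; do
    v=$(values_get "$f" "$k")
    # 64 lowercase hex chars: rejects the "<openssl rand -hex 32>" placeholder,
    # empty values and anything shorter than 32 bytes.
    case "$v" in
      ""|*[!0-9a-f]*) echo "preflight: $k missing or not hex" >&2; rc=1; continue ;;
    esac
    [ "${#v}" -eq 64 ] || { echo "preflight: $k is ${#v} chars, want 64" >&2; rc=1; }
    # The six secrets must be independent; a value copied between keys is a finding.
    case " $seen " in
      *" $v "*) echo "preflight: $k reuses another secret's value" >&2; rc=1 ;;
    esac
    seen="$seen $v"
  done
  db=$(values_get "$f" DATABASE_URL)
  case "$db" in
    "")             echo "preflight: DATABASE_URL missing" >&2; rc=1 ;;
    *"<"*)          echo "preflight: DATABASE_URL still carries a placeholder" >&2; rc=1 ;;
    postgresql://*) ;;
    *)              echo "preflight: DATABASE_URL is not a postgresql:// URL" >&2; rc=1 ;;
  esac
  # The PEM block must be present and must not still hold the order placeholder.
  if ! grep -q 'BEGIN PUBLIC KEY' "$f"; then
    echo "preflight: LICENSE_PUBLIC_KEY not set" >&2; rc=1
  elif sed -n '/BEGIN PUBLIC KEY/,/END PUBLIC KEY/p' "$f" | grep -q '<'; then
    echo "preflight: LICENSE_PUBLIC_KEY still holds a placeholder" >&2; rc=1
  fi
  # AI posture must be an explicit decision: disabled, or one supported provider.
  case "$(values_get "$f" AI_DISABLED):$(values_get "$f" AI_PROVIDER)" in
    true:*|*:anthropic|*:bedrock|*:openai_compatible) ;;
    *) echo "preflight: set AI_DISABLED=true or a supported AI_PROVIDER" >&2; rc=1 ;;
  esac
  if [ "$(values_get "$f" ATTACHMENT_STORAGE_DRIVER)" = s3 ]; then
    for k in ATTACHMENT_S3_ENDPOINT ATTACHMENT_S3_BUCKET; do
      [ -n "$(values_get "$f" "$k")" ] || { echo "preflight: $k required with the s3 driver" >&2; rc=1; }
    done
  fi
  # Scanning configured but not enforced is reported, not failed: unscanned uploads are not rejected.
  if [ -n "$(values_get "$f" CLAMAV_HOST)" ] && [ "$(values_get "$f" ATTACHMENT_SCAN_REQUIRED)" != true ]; then
    echo "preflight: CLAMAV_HOST set but ATTACHMENT_SCAN_REQUIRED is not true; unscanned uploads are not rejected" >&2
  fi
  return $rc
}

# Constructed sample: write a values file with fresh secrets to $1 (the key body is a dummy, not a real key).
write_sample_values() {
  {
    printf '%s\n' 'app:' '  edition: self-hosted' '  url: https://eventier.internal.example.com' 'env:' '  config:'
    printf '%s\n' '    SMTP_HOST: smtp.internal.example.com' '    SMTP_FROM: "EvenTier <no-reply@example.com>"'
    printf '%s\n' '    ATTACHMENT_STORAGE_DRIVER: s3' '    ATTACHMENT_S3_ENDPOINT: https://s3.internal.example.com'
    printf '%s\n' '    ATTACHMENT_S3_BUCKET: eventier-attachments' '    CLAMAV_HOST: clamav.eventier.svc'
    printf '%s\n' '    ATTACHMENT_SCAN_REQUIRED: "true"' '    AI_DISABLED: "true"' '  secretValues:'
    printf '%s\n' '    DATABASE_URL: postgresql://eventier:s3cret@db.internal:5432/eventier'
    for k in $SECRET_KEYS; do printf '    %s: "%s"\n' "$k" "$(gen_secret)"; done
    printf '%s\n' '    LICENSE_PUBLIC_KEY: |' '      -----BEGIN PUBLIC KEY-----' '      CONSTRUCTED-SAMPLE-NOT-A-REAL-KEY' '      -----END PUBLIC KEY-----'
  } > "$1"
}

# Usage: sh preflight.sh my-values.yaml
if [ -n "${1:-}" ]; then
  preflight_values "$1" && echo "preflight: $1 ok"
  exit $?
fi
```

The secret checks are deliberately strict about format rather than about entropy: a 64-character lowercase hex string is what `openssl rand -hex 32` produces, so anything else is either a leftover placeholder or a hand-typed value. The scan check is only a report because `ATTACHMENT_SCAN_REQUIRED` is a policy choice the values reference leaves to you; the other findings block the install because the chart cannot boot correctly without them.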
Good to know
- SSO in self-hosted works the same as SaaS; to sign SAML AuthnRequests, mount SAML_SP_PRIVATE_KEY and SAML_SP_CERTIFICATE (PEM) as deployment-wide secrets.
- The license is verified offline against LICENSE_PUBLIC_KEY with an offline grace period — an airgapped cluster does not need to phone home.
- Keep a staging namespace on the same chart version and run upgrades there first; the migration set is identical.