On-Premises Setup Considerations

[aronmolnar]

Self-hosted setup: What should we consider?

You need an Ubuntu machine (VM or physical) with at least 4 (better 8 for more users) GB memory. Docker must be installed, preferably according to the official instructions (as described here): https://docs.sysreptor.com/setup/installation/#server

Database

Optionally, you can decide to not run the database on the host as a container, but use an already existing database server (can be adapted in the docker compose file).

Outsourcing the rendering process

What can also be improved in terms of security is to outsource the rendering process.
By default, it runs (as a Chromium and Weasyprint process) in the webapp container. Anyone who can break out of Chromium with their report, e.g. with JavaScript, can compromise the webapp in this case. This can be prevented with an alternative setup by starting two additional containers: 1x Celery as message broker and 1x rendering container. We would not care about compromising a rendering container because it would be restarted after each job and could not fetch any more data.
(see also: https://docs.sysreptor.com/insights/security-considerations/#template-injection and https://docs.sysreptor.com/insights/security-considerations/#server-side-request-forgery-prevention).

If you want to do this, we would be happy to help you with it - this setup is not (yet) documented.

Backups

And of course you should not forget a backup job.
In SysReptor Professional, you can pull the backup via CLI (https://docs.sysreptor.com/setup/backups/#create-backups-via-cli) or via API (https://docs.sysreptor.com/setup/backups/#create-backups-via-api).
Via API you can also specify an S3 bucket and a subkey with write access, as well as an AES key. SysReptor then encrypts the backup locally and streams it directly into the S3 bucket.
However, the AES key must be managed somewhere.
(In our cloud installation, we encrypt the AES key with the public keys of our hardware tokens and add the keys to the backups).

If you need any support, just open a ticket. We're happy to help.

[mlec1]

Maybe having some kubernetes manifest files and an Helm Chart might be a nice to have

[aronmolnar]

Are you planning to host it on Kubernetes?
We'd happy to provide it and it would be best if we could set it up together to have it tested.

[unixerius]

Late to the party, but if we were to start using Sysreptor at one of my customers, then yes we would be running on K8S.

With the distinction that the Postgres database would be hosted off-cluster on a dedicated Postgres server. That means we should have an option to configure a remote server, instead of a container in the same pod.