Self-Hosting Overview
Llamenos is designed to run on your own infrastructure. Self-hosting gives you full control over data residency, network isolation, and infrastructure choices — critical for organizations protecting against well-funded adversaries.
Deployment options
| Option | Best for | Complexity | Scaling |
|---|---|---|---|
| Docker Compose | Single-server, recommended start | Low | Single node |
| Kubernetes (Helm) | Multi-service orchestration | Medium | Horizontal (multi-replica) |
| Co-op Cloud | Co-op hosting collectives | Low | Single node (Swarm) |
Docker Compose files
Docker Compose uses a layered approach:
| File | Purpose |
|---|---|
docker-compose.yml | Base configuration — all services, networks, volumes |
docker-compose.production.yml | Production overlay — TLS via Let’s Encrypt, log rotation, resource limits, strict CSP |
docker-compose.test.yml | Test overlay — exposes app port directly, development mode |
For local development, use the base file only. For production, stack the production overlay:
# Local
docker compose -f docker-compose.yml up -d
# Production
docker compose -f docker-compose.yml -f docker-compose.production.yml up -dOr use the setup script, which handles this automatically:
./scripts/docker-setup.sh # local
./scripts/docker-setup.sh --domain hotline.org --email a@b # productionCore services
All deployment targets run these core services:
| Component | Purpose |
|---|---|
| Bun application | Hono API server + static file serving |
| PostgreSQL | Primary database |
| RustFS | S3-compatible blob storage (voicemail, attachments, exports) |
| strfry | Nostr relay for real-time events |
| Caddy | Reverse proxy + automatic TLS (Docker Compose) |
| Authentik | Identity provider — SSO, invite-based onboarding, MFA |
What you need
Minimum requirements
- A Linux server (2 CPU cores, 2 GB RAM minimum)
- Docker and Docker Compose v2 (or a Kubernetes cluster for Helm)
- A domain name pointing to your server
openssl(for generating secrets during setup)- At least one communication channel (voice provider, SMS, etc.)
Optional components
- Whisper transcription — requires 4 GB+ RAM (CPU) or a GPU for faster processing
- Asterisk — for self-hosted SIP telephony (see Asterisk setup)
- Signal bridge — for Signal messaging (see Signal setup)
Quick comparison
Choose Docker Compose if:
- You’re running on a single server or VPS
- You want the simplest possible self-hosted setup
- You’re comfortable with Docker basics
Choose Kubernetes (Helm) if:
- You already have a K8s cluster
- You need horizontal scaling (multiple replicas)
- You want to integrate with existing K8s tooling (cert-manager, external-secrets, etc.)
Choose Co-op Cloud if:
- You’re part of a tech co-op or hosting collective
- You already use Docker Swarm + Traefik via abra
- You want standardized recipe management with
abraCLI - You need integrated backup via backupbot
Security considerations
Self-hosting gives you more control but also more responsibility:
- Data at rest: PostgreSQL data is stored unencrypted by default. Use full-disk encryption (LUKS, dm-crypt) on your server, or enable PostgreSQL TDE if available. Note that call notes and transcriptions are already E2EE — the server never sees plaintext.
- Network security: Use a firewall to restrict access. Only ports 80/443 should be publicly accessible.
- Secrets: Never put secrets in Docker Compose files or version control. Use
.envfiles (excluded from images) or Docker/Kubernetes secrets. - Updates: Pull new images regularly. Watch the changelog for security fixes.
- Backups: Back up the PostgreSQL database and RustFS storage regularly. See the backup section in each deployment guide.
Next steps
- Getting Started — quick start with Docker
- Docker Compose deployment — full production deployment guide
- Kubernetes deployment — deploy with Helm
- Co-op Cloud deployment — deploy with abra