Deployment
Orkestra ships as a Go binary plus a React SPA. Three deployment shapes are documented in this section, in increasing order of operational complexity:
| Shape | When to use | Guide |
|---|---|---|
| Single VM, Docker Compose | Solo operator, small team, internal tooling, evaluation | Single VM |
| VM + Caddy reverse-proxy | Same as above but with TLS, automatic Let's Encrypt, and the per-audience host split (ADR-0003) wired correctly | Reverse-proxy with Caddy |
| Kubernetes | Multi-replica, autoscaling, integration with existing K8s tooling | Kubernetes overview |
Orkestra does not ship a Helm chart today — see the Kubernetes overview for the YAML you'd write and the roadmap.
Compose-file inventory
Regardless of shape, you'll be reading one or more of these compose files. They live in docker/:
| File | Purpose |
|---|---|
docker-compose.infra.yml | Always-on infra: MongoDB, Redis, RustFS |
docker-compose.dev.yml | Source-build + AIR hot reload — local development |
docker-compose.staging.yml | Staging-like behavior + AIR hot reload — long-lived dev VMs |
docker-compose.prod.yml | Optimized production stack — pulls a pre-built image from GHCR (ghcr.io/orkestra-cc/orkestra/backend:latest or :<sha>) |
docker-compose.observability.yml | Optional: self-hosted Tempo + Prometheus + Loki + Grafana |
What lives in .env vs /admin/modules
Process-scoped infrastructure (Mongo URI, Redis URL, JWT keys, cookies, encryption keys) lives in docker/.env, read by the backend at boot.
Module configuration (OAuth credentials, SMTP, per-module enable flags — plus whatever config keys a fork's addons declare, e.g. payment or API-provider keys) lives in MongoDB (module_configs collection) and is edited at /admin/modules. Secrets are AES-256-GCM-encrypted at rest.
A module's ConfigSchema().EnvVar is consulted only on first-boot seeding — env-var changes after that boot have no effect. The single source of truth is the admin UI. See docker/CLAUDE.md "What belongs in .env / compose vs /admin/modules" for the full bucket split.
Related guides
- Backup and restore
- Cookie hardening across tiers
- Troubleshooting
- OAuth Providers — provider-specific setup