Self-Hosting Requirements
Overview
Agent Action Firewall can be self-hosted for maximum control, data sovereignty, and compliance requirements. This guide covers the system requirements for different deployment scenarios.
Minimum Requirements
Development/Testing
| Component | Requirement |
|---|
| CPU | 2 cores |
| RAM | 4 GB |
| Storage | 20 GB SSD |
| OS | Linux, macOS, or Windows with WSL2 |
Production (Small)
For up to 1,000 actions/day:
| Component | Requirement |
|---|
| CPU | 4 cores |
| RAM | 8 GB |
| Storage | 50 GB SSD |
| Network | 100 Mbps |
Production (Medium)
For up to 100,000 actions/day:
| Component | Requirement |
|---|
| CPU | 8 cores |
| RAM | 16 GB |
| Storage | 200 GB SSD |
| Network | 1 Gbps |
Production (Large)
For 100,000+ actions/day:
| Component | Requirement |
|---|
| CPU | 16+ cores |
| RAM | 32+ GB |
| Storage | 500+ GB SSD (NVMe recommended) |
| Network | 10 Gbps |
Software Requirements
Runtime
| Software | Version | Notes |
|---|
| Node.js | 20 LTS | Required for API and Worker |
| PostgreSQL | 16+ | Primary database |
| OPA | Latest | Policy engine |
| Redis | 7+ | Optional, for caching |
Container Runtime (if using Docker/K8s)
| Software | Version |
|---|
| Docker Engine | 24.0+ |
| Docker Compose | 2.20+ |
| Kubernetes | 1.28+ |
Build Tools (for source installation)
| Software | Version |
|---|
| pnpm | 8+ |
| Git | 2.40+ |
| TypeScript | 5.7+ |
Network Requirements
Ports
| Port | Service | Direction |
|---|
| 3001 | API | Inbound |
| 3000 | Web Dashboard | Inbound |
| 5432 | PostgreSQL | Internal |
| 8181 | OPA | Internal |
| 6379 | Redis (optional) | Internal |
Firewall Rules
# Minimum required
Allow TCP 3001 (API)
Allow TCP 3000 (Web)
Allow TCP 443 (HTTPS)
# Internal only
Block external access to 5432 (PostgreSQL)
Block external access to 8181 (OPA)
Block external access to 6379 (Redis)
TLS/SSL
- Valid TLS certificate required for production
- Supports Let's Encrypt, commercial CAs, or self-signed for internal use
- Minimum TLS 1.2, recommended TLS 1.3
Database Requirements
PostgreSQL Configuration
Recommended postgresql.conf settings:
# Memory
shared_buffers = 256MB # 25% of RAM
effective_cache_size = 768MB # 75% of RAM
work_mem = 16MB
maintenance_work_mem = 128MB
# Connections
max_connections = 200
# WAL
wal_level = replica
max_wal_senders = 3
# Query planning
random_page_cost = 1.1 # For SSD
effective_io_concurrency = 200 # For SSD
Storage Estimates
| Data Type | Growth Rate | Retention |
|---|
| Actions | ~1 KB/action | 90 days |
| Audit events | ~500 B/event | 1 year |
| Policies | ~5 KB/policy | Indefinite |
| Approvals | ~2 KB/approval | 90 days |
Example: 10,000 actions/day = ~1 GB/month of action data
Scaling Guidelines
Horizontal Scaling
| Component | Scaling Strategy |
|---|
| API | Stateless, add replicas behind load balancer |
| Worker | Stateless, add replicas for throughput |
| Web | Stateless, CDN recommended |
| PostgreSQL | Primary-replica for reads, connection pooling |
Vertical Scaling Triggers
| Metric | Threshold | Action |
|---|
| CPU | >70% sustained | Add cores or instances |
| Memory | >80% | Increase RAM |
| Disk I/O | >80% | Upgrade to NVMe |
| DB connections | >150 | Add connection pooler |
High Availability
Minimum HA Setup
- 3 API replicas
- 2 Worker replicas
- PostgreSQL primary + 1 replica
- Load balancer with health checks
Geographic Redundancy
For multi-region deployments:
- Active-passive database replication
- DNS-based failover
- Regional load balancers
- Cross-region latency: consider <100ms for real-time approvals
Compliance Considerations
Data Residency
All data can be self-hosted within your infrastructure:
- Database stores all action data
- Audit logs stored locally
- No external telemetry by default
Encryption
- Encryption at rest: PostgreSQL TDE or disk encryption
- Encryption in transit: TLS 1.2+
- Encryption key management: ENCRYPTION_MASTER_KEY environment variable
Audit Requirements
- Tamper-evident audit trail with hash chaining
- Exportable proof packs for compliance
- Configurable retention policies