Installation
Quick Start
```bash
curl -fsSL <download-url> -o install.sh
chmod +x install.sh
./install.sh
docker compose up -d
```
Replace <download-url> with the URL provided by your vendor.
What the Installer Creates
Running install.sh scaffolds all the files and directories RAG-DocBot needs:
| Path / Name | Type | Purpose |
|---|---|---|
| .env | File | All runtime configuration (tokens, secrets, settings) |
| docker-compose.yml | File | Service definitions |
| license.key | File | License validation |
| docs/ | Directory | Drop documents here for indexing |
| branding/ | Directory | Custom logos and branding assets |
| models/ | Directory | Place your GGUF model file here |
| postgres_data | Docker volume | All application data |
| redis_data | Docker volume | Live job state |
| qdrant_storage | Docker volume | Vector index data |
All application data lives in Docker named volumes — data survives container recreation and updates. Database migrations run automatically on every startup, so no manual schema management is needed.
Services
docker compose up -d starts the following services:
| Service | Description |
|---|---|
| nginx | Reverse proxy, rate limiter, and optional TLS termination — routes traffic to the backend and UI. Rate limits apply on /api/auth, /api/chat, and /api/upload. SSE streaming is preserved end-to-end. Enable HTTPS with TLS_ENABLED=1 — see TLS / HTTPS. |
| backend | FastAPI application — the main API server |
| ui | RAG-DocBot frontend |
| inference | llama-cpp-python inference server (serves the GGUF model) |
| qdrant | Vector database for the document index |
| postgres | Relational database for application state |
| redis | Live job state |
| pgadmin | PostgreSQL admin UI (port 5050 — for dev/admin use) |
Secrets Management
Starting from v1.7.0, sensitive secrets (JWT secret key, database password, Qdrant API key) should be supplied via Docker secrets or Podman secrets instead of plain .env values.
v1.8.0 adds the following required and optional secrets:
| Secret name | Required | Description |
|---|---|---|
| mfa_encryption_key | Yes | Fernet key for encrypting TOTP secrets and OIDC client secrets at rest. The stack will not start without this. |
| oidc_entra_client_secret | No | Client secret for Microsoft Entra ID OIDC provider |
| oidc_google_client_secret | No | Client secret for Google Workspace OIDC provider |
Docker Swarm / Compose secrets example:
```bash
# Note: `docker secret create` requires Swarm mode (docker swarm init).
# "strongpassword" and "qdrantkey" are sample values; replace them with your own.

# Required from v1.7.0
echo "$(openssl rand -hex 32)" | docker secret create jwt_secret_key -
echo "strongpassword" | docker secret create db_password -
echo "qdrantkey" | docker secret create qdrant_api_key -

# Required from v1.8.0
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())" \
  | docker secret create mfa_encryption_key -

# Optional — only if using OIDC providers
echo "<your-entra-client-secret>" | docker secret create oidc_entra_client_secret -
echo "<your-google-client-secret>" | docker secret create oidc_google_client_secret -
```
Reference the secrets in docker-compose.yml using the secrets: block. The installer generates a suitable template automatically — see the comments inside docker-compose.yml for the exact variable names to map.
If you prefer to keep secrets in .env for local / development deployments, this is still supported. For production environments the Docker/Podman secrets workflow is strongly recommended.
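A preflight check for the secret values listed above, added here as an example; it is not part of RAG-DocBot or its installer. It flags missing required secrets, values copied verbatim from the documentation, and an `mfa_encryption_key` that is not a well-formed Fernet key. The `MIN_LEN` threshold and the function names are assumptions of this example.

```python
import base64
import re

# Secret names are the ones listed on this page; thresholds are assumptions of this example.
REQUIRED = ("jwt_secret_key", "db_password", "qdrant_api_key", "mfa_encryption_key")
DOC_SAMPLES = {"strongpassword", "qdrantkey"}  # literal sample values from the docs
MIN_LEN = 16  # assumed minimum length for password-style secrets
FERNET_RE = re.compile(r"[A-Za-z0-9_-]{43}=")  # 32 bytes -> 44 URL-safe base64 chars


def is_fernet_key(value: str) -> bool:
    """True if value is exactly 32 bytes in strict URL-safe base64."""
    if not FERNET_RE.fullmatch(value):
        return False
    return len(base64.urlsafe_b64decode(value)) == 32


def check_secrets(secrets: dict) -> list:
    """Return human-readable problems; an empty list means the set looks sane."""
    problems = [f"{n}: missing or empty" for n in REQUIRED
                if not secrets.get(n, "").strip()]
    for name, raw in secrets.items():
        value = raw.rstrip("\n")  # echo/print append a newline when piped
        if not value.strip():
            continue  # already reported above if required
        if value != value.strip():
            problems.append(f"{name}: leading or trailing whitespace")
        elif value in DOC_SAMPLES or (value[0] == "<" and value[-1] == ">"):
            problems.append(f"{name}: documentation placeholder, not a real secret")
        elif name == "mfa_encryption_key":
            if not is_fernet_key(value):
                problems.append(f"{name}: not a valid Fernet key")
        elif len(value) < MIN_LEN:
            problems.append(f"{name}: shorter than {MIN_LEN} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample: the values a copy-pasted docs example would produce.
    sample = {
        "jwt_secret_key": "ab" * 32 + "\n",
        "db_password": "strongpassword\n",
        "qdrant_api_key": "qdrantkey\n",
        "oidc_entra_client_secret": "<your-entra-client-secret>\n",
    }
    for line in check_secrets(sample):
        print("FAIL", line)
```

Run it against the values you are about to pipe into `docker secret create`; an empty result means none of the checks fired.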
Enabling HTTPS (v1.8.0+)
The bundled nginx can terminate TLS directly. HTTP-only mode (TLS_ENABLED=0) remains the default.
To opt in, set TLS_ENABLED=1 in your .env (or pass it explicitly — see the caution below) and provide your certificate files. See the TLS / HTTPS guide for full instructions, including helper scripts for self-signed, internal CA, and Let's Encrypt deployments.
Caution: Docker Compose only auto-loads a file literally named .env. If your TLS variables live in .env.local or a similar file, pass --env-file .env.local explicitly:

```bash
docker compose --env-file .env.local up -d
```
After Installation
- Place your GGUF model file in the models/ directory. See Placing a Model.
- Open the app in your browser. See Accessing the App.
- Log in with the default admin credentials and change the password immediately. See Changing Password.