Deploy Runbooks
What this runbook covers
The Docker Compose reference deployment, the only Stable deployment
surface in v0.9.0a1. Other surfaces (Fly, Helm, systemd, PaaS,
Grafana) have been moved to experimental/deploy-*/ and are gated by
the ADR-008 reintroduction process.
Audience: operators deploying Stigmem for the first time or migrating between environments.
Spec reference: none; this is operational, not protocol.
Source recipes: deploy/compose/ in the repo.
The only Stable deployment surface in v0.9.0a1 is the Docker Compose reference deployment. Fly.io, Helm/Kubernetes, systemd, Grafana dashboards, and PaaS templates have been moved to experimental/deploy-*/ per ADR-002 and are gated by the ADR-008 reintroduction process. Recipes still exist as starting points but are unsupported until they pass ADR-008 promotion. See Features → Deployment for the full disposition.
Docker Compose
Best for: local development, single-server self-hosting, air-gapped environments, evaluation deployments. Backend: SQLite (default) or libSQL.
Prerequisites
Docker ≥ 24
Docker Compose v2 ≥ 2.20
Step 1: Clone and configure
git clone https://github.com/eidetic-labs/stigmem
cd stigmem
cp deploy/compose/.env.example deploy/compose/.env
Edit deploy/compose/.env:
# Required
STIGMEM_FEDERATION_PUBKEY=<your-pub>
STIGMEM_FEDERATION_PRIVKEY=<your-priv>
# SQLite (default): no additional vars needed
STIGMEM_STORAGE_BACKEND=sqlite
# libSQL (optional)
# STIGMEM_STORAGE_BACKEND=libsql
# STIGMEM_LIBSQL_URL=libsql://your-db.turso.io
# STIGMEM_LIBSQL_AUTH_TOKEN=<token>
To generate a federation keypair:
python3 -c "
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
import base64
priv = Ed25519PrivateKey.generate()
priv_bytes = priv.private_bytes_raw()
pub_bytes = priv.public_key().public_bytes_raw()
print('STIGMEM_FEDERATION_PRIVKEY=' + base64.urlsafe_b64encode(priv_bytes).decode())
print('STIGMEM_FEDERATION_PUBKEY=' + base64.urlsafe_b64encode(pub_bytes).decode())
"
Store both values in your secrets manager; the runtime requires both.
Step 2: Start
docker compose -f deploy/compose/docker-compose.yml up --build -d
This starts a single node on port 8765. To start two federated nodes:
docker compose up --build -d # uses root docker-compose.yml
Step 3: Health check
curl -s http://localhost:8765/healthz
# → {"status":"ok","backend":"sqlite"}
Step 4: Persist keypairs across container recreation
Add the keypair vars to deploy/compose/.env (Step 1) before the first start, or set them in the environment: block of your docker-compose.yml. Without persisting them, a new container auto-generates a new identity and existing peers will not recognize it.
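Steps 1 and 4 both depend on the two key variables being present and belonging to the same keypair. The following pre-flight check is an added example, not code from the Stigmem repository: it assumes the runtime reads the keys in the format the generator above prints (URL-safe base64 of the raw 32-byte Ed25519 keys), and the function names, the check_env.py file name and the owner-only file permission check are this example's own.

```python
import base64, binascii, os, sys

PUB, PRIV = "STIGMEM_FEDERATION_PUBKEY", "STIGMEM_FEDERATION_PRIVKEY"

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)  # base64 '=' padding stays in value
            env[key.strip()] = value.strip().strip("\"'")
    return env

def raw32(value):
    """Assumed format (from the page's generator): URL-safe base64 of 32 raw bytes."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except (binascii.Error, ValueError):
        return None
    return raw if len(raw) == 32 else None

def check_federation_keys(env):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems, raw = [], {}
    for name in (PUB, PRIV):
        value = env.get(name, "")
        if not value or value.startswith("<"):
            problems.append(f"{name} is unset or still a placeholder")
        elif (decoded := raw32(value)) is None:
            problems.append(f"{name} is not 32 bytes of URL-safe base64")
        else:
            raw[name] = decoded
    if len(raw) == 2:  # both decoded: does PUB derive from PRIV?
        from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
        derived = Ed25519PrivateKey.from_private_bytes(raw[PRIV]).public_key()
        if derived.public_bytes_raw() != raw[PUB]:
            problems.append(f"{PUB} does not match {PRIV}")
    return problems

def check_env_file(path):
    """Check the keys, and that the file holding the private key is owner-only."""
    with open(path, encoding="utf-8") as fh:
        problems = check_federation_keys(parse_env(fh.read()))
    if os.stat(path).st_mode & 0o077:
        problems.append(f"{path} is accessible to group/other; chmod 600 it")
    return problems

if __name__ == "__main__":  # usage: python3 check_env.py deploy/compose/.env
    sys.exit("\n".join(check_env_file(sys.argv[1])) or 0)
```

A non-zero exit lists each problem on stderr, so the script can gate the Step 2 start command.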
Updating
git pull
docker compose up --build -d
Migrations run automatically on startup.
Deferred deployment surfaces
The recipes below are not part of the v0.9.0a1 supported surface. They live under experimental/deploy-*/ and may be reintroduced in a later release once they pass the ADR-008 gates (threat-model delta → ADR → conformance vectors → 30-day operator soak → documentation parity).
- features/deploy-systemd: experimental/deploy-systemd/
- features/deploy-paas: experimental/deploy-paas/
- features/deploy-grafana: experimental/deploy-grafana/
Each experimental/deploy-*/ directory contains a STATUS.md describing what would be required to graduate the surface.
After deploying: what's next?
- Connect to peers → Federation peer setup
- Schedule backups → Backup & restore
- Set up monitoring → Monitoring & debugging