@connectai/selfhost

@connectai/selfhost

One-command self-host installer for ConnectAI. Takes a clean machine (only Docker + Node) to a running, health-checked company-brain in one command, with no source clone and no local image build.

npx @connectai/selfhost run
# or:
npm i -g @connectai/selfhost && connectai run

That is the entire happy path. The CLI pulls prebuilt images, writes a hardened .env, boots the stack, and prints the console URL + your single next step. It does not bundle or pull Ollama.

What run does

• Pre-flight (Node-native): verifies a running Docker daemon + Compose v2. Warns (does not block) if RAM/disk is below the ~8 GB footprint. Errors are copy-pasteable.
• Materialize the bundled deploy assets into a working dir (default ~/.connectai, override --dir): BackendEngineer's canonical image-based docker-compose.selfhost.images.yml, .env.example, and the boot scripts. You never fetch source.
• Generate .env: copies the example, then fills the secrets with a CSPRNG (crypto.randomBytes): INFISICAL_*, ENCRYPTION_SECRET (32 bytes / 64 hex), and a strong POSTGRES_PASSWORD (with DATABASE_URL updated to match). Written chmod 600. Idempotent: it never overwrites a value you already set, and a second run is a no-op. Secrets are local-only: never logged, never transmitted.
• Boot: delegates to the bundled up.sh, which docker compose pulls the prebuilt GHCR images (default tag v0.1.1), brings up Infisical, provisions the vault identity, brings up the full stack, and waits for the API /health + the console.
• Inference: the installer never starts Ollama or downloads models. You point the stack at an inference endpoint with --inference-url; if you also provide --inference-api-key, the installer wires that endpoint as a hosted OpenAI-compatible provider. Without a key, it treats the endpoint as Ollama and defaults to http://host.docker.internal:11434 unless you already set OLLAMA_BASE_URL. --model sets the chat-model slug for the endpoint you supply. --no-pull still brings up db + api + console only, so the brain is reachable while you finish inference setup.
• Print the console URL, the setup-token command, and the next step.

Commands

Command	What it does
run (default)	the full install + boot above
down	stop the stack (down -v also removes volumes / wipes the brain)
logs	tail stack logs (e.g. connectai logs api)
token	print the one-time first-run setup token (from the api logs)
help / version	usage / version

Flags

Flag	Meaning
--dir <path>	working directory (default ~/.connectai)
--inference-url <url>	inference endpoint URL
--inference-api-key <key>	hosted endpoint API key; when set, the installer wires hosted/BYO inference
--inference-chat-model, --inference-embed-model	model slugs for the endpoint
--model <name>	legacy alias for the chat-model slug (default qwen2.5:1.5b)
--no-pull	skip the loop worker (brings up db + api + console only)
--tag <tag>	GHCR image tag to run (default: the pinned bundled tag; also CONNECTAI_IMAGE_TAG)
--yes, -y	non-interactive (already the default; accepted for CI)

Inference modes

Inference is external by design. The installer ships no Ollama image and downloads no models.

• Ollama: pass --inference-url http://host.docker.internal:11434, or omit it and let the installer seed that default when OLLAMA_BASE_URL is still unset.
• Hosted OpenAI-compatible: pass --inference-url ... --inference-api-key ... and, optionally, the model slugs. The installer derives the internal BYO wiring from the presence of the key; you do not need a separate mode flag.

Under either mode, docker images shows no ollama/ollama, because the installer never declares an Ollama service.

Requirements

• Docker with the Compose v2 plugin, daemon running.
• Node >= 18 (for npx).
• That is it. No git, no clone, no source, no local image build.

Notes

• localhost is the v1 target. The prebuilt console image bakes its API base URL at publish time to http://localhost:4000. The canonical compose ships a runtime API-base seam (the console entrypoint writes /config.js from CONSOLE_API_BASE_URL at container start and prefers it over the baked value), so a remote origin is a config change, not a rebuild; full remote serving is the documented follow-up.
• The first run downloads several GB of service images and can take a few minutes; re-runs are fast and idempotent.
• This is a thin front door over the same hardened up.sh boot engine and the canonical docker-compose.selfhost.images.yml; it does not re-implement orchestration or fork the compose. The bundled compose is BackendEngineer's file verbatim (CON-130), consumed through the ${CONNECTAI_IMAGE_TAG} / ${CONNECTAI_ENV_FILE} seams.

License

BUSL-1.1. Development, testing, and evaluation use need no license; production use requires a commercial license. The self-host runtime guard fail-closes at run time, so a public image gives nothing away.