Self-Hosting Flarelight with Docker: Complete Setup Guide

Not every organisation wants their data in the cloud. Whether it's regulatory requirements, security policies, or simply a preference for full control, there are plenty of good reasons to run software on your own infrastructure. That's why Flarelight supports on-premises deployment via Docker.

In this guide, we'll walk through the complete process of deploying Flarelight on your own servers using Docker Compose — from initial setup to production-ready configuration with TLS certificates.

What You'll Need

Before getting started, make sure you have the following:

• Docker Engine 24.0+ with Docker Compose V2
• A Flarelight licence key — get one for free at control.flarelight.cloud
• Minimum hardware: 4 CPU cores, 16 GB RAM, 100 GB storage

Architecture Overview

Flarelight's Docker deployment includes several interconnected services:

Application services:

Service	Description	Port
Subscription App	Main application interface	6100
Control Centre	Admin dashboard for managing subscriptions	4000
Subscription API	Backend API for the application	5001
Control Centre API	Backend API for admin functions	5000
Background Service	Background job processor	—
Scheduler	Scheduled task executor	—
Report Generator	PDF report generation	5002
Integration Service	External API integration	5003

Infrastructure services:

Service	Description	Port
PostgreSQL 16	Primary database	5432
ActiveMQ Classic	Message broker	61616, 8161
SEQ	Centralised logging	5341, 8082
Keycloak	Identity and access management	8081
ClamAV	Antivirus scanning	—

Step 1: Clone and Configure

Start by cloning the deployment repository and running the setup script:

git clone https://github.com/flarelight-io/flarelight-onprem-docker.git
cd flarelight-onprem-docker

Run the setup script for your platform:

# Linux / Mac
./scripts/setup.sh

# Windows PowerShell
.\scripts\setup.ps1

This creates a .env file from the provided template with all the configuration options you'll need.

Step 2: Configure Your Environment

Open the .env file and fill in the required settings:

# Your Flarelight licence key
FLARELIGHT_LICENCE=XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX-XXXX

# Secure passwords (generate unique values for each)
POSTGRES_PASSWORD=<your-secure-password>
KC_BOOTSTRAP_ADMIN_PASSWORD=<your-secure-password>
ACTIVEMQ_PASSWORD=<your-secure-password>
NEXTAUTH_SECRET=<your-random-secret>

To generate secure passwords, use:

openssl rand -base64 32 | tr -dc 'a-zA-Z0-9' | head -c 32

For the SEQ logging password hash:

echo 'YourPassword' | docker run --rm -i datalust/seq config hash

Email Configuration (Optional)

If you want Flarelight to send emails (notifications, reports, invitations), configure your SMTP settings:

FLARELIGHT_EMAIL_PROVIDER=SMTP
FLARELIGHT_EMAIL_SMTP_HOST=smtp.yourserver.com
FLARELIGHT_EMAIL_SMTP_PORT=587
FLARELIGHT_EMAIL_SMTP_USER=your-smtp-username
FLARELIGHT_EMAIL_SMTP_PASSWORD=your-smtp-password
FLARELIGHT_EMAIL_SENDER=noreply@yourdomain.com

Step 3: Start Flarelight

With your configuration in place, start all services:

docker compose up -d

Docker will pull the required images and start everything up. The first run may take a few minutes as images are downloaded.

Step 4: Access Your Instance

Once all services are running, you can access Flarelight at these URLs:

Service	URL
Subscription App	http://localhost:6100
Control Centre	http://localhost:4000
Subscription API	http://localhost:5001
Control Centre API	http://localhost:5000
Keycloak Admin	http://localhost:8081
SEQ Logs	http://localhost:8082
ActiveMQ Console	http://localhost:8161

Going to Production

For a real deployment, you'll want a proper domain with HTTPS. Flarelight's Docker setup includes a production overlay that adds a Traefik reverse proxy with automatic Let's Encrypt TLS certificates.

Configure Your Domain

Add these settings to your .env:

FLARELIGHT_DOMAIN=example.com
TRAEFIK_ACME_EMAIL=admin@example.com

Set Up DNS Records

Point the following subdomains to your server's IP address:

Record	Type	Value
app.your-domain.com	A	Your server IP
admin.your-domain.com	A	Your server IP
api.your-domain.com	A	Your server IP
auth.your-domain.com	A	Your server IP
logs.your-domain.com	A	Your server IP

Alternatively, use a single wildcard DNS record:

Record	Type	Value
*.your-domain.com	A	Your server IP

Start with the Production Overlay

docker compose -f docker-compose.yml -f docker-compose.production.yml up -d

Traefik will automatically obtain and renew SSL certificates from Let's Encrypt. Your services will then be available at:

Service	URL
Subscription App	https://app.your-domain.com
Control Centre	https://admin.your-domain.com
API	https://api.your-domain.com
Authentication	https://auth.your-domain.com
Logs	https://logs.your-domain.com

Day-to-Day Operations

Viewing Logs

# Follow logs for all services
docker compose logs -f

# Follow logs for a specific service
docker compose logs -f subscription-api

You can also view structured logs via the SEQ web interface at http://localhost:8082 (or https://logs.your-domain.com in production).

Backups

Use the included backup script to back up your data:

# Run a backup
./scripts/backup.sh

# Run a backup with automatic cleanup of backups older than 7 days
./scripts/backup.sh ./backups --cleanup

Updating

When a new version of Flarelight is released, updating is straightforward:

# Pull the latest images
docker compose pull

# Restart services with the new images
docker compose up -d

Stopping Services

# Stop all services (data is preserved in volumes)
docker compose down

# Stop and remove all data (WARNING: destructive)
docker compose down -v

Data Storage

All persistent data is stored in mounted volumes within the project directory:

Data	Location
PostgreSQL data	./volumes/postgres-data/
ActiveMQ data	./volumes/activemq-data/
SEQ logs	./volumes/seq-data/
ClamAV signatures	./volumes/clamav-data/
Uploaded files	./volumes/uploads/
SSL certificates	traefik-certs Docker volume

Security Checklist

Before exposing your instance to the network, make sure you've addressed these items:

1. Change all default passwords — every password in .env should be unique and strong
2. Secure the .env file — never commit it to version control
3. Set up regular backups — use the included backup script on a schedule
4. Keep images up to date — pull the latest images regularly
5. Configure your firewall — in production, only expose ports 80 and 443 through Traefik
6. Rely on network isolation — all inter-service communication happens over an internal Docker network

Troubleshooting

Services won't start? Check that Docker is running (docker info), review the logs (docker compose logs), and verify your .env configuration.

Database connection issues? Confirm PostgreSQL is running (docker compose ps postgres), check the password in .env, and review PostgreSQL logs (docker compose logs postgres).

Authentication problems? Verify Keycloak is running (docker compose ps keycloak), check that redirect URIs are correct in the Keycloak admin console, and ensure KEYCLOAK_CLIENT_SECRET matches the realm configuration.

SSL certificate issues? Ensure DNS records are correctly configured, check Traefik logs (docker compose logs traefik), verify the ACME email is set, and be aware of Let's Encrypt rate limits.

Get Started

Ready to deploy? Grab a free licence key at control.flarelight.cloud and head over to the GitHub repository to get started.

If you run into any issues, reach out to us at support@flarelight.io or open an issue on GitHub.