Installation & Deployment Guidance
Deploy CyberTax Across AWS, On-Prem, or Hybrid Environments
This guide summarizes infrastructure minimums, environment dependencies, identity setup, AI integration, and secure deployment patterns for CyberTax operations.
High-Level Installation Guide
- Provision PostgreSQL, Redis, and artifact storage according to the target security boundary.
- Configure environment variables and secrets for backend, worker, and frontend services.
- Deploy with container orchestration using the provided compose baseline and hardened ingress.
- Configure identity providers in the Administration area (SAML, OIDC, or LDAP).
- Enable Bedrock model access and verify AI scoring and report generation workflows.
Single-Instance (EC2 / VM) Quick Start
The validated baseline for a single-host deployment uses Git, Docker Engine, and the Docker Compose v2 plugin:
- git to pull the repository.
- Docker Engine (24+) to run containers.
- Docker Compose v2 plugin to orchestrate services.
# Clone and enter the repository
git clone <repo-url> cyberease
cd cyberease
# Set bootstrap admin credentials (required for first deployment)
export BOOTSTRAP_ADMIN_EMAIL=admin@example.com
export BOOTSTRAP_ADMIN_PASSWORD='change-me-now'
export BOOTSTRAP_ADMIN_ORG='CyberTax'
# Build and start all 7 services
docker compose up -d --build
Post-Deployment Verification
# 1. Verify all services are running (expect 7 services)
docker compose ps
# 2. Check backend health endpoint
curl http://localhost:8000/health
# Expected: {"status":"ok"}
# 3. Check frontend is serving
curl -s -o /dev/null -w "%{http_code}" http://localhost:3000
# Expected: 200
# 4. Verify Celery worker is connected
docker compose logs worker --tail=20
# Look for: "celery@... ready" and "connected to redis://..."
# 5. Log in with bootstrap admin credentials
# Open http://localhost:3000/login in browser
# Use the BOOTSTRAP_ADMIN_EMAIL and BOOTSTRAP_ADMIN_PASSWORD set above
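The five checks above as a script, added here as an example and not part of the CyberTax repository. It assumes Docker Compose v2 (`docker compose ps --services --status running`) and curl are on PATH and uses the guide's default ports (backend 8000, frontend 3000); step 5, the browser login, stays manual.

```bash
#!/usr/bin/env bash
# Added example (not part of the CyberTax repository): the post-deployment
# checks as shell functions. Assumes Docker Compose v2 and curl on PATH
# and the guide's default ports (backend 8000, frontend 3000).
set -u

# The 7 services the compose baseline is expected to start.
EXPECTED_SERVICES="postgres redis backend mcp worker frontend caddy"
# Step 1: $1 is the output of `docker compose ps --services --status running`;
# fail if any expected service is not in that list.
check_services_running() {
  local running="$1" svc
  for svc in $EXPECTED_SERVICES; do
    printf '%s\n' "$running" | grep -qx "$svc" || { echo "not running: $svc" >&2; return 1; }
  done
}

# Step 2: the /health body must be {"status":"ok"} (whitespace ignored).
check_health_body() {
  printf '%s' "$1" | tr -d ' \n\r\t' | grep -q '^{"status":"ok"}$'
}

# Step 3: the frontend must answer HTTP 200.
check_http_code() { [ "$1" = "200" ]; }
# Step 4: the worker log tail must show the Celery ready banner and the
# Redis broker connection (case-insensitive, as Celery capitalises "Connected").
check_worker_log() {
  printf '%s\n' "$1" | grep -q 'celery@.* ready' &&
    printf '%s\n' "$1" | grep -qi 'connected to redis://'
}

# Run the live checks on this host; step 5 (browser login) stays manual.
verify_deployment() {
  local failed=0
  check_services_running "$(docker compose ps --services --status running)" || failed=1
  check_health_body "$(curl -s http://localhost:8000/health)" \
    || { echo "backend /health did not return {\"status\":\"ok\"}" >&2; failed=1; }
  check_http_code "$(curl -s -o /dev/null -w '%{http_code}' http://localhost:3000)" \
    || { echo "frontend did not return HTTP 200" >&2; failed=1; }
  check_worker_log "$(docker compose logs worker --tail=20 2>&1)" \
    || { echo "worker not ready or not connected to redis" >&2; failed=1; }
  [ "$failed" -eq 0 ] && echo "Automated checks passed; log in at http://localhost:3000/login"
  return "$failed"
}

# Only run the live checks when invoked with --live, so the functions can be
# sourced and exercised on captured output without a running stack.
if [ "${1:-}" = "--live" ]; then verify_deployment; fi
```

Run it as `./verify.sh --live` on the deployment host; a non-zero exit means at least one check failed and the reason was printed to stderr.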
Caddy listens on ports 80/443 and provides automatic HTTPS. For local development without TLS, access the frontend directly at http://localhost:3000 and the API at http://localhost:8000.
Docker Compose Service Inventory
The docker-compose.yml baseline starts 7 services. All services are configured with restart: unless-stopped.
| Service | Image | Port(s) | Purpose |
|---|---|---|---|
| postgres | postgres:16 | 5432 | Relational data store (users, assessments, controls, audit logs) |
| redis | redis:7 | 6379 | Message broker and cache for Celery workers |
| backend | backend (built) | 8000 | FastAPI application server (REST API) |
| mcp | backend (built) | 8001 | MCP server for AI agent integrations |
| worker | backend (built) | none | Celery task worker for async jobs |
| frontend | frontend (built) | 3000 | Next.js application (UI) |
| caddy | caddy:2 | 80, 443 | TLS termination and reverse proxy |
The backend container also loads AWS credentials from ./backend/bedrock-server/.env via env_file. The worker and MCP services share the same backend image but run different commands.