RuleSmith
Log in

Self Hosting

Setup

Get the RuleSmith service deployed in your own infrastructure and necessary dependencies configured.

Prerequisites

  • You have an enterprise RuleSmith license. Self-hosting is not available on our normal plans.
  • You're able to run an OCI container, for example via Docker or Kubernetes.
  • You have an existing Postgres database running where RuleSmith can store its data.

Overview

RuleSmith is designed to be simple to deploy. At minimum, you can deploy it as a single container talking to a Postgres database. Additional components (like Redis) are optional.

Setup

Generating secrets

RuleSmith depends on some secrets which you'll need to generate before deploying:

  • A Tink encryption keyset (used for encrypting sensitive data within the database).
  • GitHub App credentials, including:
    • A client ID and secret
    • A private key
    • A webhook secret

Generating a Tink key

The simplest method to generate a Tink key is using the tinkey cli.

Once installed, you can generate the keyset using this command:

tinkey create-keyset \
 --key-template AES256_GCM \
 --out-format json \
 --out aead_keyset.json

Consult with support or your security team for additional options.

Creating the GitHub App

Create GitHub App

Enter your GitHub organization slug and the hostname where RuleSmith runs.

Leave blank to create the app within a personal account.

The hostname where your users will access RuleSmith.

Configuring RuleSmith

RuleSmith can be configured in three ways:

  • Command line flags
  • Environment variables
  • A .env file (containing environment variables)

In these instructions we'll use a .env file, but see the full reference for other options.

This is the minimal required configuration:

# GitHub App config
RULESMITH_GITHUB_CLIENT_ID=Iv23li0mSl1wiWeE9vbZ
RULESMITH_GITHUB_CLIENT_SECRET=a582e6a693edb79c85035292ffad5a0f9f2748df
RULESMITH_GITHUB_APP_ID=1697256
RULESMITH_GITHUB_APP_PRIVATE_KEY=private-key.pem
RULESMITH_GITHUB_WEBHOOK_SECRET=5B762E14-5A6B-435A-8151-29E25C37AEC1
RULESMITH_GITHUB_APP_SLUG=rulesmith-dev

# Tink encryption key
# This can either be:
#  * a path to your keyset stored as JSON (e.g. the aead_keyset.json output by the tinkey command)
#  * the contents of that JSON file, base64 encoded
# We've used the base64 approach here for simplicity.
RULESMITH_TINK_AEAD_KEYSET=eyJwcmlt......

# Database connection
# Either specify a DSN directly, or the standard environment variables will be used: https://www.postgresql.org/docs/current/libpq-envars.html
RULESMITH_DB_DSN=postgresql://user:password@localhost/mydatabase