Skip to content

docker.md

Latest commit

 

History

History
270 lines (173 loc) · 10 KB

docker.md

File metadata and controls

270 lines (173 loc) · 10 KB

Self Hosting Sure with Docker

This guide will help you setup, update, and maintain your self-hosted Sure application with Docker Compose. Docker Compose is the most popular and recommended way to self-host the Sure app.

Setup Guide

Follow the guide below to get your app running.

Step 1: Install Docker

Complete the following steps:

  1. Install Docker Engine by following the official guide
  2. Start the Docker service on your machine
  3. Verify that Docker is installed correctly and is running by opening up a terminal and running the following command:
# If Docker is setup correctly, this command will succeed
docker run hello-world

Step 2: Configure your Docker Compose file and environment

Create a directory for your app to run

Open your terminal and create a directory where your app will run. Below is an example command with a recommended directory:

# Create a directory on your computer for Docker files (name it whatever you like)
mkdir -p ~/docker-apps/sure

# Once created, navigate your current working directory to the new folder
cd ~/docker-apps/sure

Copy our sample Docker Compose file

Make sure you are in the directory you just created and run the following command:

# Download the sample compose.yml file from the GitHub repository
curl -o compose.yml https://raw.githubusercontent.com/we-promise/sure/main/compose.example.yml

This command will do the following:

  1. Fetch the sample docker compose file from our public Github repository
  2. Creates a file in your current directory called compose.yml with the contents of the example file

At this point, the only file in your current working directory should be compose.yml.

Step 3 (optional): Configure your environment

By default, our compose.example.yml file runs without any configuration.
That said, if you would like extra security (important if you're running outside of a local network), you can follow the steps below to set things up.

If you're running the app locally and don't care much about security, you can skip this step.

Create your environment file

In order to configure the app, you will need to create a file called .env, which is where Docker will read environment variables from.

To do this, you should get our .env.example as a starting point:

curl -o .env https://raw.githubusercontent.com/we-promise/sure/main/.env.example

Generate the app secret key

The app requires an environment variable called SECRET_KEY_BASE to run.

We will first need to generate this in the terminal. If you have openssl installed on your computer, you can generate it with the following command:

openssl rand -hex 64

Alternatively, you can generate a key without openssl or any external dependencies by pasting the following bash command in your terminal and running it:

head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n' && echo

Once you have generated a key, save it and move on to the next step.

Fill in your environment file

Open the file named .env that we created in a prior step using your favorite text editor.

Fill in this file with the following variables:

SECRET_KEY_BASE="replacemewiththegeneratedstringfromthepriorstep"
POSTGRES_PASSWORD="replacemewithyourdesireddatabasepassword"

Using HTTPS

Assuming you want to access your instance from the internet, you should have secured your URL address with an SSL certificate.
The Docker instance runs in plain HTTP and you need to tell it that you are redirecting your HTTPS stream to the HTTP one.
To do this, edit the compose.yml file and find the line stating:

RAILS_ASSUME_SSL: "false"

and change it to true

RAILS_ASSUME_SSL: "true"

Step 4: Run the app

You are now ready to run the app. Start with the following command to make sure everything is working:

docker compose up

This will pull our official Docker image and start the app. You will see logs in your terminal.

Open your browser, and navigate to http://localhost:3000.

If everything is working, you will see the Sure login screen.

Step 5: Create your account

The first time you run the app, you will need to register a new account by hitting "create your account" on the login page.

  1. Enter your email
  2. Enter a password

Step 6: Run the app in the background

Most self-hosting users will want the Sure app to run in the background on their computer so they can access it at all times. To do this, hit Ctrl+C to stop the running process, and then run the following command:

docker compose up -d

The -d flag will run Docker Compose in "detached" mode. To verify it is running, you can run the following command:

docker compose ls

Step 7: Enjoy!

Your app is now set up. You can visit it at http://localhost:3000 in your browser.

If you find bugs or have a feature request, be sure to read through our contributing guide here.

AI features, external assistant, and Pipelock

Sure ships with a separate compose file for AI-related features: compose.example.ai.yml. It adds:

  • Pipelock (always on): AI agent security proxy that scans outbound LLM calls and inbound MCP traffic
  • Ollama + Open WebUI (optional --profile ai): local LLM inference

Using the AI compose file

# Download both compose files
curl -o compose.yml https://raw.githubusercontent.com/we-promise/sure/main/compose.example.yml
curl -o compose.ai.yml https://raw.githubusercontent.com/we-promise/sure/main/compose.example.ai.yml
curl -o pipelock.example.yaml https://raw.githubusercontent.com/we-promise/sure/main/pipelock.example.yaml

# Run with Pipelock (no local LLM)
docker compose -f compose.ai.yml up -d

# Run with Pipelock + Ollama
docker compose -f compose.ai.yml --profile ai up -d

Setting up the external AI assistant

The external assistant delegates chat to a remote AI agent instead of calling LLMs directly. The agent calls back to Sure's /mcp endpoint for financial data (accounts, transactions, balance sheet).

  1. Set the MCP endpoint credentials in your .env:

    MCP_API_TOKEN=generate-a-random-token-here
MCP_USER_EMAIL=your@email.com   # must match an existing Sure user

  2. Set the external assistant connection:

    EXTERNAL_ASSISTANT_URL=https://your-agent/v1/chat/completions
EXTERNAL_ASSISTANT_TOKEN=your-agent-api-token

  3. Choose how to activate:

    • Per-family (UI): Go to Settings > Self-Hosting > AI Assistant, select "External"
    • Global (env): Set ASSISTANT_TYPE=external to force all families to use external

See docs/hosting/ai.md for full configuration details including agent ID, session keys, and email allowlisting.

Pipelock security proxy

Pipelock sits between Sure and external services, scanning AI traffic for:

  • Secret exfiltration (DLP): catches API keys, tokens, or personal data leaking in prompts
  • Prompt injection: detects attempts to override system instructions
  • Tool poisoning: validates MCP tool calls against known-safe patterns

When using compose.example.ai.yml, Pipelock is always running. External AI agents should connect to port 8889 (MCP reverse proxy) instead of directly to Sure's /mcp on port 3000.

For full Pipelock configuration, see docs/hosting/pipelock.md.

How to update your app

The mechanism that updates your self-hosted Sure app is the GHCR (Github Container Registry) Docker image that you see in the compose.yml file:

image: ghcr.io/we-promise/sure:latest

We recommend using one of the following images, but you can pin your app to whatever version you'd like (see packages):

  • ghcr.io/we-promise/sure:latest (latest alpha)
  • ghcr.io/we-promise/sure:stable (latest release)

By default, your app will NOT automatically update. To update your self-hosted app, run the following commands in your terminal:

cd ~/docker-apps/sure # Navigate to whatever directory you configured the app in
docker compose pull # This pulls the "latest" published image from GHCR
docker compose build # This rebuilds the app with updates
docker compose up --no-deps -d web worker # This restarts the app using the newest version

How to change which updates your app receives

If you'd like to pin the app to a specific version or tag, all you need to do is edit the compose.yml file:

image: ghcr.io/we-promise/sure:stable

After doing this, make sure and restart the app:

docker compose pull # This pulls the "latest" published image from GHCR
docker compose build # This rebuilds the app with updates
docker compose up --no-deps -d web worker # This restarts the app using the newest version

Troubleshooting

ActiveRecord::DatabaseConnectionError

If you are trying to get Sure started for the first time and run into database connection issues, it is likely because Docker has already initialized the Postgres database with a different default role (usually from a previous attempt to start the app).

If you run into this issue, you can optionally reset the database.

PLEASE NOTE: this will delete any existing data that you have in your Sure database, so proceed with caution. For first-time users of the app just trying to get started, you're generally safe to run the commands below.

By running the commands below, you will delete your existing Sure database and "reset" it.

docker compose down
docker volume rm sure_postgres-data # this is the name of the volume the DB is mounted to
docker compose up
docker compose exec db psql -U sure_user -d sure_development -c "SELECT 1;" # This will verify that the issue is fixed

Slow .csv import (processing rows taking longer than expected)

Importing comma-separated-value file(s) requires the sure-worker container to communicate with Redis. Check your worker logs for any unexpected errors, such as connection timeouts or Redis communication failures.