Production Recommendations
Hardening and operational best practices for self-hosted GitPier.
Use this checklist before running GitPier in production.
Networking and Exposure
- Put an HTTP reverse proxy (Nginx, Traefik, or Caddy) in front of port `8828`
- Terminate TLS for all browser traffic (normally at the reverse proxy)
- Expose only the ports users need: `8828` for the web app (or your reverse-proxy entry point) and `2424` for Git over SSH
- Keep `postgres`, `redis`, `dind`, and `trusted-builder` internal-only: no published host ports, reachable only on the internal Docker network
Secrets and Access Control
- Replace every `{SECRET}` placeholder before first boot
- Generate secrets with a strong random source such as `openssl rand -base64 48`, and never reuse one value for several placeholders
- Protect the generated `/data/secrets.json` file as sensitive application material: owner-only file permissions, and no copies in version control or in unencrypted backups
- Rotate database credentials and application secrets after a compromise or after planned recovery work
- Limit administrative access to trusted operators only
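The secret-provisioning steps above end to end, as an added example and not GitPier's own tooling: the script fills each `{SECRET}` placeholder in a template with its own `openssl rand -base64 48` value, creates the output owner-only, and then checks that no placeholder survived, that no value was reused, and that the file mode is private. The template file name and the variable names in it are constructed for the example; the real file layout may differ.

```shell
#!/bin/sh
# Added example, not GitPier's own tooling: fill every {SECRET} placeholder in
# a config template with its own `openssl rand -base64 48` value, then check
# that none survived, that no value was reused, and that the result is
# owner-only. Template and variable names are constructed; real layout differs.
set -eu
umask 077   # every file created below (template, secrets) is owner-only

WORK=$(mktemp -d)
TEMPLATE="$WORK/gitpier.env.template"   # constructed stand-in
OUT="$WORK/gitpier.env"
PH='{SECRET}'

# Constructed template: three placeholders plus one ordinary setting.
cat > "$TEMPLATE" <<'EOF'
POSTGRES_PASSWORD={SECRET}
REDIS_PASSWORD={SECRET}
APP_SESSION_KEY={SECRET}
HOST_UID=1000
EOF

# One 384-bit secret as a single base64 line (64 characters, no newline).
gen_secret() {
  openssl rand -base64 48 | tr -d '\n'
}

# Replace each placeholder with an independently generated value so two
# placeholders never share a secret; a final line without \n is kept too.
fill_secrets() {
  tmpl=$1; out=$2
  : > "$out"
  while IFS= read -r line || [ -n "$line" ]; do
    while [ "${line#*$PH}" != "$line" ]; do
      line="${line%%$PH*}$(gen_secret)${line#*$PH}"
    done
    printf '%s\n' "$line" >> "$out"
  done < "$tmpl"
}

# Placeholders still present in a file; 0 means ready for first boot.
count_placeholders() {
  grep -cF "$PH" "$1" || true
}

# Succeed only if the group and other permission bits are all clear.
is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Distinct values on the output lines that held a placeholder in the template;
# anything below the placeholder count means a secret was reused.
distinct_secret_values() {
  grep -nF "$PH" "$1" | cut -d: -f1 | while read -r n; do
    sed -n "${n}p" "$2" | cut -d= -f2-
  done | sort -u | wc -l | tr -d ' '
}

fill_secrets "$TEMPLATE" "$OUT"
echo "placeholders left: $(count_placeholders "$OUT") (template had $(count_placeholders "$TEMPLATE"))"
echo "distinct secrets: $(distinct_secret_values "$TEMPLATE" "$OUT")"
if is_private "$OUT"; then echo "mode ok: owner-only"; else echo "WARNING: $OUT readable by others"; fi
```

The `count_placeholders` and `is_private` checks are the ones worth wiring into a pre-boot hook: a leftover `{SECRET}` or a world-readable secrets file should stop the deployment rather than produce a warning in a log nobody reads.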
Data Durability and Backups
- Back up `postgres_data`, `redis_data`, `dind_data`, and the bind-mounted `./data` directory
- Test restore procedures regularly in a staging environment
- Keep backup retention and encryption policies aligned with your compliance requirements
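The backup and restore-test items above, as an added example rather than GitPier's own backup tooling: the script archives a constructed stand-in for the bind-mounted `./data` directory, encrypts the archive with a passphrase file, restores it into a scratch directory, and compares tree fingerprints, so a backup is only reported good once it has actually been restored. File names, the passphrase file, and the cipher choice are assumptions. The named volumes (`postgres_data`, `redis_data`, `dind_data`) are not covered here; they would be archived the same way from a helper container that mounts the volume read-only.

```shell
#!/bin/sh
# Added example, not GitPier's own backup tooling: archive a stand-in for the
# bind-mounted ./data directory, encrypt it with a passphrase file, and prove
# the archive restores byte-for-byte before relying on it. Paths, passphrase
# file and cipher are assumptions; named volumes are not handled here.
set -eu
umask 077   # archives and the passphrase file are created owner-only

WORK=$(mktemp -d)
DATA="$WORK/data"            # stand-in for ./data
BACKUPS="$WORK/backups"
PASSFILE="$WORK/backup.pass" # must live outside the backup set itself
mkdir -p "$DATA/repos/example.git" "$BACKUPS"

# Constructed sample contents.
printf 'ref: refs/heads/main\n' > "$DATA/repos/example.git/HEAD"
printf '{"db_password":"constructed-value"}\n' > "$DATA/secrets.json"
openssl rand -base64 32 > "$PASSFILE"

# Fingerprint a tree: sha256 of every regular file keyed by relative path,
# sorted, then hashed once more so two trees compare as a single string.
tree_digest() {
  (cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
    printf '%s  ' "$f"; openssl dgst -sha256 < "$f" | sed 's/^.*= //'
  done) | openssl dgst -sha256 | sed 's/^.*= //'
}

# tar the tree, encrypt it (AES-256-CBC, PBKDF2-stretched passphrase) and
# print the archive path. The stamp keeps archives distinct for retention.
make_backup() {
  src=$1; dest=$2; stamp=$3
  out="$dest/data-$stamp.tar.enc"
  tar -C "$src" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$PASSFILE" -out "$out"
  printf '%s\n' "$out"
}

# Decrypt and unpack into a scratch directory, then compare fingerprints.
# Succeeds only if the restored tree matches the expected digest.
verify_restore() {
  archive=$1; expected=$2
  scratch=$(mktemp -d)
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$PASSFILE" -in "$archive" | tar -C "$scratch" -xf -
  actual=$(tree_digest "$scratch")
  rm -rf "$scratch"
  [ "$actual" = "$expected" ]
}

BEFORE=$(tree_digest "$DATA")
ARCHIVE=$(make_backup "$DATA" "$BACKUPS" "$(date -u +%Y%m%dT%H%M%SZ)")
if verify_restore "$ARCHIVE" "$BEFORE"; then
  echo "restore verified: $ARCHIVE"
else
  echo "RESTORE MISMATCH: do not trust $ARCHIVE"; exit 1
fi
```

Record the digest next to the archive when you take the backup; the restore drill in staging then has an objective pass/fail rather than "the files seem to be there". The passphrase file is what makes the archive useful, so it belongs with your key-management process, not in the same location as the backups.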
Build and Workflow Isolation
- Keep `dind` and `trusted-builder` off public networks
- Monitor Docker-in-Docker disk usage and image growth
- Enable the `trusted-builds` profile only when required by your workflow design
- Review the implications of running `dind` as a privileged service before production rollout: a privileged container has effectively unrestricted access to the host kernel and devices, so a build that escapes `dind` is a host compromise
Operations and Upgrades
- Pin image tags (`gitpier/gitpier`, `postgres`, `redis`, `docker:29-dind`, `docker:29-cli`) and upgrade intentionally; untagged or `latest` references change underneath you
- Roll out upgrades in staging before production
- Monitor logs and disk usage for repositories, runtime data, and Docker volumes
- Define alerting for container restarts, database failures, Redis failures, and low disk space
- Keep `HOST_UID`, `HOST_GID`, and `SSH_CLONE_HOST` explicitly set when your environment requires predictable file ownership or clone endpoints
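A pre-deploy audit covering the exposure, build-isolation, and image-pinning items on this page, as an added example and not part of GitPier: it parses a constructed Compose file and reports host ports published by the internal-only services or outside `8828`/`2424`, images with no pinned tag or with `latest`, and services declared `privileged`. A second constructed file shows the corrected configuration, with `8828` bound to `127.0.0.1` so that only a reverse proxy on the same host can reach it. The tag `X.Y.Z`, the `postgres:16`/`redis:7` pins, and the two-space-indented layout are assumptions of the sample; the parser handles the short `ports` syntax only.

```shell
#!/bin/sh
# Added example, not GitPier's own tooling: audit a Compose file against this
# page's checklist before deploying. On a constructed sample it reports host
# ports published by internal-only services or outside 8828/2424, images with
# no pinned tag or :latest, and privileged services. X.Y.Z is a placeholder.
set -eu

INTERNAL_SERVICES="postgres redis dind trusted-builder"   # never publish ports
ALLOWED_HOST_PORTS="8828 2424"                             # the only public ports
WORK=$(mktemp -d)
COMPOSE_BAD="$WORK/compose-before.yml"; COMPOSE_OK="$WORK/compose-after.yml"

# Constructed "before" file: postgres published, two unpinned images.
cat > "$COMPOSE_BAD" <<'EOF'
services:
  gitpier:
    image: gitpier/gitpier:X.Y.Z
    ports:
      - "8828:8828"
      - "2424:2424"
  postgres:
    image: postgres
    ports:
      - "5432:5432"
  redis:
    image: redis:latest
  dind:
    image: docker:29-dind
    privileged: true
  trusted-builder:
    image: docker:29-cli
EOF

# Constructed "after" file: findings fixed, 8828 bound to loopback for the proxy.
cat > "$COMPOSE_OK" <<'EOF'
services:
  gitpier:
    image: gitpier/gitpier:X.Y.Z
    ports:
      - "127.0.0.1:8828:8828"
      - "2424:2424"
  postgres:
    image: postgres:16
  redis:
    image: redis:7
EOF

# Flatten the services section into "kind service value" lines (kinds: image,
# port, privileged). Assumes 2-space indentation and the short ports syntax.
compose_facts() {
  awk -v q="'" '
    { match($0, /^ */); ind = RLENGTH; line = substr($0, ind + 1) }
    line == "" || line ~ /^#/ { next }
    ind == 0 { top = line; svc = ""; next }
    top != "services:" { next }
    ind == 2 && line ~ /:$/ { svc = line; sub(/:$/, "", svc); key = ""; next }
    ind == 4 {
      key = line; sub(/:.*/, "", key)
      v = line; sub(/^[^:]*:[ ]*/, "", v); gsub(/"/, "", v); gsub(q, "", v)
      if (key == "image") print "image", svc, v
      if (key == "privileged" && v == "true") print "privileged", svc, v
      next
    }
    ind == 6 && key == "ports" && line ~ /^- / {
      v = line; sub(/^- */, "", v); gsub(/"/, "", v); gsub(q, "", v)
      print "port", svc, v
    }' "$1"
}

# "service hostport" for each published port on an internal-only service or on
# a host port outside the allowed list. Handles container, host:container and
# ip:host:container, with an optional /tcp or /udp suffix.
port_violations() {
  compose_facts "$1" | awk -v deny_list="$INTERNAL_SERVICES" -v allow_list="$ALLOWED_HOST_PORTS" '
    BEGIN { n = split(deny_list, a, " "); for (i = 1; i <= n; i++) deny[a[i]] = 1
            n = split(allow_list, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
    $1 == "port" {
      n = split($3, p, ":")
      host = (n >= 3) ? p[2] : (n == 2 ? p[1] : "ephemeral")
      sub(/\/.*/, "", host)
      if (($2 in deny) || !(host in ok)) print $2, host
    }'
}

# "service image" for images with no tag or the :latest tag (digest pins pass).
unpinned_images() {
  compose_facts "$1" | awk '$1 == "image" {
    ref = $3; sub(/^.*\//, "", ref)   # drop registry/namespace, whose host may carry :port
    if (ref !~ /@sha256:/ && (ref !~ /:/ || ref ~ /:latest$/)) print $2, $3 }'
}

# Privileged services are reported, not failed, so the decision is explicit.
privileged_services() { compose_facts "$1" | awk '$1 == "privileged" { print $2 }'; }

# Succeed only when there is no port or image finding.
audit_compose() { [ -z "$(port_violations "$1")$(unpinned_images "$1")" ]; }

for f in "$COMPOSE_BAD" "$COMPOSE_OK"; do
  echo "== $f"; port_violations "$f"; unpinned_images "$f"; privileged_services "$f"
  if audit_compose "$f"; then echo "PASS"; else echo "FAIL"; fi
done
```

Pointing `compose_facts` at your real file is the useful part: any service in the internal list that shows up in `port_violations` is reachable from outside the Docker network, and any line from `unpinned_images` is an upgrade you did not schedule.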
Next: see Troubleshooting for common failure patterns and fixes.
