Deploy: Self-Hosted
Overview
Deploy the TruthVouch Firewall on your own infrastructure (Docker, Kubernetes, on-premises) for maximum control, data residency, and customization. Ideal for high-security, high-volume, or regulated environments.
System Requirements
Minimum
- CPU: 2 cores
- RAM: 4 GB
- Disk: 20 GB (logs + cache)
- Network: 10 Mbps (depends on request volume)
Recommended
- CPU: 4+ cores
- RAM: 8+ GB
- Disk: 100+ GB
- Network: 100 Mbps (for high throughput)
Runtime
- Docker: 20.10+ or Kubernetes 1.24+
- Database: PostgreSQL 14+ (shared with TruthVouch backend)
- Redis: 6.0+ (for caching, optional but recommended)
Quick Start (Docker Compose)
1. Create Config File
Save the following as firewall-config.yaml (the Compose stack below mounts it from the current directory):

```yaml
firewall:
  version: "2.0"
  pipeline:
    enabled: true
    stages:
      - name: "rate-limiter"
        enabled: true
        config:
          requests_per_minute: 100
      - name: "input-pii-scanner"
        enabled: true
        config:
          entity_types: ["email", "ssn", "credit_card"]
          action: "mask"
      - name: "injection-detector"
        enabled: true
        config:
          sensitivity: "high"
      - name: "truth-scanner"
        enabled: true
        config:
          similarity_threshold: 0.75
      - name: "output-pii-scanner"
        enabled: true
        config:
          action: "mask"
      - name: "content-safety"
        enabled: true
        config:
          toxicity_threshold: 0.7
          bias_threshold: 0.6
```
2. Docker Compose Stack
Save the following as docker-compose.yml next to firewall-config.yaml:

```yaml
version: "3.8"
services:
  truthvouch-firewall:
    image: truthvouch/firewall:latest
    container_name: firewall
    ports:
      - "5003:5003"  # Firewall service port
    environment:
      TRUTHVOUCH_FIREWALL_CONFIG: /etc/truthvouch/firewall-config.yaml
      TRUTHVOUCH_REDIS_URL: redis://redis:6379
      # Credentials must match POSTGRES_USER / POSTGRES_PASSWORD on the postgres service below
      TRUTHVOUCH_DATABASE_URL: postgresql://truthvouch:securepass123@postgres:5432/truthvouch
      TRUTHVOUCH_FIREWALL_LOG_LEVEL: info
      TRUTHVOUCH_FIREWALL_AUDIT_ENABLED: "true"
    volumes:
      - ./firewall-config.yaml:/etc/truthvouch/firewall-config.yaml:ro
      - firewall-logs:/var/log/truthvouch
    depends_on:
      - redis
      - postgres
    networks:
      - truthvouch
  redis:
    image: redis:7-alpine
    container_name: firewall-cache
    ports:
      - "6379:6379"  # Host mapping only needed if clients outside this Compose network use Redis
    volumes:
      - redis-data:/data
    networks:
      - truthvouch
  postgres:
    image: postgres:16-alpine
    container_name: truthvouch-db
    environment:
      POSTGRES_USER: truthvouch
      POSTGRES_PASSWORD: securepass123  # Replace before any non-local deployment
      POSTGRES_DB: truthvouch
    ports:
      - "5432:5432"  # Host mapping only needed if you connect to Postgres from outside the Compose network
    volumes:
      - postgres-data:/var/lib/postgresql/data
    networks:
      - truthvouch
volumes:
  firewall-logs:
  redis-data:
  postgres-data:
networks:
  truthvouch:
    driver: bridge
```
3. Launch
```bash
docker-compose up -d
```
The Firewall is now running at http://localhost:5003.
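Before mounting firewall-config.yaml it is worth a lint pass: a stage that is silently disabled or a threshold outside its range is easy to miss in a hand-edited file. The script below is an added example, not TruthVouch project code, and the product's own schema is not documented on this page; its rules are assumptions drawn from the sample config (the six stage names and their keys, thresholds as fractions in [0, 1], a positive integer rate limit, and a local policy that every known stage must be present and enabled). The config is embedded as a Python dict that mirrors the sample so the script runs without PyYAML; in practice you would load the file with yaml.safe_load and pass the result to lint_config.

```python
"""Lint a firewall-config.yaml pipeline section before mounting it.

Added example, not TruthVouch project code. KNOWN_STAGES and the threshold
rules are assumptions inferred from the sample config, not the product schema.
"""

# Stage name -> config keys seen in the sample config (assumption).
KNOWN_STAGES = {
    "rate-limiter": {"requests_per_minute"},
    "input-pii-scanner": {"entity_types", "action"},
    "injection-detector": {"sensitivity"},
    "truth-scanner": {"similarity_threshold"},
    "output-pii-scanner": {"action"},
    "content-safety": {"toxicity_threshold", "bias_threshold"},
}
THRESHOLD_KEYS = {"similarity_threshold", "toxicity_threshold", "bias_threshold"}

# Constructed: mirrors the sample firewall-config.yaml from the quick start.
SAMPLE_CONFIG = {
    "firewall": {
        "version": "2.0",
        "pipeline": {
            "enabled": True,
            "stages": [
                {"name": "rate-limiter", "enabled": True,
                 "config": {"requests_per_minute": 100}},
                {"name": "input-pii-scanner", "enabled": True,
                 "config": {"entity_types": ["email", "ssn", "credit_card"], "action": "mask"}},
                {"name": "injection-detector", "enabled": True,
                 "config": {"sensitivity": "high"}},
                {"name": "truth-scanner", "enabled": True,
                 "config": {"similarity_threshold": 0.75}},
                {"name": "output-pii-scanner", "enabled": True,
                 "config": {"action": "mask"}},
                {"name": "content-safety", "enabled": True,
                 "config": {"toxicity_threshold": 0.7, "bias_threshold": 0.6}},
            ],
        },
    }
}


def _is_number(v):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(v, (int, float)) and not isinstance(v, bool)


def lint_config(cfg):
    """Return a list of problem strings; an empty list means the config passed."""
    problems = []
    fw = cfg.get("firewall")
    if not isinstance(fw, dict):
        return ["top-level 'firewall' mapping is missing"]
    if fw.get("version") != "2.0":
        problems.append(f"unexpected version {fw.get('version')!r}, expected '2.0'")
    pipeline = fw.get("pipeline") or {}
    if pipeline.get("enabled") is not True:
        problems.append("pipeline.enabled is not true, so no stage will run")
    stages = pipeline.get("stages") or []
    seen = {}
    for i, stage in enumerate(stages):
        name = stage.get("name")
        where = f"stage[{i}] {name!r}"
        if name not in KNOWN_STAGES:
            problems.append(f"{where}: unknown stage name")
            continue
        if name in seen:
            problems.append(f"{where}: duplicate of stage[{seen[name]}]")
        seen[name] = i
        if not isinstance(stage.get("enabled"), bool):
            problems.append(f"{where}: 'enabled' must be true or false")
        conf = stage.get("config") or {}
        for key in sorted(set(conf) - KNOWN_STAGES[name]):
            problems.append(f"{where}: unknown config key {key!r}")
        for key in sorted(THRESHOLD_KEYS & set(conf)):
            v = conf[key]
            if not _is_number(v) or not 0 <= v <= 1:
                problems.append(f"{where}: {key} must be a number in [0, 1], got {v!r}")
        rpm = conf.get("requests_per_minute")
        if name == "rate-limiter" and (not isinstance(rpm, int) or isinstance(rpm, bool) or rpm <= 0):
            problems.append(f"{where}: requests_per_minute must be a positive integer, got {rpm!r}")
        if "entity_types" in conf and not conf["entity_types"]:
            problems.append(f"{where}: entity_types is empty, so the scanner matches nothing")
    # Local deployment policy (assumption): every known stage present and switched on.
    for name in KNOWN_STAGES:
        if name not in seen:
            problems.append(f"stage {name!r} is missing from the pipeline")
    for stage in stages:
        if stage.get("name") in KNOWN_STAGES and stage.get("enabled") is False:
            problems.append(f"stage {stage['name']!r} is disabled")
    return problems


if __name__ == "__main__":
    for line in lint_config(SAMPLE_CONFIG) or ["config OK"]:
        print(line)
```

Run it as a pre-deploy check and fail the rollout on a non-empty result; the same function works on the ConfigMap content used in the Kubernetes section once it has been loaded from YAML.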
Kubernetes Deployment
1. Create Namespace
```bash
kubectl create namespace truthvouch
```
2. ConfigMap for Config
```bash
kubectl create configmap firewall-config \
  --from-file=firewall-config.yaml \
  -n truthvouch
```
3. Deployment Manifest
Save the following as firewall-deployment.yaml:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: truthvouch-firewall
  namespace: truthvouch
spec:
  replicas: 3
  selector:
    matchLabels:
      app: firewall
  template:
    metadata:
      labels:
        app: firewall
    spec:
      containers:
        - name: firewall
          image: truthvouch/firewall:latest
          ports:
            - containerPort: 5003
          env:
            - name: TRUTHVOUCH_FIREWALL_CONFIG
              value: /etc/truthvouch/firewall-config.yaml
            - name: TRUTHVOUCH_REDIS_URL
              value: redis://redis-service:6379
            - name: TRUTHVOUCH_DATABASE_URL
              valueFrom:
                secretKeyRef:
                  name: db-credentials
                  key: connection-string
          volumeMounts:
            - name: config
              mountPath: /etc/truthvouch
              readOnly: true
          resources:
            requests:
              cpu: 500m
              memory: 1Gi
            limits:
              cpu: 2000m
              memory: 4Gi
      volumes:
        - name: config
          configMap:
            name: firewall-config
```
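The Deployment takes TRUTHVOUCH_DATABASE_URL from a Secret named db-credentials with the key connection-string, which keeps the database password out of the manifest and the ConfigMap, but the page does not show how that Secret is built. The script below is an added example, not TruthVouch project code: it assembles the PostgreSQL URL from its parts, percent-encodes the user and password so characters such as '@', '/' or ':' cannot corrupt the URL, and prints a Secret manifest for kubectl apply -f -. The host postgres-service, the database name and the sample password are constructed placeholders.

```python
"""Build the db-credentials Secret referenced by the Deployment manifest.

Added example, not TruthVouch project code. Host, database and the sample
password are constructed placeholders.
"""
import base64
import json
from urllib.parse import quote, unquote, urlsplit


def build_connection_string(user, password, host, port, database):
    """Return postgresql://user:password@host:port/database with safe escaping."""
    # safe="" makes quote() escape every reserved character, including '@' and '/'.
    return (f"postgresql://{quote(user, safe='')}:{quote(password, safe='')}"
            f"@{host}:{int(port)}/{quote(database, safe='')}")


def secret_manifest(name, namespace, key, value):
    """Render an Opaque Secret whose .data[key] is the base64 of value."""
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    # json.dumps yields a double-quoted string that is also valid YAML, so an
    # unusual name or key cannot change the structure of the document.
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {json.dumps(name)}",
        f"  namespace: {json.dumps(namespace)}",
        "type: Opaque",
        "data:",
        f"  {json.dumps(key)}: {encoded}",
    ]) + "\n"


def decode_secret_value(manifest, key):
    """Read back .data[key] from a manifest produced above (verification step)."""
    prefix = f"  {json.dumps(key)}: "
    for line in manifest.splitlines():
        if line.startswith(prefix):
            return base64.b64decode(line[len(prefix):]).decode("utf-8")
    raise KeyError(key)


def password_from_connection_string(url):
    """Recover the plaintext password, showing that the escaping round-trips."""
    return unquote(urlsplit(url).password)


if __name__ == "__main__":
    # Constructed sample values; read the real password from a vault or prompt instead.
    url = build_connection_string("truthvouch", "p@ss/w:rd", "postgres-service", 5432, "truthvouch")
    print(secret_manifest("db-credentials", "truthvouch", "connection-string", url), end="")
```

Pipe the output into kubectl apply -f - rather than committing it to a repository. The equivalent one-liner, kubectl create secret generic db-credentials --from-literal=connection-string=... -n truthvouch, also works but leaves the password in shell history, which is the reason for generating the manifest from a script that reads the password from somewhere safer.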
Append the Service to the same file:

```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: firewall-service
  namespace: truthvouch
spec:
  selector:
    app: firewall
  ports:
    - port: 5003
      targetPort: 5003
  type: LoadBalancer
```
4. Deploy
```bash
kubectl apply -f firewall-deployment.yaml
kubectl get pods -n truthvouch
```
TLS/SSL Configuration
Self-Signed Certificate (Development)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
```
Production Certificate
Use Let’s Encrypt or your CA:
```bash
# Create secret
kubectl create secret tls firewall-tls \
  --cert=/path/to/cert.pem \
  --key=/path/to/key.pem \
  -n truthvouch

# Then update the Deployment to mount the secret and use it
```
Docker Compose with TLS
```yaml
services:
  truthvouch-firewall:  # same service key as in the stack above, so the settings merge
    environment:
      TRUTHVOUCH_FIREWALL_TLS_ENABLED: "true"
      TRUTHVOUCH_FIREWALL_TLS_CERT: /etc/truthvouch/certs/cert.pem
      TRUTHVOUCH_FIREWALL_TLS_KEY: /etc/truthvouch/certs/key.pem
    volumes:
      - ./certs:/etc/truthvouch/certs:ro
    ports:
      - "5003:5003"
```
Networking & Load Balancing
Behind Nginx Proxy
```nginx
upstream firewall {
    server firewall-1:5003;
    server firewall-2:5003;
    server firewall-3:5003;
}

server {
    listen 443 ssl;
    server_name firewall.company.com;

    ssl_certificate /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;

    location / {
        proxy_pass http://firewall;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 30s;
    }
}
```
Service Mesh (Istio)
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: firewall
  namespace: truthvouch
spec:
  hosts:
    - firewall
  http:
    - route:
        - destination:
            host: firewall-service
            port:
              number: 5003
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: firewall
  namespace: truthvouch
spec:
  host: firewall-service
  trafficPolicy:
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 1000
```
Scaling
Horizontal Scaling
Add more replicas:
```bash
kubectl scale deployment truthvouch-firewall --replicas=5 -n truthvouch
```
Vertical Scaling
Increase resources:
```bash
kubectl set resources deployment truthvouch-firewall \
  --limits=cpu=4000m,memory=8Gi \
  --requests=cpu=2000m,memory=4Gi \
  -n truthvouch
```
Auto-Scaling
Enable HPA:
```yaml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: firewall-hpa
  namespace: truthvouch
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: truthvouch-firewall
  minReplicas: 2
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70
```
Monitoring & Logging
Prometheus Metrics
Firewall exports metrics on :5003/metrics:
```yaml
scrape_configs:
  - job_name: 'truthvouch-firewall'
    static_configs:
      - targets: ['localhost:5003']
```
Key Metrics
- firewall_requests_total: total requests processed
- firewall_request_duration_seconds: request latency
- firewall_violations_total: violations detected, broken down by stage
- firewall_cache_hits_total: cache hits (a counter; divide by firewall_requests_total for the hit rate)
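The counters above are raw totals, so the numbers an operator actually watches (cache hit ratio, mean latency, the share of requests each stage rejects) have to be derived. The script below is an added example, not TruthVouch project code: it parses a Prometheus text-format scrape of the four metrics, derives those ratios and lists the stages whose violation share exceeds a threshold, which is a cheap first signal that a stage is misconfigured or that traffic has changed. The scrape is constructed; the metric names come from this page, while the stage label on firewall_violations_total, the histogram layout of firewall_request_duration_seconds and the 1% threshold are assumptions. In production, replace SAMPLE_SCRAPE with the body fetched from port 5003 at /metrics.

```python
"""Derive operator-facing ratios from the firewall's Prometheus exposition.

Added example, not TruthVouch project code. SAMPLE_SCRAPE is constructed; the
'stage' label and the histogram suffixes are assumptions about the exporter.
"""
import re

SAMPLE_SCRAPE = """\
# HELP firewall_requests_total Total requests processed
# TYPE firewall_requests_total counter
firewall_requests_total 12000
# TYPE firewall_violations_total counter
firewall_violations_total{stage="injection-detector"} 240
firewall_violations_total{stage="input-pii-scanner"} 90
firewall_violations_total{stage="content-safety"} 30
# TYPE firewall_cache_hits_total counter
firewall_cache_hits_total 7800
# TYPE firewall_request_duration_seconds histogram
firewall_request_duration_seconds_bucket{le="0.1"} 9000
firewall_request_duration_seconds_bucket{le="0.5"} 11500
firewall_request_duration_seconds_bucket{le="+Inf"} 12000
firewall_request_duration_seconds_sum 1800
firewall_request_duration_seconds_count 12000
"""

# metric_name{labels} value  (timestamps, if present, are ignored)
SAMPLE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)')
LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')


def parse_exposition(text):
    """Return a list of (metric_name, {label: value}, float_value) samples."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank, HELP or TYPE line
        m = SAMPLE_RE.match(line)
        if not m:
            continue  # tolerate lines this minimal parser does not understand
        name, raw_labels, value = m.groups()
        labels = dict(LABEL_RE.findall(raw_labels or ""))
        samples.append((name, labels, float(value)))
    return samples


def summarize(samples):
    """Turn raw counters into the ratios the dashboard should show."""
    def value(name):
        for n, _labels, v in samples:
            if n == name:
                return v
        return 0.0

    requests = value("firewall_requests_total")
    count = value("firewall_request_duration_seconds_count")
    violations = {l["stage"]: v for n, l, v in samples
                  if n == "firewall_violations_total" and "stage" in l}
    return {
        "requests": requests,
        "cache_hit_ratio": value("firewall_cache_hits_total") / requests if requests else 0.0,
        "mean_latency_s": value("firewall_request_duration_seconds_sum") / count if count else 0.0,
        "violation_rate": {s: (v / requests if requests else 0.0) for s, v in violations.items()},
    }


def noisy_stages(summary, max_rate=0.01):
    """Stages whose violation share exceeds max_rate, worst first (threshold is an example value)."""
    rates = summary["violation_rate"]
    return sorted((s for s, r in rates.items() if r > max_rate), key=lambda s: -rates[s])


if __name__ == "__main__":
    summary = summarize(parse_exposition(SAMPLE_SCRAPE))
    print(summary)
    print("stages above 1% violation share:", noisy_stages(summary))
```

A stage that suddenly rejects a large share of traffic is as likely to be a tuning problem (for example a similarity_threshold set too high) as a change in traffic, so treat the list as a prompt to look at the stage's audit entries rather than as an alert by itself.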
Logging
Logs go to stdout (Docker) or /var/log/truthvouch/firewall.log:
```bash
# Docker
docker logs firewall

# Kubernetes
kubectl logs -f deployment/truthvouch-firewall -n truthvouch

# File-based
tail -f /var/log/truthvouch/firewall.log
```
Backup & Recovery
Database Backups
```bash
# Manual backup
pg_dump -h localhost -U truthvouch truthvouch > backup.sql

# Restore
psql -h localhost -U truthvouch truthvouch < backup.sql

# Automated (cron)
0 2 * * * pg_dump -h localhost -U truthvouch truthvouch | gzip > /backups/truthvouch-$(date +\%Y\%m\%d).sql.gz
```
Configuration Backups
```bash
# Save current config
kubectl get configmap firewall-config -n truthvouch -o yaml > firewall-config-backup.yaml

# Restore
kubectl apply -f firewall-config-backup.yaml
```
Troubleshooting
"Connection refused" to upstream AI provider
Check that the Firewall can reach your AI provider's API. You may need to allow outbound HTTPS from the Firewall in your network firewall rules.
High memory usage
Enable Redis caching:
```bash
TRUTHVOUCH_REDIS_URL=redis://redis:6379
```
Increase GC:
```bash
TRUTHVOUCH_FIREWALL_GC_INTERVAL=60
```
Configuration not reloading
Restart the pods:
```bash
kubectl rollout restart deployment truthvouch-firewall -n truthvouch
```
Audit logs growing too large
Set retention:
```bash
TRUTHVOUCH_FIREWALL_AUDIT_RETENTION_DAYS=30
```