On-Premise Deployment
Self-hosted Deslicer AI with Docker Compose — OIDC authentication, SMTP email, PostgreSQL, and enterprise-tier features
Run Deslicer AI entirely within your organization's network. The on-premise deployment uses Docker Compose and integrates with your existing Identity Provider, email server, and Splunk infrastructure.
Overview
On-premise deployment gives you full control over where Deslicer runs and where your data stays. The application connects to your OIDC Identity Provider for authentication, your SMTP server for email, and routes LLM requests through a LiteLLM proxy. Billing is disabled — all users get enterprise-tier features and limits by default.
What Is Different from Cloud SaaS
| Feature | Cloud SaaS | On-Premise |
|---|---|---|
| Database | Supabase (managed) | PostgreSQL 16 + pgvector (self-hosted) |
| Authentication | Email/password + OAuth | OIDC via your Identity Provider |
| Email | Managed (Resend) | Your SMTP server |
| Billing | Stripe plans (Free / Standard / Enterprise) | Disabled — enterprise tier included |
| LLM routing | Direct API keys | LiteLLM proxy |
| Observability | Managed (Sentry + PostHog) | OpenTelemetry → Splunk HEC |
| Storage | Supabase Storage | S3-compatible (MinIO or your own) |
Prerequisites
Hardware
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 4 cores | 8 cores |
| RAM | 8 GB | 16 GB |
| Disk | 20 GB SSD | 50 GB SSD |
Software
- Docker 24.0 or later with Docker Compose v2
Services You Provide
You need three external services before installing:
- OIDC Identity Provider — PingIdentity, Okta, Azure AD, Keycloak, or any OIDC-compliant provider. Register an application with the Authorization Code grant and PKCE. Set the callback URL to https://<your-domain>/api/auth/oidc/callback.
- SMTP server — for invitation emails, notifications, and verification messages.
- At least one LLM API key — OpenAI, Anthropic, Google, or xAI. LiteLLM routes requests to whichever providers you configure.
Installation
Run the interactive installer:
bash scripts/onprem/install.sh
The installer checks prerequisites, generates secrets, pulls Docker images, initializes the database, seeds default data, and verifies that all services are healthy. The process takes approximately 30–60 minutes on first run.
For manual setup, copy .env.onprem.template to .env.onprem, fill in your OIDC, SMTP, LLM, and Splunk configuration, and start the stack with Docker Compose.
Air-Gapped Installation
If your network has no internet access, export Docker images on a connected machine first:
bash scripts/onprem/export-images.sh
Transfer the resulting archive to the target machine. The installer detects the archive automatically and loads images from it instead of pulling from the registry.
Services
The on-premise stack includes the following services:
| Service | Purpose |
|---|---|
| App Database | PostgreSQL 16 with pgvector for application data |
| Web | The Deslicer AI application |
| LiteLLM | LLM proxy that routes requests to OpenAI, Anthropic, Google, xAI |
| LiteLLM Database | PostgreSQL for LiteLLM configuration and usage tracking |
| Redis | Session caching and rate limiting |
| OTel Collector | OpenTelemetry forwarder — sends telemetry to your Splunk HEC endpoint |
| Splunk MCP | MCP server for Splunk tool integration |
Authentication
On-premise uses your organization's Identity Provider via OIDC. Users click "Sign in with your organization" on the login page and are redirected to your IdP. After authenticating, they return to Deslicer with a session.
Automatic Team Provisioning
When your IdP sends group claims during login, Deslicer automatically provisions organizations and teams based on those groups. The first user in a group becomes the owner; subsequent users join as members. Group name changes from the IdP can update organization names in Deslicer.
Local Admin Access
A local administrator account is created during installation. This account uses email/password authentication and bypasses OIDC. Use it for initial setup, troubleshooting, or when the IdP is unavailable.
Billing and Plan Limits
Billing is disabled in on-premise deployments. All users and teams receive enterprise-tier access to features, integrations, and model selections. There are no credit limits, plan restrictions, or Stripe integration.
Upgrading
Run the upgrade script to pull new images and apply changes:
bash scripts/onprem/upgrade.sh
The script backs up your database, pulls updated Docker images, restarts services, and verifies health checks before completing.
Key Configuration
| Setting | Purpose |
|---|---|
| OIDC_ISSUER_URL | Your Identity Provider's OIDC discovery endpoint |
| OIDC_CLIENT_ID | Application client ID from your IdP |
| OIDC_CLIENT_SECRET | Application client secret from your IdP |
| SMTP_HOST | SMTP server hostname for outbound email |
| ONPREM_ADMIN_EMAIL | Local administrator email address |
| ONPREM_ADMIN_PASSWORD | Local administrator password |
| SPLUNK_HEC_URL | Splunk HTTP Event Collector endpoint for telemetry |
| LITELLM_MASTER_KEY | Admin key for the LiteLLM proxy |
| AUTH_SECRET | Session encryption key (minimum 32 characters) |
Full configuration reference is available in the .env.onprem.template file included with the installation.
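A pre-flight check for a manually edited .env.onprem, added here as an example and not part of the Deslicer installer or scripts: it confirms that the settings in the table above are present, that AUTH_SECRET meets the 32-character minimum, and that the file is not readable by other users. The helper names check_onprem_env and env_get, the https:// requirement on OIDC_ISSUER_URL, and the file-permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: validate .env.onprem before starting the stack.
# check_onprem_env and env_get are hypothetical helpers, not Deslicer scripts.
# Usage: check_onprem_env .env.onprem

# Print the value of KEY from a KEY=value file (last assignment wins),
# with one pair of surrounding quotes removed.
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1 |
    sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

check_onprem_env() {
  file=$1
  rc=0
  [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }

  # Every setting from the Key Configuration table must be non-empty.
  for key in OIDC_ISSUER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET SMTP_HOST \
             ONPREM_ADMIN_EMAIL ONPREM_ADMIN_PASSWORD SPLUNK_HEC_URL \
             LITELLM_MASTER_KEY AUTH_SECRET; do
    [ -n "$(env_get "$file" "$key")" ] || { echo "missing: $key" >&2; rc=1; }
  done

  # The documentation states a 32-character minimum for AUTH_SECRET.
  secret=$(env_get "$file" AUTH_SECRET)
  [ "${#secret}" -ge 32 ] || { echo "AUTH_SECRET is under 32 characters" >&2; rc=1; }

  # Assumption of this example: the IdP must be reached over TLS.
  case $(env_get "$file" OIDC_ISSUER_URL) in
    https://*) ;;
    *) echo "OIDC_ISSUER_URL is not https://" >&2; rc=1 ;;
  esac

  # Assumption of this example: the file holds the client secret, admin
  # password and LiteLLM key, so group and other get no access (e.g. 600).
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case $mode in
    *00) ;;
    *) echo "$file has mode $mode; run: chmod 600 $file" >&2; rc=1 ;;
  esac

  return $rc
}
```

The function returns 0 only when every check passes, so it can gate whatever command you use to bring the stack up.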