Self-Hosting on Quollix

Automatic updates

Mon, 01 Jan 0001 00:00:00 +0000

This article is on automatic updates of Quollix itself. The apps installed in Quollix are already automatically updated by Quollix. On the server, run:

sudo crontab -e

Add a cronjob automatically updating quollix image, for example:

0 3 * * * /usr/bin/bash -c "docker pull quollix/quollix:latest && docker compose -f /path/to/docker-compose.yml up -d"

It is recommended to test the bash command above for correct execution by manually running it.

Backup server setup

Mon, 01 Jan 0001 00:00:00 +0000

This guide shows how to set up a backup server for Quollix. For production use, this can serve as the external backup system in the 3-2-1 backup strategy.

There are two setup options:

local storage for testing
external storage for production

Local Testing

Start Quollix.
Create this docker-compose.yml:

services:
 ssh-server:
 image: linuxserver/openssh-server:latest
 container_name: dummy_backup_server
 environment:
 - PASSWORD_ACCESS=true
 - USER_NAME=sshadmin
 - USER_PASSWORD=sshpassword
 ports:
 - "127.0.0.1:2222:2222"
 networks:
 - quollix_postgres

networks:
 quollix_postgres:
 external: true

Start the backup server:

docker compose up -d

Use these values on the Quollix Settings -> Backup server page:

Backup strategy

Mon, 01 Jan 0001 00:00:00 +0000

This article describes an easy-to-set-up, low-maintenance way to implement the 3-2-1 backup rule for a Quollix server. It focuses on recoverability under realistic failure scenarios such as server compromise, data loss, or accidental deletion.

3-2-1 Backup Rule

The 3-2-1 backup rule is a widely recommended approach to data backup. It recommends:

3 copies of data
2 independent trust domains
1 off-site copy

Proposed Architecture

The above diagram shows a backup architecture that complies with the 3-2-1 rule. The system is organised into two trust domains.

GDPR compliance

Mon, 01 Jan 0001 00:00:00 +0000

Note

This section provides general information only and does not constitute legal advice. No responsibility or liability is assumed for how this information is used.

Quollix includes features that can support GDPR-aligned operation. This page provides additional legal context for selected features, explaining their relevance from a data protection perspective. The information here is not comprehensive and does not cover all GDPR obligations.

User invites

The link generated for user invitation contains only a temporary token, not a password. The token is valid for a limited time, can only be used once, and is protected by HTTPS provided that a properly signed certificate is configured, which is required for secure operation. Transmitting such links, even over insecure channels, is considered GDPR-compliant. Administrators may distribute the link through the following channels:

Scaling

Mon, 01 Jan 0001 00:00:00 +0000

Quollix is designed to run as a single-node system. There is no built-in horizontal clustering. Scaling is achieved using one of the following approaches.

Vertical Scaling

The primary scaling strategy is vertical scaling. Run Quollix on a machine with more CPU, memory, and disk space. This can be done by migrating the instance to a larger server. The server migration guide might be helpful for that.

Federation

This feature is not, or not fully, implemented yet. See the feature overview.

Server migration

Mon, 01 Jan 0001 00:00:00 +0000

Server migration means moving Quollix and apps data from one server to another. This could be for reasons such as switching cloud providers, upgrading hardware or moving between self-hosted and SaaS infrastructure.

With Quollix, migration is straightforward: simply create remote backups of all apps, set up a new Quollix instance, configure access to the remote backup server, and restore the apps from the remote backup server. To avoid compatibility issues, ensure that the Docker image tags of the old and new Quollix containers are the same.

Server preparations

Mon, 01 Jan 0001 00:00:00 +0000

This sample guide walks you through setting up a hardened Ubuntu Server host for Quollix. Adapt it to your own environment as needed.

Restrict Physical Access

Place the device in a locked rack or drawer.

OS Installation

Download Ubuntu Server: Grab the latest ISO from Canonical’s download page.
Flash it to a USB drive (Rufus, balenaEtcher, etc.). You will need to connect a screen and a keyboard in order to complete the initial setup.
During setup:
- Pick minimal installation, no GUI.
- Enable SSH server.
- Optional: Choose LVM with full-disk encryption (FDE) if you want encrypted storage (see below).

Internet Connection

Connect the server to a wired LAN to avoid having to configure a Wi-Fi connection on boot. With FDE, Wi-Fi setup would even be required twice: once in the encrypted-mode initramfs and again in the decrypted-mode main operating system. Please note that the LAN IP address of the server may differ between initramfs mode and the main operating system, since the router may recognise them as two distinct devices.

Threat model

Mon, 01 Jan 0001 00:00:00 +0000

This document describes how Quollix mitigates threats to protect its digital infrastructure.

Security Measures

Cryptography

We only use modern, well-tested cryptographic algorithms. Administrators can generate Let’s Encrypt–signed certificates or provide their own certificates to secure HTTPS endpoints. HTTP requests are redirected to HTTPS so users reach the encrypted endpoint by default.

Container Isolation

Every app runs in its own Docker container with no shared volumes, networks, or Docker socket access, and with restricted Linux capabilities.

Troubleshooting

Mon, 01 Jan 0001 00:00:00 +0000

I have forgotten my Quollix password. How can I reset it?

You can ask an admin to reset your account password.

If you are the only admin and have lost access to your account, you can reset the password by running the following command on the server:

docker exec -i quollix_postgres_postgres psql -U postgres -d application -c "UPDATE users SET hashed_password = '\$2a\$10\$ly6w8BjJ35pdGOp3rdVnHOWmZzC/MQwdF5qSt8AQZk6WnhDqNSKqW' WHERE username = '<enter-your-username>';"

This resets the account password to ‘password’.