Self-hosted install

Updated July 2026

Studios that keep everything on their own network run the Dousen server (DousenCore) themselves with Docker Compose. One container runs the API and web portal, one runs MariaDB; artists' DousenDesktop apps and the Unreal plugin talk to it over plain HTTP/JSON on port 8080.

The deployment bundle ships in the release under deploy/self-hosted/: a docker-compose.yml, an install.sh helper, an annotated .env.example, and SELF_HOSTING.md with operational notes.

Requirements

Install

  1. Copy the bundle and create your env file.

    Copy deploy/self-hosted/ to the host and duplicate .env.example as .env. Every setting below lives in this file.

  2. Fill in the required values.

    Database passwords, a DOUSEN_JWT_SECRET of at least 32 characters (the service refuses to start with a shorter one), and your license keys.

  3. Start it.
    SHELLdocker compose up -d

    The API container waits for MariaDB to be healthy, runs its migrations, and comes up on port 8080.

  4. Verify.

    curl http://localhost:8080/health should answer, and http://<server>:8080/portal/ serves the admin portal. From there, follow the Quick start: create users and a project, connect Jira, and roll DousenDesktop out to artists.

Configuration reference

All server configuration is environment variables in .env. The compose file wires them into the containers.

Required

VariablePurpose
MARIADB_ROOT_PASSWORDRoot password for the bundled MariaDB.
MARIADB_USER / MARIADB_PASSWORDThe service account the API uses (default user dousen).
DOUSEN_JWT_SECRETSecret for signing session tokens. Minimum 32 characters.
DOUSEN_LICENSE_KEYYour license token, pasted verbatim.
DOUSEN_LICENSE_PUBLIC_KEY_PEMThe public key issued with the license; the server verifies the license offline with it.

Optional

VariablePurpose
DOUSEN_CONTROL_PLANE_URLWhere the daily license heartbeat goes. Default https://control.dousen.io. Heartbeat failures never take the server down — offline networks are fine.
DOUSEN_P4PORT / DOUSEN_P4USER / DOUSEN_P4CLIENT / DOUSEN_P4PASSWDThe server's Perforce service connection — used for its changelist operations. Artists' own P4 identities live in DousenDesktop, not here. See Perforce.
DOUSEN_WEBHOOK_SECRETShared secret for the Jira webhook at /webhooks/jira.
DOUSEN_BIND_HOST / DOUSEN_REST_PORTWhere the API port is published on the host. Defaults to 127.0.0.1:8080 — loopback only, expecting a reverse proxy in front. Set DOUSEN_BIND_HOST=0.0.0.0 to expose it directly on a trusted LAN.
DOUSEN_VERSIONImage tag to run. Defaults to latest; pin a version for controlled upgrades.
RUST_LOGLog level, default info.

Directory sign-in (LDAP / Active Directory)

By default users sign in with passwords stored on the instance (DOUSEN_AUTH_MODE=local). To delegate to your directory, set DOUSEN_AUTH_MODE=ldap — users are then auto-provisioned on first login, and membership in the admin group grants the admin role. See User & auth management.

VariablePurpose
DOUSEN_LDAP_URLDirectory server, e.g. ldaps://ad.studio.lan.
DOUSEN_LDAP_BIND_DN_TEMPLATETemplate for the bind DN of the signing-in user.
DOUSEN_LDAP_USER_SEARCH_BASE / DOUSEN_LDAP_USER_FILTERWhere and how to look users up.
DOUSEN_LDAP_ADMIN_GROUPDirectory group whose members become Dousen admins.
DOUSEN_LDAP_START_TLSEnable StartTLS (default false; prefer an ldaps:// URL).

Operational notes

The server binds to loopback by default. If artists can't reach it, that's the first thing to check — either front it with a reverse proxy (recommended, and where TLS should terminate) or set DOUSEN_BIND_HOST=0.0.0.0.