Prerequisites

Host sizing, operating system, Docker version, domain, and TLS prerequisites for a production Fabrik install.

Before you pull the repository, make sure the host that will run Fabrik meets the baseline below. Most issues during the first deploy trace back to a missing prerequisite — not a misconfigured service.

Host sizing

Fabrik's nine-service stack has a cumulative memory limit of roughly 7.5 GB across containers, with Neo4j alone taking 2 GB. Plan headroom for the operating system and a future upgrade path.

| Deployment size | Users | vCPU | RAM | Disk | Notes |
|---|---|---|---|---|---|
| Small / lab | 1–10 | 4 | 8 GB | 40 GB SSD | Fine for evaluation and small teams |
| Medium | 10–50 | 8 | 16 GB | 100 GB SSD | Recommended production baseline |
| Large | 50+ | 16+ | 32+ GB | 200+ GB SSD | More Celery workers, bigger Neo4j heap |

The limits in docker-compose.yml (NEO4J_HEAP_MAX_SIZE, CELERY_WORKER_CONCURRENCY) are tunable — start with defaults, watch docker stats, raise what saturates first.

Disk growth is driven mostly by two things: APIC query result history (Time Machine snapshots can be 10–100 MB each for large fabrics) and the audit log (gzip-compressed beyond 1 MB, per-category retention). Both have retention knobs — don't over-provision until you see the growth curve.

Operating system

  • Linux x86_64. Ubuntu 22.04 LTS or Debian 12 are the tested hosts. Other distributions work as long as the Docker version below is available.
  • Linux kernel ≥ 5.10. Neo4j 5 and Alpine-based images are sensitive to older kernels.
  • Timezone set. The host /etc/timezone is mounted into containers that need it (gitea). Set it to whatever your team uses and mirror it in TZ in .env.

Windows and macOS work for development (Docker Desktop) but are not supported production targets.

Docker

  • Docker Engine ≥ 24.0 with the Compose v2 plugin (docker compose, not docker-compose). Older docker-compose v1 will not parse the file.
  • Rootless mode optional. Fabrik containers do not require host privileges; they mount named volumes only.
  • BuildKit enabled. This is the default in recent Docker; set DOCKER_BUILDKIT=1 if you're on something older.

Verify with:

docker --version            # Docker version 24.0.x or newer
docker compose version      # Docker Compose version v2.x.x

Network

  • Outbound HTTPS (port 443) to github.com for the MIM registry on first boot (backend downloads the MIM dump matching APIC_VERSION). If the host has no outbound access, pre-seed the MIM volume or set MIM_REGISTRY_INDEX_URL to a mirror.
  • Access to your APIC(s) from the backend and Celery worker containers. No fixed port — whatever your APIC listens on (usually 443). Proxies are fine; Fabrik honors HTTPS_PROXY if set.
  • Access to your AWX/Tower endpoint from the backend and Celery worker containers.
  • Inbound 80/443 for end users, reaching the reverse proxy on the Fabrik host.

Domain and TLS

Production Fabrik assumes HTTPS. The shipped nginx/nginx.conf expects Cloudflare Origin certificates by default, but any valid cert works:

  • DNS A record pointing to the Fabrik host (e.g. fabrik.example.com).
  • TLS certificate for that hostname. Let's Encrypt (certbot), Cloudflare Origin, or your internal CA — Fabrik doesn't care which. Mount the cert and key into the nginx container.
  • Matching ALLOWED_HOSTS and CORS_ALLOWED_ORIGINS in .env. Mismatches produce cryptic Django 400s and browser CORS failures — get these right the first time.

Running Fabrik over plain HTTP works, but the stock settings (SECURE_SSL_REDIRECT=true, SESSION_COOKIE_SECURE=true, CSRF_COOKIE_SECURE=true) assume TLS. If you deploy without HTTPS, you must flip those off — at which point you lose session cookie protection. HTTPS is cheap now; don't skip it.
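The cross-checks described in this section can be automated before first boot. The following is an added example, not part of Fabrik: it assumes ALLOWED_HOSTS and CORS_ALLOWED_ORIGINS are comma-separated strings, that an unset TLS flag falls back to the stock value of true, and that host matching follows Django's ALLOWED_HOSTS rules. The function names and sample values are hypothetical.

```python
from urllib.parse import urlsplit

TLS_FLAGS = ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def split_list(value):
    """Assumption: list settings are comma-separated strings in .env."""
    return [item.strip().rstrip("/").lower() for item in value.split(",") if item.strip()]


def host_allowed(host, patterns):
    """Django's ALLOWED_HOSTS rules: exact name, '*', or a leading-dot suffix."""
    return any(p == "*" or p == host or
               (p.startswith(".") and (host == p[1:] or host.endswith(p)))
               for p in patterns)


def check_site_settings(env):
    """Cross-check SITE_URL against the host, CORS and TLS-dependent settings."""
    site = urlsplit(env.get("SITE_URL", ""))
    host = (site.hostname or "").lower()
    if site.scheme not in ("http", "https") or not host:
        return ["SITE_URL: not an absolute http(s) URL"]
    origin = f"{site.scheme}://{site.netloc}".lower()
    findings = []
    if not host_allowed(host, split_list(env.get("ALLOWED_HOSTS", ""))):
        findings.append(f"ALLOWED_HOSTS: {host} not listed")
    if origin not in split_list(env.get("CORS_ALLOWED_ORIGINS", "")):
        findings.append(f"CORS_ALLOWED_ORIGINS: {origin} not listed")
    # HTTPS needs all three flags on; plain HTTP only works with them off.
    want = "true" if site.scheme == "https" else "false"
    for flag in TLS_FLAGS:
        # Assumption: an unset flag means the stock value (true).
        if env.get(flag, "true").strip().lower() != want:
            findings.append(f"{flag}: expected {want} for an {site.scheme} SITE_URL")
    return findings


# Constructed settings: the site was moved to HTTPS but two values lag behind.
SAMPLE = {
    "SITE_URL": "https://fabrik.example.com",
    "ALLOWED_HOSTS": "localhost,fabrik.example.com",
    "CORS_ALLOWED_ORIGINS": "http://fabrik.example.com",
    "SECURE_SSL_REDIRECT": "true",
    "SESSION_COOKIE_SECURE": "false",
    "CSRF_COOKIE_SECURE": "true",
}

if __name__ == "__main__":
    print("\n".join(check_site_settings(SAMPLE)) or "ok")
```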

External systems you'll integrate with

Fabrik doesn't require any of these at install time, but you'll need credentials before the install is useful:

  • One or more Cisco APIC controllers — hostname, username, password. Added through the UI after first login.
  • AWX / Ansible Tower (optional, for automation) — base URL, OAuth2 token.
  • SMTP server (optional, for email notifications) — host, port, credentials. Mailpit is bundled for local testing; disable email entirely with EMAIL_ENABLED=false if you don't need it.
  • LDAP / Active Directory (optional, for SSO) — bind DN, bind password, user and group search bases. See LDAP integration.
  • AI provider API key (optional, for AI query builder) — any of the seven supported providers. Configured per-user or as a platform default.

Before you run docker compose up

Checklist, in order:

  1. Host meets sizing, OS, and Docker requirements.
  2. Domain name resolves to the host, TLS certificate issued.
  3. Repository cloned: git clone <repo-url> fabrik && cd fabrik.
  4. Copy the template: cp .env.example .env.
  5. Generate secrets (DJANGO_SECRET_KEY, ENCRYPTION_KEY, POSTGRES_PASSWORD, NEO4J_PASSWORD, RABBITMQ_PASSWORD) — never use the placeholder values.
  6. Mirror the new passwords into DATABASE_URL and RABBITMQ_URL. Both URLs embed the password as part of the connection string. Django reads DATABASE_URL, the AWX consumer reads RABBITMQ_URL — if either drifts apart from its *_PASSWORD sibling, the stack boots but authentication fails. See Environment variables → PostgreSQL / RabbitMQ for the full explanation.
  7. Fill in ALLOWED_HOSTS, CORS_ALLOWED_ORIGINS, SITE_URL, and SMTP settings.
  8. Reserve the reverse proxy hostname and TLS cert path.

Every item on that list maps to a section in Environment variables. Work through the file top to bottom once, then start the stack.
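Steps 5 and 6 of the checklist are easy to get half right, so a preflight check that compares .env against .env.example and against itself is worth running before the first boot. The following is an added example, not part of Fabrik: the function names, the simplified dotenv parsing, and every sample value (including the `changeme` placeholder) are constructed for illustration. It reports variable names only and never prints a secret.

```python
from urllib.parse import unquote, urlsplit

SECRETS = ("DJANGO_SECRET_KEY", "ENCRYPTION_KEY", "POSTGRES_PASSWORD",
           "NEO4J_PASSWORD", "RABBITMQ_PASSWORD")
# URL variable -> the *_PASSWORD variable it must agree with (step 6).
URL_PAIRS = {"DATABASE_URL": "POSTGRES_PASSWORD", "RABBITMQ_URL": "RABBITMQ_PASSWORD"}


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and comments (simplified dotenv)."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env


def preflight(env_text, template_text):
    """Return findings; an empty list means steps 5 and 6 look complete."""
    env, template = parse_env(env_text), parse_env(template_text)
    findings = []
    for key in SECRETS:
        if not env.get(key):
            findings.append(f"{key}: missing or empty")
        elif env[key] == template.get(key):
            findings.append(f"{key}: still the .env.example placeholder")
    for url_key, pw_key in URL_PAIRS.items():
        # Passwords are percent-encoded inside URLs, so decode before comparing.
        embedded = unquote(urlsplit(env.get(url_key, "")).password or "")
        if embedded != env.get(pw_key, ""):
            findings.append(f"{url_key}: password differs from {pw_key}")
    return findings


# Constructed sample files; every value below is made up for illustration.
TEMPLATE = "DJANGO_SECRET_KEY=changeme\nPOSTGRES_PASSWORD=changeme\n"
SAMPLE = """\
DJANGO_SECRET_KEY=changeme
ENCRYPTION_KEY=k3y-constructed
POSTGRES_PASSWORD=p@ss/w0rd
NEO4J_PASSWORD=neo-constructed
RABBITMQ_PASSWORD=rabbit-new
DATABASE_URL=postgresql://fabrik:p%40ss%2Fw0rd@db:5432/fabrik
RABBITMQ_URL=amqp://fabrik:rabbit-old@rabbitmq:5672/
"""

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE, TEMPLATE)) or "ok")
```

In the sample, DATABASE_URL passes because its percent-encoded password decodes to the POSTGRES_PASSWORD value, while the unchanged secret key and the stale RabbitMQ URL are flagged.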