# Install and deploy

## Prerequisites (baseline)

- Linux host with sufficient CPU, memory, and disk for SBOM and artifact storage.
- Docker Compose or Kubernetes (Helm) for deployment.
- TLS termination for external access.

## Required infrastructure

- PostgreSQL (single cluster, schema isolation per module).
- Valkey for cache, queues, and streams.
- RustFS for content-addressed artifacts.

## Optional infrastructure

- Rekor mirror for transparency log anchoring.
- Fulcio or KMS-backed signing provider.
- NATS JetStream as an alternative queue and stream transport.

## Deployment models

- Compose profiles for single-node and lab environments.
- Helm charts for multi-node and HA deployments.
- Air-gap deployment via Offline Kit (see operations/airgap.md).

## Configuration hierarchy

1) Environment variables
2) appsettings.{Environment}.json
3) appsettings.json
4) YAML overlays under etc/

## Operational baselines

- Enforce non-root containers and read-only filesystems where possible.
- Use digest-pinned images for releases.
- Keep clocks synchronized and use UTC everywhere.
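
The container baselines above can be checked mechanically before a release. The following is an added example, not part of the project's tooling: it lints a parsed Compose document for digest-pinned images, an explicit non-root `user`, and `read_only: true`. The service names, registry and the policy of treating an unset `user` as root are assumptions of this example.

```python
import re

# Image reference pinned by digest: name@sha256:<64 lowercase hex chars>
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
ROOT_USERS = {"", "0", "root"}


def is_root(user):
    """Compose `user` is 'uid', 'uid:gid' or a name. Unset falls back to the
    image default, which this example treats as root (assumed policy)."""
    if user is None:
        return True
    uid = str(user).split(":", 1)[0].strip()
    return uid in ROOT_USERS


def check_service(name, svc):
    """Return the list of baseline violations for one Compose service."""
    findings = []
    image = svc.get("image", "")
    if not DIGEST_RE.search(image):
        findings.append(f"{name}: image '{image}' is not digest-pinned")
    if is_root(svc.get("user")):
        findings.append(f"{name}: runs as root or has no explicit user")
    if svc.get("read_only") is not True:
        findings.append(f"{name}: root filesystem is not read-only")
    return findings


def check_compose(compose):
    """Check every service, in name order, and collect all findings."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        findings.extend(check_service(name, svc))
    return findings


# Constructed sample (hypothetical service and image names, not the project's).
SAMPLE = {"services": {
    "api": {"image": "registry.example/app/api@sha256:" + "a" * 64,
            "user": "10001:10001", "read_only": True},
    "worker": {"image": "registry.example/app/worker:latest", "user": "0:0"},
}}

if __name__ == "__main__":
    print("\n".join(check_compose(SAMPLE)))
```

Services that genuinely need a writable root filesystem fall under the "where possible" qualifier and would need an explicit allow-list on top of this check.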