Install & self-host

BreachFix Cloud runs as a gateway process (marketing site, dashboard, /v1 API) plus a Docker-based runtime for customer workloads. Production URL: https://cloud.breachfix.com (local default port 9876).

Production (Cloudflare tunnel)

Run the gateway on breachfix-net so breachfix-tunnel can reach it. See Cloudflare tunnel setup for wildcard routing.

cd /path/to/breachfix-cloud
cp .env.example .env   # set BREACHFIX_CLOUD_PUBLIC_URL=https://cloud.breachfix.com
docker compose up -d --build
docker restart breachfix-tunnel

Verify: curl -sI https://cloud.breachfix.com/200

Service URL TLS: run ./scripts/verify-public-routing.sh before customer https://srv-….breachfix.com URLs work in browsers.

Production Docker (with deploy capability)

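The gateway container mounts the Docker socket to build and run customer workloads on the host. Because access to the Docker socket is root-equivalent on that host, treat the gateway container as fully privileged. Create the network and start the stack: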

docker network create breachfix-cloud 2>/dev/null || true
docker compose up -d --build

Customer traffic uses the gateway host proxy via Cloudflare tunnel — not host Traefik. Traefik Docker labels are reserved for a future edge option.

Local development

cd /path/to/breachfix-cloud
./scripts/start.sh

First run installs dependencies, builds all apps, and starts the API gateway on port 9876.

URLs (local)

  • Marketing: http://127.0.0.1:9876/
  • Dashboard: http://127.0.0.1:9876/dashboard/
  • API: http://127.0.0.1:9876/v1/services
  • Health: http://127.0.0.1:9876/api/health

Environment

Copy .env.example to .env. Set BREACHFIX_CLOUD_API_TOKEN, GitHub App credentials, and BreachFix billing keys as needed. See Connect GitHub for App setup.
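
A preflight check for the production .env, run before docker compose up. This is an added example, not a script shipped with BreachFix Cloud: the variable names come from this page, while MIN_TOKEN_LEN, the owner-only permission rule and the function names are assumptions.

```shell
#!/bin/sh
# Added example: preflight check for the gateway's production .env.
# MIN_TOKEN_LEN is an assumed floor, not a documented BreachFix requirement.
MIN_TOKEN_LEN=32

# Print the value of key $2 from dotenv file $1 (last assignment wins,
# surrounding quotes and a trailing CR are stripped).
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' \
        | sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Check file $1; prints one line per finding and returns the finding count.
check_env() {
    file=$1
    findings=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is missing (copy .env.example to .env first)"
        return 1
    fi

    # The file holds the API token and GitHub App credentials, so only the
    # owner should have access: group/other permission bits must be empty.
    perms=$(ls -ld "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $file is accessible to group/others ($perms); run chmod 600"
        findings=$((findings + 1))
    fi

    # An empty or short token leaves the /v1 API weakly protected.
    token=$(env_value "$file" BREACHFIX_CLOUD_API_TOKEN)
    if [ "${#token}" -lt "$MIN_TOKEN_LEN" ]; then
        echo "FAIL: BREACHFIX_CLOUD_API_TOKEN is unset or under $MIN_TOKEN_LEN chars"
        findings=$((findings + 1))
    fi

    # The production public URL must be https.
    url=$(env_value "$file" BREACHFIX_CLOUD_PUBLIC_URL)
    case $url in
        https://*) ;;
        *)  echo "FAIL: BREACHFIX_CLOUD_PUBLIC_URL is not an https:// URL"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}
```

Source the file and run check_env .env in the checkout directory; a zero exit status means no findings.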

systemd

sudo cp systemd/breachfix-cloud.service /etc/systemd/system/
sudo systemctl daemon-reload
sudo systemctl enable --now breachfix-cloud