-
-
Notifications
You must be signed in to change notification settings - Fork 2
Compose Generation
nself build is the heart of the CLI. It reads your .env files, resolves which services to enable, and generates docker-compose.yml and nginx configs. You should run it whenever your config changes.
The Golden Rule
Never hand-edit
docker-compose.yml. It is regenerated on everynself build. Any manual changes will be lost. If you need to customize a service, use env vars or the.env.localoverride file.
When you run nself build, the CLI executes the following steps in order:
-
Load env cascade, reads
.env.dev→.env.{ENV}→.env.secrets→.env.local→.env, with later files overriding earlier ones - Apply smart defaults, fills in any unset variables with safe, sensible values
-
Normalize values, resolves ENV aliases, normalizes boolean flags, sanitizes
PROJECT_NAMEfor Docker compatibility - Run security validation, checks password strength, CORS origins, port bindings, and other security-sensitive settings; aborts with a clear error on any violation
-
Detect enabled services, reads all
*_ENABLEDenvironment variables to determine which services should be included -
Run change detection, compares file modification times to skip regeneration if nothing has changed (use
--forceto bypass) - Generate SSL certificates, uses mkcert if available, falls back to OpenSSL; skips if valid certs already exist
- Generate nginx configuration, writes all nginx config files based on enabled services and SSL state
-
Generate
docker-compose.yml, assembles the full compose file from all enabled service definitions - Apply post-processing, configures log drivers, graceful shutdown timeouts, and security hardening appropriate for the current environment
-
Validate the generated compose, runs
docker compose configto verify the output is well-formed -
Write
.env.computed, records derived values (resolved ports, computed flags, etc.) for use by downstream tooling
nself build is smart, it only regenerates files that actually need updating:
- If
.envis newer thandocker-compose.yml→ regenerate compose - If
.envis newer thannginx/nginx.conf→ regenerate nginx - If SSL certs are missing or expired → regenerate SSL
- If the CLI version has changed → rebuild everything from scratch
This makes repeated builds fast. Use --force to bypass the cache and rebuild everything unconditionally.
When plugins are installed, each one provides a docker-compose.plugin.yml overlay file. During nself build, these overlay files are merged into the final docker-compose.yml in a well-defined order:
- Base compose, core required services
- Optional service sections, Redis, MinIO, mailpit, and other optional services if enabled
-
Monitoring bundle, Prometheus, Grafana, Loki, and the rest of the monitoring stack (if
MONITORING_ENABLED=true) -
Custom services,
CS_1throughCS_10as defined in your env - Plugin overlay files, one per installed plugin, applied in install order
Plugin overlays can add new services, volumes, and networks. They cannot remove or rename services that already exist in the base compose. This ensures the core stack remains stable regardless of which plugins are installed.
The compose file is assembled in this order. Services later in the list can depend on services earlier in the list.
-
Core,
postgres,hasura,auth,nginx -
Optional,
minio(with init container),redis,mailpit,admin,functions,mlflow,search -
Monitoring,
prometheus,grafana,loki,promtail,tempo,alertmanager,cadvisor,node-exporter,postgres-exporter,redis-exporter -
Custom,
CS_1throughCS_10 -
Plugins, loaded from
~/.nself/plugins/, in install order
In staging and prod environments, nself build automatically applies security hardening to every generated service definition:
-
cap_drop: ALL, drops all Linux capabilities by default -
security_opt: no-new-privileges: true, prevents privilege escalation -
cap_add: NET_BIND_SERVICE, re-adds only the capability that services actually need
These are applied automatically based on your ENV setting. You do not need to configure them. In dev, hardening is relaxed to avoid friction during local development.
nself build # Rebuild (only regenerates changed files)
nself build --force # Force full rebuild, bypassing the cache
nself build --check # Validate config without writing any files
nself build --security-report # Show the full security validation reportSee also: Architecture | Config-System | Nginx-Generation | Plugin-Architecture | Home
ɳSelf CLI v1.0.9. MIT licensed. Docs CC BY 4.0.
GitHub · Issues · Discussions · nself.org · docs.nself.org
Getting Started
Commands
- Commands, Overview
- Lifecycle: cmd-init · cmd-build · cmd-start · cmd-stop · cmd-restart · cmd-dev
- Monitoring: cmd-status · cmd-logs · cmd-health · cmd-urls · cmd-doctor · cmd-monitor · cmd-alerts · cmd-sentry · cmd-watchdog · cmd-dogfood
- Data: cmd-db · cmd-backup · cmd-dr · cmd-queue · cmd-webhooks
- Config: cmd-config · cmd-service · cmd-env · cmd-promote
- Networking: cmd-ssl · cmd-trust · cmd-dns-setup
- Security: cmd-security · cmd-secrets · cmd-waf
- Tenancy: cmd-tenant · cmd-billing
- Plugins: cmd-plugin · cmd-license
- AI: cmd-ai · cmd-claw · cmd-model
- Templates: cmd-template
- Utilities: cmd-exec · cmd-clean · cmd-reset · cmd-update · cmd-upgrade · cmd-version · cmd-admin · cmd-migrate · cmd-migrate-firebase · cmd-migrate-supabase · cmd-completion
Features
- Features, Overview
- Feature-Auth
- Feature-Storage
- Feature-Search
- Feature-Functions
- Feature-Email
- Feature-Monitoring
- Feature-Plugins
- Feature-ɳClaw, AI Assistant
- Feature-ɳChat, Messaging
- Feature-ɳTV, Media Player
- Feature-ɳFamily, Family Social
- Feature-ɳCloud, Managed Hosting
- Feature-Memory-Rooms, Knowledge Organization
- Feature-Agent-Dashboard, Agent Metrics
- Feature-Image-Generation, AI Image Generation
Configuration
- Configuration, Overview
- Config-Env-Vars
- Config-Postgres
- Config-Hasura
- Config-Auth
- Config-Nginx
- Config-Optional-Services
- Config-Custom-Services
- Config-System
Plugins (87 + 10 monitoring)
Free (25)
- plugin-backup
- plugin-content-acquisition
- plugin-content-progress
- plugin-cron
- plugin-donorbox
- plugin-feature-flags
- plugin-github
- plugin-github-runner
- plugin-invitations
- plugin-jobs
- plugin-link-preview
- plugin-mdns
- plugin-mlflow
- plugin-monitoring
- plugin-notifications
- plugin-notify
- plugin-paypal
- plugin-search
- plugin-shopify
- plugin-stripe
- plugin-subtitle-manager
- plugin-tokens
- plugin-torrent-manager
- plugin-vpn
- plugin-webhooks
Pro (62)
- plugin-access-controls
- plugin-activity-feed
- plugin-admin-api
- nself-ai-gateway
- nself-ai-cc
- nself-ai-mcp
- plugin-analytics
- plugin-auth
- plugin-backup-pro
- plugin-bots
- plugin-browser
- plugin-calendar
- plugin-cdn
- plugin-chat
- plugin-claw
- plugin-claw-budget
- plugin-claw-news
- plugin-claw-web
- plugin-cloudflare
- plugin-cms
- plugin-compliance
- plugin-cron-pro
- plugin-ddns
- plugin-devices
- plugin-documents
- plugin-donorbox-pro
- plugin-entitlements
- plugin-epg
- plugin-file-processing
- plugin-game-metadata
- plugin-geocoding
- plugin-geolocation
- plugin-google
- plugin-home
- plugin-idme
- plugin-knowledge-base
- plugin-linkedin
- plugin-livekit
- plugin-media-processing
- plugin-meetings
- plugin-moderation
- plugin-mux
- plugin-notify-pro
- plugin-object-storage
- plugin-observability
- plugin-paypal-pro
- plugin-photos
- plugin-podcast
- plugin-post
- plugin-realtime
- plugin-recording
- plugin-retro-gaming
- plugin-rom-discovery
- plugin-shopify-pro
- plugin-social
- plugin-sports
- plugin-stream-gateway
- plugin-streaming
- plugin-stripe-pro
- plugin-support
- plugin-tmdb
- plugin-voice
- plugin-web3
- plugin-workflows
Planned (26)
plugin-auditplugin-blogplugin-checkoutplugin-commerceplugin-drmplugin-exportplugin-flowplugin-importplugin-ldapplugin-mailgunplugin-mediaplugin-oauth-providersplugin-pagesplugin-postmarkplugin-rate-limitplugin-reportsplugin-samlplugin-schedulerplugin-sendgridplugin-ssoplugin-subscriptionplugin-thumbplugin-transcoderplugin-twilioplugin-wafplugin-watermark
Guides
- Guide-Production-Deployment
- Guide-SSL-Setup
- Guide-Multi-Tenancy
- Guide-Security-Hardening
- Guide-Monitoring-Setup
- Guide-Backup-Restore
- Guide-Custom-Services
- Guide-Migration-from-v1
Architecture
Reference
- API-Reference
- reference-error-codes, Error Codes
Licensing
Security
Brand
Operations
- operations/release-cascade, Release Cascade
- operations/self-healing, Self-Healing Schema
- operations/redis-tuning, Redis Pool Tuning
- operations/meilisearch-warmup, MeiliSearch Warm-Up
- operations/jwt-rotation, JWT Key Rotation
- operations/windows-wsl2-setup, Windows / WSL2 Setup
- operations/gemini-oauth-reauth, Gemini OAuth Reauth
Contributing
Admin
- USER-ACTION-QUEUE, Pending Admin Actions