Production Deployment

This guide covers best practices for deploying GalaxDB in production. See the platform-specific guides for Linux (systemd) and Docker Compose.

Pre-deployment Checklist

  • ✅ Use a persistent --data-dir (not the default temp dir)
  • ✅ Mount the data directory on NVMe storage for best performance
  • ✅ Enable encryption at rest with GALAXDB_KEY_PROVIDER
  • ✅ Configure Prometheus scraping of /metrics
  • ✅ Set up health check monitoring on /health
  • ✅ Configure log rotation for structured JSON logs
  • ✅ Set GALAXDB_LOG_LEVEL=info (not debug) in production
  • ✅ Mount HuggingFace cache if using embeddings
  • ✅ Test backup and restore procedure before going live

Hardware Recommendations

GalaxDB is designed for NVMe storage. The benchmark hardware (AWS c6id.4xlarge) is a good reference point:

Component | Minimum | Recommended
CPU       | 4 cores | 16+ cores (for parallel HNSW build)
RAM       | 4 GB    | 32 GB (buffer pool scales with RAM)
Storage   | SSD     | NVMe (4.49 GB/s scan throughput)
Network   | 1 Gbps  | 10 Gbps (for high-throughput wire protocol)

Storage Configuration

For best performance, mount the data directory on a dedicated NVMe volume:

bash
# Format and mount NVMe (Linux)
mkfs.ext4 /dev/nvme1n1
mkdir -p /var/lib/galaxdb
mount /dev/nvme1n1 /var/lib/galaxdb

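# Add to /etc/fstab for persistence
# (NVMe device names can change between boots; a UUID= entry taken from
# blkid is more stable than the /dev/nvme1n1 path used here)
echo '/dev/nvme1n1 /var/lib/galaxdb ext4 defaults,noatime 0 2' >> /etc/fstab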

# Set permissions
chown galaxdb:galaxdb /var/lib/galaxdb
chmod 750 /var/lib/galaxdb

Tip

Use the noatime mount option to avoid updating access timestamps on every read, which reduces write amplification on the storage device.

Security

Production security checklist:

  • Encryption at rest: Enable GALAXDB_KEY_PROVIDER with a production key management system (AWS KMS, Vault, etc.)
  • Network: Bind the wire protocol port to a private network interface, not 0.0.0.0, unless behind a load balancer
  • Firewall: Restrict access to port 5433 to application servers only. Port 9090 (observability) should be accessible only to monitoring infrastructure.
  • Key rotation: Rotate encryption keys periodically. Stop the server, re-encrypt the data directory with the new key, update GALAXDB_KEY_PROVIDER, and restart.
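
A pre-flight audit for the checklist items that can be verified from the host itself, added here as an example and not part of GalaxDB's own tooling. It assumes Linux with `ss` and `stat -c`, and that it runs with the same environment variables the server receives; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight audit of the checklist items (not GalaxDB tooling).

# dir_mode_ok DIR: succeed only if DIR grants nothing to "other" and no write
# bit to the group, i.e. mode 750 or stricter. Uses GNU/busybox stat (Linux).
dir_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    [ $(( 0$mode & 027 )) -eq 0 ]
}

# wildcard_listeners PORT...: read `ss -ltnH` output on stdin and print each
# named port that has a listener bound to a wildcard address.
wildcard_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4; port = $4
            sub(/.*:/, "", port)        # keep what follows the last colon
            sub(/:[^:]*$/, "", addr)    # keep what precedes the last colon
            wild = (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            if ((port in want) && wild && !seen[port]++) print port
        }'
}

# audit DATA_DIR: read `ss -ltnH` output on stdin, print one finding per line,
# and return 1 if anything was found. GALAXDB_* are read from the environment,
# so run it with the same environment the server gets.
audit() {
    findings=$(
        dir_mode_ok "$1" || echo "data dir $1 is missing or looser than mode 750"
        [ -n "${GALAXDB_KEY_PROVIDER:-}" ] || echo "GALAXDB_KEY_PROVIDER is not set"
        [ "${GALAXDB_LOG_LEVEL:-}" != debug ] || echo "GALAXDB_LOG_LEVEL is debug"
        for port in $(wildcard_listeners 5433 9090); do
            echo "port $port listens on all interfaces: confirm a load balancer or firewall restricts it"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# On the database host:  ss -ltnH | audit /var/lib/galaxdb
```

A non-zero exit status makes the audit usable as a gate in a deployment pipeline.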

Monitoring

Key metrics to alert on:

Metric                           | Alert condition
galaxdb_sidecar_status           | == 0 (sidecar down)
disk_full (from /health)         | == true
galaxdb_compaction_pending_bytes | > 32 GB (write stall risk)
galaxdb_embedding_backlog_depth  | > 1000 (sidecar falling behind)
galaxdb_wal_write_latency_us     | > 10000 µs (10 ms, storage issue)