Install Selega

Selega is self-hosted with Docker. The provided docker-compose.yml brings up two containers — Selega and its own PostgreSQL — plus a volume for the data. You do not need to install or provision a database separately.

  • Docker with the Compose plugin (docker compose).
  • A host port for the web UI (default 8088).
  • For production: a reverse proxy with HTTPS/TLS (Caddy, nginx, or your panel’s built-in TLS).

The container image is built from node:22-slim and bakes in Tesseract OCR (with the Spanish language pack) and poppler-utils for scanned PDFs. It runs as a non-root user.

git clone https://github.com/diegoparras/selega.git && cd selega
cp .env.example .env # edit POSTGRES_PASSWORD (use something strong)
docker compose up -d --build
docker compose logs selega # the generated admin password is printed here (once)
# → http://localhost:8088

That is all: two containers (selega + selega-db) and one volume for the data.

Selega is published to GHCR on every push as ghcr.io/diegoparras/selega:latest, and the docker-compose.yml also declares build: . so you can either build from the repo or pull the published image:

git clone https://github.com/diegoparras/selega.git && cd selega
cp .env.example .env
docker compose up -d --build

Copy .env.example to .env and set real values. Never commit .env to git.

| Variable | Default | Purpose |
| --- | --- | --- |
| POSTGRES_PASSWORD | — (required) | Database password. Use something strong. |
| SELEGA_ADMIN_EMAIL | admin@selega.local | User of the first superadmin. |
| SELEGA_ADMIN_PASS | (empty) | Leave empty → a password is generated and printed once in the logs. |
| SELEGA_SECURE_COOKIE | 0 | Set to 1 behind HTTPS/TLS (session cookie sent over HTTPS only). |
| SELEGA_PORT | 8088 | Host port (the app listens on 8080 inside the container). |
| OPENROUTER_KEY | (empty) | Optional cloud AI key. Prefer loading it from Admin (stored write-only). |
| POSTGRES_USER / POSTGRES_DB | selega | Database user / name. |

  1. Run docker compose logs selega (or read your panel’s logs) and copy the generated admin password. It is printed once.
  2. Sign in with SELEGA_ADMIN_EMAIL and that password. You are now superadmin.
  3. Open the kebab menu (⋮) → System: choose which jurisdictions this installation serves and configure the engines.
  4. Open the kebab menu (⋮) → Administration: create users (agent / supervisor / auditor / admin) and edit the rules.

All of Dokploy, Easypanel, Coolify and Portainer support Docker Compose. The recommended path is to connect this GitHub repo so the panel builds the image for you; if your panel only accepts a pasted compose, use the image-only block above.

The only mandatory variable is POSTGRES_PASSWORD. Leave SELEGA_ADMIN_PASS empty so Selega generates the admin password and prints it once in the container logs. When the panel provides TLS (Dokploy, Easypanel and Coolify do automatically), set SELEGA_SECURE_COOKIE=1.

git pull && docker compose up -d --build # build from the repo
# or, with the published image:
docker compose pull && docker compose up -d

  • TLS: put Selega behind a reverse proxy with HTTPS and set SELEGA_SECURE_COOKIE=1.
  • Strong secrets in .env; never commit .env. Empty SELEGA_ADMIN_PASS → auto-generated.
  • Close the Postgres port — do not expose the db service to the host in production.
  • Back up the selega-pg volume — it is the record of legalizations.
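
A preflight check for the .env items in the list above, as an added example that is not part of the Selega repository. The 16-character minimum and the function names env_get and check_env are assumptions made here; the Postgres port and backup items are not covered.

```shell
#!/bin/sh
# Added example: production preflight for Selega's .env (not part of the Selega repo).
MIN_PW_LEN=16   # assumption: the page only says "use something strong"

# Print KEY's value from an env file: last assignment wins, surrounding quotes
# and trailing whitespace are stripped. Inline "# comments" are not parsed.
env_get() {
  sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'$/\1/"
}

# Print one FAIL line per finding; the return status is the number of findings.
# Secret values are never echoed.
check_env() {
  f=$1; issues=0
  flag() { echo "FAIL: $*"; issues=$((issues + 1)); }
  [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }

  pw=$(env_get "$f" POSTGRES_PASSWORD)
  if [ -z "$pw" ]; then
    flag "POSTGRES_PASSWORD is empty (it is the one required variable)"
  elif [ "${#pw}" -lt "$MIN_PW_LEN" ]; then
    flag "POSTGRES_PASSWORD is shorter than $MIN_PW_LEN characters"
  fi

  [ "$(env_get "$f" SELEGA_SECURE_COOKIE)" = "1" ] ||
    flag "SELEGA_SECURE_COOKIE is not 1; set it once TLS terminates in front of Selega"

  [ -z "$(env_get "$f" SELEGA_ADMIN_PASS)" ] ||
    flag "SELEGA_ADMIN_PASS is set; leave it empty so the password is generated"

  [ -z "$(env_get "$f" OPENROUTER_KEY)" ] ||
    flag "OPENROUTER_KEY is in .env; prefer loading it from Admin (write-only)"

  # A tracked .env means the secrets are already in the repository history.
  if git -C "$(dirname "$f")" ls-files --error-unmatch "$(basename "$f")" >/dev/null 2>&1; then
    flag "$f is tracked by git; remove it from the index and rotate the secrets"
  fi
  return "$issues"
}

# Run only when a path is given, e.g.: sh preflight.sh .env
if [ "$#" -gt 0 ]; then check_env "$1"; fi
```

A non-zero exit status makes it usable as a gate before docker compose up -d on a production host.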

The container runs as a non-root user, with CSP and security headers, scrypt password hashing, HMAC sessions, login lockout and parameterized queries. It is audited with semgrep, OWASP ZAP, Trivy and gitleaks.