Deployment Targets

Six variants. Pick one and skip the others. The /deploy-application skill is the interactive form of this page.

From source (dev only)

For teams with source access. From the root of the source tree:

dotnet run --project Zenvara/Zenvara.fsproj

For development machines and short-lived demos. Not a production target.

Linux + systemd

dotnet publish -c Release produces a self-contained binary. The zen CLI registers the service:

zen app fetch \
  --url https://artifacts.example.com/zenvara-linux-x64.tar.gz \
  --dir /opt/zenvara

zen service install \
  --dir /opt/zenvara \
  --port 5000 \
  --service-user zenvara \
  --data-dir /var/lib/zenvara

zen service start

The generated unit includes hardening flags — ProtectSystem=strict, PrivateTmp=true, NoNewPrivileges=true, RestrictNamespaces=true. Inspect with systemctl cat zenvara.service.

Windows Service

Same binary, same zen service install, registered via sc.exe. Most customers want a domain service account so the platform can reach SFTP and SQL with existing AD credentials.

zen service install `
  --dir C:\Services\Zenvara `
  --port 5000 `
  --service-user .\SvcZenvara `
  --service-password $password

Console debugging with Git versioning

With Git versioning enabled, the data/versions working tree is owned by the service account. libgit2 enforces a safe.directory-style ownership check and refuses to open the tree from a process running as a different user. To launch the binary from a console for debugging, switch to the service account first: runas /user:.\SvcZenvara cmd. Running as a different user produces a single Fatal log line and exits cleanly without corrupting the repo.

IIS site

For organisations standardised on IIS as the public-facing tier. The platform ships an AspNetCoreModule-compatible binary; the IIS site reverse-proxies to Kestrel.

zen iis install --dir C:\Services\Zenvara --port 5000

Kernel-mode authentication caveat: if you use Windows integrated auth on both the inbound IIS side and the platform side, configure them in the same authentication zone or you’ll see double-hop credential failures.

Docker

A multi-stage Dockerfile ships under .docker/:

docker build -f .docker/Dockerfile -t zenvara:local .

docker run -d \
  --name zenvara \
  -p 5000:5000 \
  -v /srv/zenvara/data:/data \
  zenvara:local

The container persists /data (storage, cache, logs, backups) on a named volume and emits a HEALTHCHECK against /health.

Kubernetes

Single-replica StatefulSet with a PersistentVolumeClaim for data/, a Service on port 5000, and an Ingress terminating TLS. Treat the platform as the stateful workload it is — horizontal scaling is on the roadmap; for now, scale up, not out.