Frequently Asked Questions
Can't find an answer? Open a discussion on GitHub.
GENERAL
Tronexus is an opinionated, production-grade AI infrastructure stack that runs on your own hardware. It bundles local LLM inference, an AI chat interface, workflow automation, authentication, monitoring, and security hardening into a single installable package. You get all the capabilities of a cloud AI platform — without the subscription fees, data privacy concerns, or vendor lock-in.
Yes. Tronexus itself is MIT licensed and free. You run it on your own hardware — the only costs are the hardware you already own and electricity. If you choose to route requests to commercial AI providers (OpenAI, Anthropic, etc.) through LiteLLM, those providers charge per token — but local models via Ollama are entirely free.
Most self-hosted AI projects give you individual containers without integration. Tronexus is different in three ways: it is fully integrated out of the box (services talk to each other), it includes production-grade security from day one (hardened Ubuntu, auth API, TLS, monitoring), and it is designed to be installed with a single command on a fresh machine. You do not spend a week stitching things together.
Ubuntu 24.04 LTS is the current long-term support release with 5-year security coverage. The installer applies hardening that is specific to this release — package names, systemd unit paths, and sysctl values are all tested against 24.04. Other Ubuntu versions and Debian-based distros may work but are not officially supported in v1.
HARDWARE & MODELS
Tronexus installs and runs without a GPU. Ollama falls back to CPU inference automatically. Performance will be significantly slower (minutes per response rather than seconds), but it is functional for development, testing, or light use. For production workloads, a GPU is strongly recommended. AMD GPU support is on the roadmap.
Yes. This is actually the recommended setup if you have a gaming PC or workstation on the same local network. Install Ollama on the GPU machine, configure it to listen on all interfaces, and set INFERENCE_HOST in your Tronexus .env. Your primary server stays lean and the GPU machine handles all inference. See the Remote Inference section in the installation guide.
For 8GB VRAM, the sweet spot is 7B–8B parameter models at 4-bit quantisation. Good starting points: mistral:7b-instruct-q4_K_M (fast, well-rounded), llama3:8b (strong reasoning), gemma3:9b (Google's model, good instruction following). For the monitoring summary specifically, Mistral 7B is used by default — it produces clean, concise output. Pull models with docker exec tronexus-ollama ollama pull <model>.
A 7B model at 4-bit quantisation is roughly 4–5 GB. A 13B model is around 8 GB. Models are stored in the ollama_data Docker volume. For a useful collection of 3–4 models, budget 20–30 GB of storage just for models. The rest of the stack (containers, databases, volumes) uses around 10–15 GB.
SECURITY
The installer applies these hardening measures automatically: UFW firewall (only SSH, HTTP, HTTPS allowed), fail2ban (SSH brute force protection with automatic banning), SSH configuration hardening (no root login, no password auth, reduced grace time, no X11 forwarding), sysctl network hardening (no ICMP redirects, SYN cookie protection, kernel pointer restriction), and unattended-upgrades for automatic security patches. These are the same measures applied to professional server infrastructure.
The installer disables SSH password authentication and sets PermitRootLogin no. If you did not have an SSH key configured before running the installer, you may be locked out. To recover: access the machine directly (console, KVM, or cloud provider's serial console), log in as root or via the hosting provider's rescue mode, and re-enable password authentication temporarily by editing /etc/ssh/sshd_config and running systemctl restart sshd. Then add your SSH public key to ~/.ssh/authorized_keys before disabling password auth again.
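A pre-flight check for the lockout described above, as an added example that is not part of the Tronexus installer: it confirms that an authorized_keys file holds at least one key sshd will accept, and compares a config file with the settings this FAQ names. The function names and sample files are constructed; PasswordAuthentication and X11Forwarding are the standard sshd_config keywords assumed for the measures the page lists in prose.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# Count authorized_keys lines that carry a public key (comments skipped,
# option prefixes such as command="..." before the key type allowed).
count_usable_keys() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$1" | grep -cE \
      '(^|[[:space:]])(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com)[[:space:]]+AAAA[A-Za-z0-9+/]+' || true
}

# First value of a keyword in the global part of one sshd_config file.
# sshd keeps the first value it reads; Match blocks are not evaluated here.
sshd_setting() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == k { print tolower($2); exit }' "$1"
}

# Succeed only if disabling password logins cannot lock this account out.
safe_to_disable_passwords() {
    n=$(count_usable_keys "$1")
    [ "$n" -gt 0 ] || { echo "UNSAFE: no public key in $1"; return 1; }
    # sshd StrictModes refuses a key file that group or others can write to.
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "UNSAFE: $1 is group- or world-writable"; return 1
    fi
    echo "OK: $n key(s) in $1"
}

# Compare a config file with the installer settings the FAQ names.
# LoginGraceTime is left out because the page gives no value for it.
audit_sshd_config() {
    rc=0
    for pair in permitrootlogin:no passwordauthentication:no x11forwarding:no; do
        got=$(sshd_setting "$1" "${pair%%:*}")
        [ "$got" = "${pair#*:}" ] && echo "ok   $pair" ||
            { echo "DIFF ${pair%%:*} is '${got:-unset}'"; rc=1; }
    done
    return $rc
}

# Constructed sample input (the key blob is a dummy, not a real key).
demo=$(mktemp -d)
printf '# laptop\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedSampleOnly admin@laptop\n' > "$demo/authorized_keys"
chmod 600 "$demo/authorized_keys"
printf 'PermitRootLogin no\nPasswordAuthentication yes\n#X11Forwarding no\nMatch User backup\n  X11Forwarding no\n' > "$demo/sshd_config"
safe_to_disable_passwords "$demo/authorized_keys"
audit_sshd_config "$demo/sshd_config" || echo "config differs from the hardened baseline"
```

On a live Ubuntu 24.04 host, sudo sshd -T prints the effective values after the Include files under /etc/ssh/sshd_config.d/ are merged, which a single-file check like this one does not see.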
The stack provides strong perimeter security but does not encrypt data at rest by default. The Postgres database and Ollama model files are stored unencrypted on disk. For sensitive deployments, consider full-disk encryption (LUKS) on the underlying storage. The .env file containing secrets is chmod 600. API keys and passwords are bcrypt hashed in the database — a database dump does not reveal plain credentials.
No data leaves your machine unless you explicitly configure it to. Local LLM inference via Ollama is 100% on-device. Caddy sends ACME challenges to Let's Encrypt to obtain TLS certificates — this is standard HTTPS and involves no user data. Watchtower checks Docker Hub for container image updates. The monitoring script sends alert messages to your Telegram bot — this is opt-in and configured by you. If you add commercial AI provider API keys (OpenAI, Anthropic), requests to those models will be sent to their APIs.
OPERATIONS
Watchtower automatically updates all containers that pull from public registries (Open WebUI, n8n, LiteLLM, Postgres, etc.) at 3:00 AM daily. The Auth API is a local build and is not updated by Watchtower — update it manually by pulling the latest code and rebuilding: cd /opt/tronexus && git pull && docker compose up -d --build auth.
The critical data to back up is the Postgres database and the .env file. A simple backup: docker exec tronexus-postgres pg_dumpall -U tronexus > /backup/tronexus-$(date +%Y%m%d).sql. n8n workflows are stored in Postgres. Open WebUI conversations are in the openwebui_data volume. Ollama models can be re-pulled and do not need backing up unless you have customised them.
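A more defensive form of the one-line dump above, as an added example that is not Tronexus's own backup tooling: with a plain shell redirect, a failed docker exec still leaves a file behind, so this wrapper keeps the dump only when the command succeeds and pg_dumpall's closing marker is present. write_dump and the stand-in commands are constructed for illustration.

```shell
#!/bin/sh
# Added example; write_dump and the fake_* commands are constructed for illustration.
# Real use, with the command from the FAQ:
#   write_dump "/backup/tronexus-$(date +%Y%m%d).sql" \
#       docker exec tronexus-postgres pg_dumpall -U tronexus

# Run a dump command and keep its output only if it finished cleanly.
#   $1 = destination file, remaining args = command that writes the dump to stdout
write_dump() {
    out=$1; shift
    # mktemp creates the file readable by its owner only; the dump holds
    # password hashes and workflow data, and mv keeps that mode.
    tmp=$(mktemp "$out.XXXXXX") || return 1
    if ! "$@" > "$tmp"; then
        echo "dump command failed; nothing written to $out" >&2
        rm -f "$tmp"; return 1
    fi
    # pg_dumpall ends its output with this marker; a cut-off dump lacks it.
    if ! tail -n 5 "$tmp" | grep -q 'PostgreSQL database cluster dump complete'; then
        echo "dump is incomplete; nothing written to $out" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
}

# Constructed stand-ins for the real command, so the example runs without Docker.
fake_ok() {
    printf '%s\n' '-- dump' 'CREATE ROLE tronexus;' '--' \
        '-- PostgreSQL database cluster dump complete' '--'
}
fake_fail() { printf '%s\n' '-- dump' 'CREATE ROLE tronexus;'; return 1; }

dir=$(mktemp -d)
write_dump "$dir/good.sql" fake_ok && echo "kept good.sql"
write_dump "$dir/bad.sql" fake_fail || echo "rejected bad.sql"
```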
Check the container logs: docker logs tronexus-<service> --tail 50. Common causes: wrong credentials in .env (check the exact variable names against the configuration reference), port conflict (another service using the same port), or a dependency not being ready (Postgres health check failing). The monitoring script will also catch containers in a restart loop and send a Telegram alert.
Yes. Add your service to docker-compose.yml under the tronexus network and it will be able to communicate with all existing services by container name. Add a Caddy route in caddy/Caddyfile to expose it via HTTPS. Caddy will automatically obtain a TLS certificate for the new subdomain.
It is a compound of Duotronic (the foundational computing architecture of the Federation in Star Trek) and Nexus (the central connection point everything routes through). Duotronic was the computing system that preceded isolinear chips — the technology that made warp navigation and ship intelligence possible. Tronexus is the nexus of your own computing stack.