Install Docker Compose
Production-ready setup using Docker Compose with security hardening enabled.
See https://github.com/mauriceboe/TREK/blob/main/docker-compose.yml
The compose file ships with several hardening options enabled by default:
| Setting | What it does |
|---|---|
| `read_only: true` | Mounts the container filesystem read-only; only the two named volumes and `/tmp` are writable |
| `security_opt: no-new-privileges:true` | Prevents the process from gaining additional Linux privileges via setuid/setgid executables |
| `cap_drop: [ALL]` | Drops all Linux capabilities from the container |
| `cap_add: [CHOWN, SETUID, SETGID]` | Adds back only the capabilities needed for the entrypoint to drop privileges to the `node` user |
| `tmpfs: /tmp:noexec,nosuid,size=64m` | Mounts a 64 MB in-memory `/tmp`; required because the container root is read-only |
| Host path | Container path | Contents |
|---|---|---|
| `./data` | `/app/data` | SQLite database, logs, `.jwt_secret`, `.encryption_key` |
| `./uploads` | `/app/uploads` | Uploaded files (photos, documents, covers, avatars) |
The compose file above uses bind mounts (./data, ./uploads). You can switch to Docker named volumes, which are fully managed by Docker and not tied to a specific host path. See the Docker Compose volumes reference for all options.
```yaml
services:
  app:
    # ... (rest of service config unchanged)
    volumes:
      - trek_data:/app/data
      - trek_uploads:/app/uploads

volumes:
  trek_data:
  trek_uploads:
```

Docker creates the volumes automatically on first `docker compose up`. Use `docker volume ls` and `docker volume inspect` to manage them.
The compose file reads variables from a .env file placed alongside docker-compose.yml. At minimum, set:
```
# .env
ENCRYPTION_KEY=<output of: openssl rand -hex 32>
TZ=Europe/Berlin
ALLOWED_ORIGINS=https://trek.example.com
APP_URL=https://trek.example.com
```

Uncomment and fill in the OIDC, initial setup, or MCP variables as needed. For a full description of every variable, see Environment-Variables.
Three tag strategies are available:
| Tag | Example | Behavior |
|---|---|---|
| `latest` | `mauriceboe/trek:latest` | Always the newest release across all major versions |
| Major version | `mauriceboe/trek:3` | Latest release pinned to that major version |
| Full version | `mauriceboe/trek:3.0.15` | Exact release; never changes |
The compose file above uses latest. To pin, change the image: line:
```yaml
image: mauriceboe/trek:3        # track major version 3
image: mauriceboe/trek:3.0.15   # pin to exact release
```

```bash
docker compose up -d
```

Check the logs:

```bash
docker compose logs -f
```

This compose file is designed for deployments where a reverse proxy (nginx, Caddy, Traefik) terminates TLS in front of TREK. To enable HTTPS redirects and secure cookies, uncomment `FORCE_HTTPS=true` and `TRUST_PROXY=1`.
See Reverse-Proxy for complete proxy configuration examples.
- Environment-Variables — full variable reference
- Reverse-Proxy — HTTPS configuration
- Updating — how to pull a new image