You can change 1122 to any available port on your host system.

Target

3000

Default

1122

Value

1122

Target

/app/data

Value

/mnt/user/appdata/jotty/data

Target

/app/config

Value

/mnt/user/appdata/jotty/config

Target

/app/.next/cache

Value

/mnt/user/appdata/jotty/cache

Sets the Node.js environment to production mode for optimal performance and security.

Default

production

Value

production

Process User ID that the container will run as.

Default

99

Value

99

Process Group ID that the container will run as.

Default

100

Value

100

Sets the default file creation mask.

Default

002

Value

002

Enables HTTPS mode for secure connections.

Default

false|true

Value

false

Base URL of your jotty·page instance. Required for secure session (https) and SSO. Include the https://

Target

APP_URL

Allows public access to uploaded images via direct URLs.

Target

SERVE_PUBLIC_IMAGES

Default

yes|no

Value

yes

Allows public access to uploaded files via direct URLs.

Target

SERVE_PUBLIC_VIDEOS

Default

yes|no

Value

yes

Allows public access to uploaded files via direct URLs.

Target

SERVE_PUBLIC_FILES

Default

yes|no

Value

yes

If set to yes stops the github api call and won't give you a toast when a new update is available.

Target

STOP_CHECK_UPDATES

Default

no|yes

Value

no

Optional. Disables brute force protection for local login authentication. By default, accounts are temporarily locked after 3 failed login attempts with exponential delays (10s, 30s, 60s, etc.). Set to true to completely disable this security feature.

Target

DISABLE_BRUTEFORCE_PROTECTION

Default

false|true

Value

false

Optional. Sets the default language for the application (e.g., on the login page) when no user is logged in or a user hasn't set a preference.

Target

DEFAULT_LOCALE

Default

en

Value

en

Optional. Enables zooming on the PWA for accessibility reasons.

Target

ENABLE_PWA_ZOOM

Default

no|yes

Value

no

Enables OIDC (OpenID Connect) single sign-on or LDAP/Active Directory authentication. Set to 'oidc' or 'ldap'. Supersedes SSO_MODE.

Target

AUTH_MODE

Default

|oidc|ldap

Legacy fallback for AUTH_MODE. Kept for backward compatibility with existing setups — prefer AUTH_MODE for new installs. Leave empty if AUTH_MODE is set.

Target

SSO_MODE

Default

|oidc

URL of your OIDC provider (e.g., Authentik, Auth0, Keycloak).

Target

OIDC_ISSUER

Client ID from your OIDC provider configuration.

Target

OIDC_CLIENT_ID

Optional. Client secret for confidential OIDC client authentication.

Target

OIDC_CLIENT_SECRET

Optional. Path to file containing the OIDC client ID. If set, takes priority over OIDC_CLIENT_ID. Useful for Docker Secrets.

Target

OIDC_CLIENT_ID_FILE

Optional. Path to file containing the OIDC client secret. If set, takes priority over OIDC_CLIENT_SECRET. Useful for Docker Secrets.

Target

OIDC_CLIENT_SECRET_FILE

Optional. Allows both SSO and local authentication methods.

Target

SSO_FALLBACK_LOCAL

Default

yes|no

Value

yes

Optional. Comma-separated list of OIDC groups that should have admin privileges.

Target

OIDC_ADMIN_GROUPS

Default

admins

Value

admins

Optional. Comma-separated list of OIDC roles that should have admin privileges.

Target

OIDC_ADMIN_ROLES

Default

admin

Value

admin

Optional. Comma-separated list of OIDC groups allowed to access the application. If set, only users in these groups (or admins) can log in.

Target

OIDC_USER_GROUPS

Optional. Comma-separated list of OIDC roles allowed to access the application. If set, only users with these roles (or admins) can log in.

Target

OIDC_USER_ROLES

Scope to request for groups. Defaults to 'groups'. Set to empty string or 'no' to disable for providers like Entra ID that don't support the groups scope.

Target

OIDC_GROUPS_SCOPE

Default

groups

Value

groups

Optional. Custom logout URL for global logout. Full URL to redirect to when logging out.

Target

OIDC_LOGOUT_URL

URL of your LDAP server (e.g., ldap://ldap.example.com:389). Use ldaps:// on port 636 for TLS. Required when AUTH_MODE=ldap.

Target

LDAP_URL

Distinguished name of the service account used to search the directory (e.g., cn=service,dc=example,dc=com). Required when AUTH_MODE=ldap.

Target

LDAP_BIND_DN

Password of the LDAP service account. Required when AUTH_MODE=ldap (unless LDAP_BIND_PASSWORD_FILE is set).

Target

LDAP_BIND_PASSWORD

Optional. Path to a file containing the LDAP service account password. Takes priority over LDAP_BIND_PASSWORD. Useful for Docker Secrets.

Target

LDAP_BIND_PASSWORD_FILE

Base DN under which to search for users (e.g., ou=users,dc=example,dc=com). Required when AUTH_MODE=ldap.

Target

LDAP_BASE_DN

Optional. The LDAP attribute matched against the submitted username. Defaults to 'uid'. Use 'sAMAccountName' for Active Directory.

Target

LDAP_USER_ATTRIBUTE

Default

uid

Optional. Pipe-separated list of group DNs granted admin rights on first login (e.g., cn=admins,ou=groups,dc=example,dc=com). Use '|' as separator since DNs contain commas. Requires memberof overlay on the LDAP server.

Target

LDAP_ADMIN_GROUPS

Optional. Pipe-separated list of group DNs allowed to log in. Only members of these groups (or admin groups) can authenticate. Requires memberof overlay on the LDAP server.

Target

LDAP_USER_GROUPS

Optional. Path (inside the container) to a CA certificate file. Use this for LDAPS with a self-signed certificate (e.g., /app/config/ldap-ca.crt).

Target

NODE_EXTRA_CA_CERTS

Use if getting 403 errors after SSO login: Set to http://localhost:3000

Target

INTERNAL_API_URL