All apps · 0 apps
khoj-aio
Docker app from JSONbored's Repository
Overview
Khoj is a self-hosted AI second brain for chatting with your docs, the web, and local or hosted LLMs.
All-In-One Unraid Editionkhoj-aio packages the Khoj server with an internally managed PostgreSQL database so beginners can get a clean first boot on Unraid without wiring a separate database container.
Quick Install (Beginners)
- Install the template and leave the default appdata paths in place.
- Optionally set [code]KHOJ_ADMIN_EMAIL[/code], [code]KHOJ_ADMIN_PASSWORD[/code], and [code]KHOJ_DJANGO_SECRET_KEY[/code].
- Leave [code]KHOJ_ANONYMOUS_MODE=true[/code] for the simplest private LAN-first install, then click Apply.
- Wait for first boot to finish, open [code]http://SERVER_IP:42110[/code], and restart the container once after the initial setup so all settings are applied cleanly.
- If you left the password or secret blank, the container generates secure values and saves them in your mapped config folder at [code]/root/.khoj/aio/generated.env[/code].
Power Users (Advanced View)
- Advanced View exposes the practical upstream self-hosted environment surface plus AIO-specific controls.
- You can keep the bundled internal PostgreSQL default, or point Khoj at external PostgreSQL, search providers, code sandboxes, identity providers, upload storage, Twilio/Notion integrations, and OpenAI-compatible local or hosted LLM endpoints.
- Leave defaults in place for the easiest install. Only set the overrides you actually need.
Important Notes
- This image intentionally keeps PostgreSQL bundled because that is the critical first-boot dependency for Khoj on Unraid. Search, sandbox, and provider integrations remain optional advanced add-ons.
- If you expose Khoj outside your LAN, set strong admin credentials, configure [code]KHOJ_DOMAIN[/code] and [code]KHOJ_ALLOWED_DOMAIN[/code] correctly, and strongly consider disabling anonymous mode.
- Upstream currently documents Google OAuth mainly against the prod [code]khoj-cloud[/code] image, so the Google auth variables below should be treated as expert-only and tested carefully in this standard self-host image flow.
Readme
View on GitHubkhoj-aio
An Unraid-first, single-container deployment of Khoj for people who want the easiest reliable self-hosted install without manually wiring PostgreSQL or reworking the upstream compose stack for Unraid.
khoj-aio keeps the critical first-boot dependency bundled: PostgreSQL with pgvector. The wrapper is opinionated for a predictable beginner install, but it does not hide the real tradeoffs: remote exposure still needs correct auth and domain settings, operator/computer features carry meaningful security implications, and advanced search/sandbox/provider integrations still consume real resources.
What This Image Includes
- Khoj web UI and API on port
42110 - Embedded PostgreSQL with
pgvector - Persistent appdata paths for config, database state, and model caches
- First-run generation for
KHOJ_DJANGO_SECRET_KEY,KHOJ_ADMIN_PASSWORD, and the internal DB password when left unset - Unraid CA template at khoj-aio.xml
Beginner Install
If you want the simplest supported path:
- Install the Unraid template.
- Leave the default appdata paths in place.
- Optionally set
KHOJ_ADMIN_EMAIL,KHOJ_ADMIN_PASSWORD, andKHOJ_DJANGO_SECRET_KEY. - Leave
KHOJ_ANONYMOUS_MODE=truefor the default private single-user flow. - Start the container and wait for first-boot initialization to complete.
- Open the web UI on port
42110. - Restart the container once after the initial setup so all settings are fully applied.
If you leave the admin password or Django secret blank, the wrapper generates secure values and writes them to /root/.khoj/aio/generated.env inside your mapped config path.
Power User Surface
This repo is deliberately not a stripped-down wrapper. The template now tracks the practical self-hosted environment surface exposed by upstream source and docs, plus AIO-specific controls for the bundled database flow. In Advanced View you can:
- move PostgreSQL out of the container with the standard
POSTGRES_*settings - point Khoj at OpenAI, Anthropic, Gemini, Ollama, LM Studio, LiteLLM, vLLM, or other OpenAI-compatible endpoints
- configure SearxNG, Serper, Google Search, Firecrawl, Olostep, or Exa for search and webpage reading
- enable Terrarium or E2B code execution
- tune operator/computer behavior and optionally mount the Docker socket for that path
- configure Resend, Google auth, Notion OAuth, Twilio, and AWS-backed upload storage
- expose runtime tuning knobs like Gunicorn worker/timeouts and research iteration limits
The wrapper still defaults to the internal bundled database and a minimal beginner-safe install path so new Unraid users are not forced into extra containers on day one.
Runtime Notes
- Upstream Khoj releases are currently tagged as beta releases. This wrapper tracks the latest published production-facing release line rather than floating
latest. - The internal PostgreSQL service is bound to loopback inside the container and now uses a generated per-install password instead of a fixed hardcoded credential.
- The bundled database user is no longer created as a PostgreSQL superuser; the wrapper creates the
vectorextension aspostgresduring initialization instead. - Search, webpage-reading, and code-execution integrations are intentionally optional. The AIO image does not currently bundle SearxNG or Terrarium by default because that would materially increase resource cost and attack surface for all users.
- If you expose Khoj beyond your LAN, you should set strong credentials, set
KHOJ_DOMAINandKHOJ_ALLOWED_DOMAINcorrectly, and strongly consider disabling anonymous mode.
Publishing and Releases
- Wrapper releases use the upstream version plus an AIO revision, such as
2.0.0-beta.28-aio.1. - Upstream monitoring, release preparation, registry publishing, and catalog sync are owned by
aio-fleetfrom.aio-fleet.yml. - Changelog generation and XML
<Changes>sync are run centrally byaio-fleetduring release preparation. mainpublisheslatest, the pinned upstream version tag, an explicit AIO packaging line tag, andsha-<commit>.- Publish jobs require Docker Hub credentials and push the CA-facing Docker Hub tags directly.
See docs/releases.md for the central release process details.
Validation
Required local validation is aio-fleet first:
python3 -m venv .venv-local
.venv-local/bin/pip install -e "../aio-fleet[app-tests]"
.venv-local/bin/pytest tests/integration -m integration --junit-xml=reports/pytest-integration.xml -o junit_family=xunit1
cd ../aio-fleet
.venv/bin/python -m aio_fleet validate-repo --repo khoj-aio --repo-path ../khoj-aio
.venv/bin/python -m aio_fleet trunk run --repo khoj-aio --repo-path ../khoj-aio --no-fix
CI cost model:
- relevant PRs and
mainpushes run the fast validation layers first - Docker-backed integration tests run for build-relevant changes, for
mainrelease-metadata commits when publish is still in play, and for manual dispatches - image publish stays gated behind the integration suite instead of treating skipped integration as acceptable
- local Docker validation stays explicit instead of hiding inside every routine commit hook
Support
- Repo issues: JSONbored/khoj-aio issues
- Upstream app: khoj-ai/khoj
Funding
If this work saves you time, support it here:
Star History
Media gallery
1 / 3Install khoj-aio on Unraid in a few clicks.
Find khoj-aio in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.
Requirements
Categories
Download Statistics
Related apps
Explore more like this
Explore allDetails
jsonbored/khoj-aio:latestRuntime arguments
- Web UI
http://[IP]:[PORT:42110]- Network
bridge- Shell
sh- Privileged
- false
Template configuration
The main Khoj web interface port.
- Target
- 42110
- Default
- 42110
- Value
- 42110
Stores generated credentials, uploads, and Khoj configuration state.
- Target
- /root/.khoj
- Default
- /mnt/user/appdata/khoj-aio/config
- Value
- /mnt/user/appdata/khoj-aio/config
Internal PostgreSQL database storage for the AIO deployment.
- Target
- /var/lib/postgresql/data
- Default
- /mnt/user/appdata/khoj-aio/postgres
- Value
- /mnt/user/appdata/khoj-aio/postgres
Admin login email for the Khoj admin panel. You can change it later.
- Target
- KHOJ_ADMIN_EMAIL
- Default
- admin@khoj.local
- Value
- admin@khoj.local
Optional. Leave blank to auto-generate a secure admin password on first boot and save it in the mapped config folder.
- Target
- KHOJ_ADMIN_PASSWORD
Optional but recommended. Leave blank to auto-generate a secure secret key on first boot and save it in the mapped config folder.
- Target
- KHOJ_DJANGO_SECRET_KEY
Leave true for the simplest single-user LAN-first install. Set false if you want user sign-in and multi-user auth flows.
- Target
- KHOJ_ANONYMOUS_MODE
- Default
- true|false
- Value
- true
Persistent cache for Hugging Face downloads and model assets.
- Target
- /root/.cache/huggingface
- Default
- /mnt/user/appdata/khoj-aio/models/huggingface
- Value
- /mnt/user/appdata/khoj-aio/models/huggingface
Persistent cache for SentenceTransformers embeddings and related model files.
- Target
- /root/.cache/torch/sentence_transformers
- Default
- /mnt/user/appdata/khoj-aio/models/sentence-transformers
- Value
- /mnt/user/appdata/khoj-aio/models/sentence-transformers
Optional Docker socket mount for advanced operator/computer workflows. Do not enable this unless you understand the security tradeoff.
- Target
- /var/run/docker.sock
Default single-container mode. Set false only if you are intentionally using an external PostgreSQL database.
- Target
- KHOJ_USE_INTERNAL_POSTGRES
- Default
- true|false
- Value
- true
Container bind address. Leave at 0.0.0.0 for standard Unraid bridge networking.
- Target
- KHOJ_HOST
- Default
- 0.0.0.0
- Value
- 0.0.0.0
Recommended for unattended container startup.
- Target
- KHOJ_NON_INTERACTIVE
- Default
- true|false
- Value
- true
Optional extra arguments appended to the Khoj startup command.
- Target
- KHOJ_EXTRA_ARGS
Set true only when troubleshooting with more verbose upstream debug behavior.
- Target
- KHOJ_DEBUG
- Default
- false|true
- Value
- false
Optional worker-process override. Leave blank for the upstream default.
- Target
- GUNICORN_WORKERS
Optional request timeout in seconds. Leave blank for the upstream default.
- Target
- GUNICORN_TIMEOUT
Optional graceful shutdown timeout in seconds. Leave blank for the upstream default.
- Target
- GUNICORN_GRACEFUL_TIMEOUT
Optional keep-alive timeout in seconds. Leave blank for the upstream default.
- Target
- GUNICORN_KEEP_ALIVE
Optional deterministic seed for supported model providers. Useful for repeatable debugging and testing.
- Target
- KHOJ_LLM_SEED
Optional cap for research-mode iterations. Leave blank for the upstream default.
- Target
- KHOJ_RESEARCH_ITERATIONS
Optional external PostgreSQL host. When set, the bundled PostgreSQL stays idle.
- Target
- POSTGRES_HOST
External PostgreSQL port.
- Target
- POSTGRES_PORT
- Default
- 5432
- Value
- 5432
External PostgreSQL database name.
- Target
- POSTGRES_DB
- Default
- postgres
- Value
- postgres
External PostgreSQL username.
- Target
- POSTGRES_USER
- Default
- postgres
- Value
- postgres
External PostgreSQL password.
- Target
- POSTGRES_PASSWORD
API key for OpenAI itself or other OpenAI-compatible gateways that require auth.
- Target
- OPENAI_API_KEY
Anthropic API key for Claude models. Also required for Khoj operator/computer workflows.
- Target
- ANTHROPIC_API_KEY
Google Gemini API key for Gemini chat or image workflows.
- Target
- GEMINI_API_KEY
Use this for Ollama, vLLM, LM Studio, LiteLLM, LocalAI, or any OpenAI-compatible endpoint. Example: http://host.docker.internal:11434/v1/.
- Target
- OPENAI_BASE_URL
Optional default chat model name for your configured OpenAI-compatible endpoint.
- Target
- KHOJ_DEFAULT_CHAT_MODEL
Optional SearxNG endpoint for online search. Example: http://192.168.1.20:8080.
- Target
- KHOJ_SEARXNG_URL
Optional paid web-search API key from Serper.
- Target
- SERPER_DEV_API_KEY
Optional Google Custom Search JSON API key for expert search routing.
- Target
- GOOGLE_SEARCH_API_KEY
Optional Google Programmable Search Engine ID paired with GOOGLE_SEARCH_API_KEY.
- Target
- GOOGLE_SEARCH_ENGINE_ID
Optional webpage-read API key from OloStep.
- Target
- OLOSTEP_API_KEY
Optional OloStep API base URL override. Leave blank for the upstream default.
- Target
- OLOSTEP_API_URL
Optional Firecrawl API key for search and webpage reading.
- Target
- FIRECRAWL_API_KEY
Optional Firecrawl API base URL override. Leave blank for the upstream default.
- Target
- FIRECRAWL_API_URL
Optional Exa API key for search and webpage reading.
- Target
- EXA_API_KEY
Optional Exa API base URL override. Leave blank for the upstream default.
- Target
- EXA_API_URL
Set true to have Khoj automatically read a small number of search result pages while researching online.
- Target
- KHOJ_AUTO_READ_WEBPAGE
- Default
- false|true
- Value
- false
Optional external Terrarium sandbox URL for code execution. Example: http://192.168.1.30:8080.
- Target
- KHOJ_TERRARIUM_URL
Optional E2B API key if you want remote code sandboxing instead of Terrarium.
- Target
- E2B_API_KEY
Optional E2B template override. Leave blank for Khoj's upstream default template.
- Target
- E2B_TEMPLATE
Set true only if you intentionally enable Khoj's operator/computer features and understand the extra security and resource cost.
- Target
- KHOJ_OPERATOR_ENABLED
- Default
- false|true
- Value
- false
Optional max-iteration cap for operator runs. Leave blank for the upstream default.
- Target
- KHOJ_OPERATOR_ITERATIONS
Optional Chrome DevTools Protocol URL for expert external-browser operator setups.
- Target
- KHOJ_CDP_URL
Required for remote access through a custom hostname or IP. Do not include http:// or https://.
- Target
- KHOJ_DOMAIN
Optional internal hostname/IP for reverse proxy or load balancer setups. If blank, Khoj defaults to KHOJ_DOMAIN.
- Target
- KHOJ_ALLOWED_DOMAIN
Set true when intentionally serving over plain HTTP on a trusted LAN or behind a reverse proxy that terminates TLS.
- Target
- KHOJ_NO_HTTPS
- Default
- true|false
- Value
- true
Optional. Enables emailed magic-link login for multi-user access.
- Target
- RESEND_API_KEY
Optional sender address used for magic-link authentication emails.
- Target
- RESEND_EMAIL
Optional Resend audience ID if you want Khoj to add users to a Resend audience after welcome email flows.
- Target
- RESEND_AUDIENCE_ID
Expert-only Google OAuth client ID. Upstream currently documents Google auth mainly against the prod khoj-cloud image.
- Target
- GOOGLE_CLIENT_ID
Expert-only Google OAuth client secret paired with GOOGLE_CLIENT_ID.
- Target
- GOOGLE_CLIENT_SECRET
Optional. Enables text-to-speech voice responses using ElevenLabs.
- Target
- ELEVEN_LABS_API_KEY
Optional Notion OAuth client ID for advanced self-hosted Notion integration flows.
- Target
- NOTION_OAUTH_CLIENT_ID
Optional Notion OAuth client secret.
- Target
- NOTION_OAUTH_CLIENT_SECRET
Optional Notion OAuth redirect URI registered with your integration.
- Target
- NOTION_REDIRECT_URI
Optional object-storage access key for advanced image upload offload paths.
- Target
- AWS_ACCESS_KEY
Optional object-storage secret key paired with AWS_ACCESS_KEY.
- Target
- AWS_SECRET_KEY
Optional bucket name for Khoj-generated image uploads.
- Target
- AWS_IMAGE_UPLOAD_BUCKET
Optional bucket name for user-uploaded images.
- Target
- AWS_USER_UPLOADED_IMAGES_BUCKET_NAME
Optional Twilio Account SID for Twilio-backed verification or messaging flows.
- Target
- TWILIO_ACCOUNT_SID
Optional Twilio auth token paired with TWILIO_ACCOUNT_SID.
- Target
- TWILIO_AUTH_TOKEN
Optional Twilio Verify service SID.
- Target
- TWILIO_VERIFICATION_SID
Set true to opt out of Khoj's anonymous self-hosted telemetry.
- Target
- KHOJ_TELEMETRY_DISABLE
- Default
- false|true
- Value
- false