TREK

TREK

Docker app from mauriceboe's Repository

Overview

TREK is a self-hosted, real-time collaborative travel planner with interactive maps, budgets, bookings, packing lists, file management, and more. Plan trips together with your group — changes sync instantly across all connected users. Includes OIDC/SSO support, dark mode, PWA, and a modular addon system (Vacay, Atlas, Collab, Budget, Packing).
TREK
Your trips. Your plan. Your server.

A self-hosted, real-time collaborative travel planner — with maps, budgets, packing lists, a journal, and AI built in.


Demo   Docker   Discord   Roadmap
Ko-fi   BMAC
License Latest Release Docker Pulls Stars


TREK — 60-second tour

Dashboard Trip planner · day plan & route Journey journal Costs · expense splitting Atlas · visited countries Vacay planner Collections · saved place lists Admin panel

What you get

TREK feature tiles
See all features

🧭 Trip planning

  • Drag & drop planner — organise places into day plans with reordering and cross-day moves
  • Interactive map — Leaflet or Mapbox GL with 3D buildings, terrain, photo markers, clustering, route visualization
  • Place search — Google Places (photos, ratings, hours) or OpenStreetMap (free, no API key)
  • Place import — shared Google Maps / Naver Maps lists, plus GPX and KML/KMZ/GeoJSON map files
  • Day notes — timestamped, icon-tagged notes with drag-and-drop reordering
  • Route optimisation — auto-sort places and export to Google Maps
  • Weather forecasts — 16-day via Open-Meteo (no key) + historical climate fallback
  • Category filter — show only matching pins on the map

🧳 Travel management

  • Reservations — flights, accommodations, restaurants with status, confirmation numbers, files; import from booking confirmation emails and PDFs (KDE Itinerary)
  • Costs — track and split trip expenses (Splitwise-style): per-person / per-day breakdowns, settle-up, multi-currency
  • Packing lists — categories, templates, user assignment, progress tracking
  • Bag tracking — optional weight tracking with iOS-style distribution
  • Document manager — attach docs, tickets, PDFs to trips / places / reservations (≤ 50 MB each)
  • PDF export — full trip plan as PDF with cover page, images, notes

👥 Collaboration

  • Real-time sync — WebSocket. Changes appear instantly across all connected users
  • Multi-user trips — invite members with role-based access
  • Invite links — one-time or reusable links with expiry
  • SSO (OIDC) — Google, Apple, Authentik, Keycloak, or any OIDC provider
  • 2FA — TOTP + backup codes
  • Passkeys — passwordless WebAuthn login (fingerprint / face / PIN / security key), admin-toggleable
  • Collab suite — group chat, shared notes, polls, day check-ins

📱 Mobile & PWA

  • Installable — iOS and Android, straight from the browser, no App Store needed
  • Offline support — Service Worker caches tiles, API, uploads via Workbox
  • Native feel — fullscreen standalone, themed status bar, splash screen
  • Touch optimised — mobile-specific layouts with safe-area handling

🧩 Addons (admin-toggleable)

  • Lists — packing lists + to-dos with templates, member assignments, optional bag tracking
  • Costs — expense tracker with splits and settle-up (who owes whom), multi-currency
  • Documents — file attachments on trips, places, and reservations
  • Collab — chat, notes, polls, day-by-day attendance
  • Vacay — personal vacation planner with calendar, 100+ country holidays, carry-over tracking
  • Atlas — world map of visited countries, bucket list, travel stats, streak tracking, liquid-glass UI
  • Journey — magazine-style travel journal with entries, photos (Immich/Synology), maps, moods
  • AirTrail — connect a self-hosted AirTrail instance to import and sync flights into reservations
  • MCP — expose TREK to AI assistants via OAuth 2.1

🤖 AI / MCP

  • Built-in MCP server — OAuth 2.1 authenticated. 150+ tools, 30 resources
  • Granular scopes — 27 OAuth scopes across 13 permission groups
  • Full automation — AI can create trips, plan days, build packing lists, manage budgets, mark countries visited
  • Pre-built promptstrip-summary, packing-list, budget-overview
  • Addon-aware — exposes Atlas, Collab, Vacay when those addons are on

⚙️ Admin & customisation

  • Dashboard views — card grid or compact list · Dark mode — full theme with matching status bar
  • 20 languages — EN, DE, ES, FR, IT, NL, HU, RU, ZH, ZH-TW, PL, CS, AR (RTL), BR, ID, TR, JA, KO, UK, GR
  • Admin panel — users, invites, packing templates, categories, addons, API keys, backups, GitHub history
  • Notifications — per-user preferences across email (SMTP), webhook, ntfy, and an in-app notification center
  • Auto-backups — scheduled with configurable retention · Units — °C/°F, 12h/24h, map tile sources, default coordinates

Get started in 30 seconds

ENCRYPTION_KEY=$(openssl rand -hex 32) docker run -d -p 3000:3000 \
  -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
  -v ./data:/app/data -v ./uploads:/app/uploads mauriceboe/trek

Open http://localhost:3000. On first boot TREK seeds an admin account — if you set ADMIN_EMAIL/ADMIN_PASSWORD those are used, otherwise the credentials are printed to the container log (docker logs trek).

  ·  Docker Compose  ·  Helm / Kubernetes  ·  Install as PWA  ·  Reverse Proxy  ·  


Tech stack

Node.js NestJS SQLite React Vite TypeScript Tailwind Leaflet Docker

Real-time sync via WebSocket (ws). Backend on NestJS 11. State with Zustand. Auth via JWT + OAuth 2.1 + OIDC + Passkeys (WebAuthn) + TOTP MFA. Weather via Open-Meteo (no key required). Maps with Leaflet and Mapbox GL.


Docker Compose (production)

Full compose example with secure defaults
services:
  app:
    image: mauriceboe/trek:latest
    container_name: trek
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
    ports:
      - "3000:3000"
    environment:
      - NODE_ENV=production
      - PORT=3000
      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-}   # generate with: openssl rand -hex 32
      - TZ=${TZ:-UTC}
      - LOG_LEVEL=${LOG_LEVEL:-info}
      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-}
      - APP_URL=${APP_URL:-}                 # required for OIDC + email links
      # - FORCE_HTTPS=true                   # behind a TLS-terminating proxy
      # - TRUST_PROXY=1
      # - OIDC_ISSUER=https://auth.example.com
      # - OIDC_CLIENT_ID=trek
      # - OIDC_CLIENT_SECRET=supersecret
      # - OIDC_DISPLAY_NAME=SSO
      # - OIDC_ADMIN_CLAIM=groups
      # - OIDC_ADMIN_VALUE=app-trek-admins
    volumes:
      - ./data:/app/data
      - ./uploads:/app/uploads
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s

Then:

docker compose up -d

HTTPS notes: FORCE_HTTPS=true is optional — it adds a 301 redirect, HSTS, CSP upgrade-insecure-requests, and forces the secure cookie flag. Only use it behind a TLS-terminating reverse proxy. TRUST_PROXY=1 tells the server how many proxies sit in front so real client IPs and X-Forwarded-Proto work.


Helm (Kubernetes)

helm repo add trek https://mauriceboe.github.io/TREK
helm repo update
helm install trek trek/trek

See charts/README.md for values.

Install as App (PWA)

TREK works as a Progressive Web App — no App Store needed.

  1. Open TREK in the browser (HTTPS required)
  2. iOS: Share ▸ Add to Home Screen
  3. Android: Menu ▸ Install app (or Add to Home Screen)

TREK then launches fullscreen with its own icon, just like a native app.


Updating

Docker Compose:

docker compose pull && docker compose up -d

Docker run — reuse the original volume paths:

docker pull mauriceboe/trek
docker rm -f trek
docker run -d --name trek -p 3000:3000 -v ./data:/app/data -v ./uploads:/app/uploads --restart unless-stopped mauriceboe/trek

Not sure which paths you used? docker inspect trek --format '{{json .Mounts}}' before removing the container.

Your data stays in the mounted data and uploads volumes — updates never touch it.

[!IMPORTANT] Mount only the data and uploads directories — -v ./data:/app/data -v ./uploads:/app/uploads. Never mount a volume at /app. Doing so hides the application code shipped in the image and the container fails to start with Cannot find module 'tsconfig-paths/register'. If you previously mounted /app, switch to the two mounts above; your data in data/ and uploads/ is preserved.

Rotating the Encryption Key

If you need to rotate ENCRYPTION_KEY (e.g. upgrading from a version that derived encryption from JWT_SECRET):

docker exec -it trek node --import tsx scripts/migrate-encryption.ts

The script creates a timestamped DB backup before making changes and prompts for old + new keys (input is not echoed).

Reverse Proxy

For production, put TREK behind a TLS-terminating reverse proxy. TREK uses WebSockets for real-time sync, so the proxy must support WebSocket upgrades on /ws.

Nginx
server {
    listen 80;
    server_name trek.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name trek.yourdomain.com;

    ssl_certificate     /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;

    # 500 MB covers backup-restore uploads (capped at 500 MB server-side).
    client_max_body_size 500m;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /ws {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 86400;
    }
}
Caddy
trek.yourdomain.com {
    reverse_proxy localhost:3000
}

Caddy handles TLS and WebSockets automatically.


Environment variables

Full reference
Variable Description Default
Core
PORT Server port 3000
NODE_ENV Environment (production / development) production
ENCRYPTION_KEY At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC). Recommended: generate with openssl rand -hex 32. If unset, falls back to data/.jwt_secret (existing installs) or auto-generates a key (fresh installs). Auto
TZ Timezone for logs, reminders and cron jobs (e.g. Europe/Berlin) UTC
LOG_LEVEL info = concise user actions, debug = verbose details info
DEFAULT_LANGUAGE Default language on the login page for users with no saved preference. Browser/OS language is auto-detected first; this is the fallback. Supported: de, en, es, fr, hu, nl, br, cs, pl, ru, zh, zh-TW, it, ar, id, tr, ja, ko, uk, gr en
ALLOWED_ORIGINS Comma-separated origins for CORS and email links same-origin
FORCE_HTTPS Optional. When true: 301-redirects HTTP to HTTPS, sends HSTS, adds CSP upgrade-insecure-requests, forces the session cookie secure flag. Useful behind a TLS-terminating reverse proxy. Requires TRUST_PROXY. false
HSTS_INCLUDE_SUBDOMAINS When true: adds the includeSubDomains directive to the HSTS header, extending HTTPS enforcement to all subdomains. Only effective when HSTS is active (FORCE_HTTPS=true or NODE_ENV=production). Leave false if you run other services on sibling subdomains over plain HTTP. false
COOKIE_SECURE Controls the secure flag on the trek_session cookie. Auto-derived: on when NODE_ENV=production or FORCE_HTTPS=true. Escape hatch: set false to allow session cookies over plain HTTP. Not recommended in production. auto
SESSION_DURATION How long a login session stays valid when "Remember me" is unchecked (the default): sets the trek_session JWT exp and issues a browser-session cookie (cleared when the browser closes). Accepts ms-style strings: 1h, 12h, 7d, 30d, 90d. Invalid values warn at startup and fall back to the default. 24h
SESSION_DURATION_REMEMBER Session length when "Remember me" is ticked at login: a longer-lived JWT plus a persistent trek_session cookie that survives browser restarts. Same format and startup-fallback behaviour as SESSION_DURATION. 30d
TRUST_PROXY Number of trusted reverse proxies. Tells the server to read client IP from X-Forwarded-For and protocol from X-Forwarded-Proto. Defaults to 1 in production; off in dev unless set. 1
ALLOW_INTERNAL_NETWORK Allow outbound requests to private/RFC-1918 IPs (e.g. Immich on your LAN). Loopback and link-local addresses remain blocked. false
APP_URL Public base URL of this instance (e.g. https://trek.example.com). Required when OIDC is enabled; used as base for email notification links.
OIDC / SSO
OIDC_ISSUER OpenID Connect provider URL
OIDC_CLIENT_ID OIDC client ID
OIDC_CLIENT_SECRET OIDC client secret
OIDC_DISPLAY_NAME Label shown on the SSO login button SSO
OIDC_ONLY Force SSO-only mode: disables password login + registration, regardless of Admin > Settings. The first SSO login becomes admin. false
OIDC_ADMIN_CLAIM OIDC claim used to identify admin users
OIDC_ADMIN_VALUE Value of the OIDC claim that grants admin role
OIDC_SCOPE Space-separated OIDC scopes. Fully replaces the default — always include openid email profile. openid email profile
OIDC_DISCOVERY_URL Override the auto-constructed OIDC discovery endpoint (e.g. Authentik: .../application/o/trek/.well-known/openid-configuration)
Initial setup
ADMIN_EMAIL Email for the first admin on initial boot. Must be set together with ADMIN_PASSWORD. If either is omitted a random password is printed to the server log. No effect once a user exists. admin@trek.local
ADMIN_PASSWORD Password for the first admin on initial boot. Pairs with ADMIN_EMAIL. random
Other
DEMO_MODE Enable demo mode (hourly data resets) false
UNSPLASH_ACCESS_KEY Optional Unsplash Access Key for trip-cover and place-image search. Without one, TREK uses Unsplash's unauthenticated endpoint, which some datacenter/VPS IPs are blocked from. Get a free key at unsplash.com/developers. Overrides any per-admin key set in Admin > Settings (where it can also be configured instead).
MCP_RATE_LIMIT Max MCP API requests per user per minute 300
MCP_MAX_SESSION_PER_USER Max concurrent MCP sessions per user 20

Data & Backups

  • Database — SQLite, stored in ./data/travel.db
  • Uploads — stored in ./uploads/
  • Logs./data/logs/trek.log (auto-rotated)
  • Backups — create and restore via Admin Panel
  • Auto-Backups — configurable schedule and retention in Admin Panel

Data sources

The Atlas map's country and sub-national (province/county) boundaries come from geoBoundaries (Runfola et al., 2020), licensed CC BY 4.0. See NOTICE.md for full third-party attributions.

License

TREK is AGPL v3. Self-host freely for personal or internal company use. If you modify and offer TREK as a network service to third parties, your modifications must be open-sourced under the same licence.

Install TREK on Unraid in a few clicks.

Find TREK in Community Apps on your Unraid server, review the template, and click Install. Unraid handles the Docker app or plugin setup from the published template.

Open the Apps tab on your Unraid server Search Community Apps for TREK Review the template variables and paths Click Install

Download Statistics

258,828
Total Downloads

Related apps

Details

Repository
mauriceboe/trek
Last Updated2026-06-23
First Seen2026-06-24

Runtime arguments

Web UI
http://[IP]:[PORT:3000]
Network
bridge
Privileged
false

Template configuration

Web UI PortPorttcp

Port for the web interface

Target
3000
Default
3000
Value
3000
DataPathrw

Database and app data

Target
/app/data
Default
/mnt/user/appdata/trek/data
Value
/mnt/user/appdata/trek/data
UploadsPathrw

Uploaded files (photos, documents)

Target
/app/uploads
Default
/mnt/user/appdata/trek/uploads
Value
/mnt/user/appdata/trek/uploads
ENCRYPTION_KEYVariable

At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC). Recommended: generate with: openssl rand -hex 32. If unset, falls back to data/.jwt_secret (existing installs) or auto-generates a key (fresh installs).

PORTVariable

Internal server port (must match the container port mapping above).

Default
3000
Value
3000
NODE_ENVVariable

Node environment (production / development).

Default
production
Value
production
TZVariable

Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin).

Default
UTC
Value
UTC
LOG_LEVELVariable

Log verbosity: info = concise user actions, debug = verbose admin-level details.

Default
info
Value
info
DEFAULT_LANGUAGEVariable

Default language shown on the login page for users with no saved preference. Browser/OS language is auto-detected first; this is the fallback when no match is found. Supported: de, en, es, fr, hu, nl, br, cs, pl, ru, zh, zh-TW, it, ar.

Default
en
Value
en
ALLOWED_ORIGINSVariable

Comma-separated origins allowed for CORS and used as base URL in email notification links (e.g. https://trek.example.com).

APP_URLVariable

Public base URL of this instance (e.g. https://trek.example.com). Required when OIDC is enabled — must match the redirect URI registered with your IdP. Also used as base URL for email notification links.

FORCE_HTTPSVariable

Optional. When true: HTTPS redirect, HSTS header, CSP upgrade-insecure-requests, and secure cookies. Only useful behind a TLS-terminating proxy. Requires TRUST_PROXY.

Default
false
Value
false
HSTS_INCLUDE_SUBDOMAINSVariable

When true: adds includeSubDomains to the HSTS header, extending HTTPS enforcement to all subdomains. Only effective when HSTS is active (FORCE_HTTPS=true or NODE_ENV=production). Leave false if you run other services on sibling subdomains over plain HTTP.

Default
false
Value
false
COOKIE_SECUREVariable

Auto-derived (true in production or when FORCE_HTTPS=true). Set to false to force session cookies over plain HTTP. Not recommended for production.

Default
true
Value
true
TRUST_PROXYVariable

Trusted proxy hops for X-Forwarded-For/X-Forwarded-Proto. Defaults to 1 in production; off in development unless set. Required for FORCE_HTTPS.

Default
1
Value
1
ALLOW_INTERNAL_NETWORKVariable

Allow outbound requests to private/RFC-1918 IP addresses. Set to true if Immich or other integrated services are hosted on your local network.

Default
false
Value
false
SESSION_DURATIONVariable

How long a login session stays valid when 'Remember me' is unchecked (the default): trek_session JWT exp + a browser-session cookie cleared when the browser closes. Accepts 1h, 12h, 7d, 30d, 90d. Defaults to 24h.

Default
24h
Value
24h
SESSION_DURATION_REMEMBERVariable

Session length when 'Remember me' is ticked at login: a longer-lived JWT + persistent cookie that survives browser restarts. Same format as SESSION_DURATION. Defaults to 30d.

Default
30d
Value
30d
ADMIN_EMAILVariable

Email for the first admin account created on initial boot. Has no effect once any user exists.

Default
admin@trek.local
Value
admin@trek.local
ADMIN_PASSWORDVariable

Password for the first admin account created on initial boot. If omitted a random password is generated and printed to the server log. Has no effect once any user exists.

OIDC_ISSUERVariable

OpenID Connect provider URL (e.g. https://auth.example.com).

OIDC_CLIENT_IDVariable

OIDC client ID registered with your identity provider.

OIDC_CLIENT_SECRETVariable

OIDC client secret registered with your identity provider.

OIDC_DISPLAY_NAMEVariable

Label shown on the SSO login button.

Default
SSO
Value
SSO
OIDC_ONLYVariable

Set to true to force SSO-only mode. Disables password login and password registration — overrides the granular toggles in Admin > Settings and cannot be changed at runtime. First SSO login becomes admin.

Default
false
Value
false
OIDC_ADMIN_CLAIMVariable

OIDC claim used to identify admin users (e.g. groups).

OIDC_ADMIN_VALUEVariable

Value of the OIDC claim that grants admin role (e.g. app-trek-admins).

OIDC_SCOPEVariable

Space-separated OIDC scopes to request. Fully overrides the default — always include openid email profile plus any extra scopes you need (e.g. add groups when using OIDC_ADMIN_CLAIM).

Default
openid email profile
Value
openid email profile
OIDC_DISCOVERY_URLVariable

Override the auto-constructed OIDC discovery endpoint. Useful for providers with a non-standard path (e.g. Authentik).

DEMO_MODEVariable

Enable demo mode (resets all data hourly). Not intended for regular use.

Default
false
Value
false
MCP_RATE_LIMITVariable

Max MCP API requests per user per minute.

Default
300
Value
300
MCP_MAX_SESSION_PER_USERVariable

Max concurrent MCP sessions per user.

Default
20
Value
20
UNSPLASH_ACCESS_KEYVariable

Optional Unsplash Access Key for trip-cover and place-image search. Without one, TREK uses Unsplash's unauthenticated endpoint, which some datacenter/VPS IPs are blocked from. Get a free key at unsplash.com/developers. Can also be set per-admin in Admin > Settings; this env var overrides that.