How to run trilium as rootless on server

[podhorsky-ksj]

Hi,
how to run trilium as rootless?

this manual seems to be outdated
https://docs.triliumnotes.org/user-guide/setup/server/installation/docker

I'm trying to run it on podman quadlet

[Unit]
Description=Trilium
StartLimitIntervalSec=1d
StartLimitBurst=3

[Container]
ContainerName=trilium
AutoUpdate=registry
Environment=TRILIUM_DATA_DIR=/data USER_UID=0 USER_GID=0 TRILIUM_DISABLE_CHOWN=true
Image=docker.io/triliumnext/trilium:latest
User=0:0
UserNS=keep-id
PublishPort=6000:8080
Volume=%h/containers/trilium-data:/data
Volume=/etc/localtime:/etc/localtime:ro

[Service]
Restart=always
RestartSec=5s

[Install]
WantedBy=default.target

But even this is not proper way. this is working, but /data are still under user node (uuid 1000), not under root, so they will show under different user than host user on host
When I try another uid and guid than 0, e.g. 1000 like the node, it will fail, bacause it doesn't have su priviledges.

[dosubot[bot]]

Hi @podhorsky-ksj! I'm Dosu and I’m helping the Trilium team.

To run Trilium rootless on a server with Podman Quadlet, you should use the rootless image (triliumnext/trilium:rootless or build it locally if not available). The standard image expects root privileges for UID/GID changes and will fall back to UID 1000 if you set USER_UID=0, causing permission mismatches with your host data directory. Running as root (UID 0) or using su inside the container is not supported in rootless mode and will fail or cause the data to be owned by the wrong user source.

Here's what works:

1. Build the rootless image locally if it's not available:

   pnpm install
   pnpm nx build server
   docker build -t triliumnext/trilium:rootless -f apps/server/Dockerfile.rootless .
   

   The rootless image creates a non-root user (default UID 1001, customizable at build time) source.

2. Prepare your host data directory:
   Either chown it to match the container UID/GID (e.g., sudo chown -R 1001:1001 /path/to/trilium-data), or as a quick workaround, set permissions to 777 (chmod -R 777 /path/to/trilium-data). The first is more secure source.

3. Podman Quadlet unit example (adapt as needed):

   [Unit]
   Description=Trilium (rootless)
   [Container]
   ContainerName=trilium
   Image=localhost/trilium:rootless
   # Set the user to match the UID/GID you used for the data directory
   User=1001:1001
   Environment=TRILIUM_UID=1001 TRILIUM_GID=1001
   Volume=/home/youruser/containers/trilium-data:/home/trilium/trilium-data
   PublishPort=6000:8080
   [Service]
   Restart=always
   RestartSec=5s
   [Install]
   WantedBy=default.target
   

   Make sure the volume path and UID/GID match your setup. Avoid using User=0:0 or USER_UID=0, USER_GID=0.

4. Common pitfalls:

   • Do not use the latest tag—use a specific version for stability.
   • If you use a custom data directory path, ensure both the environment variable and volume mapping match, and the directory exists and is writable by the container user.
   • If you see missing UI icons, you may need to update the client build config to copy static assets like Boxicons fonts before building the Docker image source.
   • If your data volume is on a non-Linux filesystem (exFAT, NTFS), permissions may not work as expected.

This approach avoids root, aligns permissions, and works with Podman’s rootless defaults. If you hit permission errors, double-check the UID/GID on both host and container, and check logs for EACCES or ENOENT errors.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[podhorsky-ksj]

I have issue with the build:
pnpm nx build server
 ERR_PNPM_RECURSIVE_EXEC_FIRST_FAIL  Command "nx" not found

[dosubot[bot]]

The build error happens because Trilium no longer uses Nx; the docs and some scripts are outdated. Instead, you should use pnpm workspace scripts. Here’s how to fix it:

1. Delete all node_modules and .pnpm-store folders from the root and every workspace directory (like apps/server/node_modules, apps/client/node_modules, etc).
2. Run pnpm install in the project root.
3. Build the server with pnpm run server:build (not pnpm nx build server).

If you’re building a Docker image, make sure your Dockerfile copies the full repo and runs pnpm install before building. The official Dockerfile and build steps are a good reference for this process.

If you still see errors, double-check your Node.js and pnpm versions and review the build logs for missing assets or native module errors. More details: TriliumNext does not require Nx; use pnpm scripts instead, recommended build steps, clean node_modules if needed.

To reply, just mention @dosu.

---

Docs are dead. Just use Dosu.

[Aitanuqui]

I also tried to get this working on Podman and ran into the same issues: when running Trilium Notes' container with my user in ~/.config/containers/systemd, even if I have Environment=USER_UID=0 USER_GID=0, the user namespace modes won't map the data directory to my user, because as you mentioned, is running as another user within the container.

I tried running rootful Podman changing to Environment=USER_UID=1000 USER_GID=1000, or rootless adding UserNS=keep-idor UserNS=keep-id:uid=1000,gid=1000 but the container would not even start. I made sure my current user matched those UID and GID numbers just in case.

As I understand from your post, the fix would be some access or option to change the user running the data directory within the container. I wonder if there is a way for Podman to map all users (not just root) running within the container to a desired one on the host system.

Edit: I somehow managed to get rootful Podman working with Environment=USER_UID=<my-user> USER_GID=<my-group> now. I don't know what was the issue earlier for why it would not even start.

[Hetti]

I got it working to build my own container and run it with podman rootless.

Don't forget to run the UID/GUID config:
https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md#etcsubuid-and-etcsubgid-configuration

Here is my Dockerfile:

# Stage 1: Build the application
FROM node:24.11.0-alpine AS builder
RUN corepack enable

WORKDIR /usr/src/app

# Copy workspace configuration
COPY pnpm-workspace.yaml package.json pnpm-lock.yaml tsconfig.base.json tsconfig.json .
COPY patches ./patches
COPY packages ./packages
COPY apps	./apps
#COPY docs	./docs
COPY scripts ./scripts

# Install all dependencies
RUN pnpm install --frozen-lockfile --ignore-scripts

# Build the server (this runs the TypeScript compilation and bundles everything)
RUN pnpm run server:build

# Stage 2: Build native dependencies for target platform
FROM node:24.11.0-alpine AS native-builder
RUN corepack enable

# Install native dependencies since we might be building cross-platform.
WORKDIR /usr/src/app
COPY apps/server/docker/package.json apps/server/docker/pnpm-workspace.yaml ./
# We have to use --no-frozen-lockfile due to CKEditor patches
RUN pnpm install --no-frozen-lockfile --prod && pnpm rebuild

# Stage 3: Final runtime image
FROM node:24.11.0-alpine
# Create a non-root user with configurable UID/GID
ARG USER=trilium
ARG UID=1001
ARG GID=1001
ENV USER=${USER}

# Install runtime dependencies and create user with specific UID/GID
RUN apk add --no-cache dumb-init && \
    apk add --no-cache bash && \
    # Alpine uses addgroup/adduser (from busybox) instead of groupadd/useradd
    addgroup -g ${GID} ${USER} && \
    adduser -u ${UID} -G ${USER} -s /bin/sh -D -h /home/${USER} ${USER}

WORKDIR /home/${USER}/app
COPY --from=builder /usr/src/app/apps/server/dist /home/${USER}/app
# Also copy the rootless entrypoint script
COPY --from=builder /usr/src/app/apps/server/rootless-entrypoint.sh /home/${USER}/app/
RUN rm -rf /home/${USER}/app/node_modules/better-sqlite3
COPY --from=native-builder /usr/src/app/node_modules/better-sqlite3 /home/${USER}/app/node_modules/better-sqlite3
RUN chown -R ${USER}:${USER} /home/${USER}

# Configure container
USER ${USER}
EXPOSE 8080

# By default, use UID/GID that was set during build
# These can be overridden at runtime
ENV TRILIUM_UID=${UID}
ENV TRILIUM_GID=${GID}
ENV TRILIUM_DATA_DIR=/home/${USER}/trilium-data

# Use dumb-init as entrypoint to handle signals properly
ENTRYPOINT ["/usr/bin/dumb-init", "--"]

# Use the entrypoint script
CMD [ "bash", "./rootless-entrypoint.sh" ]

HEALTHCHECK --start-period=10s CMD node /home/${USER}/app/docker_healthcheck.js

place this into the cloned git folder of Trilium.

This is the shellscript that builds the container, which is placed in the same folder as the cloned git folder:

#!/usr/bin/env bash

cd Trilium

# https://stackoverflow.com/a/22857288
# Get new tags from remote
git fetch --tags

# check out to latest non beta version with some grep magic
latestTag=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1)

echo "[+] Checking out to Version \"$latestTag\""

# Checkout latest tag
git checkout $latestTag

VERSION=`jq -r ".version" package.json`
SERIES=${VERSION:0:5}-latest

echo "[+] Building container"
# Build from the repository
podman build -t triliumnext_selfbuilt/trilium:$VERSION -t triliumnext_selfbuilt/trilium:$SERIES .

echo "[+] Tagging built container"
if [[ $VERSION != *"beta"* ]]; then
  podman tag triliumnext_selfbuilt/trilium:$VERSION triliumnext_selfbuilt/trilium:latest
fi

See also https://github.com/orgs/TriliumNext/discussions/7478