How to run trilium as rootless on server

[podhorsky-ksj]

Hi,
how to run trilium as rootless?

this manual seems to be outdated
https://docs.triliumnotes.org/user-guide/setup/server/installation/docker

I'm trying to run it on podman quadlet

[Unit]
Description=Trilium
StartLimitIntervalSec=1d
StartLimitBurst=3

[Container]
ContainerName=trilium
AutoUpdate=registry
Environment=TRILIUM_DATA_DIR=/data USER_UID=0 USER_GID=0 TRILIUM_DISABLE_CHOWN=true
Image=docker.io/triliumnext/trilium:latest
User=0:0
UserNS=keep-id
PublishPort=6000:8080
Volume=%h/containers/trilium-data:/data
Volume=/etc/localtime:/etc/localtime:ro

[Service]
Restart=always
RestartSec=5s

[Install]
WantedBy=default.target

But even this is not proper way. this is working, but /data are still under user node (uuid 1000), not under root, so they will show under different user than host user on host
When I try another uid and guid than 0, e.g. 1000 like the node, it will fail, bacause it doesn't have su priviledges.

[dosubot[bot]]

Hi @podhorsky-ksj! I'm Dosu and I’m helping the Trilium team.

To run Trilium rootless on a server with Podman Quadlet, you should use the rootless image (triliumnext/trilium:rootless or build it locally if not available). The standard image expects root privileges for UID/GID changes and will fall back to UID 1000 if you set USER_UID=0, causing permission mismatches with your host data directory. Running as root (UID 0) or using su inside the container is not supported in rootless mode and will fail or cause the data to be owned by the wrong user source.

Here's what works:

1. Build the rootless image locally if it's not available:

   pnpm install
   pnpm nx build server
   docker build -t triliumnext/trilium:rootless -f apps/server/Dockerfile.rootless .
   

   The rootless image creates a non-root user (default UID 1001, customizable at build time) source.

2. Prepare your host data directory:
   Either chown it to match the container UID/GID (e.g., sudo chown -R 1001:1001 /path/to/trilium-data), or as a quick workaround, set permissions to 777 (chmod -R 777 /path/to/trilium-data). The first is more secure source.

3. Podman Quadlet unit example (adapt as needed):

   [Unit]
   Description=Trilium (rootless)
   [Container]
   ContainerName=trilium
   Image=localhost/trilium:rootless
   # Set the user to match the UID/GID you used for the data directory
   User=1001:1001
   Environment=TRILIUM_UID=1001 TRILIUM_GID=1001
   Volume=/home/youruser/containers/trilium-data:/home/trilium/trilium-data
   PublishPort=6000:8080
   [Service]
   Restart=always
   RestartSec=5s
   [Install]
   WantedBy=default.target
   

   Make sure the volume path and UID/GID match your setup. Avoid using User=0:0 or USER_UID=0, USER_GID=0.

4. Common pitfalls:

   • Do not use the latest tag—use a specific version for stability.
   • If you use a custom data directory path, ensure both the environment variable and volume mapping match, and the directory exists and is writable by the container user.
   • If you see missing UI icons, you may need to update the client build config to copy static assets like Boxicons fonts before building the Docker image source.
   • If your data volume is on a non-Linux filesystem (exFAT, NTFS), permissions may not work as expected.

This approach avoids root, aligns permissions, and works with Podman’s rootless defaults. If you hit permission errors, double-check the UID/GID on both host and container, and check logs for EACCES or ENOENT errors.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[podhorsky-ksj]

I have issue with the build:
pnpm nx build server
 ERR_PNPM_RECURSIVE_EXEC_FIRST_FAIL  Command "nx" not found

[dosubot[bot]]

The build error happens because Trilium no longer uses Nx; the docs and some scripts are outdated. Instead, you should use pnpm workspace scripts. Here’s how to fix it:

1. Delete all node_modules and .pnpm-store folders from the root and every workspace directory (like apps/server/node_modules, apps/client/node_modules, etc).
2. Run pnpm install in the project root.
3. Build the server with pnpm run server:build (not pnpm nx build server).

If you’re building a Docker image, make sure your Dockerfile copies the full repo and runs pnpm install before building. The official Dockerfile and build steps are a good reference for this process.

If you still see errors, double-check your Node.js and pnpm versions and review the build logs for missing assets or native module errors. More details: TriliumNext does not require Nx; use pnpm scripts instead, recommended build steps, clean node_modules if needed.

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}

   

[Aitanuqui]

I also tried to get this working on Podman and ran into the same issues: when running Trilium Notes' container with my user in ~/.config/containers/systemd, even if I have Environment=USER_UID=0 USER_GID=0, the user namespace modes won't map the data directory to my user, because as you mentioned, is running as another user within the container.

I tried running rootful Podman changing to Environment=USER_UID=1000 USER_GID=1000, or rootless adding UserNS=keep-idor UserNS=keep-id:uid=1000,gid=1000 but the container would not even start. I made sure my current user matched those UID and GID numbers just in case.

As I understand from your post, the fix would be some access or option to change the user running the data directory within the container. I wonder if there is a way for Podman to map all users (not just root) running within the container to a desired one on the host system.

Edit: I somehow managed to get rootful Podman working with Environment=USER_UID=<my-user> USER_GID=<my-group> now. I don't know what was the issue earlier for why it would not even start.