Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/Termix-SSH/Termix/llms.txt

Use this file to discover all available pages before exploring further.

Termix is configured primarily through environment variables passed to the Docker container. Most settings have sensible defaults so a minimal deployment only needs PORT, but you can tune everything from the HTTP port to every detail of your OIDC provider.

Core variables

PORT
number
default:"8080"
The port that the internal nginx reverse proxy listens on. Map the same port on the host side in your ports declaration.
docker-compose.yml
environment:
  PORT: "8080"
ports:
  - "8080:8080"
DATA_DIR
string
default:"/app/data"
Absolute path inside the container where Termix stores its encrypted SQLite databases, SSL certificates, and other persistent data. Mount a Docker volume here so data survives container restarts.
PUID
number
default:"1000"
The UID that the node process user is remapped to inside the container. Set this to match your host user to avoid permission issues on the mounted volume.
PGID
number
default:"1000"
The GID that the node process group is remapped to inside the container.
SALT
number
default:"10"
bcrypt cost factor used when hashing passwords. Higher values are more secure but make login slower. The default of 10 is appropriate for most deployments; values between 10 and 14 are typical.

SSL variables

ENABLE_SSL
string
default:"false"
Set to "true" to activate the HTTPS nginx configuration. When enabled, Termix generates a self-signed TLS certificate on first start and reconfigures nginx to redirect all HTTP traffic to the SSL port.
SSL_PORT
number
default:"8443"
The port that the HTTPS listener binds to when ENABLE_SSL=true. Make sure to expose this port in your ports mapping.
SSL_CERT_PATH
string
default:"/app/data/ssl/termix.crt"
Path to the TLS certificate file. Termix reads this path when configuring nginx. If you supply your own certificate, write it to this path (or change the variable to match your certificate location) before starting the container.
SSL_KEY_PATH
string
default:"/app/data/ssl/termix.key"
Path to the TLS private key file that pairs with SSL_CERT_PATH.
SSL_DOMAIN
string
default:"localhost"
The domain name embedded in the auto-generated self-signed certificate’s CN and Subject Alternative Name fields. Set this to your actual domain when using the built-in SSL so that browsers show the correct hostname.

OIDC variables

These variables let you pre-configure an OIDC provider at container startup rather than entering the settings through the admin UI. All five marked required must be present together; if any are missing, the environment-based OIDC config is ignored and you must configure OIDC through the UI instead.
OIDC_CLIENT_ID
string
required
The client ID issued by your identity provider when you registered the Termix application.
OIDC_CLIENT_SECRET
string
required
The client secret issued by your identity provider.
OIDC_ISSUER_URL
string
required
The issuer URL of your OIDC provider (e.g. https://accounts.example.com). Termix appends /.well-known/openid-configuration to this URL during discovery.
OIDC_AUTHORIZATION_URL
string
required
The authorization endpoint URL where Termix redirects users to log in with your provider.
OIDC_TOKEN_URL
string
required
The token endpoint URL that Termix calls to exchange an authorization code for tokens.
OIDC_USERINFO_URL
string
The userinfo endpoint URL. When omitted, Termix discovers the endpoint from .well-known/openid-configuration or falls back to common paths automatically.
OIDC_IDENTIFIER_PATH
string
default:"sub"
A dot-separated path into the userinfo payload that Termix uses as the unique identifier for each OIDC user. Common values are sub, email, or preferred_username. Nested paths like profile.id are supported.
OIDC_NAME_PATH
string
default:"name"
A dot-separated path into the userinfo payload from which Termix reads the display name to show in the UI.
OIDC_SCOPES
string
default:"openid email profile"
Space-separated list of OAuth 2.0 scopes requested during authorization. Adjust if your provider requires additional scopes to return the claims you configured in OIDC_IDENTIFIER_PATH and OIDC_NAME_PATH.
OIDC_ALLOWED_USERS
string
Comma-separated list of identifiers or patterns that are permitted to sign in via OIDC. When empty, any successfully authenticated OIDC user is allowed. See the Authentication page for pattern syntax.
OIDC_ALLOW_REGISTRATION
string
default:"false"
Set to "true" to allow new accounts to be created automatically when an OIDC user logs in for the first time, independently of the global registration toggle. When "false", new OIDC users can only be created if the global allow_registration setting is enabled in the admin UI.

Minimal docker-compose example

docker-compose.yml
services:
  termix:
    image: ghcr.io/lukegus/termix:latest
    container_name: termix
    restart: unless-stopped
    ports:
      - "8080:8080"
    volumes:
      - termix-data:/app/data
    environment:
      PORT: "8080"

  guacd:
    image: guacamole/guacd:1.6.0
    container_name: guacd
    restart: unless-stopped
    ports:
      - "4822:4822"

volumes:
  termix-data:
    driver: local

OIDC example

docker-compose.yml
environment:
  PORT: "8080"
  OIDC_CLIENT_ID: "termix"
  OIDC_CLIENT_SECRET: "super-secret"
  OIDC_ISSUER_URL: "https://auth.example.com/application/o/termix"
  OIDC_AUTHORIZATION_URL: "https://auth.example.com/application/o/authorize/"
  OIDC_TOKEN_URL: "https://auth.example.com/application/o/token/"
  OIDC_IDENTIFIER_PATH: "sub"
  OIDC_NAME_PATH: "name"
  OIDC_SCOPES: "openid email profile"
  OIDC_ALLOWED_USERS: "@example.com,admin@other.com"
  OIDC_ALLOW_REGISTRATION: "true"
OIDC settings configured via environment variables take precedence over settings saved through the admin UI. To use the UI-based configuration instead, omit all OIDC_* variables from your container environment.

Build docs developers (and LLMs) love

Get started for freeTalk to us