Docker Compose is the most flexible deployment target — it runs on any host where docker compose works: your laptop, a VPS, an EC2 instance, a home server, or on-premises infrastructure. The stack ships a Postgres container alongside the server, so there is nothing external to provision. For Cloud Run, Kubernetes, or any other container platform, use the same docker/Dockerfile image and adapt the platform-specific glue.
Quickstart
Clone the deploy directory or copy the compose stack
deploy/docker/. You only need this directory on your target host — not the full repo source — if you are running against the pre-built image from GHCR.
Generate .env secrets with bootstrap.sh
bootstrap.sh is idempotent — re-running it leaves already-set secrets alone. It mints three random secrets into .env: POSTGRES_PASSWORD, OMNIGENT_ACCOUNTS_COOKIE_SECRET, and OMNIGENT_OIDC_COOKIE_SECRET (pre-minted so switching to OIDC later is a one-line edit). If you prefer to manage .env yourself, copy the example instead:
Start the stack
http://localhost:8000. The Postgres container must pass its healthcheck before the server starts; this takes a few seconds on first boot.
Open the web UI, create the admin account, invite your team
On first boot the server auto-creates an admin account and prints the generated password to the container logs:
The password is also written to /data/admin-credentials on the artifact-data volume — it survives docker compose restart and is deleted by docker compose down -v.
Open http://localhost:8000, log in as the admin, then go to your username → Members → Invite member to share single-use invite links with teammates.
To pre-seed the admin password (useful for headless or CI deploys where you cannot read logs), set it before first boot:
Key environment variables
The .env file (generated by bootstrap.sh from .env.example) controls the full server configuration. Secrets live in .env; non-secret settings can go in the optional config.yaml file.
| Variable | Default | Purpose |
|---|---|---|
| POSTGRES_PASSWORD | required | Password for the bundled Postgres container. Set by bootstrap.sh. |
| POSTGRES_USER / POSTGRES_DB | omnigent | DB user and database name. |
| OMNIGENT_PORT | 8000 | Host port the server is published on. |
| OMNIGENT_AUTH_ENABLED | 1 (in compose) | Master auth switch. 1 → accounts or OIDC; 0 → single-user local mode. |
| OMNIGENT_AUTH_PROVIDER | unset | Explicit mode override: accounts, oidc, or header. |
| OMNIGENT_ACCOUNTS_COOKIE_SECRET | minted by bootstrap.sh | 32-byte hex cookie secret for built-in accounts mode. |
| OMNIGENT_ACCOUNTS_BASE_URL | auto-detected | Public URL of the server. Required for any deploy reachable through a domain. |
| OMNIGENT_ACCOUNTS_INIT_ADMIN_PASSWORD | unset | Pre-seed the admin password instead of auto-generating it. |
| OMNIGENT_OIDC_ISSUER | unset | OIDC provider base URL. Its presence (with auth on) switches the mode to OIDC. |
| OMNIGENT_OIDC_CLIENT_ID | unset | OAuth client ID from your IdP. |
| OMNIGENT_OIDC_CLIENT_SECRET | unset | OAuth client secret from your IdP. |
| OMNIGENT_OIDC_COOKIE_SECRET | minted by bootstrap.sh | 32-byte hex cookie secret for OIDC mode. |
| OMNIGENT_OIDC_ALLOWED_DOMAINS | unset | Comma-separated domain allowlist (critical for Google OAuth on external consent screens). |
| OMNIGENT_DOMAIN | unset | Your server’s public domain. Used to derive the OIDC redirect URI and by the Caddy HTTPS overlay. |
DATABASE_URL and ARTIFACT_DIR are computed by compose and injected automatically — do not set them manually in the default stack.
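A pre-deploy check of .env against the table above, as an added example that is not part of the project or its bootstrap.sh. The variable names come from the table; the function names, finding labels and sample file are constructed, and the file-permission check is an added hardening assumption rather than something the page requires.

```shell
#!/bin/sh
# Added example, not the project's bootstrap.sh. Variable names come from the
# table above; function names, finding labels and the sample are constructed.

# env_get FILE KEY: value of the last KEY=... line, quotes stripped
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d "\"'"; }

# is_hex32 VALUE: true only for exactly 64 hex characters (32 bytes)
is_hex32() {
    [ "${#1}" -eq 64 ] || return 1
    case "$1" in *[!0-9a-fA-F]*) return 1 ;; esac
}

# audit_env FILE: prints one finding per line, returns 1 if there are any
audit_env() {
    f=$1; n=0
    flag() { echo "$1"; n=$((n + 1)); }
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
        flag "PERM $f is world-readable"
    fi
    [ -n "$(env_get "$f" POSTGRES_PASSWORD)" ] || flag "MISSING POSTGRES_PASSWORD"
    for k in OMNIGENT_ACCOUNTS_COOKIE_SECRET OMNIGENT_OIDC_COOKIE_SECRET; do
        is_hex32 "$(env_get "$f" "$k")" || flag "WEAK $k is not 32-byte hex"
    done
    if [ "$(env_get "$f" OMNIGENT_AUTH_ENABLED)" = 0 ]; then
        flag "AUTH disabled (single-user local mode)"
    fi
    if [ -n "$(env_get "$f" OMNIGENT_OIDC_ISSUER)" ]; then
        for k in OMNIGENT_OIDC_CLIENT_ID OMNIGENT_OIDC_CLIENT_SECRET; do
            [ -n "$(env_get "$f" "$k")" ] || flag "MISSING $k (OIDC issuer set)"
        done
        [ -n "$(env_get "$f" OMNIGENT_OIDC_ALLOWED_DOMAINS)" ] ||
            flag "OIDC issuer set without OMNIGENT_OIDC_ALLOWED_DOMAINS"
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: OIDC configured, short accounts secret, no allowlist
sample=$(mktemp)
cat > "$sample" <<'EOF'
POSTGRES_PASSWORD=constructed-example-value
OMNIGENT_ACCOUNTS_COOKIE_SECRET=deadbeef
OMNIGENT_OIDC_COOKIE_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
OMNIGENT_OIDC_ISSUER=https://idp.example.com
OMNIGENT_OIDC_CLIENT_ID=constructed-client-id
EOF
audit_env "$sample" || true   # findings are expected for this sample
rm -f "$sample"
```

Run it against the real file with `audit_env .env`; a non-zero status makes it usable as a gate before `docker compose up`.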
Database options
Postgres (default). The compose stack provisions a postgres:16-alpine container and wires DATABASE_URL automatically. This is the recommended option for any shared deploy. The database lives on a named Docker volume (postgres-data) and survives container restarts.
SQLite (lite tier). For a single-user or demo deploy with no external database, drop the postgres service from docker-compose.yaml and set:
.db file lives on the artifact-data volume and survives docker compose restart. Tradeoff: single instance only, no managed backups.
Bring your own Postgres (Neon or external). Set DATABASE_URL to any postgres:// or postgresql:// connection string in .env. The entrypoint normalizes it to the psycopg3 dialect automatically. Neon is the fastest external option — create a free database and paste the connection string.
Reset everything (drops the DB and artifact store):
HTTPS overlay (Caddy)
For any deploy reachable through a public domain, use the bundled Caddy overlay to get automatic Let’s Encrypt TLS:
!reset directive.
Managed hosts (cloud sandboxes)
Instead of a laptop acting as the runner host, you can have the server provision disposable cloud sandboxes automatically on each session. Add a sandbox: section to the server config (/data/config.yaml):
"host_type": "managed" trigger automatic sandbox provisioning. Modal credentials (MODAL_TOKEN_ID / MODAL_TOKEN_SECRET) must be available in the server’s environment. See the deploy README for the full managed-host walkthrough, including LLM credential injection and custom images.
Auth configuration
By default, docker compose up starts the server with built-in accounts auth (OMNIGENT_AUTH_ENABLED=1). To switch to OIDC SSO or header-proxy mode after deploying, update .env and restart: