Docmost

Deploy Docmost on Kubernetes — an open-source collaborative wiki and documentation platform. Supports bundled or external PostgreSQL and Redis, local PVC or S3 uploads storage, and scheduled pg_dump backups.

appUrl must be set explicitly in production

If docmost.appUrl is empty, Docmost auto-detects the URL from the Ingress host. In production, always set it explicitly (e.g. https://wiki.example.com). An incorrect appUrl causes password reset emails, invite links, and OAuth redirects to reference the wrong address.

Key Features

  • Collaborative wiki — real-time editing, spaces, pages, and permissions
  • PostgreSQL + Redis — bundled subcharts or external connections
  • Auto-bootstrap — unaccent and pg_trgm extensions granted on first start
  • Storage modes — local PVC (single replica) or S3-compatible (scalable)
  • pg_dump backup — scheduled CronJob to S3; database-only (uploads separate)
  • JWT sessions — configurable jwtTokenExpiresIn with auto-generated app secret

Installation

HTTPS repository:

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install docmost helmforge/docmost -f values.yaml

OCI registry:

helm install docmost oci://ghcr.io/helmforgedev/helm/docmost -f values.yaml

Deployment Examples

# values.yaml — Docmost with bundled PostgreSQL and Redis
docmost:
  appUrl: 'https://wiki.example.com'
  appSecret: 'generate-with-openssl-rand-hex-32'

postgresql:
  enabled: true
  auth:
    database: docmost
    username: docmost
    password: 'strong-db-password'
  standalone:
    persistence:
      enabled: true
      size: 8Gi

redis:
  enabled: true
  standalone:
    persistence:
      enabled: true
      size: 1Gi

storage:
  mode: local
  local:
    enabled: true
    size: 20Gi

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: wiki.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — Docmost with external PostgreSQL and Redis
# IMPORTANT: On the external PostgreSQL instance, run before installing:
#   GRANT CREATE ON DATABASE docmost TO docmost;
#   \connect docmost
#   CREATE EXTENSION IF NOT EXISTS unaccent;
#   CREATE EXTENSION IF NOT EXISTS pg_trgm;
docmost:
  appUrl: 'https://wiki.example.com'
  appSecret: 'generate-with-openssl-rand-hex-32'

postgresql:
  enabled: false

database:
  mode: external
  external:
    host: postgres.database.svc.cluster.local
    port: 5432
    name: docmost
    username: docmost
    existingSecret: docmost-db-credentials
    existingSecretPasswordKey: database-password

redis:
  enabled: false
  external:
    host: redis.cache.svc.cluster.local
    port: 6379
    existingSecret: docmost-redis-credentials
    existingSecretPasswordKey: redis-password

storage:
  mode: local
  local:
    enabled: true
    size: 20Gi

ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: wiki.example.com
      paths:
        - path: /
          pathType: Prefix

# values.yaml — Docmost with S3 uploads (enables horizontal scaling)
docmost:
  appUrl: 'https://wiki.example.com'
  appSecret: 'generate-with-openssl-rand-hex-32'

postgresql:
  enabled: true
  auth:
    password: 'strong-db-password'

redis:
  enabled: true

storage:
  mode: s3 # no local PVC created; allows replicaCount > 1
  s3:
    region: us-east-1
    bucket: docmost-uploads
    endpoint: https://s3.amazonaws.com # or MinIO endpoint
    forcePathStyle: true # required for MinIO and most S3-compatible providers
    existingSecret: docmost-s3-credentials
    existingSecretAccessKeyKey: access-key
    existingSecretSecretKeyKey: secret-key

replicaCount: 2 # safe to scale with S3 storage

# values.yaml — Full production Docmost with backup and TLS
docmost:
  appUrl: 'https://wiki.example.com'
  appSecret: 'generate-with-openssl-rand-hex-32'
  jwtTokenExpiresIn: 30d

postgresql:
  enabled: true
  auth:
    database: docmost
    username: docmost
    password: 'strong-db-password'
    postgresPassword: 'strong-superuser-password'
  standalone:
    persistence:
      enabled: true
      size: 20Gi

redis:
  enabled: true
  auth:
    enabled: true
    password: 'strong-redis-password'
  standalone:
    persistence:
      enabled: true
      size: 1Gi

storage:
  mode: local
  local:
    enabled: true
    size: 50Gi

backup:
  enabled: true
  schedule: '0 3 * * *'
  s3:
    endpoint: https://s3.amazonaws.com
    bucket: docmost-backups
    existingSecret: docmost-backup-s3-credentials

resources:
  requests:
    memory: 256Mi
    cpu: 200m
  limits:
    memory: 1Gi

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: wiki.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: docmost-tls
      hosts:
        - wiki.example.com
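
A pre-install check for values files like the samples above, written as an added example (it is not part of the chart or of Docmost). It encodes constraints this page states: an explicit appUrl, the placeholder appSecret, replicaCount versus storage.mode, and existingSecret for external PostgreSQL. The finding codes, the dig helper, and the https and Ingress-host checks are assumptions of this example.

```python
# Added example (not chart code): lint a values mapping, e.g. from yaml.safe_load().
from urllib.parse import urlparse

PLACEHOLDER = "generate-with-openssl-rand-hex-32"  # literal used in the page's samples
INLINE_PASSWORDS = ("postgresql.auth.password", "postgresql.auth.postgresPassword",
                    "redis.auth.password")  # keys that hold a plaintext credential

def dig(values, dotted, default=None):
    """Walk nested dicts by dotted path; default when a level is missing or empty."""
    node = values
    for key in dotted.split("."):
        if not isinstance(node, dict) or node.get(key) in (None, ""):
            return default
        node = node[key]
    return node

def lint_values(values):
    """Return sorted finding codes (names are this example's own) for one mapping."""
    out = set()
    url = urlparse(dig(values, "docmost.appUrl", ""))
    if not url.hostname:
        out.add("APPURL_UNSET_OR_INVALID")  # chart would auto-detect from Ingress
    elif url.scheme != "https":
        out.add("APPURL_NOT_HTTPS")  # assumption: production is served over TLS
    hosts = [h.get("host") for h in dig(values, "ingress.hosts", [])]
    if url.hostname and hosts and url.hostname not in hosts:
        out.add("APPURL_HOST_NOT_IN_INGRESS")  # emailed links would point elsewhere
    if dig(values, "docmost.appSecret") == PLACEHOLDER:
        out.add("APPSECRET_PLACEHOLDER")  # sample text was never replaced
    if values.get("replicaCount", 1) > 1 and dig(values, "storage.mode", "local") != "s3":
        out.add("REPLICAS_REQUIRE_S3")  # local uploads PVC is ReadWriteOnce
    for path in INLINE_PASSWORDS:
        if dig(values, path):
            out.add("INLINE_PASSWORD:" + path)  # credential stored in the values file
    external = dig(values, "database.mode") == "external" or dig(values, "database.external.host")
    if external and not dig(values, "database.external.existingSecret"):
        out.add("EXTERNAL_DB_WITHOUT_EXISTING_SECRET")
    return sorted(out)

# Constructed input: the page's sample values with deliberate mistakes added.
SAMPLE = {
    "docmost": {"appUrl": "http://wiki.example.com", "appSecret": PLACEHOLDER},
    "postgresql": {"auth": {"password": "strong-db-password"}},
    "storage": {"mode": "local"}, "replicaCount": 2,
    "ingress": {"hosts": [{"host": "docs.example.com"}]},
}

if __name__ == "__main__":
    print("\n".join(lint_values(SAMPLE)))
```

Running it in CI before helm install catches the appUrl and replicaCount mistakes before they reach the cluster; the inline-password finding covers the bundled subcharts, where the page's alternative is to leave the field empty so the password is auto-generated.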

Configuration Reference

Core

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| replicaCount | integer | 1 | Pod replicas. Safe to increase only with storage.mode: s3. |
| nameOverride | string | "" | Override the chart name. |
| fullnameOverride | string | "" | Override the full release name. |
| commonLabels | object | {} | Extra labels added to all resources. |

Image

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| image.repository | string | docker.io/docmost/docmost | Docmost image. |
| image.tag | string | "0.90.1" | Image tag. |
| image.pullPolicy | string | IfNotPresent | Image pull policy. |

Docmost Configuration

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| docmost.appUrl | string | "" | Full public URL. Auto-detected from first Ingress host if empty. Set explicitly in production. |
| docmost.appSecret | string | "" | Application secret key. Auto-generated if empty. Store in a stable secret for production. |
| docmost.jwtTokenExpiresIn | string | 30d | JWT token expiration for user sessions. |
| docmost.extraEnv | array | [] | Extra environment variables for the container. |

Database

Auto-detection precedence (database.mode: auto):

  1. database.external.host or database.external.existingSecret → external PostgreSQL
  2. postgresql.enabled: true → bundled PostgreSQL subchart

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| database.mode | string | auto | Database mode: auto, external, or postgresql. |
| database.external.host | string | "" | External PostgreSQL hostname. |
| database.external.port | integer | 5432 | External PostgreSQL port. |
| database.external.name | string | docmost | Database name. |
| database.external.username | string | docmost | Database username. |
| database.external.existingSecret | string | "" | Existing secret with the database password. |
| database.external.existingSecretPasswordKey | string | database-password | Key for the password in the existing secret. |

External PostgreSQL requires manual extension setup

When using an external PostgreSQL, the bundled bootstrap scripts do not run. Before installing Docmost, manually execute on the target database:

GRANT CREATE ON DATABASE docmost TO docmost;
\connect docmost
CREATE EXTENSION IF NOT EXISTS unaccent;
CREATE EXTENSION IF NOT EXISTS pg_trgm;

PostgreSQL Subchart

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| postgresql.enabled | boolean | true | Deploy the bundled PostgreSQL subchart. |
| postgresql.auth.database | string | docmost | Database name. |
| postgresql.auth.username | string | docmost | Database username. |
| postgresql.auth.password | string | "" | Database password. Auto-generated if empty. |
| postgresql.auth.postgresPassword | string | "" | Superuser password. Auto-generated if empty. |
| postgresql.standalone.persistence.size | string | 8Gi | PVC size for PostgreSQL. |

Redis Subchart / External

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| redis.enabled | boolean | true | Deploy the bundled Redis subchart. |
| redis.auth.enabled | boolean | true | Enable Redis password authentication. |
| redis.auth.password | string | "" | Redis password. Auto-generated if empty. |
| redis.standalone.persistence.size | string | 1Gi | PVC size for Redis. |
| redis.external.host | string | "" | External Redis hostname. |
| redis.external.existingSecret | string | "" | Existing secret with external Redis password. |

Storage

local storage limits replicaCount to 1

With storage.mode: local, the uploads PVC uses ReadWriteOnce. Only one pod can mount it at a time. The chart rejects replicaCount > 1 unless storage.mode: s3 is configured for horizontal scaling.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| storage.mode | string | local | Storage mode: local (PVC) or s3. |
| storage.local.enabled | boolean | true | Create a local PVC for uploads. |
| storage.local.size | string | 10Gi | Uploads PVC size. |
| storage.local.storageClass | string | "" | StorageClass for the uploads PVC. |
| storage.local.existingClaim | string | "" | Use an existing PVC for uploads. |
| storage.s3.region | string | us-east-1 | S3 region. |
| storage.s3.bucket | string | "" | S3 bucket name. |
| storage.s3.endpoint | string | "" | S3-compatible endpoint URL. |
| storage.s3.forcePathStyle | boolean | true | Force path-style requests. Required for MinIO. |
| storage.s3.existingSecret | string | "" | Existing secret with S3 credentials. |
| storage.s3.existingSecretAccessKeyKey | string | access-key | Key for the S3 access key. |
| storage.s3.existingSecretSecretKeyKey | string | secret-key | Key for the S3 secret key. |

Backup

The backup CronJob runs pg_dump and uploads the result to S3. Upload files are not included.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| backup.enabled | boolean | false | Enable scheduled pg_dump S3 backup. |
| backup.schedule | string | "0 3 * * *" | Cron schedule. |
| backup.archivePrefix | string | docmost | Prefix for backup archive filenames. |
| backup.images.postgresql | string | postgres:18-alpine | Image providing pg_dump. |
| backup.s3.endpoint | string | "" | S3-compatible endpoint URL. |
| backup.s3.bucket | string | "" | Target bucket name. |
| backup.s3.existingSecret | string | "" | Existing secret with S3 credentials. |

Service and Ingress

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| service.type | string | ClusterIP | Service type. |
| service.port | integer | 80 | Service port. |
| ingress.enabled | boolean | false | Enable an Ingress resource. |
| ingress.ingressClassName | string | "" | Ingress class name. |
| ingress.annotations | object | {} | Ingress annotations (e.g. cert-manager). |
| ingress.hosts | array | [] | Host and path rules. |
| ingress.tls | array | [] | TLS configuration. |

Probes

All probes use /api/health as the HTTP path.

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| startupProbe.enabled | boolean | true | Enable startup probe. |
| startupProbe.failureThreshold | integer | 30 | Startup probe failure threshold. |
| livenessProbe.enabled | boolean | true | Enable liveness probe. |
| readinessProbe.enabled | boolean | true | Enable readiness probe. |

Resources and Scheduling

| Parameter | Type | Default | Description |
| --- | --- | --- | --- |
| resources | object | {} | CPU and memory requests/limits. |
| terminationGracePeriodSeconds | integer | 30 | Termination grace period. |
| nodeSelector | object | {} | Node selector for scheduling. |
| tolerations | array | [] | Tolerations for scheduling. |
| extraVolumes | array | [] | Extra volumes. |
| extraVolumeMounts | array | [] | Extra volume mounts. |
| extraManifests | array | [] | Extra Kubernetes manifests. |
