How do I install Notory (self-hosted)?
Short answer
Section titled “Short answer”Notory runs as a container stack (backend + web/reverse proxy + database). We recommend
PostgreSQL or MariaDB; SQLite is for quick trials only. You put the configuration in a
.env, start the stack with Docker Compose, run the database migrations, and create
the first tenant and administrator on first launch. Without a valid license the installation
runs in read-only mode: data stays visible but changes are blocked until a valid license
(Starter or higher) is applied.
Prerequisites
Section titled “Prerequisites”- Docker + Docker Compose
- A database: PostgreSQL 16+ or MariaDB 11.x (containerized or external)
- Optional, recommended for production: a reverse proxy (nginx/Traefik) with a TLS certificate
-
Create environment variables (
.env). Database connection, a long randomSECRET_KEY, and optionally the license key:.env # Database (pick one line)DATABASE_URL=postgresql://inv:secret@db:5432/notory# DATABASE_URL=mariadb://inv:secret@db:3306/notory# SecuritySECRET_KEY=set-a-long-random-value# License (optional - without a valid license it runs read-only, no changes)LICENSE_KEY= -
Create
docker-compose.yml.docker-compose.yml services:db:image: postgres:16environment:POSTGRES_USER: invPOSTGRES_PASSWORD: secretPOSTGRES_DB: notoryvolumes: [ "dbdata:/var/lib/postgresql/data" ]backend:image: notory/backend:latestenv_file: .envdepends_on: [ db ]web:image: notory/web:latestports: [ "8080:80" ] # nginx reverse proxydepends_on: [ backend ]volumes:dbdata:docker-compose.yml services:db:image: mariadb:11environment:MARIADB_USER: invMARIADB_PASSWORD: secretMARIADB_DATABASE: notoryMARIADB_ROOT_PASSWORD: change-mevolumes: [ "dbdata:/var/lib/mysql" ]backend:image: notory/backend:latestenv_file: .env # DATABASE_URL=mariadb://…depends_on: [ db ]web:image: notory/web:latestports: [ "8080:80" ]depends_on: [ backend ]volumes:dbdata: -
Start & run migrations.
Terminal window docker compose up -d# Create/upgrade the database schema:docker compose exec backend alembic upgrade headThe interface is then reachable at
http://SERVER:8080. -
Create the first tenant and admin. On first launch, Notory walks you through creating the first tenant and an administrator account. Afterwards you can sign in.
-
Set up TLS / reverse proxy (production). For production, put a reverse proxy with a certificate (e.g. Let’s Encrypt) in front and route HTTPS to the
webservice (port 8080). -
Install a license (optional). Add the
LICENSE_KEYto.envand restart thebackendservice. Details, instance binding, and status: Install a license.
What happens behind the scenes?
Section titled “What happens behind the scenes?”- Read-only mode as fallback. Without a valid license the installation runs in read-only mode: data stays visible but changes are blocked until a valid license (Starter or higher) is applied. A key installed later unlocks the plan, limits, and modules - your data is kept.
- Instance ID. On first start Notory generates a unique instance ID (visible under Administration → License), required for instance-bound licenses.
- Migrations are repeatable.
alembic upgrade headbrings the schema up to date; you run the same command after every update.