Moltis
Deployment

Cloud Deploy

Moltis publishes a multi-arch Docker image (linux/amd64 and linux/arm64) to ghcr.io/moltis-org/moltis. You can deploy it to any cloud provider that supports container images.

Common configuration

All cloud providers terminate TLS at the edge, so Moltis must run in plain HTTP mode. The key settings are:

SettingValuePurpose
--no-tls or MOLTIS_NO_TLS=trueDisable TLSProvider handles HTTPS
--bind 0.0.0.0Bind all interfacesRequired for container networking
--port <PORT>Listen portMust match provider’s expected internal port
MOLTIS_CONFIG_DIR=/data/configConfig directoryPersist moltis.toml, credentials
MOLTIS_DATA_DIR=/dataData directoryPersist databases, sessions, memory
MOLTIS_DEPLOY_PLATFORMDeploy platformHides local-only providers (see below)
MOLTIS_PASSWORDInitial passwordSet auth password via environment variable

MOLTIS_DEPLOY_PLATFORM

Set this to the name of your cloud provider (e.g. flyio, digitalocean, render). When set, Moltis hides local-only LLM providers (local-llm and Ollama) from the provider setup page since they cannot run on cloud VMs. The included deploy templates for Fly.io, DigitalOcean, and Render already set this variable.

ngrok

Moltis can also expose a public HTTPS endpoint through ngrok without running an external ngrok binary. This is useful when you want a public callback URL or temporary team access from a local machine or private host.

Configuration:

[ngrok]
enabled = true
authtoken = "${NGROK_AUTHTOKEN}" # or set NGROK_AUTHTOKEN in the environment
# domain = "team-gateway.ngrok.app" # optional reserved/static domain

Notes:

  • The tunnel is feature-gated. Standard CLI builds include it by default, but custom minimal builds can opt out of the ngrok feature.
  • In the web UI, configure Tailscale and ngrok from Settings -> Remote Access.
  • ngrok forwards into a loopback-only internal HTTP listener. Your normal local TLS and bind settings remain unchanged.
  • Keep authentication enabled. Exposing ngrok with auth.disabled = true creates a public unauthenticated endpoint, which is exactly as bad as it sounds.
  • Passkeys are hostname-bound. If you use ephemeral ngrok URLs, existing passkeys may not work on the new hostname. Use a reserved domain if you want stable passkey behavior.

Coolify (self-hosted, e.g. Hetzner)

Coolify deployments can run Moltis with sandboxed exec tools, as long as the service mounts the host Docker socket.

  • Use examples/docker-compose.coolify.yml as a starting point.
  • Run Moltis with --no-tls (Coolify terminates HTTPS at the proxy).
  • Set MOLTIS_BEHIND_PROXY=true so client IP/auth behavior is correct behind reverse proxying.
  • Mount /var/run/docker.sock:/var/run/docker.sock to enable container-backed sandbox execution.

Fly.io

The repository includes a fly.toml ready to use.

Quick start

# Install the Fly CLI if you haven't already
curl -L https://fly.io/install.sh | sh

# Launch from the repo (uses fly.toml)
fly launch --image ghcr.io/moltis-org/moltis:latest

# Set your password
fly secrets set MOLTIS_PASSWORD="your-password"

# Create persistent storage
fly volumes create moltis_data --region iad --size 1

How it works

  • Image: pulled from ghcr.io/moltis-org/moltis:latest
  • Port: internal 8080, Fly terminates TLS and routes HTTPS traffic
  • Storage: a Fly Volume mounted at /data persists the database, sessions, and memory files
  • Auto-scaling: machines stop when idle and start on incoming requests

Custom domain

fly certs add your-domain.com

Then point a CNAME to your-app.fly.dev.

DigitalOcean App Platform

Deploy to DO

Click the button above or create an app manually:

  1. Go to Apps > Create App
  2. Choose Container Image as source
  3. Set image to ghcr.io/moltis-org/moltis:latest
  4. Set the run command: moltis --bind 0.0.0.0 --port 8080 --no-tls
  5. Set environment variables:
    • MOLTIS_DATA_DIR = /data
    • MOLTIS_PASSWORD = your password
  6. Set the HTTP port to 8080

Render

Deploy to Render

The repository includes a render.yaml blueprint. Click the button above or:

  1. Go to Dashboard > New > Blueprint
  2. Connect your fork of the Moltis repository
  3. Render will detect render.yaml and configure the service

Configuration details

  • Port: Render uses port 10000 by default
  • Persistent disk: 1 GB mounted at /data (included in the blueprint)
  • Environment: set MOLTIS_PASSWORD in the Render dashboard under Environment > Secret Files or Environment Variables

OAuth Providers (OpenAI Codex, GitHub Copilot)

OAuth providers that redirect to localhost (like OpenAI Codex) cannot complete the browser flow when Moltis runs on a remote server — localhost on the user’s browser points to their own machine, not the cloud instance.

Use the CLI to authenticate instead:

# Fly.io
fly ssh console -C "moltis auth login --provider openai-codex"

# DigitalOcean (Droplet with Docker)
docker exec -it moltis moltis auth login --provider openai-codex

# Generic container
docker exec -it <container> moltis auth login --provider openai-codex

The CLI opens a browser on the machine where you run the command. If automatic callback capture fails, Moltis prompts you to paste the callback URL (or code#state) directly in the terminal. After you log in, tokens are saved to the config volume and the running gateway picks them up automatically — no restart needed.

Authentication

On first launch, Moltis requires a password or passkey to be set. In cloud deployments the easiest approach is to set the MOLTIS_PASSWORD environment variable (or secret) before deploying. This pre-configures the password so the setup code flow is skipped.

# Fly.io
fly secrets set MOLTIS_PASSWORD="your-secure-password"

For Render and DigitalOcean, set the variable in the dashboard’s environment settings.

Health checks

All provider configs use the /health endpoint which returns HTTP 200 when the gateway is ready. Configure your provider’s health check to use:

  • Path: /health
  • Method: GET
  • Expected status: 200