Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

Cloud Deploy

Moltis publishes a multi-arch Docker image (linux/amd64 and linux/arm64) to ghcr.io/moltis-org/moltis. You can deploy it to any cloud provider that supports container images.

Common configuration

All cloud providers terminate TLS at the edge, so Moltis must run in plain HTTP mode. The key settings are:

SettingValuePurpose
--no-tls or MOLTIS_NO_TLS=trueDisable TLSProvider handles HTTPS
--bind 0.0.0.0Bind all interfacesRequired for container networking
--port <PORT>Listen portMust match provider’s expected internal port
MOLTIS_CONFIG_DIR=/data/configConfig directoryPersist moltis.toml, credentials
MOLTIS_DATA_DIR=/dataData directoryPersist databases, sessions, memory
MOLTIS_DEPLOY_PLATFORMDeploy platformHides local-only providers (see below)
MOLTIS_PASSWORDInitial passwordSet auth password via environment variable

Tip

If requests to your domain are redirected to :13131, Moltis TLS is still enabled behind a TLS-terminating proxy. Use --no-tls (or MOLTIS_NO_TLS=true).

Only keep Moltis TLS enabled when your proxy talks HTTPS to Moltis (or uses TCP TLS passthrough). In that case, set MOLTIS_ALLOW_TLS_BEHIND_PROXY=true.

Warning

Sandbox limitation: Most cloud providers do not support Docker-in-Docker. The sandboxed command execution feature (where the LLM runs shell commands inside isolated containers) will not work on these platforms. The agent will still function for chat, tool calls that don’t require shell execution, and MCP server connections.

MOLTIS_DEPLOY_PLATFORM

Set this to the name of your cloud provider (e.g. flyio, digitalocean, render). When set, Moltis hides local-only LLM providers (local-llm and Ollama) from the provider setup page since they cannot run on cloud VMs. The included deploy templates for Fly.io, DigitalOcean, and Render already set this variable.

Coolify (self-hosted, e.g. Hetzner)

Coolify deployments can run Moltis with sandboxed exec tools, as long as the service mounts the host Docker socket.

  • Use examples/docker-compose.coolify.yml as a starting point.
  • Run Moltis with --no-tls (Coolify terminates HTTPS at the proxy).
  • Set MOLTIS_BEHIND_PROXY=true so client IP/auth behavior is correct behind reverse proxying.
  • Mount /var/run/docker.sock:/var/run/docker.sock to enable container-backed sandbox execution.

Fly.io

The repository includes a fly.toml ready to use.

Quick start

# Install the Fly CLI if you haven't already
curl -L https://fly.io/install.sh | sh

# Launch from the repo (uses fly.toml)
fly launch --image ghcr.io/moltis-org/moltis:latest

# Set your password
fly secrets set MOLTIS_PASSWORD="your-password"

# Create persistent storage
fly volumes create moltis_data --region iad --size 1

How it works

  • Image: pulled from ghcr.io/moltis-org/moltis:latest
  • Port: internal 8080, Fly terminates TLS and routes HTTPS traffic
  • Storage: a Fly Volume mounted at /data persists the database, sessions, and memory files
  • Auto-scaling: machines stop when idle and start on incoming requests

Custom domain

fly certs add your-domain.com

Then point a CNAME to your-app.fly.dev.

DigitalOcean App Platform

Deploy to DO

Click the button above or create an app manually:

  1. Go to Apps > Create App
  2. Choose Container Image as source
  3. Set image to ghcr.io/moltis-org/moltis:latest
  4. Set the run command: moltis --bind 0.0.0.0 --port 8080 --no-tls
  5. Set environment variables:
    • MOLTIS_DATA_DIR = /data
    • MOLTIS_PASSWORD = your password
  6. Set the HTTP port to 8080

No persistent disk

DigitalOcean App Platform does not support persistent disks for image-based services in the deploy template. Data will be lost on redeployment. For persistent storage, consider using a DigitalOcean Droplet with Docker instead.

Render

Deploy to Render

The repository includes a render.yaml blueprint. Click the button above or:

  1. Go to Dashboard > New > Blueprint
  2. Connect your fork of the Moltis repository
  3. Render will detect render.yaml and configure the service

Configuration details

  • Port: Render uses port 10000 by default
  • Persistent disk: 1 GB mounted at /data (included in the blueprint)
  • Environment: set MOLTIS_PASSWORD in the Render dashboard under Environment > Secret Files or Environment Variables

OAuth Providers (OpenAI Codex, GitHub Copilot)

OAuth providers that redirect to localhost (like OpenAI Codex) cannot complete the browser flow when Moltis runs on a remote server — localhost on the user’s browser points to their own machine, not the cloud instance.

Use the CLI to authenticate instead:

# Fly.io
fly ssh console -C "moltis auth login --provider openai-codex"

# DigitalOcean (Droplet with Docker)
docker exec -it moltis moltis auth login --provider openai-codex

# Generic container
docker exec -it <container> moltis auth login --provider openai-codex

The CLI opens a browser on the machine where you run the command. After you log in, tokens are saved to the config volume and the running gateway picks them up automatically — no restart needed.

Tip

GitHub Copilot uses device-flow authentication (a code you enter on github.com), so it works from the web UI without this workaround.

Authentication

On first launch, Moltis requires a password or passkey to be set. In cloud deployments the easiest approach is to set the MOLTIS_PASSWORD environment variable (or secret) before deploying. This pre-configures the password so the setup code flow is skipped.

# Fly.io
fly secrets set MOLTIS_PASSWORD="your-secure-password"

For Render and DigitalOcean, set the variable in the dashboard’s environment settings.

Health checks

All provider configs use the /health endpoint which returns HTTP 200 when the gateway is ready. Configure your provider’s health check to use:

  • Path: /health
  • Method: GET
  • Expected status: 200