Single-server install

A single command runs NocoDB with Postgres + Redis, sets up Traefik with automatic Let's Encrypt SSL, and gives you a working HTTPS endpoint.

Everything runs on one server: app, database, cache, and proxy. For a managed database, multiple app replicas, or Kubernetes, see Custom infrastructure.

Prerequisites: Docker with the Compose v2 plugin, on a host with ports 80 and 443 reachable. A Linux server is recommended for production; macOS and Windows (Git Bash or WSL) work too. If using a real domain, point its DNS A record at this host's public IP before running the installer.

Just evaluating locally? The Quickstart is the simpler path on Mac or Windows. This installer runs there too, but its HTTPS setup assumes a host reachable at your domain on ports 80 and 443.

1. Run

curl -fsSL https://install.nocodb.com/noco.sh | bash

2. Answer 3–4 prompts

Prompt	What to enter	Notes
Domain	`nocodb.example.com`	Must resolve to this server. Blank or `localhost` gives local mode (port 8080); a bare IP serves plaintext HTTP on port 80. Both skip SSL.
Postgres	`1` (Bundled) or `2` (Existing)	Bundled is the typical choice. Choose Existing to use a managed database (RDS, Cloud SQL, etc.).
Redis	`1` (Bundled) or `2` (Existing)	Same idea.
Let's Encrypt email	`ops@example.com`	Only asked when you provided a real domain. Used for SSL certificate renewal notifications.

After you confirm the summary, the installer writes everything into nocodb/, pulls the images, and starts the stack. The first run can take a few minutes.

3. Open NocoDB

Visit https://your-domain. Sign up with an email and password. The first user becomes super admin.

What the script generates

./nocodb/
├── docker-compose.yml      # Service orchestration
├── docker.env              # Environment variables
├── .gitignore              # Keeps secrets and runtime data out of version control
├── nocodb/
│   └── db.json             # Database connection (knex format, supports custom CA)
├── update.sh               # docker compose pull && up -d && image prune
└── letsencrypt/            # Traefik ACME storage (production with a real domain)

Postgres, Redis, and NocoDB application data (including attachments) are stored in Docker-managed named volumes, not in this directory. Run docker volume ls to see them. They survive docker compose down.

Reviewing the script before running

If you'd rather inspect what runs before piping it to bash:

curl -fsSL https://install.nocodb.com/noco.sh -o noco.sh
less noco.sh
bash noco.sh

The script source lives in the nocodb/nocodb GitHub repo.

Non-interactive install

For automation (CI, IaC, configuration management):

curl -fsSL https://install.nocodb.com/noco.sh | bash -s -- \
  --domain=nocodb.example.com \
  --acme-email=ops@example.com \
  --pg=bundled --redis=bundled

Full flag list:

Flag	Values	Notes
`--quick`		Bundled Postgres + Redis, local mode (port 8080). Add `--domain=` for production HTTPS.
`--domain=`	hostname or IP	Blank or `localhost` → local mode (port 8080). A bare IP serves plaintext HTTP on port 80 (no SSL).
`--acme-email=`	email	Required for production with a valid domain.
`--image-tag=`	image tag	Pin `nocodb/nocodb` to a version. Default: `latest`.
`--pg=`	`bundled` or `external`
`--pg-host=`, `--pg-port=`, `--pg-database=`, `--pg-user=`, `--pg-password=`		When `--pg=external`.
`--pg-ssl=`	`managed`, `none`, or `/path/to/ca.pem`	When `--pg=external`.
`--redis=`	`bundled` or `external`
`--redis-url=`	`redis://...`	When `--redis=external`.

Run bash noco.sh --help for the canonical list.

Updating

cd nocodb
./update.sh

This pulls the latest images, restarts containers, and prunes old image layers.

Common operations

cd nocodb

# Tail logs
docker compose logs -f nocodb

# Restart NocoDB only (keeps DB and Redis up)
docker compose restart nocodb worker

# Stop everything
docker compose down

# Reconfigure: re-run the wizard (overwrites docker-compose.yml after confirmation, then restarts)
curl -fsSL https://install.nocodb.com/noco.sh | bash

If the stack won't start or you can't reach NocoDB, see Troubleshooting.

Bringing your own reverse proxy or SSL

If you already have nginx, Caddy, or a load balancer in front, run the installer with a blank domain (local mode). NocoDB then listens on port 8080. Forward the X-Forwarded-Proto and Host headers from your proxy so NocoDB generates correct callback URLs. For more control, see Custom infrastructure.

Production hardening checklist

Once the stack is up and you can sign in, walk through this checklist before opening it to real traffic:

Firewall. Allow only the ports you need (22 for SSH, 80+443 for HTTPS). On Ubuntu/Debian: sudo ufw allow OpenSSH && sudo ufw allow 80,443/tcp && sudo ufw enable. On RHEL family: firewall-cmd --add-service=ssh --add-service=http --add-service=https --permanent && firewall-cmd --reload.
Verify secret-file permissions. The installer already restricts docker.env and nocodb/db.json to 600. Re-apply if you copied or edited them by hand:
```
cd nocodb
chmod 600 docker.env nocodb/db.json
```
SELinux (RHEL, Rocky, Alma, Fedora). Named volumes are relabeled by Docker automatically, so the data volumes need no action. The remaining bind mounts are the config files and the letsencrypt/ directory. If SELinux is in Enforcing mode (getenforce) and those are denied, add the :Z suffix to their entries in docker-compose.yml (e.g. ./letsencrypt:/letsencrypt:Z).
License activation outbound. NocoDB calls https://app.nocodb.com/api/v1/on-premise/agent over TCP 443 every 6 hours. If you filter egress by host or path, allowlist exactly that. For fully offline servers, see Airgapped license.
Log rotation. Docker's json-file log driver grows unbounded by default. Add a global cap in /etc/docker/daemon.json:
```
{
  "log-driver": "json-file",
  "log-opts": { "max-size": "10m", "max-file": "5" }
}
```
Restart Docker (sudo systemctl restart docker) for the change to apply.
systemd unit (optional but recommended). The default Compose stack restarts containers on Docker daemon restart, but a systemd unit makes the deployment itself a managed service. Create /etc/systemd/system/nocodb.service:
```
[Unit]
Description=NocoDB
Requires=docker.service
After=docker.service network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
WorkingDirectory=/path/to/nocodb
ExecStart=/usr/bin/docker compose up -d
ExecStop=/usr/bin/docker compose down

[Install]
WantedBy=multi-user.target
```
Enable with sudo systemctl daemon-reload && sudo systemctl enable --now nocodb.service.
Healthcheck endpoint. NocoDB exposes GET /api/v1/health. Wire it into your monitoring system.
Pin your image tags for production rather than tracking latest. See Pinning to a specific version.
Schedule backups. See Backups. At minimum, a daily pg_dump plus an attachment tarball.

Activating an enterprise license

Once NocoDB is running, sign up as the first user and go to Admin Panel → License to paste your key. See Purchase a license and License activation for the full flow.