Mastodon Docker Setup - most complete and easiest guide online

Mastodon Docker Setup

In this guide we will only focus on using the prebuilt images from Docker Hub.

Prerequisites: You have Git, Docker, Docker compose and Nginx pre-installed.


Clone Mastodon's repository.

# Clone mastodon git repo
git clone
# Change directory to mastodon
cd mastodon
# Checkout to the latest stable branch
git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1)

Docker Compose file

Open the docker-compose.yml file in your favorite text editor.

  1. Comment out the build: . lines for all images (web, streaming, sidekiq). You can do this by adding: # before those lines.
  2. Edit the image: tootsuite/mastodon lines for all images to include the release you want. The default is latest which is the most recent stable version, however it recommended to explicitly pin a version: If you wanted to use v4.0 for example, you would edit the lines to say: image: tootsuite/mastodon:v4.0
  3. Do maybe want to change the default volume mount location in the Docker compose file, see the web section. Default is ./public/system. If you change this to another location (let's say: /var/www/mastodon/public/system). Update the volumes section of the web section to:
 - /var/www/mastodon/public/system:/mastodon/public/system
  1. Save the docker-compose.yml file and exit your text editor.

Create public web folder

We will now create the web folder on your host machine, we specified earlier in the docker-compose.yml file.

  1. To create this folder, execute:
mkdir -p /var/www/mastodon/public/system

Or when using the default settings, create a local public/system folder hierarchy:

mkdir -p public/system
  1. You also need to set the correct permissions to the public web folder. When you change the volume mount to the location I described earlier, use:
sudo chown -R 991:991 /var/www/mastodon/public

Or when you kept the default settings execute instead:

sudo chown -R 991:991 public

Mastodon environment config file

  1. It is adviced to use the sample configuration file as our starting point (so we have all the comments and options available). Thus, let's make a copy the example config using:
    cp .env.production.sample .env.production
  2. You could use the mastodon:setup task to help you generate several important configuration variables for the .env.production file.
    docker run -it --rm tootsuite/mastodon bundle exec rake mastodon:setup
    Hint: If it asks you to "Save configuration?" You can say: No/N.
  3. Open your local .env.production file and apply the generated settings. Pay extra attention to the following settings: LOCAL_DOMAIN, DB_*, ES_ENABLED, S3_ENABLED, SECRET_KEY_BASE and OTP_SECRET, VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY.
    1. LOCAL_DOMAIN should point to your public (sub)domain you want to use to serve Mastodon on.
    2. PostgreSQL config for Docker should be:
    3. Redis can be set to redis for Docker:
    4. Set both ES_ENABLED and S3_ENABLED to false, if you aren't using Elasticsearch or Amazon.
    5. The SECRET_KEY, OPT_SECRET, VAPID_*_KEY's are generated by the setup, which you can copy one-by-one.
    6. Try to enable SMTP as well. Example of Gmail config. Generate an Application password at your Google Account settings:
      SMTP_LOGIN[email protected]
      SMTP_FROM_ADDRESS=Mastodon <[email protected]>
    7. When running in production it's advised to log level to warn (default info):
    8. Depending on your servers load and usage, you could also increase some limits. (It's up to you to select the values that fit your needs):
  4. Save all the changes to .env.production and exit your text editor.

More info about the configuration environment settings.

Continue with the Database setup, chapter below.

Database Setup

Before starting Mastodon for the first time. We need to setup the database once. You should now have configured both the docker-compose.yml and .env.production before continuing with this step.

To setup the database we wil run the db:setup task together with Docker compose command, execute:

docker-compose run --rm web bundle exec rails db:setup

Launching Mastodon

If the database setup went successfully; well done! We can now start Mastodon for the first time.

You can launch Mastodon with:

docker-compose up

If everything seems to run fine, you can start the containers with the -d flag (for detach, so the containers will run in the background):

docker-compose up -d

Important: You can now go to the last step, setting-up Nginx as your reverse proxy. See below "Nginx Setup".


As discussed earlier. We will use the default Docker PostgreSQL configuration. Meaning the .env.production config file should contain the following database settings:



As discussed earlier, Redis can be set to redis when using Docker compose:


Email (SMTP)

As described earlier, here is an example of the Gmail config in .env.production as the SMTP service provider, used for outgoing emails:
SMTP_LOGIN[email protected]
SMTP_FROM_ADDRESS=Mastodon <[email protected]>

Generate an Application password at your Google Account settings. Try to avoid using your account password directly.

Docker network

Mastodon docker-compose.yml configuration file by default configures two Docker bridge networks. An external_network and an internal_network. The db and redis containers will not be part of the external network, however web, streaming and the sidekiq containers are part of the external_network bridge network and thus available on your host machine. After all that is what the Docker external bridge does as long as you publish the ports (which is also part of the docker-compose file).

The internal_network allows all different Mastodon containers (web, db, redis,..) to contact each other, while still be in an isolated Docker network.

The containers that are part of the external_network should now be accessible to you from the host machine.

I created a simple high-level network overview of the self-defined Docker bridge networks that will be created for you:


If you didn't understand a word of what I told you, don't panic, everything is done automatically for you when starting the containers.

Nginx Setup

You need to configure Nginx to serve your Mastodon instance. We assume you already have installed Nginx.

cd to /etc/nginx/sites-available and open a new file:

sudo nano /etc/nginx/sites-available/

We adapted the official Nginx configuration slightly to fit our needs.

Reminder: Replace all occurrences of with your own instance's domain or sub-domain.

Reminder #2: Depending on your public volume folder for the web instance, you want to change /var/www/mastodon/public in the Nginx example below to the location you setup earlier in this guide. Currently, we assume you changed the Docker compose web volume to: /var/www/mastodon/public/system:/mastodon/public/system.

Copy and paste the following and make additional edits where needed:

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;

upstream backend {
    server fail_timeout=0;

upstream streaming {
    server fail_timeout=0;

proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m inactive=7d max_size=1g;

server {
  listen 80;
  listen [::]:80;
  root /var/www/mastodon/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  # intermediate SSL config (Mozilla Guideline)
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;

  # Uncomment these lines once you acquire a certificate:
  # ssl_certificate     /etc/letsencrypt/live/;
  # ssl_certificate_key /etc/letsencrypt/live/;
  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  ssl_session_tickets off;
  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;
  root /var/www/mastodon/public;

  gzip on;
  gzip_disable "msie6";
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml image/x-icon;

  location / {
    try_files $uri @proxy;

  # If Docker is used for deployment and Rails serves static files,
  # then needed must replace line `try_files $uri =404;` with `try_files $uri @proxy;`.
  location = /sw.js {
    add_header Cache-Control "public, max-age=604800, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/assets/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/avatars/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/emoji/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/headers/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/packs/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/shortcuts/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/sounds/ {
    add_header Cache-Control "public, max-age=2419200, must-revalidate";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ~ ^/system/ {
    add_header Cache-Control "public, max-age=2419200, immutable";
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
    try_files $uri @proxy;

  location ^~ /api/v1/streaming {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Proxy "";

    proxy_pass http://streaming;
    proxy_buffering off;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

    tcp_nodelay on;

  location @proxy {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Proxy "";
    proxy_pass_header Server;

    proxy_pass http://backend;
    proxy_buffering on;
    proxy_redirect off;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    proxy_cache CACHE;
    proxy_cache_valid 200 7d;
    proxy_cache_valid 410 24h;
    proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
    add_header X-Cached $upstream_cache_status;

    tcp_nodelay on;

  error_page 404 500 501 502 503 504 /500.html;

Activate your Nginx site configuration:

cd /etc/nginx/sites-enabled
sudo ln -s ../sites-available/

And finally restart the Nginx server:

sudo systemctl restart nginx

This configuration makes the assumption you are using Let's Encrypt as your TLS certificate provider.

If you are going to be using Let's Encrypt as your TLS certificate provider, see the next sub-section. If not edit the ssl_certificate and ssl_certificate_key values accordingly.

Let's Encrypt

This section is only relevant if you are using Let's Encrypt as your TLS certificate provider.

Prerequisites: You need to have Certbot installed, follow these installation instructions.

Generation of the Certificate

Creating a Let's encrypt certificate easy. Just select the domain from the list after executing:

sudo certbot --nginx

When you are using the latest stable release of certbot your certificates will be renewed automatically.


k3yss commented Mar 23, 2023

Hey @melroy89 , can you suggest which parts should I skip in this guide if I just want to run a mastodon server locally, I am trying to develop admin moderation tools for tokodon (desktop mastodon client), so I don't need to make changes to the mastodon source code. After running docker run -it --rm tootsuite/mastodon bundle exec rake mastodon:setup I get asked for a domain name, I want the server to run in the local host, what should I give to the prompt.

lnlyssg commented Mar 23, 2023

@k3yss It's not recommended to use Docker for any dev purposes as it's simply not set-up for dev. There used to be a warning message in the docs but it got removed at some point:

Don't use Docker to do development. It's a quick way to get Mastodon running in production, it's really really inconvenient for development.

all it says now is

The best way of working with Mastodon in a development environment is installing all the dependencies on your system, rather than using Docker or Vagrant.

k3yss commented Mar 23, 2023

@jaytay79 Do i need to have a domain and SMTP server, even if i want to run mastodon locally, I am also on kde neon which is based on ubuntu 22.04, the docs recommend ubuntu 20.04 or debian 11.

A machine running Ubuntu 20.04 or Debian 11 that you have root access to
A domain name (or a subdomain) for the Mastodon server, e.g.
An e-mail delivery service or other SMTP server
You will be running the commands as root. If you aren’t already root, switch to root: sudo su -

What should be the best way which is fast and easy to setup mastodon locally?

lnlyssg commented Mar 23, 2023

@k3yss I'm afraid I can't help, if you have any queries on setting up a local dev environment it's probably best to ask on the Mastodon GitHub or join their Patreon and access their Discord server.

Maybe you can "fake" the domain name by adding the ip + domain name to your /etc/hosts file on your host machine? In case of Docker, assuming you the Mastodon port is mapped to your host machine, your IP will be localhost or

Copy link

Daniel15 commented Mar 27, 2023

@k3yss It's not recommended to use Docker for any dev purposes as it's simply not set-up for dev. There used to be a warning message in the docs but it got removed at some point:

Don't use Docker to do development. It's a quick way to get Mastodon running in production, it's really really inconvenient for development.

all it says now is

The best way of working with Mastodon in a development environment is installing all the dependencies on your system, rather than using Docker or Vagrant.

This is strange as they're recommending exactly the opposite of what modern software development is becoming. Manually installing dependencies is a pain so it's becoming common to use containerization (Docker, LXC, even something even lighter weight like a Python venv) or virtualization (KVM, VMWare, VirtualBox, etc) for development purposes, especially now that VS Code has great remoting support. You can run VS Code on your computer and connect to a container or VM to actually edit and debug the code.

Having said that, Mastodon also don't really recommend Docker in production either (mastodon/documentation#1035, mastodon/documentation#770), so it seems like they don't like convenience or ease-of-use and would prefer people to have the pain of running Ruby on Rails services, which are generally a nightmare for sysadmins.

They're going to be forever stuck in the past if they don't embrace newer technologies...

@Daniel15 I completely agree with all your statements.. I think those developers should really embrace Docker and the power of containerization and new technologies. The world is not standing still.

Copy link

danielkrajnik commented Nov 5, 2023

Thank you for creating this. It's really good. A few notes:

  • Nginx.conf is missing a semicolon on the line 46 client_max_body_size 80m
  • I got an error on the certbot step:
Error while running nginx -c /etc/nginx/nginx.conf -t.

2023/11/06 00:28:12 [emerg] 1239#1239: no "ssl_certificate" is defined for the "listen ... ssl" directive in /etc/nginx/sites-enabled/
nginx: configuration file /etc/nginx/nginx.conf test failed

To get around that I temporarily commented out these lines:

        # listen 443 ssl http2;
        # listen [::]:443 ssl http2;

  # ssl_protocols TLSv1.2 TLSv1.3;
  # ssl_prefer_server_ciphers off;

  # ssl_certificate     /etc/letsencrypt/live/;
  # ssl_certificate_key /etc/letsencrypt/live/;
  # ssl_session_timeout 1d;
  # ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
  # ssl_session_tickets off;

It worked, but it messed up the configuration file a lot and I had to fiddle with it for half an hour, but finally it seems to work:

For the future if you know a better way to add a certificate to this site configuration file please let me know.

  • May be worth adding extra flags to the certbot command sudo certbot --nginx --domain --email [email protected] --agree-tos --hsts --staple-ocsp. I've tried also adding --redirect flag, but it broke the site (I had to remove the if ($host = { return 301 https://$host$request_uri; } block it added).

Daniel15 commented Nov 6, 2023

(I had to remove the if ($host = { return 301 https://$host$request_uri; } block it added).

@danielkrajnik if blocks in Nginx configs should be avoided as there's a lot of pitfalls in terms of using them properly. The right way to redirect from HTTP to HTTPS is by using a separate server block:

server {
  listen 80;
  listen [::]:80;
  return 301 https://$host$request_uri;

You'll also have to allow access to /.well-known/acme-challenge/ without redirecting if you're using Let's Encrypt with HTTP challenges. I use DNS challenges so I don't do that in my configs.

danielkrajnik commented Nov 6, 2023

@Daniel15 thank you, I've changed that.

Copy link

I've also added watchtower to the docker-compose file for automated updates:

    image: containrrr/watchtower
      - /var/run/docker.sock:/var/run/docker.sock
    restart: always

lnlyssg commented Nov 6, 2023

I would be wary of using watchtower as sometimes there are migration actions when updating to newer releases e.g. with 4.2

Copy link

danielkrajnik commented Nov 6, 2023

Thanks @lnlyssg. Do you know some other automated updates mechanism that could work? Or would you just update it manually with each new release?

Even if it breaks, it should be as simple to repair as cd /home/<USERNAME>/mastodon && git pull origin main && git checkout $(git tag -l | grep -v 'rc[0-9]*$' | sort -V | tail -n 1) && docker compose down && docker compose up -d (after backing up docker-compose.yaml), no?

Copy link

danielkrajnik commented Nov 6, 2023

For anyone who didn't get the SMTP server to work on the first try:

  • confirm account email: docker exec -ti mastodon-web-1 tootctl accounts modify <USERNAME> --confirm
  • delete account: docker exec -ti mastodon-web-1 tootctl accounts delete <USERNAME>

lnlyssg commented Nov 6, 2023

TBH you don't actually need to do any of the git actions as all you really need from GitHub is the docker-compose and .env.production files. As and when there are changes to either file they should be in the release notes. I am specifying the specific versions in my docker-compose i.e. image: tootsuite/mastodon:v4.2.1 as I had an issue once with pulling latest when it pulled in a back level v3 image!

Copy link

danielkrajnik commented Nov 6, 2023

True, that confused me as well. Maybe we could change it in the guide?


patch file (following the above instructions):
you could then create a cron job with: patch -u docker-compose.yaml patch-file
same for .env.production, but with user-defined values

I had an issue once with pulling latest when it pulled in a back level v3 image!

Wow, thanks. I didn't know that. For small instances it would be nice to automate updates though. Ideally "set it up once and forget". Do you think that issue happens frequently?

Daniel15 commented Nov 6, 2023

For automated updates, I'd only recommend doing it for minor updates and bug fixes. Major updates can have breaking changes, including things like database schema changes that aren't backwards-compatible with the old version.

If you do use automatic updates, make sure you take a backup or snapshot (if using ZFS, LVM or btrfs) plus a database dump immediately before the update, so that you can roll back.

danielkrajnik commented Nov 6, 2023

Hmm, thanks for the heads up. That's a shame. I will turn backups on at my hosting provider then.

Interestingly enough AUR (which never ceases to amaze me) offers a mastodon package, which users claim to offer "seemless upgrades". I've never run Arch on a server but this makes me seriously consider it.

I suppose that the question why there is no support for some form of packaging from the developers (like matrix with their own PPAs) will remain a mystery (but the more issues you read the more obvious it becomes).

melroy89 commented Nov 6, 2023

Ps. Certbot nginx plugin will insert if blocks in nginx server block on port 80.

Copy link

Daniel15 commented Nov 6, 2023

Ps. Certbot nginx plugin will insert if blocks in nginx server block on port 80.

Ah, I didn't realise it did that. It probably does it because it's easiest to do, but it's not recommended. I use certbot certonly rather than the Nginx plugin which is why I was unaware of this behaviour.

danielkrajnik commented Nov 6, 2023

I haven't tried certonly, but python3-certbot-nginx messed up the site configuration quite a lot, so if (or when) the time comes to reinstall mastodon I will definitely try it instead.

otrapersona commented Feb 21, 2024

To install glitch-soc with this instructions:
I cloned glitch-soc's repo instead of mastodon's.
And replaced with yakumosaki/glitch-soc-aarch64 (or yakumosaki/glitch-soc for amd64)

melroy89 commented Feb 22, 2024

good to know! All I need is markdown, so is a much welcoming feature with code blocks and alike. Too bad the code blocks doesn't really show like a code block (and without syntax highlighting) and it will also most likely be stripped by Mastodon software. I just really wish Mastodon implements markdown by default, how hard can it be?

Copy link

Sweeistaken commented Dec 8, 2024

When I successfully follow this tutorial, the new instance doesn't seem to have an admin account, how do I make one via tootctl if I use docker-compose?

Daniel15 commented Dec 8, 2024 via email

Copy link

TheGorf commented Jan 17, 2025

Thank god for some competent docker documentation. The Mastodon dev team are a bunch of twats when it comes to fighting this. There is a thread where they basically pushed back on Docker documentation because "boohoo docker is to complicated". ugh.

One of the things that would be super helpful is if we could tackle the upgrade process. I'm all for pinning versions for production, but at some point you have to migrate to new versions. And that process is what has just screwed me every time. It's largely why i've given up trying to run Mastodon even though I want to so bad.

lnlyssg commented Jan 17, 2025

Upgrades are pretty easy, I check the release notes and then update the versions in docker-compose followed by running any upgrade steps as dictated by the release notes. I do it via Ansible playbook these days but my notes for doing it manually are:

Update docker-compose.yml with version:
sudo sed -i 's/4.2.10/4.2.11/g' docker-compose.yml

Pull new images, then bring down:
docker compose pull && docker compose down

Run any commands as per the release notes e.g. docker compose run --rm mastodon_web_1 bin/tootctl cache clear docker compose run --rm mastodon_web_1 rails db:migrate

Then docker compose up -d

Daniel15 commented Jan 17, 2025

boohoo docker is to complicated"

@TheGorf I find their argument amusing, because manually configuring and maintaining/updating a Ruby on Rails app is way more complicated than just using Docker. I would never want to run a Ruby app on bare metal these days.

