WebUpdated Jun 2026

TREK

5,697 starsTypeScriptView on GitHub

A self-hosted, real-time collaborative travel planner — with maps, budgets, packing lists, a journal, and AI built in. ENCRYPTIONKEY=$(openssl rand -hex 32) docker run -d -p 3000:3000 \ -e ENCRYPTIONKEY=$ENCRYPTIONKEY \ -v ./data:/app/data -v ./uploads:/app/uploads mauriceboe/trek Open http://localhost:3000. On first boot TREK seeds an admin account — if you set ADMINEMAIL/ADMINPASSWORD those are used, otherwise the credentials are printed to the container log (docker logs trek).

A self-hosted, real-time collaborative travel planner — with maps, budgets, packing lists, a journal, and AI built in.

What you get

See all features

🧭 Trip planning

Drag & drop planner — organise places into day plans with reordering and cross-day moves
Interactive map — Leaflet or Mapbox GL with 3D buildings, terrain, photo markers, clustering, route visualization
Place search — Google Places (photos, ratings, hours) or OpenStreetMap (free, no API key)
Place import — shared Google Maps / Naver Maps lists, plus GPX and KML/KMZ/GeoJSON map files
Day notes — timestamped, icon-tagged notes with drag-and-drop reordering
Route optimisation — auto-sort places and export to Google Maps
Weather forecasts — 16-day via Open-Meteo (no key) + historical climate fallback
Category filter — show only matching pins on the map

🧳 Travel management

Reservations — flights, accommodations, restaurants with status, confirmation numbers, files; import from booking confirmation emails and PDFs (KDE Itinerary)
Costs — track and split trip expenses (Splitwise-style): per-person / per-day breakdowns, settle-up, multi-currency
Packing lists — categories, templates, user assignment, progress tracking
Bag tracking — optional weight tracking with iOS-style distribution
Document manager — attach docs, tickets, PDFs to trips / places / reservations (≤ 50 MB each)
PDF export — full trip plan as PDF with cover page, images, notes

👥 Collaboration

Real-time sync — WebSocket. Changes appear instantly across all connected users
Multi-user trips — invite members with role-based access
Invite links — one-time or reusable links with expiry
SSO (OIDC) — Google, Apple, Authentik, Keycloak, or any OIDC provider
2FA — TOTP + backup codes
Passkeys — passwordless WebAuthn login (fingerprint / face / PIN / security key), admin-toggleable
Collab suite — group chat, shared notes, polls, day check-ins

📱 Mobile & PWA

Installable — iOS and Android, straight from the browser, no App Store needed
Offline support — Service Worker caches tiles, API, uploads via Workbox
Native feel — fullscreen standalone, themed status bar, splash screen
Touch optimised — mobile-specific layouts with safe-area handling

🧩 Addons (admin-toggleable)

Lists — packing lists + to-dos with templates, member assignments, optional bag tracking
Costs — expense tracker with splits and settle-up (who owes whom), multi-currency
Documents — file attachments on trips, places, and reservations
Collab — chat, notes, polls, day-by-day attendance
Vacay — personal vacation planner with calendar, 100+ country holidays, carry-over tracking
Atlas — world map of visited countries, bucket list, travel stats, streak tracking, liquid-glass UI
Journey — magazine-style travel journal with entries, photos (Immich/Synology), maps, moods
AirTrail — connect a self-hosted AirTrail instance to import and sync flights into reservations
MCP — expose TREK to AI assistants via OAuth 2.1

🤖 AI / MCP

Built-in MCP server — OAuth 2.1 authenticated. 150+ tools, 30 resources
Granular scopes — 27 OAuth scopes across 13 permission groups
Full automation — AI can create trips, plan days, build packing lists, manage budgets, mark countries visited
Pre-built prompts — trip-summary, packing-list, budget-overview
Addon-aware — exposes Atlas, Collab, Vacay when those addons are on

⚙️ Admin & customisation

Dashboard views — card grid or compact list · Dark mode — full theme with matching status bar
20 languages — EN, DE, ES, FR, IT, NL, HU, RU, ZH, ZH-TW, PL, CS, AR (RTL), BR, ID, TR, JA, KO, UK, GR
Admin panel — users, invites, packing templates, categories, addons, API keys, backups, GitHub history
Notifications — per-user preferences across email (SMTP), webhook, ntfy, and an in-app notification center
Auto-backups — scheduled with configurable retention · Units — °C/°F, 12h/24h, map tile sources, default coordinates

Get started in 30 seconds

ENCRYPTION_KEY=$(openssl rand -hex 32) docker run -d -p 3000:3000 \
  -e ENCRYPTION_KEY=$ENCRYPTION_KEY \
  -v ./data:/app/data -v ./uploads:/app/uploads mauriceboe/trek

Open http://localhost:3000. On first boot TREK seeds an admin account — if you set ADMIN_EMAIL/ADMIN_PASSWORD those are used, otherwise the credentials are printed to the container log (docker logs trek).

· Docker Compose · Helm / Kubernetes · Install as PWA · Reverse Proxy ·

Tech stack

Real-time sync via WebSocket (ws). Backend on NestJS 11. State with Zustand. Auth via JWT + OAuth 2.1 + OIDC + Passkeys (WebAuthn) + TOTP MFA. Weather via Open-Meteo (no key required). Maps with Leaflet and Mapbox GL.

Docker Compose (production)

Full compose example with secure defaults

services:
  app:
    image: mauriceboe/trek:latest
    container_name: trek
    read_only: true
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - SETUID
      - SETGID
    tmpfs:
      - /tmp:noexec,nosuid,size=64m
    ports:
      - "3000:3000"
    environment:
      - NODE_ENV=production
      - PORT=3000
      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-}   # generate with: openssl rand -hex 32
      - TZ=${TZ:-UTC}
      - LOG_LEVEL=${LOG_LEVEL:-info}
      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-}
      - APP_URL=${APP_URL:-}                 # required for OIDC + email links
      # - FORCE_HTTPS=true                   # behind a TLS-terminating proxy
      # - TRUST_PROXY=1
      # - OIDC_ISSUER=https://auth.example.com
      # - OIDC_CLIENT_ID=trek
      # - OIDC_CLIENT_SECRET=supersecret
      # - OIDC_DISPLAY_NAME=SSO
      # - OIDC_ADMIN_CLAIM=groups
      # - OIDC_ADMIN_VALUE=app-trek-admins
    volumes:
      - ./data:/app/data
      - ./uploads:/app/uploads
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 15s

Then:

docker compose up -d

HTTPS notes: FORCE_HTTPS=true is optional — it adds a 301 redirect, HSTS, CSP upgrade-insecure-requests, and forces the secure cookie flag. Only use it behind a TLS-terminating reverse proxy. TRUST_PROXY=1 tells the server how many proxies sit in front so real client IPs and X-Forwarded-Proto work.

Helm (Kubernetes)

helm repo add trek https://mauriceboe.github.io/TREK
helm repo update
helm install trek trek/trek

See charts/README.md for values.

Install as App (PWA)

TREK works as a Progressive Web App — no App Store needed.

Open TREK in the browser (HTTPS required)
iOS: Share ▸ Add to Home Screen
Android: Menu ▸ Install app (or Add to Home Screen)

TREK then launches fullscreen with its own icon, just like a native app.

Updating

Docker Compose:

docker compose pull && docker compose up -d

Docker run — reuse the original volume paths:

docker pull mauriceboe/trek
docker rm -f trek
docker run -d --name trek -p 3000:3000 -v ./data:/app/data -v ./uploads:/app/uploads --restart unless-stopped mauriceboe/trek

Not sure which paths you used? docker inspect trek --format '{{json .Mounts}}' before removing the container.

Your data stays in the mounted data and uploads volumes — updates never touch it.

[!IMPORTANT] Mount only the data and uploads directories — -v ./data:/app/data -v ./uploads:/app/uploads. Never mount a volume at /app. Doing so hides the application code shipped in the image and the container fails to start with Cannot find module 'tsconfig-paths/register'. If you previously mounted /app, switch to the two mounts above; your data in data/ and uploads/ is preserved.

Rotating the Encryption Key

If you need to rotate ENCRYPTION_KEY (e.g. upgrading from a version that derived encryption from JWT_SECRET):

docker exec -it trek node --import tsx scripts/migrate-encryption.ts

The script creates a timestamped DB backup before making changes and prompts for old + new keys (input is not echoed).

Reverse Proxy

For production, put TREK behind a TLS-terminating reverse proxy. TREK uses WebSockets for real-time sync, so the proxy must support WebSocket upgrades on /ws.

Nginx

server {
    listen 80;
    server_name trek.yourdomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name trek.yourdomain.com;

    ssl_certificate     /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;

    # 500 MB covers backup-restore uploads (capped at 500 MB server-side).
    client_max_body_size 500m;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /ws {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_read_timeout 86400;
    }
}

Caddy

trek.yourdomain.com {
    reverse_proxy localhost:3000
}

Caddy handles TLS and WebSockets automatically.

Environment variables

Full reference

Variable	Description	Default
Core
`PORT`	Server port	`3000`
`NODE_ENV`	Environment (`production` / `development`)	`production`
`ENCRYPTION_KEY`	At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC). Recommended: generate with `openssl rand -hex 32`. If unset, falls back to `data/.jwt_secret` (existing installs) or auto-generates a key (fresh installs).	Auto
`TZ`	Timezone for logs, reminders and cron jobs (e.g. `Europe/Berlin`)	`UTC`
`LOG_LEVEL`	`info` = concise user actions, `debug` = verbose details	`info`
`DEFAULT_LANGUAGE`	Default language on the login page for users with no saved preference. Browser/OS language is auto-detected first; this is the fallback. Supported: `de`, `en`, `es`, `fr`, `hu`, `nl`, `br`, `cs`, `pl`, `ru`, `zh`, `zh-TW`, `it`, `ar`, `id`, `tr`, `ja`, `ko`, `uk`, `gr`	`en`
`ALLOWED_ORIGINS`	Comma-separated origins for CORS and email links	same-origin
`FORCE_HTTPS`	Optional. When `true`: 301-redirects HTTP to HTTPS, sends HSTS, adds CSP `upgrade-insecure-requests`, forces the session cookie `secure` flag. Useful behind a TLS-terminating reverse proxy. Requires `TRUST_PROXY`.	`false`
`HSTS_INCLUDE_SUBDOMAINS`	When `true`: adds the `includeSubDomains` directive to the HSTS header, extending HTTPS enforcement to all subdomains. Only effective when HSTS is active (`FORCE_HTTPS=true` or `NODE_ENV=production`). Leave `false` if you run other services on sibling subdomains over plain HTTP.	`false`
`COOKIE_SECURE`	Controls the `secure` flag on the `trek_session` cookie. Auto-derived: on when `NODE_ENV=production` or `FORCE_HTTPS=true`. Escape hatch: set `false` to allow session cookies over plain HTTP. Not recommended in production.	auto
`SESSION_DURATION`	How long a login session stays valid when "Remember me" is unchecked (the default): sets the `trek_session` JWT `exp` and issues a browser-session cookie (cleared when the browser closes). Accepts `ms`-style strings: `1h`, `12h`, `7d`, `30d`, `90d`. Invalid values warn at startup and fall back to the default.	`24h`
`SESSION_DURATION_REMEMBER`	Session length when "Remember me" is ticked at login: a longer-lived JWT plus a persistent `trek_session` cookie that survives browser restarts. Same format and startup-fallback behaviour as `SESSION_DURATION`.	`30d`
`TRUST_PROXY`	Number of trusted reverse proxies. Tells the server to read client IP from `X-Forwarded-For` and protocol from `X-Forwarded-Proto`. Defaults to `1` in production; off in dev unless set.	`1`
`ALLOW_INTERNAL_NETWORK`	Allow outbound requests to private/RFC-1918 IPs (e.g. Immich on your LAN). Loopback and link-local addresses remain blocked.	`false`
`APP_URL`	Public base URL of this instance (e.g. `https://trek.example.com`). Required when OIDC is enabled; used as base for email notification links.	—
OIDC / SSO
`OIDC_ISSUER`	OpenID Connect provider URL	—
`OIDC_CLIENT_ID`	OIDC client ID	—
`OIDC_CLIENT_SECRET`	OIDC client secret	—
`OIDC_DISPLAY_NAME`	Label shown on the SSO login button	`SSO`
`OIDC_ONLY`	Force SSO-only mode: disables password login + registration, regardless of Admin > Settings. The first SSO login becomes admin.	`false`
`OIDC_ADMIN_CLAIM`	OIDC claim used to identify admin users	—
`OIDC_ADMIN_VALUE`	Value of the OIDC claim that grants admin role	—
`OIDC_SCOPE`	Space-separated OIDC scopes. Fully replaces the default — always include `openid email profile`.	`openid email profile`
`OIDC_DISCOVERY_URL`	Override the auto-constructed OIDC discovery endpoint (e.g. Authentik: `.../application/o/trek/.well-known/openid-configuration`)	—
Initial setup
`ADMIN_EMAIL`	Email for the first admin on initial boot. Must be set together with `ADMIN_PASSWORD`. If either is omitted a random password is printed to the server log. No effect once a user exists.	`admin@trek.local`
`ADMIN_PASSWORD`	Password for the first admin on initial boot. Pairs with `ADMIN_EMAIL`.	random
Other
`DEMO_MODE`	Enable demo mode (hourly data resets)	`false`
`MCP_RATE_LIMIT`	Max MCP API requests per user per minute	`300`
`MCP_MAX_SESSION_PER_USER`	Max concurrent MCP sessions per user	`20`

Data & Backups

Database — SQLite, stored in ./data/travel.db
Uploads — stored in ./uploads/
Logs — ./data/logs/trek.log (auto-rotated)
Backups — create and restore via Admin Panel
Auto-Backups — configurable schedule and retention in Admin Panel

Data sources

The Atlas map's country and sub-national (province/county) boundaries come from geoBoundaries (Runfola et al., 2020), licensed CC BY 4.0. See NOTICE.md for full third-party attributions.

License

TREK is AGPL v3. Self-host freely for personal or internal company use. If you modify and offer TREK as a network service to third parties, your modifications must be open-sourced under the same licence.

What people are saying

“Hello HN, I like Ansible as a tool for automation to perform tasks on multiple remote hosts. But like many of you, I'm sick of the custom YAML DSL that many of this kind of tools provide. How many times have we said "jus…”

HN↑ 5linkdd↗

“I run multi-agent teams in high-consequence scenarios. Read: fuckups at 3 AM = I'm awake. I kept hitting the same issue. I couldn't get a rules-based system to enforce behavior and I had no real way to prove that agents …”

HN↑ 2alexgarden↗

“> Oh, dear jest. […] Properly configuring it with ESM and TypeScript was a PhD science project. No kidding, I had to do this recently. It was a trek and a half.”

HNmikl↗

“Is it just me ? Or is lisp-like(Take that all those REST-Like post from yesteryear) post/tech making a comeback ?? Just one datapoint.(ie glorious me) I like php(yea suck it haters) ,c,go,mysql,solr,ml,linux,svelte and c…”

HNrawoke083600↗

“Follow Alice | Junior Frontend Developer | Remote (anywhere) | https://followalice.com Follow Alice is a boutique tour operator offering a selection of the best adventure trips around the globe. We organise authentic adv…”

HNfollowalice↗

“Trek fulfilling some online, retailer orders from company stores - Bicycle Retailer & Industry News — Bicycle Retailer & Industry News”

NEWSBicycle Retailer & Industry News↗

“‘Star Trek: Strange New Worlds’ Season 4 Trailer Emphasizes Action-Adventure - The Hollywood Reporter — The Hollywood Reporter”

NEWSThe Hollywood Reporter↗

“See Borg Queen Jurati Try To Assimilate A Singularity In ‘Star Trek: The Last Starship’ #8 Preview - trekmovie.com — trekmovie.com”

NEWStrekmovie.com↗

Browse All Categories

Web

Recordly

Recordly is your open-source screen recorder and editor for walkthroughs, demos, product videos, and more. Accepting PRs. Recordly is a desktop app for recording and editing screen captures with motion-driven presentation tools built in. Instead of sending raw footage to a motion designer just to add zooms, cursor polish, or a styled background, Recordly handles that workflow in one place for free. Recordly can automatically emphasize activity with zoom suggestions, smooth cursor movement, add motion effects, and place the final composition inside a styled frame with wallpapers, colors, gradients, blur, padding, and shadows.

Web

obscura

Lightweight, stealthy, and built in Rust. Obscura is a headless browser engine written in Rust, built for web scraping and AI agent automation. It runs real JavaScript via V8, supports the Chrome DevTools Protocol, and acts as a drop-in replacement for headless Chrome with Puppeteer and Playwright. Designed for automation at scale, not desktop browsing.

Web

MiMo Code

MiMoCode is a terminal-native AI coding assistant. It can read and write code, run commands, manage Git, and use a persistent memory system to keep a deep understanding of your project across sessions while continuously improving itself. MiMo Auto is built in as a free-for-limited-time channel, so you can start with zero configuration. MiMoCode also supports connecting to any mainstream LLM provider API. The first launch guides you through configuration automatically. Supported options:

Web

Kami

Kami (紙, かみ) means paper in Japanese: the surface where a finished idea lands. AI can produce documents better than most humans do manually. The missing piece is not capability but constraint: without a design system, every session drifts into generic gray and inconsistent layouts. Kami fills that gap: one constraint language, nine templates, simple enough for agents to run reliably, strict enough that every output is something you actually want to ship. English and Chinese are first-class; Japanese and Korean work via best-effort CJK paths with visual QA before delivery. Part of a trilogy: Kaku (書く) writes code, Waza (技) drills habits, Kami (紙) delivers documents.