Welcome to Penpot Install Guide. Penpot is a free, open-source design and prototyping tool that serves as an excellent alternative to proprietary solutions like Figma. One of its major advantages is the ability to self-host, granting you full control over your data and ensuring privacy. This guide walks you through the official steps to self-host Penpot using Docker for a smooth production-ready setup.
What is Penpot and Why Self-Host?
Penpot is a collaborative design and prototyping platform built entirely on web standards (SVG). Unlike closed-source and cloud-based design tools like Figma, Penpot’s open-source nature allows:
- Full Data Ownership: Your design files and project data remain on servers you control.
- Customization: You can modify, extend, or integrate Penpot with other tools in ways that are not possible with proprietary solutions.
- Cost-Efficiency: Self-hosting can be more affordable in the long run, especially for larger teams.
- Privacy and Security: Keeping data in-house provides an additional layer of privacy and control.
Prerequisites
System Requirements
- CPU: At least 1–2 cores (more for larger teams).
- RAM: 4 GiB or more recommended for stable performance.
- Disk Space: At least 10 GB, though storage requirements increase as your design assets grow.
Installed Software
- Docker
  - Docker Desktop for Windows/MacOS.
  - Docker Engine for Linux VPS.
- Docker Compose V2
  - Bundled with Docker Desktop or installed as a plugin on Docker Engine.
Domain Name
- Required if you want to make Penpot accessible over the internet via a custom domain.
Basic Command Line Skills
- Familiarity with terminal commands is helpful for managing containers, images, and volumes.
Step 1: Install Docker
Skip this step if Docker is already installed and running on your system.
Docker Desktop
- Available for Windows, MacOS, and some Linux distributions (e.g., Debian, Ubuntu, Fedora).
- Offers a graphical user interface (GUI) for container management.
Install Docker Desktop by following the official guide.
Docker Engine (Linux VPS)
- The standard choice for Linux servers without a GUI.
- Follow the Docker Engine installation guide for your specific distro.
- Confirm that Docker Compose V2 is installed by running:
docker compose version
If you see an older docker-compose (with a dash), you may need to install the new Docker Compose V2 plugin or alias it.
Step 2: Download the Docker Compose File
Penpot provides an official docker-compose.yaml for quick deployment. Download it using one of the following commands:
wget https://raw.githubusercontent.com/penpot/penpot/main/docker/images/docker-compose.yaml
or
curl -o docker-compose.yaml https://raw.githubusercontent.com/penpot/penpot/main/docker/images/docker-compose.yaml
Step 3: Start Penpot
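Edit the Penpot Docker Compose file:
nano docker-compose.yaml
Navigate to the penpot-backend: section and add a PENPOT_SECRET_KEY entry. The value below is only a sample; because it is published on this page, generate your own random value for each installation instead of reusing it:
PENPOT_SECRET_KEY: 4FEmYEd4x8NLXUNecT3OcYYuBbdUXcmz5VHL7UJOSS2kiEaBB3kcnGvZghQFTjOMkMlAQhc-0x4XF8ieKscj6Q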
Launch the Penpot instance with Docker Compose:
docker compose -p penpot -f docker-compose.yaml up -d
This will pull the required images and run Penpot in the background. By default, Penpot is accessible at:
http://localhost:9001
(Replace localhost with your server’s IP or domain if hosted on a remote server.)
Stop Penpot
To stop the running instance, use:
docker compose -p penpot -f docker-compose.yaml down
This stops and removes containers but leaves volumes intact.
Step 4: Configure Penpot
Penpot’s configuration is managed via environment variables in the docker-compose.yaml file. The provided file contains default values and additional commented lines you can enable as needed.
Key environment variables:
- Domain Name:
PENPOT_PUBLIC_HOST: your-domain.com
- Database Credentials:
PENPOT_DB_PASS: your_secure_password
- Email Settings (optional): Configure SMTP settings to enable email notifications and password resets.
Adjust these according to your environment. After making changes, restart the containers:
docker compose -p penpot -f docker-compose.yaml down
docker compose -p penpot -f docker-compose.yaml up -d
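Steps 3 and 4 put a secret key and a database password into docker-compose.yaml. The script below is an added example, not part of Penpot or the original guide: it generates a fresh random key and flags a compose file that still carries the sample key or the placeholder password shown on this page. The function names and the 43-character minimum are assumptions; the variable names are the ones this guide uses.

```bash
#!/usr/bin/env bash
# Added example (not from the Penpot project): per-install secrets plus an
# audit for values copied verbatim from this guide. Variable names are the
# ones this guide uses; the 43-character minimum is an assumption.

GUIDE_SAMPLE_KEY='4FEmYEd4x8NLXUNecT3OcYYuBbdUXcmz5VHL7UJOSS2kiEaBB3kcnGvZghQFTjOMkMlAQhc-0x4XF8ieKscj6Q'

# gen_secret [NBYTES]: URL-safe base64 of NBYTES random bytes (default 64).
gen_secret() {
  head -c "${1:-64}" /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# get_env FILE KEY: value of the first uncommented "KEY: v" or "- KEY=v" line.
get_env() {
  sed -nE "s/^[[:space:]]*(-[[:space:]]*)?$2[[:space:]]*[:=][[:space:]]*//p" "$1" |
    head -n 1 | tr -d "\"'" | sed -E 's/[[:space:]]+$//'
}

# audit_compose FILE: print one finding per line; no output means no findings.
audit_compose() {
  local key pass
  key="$(get_env "$1" PENPOT_SECRET_KEY)"
  pass="$(get_env "$1" PENPOT_DB_PASS)"
  if [ -z "$key" ]; then
    echo "PENPOT_SECRET_KEY: not set"
  elif [ "$key" = "$GUIDE_SAMPLE_KEY" ]; then
    echo "PENPOT_SECRET_KEY: sample value published in the guide"
  elif [ "${#key}" -lt 43 ]; then
    echo "PENPOT_SECRET_KEY: shorter than 43 characters"
  fi
  if [ "$pass" = "your_secure_password" ]; then
    echo "PENPOT_DB_PASS: placeholder from the guide"
  fi
}

# Constructed sample: a compose fragment pasted straight from the steps above.
sample="$(mktemp)"
cat > "$sample" <<EOF
    environment:
      PENPOT_SECRET_KEY: $GUIDE_SAMPLE_KEY
      PENPOT_DB_PASS: your_secure_password
EOF
audit_compose "$sample"                       # reports both values
echo "PENPOT_SECRET_KEY: $(gen_secret 64)"    # fresh value to paste instead
rm -f "$sample"
```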
Step 5: Create Users via CLI
If you have email verification disabled (the default setting), you can manually create user accounts using the CLI:
docker exec -ti penpot-penpot-backend-1 python3 manage.py create-profile
Notes:
- The container name (penpot-penpot-backend-1) may differ. Use docker ps to find the correct name.
- Ensure the container is running and has the enable-prepl-server flag set if needed.
Step 6: Update Penpot
Staying up-to-date ensures you have the latest features, bug fixes, and security patches. To update:
docker compose -p penpot -f docker-compose.yaml pull
docker compose -p penpot -f docker-compose.yaml up -d
Migration to Version 2.0
Upgrading from version 1.x to 2.0 automatically triggers a database migration on startup. For extensive datasets, this process may take a while. If you prefer a manual approach:
- Disable the automatic migration by setting disable-v2-migration in PENPOT_FLAGS.
- Run the migration script manually:
docker exec -ti <container-name-or-id> ./run.sh app.migrations.v2
Step 7: Backup Penpot
Regular backups are essential to protect your designs and user data.
Identify Volumes
By default, Penpot uses Docker volumes for:
- PostgreSQL database (penpot_db)
- User-uploaded assets (images, SVGs, etc.)
Backup Procedure
Create a backup by mounting the desired volume and copying its contents:
docker run --rm \
  -v penpot_db:/volume \
  -v "$(pwd)":/backup \
  busybox tar cvf /backup/penpot_db_backup.tar /volume
This command:
- Starts a temporary container.
- Mounts the penpot_db volume to /volume.
- Archives the contents to penpot_db_backup.tar in your current directory ($(pwd)).
Repeat similar commands for other volumes (e.g., assets) if needed.
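The archive produced above contains the entire database, so it is worth restricting access to it and checking it before relying on it. The functions below are an added example, not part of Penpot or the original guide: they adapt the busybox/tar command to stream the archive to a file owned by the invoking user, record a SHA-256 checksum, and verify the archive later. The function names are hypothetical; penpot_db is the volume name this guide uses.

```bash
#!/usr/bin/env bash
# Added example (not from the Penpot project). Function names are hypothetical;
# the volume name penpot_db is the one this guide uses.

# seal_archive FILE: restrict the archive to its owner and record a SHA-256
# checksum next to it, since the tarball holds the whole database.
seal_archive() {
  local dir base
  dir="$(dirname "$1")"; base="$(basename "$1")"
  chmod 600 "$1" || return 1
  ( cd "$dir" && sha256sum "$base" > "$base.sha256" )
}

# verify_archive FILE: succeed only if the checksum still matches and tar can
# read every member, so a truncated or altered backup is caught before restore.
verify_archive() {
  local dir base
  dir="$(dirname "$1")"; base="$(basename "$1")"
  ( cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1 ) || return 1
  tar tf "$1" >/dev/null 2>&1
}

# backup_volume VOLUME DEST_DIR: the guide's busybox/tar command, changed to
# mount the volume read-only and stream the archive to stdout so the file is
# created by the calling user with owner-only permissions.
backup_volume() {
  local archive="$2/$1_backup.tar"
  ( umask 077
    docker run --rm -v "$1":/volume:ro busybox tar cf - /volume > "$archive"
  ) || return 1
  seal_archive "$archive" && verify_archive "$archive"
}

# Example call:
#   backup_volume penpot_db "$(pwd)"
```

Stop the stack with the down command from Step 3 before archiving, because a file-level copy of a running PostgreSQL data directory is not guaranteed to be consistent.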
Optional: Setting Up HTTPS with a Reverse Proxy
To secure your Penpot instance with an SSL certificate, you can set up a reverse proxy using tools like Nginx, Traefik, or Caddy. This step is especially important if you are exposing Penpot to the internet.
- Install a Reverse Proxy (e.g., Nginx).
- Obtain an SSL Certificate (e.g., via Let’s Encrypt using Certbot).
- Configure Proxy Rules
  - Listen on port 443 (HTTPS).
  - Forward traffic to localhost:9001 (Penpot default).
- Update Penpot’s PENPOT_PUBLIC_HOST
  - Set to https://your-domain.com in docker-compose.yaml.
Example Nginx configuration snippet:
server {
    listen 80;
    server_name your-domain.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name your-domain.com;
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
    location / {
        proxy_pass http://localhost:9001;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Best Practices for Production
Monitor Resource Usage
- Docker Stats: Use docker stats to monitor CPU, memory, and network usage of containers.
- System Monitoring: Tools like Grafana, Prometheus, or Netdata can provide deeper insights.
Regular Updates and Security
- Update both Penpot and Docker-related packages regularly.
- Patch your OS and third-party libraries to stay ahead of security vulnerabilities.
Use Strong Credentials
- Pick a strong password for your PostgreSQL database (PENPOT_DB_PASS).
- Secure any SSH or remote desktop access with key-based authentication and firewalls.
Conclusion
Self-hosting Penpot with Docker provides flexibility, cost savings, and complete data ownership, a significant advantage over proprietary design platforms. By following the outlined steps and best practices, you can ensure a robust, production-ready Penpot environment. Remember to:
- Keep your installation up to date.
- Configure backups on a regular schedule.
- Secure your instance with strong credentials and HTTPS.
With a successful deployment, you and your team can start designing with confidence, knowing your data is fully under your control. Happy designing! Thank you for reading our Penpot Install Guide.