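# HermitStash — Docker Compose (pre-built image)
#
# Quick start:
#   curl -O https://raw.githubusercontent.com/dotCooCoo/hermitstash/main/docker-compose.image.yml
#   docker compose -f docker-compose.image.yml up -d
#   open http://localhost:3000
#
# Data is stored in ./data (encrypted DB + vault keys) and ./uploads (files).
# Back up ./data/vault.key — loss of this file means all sealed data is unrecoverable.
#
# Exposure note: the port mapping below publishes on every host interface, and
# the environment defaults (TRUST_PROXY, REGISTRATION_OPEN, PUBLIC_UPLOAD) are
# tuned for a first run on a trusted network. Review them before the host is
# reachable from anywhere else.

services:
  hermitstash:
    image: ghcr.io/dotcoocoo/hermitstash:1  # see README "Image tag scheme" for :1 / :1.7 / :1.7.x / :latest options
    init: true
    ports:
      # Binds on all interfaces. When a reverse proxy runs on the same host,
      # "127.0.0.1:3000:3000" keeps the app reachable only through the proxy.
      - "3000:3000"
    volumes:
      - ./data:/app/data  # encrypted DB, vault keys, TLS certs
      - ./uploads:/app/uploads  # files (local storage only, not needed with S3)
    shm_size: 256m  # in-memory database — minimum 128MB, 256MB recommended
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      # Presumably used by the PUID/PGID user switch at start-up (chown of the
      # bind-mounted dirs, then setuid/setgid to the target user). DAC_OVERRIDE
      # bypasses file permission checks — confirm it is still needed before
      # removing it, and do not widen this list without a documented reason.
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    healthcheck:
      # Block style so each exec argument is one line; the probe exits 0 only
      # on an HTTP 200 from /health.
      test:
        - CMD
        - node
        - "-e"
        - "require('http').get('http://localhost:3000/health',function(r){process.exit(r.statusCode===200?0:1)}).on('error',function(){process.exit(1)})"
      interval: 30s
      timeout: 5s
      start_period: 30s
      retries: 3
    environment:
      # Container user — default 99:100 (Unraid). Set to 1000:1000 for standard Linux.
      PUID: "99"
      PGID: "100"
      # 755 dirs, 644 files. Use 000 for Unraid nobody:users sharing
      # (world-writable — only on a share you already trust).
      UMASK: "022"
      TZ: "Etc/UTC"  # e.g. America/New_York
      NODE_ENV: production
      HERMITSTASH_TMPDIR: /dev/shm
      PORT: "3000"  # quoted so every value in this map reaches the container as a string
      # "true" makes the app honour proxy-supplied client headers (presumably
      # X-Forwarded-*). Keep it only when a reverse proxy fronts the container;
      # with the port published directly, a client can set those headers itself.
      TRUST_PROXY: "true"
      # Required for passkeys + HSTS — set to your full domain URL
      RP_ORIGIN: ""  # e.g. https://files.example.com
      # Auth (defaults work for getting started). Open registration and public
      # upload are on by default — review both before the host is internet-facing.
      LOCAL_AUTH: "true"
      REGISTRATION_OPEN: "true"
      PUBLIC_UPLOAD: "true"
      PASSKEY_ENABLED: "true"
      # All other settings (email, S3, branding, etc.) are configured
      # via the admin panel at /admin after first start.
      # ── Vault passphrase protection (opt-in, v1.9+) ────────────────────
      # Wraps data/vault.key with an Argon2id-derived passphrase. Closes
      # the disk-snapshot threat — see README "Passphrase protection".
      # LOSS of passphrase = LOSS of all encrypted data. Enable only after
      # storing the passphrase in a password manager, and only after
      # running scripts/vault-passphrase-setup.js to migrate the existing
      # plaintext vault.key to the wrapped format.
      #
      # VAULT_PASSPHRASE_MODE: "required"
      # VAULT_PASSPHRASE_FILE: "/run/secrets/vault-pw"  # preferred — Docker secrets
      # VAULT_PASSPHRASE: ""  # env-var alternative (less secure: visible in `docker inspect` and process listings)
      # ── PEM at-rest sealing for CA + TLS keys (v1.9.4+) ─────────────────
      # Tristate: auto (default) | required | disabled
      # See docker-compose.yml for the full walkthrough. Flip to "required"
      # after running the seal script or admin UI wizard.
      CA_KEY_SEALED: "auto"
      TLS_KEY_SEALED: "auto"
      # ── mTLS strictness (v1.9.5 documented) ─────────────────────────────
      # unset = soft (app-layer); "true" = hard (TLS-layer); "false" = OFF
      # ENFORCE_MTLS_STRICT: "true"
    restart: unless-stopped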