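# Compose definition for the HermitStash service.
# Every value under `environment` is written as a quoted string so the YAML
# loader never retypes it (e.g. 3000 -> int, true -> bool); the application
# parses its own settings. Indentation is two spaces throughout.
services:
  hermitstash:
    build: .
    init: true
    ports:
      # "3000:3000" publishes on every host interface. If a reverse proxy on
      # the same host fronts the app (the TRUST_PROXY case below), bind to
      # loopback instead so the origin port is not reachable directly:
      # "127.0.0.1:3000:3000".
      - "3000:3000"
    volumes:
      - ./data:/app/data
      - ./uploads:/app/uploads
    # Presumably sized for HERMITSTASH_TMPDIR=/dev/shm below — raise it if
    # large uploads are staged in RAM.
    shm_size: 256m
    security_opt:
      - no-new-privileges:true
    cap_drop:
      - ALL
    cap_add:
      # Minimal set for dropping to PUID:PGID at startup. DAC_OVERRIDE is the
      # broadest of the four (it bypasses file permission checks); presumably
      # needed for the ownership fix-up of the mounted volumes — confirm
      # against the image entrypoint before removing it.
      - CHOWN
      - SETUID
      - SETGID
      - DAC_OVERRIDE
    healthcheck:
      # Probes the app's own /health endpoint from inside the container;
      # anything but HTTP 200 (or a connection error) marks it unhealthy.
      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/health',function(r){process.exit(r.statusCode===200?0:1)}).on('error',function(){process.exit(1)})"]
      interval: 30s
      timeout: 5s
      start_period: 30s
      retries: 3
    environment:
      # Credentials (SMTP_PASS, GOOGLE_CLIENT_SECRET, S3_SECRET_KEY, and the
      # vault passphrase) should not be committed in this file: keep them in
      # an untracked `env_file`, or use Docker secrets as the
      # VAULT_PASSPHRASE_FILE example below does. Leave the keys here empty.
      #
      # Container user — default 99:100 (Unraid). Set to 1000:1000 for standard Linux.
      PUID: "99"
      PGID: "100"
      UMASK: "022"  # 755 dirs, 644 files. Use 000 for Unraid nobody:users sharing.
      TZ: "Etc/UTC"  # e.g. America/New_York
      NODE_ENV: "production"
      HERMITSTASH_TMPDIR: "/dev/shm"
      PORT: "3000"  # quoted like every other value so it stays a string
      SITE_NAME: "HermitStash"
      # Only correct behind a reverse proxy that sets X-Forwarded-* headers.
      # With no proxy in front, set "false": a client could otherwise send
      # those headers itself and misreport its own address to the app.
      TRUST_PROXY: "true"
      # ── Vault passphrase protection (opt-in) ────────────────────────────
      # Default: disabled (vault.key is plaintext JSON at rest, protected
      # only by filesystem permissions). Enable to close the disk-snapshot
      # threat (stolen backup, leaked volume dump). See README section
      # "Passphrase protection (opt-in)" for the full walkthrough.
      #
      #   1. Run scripts/vault-passphrase-setup.js while the server is
      #      stopped. It migrates vault.key → vault.key.sealed.
      #   2. Uncomment VAULT_PASSPHRASE_MODE below and supply the
      #      passphrase via ONE of: env var, Docker secret file, or stdin
      #      (interactive only).
      #   3. Restart. LOSS of the passphrase = LOSS of all encrypted data.
      #
      # VAULT_PASSPHRASE_MODE: "required"
      # VAULT_PASSPHRASE: ""  # INSECURE in compose — prefer FILE
      # VAULT_PASSPHRASE_FILE: "/run/secrets/vault-pw"  # Docker secrets idiom
      # ── PEM at-rest sealing for CA + TLS keys (v1.9.4+) ───────────────────
      # Tristate: "auto" (default; load whichever plain/sealed file exists),
      # "required" (refuse to boot/operate on plaintext), "disabled"
      # (refuse to operate on sealed). Both are independent.
      #
      # CA key (mTLS root signing key): data/ca.key plaintext, OR
      # data/ca.key.sealed when CA_KEY_SEALED=required. Whoever reads a
      # plaintext ca.key can mint trusted client certs forever.
      # RECOMMENDED to seal once your deployment is stable:
      #   1. Either click "Enable" on the admin Security tab (v1.9.6+), OR:
      #        docker exec hermitstash node scripts/ca-key-seal.js
      #   2. Change CA_KEY_SEALED below to "required" and restart
      CA_KEY_SEALED: "auto"
      #
      # TLS server key (data/tls/privkey.pem or .sealed): when required,
      # the cert reload watcher auto-seals plaintext renewals from ACME
      # (certbot/acme.sh) — your renewal hooks need no changes.
      #   1. Either click "Enable" on the admin Security tab, OR:
      #        docker exec hermitstash node scripts/tls-key-seal.js
      #   2. Change TLS_KEY_SEALED below to "required" and restart
      TLS_KEY_SEALED: "auto"
      # ── mTLS enforcement strictness ───────────────────────────────────────
      # When mTLS is configured (a CA exists in data/), this controls where
      # non-mTLS clients are rejected:
      #   unset (default): soft enforcement at the app layer (middleware/web-guard.js)
      #   "true":  hard enforcement at the TLS handshake (rejectUnauthorized)
      #   "false": escape hatch — DISABLES all mTLS (use only for
      #            locked-out recovery; remove once you can boot in)
      # Hard mode is stricter and faster (no HTTP cycle for rejected clients).
      # ENFORCE_MTLS_STRICT: "true"
      # Auth
      LOCAL_AUTH: "true"
      # Both default to open: anyone who can reach the port may create an
      # account and upload. On an internet-reachable instance set them to
      # "false" once the intended accounts exist.
      REGISTRATION_OPEN: "true"
      PUBLIC_UPLOAD: "true"
      # Passkey / WebAuthn — set RP_ID to your domain, RP_ORIGIN to full URL.
      # Registered passkeys are bound to these values; changing the domain
      # later invalidates them.
      PASSKEY_ENABLED: "true"
      RP_ID: ""  # e.g. hermitstash.example.com
      RP_ORIGIN: ""  # e.g. https://hermitstash.example.com
      # Google OAuth — leave empty to disable
      GOOGLE_CLIENT_ID: ""
      GOOGLE_CLIENT_SECRET: ""
      # SMTP — leave empty to disable email
      SMTP_HOST: ""  # e.g. smtp.gmail.com
      SMTP_PORT: "587"
      SMTP_USER: ""
      SMTP_PASS: ""
      SMTP_FROM: ""  # e.g. noreply@hermitstash.example.com
      EMAIL_VERIFICATION: "false"
      # Storage
      STORAGE_BACKEND: "local"  # "local" or "s3"
      UPLOAD_DIR: "/app/uploads"
      MAX_FILE_SIZE: "104857600"  # 100MB in bytes
      # S3 — only when STORAGE_BACKEND=s3
      S3_BUCKET: ""
      S3_REGION: ""  # e.g. us-east-1
      S3_ENDPOINT: ""  # custom endpoint for R2/MinIO/Backblaze
      S3_ACCESS_KEY: ""
      S3_SECRET_KEY: ""
    restart: unless-stopped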