Add HermitStash one-click app #1291

Open
dotCooCoo wants to merge 3 commits into caprover:master from dotCooCoo:add-hermitstash

@dotCooCoo

Adds HermitStash — a post-quantum encrypted self-hosted file sharing server.

  • Image: ghcr.io/dotcoocoo/hermitstash
  • Port: 3000
  • Volumes: data (database + encryption keys), uploads (user files)
  • Architectures: amd64, arm64

Encryption stack: ML-KEM-1024 vault, XChaCha20-Poly1305 file encryption, Argon2id key derivation. TLS negotiates X25519MLKEM768 for quantum-resistant key exchange.

Note: shm_size is documented as a post-deploy step since it is not supported in the CapRover compose parser.

Website: https://hermitstash.com
Source: https://github.com/dotCooCoo/hermitstash
License: AGPL-3.0-or-later

Self Check before Merge

  • I have tested the template using the method described in README.md thoroughly
  • I have ensured that I put as many default values as possible (except passwords) to ensure minimum effort required for end users to get started.
  • I have ensured that I am not using the "latest" tag as this tag is dynamically changing and might break the one-click app. Use a fixed version.
  • I have made sure that instructions.start and instructions.end are clear and self-explanatory.
  • Icon is added as a png file to the logos directory.
  • I've executed the checks if necessary by running npm ci && npm run validate_apps && npm run formatter
  • I will take responsibility for addressing any issues that arise as a result of this PR (maintaining this app).

Post-quantum encrypted self-hosted file sharing server.
- Default version: 1.6.1 -> 1 (rolling latest in 1.x major)
- Add init, security_opt no-new-privileges, cap_drop ALL with minimal cap_add
  (CHOWN, SETUID, SETGID, DAC_OVERRIDE)
- Add PUID/PGID/UMASK/TZ env vars
- Add stop_grace_period: 1m so the SQLite shutdown path can flush + reseal
  data/db.key.enc before the container stops (matches the umbrel-apps
  template).
- Add /health-based healthcheck via node:http with the same parameters
  the upstream Dockerfile uses (interval 30s, timeout 5s, start_period 30s,
  retries 3).
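
An added example, not part of the PR or the HermitStash project: a small JavaScript check that audits a parsed Compose service definition against the hardening settings listed in the commit message above. `auditService`, `imageTag` and both sample services are hypothetical names and constructed data, and the healthcheck command is a placeholder.

```javascript
// Added example (not the PR's code): audit a parsed Compose service against
// the hardening settings named in the commit message. Names are hypothetical.
const ALLOWED_CAPS = new Set(["CHOWN", "SETUID", "SETGID", "DAC_OVERRIDE"]);

// Return the image tag, "digest" for a digest pin, or null when untagged.
function imageTag(image) {
  if (image.includes("@")) return "digest";
  const last = image.slice(image.lastIndexOf("/") + 1); // ignore registry:port
  const i = last.indexOf(":");
  return i === -1 ? null : last.slice(i + 1);
}

function auditService(svc) {
  const findings = [];
  const tag = imageTag(svc.image || "");
  // A major tag such as "1" still moves; only untagged/"latest" is flagged here.
  if (tag === null || tag === "latest") findings.push("image: no fixed tag");
  const nnp = (svc.security_opt || []).some((o) =>
    /^no-new-privileges(?:[:=]true)?$/.test(o));
  if (!nnp) findings.push("security_opt: no-new-privileges missing");
  const drop = (svc.cap_drop || []).map((c) => c.toUpperCase());
  if (!drop.includes("ALL")) findings.push("cap_drop: ALL missing");
  for (const cap of svc.cap_add || []) {
    if (!ALLOWED_CAPS.has(cap.toUpperCase())) findings.push(`cap_add: unexpected ${cap}`);
  }
  if (svc.init !== true) findings.push("init: not enabled");
  if (!svc.stop_grace_period) findings.push("stop_grace_period: not set");
  if (!svc.healthcheck || !svc.healthcheck.test) findings.push("healthcheck: missing");
  return findings;
}

// Constructed sample mirroring the settings listed in the commit message.
const hardened = {
  image: "ghcr.io/dotcoocoo/hermitstash:1",
  init: true,
  security_opt: ["no-new-privileges:true"],
  cap_drop: ["ALL"],
  cap_add: ["CHOWN", "SETUID", "SETGID", "DAC_OVERRIDE"],
  stop_grace_period: "1m",
  healthcheck: { test: ["CMD", "node", "-e", "/* placeholder */"],
    interval: "30s", timeout: "5s", start_period: "30s", retries: 3 },
};
// Constructed counter-example with none of the hardening applied.
const weak = { image: "ghcr.io/dotcoocoo/hermitstash:latest", cap_add: ["SYS_ADMIN"] };

console.log(auditService(hardened), auditService(weak));
```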