App Submission: HermitStash #5378
Open
dotCooCoo wants to merge 16 commits into getumbrel:master from
Post-quantum encrypted self-hosted file sharing server. ML-KEM-1024 vault encryption, WebAuthn passkeys, S3 backends.
- Bump version 1.6.1 -> 1.7.15 (image pinned with sha256 digest)
- Add init, security_opt no-new-privileges, cap_drop ALL with minimal cap_add
- Add healthcheck on /health
- Add PUID/PGID/UMASK/TZ env vars
- Populate releaseNotes for v1.7.x
Author
Added gallery entries for 5 screenshots. Source images are committed to the HermitStash public repo and directly viewable here if helpful for review:
All are 1638×832 PNG. Happy to re-export to any target dimension/format if needed.
- Chainguard wolfi-based image (near-zero CVE base layer)
- su-exec for privilege drop (wolfi's BusyBox setpriv is stripped)
- chmod-before-chown in entrypoint (avoids FOWNER cap requirement)
- Digest sha256:b9f7a0fcf3d23e69c9085c289bd1d3be6dd5734483fd34257942fc2090be352b
- Empty gallery list per umbrel-apps README convention for new submissions (Umbrel team populates icon/gallery after merge)
- Bump version 1.9.2 → 1.9.4 (current ghcr.io release)
- Pin image to v1.9.4 SHA256 a4400df45f95...410f7026
- v1.9.5 brings the new admin Security tab with read-only status of every security setting (vault wrapping, CA/TLS sealing, mTLS enforcement) — no operator config needed to see it
- Audit log search now shows a spinner during slow queries
- Updates compose to current ghcr.io v1.9.5 SHA256 digest
- Operators upgrading from v1.9.0–v1.9.3 should re-enter their backup passphrase once after upgrade (silent-blank bug, fixed in v1.9.4)
v1.9.6 adds admin UI seal-script invocation: operators can enable/disable the three sealable layers (vault passphrase wrapping, CA key sealing, TLS key sealing) via wizards in the Security tab instead of running CLI scripts inside the container.
🎉 Linting finished with no errors or warnings 🎉
Thank you for your submission! This is an automated linter that checks for common issues in pull requests to the Umbrel App Store.
HermitStash
Post-quantum encrypted self-hosted file sharing server.
ghcr.io/dotcoocoo/hermitstash:1.6.1 (pinned with @sha256: digest)
data/db → /app/data, data/uploads → /app/uploads
What it does
HermitStash encrypts uploaded files with ML-KEM-1024, XChaCha20-Poly1305, and Argon2id before they touch disk. It provides shareable download links with expiry and download limits, WebAuthn passkey authentication, S3-compatible storage backends, and an admin panel.
Website: https://hermitstash.com
Source: https://github.com/dotCooCoo/hermitstash
License: AGPL-3.0-or-later
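A reviewer-side check for the hardening items the commits above list (digest-pinned image, init, no-new-privileges, cap_drop ALL with a small cap_add, healthcheck), as an added example that is not code from this PR or from HermitStash. It assumes the compose file has been rendered to JSON with `docker compose config --format json`; the sample config, port and cap_add allowlist are constructed for illustration.

```python
import re

# Constructed sample in the shape `docker compose config --format json` emits.
# Service names, digest, port and cap_add values are made up for illustration.
SAMPLE = {
    "services": {
        "web": {
            "image": "ghcr.io/example/app:1.0.0@sha256:" + "ab" * 32,
            "init": True,
            "security_opt": ["no-new-privileges:true"],
            "cap_drop": ["ALL"],
            "cap_add": ["CHOWN", "SETUID", "SETGID"],
            "healthcheck": {"test": ["CMD", "wget", "-qO-", "http://localhost:3000/health"]},
        },
        "legacy": {"image": "ghcr.io/example/app:latest", "cap_add": ["SYS_ADMIN"]},
    }
}

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")
# Assumed allowlist: what an entrypoint needs to chown data and drop to PUID/PGID.
ALLOWED_CAPS = {"CHOWN", "SETUID", "SETGID"}

def audit_service(svc):
    """Return a sorted list of hardening findings for one compose service."""
    findings = []
    if not DIGEST.search(svc.get("image", "")):
        findings.append("image not pinned by sha256 digest")
    if svc.get("init") is not True:
        findings.append("init not enabled")
    opts = {o.replace("=", ":").lower() for o in svc.get("security_opt", [])}
    if not opts & {"no-new-privileges:true", "no-new-privileges"}:
        findings.append("no-new-privileges not set")
    if "ALL" not in {c.upper() for c in svc.get("cap_drop", [])}:
        findings.append("cap_drop does not include ALL")
    extra = {c.upper().replace("CAP_", "", 1) for c in svc.get("cap_add", [])} - ALLOWED_CAPS
    if extra:
        findings.append("unexpected cap_add: " + ",".join(sorted(extra)))
    hc = svc.get("healthcheck") or {}
    if hc.get("disable") or (hc.get("test") or ["NONE"]) == ["NONE"]:
        findings.append("no healthcheck")
    return sorted(findings)

def audit(config):
    """Map service name -> findings for every service in the compose config."""
    return {name: audit_service(svc) for name, svc in config.get("services", {}).items()}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```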