diff --git a/hermitstash/data/db/.gitkeep b/hermitstash/data/db/.gitkeep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/hermitstash/data/uploads/.gitkeep b/hermitstash/data/uploads/.gitkeep
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/hermitstash/docker-compose.yml b/hermitstash/docker-compose.yml
new file mode 100644
index 0000000000..9656c7fbbc
--- /dev/null
+++ b/hermitstash/docker-compose.yml
@@ -0,0 +1,39 @@
+version: "3.7"
+
+services:
+  app_proxy:
+    environment:
+      APP_HOST: hermitstash_web_1
+      APP_PORT: 3000
+
+  web:
+    image: ghcr.io/dotcoocoo/hermitstash:1.9.11@sha256:e989f1edd59bf3616584662d833175727f15a2c22c9ff0f450e6e3f946542e86
+    init: true
+    restart: on-failure
+    stop_grace_period: 1m
+    shm_size: "256m"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    cap_add:
+      - CHOWN
+      - SETUID
+      - SETGID
+      - DAC_OVERRIDE
+    healthcheck:
+      test: ["CMD", "node", "-e", "require('http').get('http://localhost:3000/health',function(r){process.exit(r.statusCode===200?0:1)}).on('error',function(){process.exit(1)})"]
+      interval: 30s
+      timeout: 5s
+      start_period: 30s
+      retries: 3
+    volumes:
+      - ${APP_DATA_DIR}/data/db:/app/data
+      - ${APP_DATA_DIR}/data/uploads:/app/uploads
+    environment:
+      PUID: "1000"
+      PGID: "1000"
+      UMASK: "022"
+      TZ: "Etc/UTC"
+      NODE_ENV: production
+      TRUST_PROXY: "true"
diff --git a/hermitstash/umbrel-app.yml b/hermitstash/umbrel-app.yml
new file mode 100644
index 0000000000..db1c68be87
--- /dev/null
+++ b/hermitstash/umbrel-app.yml
@@ -0,0 +1,27 @@
+manifestVersion: 1
+id: hermitstash
+category: files
+name: HermitStash
+version: "1.9.11"
+tagline: Post-quantum encrypted self-hosted file sharing
+description: >-
+  HermitStash is a self-hosted file upload server with post-quantum encryption.
+  Files are sealed with ML-KEM-1024, XChaCha20-Poly1305, and Argon2id before
+  touching disk. Supports shareable download links with expiry and download
+  limits, WebAuthn passkey authentication, S3-compatible storage backends, and
+  an admin panel for managing users, uploads, and server settings. The TLS
+  layer negotiates X25519MLKEM768 for quantum-resistant key exchange on
+  supported browsers.
+developer: dotCooCoo
+website: https://hermitstash.com
+repo: https://github.com/dotCooCoo/hermitstash
+support: https://github.com/dotCooCoo/hermitstash/issues
+port: 3080
+gallery: []
+path: ""
+defaultUsername: ""
+defaultPassword: ""
+submitter: dotCooCoo
+submission: https://github.com/getumbrel/umbrel-apps/pull/5378
+releaseNotes: ""
+dependencies: []