storage-p
All guides

Self-hosting storage-p

storage-p is built to be self-hosted: a single Docker stack behind Caddy on your own domain, with the database encrypted at rest. You operate it end to end — nobody else holds the keys.

What you need

A small Linux server, a domain name, and Docker with Docker Compose. That is enough to run the whole stack.

How the stack fits together

Caddy serves the static web client and reverse-proxies /api to the backend (Rust/axum). Caddy automatically provisions TLS certificates. The backend stores everything in a SQLite database that is encrypted at rest with SQLCipher, and it only ever holds ciphertext.

Deploy

  1. Point your domain’s DNS A record at the server.
  2. Bring up the Compose stack (static client + backend + Caddy). Caddy obtains TLS on first start.
  3. Open the site and create the first account — the client generates all keys in the browser.

Protect the database and keys

The SQLite database is encrypted at rest with SQLCipher. Keep the database encryption key outside the repository, and back up the data volume (including the write-ahead log) so a restore is consistent.

Keep only ports 80 and 443 public; the backend should stay on the internal network.

Optional: Telegram approvals

To approve scoped API reads from your phone, configure the Telegram webhook secret and connect the bot. When the bot is not configured the webhook path stays closed.