Self-hosting

Run Vestyn on infrastructure you control.

Vestyn runs as a Docker stack with Postgres behind your HTTPS reverse proxy. Put it on a VPS, home server, or NAS — wherever you want your vault data to live.

Requirements

Docker & Compose, a domain with HTTPS, and enough disk for Postgres backups.

First run

The first account registered on a new instance becomes the admin.

Upkeep

Pin image tags, apply updates deliberately, and back up Postgres plus the API data volume.

1 · Clone & configure

Grab the repo and create your environment file. Set a strong POSTGRES_PASSWORD and the public URL clients will use.

# clone and prepare config
git clone https://github.com/mtenekeci/Vestyn
cd Vestyn
cp .env.example .env

# edit .env
APP_URL=https://vault.example.com
POSTGRES_PASSWORD=change-me-to-something-long

2 · Bring it up

Compose starts Postgres, the API, and the web proxy. The API runs database migrations on first boot.

docker compose -f docker/docker-compose.yml up -d

# check it's healthy
docker compose -f docker/docker-compose.yml ps
docker compose -f docker/docker-compose.yml logs -f api

3 · Terminate TLS

Put the published web port behind a reverse proxy. Caddy gets you automatic certificates in two lines:

vault.example.com {
    reverse_proxy localhost:8080
}

4 · Create the first account

Open https://vault.example.com in a browser. The first account you register becomes the admin — it can invite others and manage vaults. Then open the Mac app and point it at the same host on first launch.

5 · Updating

Pin to a version tag in production. To update, bump the tag and recreate the stack during a maintenance window:

# pull the new image and recreate
docker compose -f docker/docker-compose.yml pull
docker compose -f docker/docker-compose.yml up -d

6 · Backups

Vault contents are encrypted, but backups still matter: losing the database loses the vault records, and losing the API data volume invalidates active sessions. Back up Postgres and keep restore drills boring.

# nightly dump
docker compose -f docker/docker-compose.yml exec -T db \
  pg_dump -U vestyn vestyn | gzip > vestyn-$(date +%F).sql.gz
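A pipeline like the one above reports gzip's exit status, so a pg_dump that fails partway still leaves a valid-looking .sql.gz behind. The script below is an added example, not part of the Vestyn repository: it only keeps an archive that decompresses cleanly and ends with pg_dump's completion trailer. BACKUP_DIR, KEEP_DAYS, the function names and the `run` argument are assumptions; the compose path, the `db` service and the `vestyn` role and database are taken from the command above.

```shell
#!/bin/sh
# Added example: verified nightly dump for the stack described on this page.
COMPOSE_FILE="${COMPOSE_FILE:-docker/docker-compose.yml}"
BACKUP_DIR="${BACKUP_DIR:-./backups}"   # assumption: where archives are kept
KEEP_DAYS="${KEEP_DAYS:-14}"            # assumption: retention period in days

# The dump command from the page, isolated so a restore drill can swap it out.
dump_db() {
    docker compose -f "$COMPOSE_FILE" exec -T db pg_dump -U vestyn vestyn
}

# verify_dump FILE: the archive must pass gzip's integrity check and contain
# the trailer that a plain-format pg_dump writes only when it finishes.
verify_dump() {
    gzip -t "$1" 2>/dev/null || return 1
    gzip -dc "$1" | tail -n 5 | grep -q 'PostgreSQL database dump complete'
}

# backup_once: write to a .partial file and rename only after verification,
# so an interrupted or failed dump never sits next to the good archives.
backup_once() {
    umask 077                            # archives readable by the owner only
    mkdir -p "$BACKUP_DIR" || return 1
    out="$BACKUP_DIR/vestyn-$(date +%F).sql.gz"
    tmp="$out.partial"
    if dump_db | gzip > "$tmp" && verify_dump "$tmp"; then
        mv "$tmp" "$out"
        # prune archives older than the retention window
        find "$BACKUP_DIR" -name 'vestyn-*.sql.gz' -mtime +"$KEEP_DAYS" -exec rm -f {} +
        printf '%s\n' "$out"
    else
        rm -f "$tmp"
        echo "backup failed: dump incomplete or archive corrupt" >&2
        return 1
    fi
}

# Invoke as: ./backup.sh run   (e.g. from cron); without "run" only the
# functions are defined.
if [ "${1:-}" = "run" ]; then
    backup_once
fi
```

A non-zero exit from the script is the signal to alert on; the same verify_dump check can be run against older archives before a restore drill.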
