# Sandstorm — Self-Hostable Web App Platform with Sandboxing

> Security-hardened personal server that lets you install and run web apps in isolated sandboxes with one click.

## Install

Save as a script file and run:

# Sandstorm — Self-Hostable Web App Platform with Sandboxing

## Quick Use
```bash
# Install on Debian/Ubuntu
curl https://install.sandstorm.io | bash
# Or run via Docker
docker run -d --privileged -p 6080:6080 
  -v sandstorm-data:/opt/sandstorm 
  sandstorm/sandstorm
```

## Introduction
Sandstorm is a self-hostable web productivity platform that packages web applications into secure, isolated sandboxes. Each app instance runs in its own container with strict capability-based security, making it safe to run untrusted or community-contributed apps on your personal server.

## What Sandstorm Does
- Installs web apps from a marketplace with one-click deployment
- Sandboxes every app instance using Linux namespaces and seccomp filters
- Manages user authentication with built-in login via email, Google, or GitHub
- Provides per-document sharing with fine-grained access controls
- Handles backups and restores for individual app grains

## Architecture Overview
Sandstorm uses a capability-based security model where each app instance (called a grain) runs in its own namespace-isolated sandbox. The platform communicates with apps through Cap'n Proto, a high-performance RPC protocol. A supervisor process mediates all grain I/O, enforcing security policies without requiring apps to be security-aware.

## Self-Hosting & Configuration
- Install via the official script on any Debian or Ubuntu server
- Configure your domain and wildcard DNS for grain subdomains
- Set up HTTPS with a built-in certificate manager or reverse proxy
- Manage users and permissions through the admin panel
- Install apps from the Sandstorm App Market or upload custom SPK packages

## Key Features
- Capability-based sandboxing isolates every app instance
- One-click app installation from a curated marketplace
- Per-document access control modeled after Google Docs sharing
- Built-in user management with multiple auth providers
- Grain-level backup and export for data portability

## Comparison with Similar Tools
- **Cloudron** — commercial app platform; Sandstorm is fully open source with stronger sandboxing
- **YunoHost** — Linux distro for self-hosting; Sandstorm provides per-instance isolation
- **CasaOS** — homelab dashboard; Sandstorm offers security-hardened app sandboxing
- **Coolify** — PaaS for deploying apps; Sandstorm focuses on end-user web productivity

## FAQ
**Q: What apps are available on Sandstorm?**
A: The marketplace includes EtherCalc, Wekan, Rocket.Chat, GitWeb, and dozens of productivity and collaboration apps.

**Q: Does Sandstorm require root access?**
A: Yes, it uses Linux kernel features (namespaces, seccomp) that require privileged access for sandboxing.

**Q: Can I develop my own Sandstorm apps?**
A: Yes, Sandstorm provides an SDK and packaging tools to convert any web app into an SPK package.

**Q: How much resources does Sandstorm need?**
A: A server with 1 GB RAM can run several grains. Each idle grain uses minimal memory.

## Sources
- https://github.com/sandstorm-io/sandstorm
- https://sandstorm.org

---
Source: https://tokrepo.com/en/workflows/asset-72f87b41
Author: Script Depot