Skip to main content

Self-hosting Cobblr

Run Cobblr on your own machine, on your own network, with nothing but Docker. No account, no cloud, no subscription. This section gets you to a working instance you can open from your phone, camera included: this page covers what you're running and what you need, Install walks through the setup, and Operating covers updates and backups.

A real, multi-tenant instance

Self-hosting doesn't mean a stripped-down single-user build. What you run is the full thing: a production-level, multi-tenant server. One box can host many user accounts, each with their own isolated workspaces, and every workspace keeps its own database. Run it just for yourself, or open it up to a household, a makerspace, or a business, all doing their own thing, every space walled off from the others.

You are the operator

Running the instance makes you its operator, a super-admin who sits above every workspace. You grant yourself that by putting your email in SUPERADMIN_EMAILS in .env, then registering your account normally. Nobody gets there by signing up; it is your email on the box that unlocks it.

From the operator console at /admin, you can see and manage every workspace and every user on the instance: check its health, adjust instance-wide settings, mint sign-up invites, and remove a workspace outright. It also has a view-as mode (see a workspace as one of its users sees it, read-only unless you flip the write toggle, with a loud banner while you're in it) and a product-metrics dashboard over the instance. This tier is about running the server, so it's separate from the per-workspace roles (owner, admin, and the rest), which keep working exactly as they do inside each workspace.

What you need

  • A machine on your LAN with Docker and Docker Compose. Linux, a Mac, a NAS, a mini PC, a Raspberry Pi (4/5, 64-bit), or an old laptop all work.
  • The box's LAN IP (for example 192.168.1.50). Give it a DHCP reservation so it doesn't change out from under you.

That's the whole list. No repo to clone and nothing to compile: Install is two files and docker compose up.

Notably not on the list: an email server. Sending email is optional; with nothing configured, password login works as normal and invites become copy-the-link.

How much machine

At runtime Cobblr is light: a Node API, Postgres, and a proxy, with no local AI compute (AI and embeddings run on the provider you connect, not the box). The hardware bar is low:

  • For yourself or a household, a Raspberry Pi 4 or 5 with 4GB or more is plenty. The images are prebuilt (multi-arch, so a Pi pulls the arm64 build), so there's no on-device compile: the first run just pulls and starts. Put Postgres on a USB SSD, not a microSD card, which is slow and wears out (a cheap SATA SSD in a USB 3.0 UASP adapter is a good example).
  • For a busy instance with many active workspaces and users, a small x86 box has more headroom for less money: a used mini PC (an Intel NUC, a Beelink) or a refurbished small-form-factor desktop with 8 to 16GB and an SSD is the sweet spot.

The one gotcha: HTTPS for the camera

Browsers only let a web app use the camera (barcode scanning, photos) in a secure context, which means HTTPS or localhost. A plain http://192.168.x.x LAN address is not secure, so the camera is silently blocked. No app-side flag changes this. It's a browser rule. So to scan from your phone you need HTTPS, and a home box makes that genuinely awkward: a public certificate authority will not issue a certificate for a private IP, and a public name can't reach your box unless you either open a port to the internet or run your own local DNS. That is the real constraint, and it's why the options below trade off differently.

We recommend Tailscale, and it's worth being clear why. It sidesteps the whole problem in one move: it gives each device a real, auto-renewed ts.net certificate, handles the name and the routing itself, and forwards nothing to the internet. You install the Tailscale app once on the box and once on each phone or laptop, sign them into the same tailnet, and then the same URL works whether you're at home or across the country, with nothing exposed and no certificate to install by hand. For a tool you reach from your own devices, that single install is the entire HTTPS story, and it doubles as secure remote access. Nothing else here is both private and this simple.

OptionNothing exposed to the internetTrusted certificatePer-device setup
Tailscale (recommended)yesyes, automaticinstall the app once
Offline CA (tls internal)yesself-signed, trust it onceinstall a certificate
DuckDNSno, you forward a portyesnone
Cloudflareno, you forward a portyesnone

The others exist for cases Tailscale doesn't fit. DuckDNS and Cloudflare are the internet-facing paths: they point a name at your box so you can reach it from anywhere, which means opening a port, so you disable signup and rely on login. The offline CA is the no-network, no-Tailscale fallback: it works fully local but you trust its certificate on each device by hand.

Install leads with the Tailscale path and covers the others as alternatives.