Switching rooted<->rootless re-maps every container's on-disk UIDs (rootless offsets them by the subuid base), so a stateful app's data no longer lines up in the new mode and a chown can't carry it. The portable carry is backup (old mode) -> switch -> restore (new mode): restoreAppStart wipes and re-lays each tree and re-owns it to the new mode's install user, which is exactly the remap needed. Wire that into dockerSwitcherSwap: - switchMigrateBackupApps <old_mode>: before the switch, back up every installed app except libreportal (reconcile already carries the control plane). CFG_DOCKER_INSTALL_TYPE is already the target mode by the time the switcher runs, so force it (and the resolved install user) back to the old mode for the backups, else backupAppStart would talk to the not-yet-running new daemon. Any backup failure aborts the switch before the daemon is touched (nothing changed). No backup location enabled -> skip and keep the manual warning. - switchMigrateRestoreApps: after the new daemon is up, restore each captured app best-effort, re-resolving the install user first so data is owned correctly; failures are reported per app rather than blocking. Subject to the existing backup-completeness limitation (restic-as-libreportal can't read files owned by other UIDs unless the app declares container-side file capture) — same caveat as the manual procedure this automates. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
LibrePortal
Your own private corner of the internet — free, open, and yours.
LibrePortal is a self-hosted platform for running the apps you rely on, on your own server: one-click installs, a reverse proxy with automatic SSL, rootless Docker, optional VPN routing, and a clean web dashboard to manage it all.
⚠️ v0.1.0 — early days. Expect rough edges while things settle.
Why LibrePortal
Too many services today treat your data as theirs to take — quietly overstepping boundaries that should never have been crossed. LibrePortal grew out of frustration with that: it's a way to run the apps you depend on on your own server, where your data stays yours. Privacy here isn't a feature to toggle — it's the whole point.
Free & open — forever
The entire platform is free software under the GNU AGPLv3. Self-host it and you get everything — every feature, no paywalls, no telemetry. See our Promise for exactly what that means.
What you get
- 📦 One-click self-hosted apps (Nextcloud, Vaultwarden, Jellyfin, Gitea, …)
- 🔀 Traefik reverse proxy + automatic Let's Encrypt SSL
- 🔒 Rootless Docker, CrowdSec, sane security defaults
- 🛡️ Optional VPN routing (gluetun) for any app
- 🖥️ A web dashboard to install, configure, back up, and monitor everything
Quick start
git clone https://gitea.scottwebstar.co.uk/Webstar/LibrePortal.git
cd LibrePortal
./init.sh
LibrePortal Connect (optional)
Self-hosting is free and complete. If you'd rather not fiddle with the tricky parts — like reaching your server from your phone, or keeping off-site backups — LibrePortal Connect will handle them for you. Here's the catch that makes us different: we work like a courier carrying a sealed box. We move your data between your devices and store backup copies, but it stays locked and you hold the only key — we can't open it, and we never run your apps for you. Everything we offer, you can also set up yourself for free. Our Promise spells out exactly where that line sits.
Contributing
PRs welcome — see CONTRIBUTING.md. We use a lightweight
DCO sign-off (git commit -s), no CLA.
Acknowledgments
LibrePortal has been built from scratch since 2023. Its spark of inspiration
was a small installer script from Brian McGonagill (OpenSourceIsAwesome):
gitlab.com/bmcgonag/docker_installs.
From that seed it grew start to finish — refined, extended, and refactored
into the platform it is today.
License
GNU AGPLv3. What's open stays open.