Why I Love Sandstorm.io
"App store, but for your own server. Sandboxed, secure, sovereign."
Sandstorm.io was ahead of its time — an app deployment system for humans. It runs open-source apps in isolated containers, designed for per-document security, and delivers them via a slick web UI with identity control, sharing, and one-click installs.
Core Benefits
- No sysadmin needed
- Every app runs in a container
- Each document = a sandbox
- You control sharing, access, versions
- One-click installs for popular tools
- Clean web UI, runs on your server
Use Cases in My Stack
- Local-first productivity suites (Etherpad, Wekan, Rocket.Chat)
- Simple installs for customers or family without complex Linux training
- Acts as a private "sovereign app store"
- Great entry point for teaching people to self-host
Sovereign by Design
Sandstorm apps don’t share a database or runtime. Everything is scoped and sandboxed — perfect isolation. Combined with DNS + wildcard subdomains + ZeroTier, it’s a solid model for zero-cloud, LAN/VPN-access-only services.
And it can talk to my daemons — just another local interface layer.
Bonus Integration Tips
- Use nginx to reverse proxy *.yourdomain into your VPN tunnel
- Build Meteor apps for Sandstorm — special package format, very portable
- Great companion to Cairodock or any launcher UI
- Can be wired into koad:io as a service template or deployment target
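The nginx tip above, as an added example (not from the original post or from the Sandstorm project): a wildcard reverse proxy that is itself reachable only over the VPN. The domain, ZeroTier addresses, subnet and certificate paths are placeholders, and port 6080 is assumed to be the port Sandstorm listens on.

```nginx
# Lives in the http{} context, e.g. a file under /etc/nginx/conf.d/.
# All names and addresses below are constructed placeholders.

# Sandstorm apps use WebSockets; pass the Upgrade handshake through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    # Bind to the proxy's VPN-side address only, never 0.0.0.0,
    # so nothing is exposed on a public interface.
    listen 10.147.17.1:443 ssl;

    # Sandstorm serves the shell on the base host and every app
    # session on a random subdomain, so the wildcard is required.
    # These must agree with BASE_URL and WILDCARD_HOST in sandstorm.conf.
    server_name sandstorm.example.internal *.sandstorm.example.internal;

    # Certificate must cover both the base name and the wildcard.
    ssl_certificate     /etc/nginx/tls/wildcard.crt;
    ssl_certificate_key /etc/nginx/tls/wildcard.key;

    # Defence in depth: even if the listen address is later changed,
    # only clients on the VPN subnet are served.
    allow 10.147.17.0/24;
    deny  all;

    # Allow large uploads and app package installs through the proxy.
    client_max_body_size 1024m;

    location / {
        # Sandstorm host, reached over the VPN (assumed address and port).
        proxy_pass http://10.147.17.20:6080;
        proxy_http_version 1.1;

        # Preserve the requested hostname so Sandstorm can route
        # the wildcard subdomain to the right sandbox.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Running `nginx -t` before reloading catches syntax errors and a certificate path that does not resolve.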
Philosophy Match
Sandstorm fits the mindset:
- Portable apps
- No central authority
- Designed for private infrastructure
- Encourages ownership of data + workflows
- And yes: no public ports required (via VPN or reverse proxy)
I don’t need a cloud account. I don’t need Docker. I don’t even need to run a shell. I just click “Install” and it works — on my machine, under my domain, on my terms.