Docmost MCP Wrapper bitcryptic/docmost-mcp-wrapper:latest https://hub.docker.com/r/bitcryptic/docmost-mcp-wrapper false AI: MCP 2026-06-23 bridge sh false https://github.com/bitcryptic-gw/docmost-mcp-wrapper https://github.com/bitcryptic-gw/docmost-mcp-wrapper https://raw.githubusercontent.com/bitcryptic-gw/unraid-templates/main/DocmostMCPWrapper.xml https://raw.githubusercontent.com/bitcryptic-gw/docmost-mcp-wrapper/main/icon.png Docmost MCP Wrapper — Dockerized, Tailscale-ready MCP bridge for the Docmost community/free edition. This wrapper fronts MrMartiniMo/docmost-mcp (a stdio-only MCP server) with sparfenyuk/mcp-proxy to expose it as a Streamable HTTP endpoint reachable over your Tailscale tailnet. Remote AI agents (Claude, k3, Graham's agents) connect directly via the tailnet — no LAN port publishing, no Caddy reverse proxy. SECURITY: Credentials are loaded from file mounts only (never from env vars visible in docker inspect). The entrypoint validates all inputs and refuses to start with missing or empty secrets. No secret values are ever logged. Container runs as a non-root user by default. PER-INSTANCE DEPLOYMENT: Deploy separate container instances for each bot identity with their own Docmost bot account, secret files, and Tailscale tag. Each instance is isolated at the Tailscale ACL layer. BEFORE FIRST START: 1. Create a Docmost bot account for this instance 2. Create secret files on the host: mkdir -p /mnt/cache/appdata/docmost-mcp/secrets printf '%s' 'bot-email@example.com' > /mnt/cache/appdata/docmost-mcp/secrets/email printf '%s' 'bot-password' > /mnt/cache/appdata/docmost-mcp/secrets/password chmod 600 /mnt/cache/appdata/docmost-mcp/secrets/* 3. Configure Tailscale auth key and tag in Advanced Settings TAILSCALE: The container joins your tailnet via a pre-tagged auth key. State is persisted in the Tailscale State Directory (host and container paths must be identical!). If the Tailscale hook cannot start (eg. permission errors), check with 'docker exec <container> id' — if it shows non-root, add this to Extra Parameters: --user root --cap-add=NET_ADMIN --cap-add=NET_RAW AGENT CONNECTION CONFIG: Once deployed, point your agent's MCP client at: https://docmost-mcp.pygmy-bramble.ts.net:8088/mcp (Change hostname to match your instance's Tailscale hostname.) ACL: On pygmy-bramble, add a 'grants' entry permitting relevant source identities to reach port 8088 on the instance's tag. Scoped per tag — eg. tag:docmost-mcp-bitcryptic only accessible by your devices; tag:docmost-mcp-slepner only accessible by Graham's. Full docs: https://github.com/bitcryptic-gw/docmost-mcp-wrapper/blob/main/WRAPPER.md Upstream: https://github.com/MrMartiniMo/docmost-mcp (MIT) mcp-proxy: https://github.com/sparfenyuk/mcp-proxy (MIT) false false docmost-mcp false true false no false /mnt/cache/appdata/docmost-mcp/tailscale