Docmost MCP Wrapper
bitcryptic/docmost-mcp-wrapper:latest
https://hub.docker.com/r/bitcryptic/docmost-mcp-wrapper
false
AI: MCP
2026-06-23
bridge
sh
false
https://github.com/bitcryptic-gw/docmost-mcp-wrapper
https://github.com/bitcryptic-gw/docmost-mcp-wrapper
https://raw.githubusercontent.com/bitcryptic-gw/unraid-templates/main/DocmostMCPWrapper.xml
https://raw.githubusercontent.com/bitcryptic-gw/docmost-mcp-wrapper/main/icon.png
Docmost MCP Wrapper — Dockerized, Tailscale-ready MCP bridge for the Docmost community/free edition.
This wrapper fronts MrMartiniMo/docmost-mcp (a stdio-only MCP server) with sparfenyuk/mcp-proxy to expose it as a Streamable HTTP endpoint reachable over your Tailscale tailnet. Remote AI agents (Claude, k3, Graham's agents) connect directly via the tailnet — no LAN port publishing, no Caddy reverse proxy.
SECURITY: Credentials are loaded from file mounts only (never from env vars visible in docker inspect). The entrypoint validates all inputs and refuses to start with missing or empty secrets. No secret values are ever logged. Container runs as a non-root user by default.
PER-INSTANCE DEPLOYMENT: Deploy separate container instances for each bot identity with their own Docmost bot account, secret files, and Tailscale tag. Each instance is isolated at the Tailscale ACL layer.
BEFORE FIRST START:
1. Create a Docmost bot account for this instance
2. Create secret files on the host:
mkdir -p /mnt/cache/appdata/docmost-mcp/secrets
printf '%s' 'bot-email@example.com' > /mnt/cache/appdata/docmost-mcp/secrets/email
printf '%s' 'bot-password' > /mnt/cache/appdata/docmost-mcp/secrets/password
chmod 600 /mnt/cache/appdata/docmost-mcp/secrets/*
3. Configure Tailscale auth key and tag in Advanced Settings
TAILSCALE: The container joins your tailnet via a pre-tagged auth key. State is persisted in the Tailscale State Directory (host and container paths must be identical!). If the Tailscale hook cannot start (eg. permission errors), check with 'docker exec <container> id' — if it shows non-root, add this to Extra Parameters:
--user root --cap-add=NET_ADMIN --cap-add=NET_RAW
AGENT CONNECTION CONFIG: Once deployed, point your agent's MCP client at:
https://docmost-mcp.pygmy-bramble.ts.net:8088/mcp
(Change hostname to match your instance's Tailscale hostname.)
ACL: On pygmy-bramble, add a 'grants' entry permitting relevant source identities to reach port 8088 on the instance's tag. Scoped per tag — eg. tag:docmost-mcp-bitcryptic only accessible by your devices; tag:docmost-mcp-slepner only accessible by Graham's.
Full docs: https://github.com/bitcryptic-gw/docmost-mcp-wrapper/blob/main/WRAPPER.md
Upstream: https://github.com/MrMartiniMo/docmost-mcp (MIT)
mcp-proxy: https://github.com/sparfenyuk/mcp-proxy (MIT)
false
false
docmost-mcp
false
true
false
no
false
/mnt/cache/appdata/docmost-mcp/tailscale