Self-hosted · Open Source

YOUR FILES. YOUR RULES. Secure file access for teams — without the weight of Nextcloud.

Mount any volume, assign permissions per group and path, share files with expiring links, and keep a full audit trail. All in one container.

audit_log · live
14:32:07 john@corp file_download app1/q3.pdf
14:31:44 ci-bot file_upload staging/app.tar.gz
14:30:11 guest_7f2a perm_denied backups/dump.sql
14:29:58 alice@corp file_delete infra/expired.pem
app1/reports · john@corp.com
Volumes: app1 (RW) · staging (RWD) · backups (R) · infra (ADM)
Name Size Modified
2024 3d ago
q3_report.pdf 2.4 MB 2h ago
q2_report.pdf 1.9 MB 1mo ago
deploy.yaml 4.2 KB 5h ago
secrets.env 312 B readonly

What you get

Everything ops needs.
Nothing ops doesn't.

No plugin store. No sync engine. No photo albums. Just secure, audited file access — exactly as configured.

Use the SSO you already have

OIDC works with Keycloak, Authentik, Auth0, Azure AD out of the box. LDAP available for on-prem. No local users to manage or passwords to rotate.

OIDC · LDAP · SSO

Access exactly where needed

Give dev write access to /public without exposing /secret. Per-path rules within a volume, group-based. Most specific rule wins.

PER-PATH · PER-GROUP

Share files without sharing access

Generate a signed link for any file. Set it to expire in 24h, limit to one use, add a password. No account needed to receive. Every access logged.

EXPIRING LINKS · PASSWORD

Know who did what, when

Every download, upload, delete, rename, failed login and permission denial is recorded. Filter by user, volume or action. Export as CSV for compliance.

FULL AUDIT · CSV EXPORT

Mount volumes in your OS

WebDAV endpoint for every volume. macOS Finder, Windows, Cyberduck, rclone — connect natively without extra software. Same permissions, same audit trail.

WEBDAV · NATIVE MOUNT

Version-control your permissions

The entire access model lives in a single YAML file. Commit it, review it, roll it back. Restart the container — config applied. No database migrations.

YAML · GITOPS
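
The "most specific rule wins" resolution described under "Access exactly where needed", sketched as an added example; this is not Astrot's code, and the rule tuples, function names and the tie-break between groups at equal depth are assumptions made for illustration.

```python
import posixpath

# Constructed rules for one volume: (path prefix, group, permissions).
# "r"/"w" letters and this tuple layout are assumptions, not Astrot's schema.
RULES = [
    ("/",        "dev", "r"),
    ("/public",  "dev", "rw"),
    ("/secret",  "dev", ""),     # explicit empty grant: dev sees nothing here
    ("/secret",  "ops", "rw"),
]

def normalize(path):
    """Resolve '.', '..' and repeated slashes before any rule is consulted.
    Lexical only: symlinks inside the volume need a separate check."""
    return posixpath.normpath("/" + path.lstrip("/"))

def covers(prefix, path):
    """Match on whole path components, so /public does not cover /public-old."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def effective(groups, path, rules=RULES):
    """Permissions from the deepest matching prefix; no match means deny."""
    path = normalize(path)
    best, perms = -1, set()
    for prefix, group, granted in rules:
        if group not in groups or not covers(prefix, path):
            continue
        depth = len(prefix.rstrip("/"))
        if depth > best:
            best, perms = depth, set(granted)
        elif depth == best:
            perms |= set(granted)  # assumed tie-break: union across groups
    return perms

def allowed(groups, path, action):
    return action in effective(groups, path)

if __name__ == "__main__":
    for who, p in [({"dev"}, "/public/a.txt"), ({"dev"}, "/public/../secret/key.pem"),
                   ({"dev"}, "/public-old/x"), ({"guest"}, "/public/a.txt")]:
        print(sorted(who), p, "->", "".join(sorted(effective(who, p))) or "deny")
```

Normalizing before matching is what keeps a request for /public/../secret/key.pem from being judged under the /public rule.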
How it compares

Right-sized
for the job.

FileBrowser is too limited. Nextcloud is too heavy. Astrot fills the gap.

Astrot THIS FileBrowser Nextcloud
// Access & Identity
OIDC / SSO native via plugin
LDAP
Per-path permissions path prefix rules volume-level only partial shares only
Group-based access control
// File Sharing
Expiring share links + max uses basic
Password-protected links
WebDAV native mount
// Operations
Full audit log + CSV export partial
Declarative YAML config (GitOps) JSON only
Single container, no DB server requires PostgreSQL
Memory footprint <30 MB ~50 MB 512 MB+

Nothing goes
unrecorded.

Every file operation, every failed login, every share link access — attributed, timestamped, exportable. Filter by user, volume, action or date range.

audit_events · all volumes · today LIVE
Time User Action Path IP
14:32:07 john@corp.com file_download app1/reports/q3.pdf 192.168.1.4
14:31:44 ci-bot file_upload staging/build/app.tar.gz 10.0.0.12
14:30:52 alice@corp.com app1/reports/q3.pdf · expires 24h · 1 use 10.0.0.2
14:30:11 guest_7f2a permission_denied backups/db_dump_2024.sql 203.0.113.9
14:29:58 alice@corp.com file_delete infra/old-certs/expired.pem 10.0.0.2
14:28:30 unknown login_failure — 3 attempts from same IP — 185.220.101.3

Running in
three steps.

01

Write your config

Define volumes, groups and permissions in a single YAML file. Commit it to git — that's your source of truth.

volumes:
  - name: app1
    path: /app1
    permissions:
      - group: dev
        read: true
        write: true
02

Deploy the container

Mount your storage, pass your OIDC config, expose port 8080. One command and it's live.

$ docker run -d \
  -v /srv/app1:/app1 \
  -v ./astrot.yaml:/etc/astrot/config.yaml \
  -e OIDC_ISSUER=https://auth.corp \
  -p 8080:8080 astrot/gateway
03

Your team logs in

Users authenticate via your identity provider. Groups map automatically. They see exactly what they're allowed to — nothing more.

Mounted: app1 (RW) · backups (RO)
OIDC: auth.corp.com
WebDAV ready at /dav/app1/
Listening on :8080
https://files.corp.com
// READY

Your storage.
Your rules.
Your infra.