What is Weavestream?

What is Weavestream and why does it exist?

Weavestream is a self-hosted IT documentation platform designed for small teams, Managed Service Providers (MSPs), and homelabs. It brings together the tools you need to document and manage your infrastructure — assets, credentials, articles, domain health — in a single, self-contained deployment that runs entirely on your own hardware.

The problem it solves

Modern IT environments generate a constant stream of knowledge that needs to be captured: server configurations, software licenses, passwords, network topology, SSL renewal dates. Proprietary platforms like Hudu or ITGlue solve this well, but they come with:

  • Monthly per-seat subscription costs
  • Data locked behind vendor APIs
  • No control over uptime, backup strategy, or data residency
  • Opaque pricing as you scale

Weavestream is the self-hosted alternative. One Docker Compose file, no cloud dependency, no data leakage.

What it includes

| Feature | Description |
|---|---|
| Asset management | Customisable layouts with 14+ field types to track any kind of infrastructure |
| Password vault | AES-256-GCM encrypted credentials with TOTP, breach checking, and version history |
| Documentation | Rich-text articles and folders per tenant via Tiptap |
| Domain monitoring | WHOIS, DNS, and TLS/SSL expiry tracking |
| File uploads | Per-tenant object storage with photo galleries |
| Client portal | Read-only portal scoped to each tenant's allowed data |
| User management | Three-axis RBAC (role, default access, membership) with capabilities, invite-only onboarding, and forced MFA |
| Audit log | Append-only, tamper-resistant mutation history |
| Full-text search | PostgreSQL-backed search across articles, assets, and uploads |

Design principles

One codebase, any vocabulary. The operator chooses what to call their tenants — Client, Department, Site, Tenant, or a custom term — from the Admin UI. URL paths and database columns remain stable; the terminology change is purely cosmetic.

Docker-first. Three containers (api, web, worker) plus Postgres and Redis. Uploaded files live on a host bind-mounted directory shared by api and worker. All images are published to GHCR. No build step required on the host.

Security by default. Forced TOTP MFA on every account. AES-256-GCM encryption for credentials. Append-only audit log protected at the database-role level. Per-IP and per-email rate limiting. Strict Content-Security-Policy.

Own your data. Persistent data lives in host-mounted folders you control. Back up with pg_dump, rsync, or any standard tool. No vendor lock-in, no API quota.
