How to completely self host Standard Notes - Part 1

Part 1

This part will cover setting up your own self-hosted Standard Notes instance and routing your instance through nginx to allow for public exposure. Part 2 will cover self hosting Standard Notes Extensions to allow you to use extensions within your instance, such as a Markdown editor or secure spreadsheets.

What is Standard Notes

Standard Notes is a free, open-source, and completely encrypted notes app. Being open-source, allows anyone to self-host their own Standard Notes server. Which means that you own all of your data, on your own server.

Standard Notes is great for a secure, private, encypted note taking solution. Even without self-hosting, all notes are E2E (end-to-end) encrypted. This means that nobody, other than yourself, can view the notes that you have written.

I have written about Standard Notes in my My Self Hosted Note Syncing Journey Once Switching to Iphone blog post.

Self-hosting Standard Notes is probably for the paranoid and the curious. I was the latter!

It’s relativley simple and gives you piece of mind knowing that only you own your data.

Step 1: Setting up the syncing server

You’ll need to set up a new Linux server. I’ll be using a Ubuntu Server instance which I self host in Proxmox. This new server will need to have Docker and Docker Compose installed.

These can be installed by running the following commands on your server after you have ssh’d to your server

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install
sudo apt-get install docker-compose

Next, you’ll need to create a new folder in your home directory of your server. Mine would be /home/ed/ for example.

mkdir standard-notes-server
cd standard-notes-server

In the standard-notes-server directory, you’ll need to create an new file named docker-compose.yml

touch docker-compose.yml

Open this file with your favorite editor, I use Vim.

You’ll need to paste the following yaml code into the docker-compose.yml file. This is what Docker Compose reads to provision your Docker container.
version: '3'
    build: .
    command: start-local
    env_file: .env
    restart: unless-stopped
      DB_HOST: db
      - ${EXPOSED_PORT}:3000
      - .:/syncing-server
      - db
    image: mysql:5.7
      - 3306
      - 3306
    restart: unless-stopped
    command: --default-authentication-plugin=mysql_native_password --character-set-server=utf8 --collation-server=utf8_general_ci
      - ./data:/var/lib/mysql

Save docker-compose.yml and exit back to the folder.

You’ll also need the create a .env file. This is where your environment variables will be stored.

touch .env

Again, edit this file with your favorite editor and paste in the following.

# Rails Settings


# Database Settings


# Please change this!

# Please change this!



# Disable user registration

# Datadog

Save and exit that file.

Now, ensure that you’re in the standard-notes-server directory and run the following command.

docker-compose up -d

This will start docker, using the docker-compose.yml file and run the server in detached mode.

You should hopefully have an instance running at http://localhost:3000

Your MySQL Data will be written to your local disk at /var/lib/mysql - Be sure to back this up.

Step 2: Setting up Nginx

Nginx is a reverse proxy that allows you to point incoming web traffic to your new Standard Notes syncing server. If you only intend on using Standard Notes locally, you can skip this section entirely.


sudo apt install nginx
If you have UFW installed, you will have to Allow Nginx through your local firewall.

I have a tutorial for setting up UFW here

sudo ufw app list

Available applications:
  Nginx Full
  Nginx HTTP
  Nginx HTTPS

As you can see, there are three profiles available for Nginx:

  • Nginx Full: This profile opens both port 80 (normal, unencrypted web traffic) and port 443 (TLS/SSL encrypted traffic)
  • Nginx HTTP: This profile opens only port 80 (normal, unencrypted web traffic)
  • Nginx HTTPS: This profile opens only port 443 (TLS/SSL encrypted traffic)

It is recommended that you enable the most restrictive profile that will still allow the traffic you’ve configured. Since we haven’t configured SSL for our server yet in this guide, we will only need to allow traffic on port 80.

You can enable this by typing:

sudo ufw allow 'Nginx HTTP'

Checking your webserver is up and running

sudo systemctl status nginx

You should see something that looks like the following

● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running)

Step 3: Pointing Nginx to your syncing server

The next part allows us to take incoming traffic and point it to your container instance. Allowing you to expose your syncing server to the internet.

This will allow you to hook up Standard Notes on any device and sync your notes privatley.

If someone gets hold of your public endpoint, your notes will still be safe as they are encrypted with your Standard Notes username and password.

Navigate to /etc/nginx/

cd /etc/nginx/

Use your favorite text editor and open the following file with sudo

sudo vim nginx.conf

I use the following code for my syncing server

server {
    listen 80;
    listen [::]:80;

    location / {
        proxy_pass; # syncing-server address

Step 4: Port-forwarding

You will need to port forward your instance to allow public access to your instance. This will involve googling how to port forward from your router.

You’ll need to point port 80 to your instance where nginx is set up.

Step 5: Linking Standard Notes with your public domain

You will also need to set up a public domain name. This can then be used to call your new public instance with port 80 exposed.

For example, I would set up a sub domain on to be Notice this is also the domain I specified in my nginx config above.

Here’s something to search for with regards to setting up a domain name

Part 2 to follow

Similar Articles:

GitHub - zhenyolka/DPITunnel: DPITunnel is an android app made for censorship bypass

GitHub - zhenyolka/DPITunnel: DPITunnel is an android app made for censorship bypass

GitHub - hooram/ownphotos: Self hosted alternative to Google Photos

GitHub - hooram/ownphotos: Self hosted alternative to Google Photos

GitHub - eldridgea/dnsonward: A CoreDNS based service that forwards traditional DNS requests to a DNS-over-TLS upstream server

GitHub - eldridgea/dnsonward: A CoreDNS based service that forwards traditional DNS requests to a DNS-over-TLS upstream server

Security Without Borders

Security Without Borders