Filebrowser
A web-based file manager for browsing and managing files on your server.
Filebrowser is a lightweight, self-hosted file manager that provides a clean web UI to upload, download, manage, and share files stored on your server. It supports multiple users with scoped path access and shareable links. Self-hosting gives full control over your files without depending on cloud storage services.
Alternatives considered
Cloud Hosted
| Tool | Open Source | Free Tier | Monthly Cost |
|---|---|---|---|
| Dropbox | No | Limited | From $9.99/mo |
| Google Drive | No | Limited | From $2.99/mo |
Self Hosted
| Tool | Open Source | Full Features | Notes |
|---|---|---|---|
| Nextcloud | Yes | Yes | Full collaboration suite, much heavier |
Installation
Architecture
- Deployment: Single
filebrowserdeployment in thefilebrowsernamespace - Image:
filebrowser/filebrowser:v2.63.1(digest-pinned) - Storage: Longhorn PVC for app config (encrypted); multiple NFS PersistentVolumes for file access
- Networking: ClusterIP service on port 80; two HTTPRoutes — one OIDC-gated, one open for
/sharelinks
Security
- Runs as
runAsUser: 1000,runAsNonRoot: true,allowPrivilegeEscalation: false, capabilities dropped - OIDC enforced via Envoy Gateway
SecurityPolicy;/sharepath bypasses OIDC for public links - Longhorn config PVC encrypted at rest; Keycloak CA cert mounted as ConfigMap for TLS verification
Updates
Managed by Renovate. Image is digest-pinned.
Data Management
- PVC: Longhorn-encrypted PVC for app config and database (
FB_DATABASE) - NFS: Multiple NFS PersistentVolumes mounted read-write for file browsing
- Backups: No k8up schedule present.
User Management
OIDC enforced via Envoy Gateway SecurityPolicy (filebrowser-oidc-policy). Provider is Keycloak. Admin password also available from SOPS secret for initial setup.
Configuration Management
- Admin password (
FB_PASSWORD) and database path from SOPS-encrypted secret - Keycloak CA certificate from ConfigMap (
keycloak-ca) - OIDC policy configured via Envoy Gateway
SecurityPolicyresource
Administration
Usage
Browse, upload, and download files across all mounted NFS shares via the web UI. Create user accounts with access scoped to specific paths. Generate shareable links for external access to individual files or directories.
Cluster-specific deviations from the above live in the per-cluster README — see k8s/apps/talos/filebrowser/README.md.
Cluster Deployment
Filebrowser — Talos cluster
Cluster-specific notes only. General product info, "why we use it", and alternatives live in docusaurus/docs/apps/filebrowser.mdx.
Deviations from defaults
Defaults live in docusaurus/docs/apps/filebrowser.mdx — document anything this cluster does differently here, with a one-line reason.
- Image:
filebrowser/filebrowser:v2.63.15@sha256:9805b21cf910f3ef6f4a1c8f441f1dd6cc4197136f9541fe2a1ab6d050706e4b
Rendered manifests (kustomize build)
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
kustomize.toolkit.fluxcd.io/force: enabled
labels:
app.kubernetes.io/instance: filebrowser
app.kubernetes.io/name: filebrowser
name: filebrowser
namespace: filebrowser
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: filebrowser
app.kubernetes.io/name: filebrowser
ingress: public
strategy:
rollingUpdate: null
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: filebrowser
app.kubernetes.io/name: filebrowser
ingress: public
spec:
containers:
- env:
- name: FB_PASSWORD
valueFrom:
secretKeyRef:
key: adminPassword
name: filebrowser
- name: FB_DATABASE
value: /database/filebrwoser.db
image: filebrowser/filebrowser:v2.63.15@sha256:9805b21cf910f3ef6f4a1c8f441f1dd6cc4197136f9541fe2a1ab6d050706e4b
name: filebrowser
ports:
- containerPort: 80
name: web
protocol: TCP
readinessProbe:
failureThreshold: 1
httpGet:
path: /
port: 80
initialDelaySeconds: 2
periodSeconds: 3
successThreshold: 1
timeoutSeconds: 2
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
volumeMounts:
- mountPath: /database/
name: filebrowser-config
- mountPath: /srv/archive/
name: filebrowser-archive
- mountPath: /srv/audio/
name: filebrowser-audio
- mountPath: /srv/downloads
name: filebrowser-downloads
- mountPath: /srv/gaming/
name: filebrowser-gaming
- mountPath: /srv/images/
name: filebrowser-images
- mountPath: /srv/reading/
name: filebrowser-reading
- mountPath: /srv/stash/
name: filebrowser-stash
- mountPath: /srv/videos/
name: filebrowser-videos
securityContext:
fsGroup: 1000
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 1000
runAsNonRoot: true
runAsUser: 1000
seccompProfile:
type: RuntimeDefault
volumes:
- name: filebrowser-config
persistentVolumeClaim:
claimName: filebrowser-config
- name: filebrowser-archive
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-archive
- name: filebrowser-audio
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-audio
- name: filebrowser-downloads
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-downloads
- name: filebrowser-gaming
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-gaming
- name: filebrowser-images
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-images
- name: filebrowser-reading
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-reading
- name: filebrowser-stash
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-stash
- name: filebrowser-videos
persistentVolumeClaim:
claimName: filebrowser-truenas-nfs-videos