Requirements#
Hinata runs comfortably on a single modest server and scales up from there. This page lists what the host needs, what each component expects, and what you'll want for building from source.
Host requirements#
The server and its dependencies ship as containers, so the host mainly needs a container runtime and enough headroom to run the JVM, MongoDB and MinIO side by side.
| Resource | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores (x86_64 or arm64) | 4+ cores |
| RAM | 4 GB | 8 GB+ (the JVM + a 3-member replica set are the main consumers) |
| Disk | 20 GB SSD | 50 GB+ SSD, growing with attachments and database size |
| OS | Any Linux with a modern kernel | A stable server distro you patch regularly |
- Docker Engine + Docker Compose v2 are the only hard software prerequisites. The Compose files use v2 syntax (
docker compose, not the legacydocker-compose). - Architecture: images are published for x86_64 and arm64, so Apple Silicon, AWS Graviton and Raspberry Pi-class arm64 boxes all work.
Attachments drive disk growth
The database itself stays lean; the variable is object storage. Attachments and avatars live in S3/MinIO, so size the volume behind MinIO (or your external bucket) for how much your teams will upload over time.
Component requirements#
A production Hinata stack is a handful of cooperating services. Here's what each one needs.
| Component | What it needs | Notes |
|---|---|---|
| Server (Spring Boot) | JVM runtime (in the image), the env from .env |
Publishes the API; host port 3356 by default |
| MongoDB | A replica set (2 data nodes + 1 arbiter) in prod, with TLS + X.509 | Runtime settings and all data live here |
| S3 / MinIO | An S3-compatible bucket (default name hinata) + credentials |
Attachments, avatars; presigned downloads |
| SMTP relay | A real outbound mail relay in prod (Mailpit in dev) | Verification, notifications, password reset |
| Reverse proxy | Terminates TLS, forwards to the server/app ports | Public DNS + certificate; see below |
| Hinata Connect gateway | Optional — the hosted gateway, or your own | Push notifications + universal links |
Network#
- Public DNS + TLS. For anything beyond a local test you need public DNS names and TLS. Terminate TLS at a reverse proxy and forward to Hinata over the internal ports. Typical names are
api.track.example.com(API) andtrack.example.com(web app). - Internal ports. The server publishes
3356and the web/app container3456by default (HINATA_PORT/HINATA_APP_PORT). These are the ports your proxy forwards to; they should not be exposed directly to the internet. - Trusted proxies. Set
HINATA_TRUSTED_PROXIESto the CIDRs of your reverse proxies soX-Forwarded-Foris honored only from them. Empty means trust none. - CORS. The hosted web app calls the API cross-origin, so list your browser origins in
HINATA_CORS_ALLOWED_ORIGINS.
Terminate TLS in front, always
The internal ports (3356/3456) speak plain HTTP and are meant to sit behind a TLS-terminating proxy. Never expose them directly. The app requires https:// for saved production servers.
MongoDB replica set#
Production Hinata expects a replica set, not a standalone MongoDB, for two reasons: it's required for the transactional guarantees Hinata relies on, and it enables safe rolling operation. The shipped Compose brings up 2 data nodes + 1 arbiter with TLS and X.509 client authentication. The app authenticates to MongoDB with an X.509 certificate — not the SCRAM root password, which is reserved for internal/admin use.
- Generate the cluster keyfile with
./deploy/generate-secrets.sh. - Generate the production PKI with
./deploy/x509/generate-certs.sh prod, then create the X.509 user with./deploy/x509/init-prod-user.sh.
Full detail lives in MongoDB & X.509.
S3 / MinIO#
Hinata needs an S3-compatible object store. The bundled MinIO is the easy default (bucket HINATA_S3_BUCKET, default hinata), configured with MINIO_ROOT_USER / MINIO_ROOT_PASSWORD; in dev, HINATA_S3_ACCESS_KEY / HINATA_S3_SECRET_KEY are also used. You can point Hinata at any external S3-compatible provider instead. See Object storage.
SMTP#
For real mail — e-mail verification, notifications and password reset — configure an outbound SMTP relay with HINATA_SMTP_HOST/PORT/USERNAME/PASSWORD/AUTH/STARTTLS and a sensible HINATA_MAIL_FROM. In development, Mailpit captures everything at http://localhost:8025 so nothing leaves the machine. See E-mail & SMTP.
Hinata Connect gateway (optional)#
Push notifications and universal links flow through the Connect gateway. Using the hosted gateway means self-hosters need no Firebase project of their own — the server registers itself on boot. It's optional; you can run without push, or stand up your own gateway and set HINATA_GATEWAY_BASE_URL. See Hinata Connect gateway.
Client requirements#
The app runs on:
- Android and iOS phones/tablets,
- Web (any modern browser),
- macOS desktop.
Because the app is multi-server, users just need the URL of a running server; no per-user install configuration is required.
Development requirements#
Building from source (rather than pulling images) needs the toolchains behind each repo:
- hinata-server — JDK 21 and the bundled Gradle wrapper (
./gradlew). Bring up the dev dependencies withdocker compose -f docker-compose.dev.yml up -d(Mongo replica set, Mailpit, MinIO), then run the server:
bash
docker compose -f docker-compose.dev.yml up -d # Mongo RS, Mailpit, MinIO
HINATA_MONGODB_URI="mongodb://localhost:27017/hinata?replicaSet=rs0&directConnection=true" \
HINATA_S3_ACCESS_KEY=hinata HINATA_S3_SECRET_KEY=hinata-dev-secret \
./gradlew bootRun
Run the test suite with ./gradlew build.
- hinata-app — a Flutter SDK (with the Android/iOS/macOS toolchains for the targets you build). State via bloc/cubit, routing via go_router, i18n via i18next.
Just want it running?
You don't need JDK or Flutter to operate Hinata — the Quick start pulls prebuilt images. The development toolchains are only for building from source or contributing. See Development and Contributing.
Next steps#
- Quick start — three commands to a running stack.
- Production deployment — the full production path.
- Reverse proxy & TLS — public DNS, certificates and forwarding.