Reapps
Private. Encrypted. Yours.
Open-source, end-to-end encrypted productivity apps.
Your data never leaves your device unencrypted.
Try re/task ยท Try re/notes ยท Website
Reborn Apps is a suite of two Progressive Web Apps built with a Zero Knowledge architecture - all user data is encrypted on your device before it ever reaches the server. The server stores only ciphertext and cannot read your tasks, notes, or metadata.
Built by Reborn Foundation (Poland), a European non-profit. Hosted on Hetzner Cloud (Germany). No tracking, no ads, no email required.
Apps
re/task - Encrypted task management
- Task lists
- Subtasks with progress tracking
- Recurring tasks - daily, weekly, or custom schedule
- Starred & favorites - focus on what matters
- Due dates & reminders with optional push notifications
- Smart views - Today, Upcoming, Overdue, Starred, Completed
- Full-text search with operators -
list:Inbox,due:<7d,is:overdue,has:link, โฆ (reference) - Trash & recovery - restore deleted tasks within 30 days
- Import & export - JSON backup and restore
- Read-only share links - send a frozen snapshot of a task (with its subtasks) via an encrypted public URL; the snapshot key lives in the URL fragment so the server never sees it. Optional password, expiry, and view-count limit; revoke anytime (blog post).
re/notes - Encrypted notes & documents
- Markdown editor - headings, lists, code blocks, images, and more
- Folders & tags - flexible organization system
- Multi-select & bulk actions - pin, star, move to folder, or delete many notes at once (long-press on touch, header toggle on desktop)
- Periodic notes - one-click Daily, Weekly, and Monthly notes (Obsidian-style); date-based titles with configurable formats, lazy-created folders, Daily on by default (blog post)
- Version history - up to 10 saved versions per note
- Internal links - link between notes with autocomplete to build a knowledge base
- Live preview - edit Markdown on one side, see formatted output on the other
- Encryption X-Ray - see exactly what the server sees (encrypted blobs)
- Full-text search with operators -
tag:work,folder:projects/active,created:<7d,has:link,-tag:archived, โฆ (reference) - Trash & recovery - safely delete and restore notes
- Import & export - Markdown, JSON, or encrypted backup; import single
.mdfiles or entire folders with subfolders (e.g., an Obsidian vault) preserving directory structure - Read-only share links - publish a frozen snapshot of a note via an encrypted public URL; the snapshot key lives in the URL fragment so the server never sees it. Optional password, expiry, and view-count limit; revoke anytime (blog post).
Shared features
- ๐ End-to-end encryption - data is encrypted on your device before reaching any server
- ๐ฑ Offline-first PWA - works without internet, syncs when back online
- ๐ Cross-device sync - access from any device, changes sync automatically
- ๐ก๏ธ Two-factor authentication - TOTP (2FA) with one-time recovery codes
- ๐ค One account, no email - just a username and password, shared across both apps (SSO)
- ๐ Installable - add to home screen as a native-like app
- ๐ Dark mode - full dark theme support
- ๏ฟฝ Multilingual - English ๐ฌ๐ง, French ๐ซ๐ท, German ๐ฉ๐ช, Polish ๐ต๐ฑ, Spanish ๐ช๐ธ
Security & privacy
Reborn Apps uses a Zero Knowledge E2E architecture:
| What | Where | Who can read it |
|---|---|---|
| Tasks, notes, subtasks, metadata | Server (encrypted) | Only you |
| Username | Server (plaintext) | Server operator |
| Password | Server (Argon2id hash) | Nobody |
| Encryption keys | Your device only | Only you |
| Email, phone, real name | Not collected | - |
How it works:
- You set a password โ a master encryption key is derived on your device (PBKDF2 600K iterations)
- All data is encrypted with AES-256-GCM before leaving the browser
- The server stores only ciphertext - it cannot decrypt anything
- Even sensitive metadata (due dates, completion status, starred flags) is bundled into an encrypted blob
- If the server is compromised, attackers get only encrypted noise
โ ๏ธ If you forget your password, your data is irrecoverable. Recovery codes cannot help with password recovery - they only bypass 2FA if you lose access to your authenticator app. This is by design - the server cannot help you because it cannot read your data.
For a deep dive, see the Zero Knowledge Architecture document and the Security Overview.
Try it
A free public instance is available at reapps.eu, maintained by Reborn Foundation:
| App | URL |
|---|---|
| re/task | reapps.eu/task |
| re/notes | reapps.eu/notes |
No email required. Create an account with just a username and password.
Live status: stats.uptimerobot.com/JDB9dZbrRv
Self-hosting
You own your data - you can also run your own instance.
There are two flows depending on what you want to do:
| Flow | Source on host? | Image | Speed | Use case |
|---|---|---|---|---|
| Development | Required (cloned repo) | node:alpine + bind mount + pnpm install at boot |
Slow first start, HMR after | Hacking on the code |
| Production | Not required at runtime | Pre-built from multi-stage Dockerfile |
<15 s boot, no install | Running your own instance |
Why this matters: the default
docker-compose.ymlis the development flow. If you paste it into a stack editor (Portainer, Coolify, โฆ) without a cloned repo on the host,pnpm installfails withERR_PNPM_NO_PKG_MANIFESTbecause the bind mount points at an empty directory. For self-hosting, use the production flow below.
Requirements
- Docker v25+ with Docker Compose
- A
.envfile (copy from.env.example, generate strong secrets - see below)
Development flow
# Clone the repository
git clone https://github.com/fundacja-reborn/reapps.git
cd reapps
# Copy environment config
cp .env.example .env
# Start both apps with SSO support (recommended)
docker compose -f docker-compose.yml -f docker-compose.proxy.yml --profile with-notes up
After startup:
| App | URL |
|---|---|
| re/task | http://localhost/task |
| re/notes | http://localhost/notes |
Both apps share a single PostgreSQL database and a single user account (SSO via shared origin).
First startup takes a few minutes (downloading images +
pnpm install). Subsequent starts are fast thanks to Docker volume caching.
Other dev configurations
# Only re/task (port 4200)
docker compose up
# Both apps on separate ports (no SSO)
docker compose --profile with-notes up
Production flow
The production flow builds a multi-stage Dockerfile and runs the pre-compiled SvelteKit server - no pnpm install at boot, no bind mount, no source on the host required at runtime.
git clone https://github.com/fundacja-reborn/reapps.git
cd reapps
# Copy and edit the environment + production override.
cp .env.example .env
cp docker-compose.prod.yml.example docker-compose.prod.yml
Edit .env and set at least:
PUBLIC_SITE_URL=https://your-domain.example.com # or http://your-server-ip
DB_USER=postgres
DB_PASSWORD=<strong-random-password>
DB_NAME=reborn
JWT_SECRET=<32+ random bytes, base64>
REFRESH_TOKEN_SECRET=<32+ random bytes, base64>
SESSION_SECRET=<32+ random bytes, base64>
RECOVERY_KEY_SECRET=<32+ random bytes, base64>
Generate a secret with openssl rand -base64 48.
Build and start:
docker compose -f docker-compose.yml -f docker-compose.prod.yml \
--profile with-notes up -d --build --wait
The apps listen on :4200 (task) and :4201 (notes) on the Docker host. For SSO (shared origin โ shared localStorage) put a TLS-terminating reverse proxy in front (nginx, Caddy, Traefik, Cloudflare Tunnel, โฆ) that maps:
<PUBLIC_SITE_URL>/task/โhttp://127.0.0.1:4200/task/<PUBLIC_SITE_URL>/notes/โhttp://127.0.0.1:4201/notes/
nginx/dev.conf is a reference proxy config - adapt it (add listen 443 ssl;, certificate paths, HSTS) for your environment.
Portainer / Coolify / stack editors: paste the contents of
docker-compose.ymlanddocker-compose.prod.yml.example(combined or as a compose project that fetches both from git). The build context needs the repo source - point the stack at this Git URL, not at a raw paste.
Smoke-testing the production image locally
If you want to verify the production build works before pointing your real domain at it:
cp docker-compose.localprod.yml.example docker-compose.localprod.yml
docker compose -f docker-compose.yml -f docker-compose.localprod.yml \
-f docker-compose.proxy.yml --profile with-notes -p reborn-localprod \
up -d --build --wait
# โ http://localhost/task and http://localhost/notes
This uses http://localhost as the origin and the dev DB credentials, so it composes cleanly without further configuration.
Without Docker
# Prerequisites: Node.js 20+, PNPM 10+, PostgreSQL
pnpm install
pnpm db:generate
pnpm db:migrate
# Start re/task
pnpm nx dev reborn-task
# Start re/notes (separate terminal)
pnpm nx dev reborn-notes
Stopping & cleanup
# Stop containers (dev)
docker compose -f docker-compose.yml -f docker-compose.proxy.yml --profile with-notes down
# Stop containers (production)
docker compose -f docker-compose.yml -f docker-compose.prod.yml --profile with-notes down
# Full reset (removes database and cached node_modules)
docker compose -f docker-compose.yml -f docker-compose.proxy.yml --profile with-notes down -v
Tech stack
| Layer | Technology |
|---|---|
| Frontend | SvelteKit 2, Svelte 5 (runes), TypeScript |
| Styling | TailwindCSS 4 |
| Offline storage | IndexedDB (Dexie.js) |
| Encryption | AES-256-GCM, PBKDF2, Argon2id (Web Crypto API + hash-wasm) |
| Backend | SvelteKit API routes |
| Database | PostgreSQL 17, Prisma 6 |
| Auth | JWT + refresh tokens, TOTP 2FA, recovery codes |
| Monorepo | pnpm workspaces, Nx 21 |
| Notes editor | CodeMirror 6 (Markdown) |
Project structure
apps/
โโโ reborn-task/ # Task management app (SvelteKit)
โโโ reborn-notes/ # Notes app (SvelteKit)
packages/
โโโ @reborn/auth # Authentication (JWT, 2FA, recovery codes)
โโโ @reborn/crypto # E2E encryption & key management
โโโ @reborn/database # Prisma schema & client
โโโ @reborn/storage # Encrypted IndexedDB stores
โโโ @reborn/types # Shared TypeScript types
โโโ @reborn/ui # UI components (shadcn-svelte)
โโโ @reborn/i18n # Internationalization (PL/EN)
โโโ @reborn/utils # Shared utilities
โโโ @reborn/api-client # HTTP client for API
docs/
โโโ architecture/ # Zero Knowledge architecture docs
โโโ security/ # Security audits
Contributing
We welcome community involvement! Due to the security-sensitive nature of this project (E2E encryption, Zero Knowledge architecture), we maintain all code changes internally.
How you can help:
- Report bugs - open an Issue with clear reproduction steps
- Suggest features & discuss ideas - join GitHub Discussions
- Report security vulnerabilities - see our Security Policy (please report privately)
- Improve translations - suggest corrections or new languages via Issues
Note: We do not accept external pull requests. Every code change undergoes internal security review to protect the integrity of the encryption layer. If you've found a bug and know the fix, please describe it in an Issue - we'll gladly credit you.
Acknowledgments
Reborn Apps is shaped by feedback from people who try it, share ideas, and tell us what's missing. Special thanks to:
- Travis Solin (@computrav) - for early feedback on the public release and detailed thinking on power-user search semantics that directly informed the operator-based search syntax.
If you've contributed something that shaped this project - an idea, a substantive bug report, a translation - and you're not listed here, please open an Issue. Smaller individual reports are credited per-release in commit messages and release notes.
License
AGPL-3.0 - Copyright ยฉ 2025 Fundacja Reborn (Poland)
You are free to use, modify, and self-host. If you modify the server-side code and offer it as a service, you must open-source your changes under the same license.
Further reading
- Zero Knowledge Architecture - how encryption works under the hood
- Security Overview - security posture, cryptographic primitives, and known limitations
- Security Policy - how to report vulnerabilities
Support
Reborn Apps is built by a non-profit foundation - no investors, no ads, no tracking. If you find our apps useful and want to support their continued development, every donation helps us build software free from commercial pressure.
โ Donate via Wise
Built with privacy in mind by Reborn Foundation (Poland).
