1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
|
# Ente-server configuration file
# This configuration has been modified to work in a standalone non-Docker setup.
#
# Note that the original ente.io local.yaml server configuration,
# which contains all available options can be found at:
# /usr/lib/ente-server/local.yaml
# or in the online ente.io GIT repo at:
# https://github.com/ente-io/ente/blob/main/server/configurations/local.yaml
#
# When a config item is not used, it must not be deleted, but set to an empty value, for example:
# unused-setting: ""
# credential config file:
credentials-file: ""
# this dir is used for TLS data, by default this is done by nginx, and thus can be left empty
credentials-dir: ""
# std-out of the ente-server is send to the systemd journal, when started via the systemd service
# if started without the systemd-service, please specify a log file location instead:
log-file: ""
# HTTP connection parameters
http:
# If true, bind to 443 and use TLS.
# By default, this is false, and ente-server will bind to 8080 without TLS.
# TLS is handled by nginx
use-tls: false
# Database connection parameters
db:
host: /run/postgresql
port: 5432
name: ente-server
user: ente
password: "<YOUR-STRONG-ENTE-DATABASE-USER-PASSWORD>"
sslmode: disable
# See https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
# Map of data centers, emulated by minio by default
# Each data center also specifies which bucket in that provider should be used.
s3:
hot_storage:
primary: b2-eu-cen
secondary: ""
b2-eu-cen:
key: minio
secret: "<YOUR-STRONG-MINIO-ROOT-PASSWORD>"
endpoint: https://<your_public_domain.tld>:3200
region: eu-central-2
bucket: ente-server
# If true, enable some workarounds to allow us to use a local minio instance
# for object storage.
#
# 1. Disable SSL.
#
# 2. Use "path" style S3 URLs (see `use_path_style_urls` below).
#
# 3. Directly download the file during replication instead of going via the
# Cloudflare worker.
#
# 4. Do not specify storage classes when uploading objects (since minio does
# not support them, specifically it doesn't support GLACIER).
#
are_local_buckets: true
# Uncomment this to use "path" style S3 URLs.
#
# By default the bucket name is part of the (sub)domain, e.g.
# http://b2-eu-cen.localhost:3200/. If this is true, then we use "path"
# style S3 URLs where the bucket is part of the URL path, e.g.
# http://localhost:3200/b2-eu-cen.
#
# This is useful in scenarios when sub-domain based addressing cannot be
# resolved, e.g. when running a local instance, or when using MinIO as a
# production store.
use_path_style_urls: true
# Key used for encrypting customer emails before storing them in DB
# Current values are examples, its recommended replacing them with new unique values
# Run `ente-server-gen-random-keys` to generate new values
key:
encryption: yvmG/RnzKrbCb9L3mgsmoxXr9H7i2Z4qlbT0mL3ln4w=
hash: KXYiG07wC7GIgvCSdg+WmyWdXDAn6XKYJtp/wkEU7x573+byBRAYtpTP0wwvi8i/4l37uicX1dVTUzwH3sLZyw==
# JWT secrets
# Current value is an example, its recommended replacing it with a new unique value
# Run `ente-server-gen-random-keys` to generate new values
jwt:
secret: i2DecQmfGreG6q1vBj5tCokhlN41gcfS2cjOs9Po-u8=
# SMTP configuration (optional)
#
# Configure credentials here for sending mails from museum (e.g. OTP emails).
#
# The smtp credentials will be used if the host is specified. Otherwise it will
# try to use the transmail credentials. Ideally, one of smtp or transmail should
# be configured for a production instance.
smtp:
host: ""
port: ""
username: ""
password: ""
# Various low-level configuration options
internal:
# If false (the default), then museum will notify the external world of
# various events. E.g, email users about their storage being full, send
# alerts to Discord, etc.
#
# It can be set to true when running a "read only" instance like a backup
# restoration test, where we want to be able to access data but otherwise
# minimize external side effects.
silent: false
# If provided, this external healthcheck url is periodically pinged.
health-check-url:
# Hardcoded verification codes, useful for logging in when developing.
#
# Uncomment this and set these to your email ID or domain so that you don't
# need to peek into the server logs for obtaining the OTP when trying to log
# into an instance you're developing on.
# hardcoded-ott:
# emails:
# - "example@example.org,123456"
# # When running in a local environment, hardcode the verification code to
# # 123456 for email addresses ending with @example.org
# local-domain-suffix: "@example.org"
# local-domain-value: 123456
# List of user IDs that can use the admin API endpoints.
admins: []
# Cleanup delay of S3/MinIO objects in minutes (default: 45 days = 64800 minutes)
# WARNING: Only change this value when you know what you're doing, since this can cause things to break if configured incorrectly.
# For example, if replication is enabled then this value should be such that the deletion is never attempted before compliance lock passes.
# delete-object-delay: 64800
# Replication config
#
# If enabled, replicate each file to 2 other data centers after it gets
# successfully uploaded to the primary hot storage.
replication:
enabled: false
# The Cloudflare worker to use to download files from the primary hot
# bucket. Must be specified if replication is enabled.
worker-url:
# Number of go routines to spawn for replication
# This is not related to the worker-url above.
# Optional, default value is indicated here.
worker-count: 6
# Where to store temporary objects during replication v3
# Optional, default value is indicated here.
tmp-storage: tmp/replication
# Configuration for various background / cron jobs.
jobs:
cron:
# Instances run various cleanup, sending emails and other cron jobs. Use
# this flag to disable all these cron jobs.
skip: false
remove-unreported-objects:
# Number of go routines to spawn for object cleanup
# Optional, default value is indicated here.
worker-count: 1
clear-orphan-objects:
# By default, this job is disabled.
enabled: false
# If provided, only objects that begin with this prefix are pruned.
prefix: ""
# Passkey support (WIP)
webauthn:
rpid: "example.com"
rporigins:
- "https://example.com:3005"
|