# Configuring museum
# ------------------
#
# 1. If the environment variable `ENVIRONMENT` is specified, then it is used to
# load one of the files from the `configurations/` directory. If not present,
# then by default `local.yaml` (this file) will get loaded.
#
# 2. If the "credentials-file" config option is set then museum will look for
# that file. If found, that file will also be loaded, and entries specified
# therein will override the defaults specified here.
#
# 3. Then, museum will look for a file named `museum.yaml` (gitignored) in the
# current working directory. If found, this file will also be loaded and
# merged.
#
# 4. Config can be overridden via environment variables (details below).
#
# Environment variables
# ---------------------
#
# All configuration options can be overridden via environment variables. The
# environment variable should have the prefix "ENTE_", and any nesting should be
# replaced by underscores.
#
# For example, the nested string "db.user" in the config file can alternatively
# be specified (or be overridden) by setting an environment variable named
# ENTE_DB_USER.
#
#
# Empty strings
# -------------
#
# The empty string indicates missing values (to match go convention).
#
# This also means that to override a value that is specified in local.yaml in a
# subsequently loaded config file, you should specify the key as an empty string
# (`key: ""`) instead of leaving it unset.
#
# ---
# If this option is specified, then it is loaded and gets merged-in over the
# defaults present in default.yaml. This provides a way to inject credentials
# and other overrides.
#
# The default is to look for a file named credentials.yaml in the CWD.
#credentials-file: credentials.yaml
# Some credentials (e.g. the TLS cert) are cumbersome to provide inline in the
# YAML configuration file, thus these are loaded at runtime from separate files.
#
# This is the directory where museum should look for them.
#
# Currently, the following files are loaded (if needed)
#
# - credentials/{tls.cert,tls.key}
# - credentials/pst-service-account.json
# - credentials/fcm-service-account.json
#
# The default is to look for these files in a directory named credentials
# under the CWD.
#credentials-dir: credentials
# Path of the log file.
#
# When running locally, museum logs to stdout; set this to a file path to have
# it log there instead. Leaving it empty is only acceptable locally: a
# non-local environment must specify it.
log-file: ""
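# HTTP connection parameters
http:
  # If true, bind to 443 and use TLS. The certificate and key are then read
  # from `credentials/{tls.cert,tls.key}` under `credentials-dir` (see above).
  # By default, this is false, and museum will bind to 8080 without TLS.
  # use-tls: true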
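# Specify the base endpoints for various apps
#
# Leave an entry empty to use the ente.io default noted next to it.
apps:
  # Default is https://albums.ente.io
  #
  # If you're running a self hosted instance and wish to serve public links,
  # set this to the URL where your albums web app is running.
  public-albums:
  # Default is https://cast.ente.io
  cast:
  # Default is https://accounts.ente.io
  #
  # Set this to the URL where your accounts web app is running, primarily used
  # for passkey based 2FA.
  accounts:
  # Default is https://family.ente.io
  family: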
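# Database connection parameters
db:
  host: localhost
  port: 5432
  name: ente_db
  # TLS mode for the Postgres connection. With "disable", the DB credentials
  # and all query traffic travel in cleartext, so you might want to set this to
  # "require" (or one of the stricter verify modes) for production.
  # See https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
  sslmode: disable
  # These can be specified here, or alternatively provided via the environment
  # as ENTE_DB_USER and ENTE_DB_PASSWORD.
  user:
  password:
  # This can be used to provide parameters that are appended verbatim to the
  # generated DSN used for connecting to the DB.
  # extra: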
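# Map of data centers
#
# Each data center also specifies which bucket in that provider should be used.
#
# If you're not using replication (it is off by default), you only need to
# provide valid credentials for the first entry (the default hot storage,
# "b2-eu-cen").
#
# Note that you need to use the same key names (e.g. "b2-eu-cen") as below. The
# values and the S3 provider itself can be any arbitrary S3 storage; it is not
# tied to the region (eu-cen) or provider (b2, wasabi), but for historical
# reasons the key names have to be one of those in the list below.
s3:
  # Override the primary and secondary hot storage. The commented out values
  # are the defaults.
  #
  # hot_storage:
  #   primary: b2-eu-cen
  #   secondary: wasabi-eu-central-2-v3
  b2-eu-cen:
    key:
    secret:
    endpoint:
    region:
    bucket:
  wasabi-eu-central-2-v3:
    key:
    secret:
    endpoint:
    region:
    bucket:
    # If enabled, this causes us to opt the object out of the compliance
    # lock when the object is deleted. See "Wasabi Compliance".
    #
    # Currently this flag is only honoured for the Wasabi v3 bucket.
    compliance: true
  scw-eu-fr-v3:
    key:
    secret:
    endpoint:
    region:
    bucket:
  wasabi-eu-central-2-derived:
    key:
    secret:
    endpoint:
    region:
    bucket:
  # Derived storage bucket is used for storing derived data like embeddings,
  # preview etc. By default, it is the same as the hot storage bucket.
  # derived-storage: wasabi-eu-central-2-derived
  # If true, enable some workarounds to allow us to use a local minio instance
  # for object storage. Intended for local development only, since it disables
  # SSL for the object storage connection.
  #
  # 1. Disable SSL.
  #
  # 2. Use "path" style S3 URLs (see `use_path_style_urls` below).
  #
  # 3. Directly download the file during replication instead of going via the
  # Cloudflare worker.
  #
  # 4. Do not specify storage classes when uploading objects (since minio does
  # not support them, specifically it doesn't support GLACIER).
  #
  # are_local_buckets: true
  # Uncomment this to use "path" style S3 URLs.
  #
  # By default the bucket name is part of the (sub)domain, e.g.
  # http://b2-eu-cen.localhost:3200/. If this is true, then we use "path"
  # style S3 URLs where the bucket is part of the URL path, e.g.
  # http://localhost:3200/b2-eu-cen.
  #
  # This is useful in scenarios when sub-domain based addressing cannot be
  # resolved, e.g. when running a local instance, or when using MinIO as a
  # production store.
  # use_path_style_urls: true
  #
  # Warning: For file-storage, do not specify buckets with any lock or
  # versioning enabled. The application does not handle these cases. By
  # default, we will use the derived-storage or hot storage bucket as the
  # primary bucket for file-data-config.
  # file-data-config:
  #   mldata:
  #     primaryBucket:
  #     replicaBuckets: []
  #   img_preview:
  #     primaryBucket:
  #     replicaBuckets: []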
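# Key used for encrypting customer emails before storing them in DB
#
# To make it easy to get started, some randomly generated values are provided
# here. But these sample values are committed to the public repository, so they
# protect nothing: if you're really going to be using museum, please generate
# new keys. You can use `go run tools/gen-random-keys/main.go` for that.
key:
  encryption: yvmG/RnzKrbCb9L3mgsmoxXr9H7i2Z4qlbT0mL3ln4w=
  hash: KXYiG07wC7GIgvCSdg+WmyWdXDAn6XKYJtp/wkEU7x573+byBRAYtpTP0wwvi8i/4l37uicX1dVTUzwH3sLZyw==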
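# JWT secrets
#
# To make it easy to get started, a randomly generated value is provided here.
# But it is committed to the public repository, and anyone who knows the
# signing secret can mint tokens that museum will accept, so if you're really
# going to be using museum, please generate a new key. You can use
# `go run tools/gen-random-keys/main.go` for that.
jwt:
  secret: i2DecQmfGreG6q1vBj5tCokhlN41gcfS2cjOs9Po-u8=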
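# SMTP configuration (optional)
#
# Configure credentials here for sending mails from museum (e.g. OTP emails).
#
# The smtp credentials will be used if the host is specified. Otherwise it will
# try to use the transmail credentials. Ideally, one of smtp or transmail should
# be configured for a production instance.
#
# username and password are optional (e.g. if you're using a local relay server
# and don't need authentication).
smtp:
  host:
  port:
  username:
  password:
  # The email address from which to send the email. Set this to an email
  # address whose credentials you're providing.
  email: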
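# Zoho Zeptomail config (optional)
#
# This is an alternative to the `smtp` configuration for sending emails. If this
# is set (and SMTP credentials are not set), then museum will use the transmail
# SDK for sending emails using Zoho Zeptomail.
transmail:
  # Transmail token
  # Mail agent: dev
  key: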
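# Apple config (optional)
# Use case: In-app purchases
apple:
  # Secret used when communicating with Apple for validating IAP receipts.
  shared-secret: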
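# Stripe config (optional)
# Use case: Payments
stripe:
  us:
    key:
    webhook-secret:
  in:
    key:
    webhook-secret:
  # NOTE(review): presumably the redirect targets accepted after a checkout
  # session; verify against the payment handler before relying on it.
  whitelisted-redirect-urls: []
  path:
    # Quoted because a leading `?` is a YAML indicator character; the parsed
    # strings are unchanged.
    success: '?status=success&session_id={CHECKOUT_SESSION_ID}'
    cancel: '?status=fail&reason=canceled'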
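# Passkey support (optional)
# Use case: MFA
webauthn:
  # Our "Relying Party" ID. This scopes the generated credentials.
  # See: https://www.w3.org/TR/webauthn-3/#rp-id
  #
  # Per the spec this must equal, or be a registrable domain suffix of, the
  # domain the accounts app is served from; `localhost` only suits local
  # development.
  rpid: localhost
  # Whitelist of origins from where we will accept WebAuthn requests.
  # See: https://github.com/go-webauthn/webauthn
  #
  # Each entry is a full origin (scheme, host and port). The default matches an
  # accounts app running locally; replace it with your deployed origin.
  rporigins:
    - "http://localhost:3001"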
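# Discord config (optional)
# Use case: Devops
discord:
  bot:
    cha-ching:
      token:
      channel:
    mona-lisa:
      token:
      channel: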
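# Zoho Campaigns config (optional)
# Use case: Sending emails
zoho:
  client-id:
  client-secret:
  refresh-token:
  list-key:
  topic-ids: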
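# Listmonk Campaigns config (optional)
# Use case: Sending emails
listmonk:
  server-url:
  username:
  password:
  list-ids: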
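# Various low-level configuration options
internal:
  # If false (the default), then museum will notify the external world of
  # various events. E.g, email users about their storage being full, send
  # alerts to Discord, etc.
  #
  # It can be set to true when running a "read only" instance like a backup
  # restoration test, where we want to be able to access data but otherwise
  # minimize external side effects.
  silent: false
  # If provided, this external healthcheck url is periodically pinged.
  health-check-url:
  # Hardcoded verification codes, useful for logging in when developing.
  #
  # Uncomment this and set these to your email ID or domain so that you don't
  # need to peek into the server logs for obtaining the OTP when trying to log
  # into an instance you're developing on.
  #
  # Because these codes stand in for the emailed OTP of the matching addresses,
  # keep this section commented out on any instance reachable by others.
  # hardcoded-ott:
  #   emails:
  #     - "example@example.org,123456"
  #   # When running in a local environment, hardcode the verification code to
  #   # 123456 for email addresses ending with @example.org
  #   local-domain-suffix: "@example.org"
  #   local-domain-value: 123456
  # List of user IDs that can use the admin API endpoints.
  #
  # If this is not set, as a fallback, the first user is considered an admin.
  # On an instance with more than one user, set this explicitly so that admin
  # rights do not depend on who happened to register first.
  admins: []
  # In case there is a single admin, it can be alternatively specified as the
  # "admin" instead of "admins". This can be useful e.g. when wishing to pass
  # the admin as an environment variable.
  admin:
  # If set to true, users will not be able to register a new account.
  #
  # During sign up, the client will get an unauthorized error and
  # thus cannot create new accounts.
  #
  # Consider enabling this on an internet-facing instance once the intended
  # accounts have been created.
  disable-registration: false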
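# Replication config
#
# If enabled, replicate each file to 2 other data centers after it gets
# successfully uploaded to the primary hot storage.
replication:
  enabled: false
  # The Cloudflare worker to use to download files from the primary hot
  # bucket. If this isn't specified, files will be downloaded directly.
  worker-url:
  # Number of go routines to spawn for replication
  # This is not related to the worker-url above.
  # Optional, default value is indicated here.
  worker-count: 6
  # Where to store temporary objects during replication v3
  # Optional, default value is indicated here.
  tmp-storage: tmp/replication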
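# Configuration for various background / cron jobs.
jobs:
  cron:
    # Instances run various cleanup, sending emails and other cron jobs. Use
    # this flag to disable all these cron jobs.
    skip: false
  remove-unreported-objects:
    # Number of go routines to spawn for object cleanup
    # Optional, default value is indicated here.
    worker-count: 1
  clear-orphan-objects:
    # By default, this job is disabled.
    enabled: false
    # If provided, only objects that begin with this prefix are pruned.
    prefix: ""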