339 lines
11 KiB
YAML
339 lines
11 KiB
YAML
# Configuring museum
|
|
# ------------------
|
|
#
|
|
# 1. If the environment variable `ENVIRONMENT` is specified, then it is used to
|
|
# load one of the files from the `configurations/` directory. If not present,
|
|
# then by default `local.yaml` (this file) will get loaded.
|
|
#
|
|
# 2. Then, museum will look for a file named `museum.yaml` in the current
|
|
# working directory. If found, this file will also be loaded, and entries
|
|
# specified therein will override the defaults specified here.
|
|
#
|
|
# 3. If the "credentials-file" config option is set, then museum will also load
|
|
# that and merge it in.
|
|
#
|
|
# 4. Config can be overridden with via environment variables (details below).
|
|
#
|
|
# Environment variables
|
|
# ---------------------
|
|
#
|
|
# All configuration options can be overridden via environment variables. The
|
|
# environment variable should have the prefix "ENTE_", and any nesting should be
|
|
# replaced by underscores.
|
|
#
|
|
# For example, the nested string "db.user" in the config file can alternatively
|
|
# be specified (or be overridden) by setting an environment variable named
|
|
# ENTE_DB_USER.
|
|
#
|
|
#
|
|
# Empty strings
|
|
# -------------
|
|
#
|
|
# The empty string indicates missing values (to match go convention).
|
|
#
|
|
# This also means that to override a value that is specified in local.yaml in a
|
|
# subsequently loaded config file, you should specify the key as an empty string
|
|
# (`key: ""`) instead of leaving it unset.
|
|
#
|
|
# ---
|
|
|
|
# If this option is specified, then it is loaded and gets merged-in over the
|
|
# defaults present in default.yaml. This provides a way to inject credentials
|
|
# and other overrides.
|
|
#
|
|
# The default is to look for a file named credentials.yaml in the CWD.
|
|
#credentials-file: credentials.yaml
|
|
|
|
# Some credentials (e.g. the TLS cert) are cumbersome to provide inline in the
|
|
# YAML configuration file, thus these are loaded at runtime from separate files.
|
|
#
|
|
# This is the directory where museum should look for them.
|
|
#
|
|
# Currently, the following files are loaded (if needed)
|
|
#
|
|
# - credentials/{tls.cert,tls.key}
|
|
# - credentials/pst-service-account.json
|
|
# - credentials/fcm-service-account.json
|
|
#
|
|
# The default is to look for a these files in a directory named credentials
|
|
# under the CWD.
|
|
#credentials-dir: credentials
|
|
|
|
# By default, museum logs to stdout when running locally. Specify this path to
|
|
# get it to log to a file instead.
|
|
#
|
|
# It must be specified if running in a non-local environment.
|
|
log-file: ""
|
|
|
|
# HTTP connection parameters
|
|
http:
|
|
# If true, bind to 443 and use TLS.
|
|
# By default, this is false, and museum will bind to 8080 without TLS.
|
|
# use-tls: true
|
|
|
|
# Specify the base endpoints for various apps
|
|
apps:
|
|
# Default is https://albums.ente.io
|
|
#
|
|
# If you're running a self hosted instance and wish to serve public links,
|
|
# set this to the URL where your albums web app is running.
|
|
public-albums:
|
|
|
|
# Database connection parameters
|
|
db:
|
|
host: localhost
|
|
port: 5432
|
|
name: ente_db
|
|
# You might want to set this to "require" for production
|
|
# See https://www.postgresql.org/docs/current/libpq-ssl.html#LIBPQ-SSL-PROTECTION
|
|
sslmode: disable
|
|
# These can be specified here, or alternatively provided via the environment
|
|
# as ENTE_DB_USER and ENTE_DB_PASSWORD.
|
|
user:
|
|
password:
|
|
|
|
# Map of data centers
|
|
#
|
|
# Each data center also specifies which bucket in that provider should be used.
|
|
#
|
|
# If you're not using replication (it is off by default), you only need to
|
|
# provide valid credentials for the first entry (the default hot storage,
|
|
# "b2-eu-cen").
|
|
#
|
|
# Note that you need to use the same key names (e.g. "b2-eu-cen") as below. The
|
|
# values and the S3 provider itself can any arbitrary S3 storage, it is not tied
|
|
# to the region (eu-cen) or provider (b2, wasabi), but for historical reasons
|
|
# the key names have to be one of those in the list below.
|
|
s3:
|
|
# Override the primary and secondary hot storage. The commented out values
|
|
# are the defaults.
|
|
#
|
|
#hot_storage:
|
|
# primary: b2-eu-cen
|
|
# secondary: wasabi-eu-central-2-v3
|
|
b2-eu-cen:
|
|
key:
|
|
secret:
|
|
endpoint:
|
|
region:
|
|
bucket:
|
|
wasabi-eu-central-2-v3:
|
|
key:
|
|
secret:
|
|
endpoint:
|
|
region:
|
|
bucket:
|
|
# If enabled, this causes us to opt the object out of the compliance
|
|
# lock when the object is deleted. See "Wasabi Compliance".
|
|
#
|
|
# Currently this flag is only honoured for the Wasabi v3 bucket.
|
|
compliance: true
|
|
scw-eu-fr-v3:
|
|
key:
|
|
secret:
|
|
endpoint:
|
|
region:
|
|
bucket:
|
|
wasabi-eu-central-2-derived:
|
|
key:
|
|
secret:
|
|
endpoint:
|
|
region:
|
|
bucket:
|
|
# Derived storage bucket is used for storing derived data like embeddings, preview etc.
|
|
# By default, it is the same as the hot storage bucket.
|
|
# derived-storage: wasabi-eu-central-2-derived
|
|
|
|
# If true, enable some workarounds to allow us to use a local minio instance
|
|
# for object storage.
|
|
#
|
|
# 1. Disable SSL.
|
|
#
|
|
# 2. Use "path" style S3 URLs (see `use_path_style_urls` below).
|
|
#
|
|
# 3. Directly download the file during replication instead of going via the
|
|
# Cloudflare worker.
|
|
#
|
|
# 4. Do not specify storage classes when uploading objects (since minio does
|
|
# not support them, specifically it doesn't support GLACIER).
|
|
#
|
|
#are_local_buckets: true
|
|
# Uncomment this to use "path" style S3 URLs.
|
|
#
|
|
# By default the bucket name is part of the (sub)domain, e.g.
|
|
# http://b2-eu-cen.localhost:3200/. If this is true, then we use "path"
|
|
# style S3 URLs where the bucket is part of the URL path, e.g.
|
|
# http://localhost:3200/b2-eu-cen.
|
|
#
|
|
# This is useful in scenarios when sub-domain based addressing cannot be
|
|
# resolved, e.g. when running a local instance, or when using MinIO as a
|
|
# production store.
|
|
#use_path_style_urls: true
|
|
|
|
# Key used for encrypting customer emails before storing them in DB
|
|
#
|
|
# To make it easy to get started, some randomly generated values are provided
|
|
# here. But if you're really going to be using museum, please generate new keys.
|
|
# You can use `go run tools/gen-random-keys/main.go` for that.
|
|
key:
|
|
encryption: yvmG/RnzKrbCb9L3mgsmoxXr9H7i2Z4qlbT0mL3ln4w=
|
|
hash: KXYiG07wC7GIgvCSdg+WmyWdXDAn6XKYJtp/wkEU7x573+byBRAYtpTP0wwvi8i/4l37uicX1dVTUzwH3sLZyw==
|
|
|
|
# JWT secrets
|
|
#
|
|
# To make it easy to get started, a randomly generated values is provided here.
|
|
# But if you're really going to be using museum, please generate new keys. You
|
|
# can use `go run tools/gen-random-keys/main.go` for that.
|
|
jwt:
|
|
secret: i2DecQmfGreG6q1vBj5tCokhlN41gcfS2cjOs9Po-u8=
|
|
|
|
# SMTP configuration (optional)
|
|
#
|
|
# Configure credentials here for sending mails from museum (e.g. OTP emails).
|
|
#
|
|
# The smtp credentials will be used if the host is specified. Otherwise it will
|
|
# try to use the transmail credentials. Ideally, one of smtp or transmail should
|
|
# be configured for a production instance.
|
|
smtp:
|
|
host:
|
|
port:
|
|
username:
|
|
password:
|
|
# The email address from which to send the email. Set this to an email
|
|
# address whose credentials you're providing.
|
|
email:
|
|
|
|
# Zoho Zeptomail config (optional)
|
|
#
|
|
# This is an alternative to the `smtp` configuration for sending emails. If this
|
|
# is set (and SMTP credentials are not set), then museum will use the transmail
|
|
# SDK for sending emails using Zoho Zeptomail.
|
|
transmail:
|
|
# Transmail token
|
|
# Mail agent: dev
|
|
key:
|
|
|
|
# Apple config (optional)
|
|
# Use case: In-app purchases
|
|
apple:
|
|
# Secret used when communicating with Apple for validating IAP receipts.
|
|
shared-secret:
|
|
|
|
# Stripe config (optional)
|
|
# Use case: Payments
|
|
stripe:
|
|
us:
|
|
key:
|
|
webhook-secret:
|
|
in:
|
|
key:
|
|
webhook-secret:
|
|
whitelisted-redirect-urls: []
|
|
path:
|
|
success: ?status=success&session_id={CHECKOUT_SESSION_ID}
|
|
cancel: ?status=fail&reason=canceled
|
|
|
|
# Passkey support (WIP)
|
|
webauthn:
|
|
rpid: "example.com"
|
|
rporigins:
|
|
- "https://example.com:3005"
|
|
|
|
# Roadmap SSO (optional)
|
|
#
|
|
# Allow the user to sign into an hosted roadmap service using their ente.io
|
|
# credentials. Here we can can configure the URL prefix and service levels
|
|
# credentials for SSO.
|
|
roadmap:
|
|
# The prefix of the URL the user should be redirected to
|
|
url-prefix:
|
|
# This secret can be obtained from the roadmap dashboard
|
|
sso-secret:
|
|
|
|
# Discord config (optional)
|
|
# Use case: Devops
|
|
discord:
|
|
bot:
|
|
cha-ching:
|
|
token:
|
|
channel:
|
|
mona-lisa:
|
|
token:
|
|
channel:
|
|
|
|
# Zoho Campaigns config (optional)
|
|
# Use case: Sending emails
|
|
zoho:
|
|
client-id:
|
|
client-secret:
|
|
refresh-token:
|
|
list-key:
|
|
topic-ids:
|
|
|
|
# Listmonk Campaigns config (optional)
|
|
# Use case: Sending emails
|
|
listmonk:
|
|
server-url:
|
|
username:
|
|
password:
|
|
list-ids:
|
|
|
|
# Various low-level configuration options
|
|
internal:
|
|
# If false (the default), then museum will notify the external world of
|
|
# various events. E.g, email users about their storage being full, send
|
|
# alerts to Discord, etc.
|
|
#
|
|
# It can be set to true when running a "read only" instance like a backup
|
|
# restoration test, where we want to be able to access data but otherwise
|
|
# minimize external side effects.
|
|
silent: false
|
|
# If provided, this external healthcheck url is periodically pinged.
|
|
health-check-url:
|
|
# Hardcoded verification codes, useful for logging in when developing.
|
|
#
|
|
# Uncomment this and set these to your email ID or domain so that you don't
|
|
# need to peek into the server logs for obtaining the OTP when trying to log
|
|
# into an instance you're developing on.
|
|
# hardcoded-ott:
|
|
# emails:
|
|
# - "example@example.org,123456"
|
|
# # When running in a local environment, hardcode the verification code to
|
|
# # 123456 for email addresses ending with @example.org
|
|
# local-domain-suffix: "@example.org"
|
|
# local-domain-value: 123456
|
|
# List of user IDs that can use the admin API endpoints.
|
|
admins: []
|
|
|
|
# Replication config
|
|
#
|
|
# If enabled, replicate each file to 2 other data centers after it gets
|
|
# successfully uploaded to the primary hot storage.
|
|
replication:
|
|
enabled: false
|
|
# The Cloudflare worker to use to download files from the primary hot
|
|
# bucket. Must be specified if replication is enabled.
|
|
worker-url:
|
|
# Number of go routines to spawn for replication
|
|
# This is not related to the worker-url above.
|
|
# Optional, default value is indicated here.
|
|
worker-count: 6
|
|
# Where to store temporary objects during replication v3
|
|
# Optional, default value is indicated here.
|
|
tmp-storage: tmp/replication
|
|
|
|
# Configuration for various background / cron jobs.
|
|
jobs:
|
|
cron:
|
|
# Instances run various cleanup, sending emails and other cron jobs. Use
|
|
# this flag to disable all these cron jobs.
|
|
skip: false
|
|
remove-unreported-objects:
|
|
# Number of go routines to spawn for object cleanup
|
|
# Optional, default value is indicated here.
|
|
worker-count: 1
|
|
clear-orphan-objects:
|
|
# By default, this job is disabled.
|
|
enabled: false
|
|
# If provided, only objects that begin with this prefix are pruned.
|
|
prefix: ""
|