pyrox.dev
1# Ente.io {#module-services-ente}
2
3[Ente](https://ente.io/) is a service that provides a fully open source,
4end-to-end encrypted platform for photos and videos.
5
6## Quickstart {#module-services-ente-quickstart}
7
8To host ente, you need the following things:
9- S3 storage server (either external or self-hosted like [minio](https://github.com/minio/minio))
10- Several subdomains pointing to your server:
11 - accounts.example.com
12 - albums.example.com
13 - api.example.com
14 - cast.example.com
15 - photos.example.com
16 - s3.example.com
17
18The following example shows how to setup ente with a self-hosted S3 storage via minio.
19You can host the minio s3 storage on the same server as ente, but as this isn't
20a requirement the example shows the minio and ente setup separately.
21We assume that the minio server will be reachable at `https://s3.example.com`.
22
23```nix
24{
25 services.minio = {
26 enable = true;
27 # ente's config must match this region!
28 region = "us-east-1";
29 # Please use a file, agenix or sops-nix to securely store your root user password!
30 # MINIO_ROOT_USER=your_root_user
31 # MINIO_ROOT_PASSWORD=a_randomly_generated_long_password
32 rootCredentialsFile = "/run/secrets/minio-credentials-full";
33 };
34
35 systemd.services.minio.environment.MINIO_SERVER_URL = "https://s3.example.com";
36
37 # Proxy for minio
38 networking.firewall.allowedTCPPorts = [
39 80
40 443
41 ];
42 services.nginx = {
43 recommendedProxySettings = true;
44 virtualHosts."s3.example.com" = {
45 forceSSL = true;
46 useACME = true;
47 locations."/".proxyPass = "http://localhost:9000";
48 # determine max file upload size
49 extraConfig = ''
50 client_max_body_size 16G;
51 proxy_buffering off;
52 proxy_request_buffering off;
53 '';
54 };
55 };
56}
57```
58
59And the configuration for ente:
60
61```nix
62{
63 services.ente = {
64 web = {
65 enable = true;
66 domains = {
67 accounts = "accounts.example.com";
68 albums = "albums.example.com";
69 cast = "cast.example.com";
70 photos = "photos.example.com";
71 };
72 };
73 api = {
74 enable = true;
75 nginx.enable = true;
76 # Create a local postgres database and set the necessary config in ente
77 enableLocalDB = true;
78 domain = "api.example.com";
79 # You can hide secrets by setting xyz._secret = file instead of xyz = value.
80 # Make sure to not include any of the secrets used here directly
81 # in your config. They would be publicly readable in the nix store.
82 # Use agenix, sops-nix or an equivalent secret management solution.
83 settings = {
84 s3 = {
85 use_path_style_urls = true;
86 b2-eu-cen = {
87 endpoint = "https://s3.example.com";
88 region = "us-east-1";
89 bucket = "ente";
90 key._secret = pkgs.writeText "minio_user" "minio_user";
91 secret._secret = pkgs.writeText "minio_pw" "minio_pw";
92 };
93 };
94 key = {
95 # generate with: openssl rand -base64 32
96 encryption._secret = pkgs.writeText "encryption" "T0sn+zUVFOApdX4jJL4op6BtqqAfyQLH95fu8ASWfno=";
97 # generate with: openssl rand -base64 64
98 hash._secret = pkgs.writeText "hash" "g/dBZBs1zi9SXQ0EKr4RCt1TGr7ZCKkgrpjyjrQEKovWPu5/ce8dYM6YvMIPL23MMZToVuuG+Z6SGxxTbxg5NQ==";
99 };
100 # generate with: openssl rand -base64 32
101 jwt.secret._secret = pkgs.writeText "jwt" "i2DecQmfGreG6q1vBj5tCokhlN41gcfS2cjOs9Po-u8=";
102 };
103 };
104 };
105
106 networking.firewall.allowedTCPPorts = [
107 80
108 443
109 ];
110 services.nginx = {
111 recommendedProxySettings = true; # This is important!
112 virtualHosts."accounts.${domain}".enableACME = true;
113 virtualHosts."albums.${domain}".enableACME = true;
114 virtualHosts."api.${domain}".enableACME = true;
115 virtualHosts."cast.${domain}".enableACME = true;
116 virtualHosts."photos.${domain}".enableACME = true;
117 };
118}
119```
120
121If you have a mail server or smtp relay, you can optionally configure
122`services.ente.api.settings.smtp` so ente can send you emails (registration code and possibly
123other events). This is optional.
124
125After starting the minio server, make sure the bucket exists:
126
127```
128mc alias set minio https://s3.example.com root_user root_password --api s3v4
129mc mb -p minio/ente
130```
131
132Now ente should be ready to go under `https://photos.example.com`.
133
134## Registering users {#module-services-ente-registering-users}
135
136Now you can open photos.example.com and register your user(s).
137Beware that the first created account will be considered to be the admin account,
138which among some other things allows you to use `ente-cli` to increase storage limits for any user.
139
140If you have configured smtp, you will get a mail with a verification code,
141otherwise you can find the code in the server logs.
142
143```
144journalctl -eu ente
145[...]
146ente # [ 157.145165] ente[982]: INFO[0141]email.go:130 sendViaTransmail Skipping sending email to a@a.a: Verification code: 134033
147```
148
149After you have registered your users, you can set
150`settings.internal.disable-registration = true;` to prevent
151further signups.
152
153## Increasing storage limit {#module-services-ente-increasing-storage-limit}
154
155By default, all users will be on the free plan which is the only plan
156available. While adding new plans is possible in theory, it requires some
157manual database operations which isn't worthwhile. Instead, use `ente-cli`
158with your admin user to modify the storage limit.
159
160## iOS background sync
161
162On iOS, background sync is achived via a silent notification sent by the server
163every 30 minutes that allows the phone to sync for about 30 seconds, enough for
164all but the largest videos to be synced on background (if the app is brought to
165foreground though, sync will resume as normal). To achive this however, a
166Firebase account is needed. In the settings option, configure credentials-dir
167to point towards the directory where the JSON containing the Firebase
168credentials are stored.
169
170```nix
171{
172 # This directory should contain your fcm-service-account.json file
173 services.ente.api.settings = {
174 credentials-dir = "/path/to/credentials";
175 # [...]
176 };
177}
178```