Ente サーバーのソースを表示

[[Category:ファイル共有]]
{{Related articles start}}
{{Related|AppArmor}}
{{Related|Certbot}}
{{Related|MinIO}}
{{Related|Nginx}}
{{Related|PostgreSQL}}
{{Related articles end}}
[https://ente.io Ente server] is the server part that stores and serves encrypted blobs of data to ente (mobile) clients. The clients send/receive encrypted data, which then arrives at the Ente server and is stored/read via the local [[MinIO]] object storage service.

For example when the '''Ente''' photos client is used, the client encrypts the photos, which are then stored on this server. Later on the client can then lookup the encrypted photos, and decrypt them locally ('''end-to-end encryption'''). Since only the client, or anyone the client shares the photos with, have the encryption key, only they can decrypt the data and actually see the photos, the server will never be able to do this due to the lack of that key material.

== Installation ==

The {{AUR|ente-server-git}} package is meant for self hosting in contrary to the by default provided dockerized '''Ente''' server. If a dockerized or hosted solution is required, see [https://ente.io/ ente.io].

Start by [[install]]ing the {{AUR|ente-server-git}} package.

Note that since self hosted server space is often available in limited quantity, the {{AUR|ente-server-git}} package has been modified to cleanup old unlinked ente-server [[MinIO]] objects much faster. The default upstream Ente server cleans these object every 45 days by default, but this package decreased the delay to cleanup every 5 minutes instead.

To get the '''Ente''' server running a working [[PostgreSQL]] database (to store Ente object meta data and user data) and [[MinIO]] bucket (to store encrypted object data) is required. Furthermore, a HTTPS proxy like [[Nginx]] is recommended to be used to access the '''Ente''' server. Lastly, the ''ente-cli'' tool can be used to easily upgrade ente-server account size limit and account expiry.

To install these required components, it is recommended installing the [[packages]] listed as optional dependencies, preferably as dependent [[package]] when installing them on the same host. For example, this can be done using the {{ic|--asdeps}} option when using [[pacman]] or {{AUR|yay}} to install these packages.

For completeness, the following [[packages]] are currently listed as optional dependencies:

* {{ic|minio}}
* {{ic|minio-client}}
* {{ic|nginx}}
* {{ic|postgresql}}

== Configuration ==

=== MinIO setup ===

[[textedit|Edit]] the configuration file as follows: 

{{hc|/etc/minio/minio.conf|2=
MINIO_VOLUMES="/srv/minio/data"
MINIO_ROOT_USER=minio
MINIO_ROOT_PASSWORD='<nowiki/>''YOUR-STRONG-MINIO-ROOT-PASSWORD''<nowiki/>'
MINIO_OPTS="--address ''your_public_domain.tld'':3200 --console-address 127.0.0.1:3201"
}}

[[Enable/start]] {{ic|minio.service}}.

Create [[MinIO]] ente-server bucket with the ''mcli'' command (as the minio user):

 # cd /srv/minio/data
 [minio]$ mcli mb -p ente-server

=== PostgreSQL setup ===

Initialize the database as the postgres user:

 [postgres]$ initdb --locale en_US.UTF-8 -D '/var/lib/postgres/data' --data-checksums --auth=scram-sha-256 --pwprompt

Configure to only listen on a [https://man.archlinux.org/man/unix.7.en AF_UNIX] socket: 

{{hc|/var/lib/postgres/data/postgresql.conf|2=
listen_addresses = <nowiki>''</nowiki> # AF_UNIX Socket only
}}

Restrict socket access to [[PostgreSQL]] user or group by [[edit]]ing {{ic|postgresql.service}}: 

{{hc|/etc/systemd/system/postgresql.d/socket-access-restriction.conf|2=
[Service]
RuntimeDirectoryMode=750
}}

Add {{ic|ente}} to the {{ic|postgres}} [[user group]], then [[start/enable]]{{ic|postgresql.service}}.

Create [[PostgreSQL]] database user and a database owned by this user (specify new password twice, then specify postgres password to store new account):

 [postgres]$ createuser -P ente

Then specify postgres password to create new database:

 [postgres]$ createdb -T template0 -O ente -E unicode ente-server

=== Running ente-server ===

Add [[MinIO]] bucket details:

{{hc|/etc/ente-server/local.yaml|
b2-eu-cen:
    key: minio
    secret: "''YOUR-STRONG-MINIO-ROOT-PASSWORD''"
    endpoint: ''your_public_domain.tld'':3200
    region: eu-central-2
    bucket: ente-server
}}

Add [[PostgreSQL]] details:

{{hc|/etc/ente-server/local.yaml|
db:
    host: /run/postgresql
    port: 5432
    name: ente-server
    user: ente
    password: "''YOUR-STRONG-ENTE-DATABASE-USER-PASSWORD''"
}}

Generate new secret key values using the ''ente-server-gen-random-keys'' command and use these values as a replacement of the default values in the {{ic|/etc/ente-server/local.yaml}} configuration file.

[[Edit]] {{ic|ente-server.service}} to allow it to access to the IP address of ''your_public_domain.tld'' (by default the service only allows access from and to localhost):

{{bc|
[Service]
IPAddressAllow{{=}}''IP_address_of_your_public_domain.tld''
}}

[[Enable/start]] {{ic|ente-server.service}}.

=== Configuring Nginx proxy ===

Copy the example [[Nginx]] config and the accompanying  HTTP(S) security header config files to the [[Nginx]] configuration directory:

 # cp -v /usr/lib/ente-server/ente-server-nginx.conf /etc/nginx/
 # cp -v /usr/lib/ente-server/http*security_headers.conf /etc/nginx/

Edit this example config, and replace ''your_public_domain.tld'' with your actual public domain name

Request a letsencrypt ceritifacte (or a SSL certificate from another provider) if not already done so:

 # certbot certonly --email ''your_email'' --agree-tos --preferred-challenge http --webroot -w /var/lib/letsencrypt -d ''your_public_domain.tld''

Append an {{ic|include}} statement to the [[Nginx]] {{ic|http}} config to include the ''ente-server'' config:

{{hc|/etc/nginx/nginx.conf|
http {
    include /etc/nginx/ente-server-nginx.conf
}
}}

Fix permissions:

 # chmod 644 /etc/nginx/ente-server-nginx.conf
 # chmod 644 /etc/nginx/http*security_headers.conf

[[Restart]] {{ic|nginx.service}} to apply the changes.

=== Configuring ente-server and ente-cli ===

{{Style|Last section to adjust.|section=Cleanup}}

* Install {{ic|ente-cli}} on the client:
** [[Install]] the {{AUR|ente-cli-bin}} package
* Add {{ic|ente-cli}} config on the client:
{{bc|$ mkdir -p ~/.ente/export }}
{{hc|~/.ente/config.yaml|
endpoint:
  api: "''<nowiki>https://your_public_domain.tld</nowiki>''" >}} 
* Add a user account via the photos mobile app or web app on the client, using a custom endpoint:
** In the photos mobile app:
*** Click 7 times on the main screen to enable developers mode
*** Define your custom '''Ente''' server API endpoint:
{{bc|        URL: ''<nowiki>https://your_public_domain.tld</nowiki>''}}
** In the web app on the client:
{{bc|      $ git clone https://github.com/ente-io/ente.git
      cd ente/web
      git submodule update --init --recursive
      yarn install
      NEXT_PUBLIC_ENTE_ENDPOINT{{=}}''<nowiki>https://your_public_domain.tld</nowiki>'' yarn dev:photos}}
* Follow the photos app or web app (''http://localhost:3000'') instructions to create a new user
* Obtain the OTP code:
** Via email:
*** Configure the {{ic|smtp}} section in {{ic|/etc/ente-server/local.yaml}}
*** Make sure the configure [https://man.archlinux.org/man/smtp.1.en SMTP] server is working
*** Wait for the mail to arrive and copy the OTP code
** Via the ente-server log:
***     {{bc|# journalctl -u ente-server {{!}} grep SendEmailOTT {{!}} tail -n 1}}
* Obtain the new users account ID:
{{bc| # psql -U ente ente-server -c 'select user_id from users order by user_id desc limit 1;'}}
* Configure this user as the admin:
{{hc|/etc/ente-server/local.yaml|
internal:
     admin: [''ADD_USER_ID_HERE'']}}
* [[Restart]] {{ic|ente-server.service}} to activate the new admin privileges
* Configure this admin within {{ic|ente-cli}} on the client:
{{bc| $ ente account add
     photos
     ~/.ente/export
     ''email_address_of_admin_account''
     ''password_of_admin_account''
}}

=== Increasing user storage and account expiry limit ===

* Use ''ente-cli'' to increase storage limit with 100 TB and expiry with 100 years:
{{bc| ente admin update-subscription -u "''user@domain.tld''"}}

=== (Optional) Copy and apply AppArmor profile ===

An [[AppArmor]] profile has been provided for those that wish to limit the access the '''ente-server''' binary has using [[AppArmor]]. Copy and apply this profile as follows (assuming that [[AppArmor]] has already been installed and enabled):
{{bc| # install -Dvm600 -o root -g root /usr/lib/ente-server/usr.bin.ente-server -t /etc/apparmor.d/
 # aa-enforce /usr/bin/ente-server}}

=== (Optional) Configure Firewall ===

If a host firewall like iptables or nftables has been enabled and configured, make sure the following is allowed:

* Traffic on {{ic|localhost}}
* Traffic from your '''Ente''' (mobile) client to TCP port {{ic|443}} to reach [[Nginx]]
* Traffic from your '''Ente''' (mobile) client to TCP port {{ic|3200}} to reach the [[MinIO]] API port

== Files ==

The {{AUR|ente-server-git}} package contains the {{man|1|ente-server|url=}} [[man page]] that lists and explains all files that are installed by this package.

== See also ==

* Upstream Repository: [https://github.com/ente-io/ente/tree/main/server ente.io Ente Server Repository]