Ente サーバー
関連記事
Ente server is the server part that stores and serves encrypted blobs of data to ente (mobile) clients. The clients send/receive encrypted data, which then arrives at the Ente server and is stored/read via the local MinIO object storage service.
For example when the Ente photos client is used, the client encrypts the photos, which are then stored on this server. Later on the client can then lookup the encrypted photos, and decrypt them locally (end-to-end encryption). Since only the client, or anyone the client shares the photos with, have the encryption key, only they can decrypt the data and actually see the photos, the server will never be able to do this due to the lack of that key material.
Installation
The ente-server-gitAUR package is meant for self hosting in contrary to the by default provided dockerized Ente server. If a dockerized or hosted solution is required, see ente.io.
Start by installing the ente-server-gitAUR package.
Note that since self hosted server space is often available in limited quantity, the ente-server-gitAUR package has been modified to cleanup old unlinked ente-server MinIO objects much faster. The default upstream Ente server cleans these object every 45 days by default, but this package decreased the delay to cleanup every 5 minutes instead.
To get the Ente server running a working PostgreSQL database (to store Ente object meta data and user data) and MinIO bucket (to store encrypted object data) is required. Furthermore, a HTTPS proxy like Nginx is recommended to be used to access the Ente server. Lastly, the ente-cli tool can be used to easily upgrade ente-server account size limit and account expiry.
To install these required components, it is recommended installing the packages listed as optional dependencies, preferably as dependent package when installing them on the same host. For example, this can be done using the --asdeps
option when using pacman or yayAUR to install these packages.
For completeness, the following packages are currently listed as optional dependencies:
minio
minio-client
nginx
postgresql
Configuration
MinIO setup
Edit the configuration file as follows:
/etc/minio/minio.conf
MINIO_VOLUMES="/srv/minio/data" MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD='YOUR-STRONG-MINIO-ROOT-PASSWORD' MINIO_OPTS="--address your_public_domain.tld:3200 --console-address 127.0.0.1:3201"
Enable/start minio.service
.
Create MinIO ente-server bucket with the mcli command (as the minio user):
# cd /srv/minio/data [minio]$ mcli mb -p ente-server
PostgreSQL setup
Initialize the database as the postgres user:
[postgres]$ initdb --locale en_US.UTF-8 -D '/var/lib/postgres/data' --data-checksums --auth=scram-sha-256 --pwprompt
Configure to only listen on a AF_UNIX socket:
/var/lib/postgres/data/postgresql.conf
listen_addresses = '' # AF_UNIX Socket only
Restrict socket access to PostgreSQL user or group by editing postgresql.service
:
/etc/systemd/system/postgresql.d/socket-access-restriction.conf
[Service] RuntimeDirectoryMode=750
Add ente
to the postgres
user group, then start/enablepostgresql.service
.
Create PostgreSQL database user and a database owned by this user (specify new password twice, then specify postgres password to store new account):
[postgres]$ createuser -P ente
Then specify postgres password to create new database:
[postgres]$ createdb -T template0 -O ente -E unicode ente-server
Running ente-server
Add MinIO bucket details:
/etc/ente-server/local.yaml
b2-eu-cen: key: minio secret: "YOUR-STRONG-MINIO-ROOT-PASSWORD" endpoint: your_public_domain.tld:3200 region: eu-central-2 bucket: ente-server
Add PostgreSQL details:
/etc/ente-server/local.yaml
db: host: /run/postgresql port: 5432 name: ente-server user: ente password: "YOUR-STRONG-ENTE-DATABASE-USER-PASSWORD"
Generate new secret key values using the ente-server-gen-random-keys command and use these values as a replacement of the default values in the /etc/ente-server/local.yaml
configuration file.
Edit ente-server.service
to allow it to access to the IP address of your_public_domain.tld (by default the service only allows access from and to localhost):
[Service] IPAddressAllowテンプレート:=IP_address_of_your_public_domain.tld
Enable/start ente-server.service
.
Configuring Nginx proxy
Copy the example Nginx config and the accompanying HTTP(S) security header config files to the Nginx configuration directory:
# cp -v /usr/lib/ente-server/ente-server-nginx.conf /etc/nginx/ # cp -v /usr/lib/ente-server/http*security_headers.conf /etc/nginx/
Edit this example config, and replace your_public_domain.tld with your actual public domain name
Request a letsencrypt ceritifacte (or a SSL certificate from another provider) if not already done so:
# certbot certonly --email your_email --agree-tos --preferred-challenge http --webroot -w /var/lib/letsencrypt -d your_public_domain.tld
Append an include
statement to the Nginx http
config to include the ente-server config:
/etc/nginx/nginx.conf
http { include /etc/nginx/ente-server-nginx.conf }
Fix permissions:
# chmod 644 /etc/nginx/ente-server-nginx.conf # chmod 644 /etc/nginx/http*security_headers.conf
Restart nginx.service
to apply the changes.
Configuring ente-server and ente-cli
- Install
ente-cli
on the client:- Install the ente-cli-binAUR package
- Add
ente-cli
config on the client:
$ mkdir -p ~/.ente/export
~/.ente/config.yaml
endpoint: api: "https://your_public_domain.tld" >
- Add a user account via the photos mobile app or web app on the client, using a custom endpoint:
- In the photos mobile app:
- Click 7 times on the main screen to enable developers mode
- Define your custom Ente server API endpoint:
- In the photos mobile app:
URL: https://your_public_domain.tld
- In the web app on the client:
$ git clone https://github.com/ente-io/ente.git cd ente/web git submodule update --init --recursive yarn install NEXT_PUBLIC_ENTE_ENDPOINTテンプレート:=https://your_public_domain.tld yarn dev:photos
- Follow the photos app or web app (http://localhost:3000) instructions to create a new user
- Obtain the OTP code:
- Via email:
- Configure the
smtp
section in/etc/ente-server/local.yaml
- Make sure the configure SMTP server is working
- Wait for the mail to arrive and copy the OTP code
- Configure the
- Via the ente-server log:
# journalctl -u ente-server | grep SendEmailOTT | tail -n 1
- Via email:
- Obtain the new users account ID:
# psql -U ente ente-server -c 'select user_id from users order by user_id desc limit 1;'
- Configure this user as the admin:
/etc/ente-server/local.yaml
internal: admin: [ADD_USER_ID_HERE]
- Restart
ente-server.service
to activate the new admin privileges - Configure this admin within
ente-cli
on the client:
$ ente account add photos ~/.ente/export email_address_of_admin_account password_of_admin_account
Increasing user storage and account expiry limit
- Use ente-cli to increase storage limit with 100 TB and expiry with 100 years:
ente admin update-subscription -u "user@domain.tld"
(Optional) Copy and apply AppArmor profile
An AppArmor profile has been provided for those that wish to limit the access the ente-server binary has using AppArmor. Copy and apply this profile as follows (assuming that AppArmor has already been installed and enabled):
# install -Dvm600 -o root -g root /usr/lib/ente-server/usr.bin.ente-server -t /etc/apparmor.d/ # aa-enforce /usr/bin/ente-server
(Optional) Configure Firewall
If a host firewall like iptables or nftables has been enabled and configured, make sure the following is allowed:
- Traffic on
localhost
- Traffic from your Ente (mobile) client to TCP port
443
to reach Nginx - Traffic from your Ente (mobile) client to TCP port
3200
to reach the MinIO API port
Files
The ente-server-gitAUR package contains the ente-server(1) man page that lists and explains all files that are installed by this package.
See also
- Upstream Repository: ente.io Ente Server Repository