Ente server

Ente server is the server part that stores and serves encrypted blobs of data to ente (mobile) clients. The clients send/receive encrypted data, which then arrives at the Ente server and is stored/read via the local MinIO object storage service.

For example when the Ente photos client is used, the client encrypts the photos, which are then stored on this server. Later on the client can then lookup the encrypted photos, and decrypt them locally (end-to-end encryption). Since only the client, or anyone the client shares the photos with, have the encryption key, only they can decrypt the data and actually see the photos, the server will never be able to do this due to the lack of that key material.

Installation

The ente-server-git^AUR package is meant for self hosting in contrary to the by default provided dockerized Ente server. If a dockerized or hosted solution is required, see ente.io.

Start by installing the ente-server-git^AUR package.

Note that since self hosted server space is often available in limited quantity, the ente-server-git^AUR package added the ability to change the cleanup delay cleanup before old unlinked ente-server MinIO objects will be actually deleted. This can be configured via the internal:delete-object-delay ente-server configuration parameter. The default upstream Ente server cleans these objects every 45 days by default, but when replication is not required, this setting can be set to cleanup every 5 minutes for example.

Note: This setting is NOT supported by the Ente developers, due to the possible risk of breaking ente-server. The full warning has been described in the ente-server configuration file.

To get the Ente server running a working PostgreSQL database (to store Ente object meta data and user data) and MinIO bucket (to store encrypted object data) is required. Furthermore, a HTTPS proxy like Nginx is recommended to be used to access the Ente server. Lastly, the ente-cli tool can be used to easily upgrade ente-server account size limit and account expiry.

These required components are listed as optional dependencies and should preferably be installed as dependencies: Pacman#Installation_reason

Configuration

MinIO setup

Edit the configuration file as follows:

/etc/minio/minio.conf

MINIO_VOLUMES="/srv/minio/data"
MINIO_ROOT_USER=minio
MINIO_ROOT_PASSWORD='YOUR-STRONG-MINIO-ROOT-PASSWORD'
MINIO_OPTS="--address your_public_domain.tld:3200 --console-address 127.0.0.1:3201"

Enable/start minio.service.

Create MinIO ente-server bucket with the mcli command (as the minio user):

# cd /srv/minio/data
[minio]$ mcli mb -p ente-server

PostgreSQL setup

Initialize the database as the postgres user:

[postgres]$ initdb --locale en_US.UTF-8 -D '/var/lib/postgres/data' --data-checksums --auth=scram-sha-256 --pwprompt -c listen_addresses=''

PostgreSQL#Configure PostgreSQL to be accessible exclusively through UNIX Sockets, in case of an existing PostgreSQL setup:

/var/lib/postgres/data/postgresql.conf

listen_addresses = '' # AF_UNIX Socket only

Restrict socket access to PostgreSQL user or group by editing postgresql.service:

[Service]
RuntimeDirectoryMode=750

Add ente to the postgres user group, then start/enablepostgresql.service.

Create PostgreSQL database user and a database owned by this user (specify new password twice, then specify postgres password to store new account):

[postgres]$ createuser -P ente

Then specify postgres password to create new database:

[postgres]$ createdb -T template0 -O ente -E unicode ente-server

Running ente-server

Add MinIO bucket details:

/etc/ente-server/local.yaml

b2-eu-cen:
    key: minio
    secret: "YOUR-STRONG-MINIO-ROOT-PASSWORD"
    endpoint: your_public_domain.tld:3200
    region: eu-central-2
    bucket: ente-server

Add PostgreSQL details:

/etc/ente-server/local.yaml

db:
    host: /run/postgresql
    port: 5432
    name: ente-server
    user: ente
    password: "YOUR-STRONG-ENTE-DATABASE-USER-PASSWORD"

Generate new secret key values using the ente-server-gen-random-keys command and use these values as a replacement of the default values in the /etc/ente-server/local.yaml configuration file.

Edit ente-server.service to allow it to access to the IP address of your_public_domain.tld (by default the service only allows access from and to localhost):

[Service]
IPAddressAllow=IP_address_of_your_public_domain.tld

Enable/start ente-server.service.

Configuring Nginx proxy

Copy the example Nginx config and the accompanying HTTP(S) security header config files to the Nginx configuration directory:

# cp -v /usr/lib/ente-server/ente-server-nginx.conf /etc/nginx/
# cp -v /usr/lib/ente-server/http*security_headers.conf /etc/nginx/

Edit this example config, and replace your_public_domain.tld with your actual public domain name

Request a letsencrypt ceritifacte (or a SSL certificate from another provider) if not already done so:

# certbot certonly --email your_email --agree-tos --preferred-challenge http --webroot -w /var/lib/letsencrypt -d your_public_domain.tld

Append an include statement to the Nginx http config to include the ente-server config:

/etc/nginx/nginx.conf

http {
    include /etc/nginx/ente-server-nginx.conf
}

Fix permissions:

# chmod 644 /etc/nginx/ente-server-nginx.conf
# chmod 644 /etc/nginx/http*security_headers.conf

Restart nginx.service to apply the changes.

Configuring ente-server and ente-cli

Install ente-cli on the client with the ente-cli-bin^AUR package.

Add the ente-cli configuration on the client:

$ mkdir -p ~/.ente/export

~/.ente/config.yaml

endpoint:
  api: "https://your_public_domain.tld" >

Add a user account via the photos mobile app or web app on the client, using a custom endpoint. In the photos mobile app, click 7 times on the main screen to enable developers mode, then define your custom Ente server API endpoint:

URL: https://your_public_domain.tld

In the web app on the client:

$ git clone https://github.com/ente-io/ente.git
$ cd ente/web
$ git submodule update --init --recursive
$ yarn install
$ NEXT_PUBLIC_ENTE_ENDPOINT=https://your_public_domain.tld yarn dev:photos

Follow the photos app or web app (http://localhost:3000) instructions to create a new user.

Obtain the OTP code:

Via email:
- Configure the smtp section in /etc/ente-server/local.yaml
- Make sure the configured smtp(1) server is working
- Wait for the mail to arrive and copy the OTP code
Via the ente-server log:

# journalctl -u ente-server | grep SendEmailOTT | tail -n 1

Obtain the new users account ID:

# psql -U ente ente-server -c 'select user_id from users order by user_id desc limit 1;'

Configure this user as the admin:

/etc/ente-server/local.yaml

internal:
     admin: [ADD_USER_ID_HERE]

Restart ente-server.service to activate the new admin privileges.

Configure this admin within ente-cli on the client:

$ ente account add
photos
~/.ente/export
email_address_of_admin_account
password_of_admin_account

Increasing user storage and account expiry limit

Use ente-cli to increase storage limit with 100 TB and expiry with 100 years:

$ ente admin update-subscription -u "user@domain.tld"

(Optional) Copy and apply AppArmor profile

An AppArmor profile has been provided for those that wish to limit the access the ente-server binary has using AppArmor. Copy and apply this profile as follows (assuming that AppArmor has already been installed and enabled):

 # install -Dvm600 -o root -g root /usr/lib/ente-server/usr.bin.ente-server -t /etc/apparmor.d/
 # aa-enforce /usr/bin/ente-server

(Optional) Configure Firewall

If a host firewall like iptables or nftables has been enabled and configured, make sure the following is allowed:

Traffic on localhost
Traffic from your Ente (mobile) client to TCP port 443 to reach Nginx
Traffic from your Ente (mobile) client to TCP port 3200 to reach the MinIO API port

Files

The ente-server-git^AUR package contains the ente-server(1) man page that lists and explains all files that are installed by this package.