Ente server
Ente server is the server part that stores and serves encrypted blobs of data to ente (mobile) clients. The clients send/receive encrypted data, which then arrives at the Ente server and is stored/read via the local MinIO object storage service.
For example when the Ente photos client is used, the client encrypts the photos, which are then stored on this server. Later on the client can then lookup the encrypted photos, and decrypt them locally (end-to-end encryption). Since only the client, or anyone the client shares the photos with, have the encryption key, only they can decrypt the data and actually see the photos, the server will never be able to do this due to the lack of that key material.
Installation
The ente-server-gitAUR package is meant for self hosting in contrary to the by default provided dockerized Ente server. If a dockerized or hosted solution is required, see ente.io.
Start by installing the ente-server-gitAUR package.
Note that since self hosted server space is often available in limited quantity, the ente-server-gitAUR package added the ability to change the cleanup delay cleanup before old unlinked ente-server MinIO objects will be actually deleted. This can be configured via the internal:delete-object-delay
ente-server configuration parameter. The default upstream Ente server cleans these objects every 45 days
by default, but when replication is not required, this setting can be set to cleanup every 5 minutes
for example.
To get the Ente server running a working PostgreSQL database (to store Ente object meta data and user data) and MinIO bucket (to store encrypted object data) is required. Furthermore, a HTTPS proxy like Nginx is recommended to be used to access the Ente server. Lastly, the ente-cli tool can be used to easily upgrade ente-server account size limit and account expiry.
These required components are listed as optional dependencies and should preferably be installed as dependencies: Pacman#Installation_reason
Configuration
MinIO setup
Edit the configuration file as follows:
/etc/minio/minio.conf
MINIO_VOLUMES="/srv/minio/data" MINIO_ROOT_USER=minio MINIO_ROOT_PASSWORD='YOUR-STRONG-MINIO-ROOT-PASSWORD' MINIO_OPTS="--address 127.0.0.1:43200 --console-address 127.0.0.1:43201"
Enable/start minio.service
.
Create MinIO ente-server bucket with the mcli command (as the minio user):
# cd /srv/minio/data [minio]$ mcli mb -p ente-server
PostgreSQL setup
Initialize the database as the postgres user:
[postgres]$ initdb --locale en_US.UTF-8 -D '/var/lib/postgres/data' --data-checksums --auth=scram-sha-256 --pwprompt -c listen_addresses=''
PostgreSQL#Configure PostgreSQL to be accessible exclusively through UNIX Sockets, in case of an existing PostgreSQL setup:
/var/lib/postgres/data/postgresql.conf
listen_addresses = '' # AF_UNIX Socket only
Restrict socket access to PostgreSQL user or group by editing postgresql.service
:
[Service] RuntimeDirectoryMode=750
Add ente
to the postgres
user group, then start/enablepostgresql.service
.
Create PostgreSQL database user and a database owned by this user (specify new password twice, then specify postgres password to store new account):
[postgres]$ createuser -P ente
Then specify postgres password to create new database:
[postgres]$ createdb -T template0 -O ente -E unicode ente-server
Running ente-server
Add MinIO bucket details:
/etc/ente-server/local.yaml
b2-eu-cen: key: minio secret: "YOUR-STRONG-MINIO-ROOT-PASSWORD" endpoint: https://your_public_domain.tld:3200 region: eu-central-2 bucket: ente-server
Add PostgreSQL details:
/etc/ente-server/local.yaml
db: host: /run/postgresql port: 5432 name: ente-server user: ente password: "YOUR-STRONG-ENTE-DATABASE-USER-PASSWORD"
Generate new secret key values using the ente-server-gen-random-keys command and use these values as a replacement of the default values in the /etc/ente-server/local.yaml
configuration file.
Edit ente-server.service
to allow it to access to the IP address of your_public_domain.tld (by default the service only allows access from and to localhost):
[Service] IPAddressAllow=IP_address_of_your_public_domain.tld
Enable/start ente-server.service
.
Configuring Nginx proxy
Copy the example MinIO and Ente server Nginx config and the accompanying HTTP(S) security header config files to the Nginx configuration directory:
# cp -v /usr/lib/ente-server/ente-server-nginx.conf /etc/nginx/ # cp -v /usr/lib/ente-server/http*security_headers.conf /etc/nginx/ # cp -v /usr/lib/ente-server/minio-server-nginx.conf /etc/nginx/
Edit this example config, and replace your_public_domain.tld with your actual public domain name
Request a letsencrypt ceritifacte (or a SSL certificate from another provider) if not already done so:
# certbot certonly --email your_email --agree-tos --preferred-challenge http --webroot -w /var/lib/letsencrypt -d your_public_domain.tld
Append an include
statement to the Nginx http
config to include the ente-server config:
/etc/nginx/nginx.conf
http { include /etc/nginx/ente-server-nginx.conf }
Fix permissions:
# chmod 644 /etc/nginx/ente-server-nginx.conf # chmod 644 /etc/nginx/http*security_headers.conf
Restart nginx.service
to apply the changes.
Configuring ente-server and ente-cli
Install ente-cli
on the client with the ente-cli-binAUR package.
Add the ente-cli
configuration on the client:
$ mkdir -p ~/.ente/export
~/.ente/config.yaml
endpoint: api: "https://your_public_domain.tld" >
Add a user account via the Ente photos mobile, desktop or web app on the client, using a custom endpoint.
In the photos mobile app, click 7 times on the main screen to enable developers mode, then define your custom Ente server API endpoint:
URL: https://your_public_domain.tld
In the web app on the client:
$ git clone https://github.com/ente-io/ente.git $ cd ente/web $ git submodule update --init --recursive $ yarn install $ NEXT_PUBLIC_ENTE_ENDPOINT=https://your_public_domain.tld yarn dev:photos
When using the desktop app using the ente-desktop-gitAUR package, make sure you export the NEXT_PUBLIC_ENTE_ENDPOINT
environment variable before building.
Follow the photos mobile, desktop or web app (http://localhost:3000) instructions to create a new user.
Obtain the OTP code:
- Via email:
- Configure the
smtp
section in/etc/ente-server/local.yaml
- Make sure the configured smtp(1) server is working
- Wait for the mail to arrive and copy the OTP code
- Configure the
- Via the ente-server log:
# journalctl -au ente-server | grep SendEmailOTT | tail -n 1
Obtain the new users account ID:
# psql -U ente ente-server -c 'select user_id from users order by user_id desc limit 1;'
Configure this user as the admin:
/etc/ente-server/local.yaml
internal: admin: [ADD_USER_ID_HERE]
Restart ente-server.service
to activate the new admin privileges.
Configure this admin within ente-cli
on the client:
$ ente account add photos ~/.ente/export email_address_of_admin_account password_of_admin_account
Increasing user storage and account expiry limit
Use ente-cli to increase storage limit with 100 TB and expiry with 100 years:
$ ente admin update-subscription -u "user@domain.tld"
(Optional) Copy and apply AppArmor profile
An AppArmor profile has been provided for those that wish to limit the access the ente-server binary has using AppArmor. Copy and apply this profile as follows (assuming that AppArmor has already been installed and enabled):
# install -Dvm600 -o root -g root /usr/lib/ente-server/usr.bin.ente-server -t /etc/apparmor.d/ # aa-enforce /usr/bin/ente-server
(Optional) Configure Firewall
If a host firewall like iptables or nftables has been enabled and configured, make sure the following is allowed:
- Traffic on
localhost
- Traffic from your Ente (mobile) client to TCP port
443
to reach the Ente server via Nginx - Traffic from your Ente (mobile) client to TCP port
3200
to reach the MinIO server via Nginx
Files
The ente-server-gitAUR package contains the ente-server(1) man page that lists and explains all files that are installed by this package.
See also
- Upstream Repository: ente.io Ente Server Repository