Server Configuration
All Sync-in server configuration options are defined in the environment.yaml file.
This file allows you to customize how your Sync-in instance behaves: networking, authentication, database, caching, email, and more.
𧱠Sectionsβ
π₯οΈ serverβ
host: IP address the server will listen on (default:0.0.0.0)port: Port used for the web interface (default:8080)workers: Number of worker processes (default:1)- Use
autoor0to use all CPU cores. - In production, itβs recommended to use at least 2 workers to avoid potential blocking caused by the internal scheduler handling background tasks.
- Use
trustProxy: Enables proxy support (number,true,false, or IP range, default: 1) β See available options.restartOnFailure: Automatically restart workers if they crash (trueorfalse, default:true)
π loggerβ
level: Logging level (trace,debug,info,warn,error,fatal)stdout: Outputs logs to the console (true, default) or writes them to a file (false)colorize: Enables log colorization (default:true)filePath: Path to the log file used whenstdoutis set tofalse.
π¬ mysqlβ
url: MySQL connection URL (e.g.,mysql://user:password@localhost:3306/database)logQueries: Enables logging of SQL queries to the database (trueorfalse)
β‘ cacheβ
adapter: Cache system (mysqlby default, orredis)ttl: Default time-to-live for cached entries (in seconds)redis: Redis connection URL (used whenadapter: redis)
π websocketβ
adapter: WebSocket adapter (clusterorredis)cluster: uses Node.js workers for inter-process communication (default)redis: enables communication between distributed instances; recommended for multi-server setups
corsOrigin: Allowed origin(s) for WebSocket connections (default:*)redis: Redis connection URL (used whenadapter: redis)
π§ mailβ
host: SMTP server hostport: SMTP server port (e.g.,587)sender: Sender email address (e.g.,Sync-in<notification@sync-in.com>)auth:user: SMTP usernamepass: SMTP password
secure: Use SSL connection (trueorfalse)ignoreTLS: Disables the use of STARTTLS even if the server advertises it (trueorfalse, default:false).rejectUnauthorized: reject the connection if the server's TLS certificate is invalid (trueorfalse, default:false)logger: Enable SMTP logging (trueorfalse)debug: Enable debug mode (trueorfalse)
π authβ
method: Authentication method (mysqlorldap, default:mysql)cookieSameSite: SameSite cookie policy (lax,strict, default:strict)encryptionKey: Encryption key for user secrets stored in the database, optional but recommended.
β οΈ Once MFA is enabled, any modification or deletion of the encryption key will invalidate the secrets, preventing any further authentication.-
mfaβtotp:enabled: Enable TOTP Authentication for all users (trueorfalse, default:true)issuer: Name shown in the authentication app (e.g., FreeOTP, Proton Authenticator, Aegis Authenticator), default:Sync-in
-
token:βaccess:secret: JWT secret for access tokensexpiration: Access token lifespan (e.g.,30m)
refresh:secret: JWT secret for refresh tokensexpiration: Refresh token lifespan (e.g.,4h)
-
ldap(ifmethod: ldap):βservers: List of LDAP server URLsbaseDN: Base distinguished name (e.g.,ou=people,dc=example,dc=com)filter: LDAP filter (optional)attributes:login: LDAP attribute used for user login (uidorcnormailorsAMAccountNameoruserPrincipalName), default:uidemail: LDAP attribute containing the userβs email address (e.g.,mail,email), default:mail.
adminGroup: CN of a group containing Sync-in administrators (e.g., administrators)upnSuffix: AD domain suffix used withuserPrincipalNameto build UPN-style logins (e.g., user@sync-in.com)netbiosName: NetBIOS domain name used withsAMAccountNameto build legacy logins (e.g.,SYNC_IN\user)
𧩠applicationsβ
π filesβ
dataPath: Path to store user datamaxUploadSize: Maximum allowed file upload size (default:5368709120-> 5 GB)contentIndexing: Enables or disables indexing of file contents used for full-text search (default:true)showHiddenFiles: Show files starting with a dot in the file explorer (default:false)-
onlyoffice:βenabled: Enable OnlyOffice integration (trueorfalse, default:false)externalServer: OnlyOffice server URL (e.g.,https://onlyoffice.my-domain.com)secret: Shared JWT secret with OnlyOfficeverifySSL: Enforce SSL verification (trueorfalse, default:false)
ποΈ appStoreβ
repository: Choice of repository for application client releases:public(default) orlocal
π± Environment variablesβ
All Sync-in server configuration parameters can be set using environment variables prefixed with SYNCIN_.
For example, the following configuration :
auth:
encryptionKey: "changeEncryptionKeyWithStrongKey"
token:
access:
secret: "changeAccessWithStrongSecret"
refresh:
secret: "changeRefreshWithStrongSecret"
mysql:
url: mysql://root:MySQLRootPassword@mariadb:3306/sync_in
Can be replicated with environment variables as follows:
SYNCIN_AUTH_ENCRYPTIONKEY="changeEncryptionKeyWithStrongKey"
SYNCIN_AUTH_TOKEN_ACCESS_SECRET="changeAccessWithStrongSecret"
SYNCIN_AUTH_TOKEN_REFRESH_SECRET="changeAccessWithStrongSecret"
SYNCIN_MYSQL_URL="mysql://root:MySQLRootPassword@mariadb:3306/sync_in"
info
For boolean values, use true or false.
Numeric values are parsed automatically
π Full configuration exampleβ
server:
# default host : `0.0.0.0`
host: 0.0.0.0
# default port : `8080`
port: 8080
# workers: `auto` or `0` (use all cpus) | number of CPUs to use
# default: 1
workers: 1
# trust proxy: number (trust the nth hop from the front-facing proxy server as the client) | `true` | `false` | `127.0.0.1,192.168.1.1/24`
# default: 1
trustProxy: 1
# restartOnFailure: automatically restart workers if they are killed or die
# default: `true`
restartOnFailure: true
logger:
# level: `trace` | `debug` | `info` | `warn` | `error` | `fatal`
# default: `info`
level: info
# stdout: if false logs are written to the run directory
# default: `true`
stdout: true
# Colorize output.
# default: `true`
colorize: true
# Path to the log file used when stdout is set to false
filePath:
mysql:
# required
url: mysql://user:MySQLRootPassword@localhost:3306/database
# default: `false`
logQueries: false
cache:
# adapter: `mysql` | `redis`
# default: `mysql`
adapter: mysql
# TTL in seconds
# default: `60`
ttl: 60
# Redis adapter url
# default: `redis://127.0.0.1:6379`
redis: redis://127.0.0.1:6379
websocket:
# adapter: `cluster` (Node.js Workers: default) | `redis`
# default: `cluster`
adapter: cluster
# Cors origin allowed
# default: `*`
corsOrigin: '*'
# Redis adapter url
# default: `redis://127.0.0.1:6379`
redis: redis://127.0.0.1:6379
mail:
host: smtp.server.com
# default: `25`
port: 25
# default: `Sync-in<notification@sync-in.com>`
sender: 'Sync-in<notification@sync-in.com>'
# optional
auth:
user: user
pass: password
# Defines if the connection should use SSL (if true) or not (if false)
# Note: setting `secure: false` does not necessarily mean messages are sent in plaintext
# If the server supports STARTTLS, the connection is usually upgraded to TLS automatically
# default: `false`
secure: false
# ignoreTLS: if true, disables the use of STARTTLS even if the server advertises it
# default: false
ignoreTLS: false
# rejectUnauthorized: reject the connection if the server's TLS certificate is invalid
# default: false
rejectUnauthorized: false
# Enable logger
# default: `false`
logger: false
# Set log level to debug
# default: `false`
debug: false
auth:
# adapter : `mysql` | `ldap`
# default: `mysql`
method: mysql
# Key used to encrypt user secret keys in the database
# Optional but strongly recommended
# Warning: do not change or remove the encryption key after MFA activation, or the codes will become invalid
encryptionKey: changeEncryptionKeyWithStrongKey
# Multifactor authentication
mfa:
# TOTP configuration
totp:
# Enable TOTP authentication
# default: true
enabled: true
# Name displayed in the authentication app (FreeOTP, Proton Authenticator, Aegis Authenticator etc.)
# default: Sync-in
issuer: Sync-in
# cookie sameSite setting: `lax` | `strict`
# default: `strict`
cookieSameSite: strict
token:
access:
# Used for token and cookie signatures
# required
secret: changeAccessWithStrongSecret
# token expiration = cookie maxAge
# default: `30m`
expiration: 30m
refresh:
# Used for token and cookie signatures
# required
secret: changeRefreshWithStrongSecret
# token expiration = cookie maxAge
# default: `4h`
expiration: 4h
ldap:
# e.g: [ldap://localhost:389, ldaps://localhost:636] (array required)
servers: []
# baseDN: distinguished name (e.g., ou=people,dc=ldap,dc=sync-in,dc=com)
baseDN:
# filter, e.g: (acl=admin)
filter:
attributes:
# Login attribute used to construct the user's DN for binding.
# The value of this attribute is used as the naming attribute (first RDN) when forming the Distinguished Name (DN) during authentication
# login: `uid` | `cn` | `mail` | `sAMAccountName` | `userPrincipalName`, used to authenticate the user
# default: `uid`
login: uid
# Attribute used to retrieve the user's email address
# email: `mail` or `email`
# default: `mail`
email: mail
# adminGroup: The CN of a group containing Sync-in administrators (e.g., administrators)
adminGroup:
# upnSuffix: AD domain suffix used with `userPrincipalName` to build UPN-style logins (e.g., user@`sync-in.com`)
upnSuffix:
# netbiosName: NetBIOS domain name used with `sAMAccountName` to build legacy logins (e.g., `SYNC_IN`\user)
netbiosName:
applications:
files:
# required
dataPath: /home/sync-in
# default: 5368709120 (5 GB)
maxUploadSize: 5368709120
# Enable indexing of file contents for search (disabling this turns off full-text search)
# default: true
contentIndexing: true
# Show files starting with a dot in the file explorer
# default: false
showHiddenFiles: false
onlyoffice:
# enable onlyoffice integration
# default: false
enabled: false
# For an external server (e.g., https://onlyoffice.domain.com), remember the url must be accessible from browser!
# If externalServer is empty (case of official docker compose), we use the local instance
# default: null
externalServer:
# Secret used for jwt tokens, it must be the same on the onlyoffice server
# required
secret: onlyOfficeSecret
# If you use https, set to `true`.
# default: `false`
verifySSL: false
appStore:
# repository: `public` | `local`
# default: `public`
repository: public