Server Configuration
All Sync-in server configuration options are defined in the environment.yaml file.
This file allows you to customize how your Sync-in instance behaves: networking, authentication, database, caching, email, and more.
Sections
server
- host: IP address the server will listen on (default: 0.0.0.0)
- port: Port used for the web interface (default: 8080)
- workers: Number of worker processes.
  - Use auto to utilize all CPU cores.
  - Regardless of the value, at least 2 workers are always started; 1 is reserved for scheduled tasks.
- trustProxy: Enables proxy support (number, true, false, or IP range, default: 1). See available options.
- restartOnFailure: Automatically restart workers if they crash (true or false, default: true)
logger
- level: Logging level (trace, debug, info, warn, error, fatal)
- stdout: Outputs logs to the console (true, default) or writes them to a file (false)
- colorize: Enables log colorization (default: true)
- filePath: Path to the log file used when stdout is set to false.
mysql
- url: MySQL connection URL (e.g., mysql://user:password@localhost:3306/database)
- logQueries: Enables logging of SQL queries to the database (true or false)
cache
- adapter: Cache system (mysql by default, or redis)
- ttl: Default time-to-live for cached entries (in seconds)
- redis: Redis connection URL (used when adapter: redis)
websocket
- adapter: WebSocket adapter (cluster or redis)
  - cluster: uses Node.js workers for inter-process communication (default)
  - redis: enables communication between distributed instances; recommended for multi-server setups
- corsOrigin: Allowed origin(s) for WebSocket connections (default: *)
- redis: Redis connection URL (used when adapter: redis)
mail
- host: SMTP server host
- port: SMTP server port (e.g., 587)
- sender: Sender email address (e.g., Sync-in<notification@sync-in.com>)
- auth:
  - user: SMTP username
  - pass: SMTP password
- secure: Use SSL connection (true or false)
- ignoreTLS: Disables the use of STARTTLS even if the server advertises it (true or false, default: false)
- rejectUnauthorized: Reject the connection if the server's TLS certificate is invalid (true or false, default: false)
- logger: Enable SMTP logging (true or false)
- debug: Enable debug mode (true or false)
auth
- method: Authentication method (mysql or ldap, default: mysql)
- cookieSameSite: SameSite cookie policy (lax, strict, default: strict)
- encryptionKey: Encryption key for user secrets stored in the database, optional but recommended.
  ⚠️ Once MFA is enabled, any modification or deletion of the encryption key will invalidate the secrets, preventing any further authentication.
- mfa
  - totp:
    - enabled: Enable TOTP Authentication for all users (true or false, default: true)
    - issuer: Name shown in the authentication app (e.g., FreeOTP, Proton Authenticator, Aegis Authenticator), default: Sync-in
- token:
  - access:
    - secret: JWT secret for access tokens
    - expiration: Access token lifespan (e.g., 30m)
  - refresh:
    - secret: JWT secret for refresh tokens
    - expiration: Refresh token lifespan (e.g., 4h)
- ldap (if method: ldap):
  - servers: List of LDAP server URLs
  - baseDN: Base distinguished name (e.g., ou=people,dc=example,dc=com)
  - filter: LDAP filter (optional)
  - attributes:
    - login: LDAP attribute used for user login (uid or sAMAccountName or userPrincipalName), default: uid
    - email: LDAP attribute containing the user's email address (e.g., mail, email), default: mail.
  - adminGroup: CN of a group containing Sync-in administrators (e.g., administrators)
  - upnSuffix: AD domain suffix used with userPrincipalName to build UPN-style logins (e.g., user@sync-in.com)
  - netbiosName: NetBIOS domain name used with sAMAccountName to build legacy logins (e.g., SYNC_IN\user)
applications
files
- dataPath: Path to store user data
- maxUploadSize: Maximum allowed file upload size (default: 5 GB)
- showHiddenFiles: Show files starting with a dot in the file explorer (default: false)
- onlyoffice:
  - enabled: Enable OnlyOffice integration (true or false, default: false)
  - externalServer: OnlyOffice server URL (e.g., https://onlyoffice.my-domain.com)
  - secret: Shared JWT secret with OnlyOffice
  - verifySSL: Enforce SSL verification (true or false, default: false)
appStore
- repository: Choice of repository for application client releases: public (default) or local
Environment variables
All Sync-in server configuration parameters can be set using environment variables prefixed with SYNCIN_.
For example, the following configuration:
auth:
  encryptionKey: "changeEncryptionKeyWithStrongKey"
  token:
    access:
      secret: "changeAccessWithStrongSecret"
    refresh:
      secret: "changeRefreshWithStrongSecret"
mysql:
  url: mysql://root:MySQLRootPassword@mariadb:3306/sync_in
Can be replicated with environment variables as follows:
SYNCIN_AUTH_ENCRYPTIONKEY="changeEncryptionKeyWithStrongKey"
SYNCIN_AUTH_TOKEN_ACCESS_SECRET="changeAccessWithStrongSecret"
SYNCIN_AUTH_TOKEN_REFRESH_SECRET="changeRefreshWithStrongSecret"
SYNCIN_MYSQL_URL="mysql://root:MySQLRootPassword@mariadb:3306/sync_in"
Info: For boolean values, use true or false. Numeric values are parsed automatically.
Full configuration example
server:
  # default host : `0.0.0.0`
  host: 0.0.0.0
  # default port : `8080`
  port: 8080
  # workers: `auto` (use all cpus) | number
  # regardless of the value, starts with at least 2 workers, 1 worker is dedicated to scheduled tasks
  workers: 2
  # trust proxy: number (trust the nth hop from the front-facing proxy server as the client) | `true` | `false` | `127.0.0.1,192.168.1.1/24`
  # default: 1
  trustProxy: 1
  # restartOnFailure: automatically restart workers if they are killed or die
  # default: `true`
  restartOnFailure: true
logger:
  # level: `trace` | `debug` | `info` | `warn` | `error` | `fatal`
  # default: `info`
  level: info
  # stdout: if false logs are written to the run directory
  # default: `true`
  stdout: true
  # colorize output
  # default: `true`
  colorize: true
  # path to the log file used when stdout is set to false
  filePath:
mysql:
  # required
  url: mysql://user:MySQLRootPassword@localhost:3306/database
  # default: `false`
  logQueries: false
cache:
  # adapter: `mysql` | `redis`
  # default: `mysql`
  adapter: mysql
  # ttl in seconds
  # default: `60`
  ttl: 60
  # redis adapter url
  # default: `redis://127.0.0.1:6379`
  redis: redis://127.0.0.1:6379
websocket:
  # adapter: `cluster` (Node.js Workers: default) | `redis`
  # default: `cluster`
  adapter: cluster
  # cors origin allowed
  # default: `*`
  corsOrigin: '*'
  # redis adapter url
  # default: `redis://127.0.0.1:6379`
  redis: redis://127.0.0.1:6379
mail:
  host: smtp.server.com
  # default: `25`
  port: 25
  # default: `Sync-in<notification@sync-in.com>`
  sender: 'Sync-in<notification@sync-in.com>'
  # optional
  auth:
    user: user
    pass: password
  # secure: defines if the connection should use SSL (if true) or not (if false)
  # note: setting `secure: false` does not necessarily mean messages are sent in plaintext
  # if the server supports STARTTLS, the connection is usually upgraded to TLS automatically
  # default: `false`
  secure: false
  # ignoreTLS: if true, disables the use of STARTTLS even if the server advertises it
  # default: false
  ignoreTLS: false
  # rejectUnauthorized: reject the connection if the server's TLS certificate is invalid
  # default: false
  rejectUnauthorized: false
  # enable logger
  # default: `false`
  logger: false
  # set log level to debug
  # default: `false`
  debug: false
auth:
  # adapter : `mysql` | `ldap`
  # default: `mysql`
  method: mysql
  # key used to encrypt user secret keys in the database
  # optional, but strongly recommended
  # warning: do not change or remove the encryption key after MFA activation, or the codes will become invalid
  encryptionKey: changeEncryptionKeyWithStrongKey
  # multifactor authentication
  mfa:
    # totp configuration
    totp:
      # enable TOTP authentication
      # default: true
      enabled: true
      # name displayed in the authentication app (FreeOTP, Proton Authenticator, Aegis Authenticator etc.)
      # default: Sync-in
      issuer: Sync-in
  # cookie sameSite setting: `lax` | `strict`
  # default: `strict`
  cookieSameSite: strict
  token:
    access:
      # used for token and cookie signatures
      # required
      secret: changeAccessWithStrongSecret
      # token expiration = cookie maxAge
      # default: `30m`
      expiration: 30m
    refresh:
      # used for token and cookie signatures
      # required
      secret: changeRefreshWithStrongSecret
      # token expiration = cookie maxAge
      # default: `4h`
      expiration: 4h
  ldap:
    # e.g: [ldap://localhost:389, ldaps://localhost:636] (array required)
    servers: []
    # baseDN: distinguished name (e.g. ou=people,dc=ldap,dc=sync-in,dc=com)
    baseDN:
    # filter, e.g: (acl=admin)
    filter:
    attributes:
      # login attribute: `uid` | `sAMAccountName` | `userPrincipalName`
      # default: `uid`
      login: uid
      # email attribute: `mail` or `email`
      # default: `mail`
      email: mail
    # adminGroup: The CN of a group containing Sync-in administrators (e.g., administrators)
    adminGroup:
    # upnSuffix: AD domain suffix used with `userPrincipalName` to build UPN-style logins (e.g., user@`sync-in.com`)
    upnSuffix:
    # netbiosName: NetBIOS domain name used with `sAMAccountName` to build legacy logins (e.g., `SYNC_IN`\user)
    netbiosName:
applications:
  files:
    # required
    dataPath: /home/sync-in
    # default: 5368709120 (5 GB)
    maxUploadSize: 5368709120
    # Show files starting with a dot in the file explorer
    # default: false
    showHiddenFiles: false
    onlyoffice:
      # enable onlyoffice integration
      # default: false
      enabled: false
      # for an external server (e.g., https://onlyoffice.domain.com), remember the url must be accessible from the browser!
      # if externalServer is empty (case of official docker compose), we use the local instance
      # default: null
      externalServer:
      # secret used for jwt tokens, it must be the same on the onlyoffice server
      # required
      secret: onlyOfficeSecret
      # if you use https, set to `true`
      # default: `false`
      verifySSL: false
  appStore:
    # repository: `public` | `local`
    # default: `public`
    repository: public
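
An added example (not part of the Sync-in project or its documentation): a Node.js pre-deployment check that flags the placeholder secrets and relaxed TLS, CORS and database settings shown in the configuration above, reporting each under its SYNCIN_ variable name. The rule set, the 32-character minimum, the sample object and names such as auditConfig are assumptions; the function expects environment.yaml already parsed into an object.

```javascript
// Constructed sample: the page's example values as a YAML parser would return them,
// with OnlyOffice enabled and the refresh secret set equal to the access secret.
const sampleConfig = {
  mysql: { url: 'mysql://root:MySQLRootPassword@mariadb:3306/sync_in' },
  websocket: { corsOrigin: '*' },
  mail: { host: 'smtp.server.com', ignoreTLS: false, rejectUnauthorized: false },
  auth: {
    encryptionKey: 'changeEncryptionKeyWithStrongKey',
    token: { access: { secret: 'changeAccessWithStrongSecret' }, refresh: { secret: 'changeAccessWithStrongSecret' } },
  },
  applications: { files: { onlyoffice: { enabled: true, secret: 'onlyOfficeSecret', verifySSL: false } } },
};

const get = (cfg, path) => path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), cfg);
// Variable name for a key path, following the page's SYNCIN_ examples.
const envName = (path) => 'SYNCIN_' + path.split('.').join('_').toUpperCase();

const PLACEHOLDER = /^change|^onlyOfficeSecret$/; // sample secrets printed on this page
const MIN_SECRET_LENGTH = 32; // assumption, not a Sync-in requirement

function auditConfig(cfg) {
  const findings = [];
  const flag = (path, msg) => findings.push(`${envName(path)}: ${msg}`);
  const oo = 'applications.files.onlyoffice';
  const secrets = ['auth.encryptionKey', 'auth.token.access.secret', 'auth.token.refresh.secret'];
  if (get(cfg, `${oo}.enabled`) === true) secrets.push(`${oo}.secret`);
  for (const path of secrets) {
    const value = String(get(cfg, path) ?? '');
    if (value === '') flag(path, 'not set');
    else if (PLACEHOLDER.test(value)) flag(path, 'documentation placeholder in use');
    else if (value.length < MIN_SECRET_LENGTH) flag(path, `shorter than ${MIN_SECRET_LENGTH} characters`);
  }
  const access = get(cfg, 'auth.token.access.secret');
  if (access && access === get(cfg, 'auth.token.refresh.secret'))
    flag('auth.token.refresh.secret', 'same value as the access token secret');
  if (get(cfg, 'mail.host') && get(cfg, 'mail.rejectUnauthorized') !== true)
    flag('mail.rejectUnauthorized', 'invalid SMTP certificates are accepted');
  if (get(cfg, 'mail.ignoreTLS') === true) flag('mail.ignoreTLS', 'STARTTLS is disabled');
  if (get(cfg, `${oo}.enabled`) === true && get(cfg, `${oo}.verifySSL`) !== true)
    flag(`${oo}.verifySSL`, 'OnlyOffice certificate is not verified');
  if ((get(cfg, 'websocket.corsOrigin') ?? '*') === '*')
    flag('websocket.corsOrigin', 'any origin is allowed');
  if (/^mysql:\/\/root[:@]/.test(get(cfg, 'mysql.url') ?? ''))
    flag('mysql.url', 'connects as the MySQL root account');
  return findings;
}

console.log(auditConfig(sampleConfig).join('\n'));
```

Running it against the sample prints nine findings; a configuration with distinct long secrets, certificate validation enabled, a specific WebSocket origin and a non-root database user returns none.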