Server Configuration
All Sync-in server configuration options are defined in the environment.yaml file.
A complete example is available on GitHub: environment.dist.yaml.
This file lets you customize how your Sync-in instance behaves: network, authentication, database, cache, mail, etc.
environment.yaml

server

host: Server listening IP address.
- Default: 0.0.0.0
- Type: string (IP)

port: Port used for the web interface.
- Default: 8080
- Type: number

workers: Number of processes.
- Default: 1
- Type: number | auto | 0
- Note: auto or 0 to use all CPU cores

trustProxy: Enable proxy handling.
- Default: 1
- Type: boolean | number | string
- Note: See available options

restartOnFailure: Automatically restarts workers on failure.
- Default: true
- Type: boolean
logger

level: Server log level.
- Default: info
- Type: trace | debug | info | warn | error | fatal

stdout: Output logs to the console (true) or write them to a file (false).
- Default: true
- Type: boolean

colorize: Enable log coloring.
- Default: true
- Type: boolean

jsonOutput: Enable JSON output.
- Default: false
- Type: boolean
- Note: When enabled, colorize is ignored.

filePath: Log file path used when stdout is false.
- Default: logs/server.log
- Type: string
mysql

url: MySQL connection URL.
- Default: not defined
- Type: string
- Required: yes
- Example: mysql://user:password@localhost:3306/database

logQueries: Log all SQL queries sent to the database.
- Default: false
- Type: boolean
cache

adapter: Cache system.
- Default: mysql
- Type: mysql | redis

ttl: Cache data lifetime, in seconds.
- Default: 60
- Type: number

redis: Redis connection URL (if adapter: redis is used).
- Default: redis://127.0.0.1:6379
- Type: string
- Required: yes
websocket

adapter: Defines how WebSocket connections are managed.
- Default: cluster
- Type: cluster | redis

corsOrigin: Allowed origin(s) for WebSocket connections.
- Default: *
- Type: string

redis: Redis connection URL (if adapter: redis).
- Default: redis://127.0.0.1:6379
- Type: string
- Required: yes (if adapter: redis)
mail

host: SMTP server host.
- Default: not defined
- Type: string
- Required: yes

port: SMTP port (e.g. 587).
- Default: 25
- Type: number

sender: Sender address.
- Default: Sync-in<notification@sync-in.com>
- Type: string

auth.user: SMTP username.
- Default: not defined
- Type: string

auth.pass: SMTP password.
- Default: not defined
- Type: string

secure: SSL connection.
- Default: false
- Type: boolean

ignoreTLS: Disable STARTTLS even if the server advertises it.
- Default: false
- Type: boolean

rejectUnauthorized: Reject the connection if the server TLS certificate is invalid.
- Default: false
- Type: boolean

logger: Enable SMTP logs.
- Default: false
- Type: boolean

debug: Enable debug mode.
- Default: false
- Type: boolean
auth

provider: Authentication method.
- Default: mysql
- Type: mysql | ldap | oidc

cookieSameSite: SameSite policy for cookies.
- Default: strict
- Type: lax | strict

encryptionKey: Encryption key for user secrets in the database, optional but recommended.
- Default: not defined
- Type: string
- Note: ⚠️ Once MFA is enabled, any change or deletion of the encryption key will invalidate secrets, preventing any subsequent authentication.

mfa.totp.enabled: Enable TOTP authentication for all users.
- Default: true
- Type: boolean

mfa.totp.issuer: Name displayed in the authenticator app.
- Default: Sync-in
- Type: string

token.access.secret: JWT secret for access tokens.
- Default: not defined
- Type: string
- Required: yes

token.access.expiration: Access token validity duration.
- Default: 30m
- Type: string

token.refresh.secret: JWT secret for refresh tokens.
- Default: not defined
- Type: string
- Required: yes

token.refresh.expiration: Refresh token validity duration.
- Default: 4h
- Type: string
ldap (if provider: ldap)
- Note: See the dedicated documentation

servers: List of LDAP servers.
- Default: []
- Type: string[]
- Required: yes
- Example: [ldap://localhost:389]

baseDN: Base DN.
- Default: not defined
- Type: string
- Required: yes
- Example: ou=people,dc=example,dc=com

filter: Optional LDAP filter added to the search.
- Default: not defined
- Type: string
- Example: (acl=admin)

upnSuffix: AD domain suffix used with userPrincipalName.
- Default: not defined
- Type: string
- Example: user@sync-in.com

netbiosName: NetBIOS domain name used with sAMAccountName.
- Default: not defined
- Type: string
- Example: SYNC_IN\user

serviceBindDN: DN of a service account to perform LDAP searches.
- Default: not defined
- Type: string

serviceBindPassword: Password of the service account.
- Default: not defined
- Type: string

attributes.login: LDAP attribute used for user identification.
- Default: uid
- Type: uid | cn | mail | sAMAccountName | userPrincipalName

attributes.email: LDAP attribute containing the email address (e.g. mail, email).
- Default: mail
- Type: string

options.autoCreateUser: Create a local user on first LDAP login.
- Default: true
- Type: boolean

options.autoCreatePermissions: Permissions assigned to auto-created users.
- Default: []
- Type: string[]
- Note: See permission identifiers

options.adminGroup: LDAP group that grants admin privileges (simple CN or full DN).
- Default: not defined
- Type: string

options.enablePasswordAuthFallback: Allow local password if LDAP is unavailable.
- Default: true
- Type: boolean
oidc (if provider: oidc)
- Note: See the dedicated documentation

issuerUrl: OpenID Connect provider discovery URL.
- Default: not defined
- Type: string
- Required: yes

clientId: OAuth 2.0 Client ID.
- Default: not defined
- Type: string
- Required: yes

clientSecret: OAuth 2.0 Client Secret.
- Default: not defined
- Type: string
- Required: yes

redirectUri: Callback URL registered with the provider.
- Default: not defined
- Type: string
- Required: yes
- Note: ⚠️ The URL must end with /api/auth/oidc/callback

options.autoCreateUser: Create a local user on first OIDC login.
- Default: true
- Type: boolean

options.autoCreatePermissions: Permissions assigned to auto-created users.
- Default: []
- Type: string[]
- Note: See permission identifiers

options.adminRoleOrGroup: Role or group granting admin privileges.
- Default: not defined
- Type: string

options.enablePasswordAuth: Allow local password authentication for existing users.
- Default: true
- Type: boolean

options.autoRedirect: Automatically redirect to the IdP.
- Default: false
- Type: boolean

options.buttonText: Label of the OIDC login button.
- Default: Continue with OpenID Connect
- Type: string

security.scope: Scopes requested.
- Default: openid email profile
- Type: string

security.tokenEndpointAuthMethod: Authentication method on the token endpoint.
- Default: client_secret_basic
- Type: client_secret_basic | client_secret_post

security.tokenSigningAlg: Signing algorithm for ID tokens.
- Default: RS256
- Type: string

security.userInfoSigningAlg: Algorithm for a signed UserInfo response.
- Default: not defined
- Type: string

security.skipSubjectCheck: Disable sub claim verification.
- Default: false
- Type: boolean
applications

files.dataPath: Storage location for application files, including user files, spaces, and temporary files.
- Default: not defined
- Type: string
- Required: yes

files.maxUploadSize: Maximum upload file size.
- Default: 5368709120 (5 GB)
- Type: number
- Note: Value expressed in bytes.

files.contentIndexing: Enable or disable file content indexing used for full-text search.
- Default: true
- Type: boolean

files.showHiddenFiles: Hide or show dotfiles in the file explorer.
- Default: false
- Type: boolean

onlyoffice.enabled: Enable OnlyOffice integration.
- Default: false
- Type: boolean

onlyoffice.secret: Shared JWT secret with OnlyOffice.
- Default: not defined
- Type: string
- Required: yes (if OnlyOffice is enabled)

onlyoffice.externalServer: URL of your OnlyOffice server.
- Default: not defined
- Type: string
- Example: https://onlyoffice.my-domain.com
- Note: Optional if you use Sync-in Docker Compose.

onlyoffice.verifySSL: Verify the SSL certificate.
- Default: false
- Type: boolean

collabora.enabled: Enable Collabora Online integration.
- Default: false
- Type: boolean

collabora.externalServer: URL of your Collabora Online server.
- Default: not defined
- Type: string
- Example: https://collabora.my-domain.com
- Note: Optional if you use Sync-in Docker Compose.

appStore.repository: Repository choice for app client releases.
- Default: public
- Type: public | local
Environment variables
All Sync-in server configuration parameters can be set via environment variables prefixed by SYNCIN_.
For example, the following configuration:
auth:
  encryptionKey: "changeEncryptionKeyWithStrongKey"
  token:
    access:
      secret: "changeAccessWithStrongSecret"
    refresh:
      secret: "changeRefreshWithStrongSecret"
mysql:
  url: mysql://root:MySQLRootPassword@mariadb:3306/sync_in
Can be reproduced using the following environment variables:
SYNCIN_AUTH_ENCRYPTIONKEY="changeEncryptionKeyWithStrongKey"
SYNCIN_AUTH_TOKEN_ACCESS_SECRET="changeAccessWithStrongSecret"
SYNCIN_AUTH_TOKEN_REFRESH_SECRET="changeRefreshWithStrongSecret"
SYNCIN_MYSQL_URL="mysql://root:MySQLRootPassword@mariadb:3306/sync_in"
Info: For boolean values, use true or false. Numeric values are interpreted automatically.
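As an added example (not Sync-in's own code), the following Python snippet applies the mapping described above: the SYNCIN_ prefix, YAML path segments upper-cased and joined with underscores, true/false read as booleans and numeric strings read as numbers, with environment values overriding the YAML values. The config dictionary, the environment and the list of required keys are constructed for the demonstration, and the missing_required helper is a hypothetical addition that reports required settings left empty in both places.

```python
import os

PREFIX = "SYNCIN_"


def env_name(path):
    """Map a config path such as ("auth", "token", "access", "secret") to its
    variable name: the SYNCIN_ prefix plus upper-cased segments joined by '_'."""
    return PREFIX + "_".join(seg.upper() for seg in path)


def parse_value(raw):
    """Documented typing rules: true/false become booleans, numeric strings
    become numbers, anything else (e.g. '30m', '0.0.0.0') stays a string."""
    text = raw.strip()
    if text.lower() == "true":
        return True
    if text.lower() == "false":
        return False
    try:
        return int(text)
    except ValueError:
        pass
    try:
        return float(text)
    except ValueError:
        return text


def overlay_env(config, environ=None):
    """Return a copy of `config` where every leaf with a matching SYNCIN_*
    variable is replaced by the parsed variable value. The walk starts from
    the YAML keys because upper-casing loses the camelCase spelling
    (ENCRYPTIONKEY alone cannot be turned back into encryptionKey)."""
    environ = os.environ if environ is None else environ

    def walk(node, path):
        out = {}
        for key, value in node.items():
            sub = path + (key,)
            if isinstance(value, dict):
                out[key] = walk(value, sub)
            else:
                name = env_name(sub)
                out[key] = parse_value(environ[name]) if name in environ else value
        return out

    return walk(config, ())


def missing_required(config, environ, required_paths):
    """Hypothetical helper: variable names of required settings that are empty
    in the YAML and absent from the environment."""
    missing = []
    for path in required_paths:
        node = config
        for seg in path:
            node = node.get(seg) if isinstance(node, dict) else None
        if node in (None, "") and env_name(path) not in environ:
            missing.append(env_name(path))
    return missing


# Constructed minimal environment.yaml content (placeholder values, not real secrets).
CONFIG = {
    "server": {"port": 8080, "workers": 1},
    "logger": {"stdout": True, "level": "info"},
    "auth": {"token": {"access": {"secret": "", "expiration": "30m"}}},
    "mysql": {"url": ""},
}

# Constructed environment, as a container runtime might inject it.
ENVIRON = {
    "SYNCIN_SERVER_PORT": "8443",
    "SYNCIN_LOGGER_STDOUT": "false",
    "SYNCIN_AUTH_TOKEN_ACCESS_SECRET": "changeAccessWithStrongSecret",
}

REQUIRED = [("mysql", "url"), ("auth", "token", "access", "secret")]

if __name__ == "__main__":
    print(overlay_env(CONFIG, ENVIRON))
    print("missing:", missing_required(CONFIG, ENVIRON, REQUIRED))
```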
Minimal configuration

mysql:
  url: mysql://root:MySQLRootPassword@mariadb:3306/sync_in
auth:
  encryptionKey: changeEncryptionKeyWithStrongKey
  token:
    access:
      secret: changeAccessWithStrongSecret
    refresh:
      secret: changeRefreshWithStrongSecret
applications:
  files:
    dataPath: /app/data
Full configuration

server:
  # default host : `0.0.0.0`
  host: 0.0.0.0
  # default port : `8080`
  port: 8080
  # workers: `auto` or `0` (use all cpus) | number of CPUs to use
  # default: 1
  workers: 1
  # trust proxy: number (trust the nth hop from the front-facing proxy server as the client) | `true` | `false` | `127.0.0.1,192.168.1.1/24`
  # default: 1
  trustProxy: 1
  # restartOnFailure: automatically restart workers if they are killed or die
  # default: `true`
  restartOnFailure: true
logger:
  # level: `trace` | `debug` | `info` | `warn` | `error` | `fatal`
  # default: `info`
  level: info
  # stdout: if false logs are written to the run directory
  # default: `true`
  stdout: true
  # Colorize output.
  # default: `true`
  colorize: true
  # JSON output. When enabled, colorize is ignored.
  # default: `false`
  jsonOutput: false
  # Path to the log file used when stdout is set to false
  filePath:
mysql:
  # required
  url: mysql://user:MySQLPassword@localhost:3306/database
  # default: `false`
  logQueries: false
cache:
  # adapter: `mysql` | `redis`
  # default: `mysql`
  adapter: mysql
  # TTL in seconds
  # default: `60`
  ttl: 60
  # Redis adapter url
  # default: `redis://127.0.0.1:6379`
  redis: redis://127.0.0.1:6379
websocket:
  # adapter: `cluster` (Node.js Workers: default) | `redis`
  # default: `cluster`
  adapter: cluster
  # Cors origin allowed
  # default: `*`
  corsOrigin: '*'
  # Redis adapter url
  # default: `redis://127.0.0.1:6379`
  redis: redis://127.0.0.1:6379
mail:
  host: smtp.server.com
  # default: `25`
  port: 25
  # default: `Sync-in<notification@sync-in.com>`
  sender: 'Sync-in<notification@sync-in.com>'
  # optional
  auth:
    user: user
    pass: password
  # Defines if the connection should use SSL (if true) or not (if false)
  # Note: setting `secure: false` does not necessarily mean messages are sent in plaintext
  # If the server supports STARTTLS, the connection is usually upgraded to TLS automatically
  # default: `false`
  secure: false
  # ignoreTLS: if true, disables the use of STARTTLS even if the server advertises it
  # default: false
  ignoreTLS: false
  # rejectUnauthorized: reject the connection if the server's TLS certificate is invalid
  # default: false
  rejectUnauthorized: false
  # Enable logger
  # default: `false`
  logger: false
  # Set log level to debug
  # default: `false`
  debug: false
auth:
  # provider : `mysql` | `ldap` | `oidc`
  # default: `mysql`
  provider: mysql
  # Key used to encrypt user secret keys in the database
  # Optional but strongly recommended
  # Warning: do not change or remove the encryption key after MFA activation, or the codes will become invalid
  encryptionKey: changeEncryptionKeyWithStrongKey
  # cookie sameSite setting: `lax` | `strict`
  # default: `strict`
  cookieSameSite: strict
  token:
    access:
      # Used for token and cookie signatures
      # required
      secret: changeAccessWithStrongSecret
      # token expiration = cookie maxAge
      # default: `30m`
      expiration: 30m
    refresh:
      # Used for token and cookie signatures
      # required
      secret: changeRefreshWithStrongSecret
      # token expiration = cookie maxAge
      # default: `4h`
      expiration: 4h
  # Multifactor authentication
  mfa:
    # TOTP configuration
    totp:
      # Enable TOTP authentication
      # default: true
      enabled: true
      # Name displayed in the authentication app (FreeOTP, Proton Authenticator, Aegis Authenticator etc.)
      # default: Sync-in
      issuer: Sync-in
  # LDAP authentication
  ldap:
    # e.g.: [ldap://localhost:389, ldaps://localhost:636] (array required)
    # Multiple servers are tried in order until a bind/search succeeds.
    # required
    servers: []
    # baseDN: Distinguished name (e.g.: ou=people,dc=ldap,dc=sync-in,dc=com)
    # Used as the search base for users, and for groups when adminGroup is a CN.
    # required
    baseDN: ou=people,dc=ldap,dc=sync-in,dc=com
    # filter, e.g: (acl=admin)
    # Appended as-is to the LDAP search filter (trusted config).
    # optional
    filter:
    # upnSuffix: AD domain suffix used with `userPrincipalName` to build UPN-style logins (e.g.: user@`sync-in.com`)
    # Only used when login is set to userPrincipalName.
    # optional
    upnSuffix:
    # netbiosName: NetBIOS domain name used with `sAMAccountName` to build legacy logins (e.g.: `SYNC_IN`\user)
    # Only used when login is set to sAMAccountName.
    # optional
    netbiosName:
    # serviceBindDN: Distinguished Name for a service account used to search users/groups.
    # When set, searches are performed with this account; user bind is used only to validate the password.
    # e.g.: cn=syncin,ou=services,dc=ldap,dc=sync-in,dc=com
    # optional
    serviceBindDN:
    # serviceBindPassword: Password for the service account used to search users/groups.
    # optional
    serviceBindPassword:
    attributes:
      # LDAP attribute that matches the login stored in the database.
      # With a service bind, it is used to locate the user (then bind with the found DN).
      # Without a service bind, it is used to construct the user's DN for binding (except AD: UPN/DOMAIN\\user).
      # If you choose mail, local logins should be the user's email address.
      # e.g.: uid | cn | mail | sAMAccountName | userPrincipalName
      # default: uid
      login: uid
      # Attribute used to retrieve the user's email address
      # email: `mail` or `email`
      # default: `mail`
      email: mail
    options:
      # autoCreateUser: Automatically create a local user on first successful LDAP authentication.
      # The local account is created from LDAP attributes:
      # - login: from the configured LDAP login attribute (e.g.: uid, cn, sAMAccountName, userPrincipalName)
      # - email: from the configured email attribute (required)
      # - firstName / lastName: from givenName+sn, or displayName, or cn (fallback)
      # When disabled, only existing users can authenticate via LDAP.
      # default: true
      autoCreateUser: true
      # autoCreatePermissions: Permissions assigned to users automatically created via LDAP.
      # Applied only at user creation time when autoCreateUser is enabled.
      # Has no effect on existing users.
      # A complete list of permissions is available in the documentation: https://sync-in.com/docs/admin-guide/permissions
      # e.g.: [personal_space, spaces_access] (array required)
      # default: []
      autoCreatePermissions: []
      # adminGroup: LDAP group that grants Sync-in administrator privileges.
      # Accepts either a simple CN (e.g.: "Admins") or a full DN (e.g.: "CN=Admins,OU=Groups,DC=ldap,DC=sync-in,DC=com").
      # If set, users whose LDAP `memberOf` contains this CN (or whose group DN matches) are assigned the administrator role.
      # If `memberOf` is missing, Sync-in can also check membership by searching `groupOfNames` groups.
      # If users cannot read `groupOfNames`, use a service bind account to perform this lookup.
      # If not set, existing administrator users keep their role and it cannot be removed via LDAP.
      # optional
      adminGroup:
      # enablePasswordAuthFallback: Allow local password authentication when LDAP authentication fails.
      # When enabled, users can authenticate with their local password if the LDAP service is unavailable.
      # Always allowed for administrator users (break-glass access).
      # default: true
      enablePasswordAuthFallback: true
  oidc:
    # issuerUrl: The URL of the OIDC provider's discovery endpoint
    # e.g.:
    # - Keycloak: https://auth.example.com/realms/my-realm
    # - Authentik: https://auth.example.com/application/o/my-app/
    # - Google: https://accounts.google.com
    # - Microsoft: https://login.microsoftonline.com/<tenant-id>/v2.0
    # The server will automatically discover the authorization, token, and userinfo endpoints.
    # required
    issuerUrl:
    # clientId: OAuth 2.0 Client ID obtained from your OIDC provider
    # required
    clientId:
    # clientSecret: OAuth 2.0 Client Secret obtained from your OIDC provider
    # required
    clientSecret: changeOIDCClientSecret
    # redirectUri: The callback URL where users are redirected after authentication
    # This URL must be registered in your OIDC provider's allowed redirect URIs
    # e.g.: (API callback): https://sync-in.domain.com/api/auth/oidc/callback
    #
    # To allow authentication from the desktop application, the following redirect URLs must also be registered in your OIDC provider:
    # - http://127.0.0.1:49152/oidc/callback
    # - http://127.0.0.1:49153/oidc/callback
    # - http://127.0.0.1:49154/oidc/callback
    #
    # If your OIDC provider supports wildcards or regular expressions, you may instead register a single entry such as:
    # - http://127.0.0.1/*
    #
    # required
    redirectUri: https://sync-in.domain.com/api/auth/oidc/callback
    options:
      # autoCreateUser: Automatically create a local user account on first successful OIDC login.
      # When enabled, the user `login` is derived from OIDC claims: preferred_username, then the email local-part, with `sub` as a last-resort fallback.
      # When disabled, only existing users are allowed to authenticate via OIDC.
      # default: true
      autoCreateUser: true
      # autoCreatePermissions: Permissions assigned to users automatically created via OIDC.
      # Applied only when autoCreateUser is enabled and only applied at user creation time.
      # This option has no effect on existing users.
      # A complete list of permissions is available in the documentation: https://sync-in.com/docs/admin-guide/permissions
      # e.g.: [personal_space, spaces_access] (array required)
      # default: []
      autoCreatePermissions: []
      # adminRoleOrGroup: Name of the role or group that grants Sync-in administrator access
      # Users with this value will be granted administrator privileges.
      # The value is matched against `roles` or `groups` claims provided by the IdP.
      # Note: depending on the provider (e.g.: Keycloak), roles/groups may be exposed only in tokens
      # and require proper IdP mappers to be included in the ID token or UserInfo response.
      # optional
      adminRoleOrGroup:
      # enablePasswordAuth: Allow local password-based authentication when using OIDC.
      # When enabled, users may authenticate with their Sync-in password instead of OIDC.
      # Local password authentication is always allowed for:
      # - guest users
      # - administrator users (break-glass access)
      # - application scopes (app passwords)
      # Regular users are allowed only when this option is enabled.
      # Users must already exist locally and have a password set.
      # default: true
      enablePasswordAuth: true
      # autoRedirect: Automatically redirect users to the OIDC login flow.
      # When enabled, the login page is skipped and users are sent directly to the OIDC provider.
      # default: false
      autoRedirect: false
      # buttonText: Label displayed on the OIDC login button.
      # default: Continue with OpenID Connect
      buttonText: Continue with OpenID Connect
    security:
      # scope: OAuth 2.0 scopes to request (space-separated string)
      # Common scopes: openid (required), email, profile, groups, roles
      # default: `openid email profile`
      scope: openid email profile
      # OAuth 2.0 / OIDC client authentication method used at the token endpoint.
      # Possible values:
      # - client_secret_basic (DEFAULT): HTTP Basic auth using client_id and client_secret.
      #   Recommended for backend (confidential) clients.
      # - client_secret_post: client_id and client_secret sent in the request body.
      # - none (or undefined): no client authentication (public clients: mobile / SPA with PKCE).
      # default: `client_secret_basic`
      tokenEndpointAuthMethod: client_secret_basic
      # tokenSigningAlg: Algorithm used to verify the signature of ID tokens (JWT) returned by the OpenID Connect provider.
      # Common values: RS256, RS384, RS512, ES256, ES384, ES512
      # default: `RS256`
      tokenSigningAlg: RS256
      # userInfoSigningAlg: Algorithm used to request a signed UserInfo response from the OpenID Connect provider.
      # When not set, the UserInfo endpoint returns a standard JSON response (not signed). This is the most common and recommended configuration.
      # Common values: (empty), RS256, RS384, RS512, ES256, ES384, ES512
      # default: empty
      userInfoSigningAlg:
      # skipSubjectCheck: Disable verification that the `sub` claim returned by the UserInfo endpoint
      # matches the `sub` claim from the ID token.
      # Set to true only for non-compliant or legacy OIDC providers.
      # default: false
      skipSubjectCheck: false
applications:
  files:
    # required
    dataPath: /home/sync-in
    # default: 5368709120 (5 GB)
    maxUploadSize: 5368709120
    # Enable indexing of file contents for search (disabling this turns off full-text search)
    # default: true
    contentIndexing: true
    # Show files starting with a dot in the file explorer
    # default: false
    showHiddenFiles: false
  onlyoffice:
    # enable onlyoffice integration
    # default: false
    enabled: false
    # Secret used for jwt tokens, it must be the same on the onlyoffice server
    # required
    secret: onlyOfficeSecret
    # If no external server is configured, the local Nginx service from the Docker Compose setup is used.
    # If an external server is configured, it will be used instead.
    # Note: when using an external server (e.g.: https://onlyoffice.domain.com), make sure it is accessible from the client/browser.
    # default: null
    externalServer:
    # If you use https, set to `true`.
    # default: false
    verifySSL: false
  collabora:
    # enable collabora online integration
    # default: false
    enabled: false
    # If no external server is configured, the local Nginx service from the Docker Compose setup is used.
    # If an external server is configured, it will be used instead.
    # Note: when using an external server (e.g.: https://collabora.domain.com), make sure it is accessible from the client/browser.
    # default: null
    externalServer:
  appStore:
    # repository: `public` | `local`
    # default: `public`
    repository: public