ultimate-media-tracker/server/.env.example
Tronax de353f0218
feat: add Android app and end-to-end encrypted library sync
Introduce the Kotlin/Compose Android companion app and extend the TMDB
proxy into a combo server that synchronizes the whole library as an
encrypted snapshot, with all three components (Go server, Android,
desktop) sharing one zero-knowledge crypto envelope and JSON schema.

- server: add PostgreSQL-backed /sync/library (GET/PUT) with optimistic
  concurrency (revision + 409 on conflict); sync stays disabled unless
  DATABASE_URL is set. Add docker-compose with Postgres.
- desktop: add libsodium CryptoEnvelope, LibrarySerializer and SyncClient;
  storage-mode and passphrase settings; a "Sync now" toolbar action with
  conflict resolution.
- android: Room-backed library with local/cloud storage modes, encrypted
  sync client, and settings UI. The proxy server (URL + token) can be
  configured as a TMDB proxy even in local-only mode.

Crypto is identical across platforms: Argon2id (libsodium crypto_pwhash,
INTERACTIVE) + XChaCha20-Poly1305 in a versioned "UMTS" envelope, so a
snapshot encrypted on one client decrypts on the other.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-06-21 00:35:54 +02:00

43 lines
1.9 KiB
Text

# --- umt-tmdb-proxy configuration ---------------------------------------
# Copy to .env and fill in. All values are read from the environment.
# Where the server listens (inside the container / on the host).
LISTEN_ADDR=:8080
# Externally reachable base URL of this proxy (no trailing slash).
# This is also what users enter as "Proxy-URL" in the desktop app.
PUBLIC_URL=https://tmdb.example.com
# The single shared TMDB v3 API key the whole group will use.
TMDB_API_KEY=your_tmdb_v3_key
# --- Authentik / OIDC ---------------------------------------------------
# Issuer is the OIDC provider URL from your Authentik application
# (e.g. https://auth.example.com/application/o/watchlist-proxy/).
OIDC_ISSUER=https://auth.example.com/application/o/watchlist-proxy/
OIDC_CLIENT_ID=your_client_id
OIDC_CLIENT_SECRET=your_client_secret
# Must exactly match a Redirect URI configured in Authentik.
# Defaults to PUBLIC_URL + /callback if left empty.
OIDC_REDIRECT_URL=https://tmdb.example.com/callback
# Optional: restrict access to members of these Authentik groups
# (comma-separated). Requires a "groups" scope/claim mapping in Authentik.
# ALLOWED_GROUPS=watchlist,friends
# A long random secret used to sign issued access tokens. KEEP IT PRIVATE.
# Generate with: openssl rand -base64 48
SESSION_SECRET=change-me-to-a-long-random-string
# How long an issued desktop-app token stays valid (in days).
TOKEN_TTL_DAYS=90
# --- Library-Sync (optional) -------------------------------------------
# PostgreSQL-DSN für den verschlüsselten Bibliotheks-Sync. Leer lassen, um
# den Sync zu deaktivieren (dann läuft der Server als reiner TMDB-Proxy).
# Der Server speichert nur Chiffretext (Ende-zu-Ende, Zero-Knowledge).
# Bei Nutzung von docker-compose.yml wird dies automatisch gesetzt.
# DATABASE_URL=postgres://umt:change-me@db:5432/umt?sslmode=disable
# Passwort des Postgres-Containers (nur für docker-compose.yml relevant).
POSTGRES_PASSWORD=change-me