Introduce the Kotlin/Compose Android companion app and extend the TMDB proxy into a combo server that synchronizes the whole library as an encrypted snapshot, with all three components (Go server, Android, desktop) sharing one zero-knowledge crypto envelope and JSON schema. - server: add PostgreSQL-backed /sync/library (GET/PUT) with optimistic concurrency (revision + 409 on conflict); sync stays disabled unless DATABASE_URL is set. Add docker-compose with Postgres. - desktop: add libsodium CryptoEnvelope, LibrarySerializer and SyncClient; storage-mode and passphrase settings; a "Sync now" toolbar action with conflict resolution. - android: Room-backed library with local/cloud storage modes, encrypted sync client, and settings UI. The proxy server (URL + token) can be configured as a TMDB proxy even in local-only mode. Crypto is identical across platforms: Argon2id (libsodium crypto_pwhash, INTERACTIVE) + XChaCha20-Poly1305 in a versioned "UMTS" envelope, so a snapshot encrypted on one client decrypts on the other. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
43 lines
1.9 KiB
Text
43 lines
1.9 KiB
Text
# --- umt-tmdb-proxy configuration ---------------------------------------
|
|
# Copy to .env and fill in. All values are read from the environment.
|
|
|
|
# Where the server listens (inside the container / on the host).
|
|
LISTEN_ADDR=:8080
|
|
|
|
# Externally reachable base URL of this proxy (no trailing slash).
|
|
# This is also what users enter as "Proxy-URL" in the desktop app.
|
|
PUBLIC_URL=https://tmdb.example.com
|
|
|
|
# The single shared TMDB v3 API key the whole group will use.
|
|
TMDB_API_KEY=your_tmdb_v3_key
|
|
|
|
# --- Authentik / OIDC ---------------------------------------------------
|
|
# Issuer is the OIDC provider URL from your Authentik application
|
|
# (e.g. https://auth.example.com/application/o/watchlist-proxy/).
|
|
OIDC_ISSUER=https://auth.example.com/application/o/watchlist-proxy/
|
|
OIDC_CLIENT_ID=your_client_id
|
|
OIDC_CLIENT_SECRET=your_client_secret
|
|
# Must exactly match a Redirect URI configured in Authentik.
|
|
# Defaults to PUBLIC_URL + /callback if left empty.
|
|
OIDC_REDIRECT_URL=https://tmdb.example.com/callback
|
|
|
|
# Optional: restrict access to members of these Authentik groups
|
|
# (comma-separated). Requires a "groups" scope/claim mapping in Authentik.
|
|
# ALLOWED_GROUPS=watchlist,friends
|
|
|
|
# A long random secret used to sign issued access tokens. KEEP IT PRIVATE.
|
|
# Generate with: openssl rand -base64 48
|
|
SESSION_SECRET=change-me-to-a-long-random-string
|
|
|
|
# How long an issued desktop-app token stays valid (in days).
|
|
TOKEN_TTL_DAYS=90
|
|
|
|
# --- Library-Sync (optional) -------------------------------------------
|
|
# PostgreSQL-DSN für den verschlüsselten Bibliotheks-Sync. Leer lassen, um
|
|
# den Sync zu deaktivieren (dann läuft der Server als reiner TMDB-Proxy).
|
|
# Der Server speichert nur Chiffretext (Ende-zu-Ende, Zero-Knowledge).
|
|
# Bei Nutzung von docker-compose.yml wird dies automatisch gesetzt.
|
|
# DATABASE_URL=postgres://umt:change-me@db:5432/umt?sslmode=disable
|
|
|
|
# Passwort des Postgres-Containers (nur für docker-compose.yml relevant).
|
|
POSTGRES_PASSWORD=change-me
|