Skip to content

Self-Host Configuration

Configuring your self-hosted instance of Enclosed allows you to customize the application to better suit your environment and requirements. This guide covers the key environment variables you can set to control various aspects of the application, including port settings, security options, and storage configurations.

Environment Variables

Enclosed is configured primarily through environment variables. Below is a list of the available variables, along with their descriptions and default values.

Environment variable Documentation
PORT The port to listen on when using node server. Default value: 8787.
SERVER_API_ROUTES_TIMEOUT_MS The maximum time in milliseconds for a route to complete before timing out. Default value: 5000.
SERVER_CORS_ORIGINS The CORS origin for the api server.
SERVER_USE_HTTPS Whether to enable HTTPS for the server (only in node env). Default value: false.
SERVER_HTTPS_KEY The key for HTTPS (only in node env).
SERVER_HTTPS_CERT The cert for HTTPS (only in node env).
SERVER_HTTPS_CA The CA for HTTPS (only in node env).
SERVER_HTTPS_PFX The pfx for HTTPS (only in node env).
SERVER_HTTPS_PASSPHRASE The passphrase of the PFX cert (only in node env).
NOTES_MAX_ENCRYPTED_PAYLOAD_LENGTH The maximum length of the encrypted payload of a note allowed by the api. Default value: 52428800.
TASK_DELETE_EXPIRED_NOTES_ENABLED Whether to enable a periodic task to delete expired notes (not available for cloudflare). Default value: true.
TASK_DELETE_EXPIRED_NOTES_CRON The frequency with which to run the task to delete expired notes (cron syntax). Default value: 0 * * * *.
TASK_DELETE_EXPIRED_NOTES_RUN_ON_STARTUP Whether the task to delete expired notes should run on startup. Default value: true.
STORAGE_DRIVER_FS_LITE_PATH The path to the directory where the data will be stored (only in node env). Default value: ./.data.
STORAGE_DRIVER_CLOUDFLARE_KV_BINDING The name of the Cloudflare KV binding to use (only in cloudflare env). Default value: notes.
PUBLIC_BASE_API_URL The base URL of the public api, can be an absolute URL (like https://example.com/enclosed) or a path (like /enclosed). Default value: /.
PUBLIC_DEFAULT_DELETE_NOTE_AFTER_READING The default value for the Delete note after reading checkbox in the note creation form. Default value: false.
PUBLIC_DEFAULT_NOTE_TTL_SECONDS The default value for the expiration time of a note in seconds, the value must be one of: 3600 (1 hour), 86400 (1 day), 604800 (1 week), 2592000 (1 month). Default value: 3600.
PUBLIC_IS_SETTING_NO_EXPIRATION_ALLOWED Whether to allow the user to set the note to never expire. Default value: true.
PUBLIC_DEFAULT_NOTE_NO_EXPIRATION The default value for the No expiration checkbox in the note creation form (only used if setting no expiration is allowed). Default value: false.
PUBLIC_IS_AUTHENTICATION_REQUIRED Whether to require authentication to access the public api. Default value: false.
PUBLIC_AUTHENTICATION_IS_USER_REGISTRATION_ALLOWED Whether to allow users to register. Effective only if authentication is required. Default value: true.
AUTHENTICATION_JWT_SECRET The secret used to sign the JWT tokens. Default value: change-me.
AUTHENTICATION_JWT_DURATION_SECONDS The duration in seconds for which the JWT token is valid. Default value: 604800.
AUTHENTICATION_USERS The list of users allowed to authenticate. Comma-separated list of email and bcrypt password hash, like: email1:passwordHash1,email2:passwordHash2. Easily generate the value for this env variable here: https://docs.enclosed.cc/self-hosting/users-authentication-key-generator.

Optional: Native HTTPS Configuration

If you want to use HTTPS without a reverse proxy, you can set the SERVER_USE_HTTPS environment variable to true and provide the necessary certificate and key files.

You can either use a single PFX file or separate key and certificate files. If you use separate files, you can provide the SERVER_HTTPS_KEY, SERVER_HTTPS_CERT, and SERVER_HTTPS_CA environment variables. If you use a PFX file, you can provide the SERVER_HTTPS_PFX and SERVER_HTTPS_PASSPHRASE environment variables.

To generate the necessary key and certificate files, you can use the following command:

bash
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -subj '/CN=localhost' -keyout private-key.pem -out certificate.pem

And if you want to generate a PFX file, you can use the following command:

bash
openssl pkcs12 -certpbe AES-256-CBC -export -out test_cert.pfx -inkey private-key.pem -in certificate.pem -passout pass:sample

Applying Configuration Changes

To apply your configuration changes, ensure that you have exported the environment variables in your shell or included them in your environment configuration file. Then, restart your Enclosed instance to apply the changes.

For Docker deployments, you can pass the environment variables directly when running the container:

bash
docker run \
    -d --name enclosed \
    --restart unless-stopped \
    -p 8787:8787 \
    -v /path/to/local/data:/app/.data \
    -e SERVER_CORS_ORIGINS="https://example.com" \
    ghcr.io/corentin-th/enclosed

Next Steps

Once your instance is configured, you can proceed to explore advanced deployment options or set up monitoring to ensure your Enclosed instance runs smoothly. For a more complex setup, consider using Docker Compose or deploying on a cloud provider.