Cozy
How to self-host Cozy, a personal cloud and password manager
Installation
pacman -Syu opensmtpd erlang-nox freeglut cairo chafa ghostscript libheif libjxl libraw librsvg libwebp libwmf libxml2 libzip ocl-icd openexr openjpeg2 djvulibre pango imagemagick-doc nodejs nsjail
Apache CouchDB NoSQL database
/etc/couchdb/local.ini
[admins]
admin = plain-password
[couchdb]
single_node = true
[chttpd]
port = 5984
bind_address = 0.0.0.0
After starting CouchDB for the first time, plain-password will be replaced with the hashed version.
Tip
Set bind_address to 0.0.0.0 to make CouchDB reachable from other nodes.
systemctl enable couchdb
systemctl start couchdb
Check that the service is running:
curl http://127.0.0.1:5984/
You can now access the Fauxton admin interface at http://127.0.0.1:5984/_utils
Increasing security for a single-node setup
mkdir -pv /etc/systemd/system/couchdb.service.d
/etc/systemd/system/couchdb.service.d/10-bind-locally.conf
[Service]
Environment=ERL_EPMD_ADDRESS=127.0.0.1
/etc/couchdb/vm.args
-kernel inet_dist_use_interface {127,0,0,1}
/etc/cozy/cozy.yml
couchdb:
  url: http://admin:MYSECUREPASSWORD@127.0.0.1:5984/
Register credentials
Retrieve the node name to use in the next command:
curl -X GET http://admin:MYSECUREPASSWORD@127.0.0.1:5984/_membership
curl -X PUT http://admin:MYSECUREPASSWORD@127.0.0.1:5984/_node/"couchdb@127.0.0.1"/_config/admins/admin -d "\"MYSECUREPASSWORD\""
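The three hardening steps above (EPMD on loopback, Erlang distribution on loopback, and the admin password rewritten by CouchDB into a PBKDF2 hash) fail silently when a file is mistyped, so the following added example, which is not from this page nor from the CouchDB or Cozy projects, audits them from the configuration files. It assumes POSIX sh, awk and grep; the paths are parameters, and the files it builds are constructed stand-ins for /etc/couchdb/local.ini, /etc/couchdb/vm.args and the systemd drop-in. It also reports chttpd's bind_address: on a single node that only Cozy talks to (cozy.yml points at 127.0.0.1), CouchDB's HTTP port can stay on loopback as well.

```sh
#!/bin/sh
# Added example (not part of the guide): static checks for the hardened
# single-node CouchDB setup. Paths are passed in so the functions can be
# run against the real /etc/couchdb tree or against constructed samples.

# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
ini_get() {
    awk -v section="[$2]" -v key="$3" '
        /^\[/ { in_section = ($0 == section); next }
        in_section && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# check_couchdb_hardening LOCAL_INI VM_ARGS DROPIN -> 0 if every check passes
check_couchdb_hardening() {
    local_ini=$1; vm_args=$2; dropin=$3
    status=0

    # 1. CouchDB rewrites "admin = <plain>" to a "-pbkdf2-..." hash on first start;
    #    a plain value left behind means it never started with this file.
    admin=$(ini_get "$local_ini" admins admin)
    case $admin in
        -pbkdf2-*) echo "ok: admin password is stored hashed" ;;
        "")        echo "FAIL: no [admins] admin entry in $local_ini"; status=1 ;;
        *)         echo "FAIL: admin password is stored in plain text in $local_ini"; status=1 ;;
    esac

    # 2. HTTP API reachable from loopback only (Cozy connects via 127.0.0.1)
    bind=$(ini_get "$local_ini" chttpd bind_address)
    if [ "$bind" = "127.0.0.1" ]; then
        echo "ok: chttpd bound to loopback"
    else
        echo "WARN: chttpd bind_address is '${bind:-unset}', reachable beyond localhost"
        status=1
    fi

    # 3. Erlang distribution restricted to loopback in vm.args
    if grep -qF -- '-kernel inet_dist_use_interface {127,0,0,1}' "$vm_args"; then
        echo "ok: Erlang distribution bound to loopback"
    else
        echo "FAIL: inet_dist_use_interface is not set to loopback in $vm_args"; status=1
    fi

    # 4. EPMD restricted to loopback through the systemd drop-in
    if grep -qxF 'Environment=ERL_EPMD_ADDRESS=127.0.0.1' "$dropin"; then
        echo "ok: EPMD bound to loopback"
    else
        echo "FAIL: ERL_EPMD_ADDRESS is not set to 127.0.0.1 in $dropin"; status=1
    fi
    return $status
}

# Constructed sample files standing in for the real ones, so this runs offline.
# The hash and salt are placeholders, not a real CouchDB credential.
tmp=$(mktemp -d)
cat > "$tmp/local.ini" <<'EOF'
[admins]
admin = -pbkdf2-PLACEHOLDER_HASH,PLACEHOLDER_SALT,10
[couchdb]
single_node = true
[chttpd]
port = 5984
bind_address = 127.0.0.1
EOF
printf '%s\n' '-kernel inet_dist_use_interface {127,0,0,1}' > "$tmp/vm.args"
printf '[Service]\nEnvironment=ERL_EPMD_ADDRESS=127.0.0.1\n' > "$tmp/10-bind-locally.conf"

check_couchdb_hardening "$tmp/local.ini" "$tmp/vm.args" "$tmp/10-bind-locally.conf"
```

To audit a live host, call check_couchdb_hardening with /etc/couchdb/local.ini, /etc/couchdb/vm.args and /etc/systemd/system/couchdb.service.d/10-bind-locally.conf, then confirm with ss -ltn that 4369 and 5984 are listening on 127.0.0.1 only.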
Configuring Cozy
cp /usr/share/cozy/cozy.example.yaml /etc/cozy/cozy.yml
/etc/cozy/cozy.yml
# server host - flags: --host
#host: 0.0.0.0
host: 192.168.0.207
# server port - flags: --port -p
port: 8080
# how to structure the subdomains for apps - flags: --subdomains
# values:
#  - nested, like https://<app>.<user>.<domain>/ (well suited for self-hosted with Let's Encrypt)
#  - flat, like https://<user>-<app>.<domain>/ (easier when using wildcard TLS certificate)
subdomains: nested
# administration endpoint parameters. this endpoint should be protected
admin:
  # server host - flags: --admin-host
  host: localhost
  # server port - flags: --admin-port
  port: 6060
  # secret file name containing the derived passphrase to access to the
  # administration endpoint. this secret file can be generated using the `cozy-
  # stack config passwd` command. this file should be located in the same path
  # as the configuration file.
  secret_filename: cozy-admin-passphrase
# file system parameters
fs:
  # file system url - flags: --fs-url
  # default url is the directory relative to the binary: ./storage
  # url: file://localhost/var/lib/cozy
  # url: swift://openstack/?UserName={{ .Env.OS_USERNAME }}&Password={{ .Env.OS_PASSWORD }}&ProjectName={>
  # Swift FS can be used with advanced parameters to activate TLS properties.
  # For using swift with https, you must use the "swift+https" scheme.
  #
  # root_ca: /ca-certificates.pem
  # client_cert: /client_cert.pem
  # client_key: /client_key
  # pinned_key: 57c8ff33c9c0cfc3ef00e650a1cc910d7ee479a8bc509f6c9209a7c2a11399d6
  # insecure_skip_validation: true
  # can_query_info: true
  # default_layout: 2 # 1 for layout v2 and 2 for layout v3
  # auto_clean_trashed_after:
  #   context_a: 30D
  #   context_b: 3M
  # versioning:
  #   max_number_of_versions_to_keep: 20
  #   min_delay_between_two_versions: 15m
  url: file:///var/lib/cozy
# vault contains keyfiles informations
# See https://docs.cozy.io/en/cozy-stack/cli/cozy-stack_config_gen-keys/
# to generate the keys
vault:
  # the path to the key used to encrypt credentials
  credentials_encryptor_key: /etc/cozy/vault.enc
  # the path to the key used to decrypt credentials
  credentials_decryptor_key: /etc/cozy/vault.dec
# couchdb parameters
couchdb:
  # CouchDB URL - flags: --couchdb-url
  # url: http://localhost:5984/
  url: http://admin:MYSECUREPASSWORD@127.0.0.1:5984
# konnectors execution parameters for executing external processes.
konnectors:
  # run connectors with node
  # cmd: /usr/share/cozy/konnector-node-run.sh
  # run connectors with nsjail
  cmd: /usr/share/cozy/konnector-nsjail-run.sh
log:
  # logger level (debug, info, warning, panic, fatal) - flags: --log-level
  level: info
  # send logs to the local syslog - flags: --log-syslog
  syslog: false
# Registries used for applications and konnectors
registries:
  default:
    - https://apps-registry.cozycloud.cc/selfhosted
    - https://apps-registry.cozycloud.cc/banks
    - https://apps-registry.cozycloud.cc/
Configuring the Cozy admin password
cozy-stack config passwd /etc/cozy/cozy-admin-passphrase
chown cozy:cozy /etc/cozy/cozy-admin-passphrase
chmod 600 /etc/cozy/cozy-admin-passphrase
Creating vault keys
cozy-stack config gen-keys /etc/cozy/vault
chmod 700 /etc/cozy
chown cozy:cozy /etc/cozy/vault.dec
chmod 600 /etc/cozy/vault.dec
chown cozy:cozy /etc/cozy/vault.enc
chmod 600 /etc/cozy/vault.enc
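The admin passphrase file and the two vault keys are the secrets that protect the admin endpoint and every stored credential, and the chown/chmod lines above are easy to skip after a later regeneration. This added example (not from the page or from the Cozy project) re-checks that /etc/cozy is 700 and that the three secret files are 600 and owned by the expected user. It assumes GNU stat (the -c format); the owner is a parameter, and the directory it builds is a constructed stand-in for /etc/cozy so the check runs as whoever invokes it.

```sh
#!/bin/sh
# Added example (not part of the guide): verify ownership and permissions
# of the Cozy secret files created by "cozy-stack config passwd" and
# "cozy-stack config gen-keys".

# check_secret_perms OWNER MODE FILE... -> 0 if every FILE is owned by OWNER with exactly MODE
check_secret_perms() {
    owner=$1; mode=$2; shift 2
    status=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "FAIL: $f is missing"; status=1; continue
        fi
        actual=$(stat -c '%a %U' "$f")   # GNU stat: octal mode and owner name
        if [ "$actual" = "$mode $owner" ]; then
            echo "ok: $f ($actual)"
        else
            echo "FAIL: $f is '$actual', expected '$mode $owner'"; status=1
        fi
    done
    return $status
}

# check_cozy_secrets CONFIG_DIR OWNER -> applies the guide's expectations to one directory
check_cozy_secrets() {
    dir=$1; owner=$2; rc=0
    check_secret_perms "$owner" 700 "$dir" || rc=1
    check_secret_perms "$owner" 600 \
        "$dir/cozy-admin-passphrase" "$dir/vault.dec" "$dir/vault.enc" || rc=1
    return $rc
}

# Constructed sample directory standing in for /etc/cozy, owned by the current user.
me=$(id -un)
sample=$(mktemp -d)          # mktemp -d already creates the directory as 700
for f in cozy-admin-passphrase vault.dec vault.enc; do
    printf 'placeholder secret (constructed, not a real key)\n' > "$sample/$f"
    chmod 600 "$sample/$f"
done

check_cozy_secrets "$sample" "$me"
```

On the real host run check_cozy_secrets /etc/cozy cozy; a FAIL line names the file and the mode/owner it actually has.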
Enable service
systemctl enable cozy-stack
systemctl start cozy-stack
Creating an instance
Add an instance. You will be prompted for your Cozy admin password; you can also pass it through the COZY_ADMIN_PASSWORD environment variable.
cozy-stack instances add cozy.wildw1ng.com --apps home,settings,store
You will then need to visit https://<instance>.example.tld/?registerToken=<token>,
which requires you to have set up a reverse proxy.