Museum encrypts emails before storing (encrypted_email column).
Cannot query by plaintext email. Instead select the first user_id
which is the admin user created during first-start setup.

Peer authentication fails when running as root but connecting as
user 'ente'. Use PGPASSWORD with -h 127.0.0.1 to force TCP/password
authentication instead of Unix socket peer auth.

Museum requires an S3-compatible object storage backend for file
uploads. The install script had dummy S3 credentials pointing to
localhost:3200 but no service was running there, causing HTTP 500
on /files/upload-url.

- Install MinIO binary with random password
- Create required buckets (b2-eu-cen, wasabi-eu-central-2-v3, scw-eu-fr-v3)
- Configure museum.yaml with proper S3 credentials and bucket names
- MinIO runs on port 3200 (API) and 3201 (console)
- Add hardcoded OTT (123456) for all emails in museum.yaml so users
  don't need to search logs for verification codes
- Replace separate helper scripts with single 'ente-setup' command
  that handles: admin whitelisting (user_id from DB), CLI account
  add, and subscription upgrade in one guided flow
- Simplify JSON notes to single first-start instruction

The admin CLI requires the user to be whitelisted via their numeric
user_id in museum.yaml's internal.admin field. The helper script
ente-upgrade-subscription now:
1. Looks up user_id from PostgreSQL by email
2. Adds internal.admin to museum.yaml if not present
3. Restarts museum
4. Runs the subscription upgrade
This replaces the previous approach that incorrectly assumed the
first user was auto-admin (that fallback only works when internal
section is completely absent AND was unreliable).

The 'internal.admins' field expects user IDs, not emails. Setting it
to an empty array explicitly disables admin access. Without the field,
museum falls back to treating the first registered user as admin,
which is the correct behavior for self-hosted instances.

- Add 'internal: admins: []' section to museum.yaml so admin CLI
  commands work after adding email to the list
- Fix --no-limit flag in helper script (requires 'True' argument)
- Add admin setup step to JSON first-start notes

Without these steps the setup cannot be completed:
1. Create account via web UI
2. Get verification code from museum logs
3. Remove subscription limit via CLI

The server defaults to ./static relative to the working directory.
Without WorkingDirectory in the service, it looks at /static which
doesn't exist, causing 404 on the web UI. Set the absolute path
/opt/oxicloud/static in the .env file.

The labca-gui -init flag does not exit after initialization - it starts
the HTTP server and blocks forever, causing the install to hang.
Removed the -init call; the service handles first-run setup via the
browser /setup route automatically. Also removed system user (runs as
root in LXC).

Ente: Remove circular Caddy :8080 reverse_proxy block that conflicted
with Museum binding to the same port. Museum serves directly on 8080.

Garmin-Grafana: Use GARMINCONNECT_EMAIL and GARMINCONNECT_BASE64_PASSWORD
env vars instead of broken heredoc stdin piping through timeout+uv run.
MFA code piped via stdin only when provided.

Delete duplicated frontend/public/json/surrealdb.json and update the canonical json/surrealdb.json file: restore original date_created, adjust description, normalize website URL, change default_credentials.password to null, and add notes about web UI and saved creds. Also include a tiny EOF/newline normalization in json/cliproxyapi.json.

Replace author attribution with "MickLesk (CanbiZ)" in ct/coredns.sh and install/coredns-install.sh. Reformat the categories array in json/coredns.json to a multiline style and adjust trailing newline/whitespace. These are non-functional metadata/formatting changes.