Documentation — TenzoShare

checklistPrerequisites

deployed_code

Docker Engine

v24.0+

schema

Docker Compose

v2.0+ plugin

dns

Domain / Port

Port 80 exposed, or a domain pointed at the host

Use docker compose (v2 plugin) — not the legacy docker-compose binary.

rocket_launchQuickstart

1 Clone the repository

git clone https://github.com/marcusottosen/TenzoShare.git
cd tenzoshare

2 Configure environment & generate secrets

cp infrastructure/docker/.env.example infrastructure/docker/.env

# Generate required secrets — paste each output into .env
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out jwt_private.pem
openssl rsa -in jwt_private.pem -pubout -out jwt_public.pem
openssl rand -hex 32   # → PASSWORD_PEPPER
openssl rand -hex 32   # → STORAGE_ENCRYPTION_KEY

3 Deploy

cd infrastructure/docker
docker compose up -d

4 Verify (wait ~30s for healthy state)

docker compose ps

5 Log in

Visit http://localhost in your browser.

Admin credentials are set via BOOTSTRAP_ADMIN_EMAIL and BOOTSTRAP_ADMIN_PASSWORD in your .env.

Default email: [email protected]

lightbulb

Exposing TenzoShare externally? Cloudflare Tunnel is a zero-open-ports option — install cloudflared, point the tunnel at http://localhost:80, and you get HTTPS with no port-forwarding or certificate management needed.

settingsKey Environment Variables

Variable	Required	Description
POSTGRES_PASSWORD	Required	PostgreSQL password
REDIS_PASSWORD	Required	Redis password
JWT_PRIVATE_KEY	Required	RS256 private key (PEM, `\n`-escaped)
JWT_PUBLIC_KEY	Required	RS256 public key (PEM, `\n`-escaped)
PASSWORD_PEPPER	Required	32-byte hex — mixed into all password hashes
STORAGE_ENCRYPTION_KEY	Required	32-byte hex — AES-256-GCM file encryption key
MINIO_ROOT_USER	Required	MinIO admin user
MINIO_ROOT_PASSWORD	Required	MinIO admin password
S3_ACCESS_KEY / S3_SECRET_KEY	Required	S3 credentials (same as MinIO root for local)
BOOTSTRAP_ADMIN_EMAIL	Required	Email for the first admin account
BOOTSTRAP_ADMIN_PASSWORD	Required	Password for the first admin account
BASE_URL	Required	Public URL e.g. `https://share.example.com`
DEV_MODE	Optional	`true` relaxes CORS/cookies for local dev

warning

Write-once values: PASSWORD_PEPPER and STORAGE_ENCRYPTION_KEY — changing them invalidates all existing passwords and encrypted files.

storageStorage Configuration

TenzoShare ships with MinIO out of the box — no extra setup needed. To switch to AWS S3 or any S3-compatible store, update these variables:

Variable	MinIO (default)	AWS S3
S3_ENDPOINT	http://tenzoshare-minio:9000	leave blank
S3_BUCKET	tenzoshare	your bucket name
S3_REGION	us-east-1	your region
S3_ACCESS_KEY	MinIO root user	IAM access key
S3_SECRET_KEY	MinIO root password	IAM secret key
S3_USE_SSL	false	true

tune

Quota, per-user limits, and max upload size are configurable at runtime via the admin portal — no restart needed.

apiAPI Reference

All routes are prefixed with /api/v1 and routed through Traefik on port 80.

Auth /api/v1/auth

POST/registerCreate account

POST/loginGet access + refresh tokens (RS256 JWT)

POST/login/mfaComplete TOTP MFA challenge

POST/refreshRotate tokens

POST/logoutRevoke current token

GET/meCurrent user profile

PATCH/meUpdate profile / change password

POST/mfa/setupEnroll TOTP authenticator

POST/mfa/verifyActivate TOTP after setup

POST/password-reset/requestRequest password reset

POST/password-reset/confirmConfirm password reset

Files /api/v1/files Bearer JWT required

POST/Upload file (multipart, streamed)

GET/List your files

GET/:idFile metadata

DELETE/:idDelete file

GET/:id/presignGet short-lived presigned download URL

GET/:id/downloadDownload (JWT or ?token= param)

GET/usageStorage usage + quota for current user

Transfers /api/v1/transfers Bearer JWT required

POST/Create transfer (attach files, set expiry, password, view-only)

GET/List your transfers

GET/:idTransfer detail

DELETE/:idRevoke transfer

Public Transfer Access /api/v1/t/:slug No auth required

GET/:slugView transfer (password optional)

GET/:slug/files/:fileId/downloadGet download/view URL for a file

File Requests /api/v1/requests Bearer JWT required

POST/Create upload request link

GET/List your requests

GET/:idRequest detail

DELETE/:idDeactivate request

API Keys /api/v1/users/apikeys Bearer JWT required

GET/List your API keys

POST/Create key

DELETE/:idRevoke key

bookFurther Reading

monitoring

Observability

Add docker-compose.observability.yml to get Prometheus, Grafana, Loki, and Tempo.

phonelink_lock

TOTP MFA

Enable per-user via the profile page. Admins can enforce it globally from the admin portal.

preview

View-only Transfers

Set view_only: true at transfer creation — files open inline in-browser, no save dialog.

upload_file

File Requests