### Install Frontend Dependencies and Start Dev Server Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Install Node.js dependencies for the frontend and start the development server. ```bash cd website/ yarn install yarn dev ``` -------------------------------- ### Set up MinIO for Yopass File Storage Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md This example demonstrates setting up a local MinIO instance using Docker, creating a bucket, and then starting Yopass to use MinIO as its S3-compatible file store. ```bash docker run -d \ -p 9000:9000 \ -e MINIO_ROOT_USER=minioadmin \ -e MINIO_ROOT_PASSWORD=minioadmin \ minio/minio server /data # Create the bucket mc alias set local http://localhost:9000 minioadmin minioadmin mc mb local/yopass-files # Start Yopass AWS_ACCESS_KEY_ID=minioadmin \ AWS_SECRET_ACCESS_KEY=minioadmin \ yopass-server \ --file-store s3 \ --file-store-s3-bucket yopass-files \ --file-store-s3-endpoint http://localhost:9000 \ --file-store-s3-region us-east-1 ``` -------------------------------- ### Commit Message Examples Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Follow these examples for clear and descriptive commit messages to improve code review and project history. ```bash # Good examples Add streaming upload support for large files Fix one-time secret enforcement in upload flow Update README with new deployment options # Avoid Fix bug Update code WIP ``` -------------------------------- ### Start Local Redis Server Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Run a Redis instance using Docker for local backend development. ```bash docker run -d -p 6379:6379 redis:alpine ``` -------------------------------- ### Run Yopass Backend Server Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Start the Yopass backend server, specifying the Redis connection URL. ```bash go run cmd/yopass-server/main.go --redis=redis://localhost:6379/0 ``` -------------------------------- ### Start Yopass with Docker Compose and Let's Encrypt Source: https://github.com/jhaals/yopass/blob/master/README.md Use this command to start Yopass with Docker Compose, enabling TLS and automatic certificate renewal via Let's Encrypt. Ensure you have pointed your domain to the host and replaced placeholder values in the docker-compose.yml file. ```bash docker-compose up -d ``` -------------------------------- ### Example: Successful Login Log Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md An example of an audit log record for a successful user login event. Includes client IP and user identification details. ```json {"timestamp":"2026-04-09T12:00:00.500000000Z","event":"auth.callback_success","outcome":"success","client_ip":"203.0.113.42","user_email":"alice@corp.example","user_subject":"auth0|abc123"} ``` -------------------------------- ### Backend Code Formatting and Linting Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Commands for formatting and linting the Go backend code. Ensure golangci-lint is installed for linting. ```bash # Format code go fmt ./... # Lint (install golangci-lint first) golangci-lint run # Vet code go vet ./... ``` -------------------------------- ### Start Docker Compose Source: https://github.com/jhaals/yopass/blob/master/docs/quickstart.md Run this command in the directory containing your docker-compose.yml file to start the Yopass service in detached mode. ```bash docker compose up -d ``` -------------------------------- ### Docker Compose Deployment Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Use this snippet for a basic setup of Yopass using Docker Compose. Navigate to the deploy directory and run the command to start the services in detached mode. ```bash cd deploy/ docker-compose up -d ``` -------------------------------- ### Docker Compose Deployment Example Source: https://github.com/jhaals/yopass/blob/master/docs/metrics.md A Docker Compose file to deploy Yopass, Memcached, Prometheus, and Grafana. The metrics port for Yopass is exposed. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" - "9090:9090" # metrics — restrict this in production environment: MEMCACHED: memcached:11211 METRICS_PORT: "9090" depends_on: - memcached memcached: image: memcached prometheus: image: prom/prometheus volumes: - ./prometheus.yml:/etc/prometheus/prometheus.yml ports: - "9091:9090" grafana: image: grafana/grafana ports: - "3000:3000" depends_on: - prometheus ``` -------------------------------- ### Start Yopass with Docker Compose (Insecure) Source: https://github.com/jhaals/yopass/blob/master/README.md Use this command for a simpler Docker Compose setup when you already have a reverse proxy handling TLS. Yopass will be accessible on port 80. ```bash cd deploy/docker-compose/insecure docker-compose up -d ``` -------------------------------- ### Example: Access Denied Log Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md An example of an audit log record when access to a secret is denied due to authentication requirements. Includes the reason for denial. ```json {"timestamp":"2026-04-09T12:01:00.000000001Z","event":"secret.accessed","outcome":"denied","client_ip":"198.51.100.7","secret_id":"k9bXz3mQ2vR7nLpA4wEy5a","require_auth":true,"error":"authentication required"} ``` -------------------------------- ### Run Yopass with Self-Signed Certificates Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Start the Yopass server using a self-signed certificate and key. This is intended for local development and testing only. ```bash yopass-server --tls-cert tls.crt --tls-key tls.key ``` -------------------------------- ### Start Yopass Server with S3 Storage and Disabled Cleanup Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md Launch the Yopass server configured to use S3 as its file store and disable the built-in cleanup goroutine. This leverages S3's lifecycle rules for object management. ```bash yopass-server \ --file-store s3 \ --file-store-s3-bucket my-yopass-bucket \ --disable-file-cleanup ``` -------------------------------- ### Enable Metrics Port Source: https://github.com/jhaals/yopass/blob/master/docs/metrics.md Start the Yopass server with a specific port for metrics. Metrics are served at `http://host:9090/metrics` and should be firewalled from public access. ```bash yopass-server --metrics-port 9090 ``` -------------------------------- ### Run Yopass Server with Built-in TLS Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Start the Yopass server with TLS enabled by providing paths to your certificate and private key files. Yopass enforces a minimum TLS version of 1.2. ```bash yopass-server \ --tls-cert /etc/ssl/yopass/tls.crt \ --tls-key /etc/ssl/yopass/tls.key ``` -------------------------------- ### Example: Successful Secret Creation Log Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md An example of an audit log record for a successful secret creation event. Includes metadata like secret ID, expiration, and authentication requirements. ```json {"timestamp":"2026-04-09T12:00:01.123456789Z","event":"secret.created","outcome":"success","client_ip":"203.0.113.42","secret_id":"k9bXz3mQ2vR7nLpA4wEy5a","one_time":true,"expiration_seconds":3600,"require_auth":false,"user_email":"alice@corp.example","user_subject":"auth0|abc123"} ``` -------------------------------- ### Deploy Yopass to Kubernetes Source: https://github.com/jhaals/yopass/blob/master/README.md Basic commands to deploy Yopass to a Kubernetes cluster and forward a local port for access. Note that this is a minimal setup and TLS should be configured for production use. ```bash kubectl apply -f deploy/yopass-k8.yaml kubectl port-forward service/yopass 1337:1337 ``` -------------------------------- ### Yopass Alerting Rules for Prometheus Source: https://github.com/jhaals/yopass/blob/master/docs/metrics.md Example Prometheus alerting rules for Yopass, covering high error rates, high latency, and license expiry. Save as yopass-alerts.yml. ```yaml groups: - name: yopass rules: - alert: YopassHighErrorRate expr: | sum(rate(yopass_http_requests_total{code=~"5.."}[5m])) / sum(rate(yopass_http_requests_total[5m])) > 0.05 for: 5m labels: severity: warning annotations: summary: "Yopass HTTP error rate above 5%" - alert: YopassHighLatency expr: | histogram_quantile(0.95, sum by (le, handler) (rate(yopass_http_request_duration_seconds_bucket[5m])) ) > 2 for: 5m labels: severity: warning annotations: summary: "Yopass p95 latency above 2s on {{ $labels.handler }}" - alert: YopassLicenseExpiringSoon expr: yopass_license_days_until_expiry < 14 labels: severity: warning annotations: summary: "Yopass license expires in {{ $value | humanizeDuration }}" - alert: YopassLicenseExpired expr: yopass_license_days_until_expiry < 0 labels: severity: critical annotations: summary: "Yopass license has expired" ``` -------------------------------- ### Docker Compose with Memcached Source: https://github.com/jhaals/yopass/blob/master/docs/quickstart.md Use this configuration to run Yopass with Memcached as the storage backend. Ensure Docker and Docker Compose are installed and port 1337 is available. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" environment: MEMCACHED: memcached:11211 depends_on: - memcached memcached: image: memcached ``` -------------------------------- ### Enable Read Receipts with License Key Source: https://github.com/jhaals/yopass/blob/master/docs/read-receipts.md Read receipts are enabled automatically when a valid license key is configured. This command starts the yopass server with a license key. ```bash yopass-server --license-key "your-license-key" ``` -------------------------------- ### Docker Compose with Redis Source: https://github.com/jhaals/yopass/blob/master/docs/quickstart.md This configuration sets up Yopass to use Redis for storage. It requires Docker and Docker Compose to be installed and port 1337 to be free. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" environment: DATABASE: redis REDIS: redis://redis:6379/0 depends_on: - redis redis: image: redis:7-alpine ``` -------------------------------- ### Set Yopass License Key in SSM Source: https://github.com/jhaals/yopass/blob/master/deploy/cdk/README.md Stores the Yopass license key in AWS Systems Manager Parameter Store. This is a one-time setup step required before deployment. ```bash aws ssm put-parameter --name /yopass/license-key --type String --value '' ``` -------------------------------- ### Docker Compose Configuration for Yopass Source: https://github.com/jhaals/yopass/blob/master/docs/theming.md This snippet shows a complete Docker Compose setup for Yopass, including its own service and a dependency on Memcached. It highlights environment variables for image version, ports, caching, licensing, application naming, and custom theming. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" environment: MEMCACHED: memcached:11211 LICENSE_KEY: your-license-key APP_NAME: Acme Secrets THEME_LIGHT: corporate THEME_DARK: business THEME_CUSTOM_LIGHT: '{"--color-primary":"oklch(55% 0.2 250)"}' LOGO_URL: /mylogo.svg depends_on: - memcached memcached: image: memcached ``` -------------------------------- ### Nginx Configuration for Reverse Proxy Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Example Nginx configuration to act as a reverse proxy for Yopass, handling SSL termination and forwarding requests. It includes modern TLS settings and configurations for streaming uploads. ```nginx server { listen 443 ssl; server_name yopass.example.com; ssl_certificate /etc/ssl/yopass/tls.crt; ssl_certificate_key /etc/ssl/yopass/tls.key; # Modern TLS settings ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; location / { proxy_pass http://127.0.0.1:1337; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; # Required for streaming file uploads proxy_request_buffering off; proxy_buffering off; client_max_body_size 0; } } # Redirect HTTP to HTTPS server { listen 80; server_name yopass.example.com; return 301 https://$host$request_uri; } ``` -------------------------------- ### Docker Compose for Yopass with S3 Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md This snippet configures a Docker Compose setup for Yopass. It specifies the Yopass image, port mapping, and environment variables for S3 file storage, including bucket, region, and AWS credentials. It also sets up a Memcached service and defines dependencies. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" environment: MEMCACHED: memcached:11211 FILE_STORE: s3 FILE_STORE_S3_BUCKET: my-yopass-bucket FILE_STORE_S3_REGION: eu-west-1 AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID} AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY} DISABLE_FILE_CLEANUP: "true" # using S3 lifecycle rules instead depends_on: - memcached memcached: image: memcached ``` -------------------------------- ### Run Yopass Server with Database Backend Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md Use the database backend when file uploads are small or infrequent and you want to keep the deployment simple. No extra configuration is needed. ```bash yopass-server # file-store defaults to the database backend ``` -------------------------------- ### Run Yopass Server with Let's Encrypt Certificates Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Configure Yopass to use certificates obtained from Let's Encrypt. Ensure the paths to the certificate and key files are correct. ```bash yopass-server \ --tls-cert /etc/letsencrypt/live/yopass.example.com/fullchain.pem \ --tls-key /etc/letsencrypt/live/yopass.example.com/privkey.pem ``` -------------------------------- ### Run Backend Tests Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Commands to run all backend tests, tests with coverage, and tests for specific packages. ```bash # Run all tests go test ./... # Run tests with coverage go test -cover ./... # Run specific package tests go test ./pkg/server/... ``` -------------------------------- ### Frontend Linting and Formatting Commands Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Commands to check code quality and automatically format the frontend codebase. ```bash cd website/ # Lint and check formatting yarn lint # Auto-fix linting issues and format code yarn format # Type checking yarn build ``` -------------------------------- ### Docker Compose for Nginx Proxy with Let's Encrypt Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Instructions to set up Yopass with Nginx and Let's Encrypt using a provided Docker Compose file. Remember to edit placeholder values for host and email. ```bash cd deploy/with-nginx-proxy-and-letsencrypt # Edit docker-compose.yml and set VIRTUAL_HOST, LETSENCRYPT_HOST, LETSENCRYPT_EMAIL docker-compose up -d ``` -------------------------------- ### Configure Internal Yopass Instance with OIDC Source: https://github.com/jhaals/yopass/blob/master/docs/read-only-mode.md Use this command to set up an internal Yopass instance that requires user sign-in for creating secrets, integrating with OIDC for authentication. ```bash yopass-server \ --license-key "your-license-key" \ --oidc-issuer "https://accounts.google.com" \ --oidc-client-id "..." \ --oidc-client-secret "..." \ --oidc-redirect-url "https://internal.example.com/auth/callback" \ --require-auth ``` -------------------------------- ### CDK Useful Commands Source: https://github.com/jhaals/yopass/blob/master/deploy/cdk/README.md Common commands for managing the CDK application, including building, testing, deploying, and synthesizing CloudFormation templates. ```bash npm run build ``` ```bash npm run watch ``` ```bash npm run test ``` ```bash npx cdk diff ``` ```bash npx cdk synth ``` -------------------------------- ### Build and Zip Lambda Deployment Package Source: https://github.com/jhaals/yopass/blob/master/deploy/cdk/README.md Compiles the Go application for a Linux ARM64 environment and creates a zip archive for Lambda deployment. This is typically part of the build process for the Lambda function. ```bash GOOS=linux GOARCH=arm64 go build -o ./bootstrap -tags lambda.norpc zip deployment.zip bootstrap ``` -------------------------------- ### Enable Audit Logging Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md Enable audit logging by providing a license key. By default, logs are written to stdout. ```bash yopass-server \ --license-key "your-license-key" \ --audit-log ``` -------------------------------- ### Example Webhook Payload Structure Source: https://github.com/jhaals/yopass/blob/master/docs/webhooks.md This is the JSON structure of the HTTP POST request body for webhook events. It includes event details like type, timestamp, and secret identifier. ```json { "event": "secret.viewed", "timestamp": "2026-06-11T13:37:00.000000042Z", "secret_id": "a1b2c3d4e5f6", "kind": "secret", "one_time": true, "expiration_seconds": 3600 } ``` -------------------------------- ### Docker Compose Configuration for Audit Logging Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md Configure YoPass to write audit logs to a file within a Docker Compose setup. Ensure the volume mapping is set up to persist logs. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" environment: MEMCACHED: memcached:11211 LICENSE_KEY: your-license-key AUDIT_LOG: "true" volumes: - ./logs:/var/log/yopass command: yopass-server --audit-log-file /var/log/yopass/audit.log depends_on: - memcached memcached: image: memcached ``` -------------------------------- ### Mix Built-in and Custom Themes Source: https://github.com/jhaals/yopass/blob/master/docs/theming.md Combine a built-in base theme with specific custom overrides for the light color scheme. Requires a license key and uses oklch() color format. ```bash yopass-server \ --license-key "your-license-key" \ --theme-light "corporate" \ --theme-custom-light '{"--color-primary":"oklch(50% 0.22 142)"}' ``` -------------------------------- ### Command-line Configuration for Audit Logging with OIDC Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md Run YoPass server with audit logging enabled and configured for OpenID Connect. This provides user identity in audit records. ```bash yopass-server \ --license-key "your-license-key" \ --audit-log \ --oidc-issuer "https://accounts.google.com" \ --oidc-client-id "123456789-abc.apps.googleusercontent.com" \ --oidc-client-secret "GOCSPX-…" \ --oidc-redirect-url "https://yopass.example.com/auth/callback" ``` -------------------------------- ### Set Application Name Source: https://github.com/jhaals/yopass/blob/master/docs/theming.md Replace the default application name in the UI header and browser tab. Requires a license key. ```bash yopass-server --app-name "Acme Secrets" --license-key "your-license-key" ``` -------------------------------- ### Docker Compose Configuration for Disk File Storage Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md A Docker Compose setup for Yopass using local disk storage. It defines the Yopass service, mounts a volume for file storage, and configures necessary environment variables. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" volumes: - yopass-files:/data/yopass-files environment: MEMCACHED: memcached:11211 FILE_STORE: disk FILE_STORE_PATH: /data/yopass-files MAX_FILE_SIZE: 50MB depends_on: - memcached memcached: image: memcached volumes: yopass-files: ``` -------------------------------- ### Run Yopass with Google OIDC Configuration Source: https://github.com/jhaals/yopass/blob/master/docs/openid-connect.md Configure Yopass to use Google as an OpenID Connect provider by specifying issuer, client ID, client secret, and redirect URL. The server fetches the provider's discovery document on startup. ```bash yopass-server \ --license-key "your-license-key" \ --oidc-issuer "https://accounts.google.com" \ --oidc-client-id "123456789-abc.apps.googleusercontent.com" \ --oidc-client-secret "GOCSPX-…" \ --oidc-redirect-url "https://yopass.example.com/auth/callback" ``` ```bash LICENSE_KEY=your-license-key \ OIDC_ISSUER=https://accounts.google.com \ OIDC_CLIENT_ID=123456789-abc.apps.googleusercontent.com \ OIDC_CLIENT_SECRET=GOCSPX-… \ OIDC_REDIRECT_URL=https://yopass.example.com/auth/callback \ yopass-server ``` -------------------------------- ### Configure Yopass Server with Redis Source: https://github.com/jhaals/yopass/blob/master/README.md Use this command to configure Redis as the storage backend for the Yopass server, specifying the connection URL. ```bash # Redis yopass-server --database redis --redis redis://localhost:6379/0 ``` -------------------------------- ### Run Frontend End-to-End Tests Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Execute the end-to-end tests for the Yopass frontend. ```bash cd website/ # Run end-to-end tests yarn test ``` -------------------------------- ### Backend Project Structure Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Overview of the directory structure for the Yopass backend, following a clean architecture pattern. ```tree cmd/ # CLI applications pkg/ ├── server/ # HTTP server and routing ├── yopass/ # Core business logic └── ... # Other packages ``` -------------------------------- ### Set Custom Themes Source: https://github.com/jhaals/yopass/blob/master/docs/theming.md Define custom themes by providing JSON objects of CSS variables for light and dark color schemes. Requires a license key and uses oklch() color format. ```bash yopass-server \ --license-key "your-license-key" \ --theme-custom-light '{"--color-primary":"oklch(55% 0.2 250)","--color-secondary":"oklch(70% 0.15 180)"}' \ --theme-custom-dark '{"--color-primary":"oklch(65% 0.25 260)","--color-secondary":"oklch(60% 0.18 190)"}' ``` -------------------------------- ### Configure OIDC Session Key for Multi-Instance Deployments Source: https://github.com/jhaals/yopass/blob/master/docs/openid-connect.md Pass the generated session key to each Yopass server instance using the `--oidc-session-key` flag or the `OIDC_SESSION_KEY` environment variable to ensure session consistency across instances. ```bash yopass-server \ --oidc-session-key "3f2a1b…c9d8e7" \ # … other OIDC flags ``` ```bash OIDC_SESSION_KEY=3f2a1b…c9d8e7 yopass-server … ``` -------------------------------- ### Run Yopass with Custom Logo in Docker Source: https://github.com/jhaals/yopass/blob/master/docs/theming.md Build a Docker image with your custom logo and run the Yopass container, specifying the custom logo URL. Ensure the logo is accessible at the specified path. ```bash docker build -t yopass-custom . docker run -p 1337:1337 yopass-custom \ --license-key your-license-key \ --logo-url /mylogo.png ``` -------------------------------- ### Configure OIDC Redirect URL and Frontend URL Source: https://github.com/jhaals/yopass/blob/master/docs/read-only-mode.md This configuration is relevant when the internal instance's URL differs from the OIDC redirect target. It ensures correct redirection after successful sign-in. ```bash yopass-server \ --oidc-redirect-url "https://api.internal.example.com/auth/callback" \ --frontend-url "https://internal.example.com" ``` -------------------------------- ### Frontend Project Structure Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Overview of the directory structure for the Yopass frontend, organized by features and shared components. ```tree src/ ├── app/ # Main application setup ├── features/ # Feature-based components ├── shared/ # Reusable utilities and components │ ├── components/ # UI components │ ├── hooks/ # Custom React hooks │ ├── lib/ # Utility functions │ └── types/ # TypeScript type definitions └── tests/ # Test utilities ``` -------------------------------- ### Configure Max File Size Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md Set the maximum allowed upload file size using human-readable suffixes. Note that without a valid license key, the size is capped at 1MB. ```bash --max-file-size 10KB --max-file-size 512KB --max-file-size 10MB --max-file-size 1.5GB ``` -------------------------------- ### Configure Yopass Server for Disk Storage Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md Configure the disk backend to store encrypted files on the local filesystem. This is suitable for single-node deployments and moderate file sizes. The cleanup interval defaults to 60 seconds. ```bash yopass-server \ --file-store disk \ --file-store-path /data/yopass-files ``` -------------------------------- ### Enable Webhooks with Yopass Server Source: https://github.com/jhaals/yopass/blob/master/docs/webhooks.md Configure the Yopass server to send webhook notifications to a specified URL with a secret for signature verification. Ensure a valid license key is provided when setting the webhook URL. ```bash yopass-server \ --license-key "your-license-key" \ --webhook-url "https://hooks.example.com/yopass" \ --webhook-secret "$(openssl rand -hex 32)" ``` -------------------------------- ### Configure Yopass Server with Memcached Source: https://github.com/jhaals/yopass/blob/master/README.md Use this command to set Memcached as the default storage backend for the Yopass server. ```bash # Memcached (default) yopass-server --memcached localhost:11211 ``` -------------------------------- ### Enable Audit Logging to File Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md Enable audit logging and specify a dedicated file path for audit records. This ensures logs are stored separately from application logs. ```bash yopass-server \ --license-key "your-license-key" \ --audit-log \ --audit-log-file /var/log/yopass/audit.log ``` -------------------------------- ### Enable Read-Only Mode Source: https://github.com/jhaals/yopass/blob/master/docs/read-only-mode.md Run the yopass-server with the --read-only flag to disable secret creation endpoints. In this mode, POST requests to /create/secret and /create/file will return 404 Not Found, while retrieval and deletion endpoints remain active. ```bash yopass-server --read-only ``` -------------------------------- ### Set Built-in Themes Source: https://github.com/jhaals/yopass/blob/master/docs/theming.md Independently set the light and dark themes using DaisyUI theme names. The browser's prefers-color-scheme determines the active theme. Requires a license key. ```bash yopass-server \ --license-key "your-license-key" \ --theme-light "corporate" \ --theme-dark "business" ``` -------------------------------- ### Configure Yopass Server for S3-Compatible Storage Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md Configure the S3 backend for storing files in an S3-compatible service like MinIO. This requires specifying the bucket, endpoint, and region. AWS credentials are loaded from the standard credential chain. ```bash # S3-compatible (MinIO, Cloudflare R2, etc.) yopass-server \ --file-store s3 \ --file-store-s3-bucket my-bucket \ --file-store-s3-endpoint http://minio:9000 \ --file-store-s3-region us-east-1 ``` -------------------------------- ### Generate Self-Signed Certificate for Development Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Create a self-signed TLS certificate and key for development purposes. Note that self-signed certificates will cause browser warnings and are not suitable for production. ```bash openssl req -x509 -nodes -newkey rsa:4096 \ -keyout tls.key -out tls.crt \ -days 365 -subj "/CN=localhost" ``` -------------------------------- ### Create File Upload with Read Receipt Source: https://github.com/jhaals/yopass/blob/master/docs/read-receipts.md To create a file upload with a read receipt, include the `X-Yopass-Receipt: true` header. The `receipt_token` will be provided in the response. ```bash curl -X POST https://yopass.example.com/create/file \ -H 'Content-Type: application/octet-stream' \ -H 'X-Yopass-Expiration: 86400' \ -H 'X-Yopass-OneTime: true' \ -H 'X-Yopass-Receipt: true' \ --data-binary @encrypted.bin ``` -------------------------------- ### Deploy Yopass Stack with CDK Source: https://github.com/jhaals/yopass/blob/master/deploy/cdk/README.md Deploys the Yopass CloudFormation stack to your AWS account using the AWS CDK CLI. Ensure your AWS credentials and region are configured. ```bash npx cdk deploy ``` -------------------------------- ### Apply S3 Lifecycle Configuration via AWS CLI Source: https://github.com/jhaals/yopass/blob/master/docs/file-storage.md Use the AWS CLI to apply the defined S3 lifecycle configuration to your bucket. Ensure the JSON configuration is saved to a file (e.g., lifecycle.json). ```bash aws s3api put-bucket-lifecycle-configuration \ --bucket my-yopass-bucket \ --lifecycle-configuration file://lifecycle.json ``` -------------------------------- ### Run Yopass Docker Container with Built-in TLS Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Deploy Yopass using a Docker container with built-in TLS. Mount your certificates into the container and specify their paths using flags. ```bash docker run -p 443:1337 \ -v /etc/letsencrypt/live/yopass.example.com:/certs:ro \ jhaals/yopass:latest \ --memcached memcached:11211 \ --tls-cert /certs/fullchain.pem \ --tls-key /certs/privkey.pem ``` -------------------------------- ### Clone Yopass Repository Source: https://github.com/jhaals/yopass/blob/master/CONTRIBUTING.md Clone the Yopass repository to your local machine and navigate into the project directory. ```bash git clone https://github.com/jhaals/yopass.git cd yopass ``` -------------------------------- ### Split Deployment with Docker Compose Source: https://github.com/jhaals/yopass/blob/master/docs/read-only-mode.md Configure two yopass instances in Docker Compose for a split deployment. The internal instance runs in normal mode and is accessible only via localhost or VPN, while the public instance is exposed to the internet and runs in read-only mode. Both instances connect to the same database. ```yaml services: yopass-internal: image: jhaals/yopass:latest ports: - "127.0.0.1:1337:1337" environment: MEMCACHED: memcached:11211 depends_on: - memcached yopass-public: image: jhaals/yopass:latest ports: - "0.0.0.0:1338:1337" environment: MEMCACHED: memcached:11211 READ_ONLY: "true" depends_on: - memcached memcached: image: memcached ``` -------------------------------- ### Configure Public Yopass Instance (Read-Only) Source: https://github.com/jhaals/yopass/blob/master/docs/read-only-mode.md This command configures a public Yopass instance to be read-only, allowing secret retrieval without requiring authentication. ```bash yopass-server \ --read-only \ --memcached memcached:11211 ``` -------------------------------- ### Caddy Configuration for Reverse Proxy Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md A simple Caddyfile configuration to set up Yopass behind Caddy. Caddy automatically handles TLS certificate provisioning and renewal. ```caddyfile yopass.example.com { reverse_proxy 127.0.0.1:1337 } ``` -------------------------------- ### Obtain Let's Encrypt Certificate with Certbot Source: https://github.com/jhaals/yopass/blob/master/docs/tls.md Use Certbot to obtain a Let's Encrypt certificate for your domain. This is a common method for securing your Yopass instance with trusted certificates. ```bash certbot certonly --standalone -d yopass.example.com ``` -------------------------------- ### Secure Metrics Endpoint with Nginx Basic Auth Source: https://github.com/jhaals/yopass/blob/master/docs/metrics.md Set up Nginx to proxy requests to the metrics endpoint, enforcing basic authentication. Ensure the .htpasswd file is correctly configured. ```nginx server { listen 9090; location /metrics { auth_basic "Prometheus"; auth_basic_user_file /etc/nginx/.htpasswd; proxy_pass http://127.0.0.1:9090; } } ``` -------------------------------- ### Docker Compose for Yopass with OIDC Source: https://github.com/jhaals/yopass/blob/master/docs/openid-connect.md Configure Yopass to use OpenID Connect for authentication by setting environment variables in your Docker Compose file. Ensure OIDC_ISSUER points to your provider's base URL and OIDC_CLIENT_ID/SECRET are correctly set. ```yaml services: yopass: image: jhaals/yopass:latest ports: - "1337:1337" environment: MEMCACHED: memcached:11211 LICENSE_KEY: your-license-key OIDC_ISSUER: https://accounts.google.com OIDC_CLIENT_ID: 123456789-abc.apps.googleusercontent.com OIDC_CLIENT_SECRET: GOCSPX-… OIDC_REDIRECT_URL: https://yopass.example.com/auth/callback REQUIRE_AUTH: "true" OIDC_ALLOWED_DOMAINS: example.com # optional: comma-separated list of allowed email domains OIDC_SESSION_KEY: 3f2a1b…c9d8e7 # required for replicated deployments depends_on: - memcached memcached: image: memcached ``` -------------------------------- ### Enforce Authentication for Secret Creation Source: https://github.com/jhaals/yopass/blob/master/docs/openid-connect.md Add the `--require-auth` flag to prevent unauthenticated users from creating secrets. This prompts users to sign in on the home and upload pages, while secret retrieval remains accessible without authentication. ```bash yopass-server \ --license-key "your-license-key" \ --oidc-issuer "https://accounts.google.com" \ --oidc-client-id "123456789-abc.apps.googleusercontent.com" \ --oidc-client-secret "GOCSPX-…" \ --oidc-redirect-url "https://yopass.example.com/auth/callback" \ --require-auth ``` -------------------------------- ### Configure Log Rotation with logrotate Source: https://github.com/jhaals/yopass/blob/master/docs/audit-logging.md This configuration snippet is for logrotate to manage Yopass audit log files. It sets daily rotation, keeps 90 days of logs, compresses old logs, and uses copytruncate to avoid issues with open file descriptors. ```bash /var/log/yopass/audit.log { daily rotate 90 compress delaycompress missingok notifempty copytruncate } ``` -------------------------------- ### Restrict Metrics Access with UFW Firewall Source: https://github.com/jhaals/yopass/blob/master/docs/metrics.md Configure the Uncomplicated Firewall (ufw) to allow access to the metrics port (9090) only from a specific IP range. Deny all other access to the port. ```bash ufw allow from 10.0.0.0/8 to any port 9090 ufw deny 9090 ```