A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
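---
# ATCR Hold Service Configuration
# Generated with defaults — edit as needed.
#
# Several keys in this file hold credentials once filled in
# (storage.secret_key, log_shipper.password, database.libsql_auth_token,
# scanner.secret). Keep the populated file out of version control and
# readable only by the account that runs the hold service.

# Configuration format version. Quoted so it stays a string, not a float.
version: "0.1"
# Log level: debug, info, warn, error.
log_level: info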
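# Remote log shipping settings.
log_shipper:
  # Log shipping backend: "victoria", "opensearch", or "loki". Empty disables shipping.
  backend: ""
  # Remote log service endpoint, e.g. "http://victorialogs:9428".
  # Basic auth over plain http sends the username and password unencrypted;
  # use an https:// endpoint whenever credentials are set and the log service
  # is not on a trusted local network.
  url: ""
  # Number of log entries to buffer before flushing to the remote service.
  batch_size: 100
  # Maximum time between flushes, even if batch is not full.
  flush_interval: 5s
  # Basic auth username for the log service (optional).
  username: ""
  # Basic auth password for the log service (optional).
  # Secret: do not commit a populated value; restrict read access to this file.
  password: ""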
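# S3-compatible blob storage settings.
storage:
  # S3-compatible access key (AWS, Storj, Minio, UpCloud).
  # Prefer a key scoped to the single bucket below rather than an
  # account-wide credential.
  access_key: ""
  # S3-compatible secret key.
  # Secret: do not commit a populated value; restrict read access to this file.
  secret_key: ""
  # S3 region, e.g. "us-east-1". Used for request signing.
  region: us-east-1
  # S3 bucket for blob storage (REQUIRED). Must already exist.
  bucket: ""
  # Custom S3 endpoint for non-AWS providers (e.g. "https://gateway.storjshare.io").
  # Use an https:// endpoint so blob traffic is encrypted in transit.
  endpoint: ""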
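# HTTP server and identity settings.
server:
  # Listen address, e.g. ":8080" or "0.0.0.0:8080".
  # A bare ":8080" binds every interface. Quoted because the value starts
  # with a YAML indicator character.
  # NOTE(review): this file has no TLS settings, so TLS is presumably
  # terminated by a reverse proxy in front of the service — confirm.
  addr: ":8080"
  # Externally reachable URL used for did:web identity (REQUIRED), e.g. "https://hold.example.com".
  # did:web identities are resolved over HTTPS, so use an https:// URL in production.
  public_url: ""
  # Allow unauthenticated blob reads. If false, readers need crew membership.
  # Setting this to true makes every blob in the hold readable by anyone who
  # can reach the listener.
  public: false
  # Use localhost for OAuth redirects during development.
  # Keep false on any deployment reachable by real users.
  test_mode: false
  # Request crawl from this relay on startup to make the embedded PDS discoverable.
  relay_endpoint: ""
  # Read timeout for HTTP requests.
  read_timeout: 5m0s
  # Write timeout for HTTP requests.
  write_timeout: 5m0s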
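# Auto-registration and bootstrap settings.
registration:
  # DID of the hold captain. If set, auto-creates captain and profile records on startup.
  # Double-check this value: the DID named here becomes the hold's owner.
  owner_did: ""
  # Create a wildcard crew record allowing any authenticated user to join.
  # Leave false unless the hold is meant to be open. If enabled, set quota
  # tiers (see the quota section) so new members cannot consume storage
  # without a limit.
  allow_all_crew: false
  # URL to fetch avatar image from during bootstrap.
  # This is an outbound request made by the service at startup; point it at
  # a host you trust, or one you control if egress is restricted.
  profile_avatar_url: https://atcr.io/web-app-manifest-192x192.png
  # Post to Bluesky when users push images. Synced to captain record on startup.
  # Enabling this publicly announces pushes made to this hold.
  enable_bluesky_posts: false
  # Deployment region, auto-detected from cloud metadata or S3 config.
  region: ""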
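# Embedded PDS database settings.
database:
  # Directory for the embedded PDS database (carstore + SQLite).
  # By default the signing key also lives here (see key_path), so restrict
  # this directory to the account that runs the service.
  path: /var/lib/atcr-hold
  # PDS signing key path. Defaults to {database.path}/signing.key.
  # Private key material: keep it owner-readable only and include it in
  # backups.
  # NOTE(review): the effect of losing or replacing this key on the hold's
  # identity is not described here — confirm before rotating.
  key_path: ""
  # libSQL sync URL (libsql://...). Works with Turso cloud, Bunny DB, or
  # self-hosted libsql-server. Leave empty for local-only SQLite.
  # When set, database contents are synced to that remote server.
  libsql_sync_url: ""
  # Auth token for libSQL sync. Required if libsql_sync_url is set.
  # Secret: do not commit a populated value; restrict read access to this file.
  libsql_auth_token: ""
  # How often to sync with remote libSQL server. Default: 60s.
  libsql_sync_interval: 1m0s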
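# Admin panel settings.
admin:
  # Enable the web-based admin panel for crew and storage management.
  # Enabled by default. Set to false if the panel is not used.
  # NOTE(review): how the panel authenticates callers is not described in
  # this file — confirm it is limited to the hold owner before exposing the
  # listener (server.addr) to the internet.
  enabled: true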
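# Garbage collection settings.
gc:
  # Enable nightly garbage collection of orphaned blobs and records.
  # NOTE(review): collection removes data from the hold; confirm backup and
  # retention expectations before enabling.
  enabled: false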
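# Storage quota tiers. Empty disables quota enforcement.
# With quotas disabled, crew members have no storage limit enforced by the
# hold; keep tiers defined if registration.allow_all_crew is enabled.
# NOTE(review): nesting below (tiers -> rank -> quota, and defaults beside
# tiers) follows the comments on each key — confirm against the generator.
quota:
  # Quota tiers keyed by rank name. Each tier has a human-readable quota limit.
  tiers:
    bosun:
      # Storage quota limit (e.g. "5GB", "50GB", "1TB").
      quota: 50GB
    deckhand:
      # Storage quota limit (e.g. "5GB", "50GB", "1TB").
      quota: 5GB
    quartermaster:
      # Storage quota limit (e.g. "5GB", "50GB", "1TB").
      quota: 100GB
  # Default tier assignment for new crew members.
  defaults:
    # Tier assigned to new crew members who don't have an explicit tier.
    # Keep this on the smallest tier so unreviewed members get the least storage.
    new_crew_tier: deckhand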
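# Vulnerability scanner settings. Empty disables scanning.
scanner:
  # Shared secret for scanner WebSocket auth. Empty disables scanning.
  # Anyone holding this value can authenticate as a scanner, so use a long,
  # randomly generated string, do not commit it, and rotate it if this file
  # is ever exposed.
  secret: ""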