Ente Photos + Garage S3 Deployment on Incus Containers

Automated deployment of self-hosted Ente Photos with Garage S3 storage on Incus containers.

Author

Roberto Mello (roberto.mello@gmail.com)

Prerequisites

• Linux host with Incus installed and configured
• sudo access
• openssl and git installed
• Network configured for container IP assignment

Quick Start

git clone <this-repo> ente-incus
cd ente-incus
./setup.sh

The interactive script will guide you through configuration.

What Gets Deployed

Container	Purpose
garage-s3	S3-compatible object storage for photos
ente	Museum server (Ente API)
postgres	PostgreSQL database (optional)
step-ca	Internal TLS certificate authority (optional)

Configuration Options

Network

• Static IP addresses for each container
• Support for default bridge or macvlan networks

Storage

• Local: Directory on host mounted into container
• iSCSI: Connect to remote iSCSI target (e.g., Synology NAS)

PostgreSQL

• Create new container, or use existing PostgreSQL server
• Recommendation: For production deployments, use a high availability PostgreSQL setup (e.g., Patroni, Stolon, or managed PostgreSQL service) rather than a single-container deployment

Authentication (OTP)

• Hardcoded: Specify email domain and fixed OTP (simpler for self-hosted)
• SMTP: Real email delivery for OTPs

Build Mode

• Release: Download pre-built binaries from GitHub
• Source: Clone and build from source (requires Go)

Internal TLS (Optional)

• Step-CA provides automatic certificate management for internal services

Generated Files

After running the setup, you'll find:

File	Contents
generated-secrets-*.txt	All passwords and keys (save securely!)
deployment-config-*.env	Non-secret configuration values
generated-proxy-configs/	Reverse proxy configs (Caddy, Traefik, nginx)

Post-Deployment Steps

1. Configure reverse proxy using generated configs in generated-proxy-configs/
2. Set up DNS pointing your domains to the proxy
3. Install Ente app (iOS/Android/Desktop)
4. Configure server endpoint in app settings
5. Create account using your configured email domain

Directory Structure

ente-incus/
├── setup.sh              # Main installer script
├── modules/
│   ├── garage.sh         # Garage S3 deployment
│   ├── ente.sh           # Museum server deployment
│   ├── postgresql.sh     # PostgreSQL deployment
│   └── step-ca.sh        # Step-CA deployment
├── templates/            # (reserved for future templates)
└── README.md

Customization

The modular design allows you to:

• Run individual modules separately
• Modify configuration templates
• Add new storage backends
• Extend with additional services

Troubleshooting

Container won't start

sudo incus list                    # Check container status
sudo incus info <container>        # Detailed info
sudo incus exec <container> -- journalctl -xe

Network issues

sudo incus exec <container> -- ip addr
sudo incus exec <container> -- ping 8.8.8.8

Service not running

sudo incus exec <container> -- systemctl status <service>
sudo incus exec <container> -- journalctl -u <service> -f

Database connection failed

sudo incus exec ente -- pg_isready -h <postgres-ip> -U ente

Re-running Setup

The setup script creates new containers. To redeploy:

# Remove existing containers
sudo incus delete --force garage-s3 ente postgres step-ca

# Run setup again
./setup.sh

Security Notes

• Generated secrets are stored in plaintext files - secure them appropriately
• The hardcoded OTP mode is convenient but less secure than SMTP
• Review firewall rules to limit container network access
• Consider enabling Step-CA for internal TLS

License

MIT