Configuration
All server settings live in a single config.toml file. This page documents every field.
Core Settings
| Field | Description | Example |
| --- | --- | --- |
| domain | Your server's domain name | "chat.example.com" |
| listen_addr | Address to listen on | ":443" or ":8080" |
| data_dir | Path to data directory (DB + files) | "./data" |
| transport | Transport mode | "https", "cloudflare", or "vless" |
Security
| Field | Description |
| --- | --- |
| secret | 64-character hex string. Master secret used to derive JWT signing keys and encryption keys via HKDF. Generated by the setup wizard. Never share this. |
| previous_secrets | Array of old secrets. When you rotate the master secret, move the old one here. Old messages encrypted with previous secrets can still be decrypted. |
| salt | 64-character hex string. Used in HKDF key derivation alongside the secret. Generated by the setup wizard. |
| bootstrap_token | UUID for the first invite link. Used once during initial setup. Can be removed after the first user registers. |
TURN Server
| Field | Description | Default |
| --- | --- | --- |
| public_ip | Your server's public IP address. Used by the TURN server for WebRTC relay. | Auto-detected |
| turn_port | UDP port for the TURN server | 3478 |
[acme] Section (HTTPS Mode)
Used only when transport = "https".
| Field | Description |
| --- | --- |
| email | Email for Let's Encrypt notifications (expiry warnings) |
| cert_dir | Directory to store TLS certificates |
| http_addr | Address for HTTP-01 challenge listener (default ":80") |
[cloudflare] Section (Cloudflare Mode)
Used only when transport = "cloudflare".
| Field | Description |
| --- | --- |
| trust_proxy | Trust CF-Connecting-IP header (should be true) |
| origin_cert | Path to Cloudflare origin certificate (optional, for encrypted origin connection) |
| origin_key | Path to Cloudflare origin private key |
[stealth] Section (VLESS Mode)
Used only when transport = "vless".
| Field | Description |
| --- | --- |
| keys.uuid | VLESS client UUID |
| keys.private_key | X25519 private key for REALITY |
| keys.public_key | X25519 public key (shared with clients) |
| keys.short_id | Short ID for client authentication |
| sni | Server Name Indication (default "www.microsoft.com") |
| fallback_addr | Where non-VLESS traffic is forwarded (the cover website) |
Example config.toml
domain = "chat.example.com"
listen_addr = ":443"
data_dir = "./data"
transport = "https"
secret = "a1b2c3d4...64-char-hex..."
salt = "e5f6a7b8...64-char-hex..."
bootstrap_token = "uuid-here"
public_ip = "203.0.113.10"
turn_port = 3478
[acme]
email = "[email protected]"
cert_dir = "./certs"
http_addr = ":80"
The config.toml file contains your master secret and encryption keys. Keep it secure. The server enforces file permissions of 0600 (owner read/write only) and will warn if the file is more permissive.
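The rules stated on this page can be checked before deployment. The following is an added example, not code from the server itself: the function names `file_mode`, `audit` and `audit_file` are hypothetical, and the checks only mirror what this page documents (0600 permissions, 64-character hex `secret` and `salt`, rotated secrets in `previous_secrets`, transport-specific sections, `trust_proxy`, and a leftover `bootstrap_token`).

```python
import os
import re
import stat

HEX64 = re.compile(r"[0-9a-fA-F]{64}")
# Transport mode -> the section this page says is used only in that mode.
SECTION_FOR = {"https": "acme", "cloudflare": "cloudflare", "vless": "stealth"}


def file_mode(path):
    """Return the permission bits of path (for example 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(cfg, mode):
    """Return a list of findings for a parsed config dict and its file mode."""
    findings = []
    if mode & 0o177:  # any bit beyond owner read/write
        findings.append(f"file mode {mode:04o} is more permissive than 0600")
    for field in ("secret", "salt"):
        if not HEX64.fullmatch(str(cfg.get(field, ""))):
            findings.append(f"{field} is not a 64-character hex string")
    for i, old in enumerate(cfg.get("previous_secrets", [])):
        if not HEX64.fullmatch(str(old)):
            findings.append(f"previous_secrets[{i}] is not a 64-character hex string")
        elif old == cfg.get("secret"):
            findings.append(f"previous_secrets[{i}] equals the current secret")
    transport = cfg.get("transport")
    if transport not in SECTION_FOR:
        findings.append(f"unknown transport {transport!r}")
    for mode_name, section in SECTION_FOR.items():
        if section in cfg and mode_name != transport:
            findings.append(f"[{section}] is only used when transport = {mode_name!r}")
    if transport == "cloudflare" and cfg.get("cloudflare", {}).get("trust_proxy") is not True:
        findings.append("cloudflare.trust_proxy should be true")
    if "bootstrap_token" in cfg:
        findings.append("bootstrap_token present; remove it after the first user registers")
    return findings


def audit_file(path):
    """Parse config.toml at path (needs Python 3.11+ for tomllib) and audit it."""
    import tomllib
    with open(path, "rb") as fh:
        return audit(tomllib.load(fh), file_mode(path))
```

An empty list from `audit_file("config.toml")` means none of these checks fired; it does not validate key material beyond its format.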