Configuration
All server settings live in a single config.toml file. This page documents every field.
Core Settings
| Field | Description | Example |
|---|---|---|
| domain | Your server's domain name | "chat.example.com" |
| listen_addr | Address to listen on | ":443" or ":8080" |
| data_dir | Path to data directory (DB + files) | "./data" |
| transport | Transport mode | "https", "cloudflare", or "vless" |
Security
| Field | Description |
|---|---|
| secret | 64-character hex string. Master secret used to derive JWT signing keys and encryption keys via HKDF. Generated by the setup wizard. Never share this. If protected with freedom-mess protect-secret, this field is empty on disk and the encrypted envelope is stored in [encrypted_secret]. |
| [encrypted_secret] | Optional AES-256-GCM envelope for the current master secret. The unlock key is derived from the server passphrase with Argon2id. Previous secrets are stored in [[encrypted_previous_secrets]]. Use FREEDOM_MESS_CONFIG_PASSPHRASE_FILE or systemd credentials for unattended restarts. |
| previous_secrets | Array of old secrets. When you rotate the master secret, move the old one here. Old messages encrypted with previous secrets can still be decrypted. When protected, these are stored as [[encrypted_previous_secrets]] entries. |
| salt | 64-character hex string. Used in HKDF key derivation alongside the secret. Generated by the setup wizard. |
| bootstrap_token | UUID for the first invite link. Used once during initial setup. Can be removed after the first user registers. |
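The table above says the master secret and salt feed HKDF to produce separate JWT-signing and encryption keys, and that old secrets kept in previous_secrets still let old messages be decrypted. The following is an added illustration of that derivation model, not freedom-mess's own code: it implements RFC 5869 HKDF-SHA256 from the standard library and derives one key per purpose. The purpose labels (`jwt-signing`, `message-encryption`), the 32-byte key length and the sample secrets are assumptions; the project's real info strings are not documented on this page.

```python
import hashlib
import hmac

# Assumed purpose labels; the server's actual HKDF "info" values are not on this page.
PURPOSES = ("jwt-signing", "message-encryption")


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract step
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand step: T(i) = HMAC(PRK, T(i-1) | info | i)
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_keys(secret_hex: str, salt_hex: str) -> dict[str, bytes]:
    """Derive one independent 32-byte key per purpose from the 64-char hex secret and salt.

    Using a distinct info label per purpose keeps the JWT-signing key and the
    message-encryption key unrelated even though both come from one master secret.
    """
    if len(secret_hex) != 64 or len(salt_hex) != 64:
        raise ValueError("secret and salt must be 64 hex characters (32 bytes)")
    ikm, salt = bytes.fromhex(secret_hex), bytes.fromhex(salt_hex)
    return {purpose: hkdf_sha256(ikm, salt, purpose.encode()) for purpose in PURPOSES}


def key_ring(secret_hex: str, previous_secrets: list[str], salt_hex: str) -> list[dict[str, bytes]]:
    """Current keys first, then the keys of each previous secret.

    After a rotation the server tries the current keys, then each older set,
    which is why previous_secrets must keep the old values rather than drop them.
    """
    return [derive_keys(s, salt_hex) for s in [secret_hex, *previous_secrets]]


# Constructed sample values (not real secrets): a rotated secret, the old one, and the salt.
CURRENT_SECRET = "11" * 32
OLD_SECRET = "22" * 32
SALT = "33" * 32

if __name__ == "__main__":
    ring = key_ring(CURRENT_SECRET, [OLD_SECRET], SALT)
    for i, keys in enumerate(ring):
        label = "current" if i == 0 else f"previous[{i - 1}]"
        for purpose, key in keys.items():
            print(f"{label:12} {purpose:20} {key.hex()}")
```

The point to take from running it: rotating the secret changes every derived key, and nothing derived from the old secret can be recovered without it, so previous_secrets (or its encrypted form) is as sensitive as the current secret.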
Protecting the master secret
Current Linux setup scripts protect new configs automatically. Existing plaintext configs remain supported; to encrypt one in place, run:

```sh
freedom-mess protect-secret
```

Interactive runs prompt for the passphrase. For unattended systemd restarts, store the passphrase in an owner-only file and point the service at it:

```sh
sudo install -d -o freedom-mess -g freedom-mess -m 700 /etc/freedom-mess
sudo sh -c 'umask 077; cat > /etc/freedom-mess/config-passphrase'
sudo chown freedom-mess:freedom-mess /etc/freedom-mess/config-passphrase
```

Then, in the unit's [Service] section:

```ini
Environment=FREEDOM_MESS_CONFIG_PASSPHRASE_FILE=/etc/freedom-mess/config-passphrase
```

On modern systemd deployments, prefer service credentials:

```ini
LoadCredential=freedom-mess-config-passphrase:/etc/freedom-mess/config-passphrase
```

TURN Server
| Field | Description | Default |
|---|---|---|
| public_ip | Your server's public IP address. Used by the TURN server for WebRTC relay. | Auto-detected |
| turn_port | UDP port for the TURN server | 3478 |
[acme] Section (HTTPS Mode)
Used only when transport = "https".
| Field | Description |
|---|---|
| email | Email for Let's Encrypt notifications (expiry warnings) |
| cert_dir | Directory to store TLS certificates |
| http_addr | Address for HTTP-01 challenge listener (default ":80") |
[cloudflare] Section (Cloudflare Mode)
Used only when transport = "cloudflare".
| Field | Description |
|---|---|
| trust_proxy | Trust CF-Connecting-IP header (should be true) |
| origin_cert | Path to Cloudflare origin certificate (optional, for encrypted origin connection) |
| origin_key | Path to Cloudflare origin private key |
[stealth] Section (VLESS Mode)
Used only when transport = "vless".
| Field | Description |
|---|---|
| keys.uuid | VLESS client UUID |
| keys.private_key | X25519 private key for REALITY |
| keys.public_key | X25519 public key (shared with clients) |
| keys.short_id | Short ID for client authentication |
| sni | Server Name Indication (default "www.microsoft.com") |
| fallback_addr | Where non-VLESS traffic is forwarded (the cover website) |
Example config.toml

```toml
domain = "chat.example.com"
listen_addr = ":443"
data_dir = "./data"
transport = "https"
secret = "a1b2c3d4...64-char-hex..."
salt = "e5f6a7b8...64-char-hex..."
bootstrap_token = "uuid-here"
public_ip = "203.0.113.10"
turn_port = 3478

[acme]
email = "[email protected]"
cert_dir = "./certs"
http_addr = ":80"
```

The config.toml file contains your master secret unless protect-secret has been run. Keep config backups and the unlock passphrase separate. The server enforces file permissions of 0600 (owner read/write only) and will warn if the file is more permissive.