The configuration file, specified by the -c CONFIGFILE command line option, allows you to specify some startup options. These cannot be stored in a configuration zettel because they are needed before Zettelstore can start or because of security reasons. For example, Zettelstore needs to know in advance on which network address it must listen or where zettel are stored. An attacker that is able to change the owner can do anything. Therefore, only the owner of the computer on which Zettelstore runs can change this information.
The file for startup configuration must be created via a text editor in advance.
The syntax of the configuration file is the same as for any zettel metadata. The following keys are supported:
admin-port
Specifies the TCP port through which you can reach the administrator console. A value of 0 (the default) disables it. The administrator console will only be enabled if Zettelstore is started with the run sub-command.
On most operating systems, the value must be greater than 1024 unless you start Zettelstore with the full privileges of a system administrator (which is not recommended).
Default: 0
asset-dir
Allows to specify a directory whose files are allowed be transferred directly with the help of the web server. The URL prefix for these files is /assets/. You can use this if you want to transfer files that are too large for a zettel, such as presentation, PDF, music or video files.
Files within the given directory will not be managed by Zettelstore. They will be managed by Zettelstore just in the very special case that the directory is one of the configured boxes.
If you specify only the URL prefix in your web client, the contents of the directory are listed. To avoid this, create an empty file in the directory named index.html.
Default: , no asset directory is set, the URL prefix /assets/ is invalid.
base-url
Sets the absolute base URL for the service.
Note: url-prefix must be the suffix of base-url, otherwise the web service will not start.  Default: http://127.0.0.1:23123/.
box-uri-X, where X is a number greater or equal to one
Specifies a box where zettel are stored. During startup, X is incremented, starting with one, until no key is found. This allows to configuring than one box.
If no box-uri-1 key is given, the overall effect will be the same as if only box-uri-1 was specified with the value dir://.zettel. In this case, even a key box-uri-2 will be ignored.
debug-mode
If set to true, allows to debug the Zettelstore software (mostly used by Zettelstore developers). Disables any timeout values of the internal web server and does not send some security-related data. Sets log-level to debug. Enables runtime-profiling.
Do not enable it for a production server.
Default: false
default-dir-box-type
Specifies the default value for the (sub-)type of directory boxes, in which Zettel are typically stored.
Default: notify
insecure-cookie
Must be set to true if authentication is enabled and Zettelstore is not accessible via HTTPS (but via HTTP). Otherwise web browsers are free to ignore the authentication cookie.
Default: false
insecure-html
Allows to use HTML, e.g. within supported markup languages, even if this might introduce security-related problems. However, HTML containing the <script> or the <iframe> tag is always ignored. But due to clever ways of combining HTML, CSS, JavaScript, there might be some negative security consequences. Please be aware of this!
Allowed values: html (allow zettel with syntax html), markdown (html, plus allow inline HTML for Markdown markup only), zettelmarkup (markdown, plus allow inline HTML for Zettelmarkup). Any other value is interpreted as secure.
Default: secure.
listen-addr
Configures the network address, where the Zettelstore service is listening for requests. The syntax is: [NETWORKIP]:PORT, where NETWORKIP is the IP address of the networking interface (or something like 0.0.0.0 if you want to listen on all network interfaces), and PORT is the TCP port.
Default value: 127.0.0.1:23123
log-level
Specify the logging level for the whole application or for a given (internal) service, overwriting the level debug set by configuration debug-mode. Can be changed at runtime, even for specific internal services, with the log-level command of the administrator console.
Several specifications are separated by the semicolon character (;, U+003B). Each consists of an optional service name, together with the colon character (:, U+003A), followed by the logging level.
Default: info.
Examples: error will produce just error messages (e.g. no info messages). error;web:debug will emit debugging messages for the web component of Zettelstore while still producing error messages for all other components.
When you are familiar with operating the Zettelstore, you might set the level to error to receive fewer noisy messages from it.
max-request-size
It limits the maximum byte size of a web request body to prevent clients from accidentally or maliciously sending a large request and wasting server resources. The minimum value is 1024.
Default: 16777216 (16 MiB).
owner
Identifier of a zettel that contains data about the owner of the Zettelstore. The owner has full authorization for the Zettelstore. Only if set to some value, user authentication is enabled.
Ensure that the key secret is set to a value of at least 16 bytes, otherwise the Zettelstore will not start for security reasons.
persistent-cookie
A boolean value to make the access cookie persistent. This is helpful if you access the Zettelstore via a mobile device. On these, the operating system is free to stop the web browser and to remove temporary cookies. Therefore, an authenticated user will be logged off.
If true, a persistent cookie is used. Its lifetime exceeds the lifetime of the authentication token by 30 seconds (see option token-lifetime-html).
Default: false
read-only-mode
If set to a true value the Zettelstore service puts into a read-only mode. No changes are possible.
Default: false.
runtime-profiling
A boolean value that enables a web interface to obtain runtime profiling information.
Default: false, but it is set to true if debug-mode is enabled. In this case, it cannot be disabled.
secret
A string value to make the communication with external clients strong enough so that sessions of the web user interface or API access token cannot be altered by some external unfriendly party. The string must have a length of at least 16 bytes.
This value is only needed to be set if authentication is enabled by setting the key owner to some user identification value.
token-lifetime-api, token-lifetime-html
Define lifetime of access tokens in minutes. Values are only valid if authentication is enabled, i.e. key owner is set.
token-lifetime-api is for accessing Zettelstore via its API. Default: 10.
token-lifetime-html specifies the lifetime for the HTML views. It is automatically extended when a new HTML view is rendered. Default: 60.
url-prefix
Add the given string as a prefix to the local part of a Zettelstore local URL/URI when rendering zettel representations. It must begin and end with a slash character (/, U+002F).
Note: url-prefix must be the suffix of base-url, otherwise the web service will not start.
Default: /.
This allows to use a forwarding proxy server in front of the Zettelstore.
verbose-mode
Be more verbose when logging data, if set to a true value.
Default: false