# =============================================================================
# Muse — example configuration
# =============================================================================
#
# Copy this file to `config.yaml` (next to the `backend/` package) and edit
# to taste. Any setting may also be overridden via an environment variable
# with the prefix MUSE_ (e.g. MUSE_DATABASE_PATH=/var/muse/muse.db).
#
# Settings precedence (highest first):
# 1. environment variables (MUSE_*)
# 2. config.yaml
# 3. built-in defaults
# -----------------------------------------------------------------------------
# --- Library --------------------------------------------------------------- #
# One or more directories to scan for music. These appear as the
# "music folders" in Subsonic clients (getMusicFolders).
# Use absolute paths. Symlinks are NOT followed by default; leaving it that
# way keeps the scan from wandering outside the roots listed here.
# Keep this list to directories that hold only media: files under these
# roots that match audio_extensions are what the scan considers.
music_folders:
- /srv/music
# - /mnt/nas/music
# Audio file extensions Muse will consider during the scan.
# Written without the leading dot.
# NOTE(review): whether matching is case-insensitive (e.g. "MP3") is not
# stated here — confirm against the scanner.
audio_extensions:
- mp3
- flac
- m4a
- aac
- ogg
- opus
- wma
- wav
# --- Storage --------------------------------------------------------------- #
# Where to keep the SQLite database. Should be on a local disk (not over a
# network mount) for both performance and corruption safety.
# The user table bootstrapped in the Auth section is presumably stored in
# this database, so keep the file and its directory readable and writable
# only by the account that runs Muse.
# NOTE(review): relative paths are presumably resolved against the server's
# working directory — confirm, or use an absolute path.
database_path: ./data/muse.db
# Where to cache extracted album artwork as image files.
# The server writes to this directory, so it must be writable by the
# account that runs Muse.
artwork_cache_dir: ./data/artwork
# --- Scanner --------------------------------------------------------------- #
# Whether to kick off a full scan on every server start.
# Recommended: false in production (use the /api/scan endpoint or a cron job).
scan_on_startup: false
# Number of worker threads used to parse metadata in parallel.
# 4-8 is a good range; metadata parsing is CPU-light but I/O-heavy.
scanner_workers: 4
# How many tracks to batch into a single database transaction during scan.
# Larger = faster; smaller = more granular crash recovery.
scanner_batch_size: 200
# Periodic-rescan watcher. When enabled, a background thread triggers
# `start_scan_async()` every `scanner_watch_interval_seconds`. This is the
# right tool when your music sits on a NAS modified from another machine —
# Linux inotify can't see remote writes, so a real filesystem-event watcher
# would silently never fire. The existing diff-based scanner short-circuits
# on unchanged mtime+size, so an idle tick over a 50k-file library only
# costs a few seconds of stat() work. That cost repeats on every tick, so
# keep the interval generous for large libraries on slow network mounts.
scanner_watch_enabled: false
# Interval between ticks, in seconds.
scanner_watch_interval_seconds: 300 # 5 minutes; floor of 30s enforced at runtime
# --- Streaming ------------------------------------------------------------- #
# Paths to ffmpeg and ffprobe. Use "ffmpeg"/"ffprobe" if they are on PATH,
# or absolute paths for static builds or containers without system packages.
# A bare name is looked up through the PATH of the server process; an
# absolute path pins exactly which binary is run, which is the safer choice
# when that PATH includes directories other accounts can write to.
ffmpeg_binary: ffmpeg
ffprobe_binary: ffprobe
# Master kill-switch for transcoding. When false, every stream request returns
# the original file regardless of what the client asked for. Useful on
# local-only installs where the transcoding CPU overhead isn't worth it.
transcoding_enabled: true
# Default format when the client doesn't request a specific one.
# "raw" streams files in their original format without transcoding.
# Set to "mp3" or "opus" to transcode by default (handy for mobile streaming).
default_transcode_format: raw
# Default bitrate (kbps) used when transcoding and the client didn't specify.
default_transcode_bitrate: 192
# Hard cap on the bitrate (kbps) the server will ever serve. Clients requesting
# higher, or raw files above this rate, are transcoded down to this limit.
# Unset (commented out) means no cap.
# NOTE(review): how this cap interacts with transcoding_enabled: false is
# not stated here — confirm which setting wins.
# max_streaming_bitrate: 320
# Buffer size for streaming chunks (bytes). 64 KB is a good default.
stream_chunk_size: 65536
# --- Auth ------------------------------------------------------------------ #
# Initial admin credentials. Used ONLY to bootstrap the user table on first
# run; changing them later in this file does NOT reset the admin password.
# CHANGE THESE BEFORE EXPOSING THE SERVER.
# To keep the password out of this file, supply it through the environment
# instead (MUSE_ADMIN_PASSWORD, following the MUSE_ prefix rule described at
# the top of this file). If it is set here, restrict read access to
# config.yaml and keep the file out of version control.
admin_username: admin
admin_password: "CHANGE_ME"
# JWT signing secret for the web UI session tokens. CHANGE THIS to a long
# random string in production. If left as the default, a dev placeholder is
# used — tokens survive restarts but are not safe for production, because
# the placeholder is a publicly known value and whoever knows the signing
# secret can produce tokens the server accepts.
# Generate a value with:
#   python3 -c 'import secrets; print(secrets.token_hex(32))'
# and prefer passing it as MUSE_JWT_SECRET (same MUSE_ prefix rule) over
# storing it in this file.
# NOTE(review): changing the secret presumably invalidates every token
# already issued — confirm.
jwt_secret: "CHANGE_ME_generate_with_python3_-c_import_secrets_print_secrets.token_hex(32)"
# How long web-UI JWTs stay valid (hours). Default: 24.
# Shorter limits the blast radius of a stolen token and the window during
# which a disabled account can keep using a still-valid web session.
# Bump higher (e.g. 168 for a week) if re-login frequency annoys users.
jwt_expiry_hours: 24
# --- Auth Rate Limit ------------------------------------------------------------------ #
# Rate limit for login attempts. Format: "count/period"
# Examples: "5/minute", "100/hour", "3/second"
# Increase if legitimate users are being blocked; decrease to harden against brute force.
# NOTE(review): what the limit is counted against (client IP, username, or
# both) is not stated here. If it is the client IP and Muse sits behind a
# reverse proxy, every client may appear as the proxy's address — confirm
# how forwarded addresses are handled before relying on this setting.
auth_rate_limits: "5/minute"
# --- External integrations ------------------------------------------------- #
# Optional Last.fm API key. When set, artist pages show a short biography
# fetched from Last.fm. Without it, artist pages work fine but show no bio.
# Get a free key at https://www.last.fm/api/account/create
# Treat the key as a credential: prefer the MUSE_LASTFM_API_KEY environment
# variable (following the MUSE_ prefix rule described at the top of this
# file) over committing it in config.yaml.
# lastfm_api_key: ""
# --- Network --------------------------------------------------------------- #
# CORS origins for the web UI. List EVERY origin (scheme + host + port) that
# loads the frontend in a browser and calls this API.
#
# Do NOT use "*". With allow_credentials=True (required for JWT / auth headers
# on cross-origin requests), Starlette refuses to emit the CORS header when
# origins is "*", which silently breaks every request from the browser.
#
# Every origin listed here may call the API from a user's browser with that
# user's credentials, so list only frontends you control and remove the
# dev-server entries below on a production install.
cors_origins:
- "http://localhost:5173" # Vite dev server
- "http://127.0.0.1:5173"
# - "https://yoursite.co.uk" # production frontend
# - "http://10.0.10.5:8080" # LAN-served frontend
# Bind address and port. "0.0.0.0" listens on all interfaces, which makes the
# login and streaming endpoints reachable from every network the host is
# attached to. Use "127.0.0.1" when a reverse proxy on the same machine
# fronts Muse.
# NOTE(review): no TLS settings appear in this file, so passwords and JWTs
# presumably cross this listener unencrypted unless HTTPS is terminated in
# front of it — confirm.
host: 0.0.0.0
port: 4040
# Display name sent to Subsonic clients (shown in some client UIs).
server_name: Muse
# Expose FastAPI's auto-generated /docs, /redoc, and /openapi.json publicly.
# Keep false in production — the docs page is a complete map of every endpoint
# and parameter, useful to attackers planning where to probe. Flip to true in
# development if you want Swagger UI handy.
expose_docs: false
# --- Logging --------------------------------------------------------------- #
# Verbosity of the server log.
# NOTE(review): Subsonic clients commonly pass credentials as URL query
# parameters; check that request lines written to the log (at DEBUG
# especially) do not record them — confirm against the logging setup.
log_level: INFO # DEBUG | INFO | WARNING | ERROR