Server Guide
Zann server provides the API, shared vaults, and token issuance for CLI access.
Overview
Section titled “Overview”- HTTP API for clients (desktop and CLI)
- Shared vault encryption and access control
- Service account tokens for automation
Running locally (Docker Compose)
Section titled “Running locally (Docker Compose)”git clone https://github.com/constXife/zanncd zanndocker compose up -dPrebuilt image
Section titled “Prebuilt image”docker pull constxife/zann-server:latestConfiguration
Section titled “Configuration”Start from config/config.example.yaml and supply required secrets via env:
ZANN_PASSWORD_PEPPERZANN_TOKEN_PEPPERZANN_SMK_FILEorserver.master_keyZANN_CONFIG_PATH
Environment variables
Section titled “Environment variables”Common env vars:
ZANN_CONFIG_PATH- path to the server config fileZANN_ENV- environment name (prodenables stricter output in health checks)ZANN_PASSWORD_PEPPER/ZANN_PASSWORD_PEPPER_FILEZANN_TOKEN_PEPPER/ZANN_TOKEN_PEPPER_FILEZANN_SMK/ZANN_SMK_FILE
Migrations
Section titled “Migrations”Run database migrations via the server CLI:
zann-server migrateTokens (service accounts)
Section titled “Tokens (service accounts)”Create and manage tokens for CLI automation:
zann-server token create ci-prod infra:/zann-server token listzann-server token revoke <token_id>For server-side bootstrap flows, use the privileged provisioning helpers:
zann-server provision ensure-system-userzann-server provision ensure-vault --name Infrastructure --slug infrazann-server provision set-field --vault infra --path rlyeh/yogg/grafana --key client_id --value grafana-rlyehzann-server provision ensure-token yogg-grafana infra:rlyeh/yogg/grafana read --write-token-file /run/secrets/yogg-zann-tokenHealth endpoint
Section titled “Health endpoint”The server exposes a health check at:
GET /healthIt includes component status (db, db_pool, kdf, oidc) and version info.
Security notes
Section titled “Security notes”- Prefer HTTPS and pin the server fingerprint in clients.
- Keep token scopes narrow and rotate regularly.