Everlock modular self-hosting in one binary
Search RSS feed

Documentation

Last updated in git: 2026-06-11

Image backend

The image family is currently implemented as backend-image-http.

Current state

  • implemented and active
  • served over frontend-http
  • host-dispatched by vhost, similar to sites and OCI
  • authenticated through Everlock users
  • authorized through Everlock grants on http/image/<instance>

What it does

  • provides an HTTP-facing image and media backend
  • supports multiple logical image instances from one Everlock process
  • integrates with jobs for derived work
  • is meant to stay transport-agnostic behind the HTTP frontend
  • generates image captions through the shared everlock-ai-runtime when backend-ai-ssh is enabled — no second model load

Managing instances

Instances are managed through the admin CLI:

/image list
/image create <name> [store=<name>] vhost=<host>
/image set    <name> vhost=<host>
/image unset  <name> vhost=<host>
/image delete <name>

Adding or removing vhosts takes effect immediately without a restart. Creating or deleting an instance requires a restart.

Instance layout

Each instance has:

  • one Everlock store
  • one or more vhost names
  • one Everlock access path http/image/<instance>

The public URL advertised by the instance is derived automatically from the primary vhost (https://<first-vhost>). To use a different scheme or port, set public_url explicitly in config/image-http.toml:

[instances.default]
store = "everlock-image"
vhosts = ["images.example.com"]

[instances.family]
store = "family-images"
vhosts = ["photos.example.net"]
# public_url = "https://photos.example.net"  # only needed to override

The CLI flags --backend-image-http-vhost and --backend-image-http-store remain available as a bootstrap path that creates a single instance named default. The --backend-image-http-public-url flag is still accepted but no longer necessary since the URL is derived from the vhost.

Access control

The image backend uses one Everlock access path per configured image instance:

http/image/<instance>

The default instance name is default, so the default path is:

http/image/default

Role mapping is HTTP-method based:

  • Reader for GET / HEAD / OPTIONS
  • Writer for POST / PUT / PATCH
  • Owner for DELETE

Examples:

/users grant alice http/image/default reader
/users grant alice http/image/default writer
/users grant alice http/image/default owner

Password login for the embedded image app is backed by Everlock users. A user must have at least Reader on the image instance to log in at all.

Public anon access is not implemented for the image backend today.

images backend