Note
A privacy-first communication ecosystem for couples, featuring a self-hosted backend and a specialized Android client.
- Core Features
- Architecture Overview
- 1-Click Production Deployment (Recommended)
- Local Development Setup
- Advanced Production Deployment (Manual)
- Troubleshooting & Commands
- Credits & Open Source Acknowledgements
- End-to-end encrypted chat (Signal-style key/session model)
- Encrypted media sharing
- WebRTC calls via self-hosted signaling + TURN
- Private vault + backups
- Lounge/status experiences (stories, shared interactions)
- Self-hosted notifications through Ntfy
Tip
See the detailed SYSTEM_ARCHITECTURE.md and REPO_STRUCTURE.md for a deeper dive.
```mermaid
graph TD
    A[Android App] <-->|HTTPS API| B[Supabase Kong Gateway]
    A <-->|WSS Signaling| C[Node.js Signaling Server]
    A <-->|ICE/STUN/TURN| D[Coturn]
    B --> E[(PostgreSQL)]
    B --> F[Supabase Auth / Realtime / Storage]
    A <-->|Private push| G[Ntfy]
```
The easiest way to deploy the entire production backend (Supabase, WebRTC, Ntfy, Nginx, SSL) is using the automated script on a fresh Ubuntu 22.04 or 24.04 server.
Important
Make sure you have your DNS records pointing to your server IP before running this script. Disable Cloudflare proxying (orange cloud).
```bash
curl -fsSL https://enclave.saifmukhtar.dev/install | sudo bash
```
This script will prompt you for your root domain and automatically provision `api.enclave.*`, `wss.enclave.*`, and `ntfy.enclave.*`.
Use this setup for local testing and Android development without a public domain. Full details are in SETUP_GUIDE.md.
```bash
cp apps/android/local.properties.example apps/android/local.properties
cp backend/server/.env.example backend/server/.env
chmod +x scripts/setup-local.sh
./scripts/setup-local.sh
```
Configure your SDK path in `apps/android/local.properties`, then:
```bash
cd apps/android
./gradlew assembleDebug
```
Warning
This section is for advanced users who want to manually deploy the stack without the 1-click script.
- Provision DNS: Create A records for `api.enclave.<domain>`, `wss.enclave.<domain>`, `ntfy.enclave.<domain>` pointing to your VPS.
- Install Dependencies: Docker, Node.js, PM2, Nginx, Certbot, Coturn.
- Copy Server Files: `rsync` the `backend/server/` folder to `/opt/enclave-server`.
- Configure Secrets: Manually generate cryptographic keys and populate `/opt/enclave-server/.env`.
- Deploy Backend: Run `docker compose up -d` in the server directory.
- Signaling Server: Run `npm install && npm run build` in `signaling-server/`, then run with PM2.
- Nginx & SSL: Configure Nginx reverse proxies for ports 8000 (API), 8085 (WSS), 2586 (Ntfy) and run Certbot.
- Coturn & Firewall: Update `/etc/turnserver.conf` and open UFW ports (80, 443, 3478, 5349, and UDP 49152:65535).
- Gradle fails due to missing keys: Confirm all required `local.properties` keys are present.
- WebSocket disconnects in production: Confirm Nginx `Upgrade` + `Connection` headers and timeout settings.
- TURN not working on mobile data: Verify Coturn ports and UDP relay range are open in UFW.
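An added example, not part of the Enclave repository: a shell check that compares `ufw status` output with the ports listed in the Coturn & Firewall step, which is also what the TURN troubleshooting item asks you to verify. The list of backend ports that should stay closed (8000, 8085, 2586, reached only through Nginx) and the sample `ufw status` text are assumptions of this example.

```bash
# Added example (not from the Enclave repo): audit `ufw status` text against
# the README's port list. REQUIRED comes from the Coturn & Firewall step;
# INTERNAL (backend ports fronted by Nginx) is this example's assumption.
REQUIRED="80 443 3478 5349 49152:65535/udp"
INTERNAL="8000 8085 2586"

# rule_covers RULE WANT: succeed when the ports are equal and the protocols
# agree; a side without a "/proto" suffix matches both tcp and udp.
rule_covers() {
  rc_rp=""; rc_wp=""
  case $1 in */*) rc_rp=${1#*/} ;; esac
  case $2 in */*) rc_wp=${2#*/} ;; esac
  [ "${1%%/*}" = "${2%%/*}" ] || return 1
  [ -z "$rc_rp" ] || [ -z "$rc_wp" ] || [ "$rc_rp" = "$rc_wp" ]
}

# audit_ufw: read `ufw status` on stdin, print MISSING/EXPOSED findings and
# return 1 if there are any. Only IPv4 "ALLOW ... Anywhere" rows are read;
# app-profile rules such as "Nginx Full" are not resolved to ports.
audit_ufw() {
  au_rules=$(awk '$2 == "ALLOW" && $3 == "Anywhere" { print $1 }')
  au_bad=0
  for au_want in $REQUIRED; do
    au_hit=no
    for au_rule in $au_rules; do
      if rule_covers "$au_rule" "$au_want"; then au_hit=yes; fi
    done
    [ "$au_hit" = yes ] || { echo "MISSING $au_want"; au_bad=1; }
  done
  for au_port in $INTERNAL; do
    for au_rule in $au_rules; do
      if rule_covers "$au_rule" "$au_port"; then echo "EXPOSED $au_rule"; au_bad=1; fi
    done
  done
  return "$au_bad"
}

# Constructed sample of `ufw status` output (not taken from a real server).
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
3478                       ALLOW       Anywhere
8000/tcp                   ALLOW       Anywhere
49152:65535/udp            ALLOW       Anywhere
443/tcp (v6)               ALLOW       Anywhere (v6)'
printf '%s\n' "$SAMPLE_UFW_STATUS" | audit_ufw || true  # on a server: sudo ufw status | audit_ufw
```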
```bash
# View backend stack
docker compose -f backend/server/docker-compose.yml ps
# Restart signaling server
pm2 restart enclave-signaling
# Renew SSL certificates
certbot renew
```
Enclave is built upon the incredible work of the open-source community. We stand on the shoulders of giants.
- Saif Mukhtar
- GitHub: @saifmukhtar
- Portfolio: saifmukhtar.dev
- Signal Protocol & Libsignal: The absolute gold standard for E2EE cryptography.
- Supabase: Powering our auth, realtime, and Postgres infrastructure.
- WebRTC & Coturn: Enabling seamless, private, high-quality media traversal.
- Ntfy: Sovereign, self-hosted push notifications.
- Jetpack Compose & Element X Android: Modern UI/UX patterns.
- Docker & PM2: Resilient infrastructure deployment.
License: Enclave is proudly licensed under the GNU AGPLv3.
