From a7dc0a5b7d23d8994613536b55b5fd50c1e9909b Mon Sep 17 00:00:00 2001 
From: Thomas Schweiger Date: Thu, 13 Nov 2025 18:02:50 +0100 Subject: [PATCH 1/2] Update docs with latest env vars --- .../env-vars/activitylog-config-example.yaml | 1 + static/env-vars/activitylog.yaml | 67 ++++ static/env-vars/activitylog_configvars.md | 87 +++--- static/env-vars/activitylog_readme.md | 4 +- static/env-vars/antivirus.yaml | 40 +++ static/env-vars/antivirus_configvars.md | 62 ++-- static/env-vars/antivirus_readme.md | 4 +- static/env-vars/app-provider.yaml | 45 +++ static/env-vars/app-provider_configvars.md | 68 ++-- static/env-vars/app-provider_readme.md | 109 +++++++ static/env-vars/app-registry.yaml | 115 +++++++ static/env-vars/app-registry_configvars.md | 38 +-- static/env-vars/app-registry_readme.md | 6 +- static/env-vars/audit.yaml | 31 ++ static/env-vars/audit_configvars.md | 48 +-- static/env-vars/audit_readme.md | 4 +- static/env-vars/auth-app.yaml | 69 +++++ static/env-vars/auth-app_configvars.md | 78 ++--- static/env-vars/auth-app_readme.md | 14 +- .../env-vars/auth-basic-config-example.yaml | 3 +- static/env-vars/auth-basic.yaml | 76 +++++ static/env-vars/auth-basic_configvars.md | 119 +++---- static/env-vars/auth-basic_readme.md | 8 +- static/env-vars/auth-bearer.yaml | 36 +++ static/env-vars/auth-bearer_configvars.md | 50 +-- static/env-vars/auth-bearer_readme.md | 8 +- static/env-vars/auth-machine.yaml | 31 ++ static/env-vars/auth-machine_configvars.md | 42 +-- static/env-vars/auth-machine_readme.md | 4 +- static/env-vars/auth-service.yaml | 32 ++ static/env-vars/auth-service_configvars.md | 42 +-- static/env-vars/auth-service_readme.md | 8 +- static/env-vars/clientlog.yaml | 33 ++ static/env-vars/clientlog_configvars.md | 48 +-- static/env-vars/clientlog_readme.md | 4 +- .../collaboration-config-example.yaml | 1 + static/env-vars/collaboration.yaml | 63 ++++ static/env-vars/collaboration_configvars.md | 90 +++--- static/env-vars/collaboration_readme.md | 4 +- static/env-vars/eventhistory.yaml | 39 +++ 
static/env-vars/eventhistory_configvars.md | 56 ++-- static/env-vars/eventhistory_readme.md | 4 +- static/env-vars/extended_configvars.md | 69 +++++ static/env-vars/frontend-config-example.yaml | 4 + static/env-vars/frontend.yaml | 154 ++++++++++ static/env-vars/frontend_configvars.md | 181 +++++------ static/env-vars/frontend_readme.md | 4 +- static/env-vars/gateway.yaml | 72 +++++ static/env-vars/gateway_configvars.md | 116 +++---- static/env-vars/gateway_readme.md | 6 +- static/env-vars/global_configvars.md | 83 ++--- static/env-vars/graph-config-example.yaml | 15 +- static/env-vars/graph.yaml | 169 ++++++++++ static/env-vars/graph_configvars.md | 230 +++++++------- static/env-vars/graph_readme.md | 7 +- static/env-vars/groups-config-example.yaml | 2 +- static/env-vars/groups.yaml | 72 +++++ static/env-vars/groups_configvars.md | 114 +++---- static/env-vars/groups_readme.md | 21 ++ static/env-vars/idm-config-example.yaml | 6 +- static/env-vars/idm.yaml | 31 ++ static/env-vars/idm_configvars.md | 48 +-- static/env-vars/idm_readme.md | 4 +- static/env-vars/idp-config-example.yaml | 10 +- static/env-vars/idp.yaml | 122 ++++++++ static/env-vars/idp_configvars.md | 118 +++---- static/env-vars/idp_readme.md | 4 +- static/env-vars/invitations.yaml | 40 +++ static/env-vars/invitations_configvars.md | 58 ++-- static/env-vars/invitations_readme.md | 4 +- static/env-vars/nats-config-example.yaml | 6 +- static/env-vars/nats.yaml | 27 ++ static/env-vars/nats_configvars.md | 42 +-- static/env-vars/nats_readme.md | 4 +- static/env-vars/notifications.yaml | 57 ++++ static/env-vars/notifications_configvars.md | 88 +++--- static/env-vars/notifications_readme.md | 4 +- static/env-vars/ocdav.yaml | 81 +++++ static/env-vars/ocdav_configvars.md | 70 ++--- static/env-vars/ocdav_readme.md | 6 +- static/env-vars/ocm-config-example.yaml | 10 +- static/env-vars/ocm.yaml | 116 +++++++ static/env-vars/ocm_configvars.md | 110 +++---- static/env-vars/ocm_readme.md | 14 +- 
static/env-vars/ocs.yaml | 54 ++++ static/env-vars/ocs_configvars.md | 56 ++-- static/env-vars/ocs_readme.md | 4 +- static/env-vars/policies.yaml | 36 +++ static/env-vars/policies_configvars.md | 48 +-- static/env-vars/policies_readme.md | 14 +- .../postprocessing-config-example.yaml | 2 + static/env-vars/postprocessing.yaml | 43 +++ static/env-vars/postprocessing_configvars.md | 66 ++-- static/env-vars/postprocessing_readme.md | 19 +- static/env-vars/proxy-config-example.yaml | 8 +- static/env-vars/proxy.yaml | 240 +++++++++++++++ static/env-vars/proxy_configvars.md | 142 ++++----- static/env-vars/proxy_readme.md | 9 +- static/env-vars/search-config-example.yaml | 28 +- static/env-vars/search.yaml | 78 +++++ static/env-vars/search_configvars.md | 95 +++--- static/env-vars/search_readme.md | 217 +++++-------- static/env-vars/settings.yaml | 73 +++++ static/env-vars/settings_configvars.md | 88 +++--- static/env-vars/settings_readme.md | 4 +- static/env-vars/sharing-config-example.yaml | 4 +- static/env-vars/sharing.yaml | 85 +++++ static/env-vars/sharing_configvars.md | 128 ++++---- static/env-vars/sse.yaml | 50 +++ static/env-vars/sse_configvars.md | 62 ++-- static/env-vars/sse_readme.md | 4 +- static/env-vars/storage-publiclink.yaml | 32 ++ .../env-vars/storage-publiclink_configvars.md | 42 +-- static/env-vars/storage-publiclink_readme.md | 21 ++ static/env-vars/storage-shares.yaml | 33 ++ static/env-vars/storage-shares_configvars.md | 46 +-- static/env-vars/storage-shares_readme.md | 21 ++ .../storage-system-config-example.yaml | 2 +- static/env-vars/storage-system.yaml | 51 +++ static/env-vars/storage-system_configvars.md | 72 ++--- static/env-vars/storage-system_readme.md | 4 +- .../storage-users-config-example.yaml | 16 +- static/env-vars/storage-users.yaml | 204 ++++++++++++ static/env-vars/storage-users_configvars.md | 290 +++++++++--------- static/env-vars/storage-users_readme.md | 4 +- .../env-vars/thumbnails-config-example.yaml | 2 +- 
static/env-vars/thumbnails.yaml | 72 +++++ static/env-vars/thumbnails_configvars.md | 70 ++--- static/env-vars/thumbnails_readme.md | 10 +- static/env-vars/userlog.yaml | 67 ++++ static/env-vars/userlog_configvars.md | 90 +++--- static/env-vars/userlog_readme.md | 4 +- static/env-vars/users-config-example.yaml | 3 +- static/env-vars/users.yaml | 77 +++++ static/env-vars/users_configvars.md | 123 ++++---- static/env-vars/users_readme.md | 21 ++ static/env-vars/web-config-example.yaml | 8 +- static/env-vars/web.yaml | 131 ++++++++ static/env-vars/web_configvars.md | 112 +++---- static/env-vars/web_readme.md | 6 +- static/env-vars/webdav-config-example.yaml | 2 +- static/env-vars/webdav.yaml | 51 +++ static/env-vars/webdav_configvars.md | 56 ++-- static/env-vars/webdav_readme.md | 6 +- static/env-vars/webfinger.yaml | 44 +++ static/env-vars/webfinger_configvars.md | 52 ++-- static/env-vars/webfinger_readme.md | 4 +- 147 files changed, 5479 insertions(+), 2117 deletions(-) create mode 100644 static/env-vars/activitylog.yaml create mode 100644 static/env-vars/antivirus.yaml create mode 100644 static/env-vars/app-provider.yaml create mode 100755 static/env-vars/app-provider_readme.md create mode 100644 static/env-vars/app-registry.yaml create mode 100644 static/env-vars/audit.yaml create mode 100644 static/env-vars/auth-app.yaml create mode 100644 static/env-vars/auth-basic.yaml create mode 100644 static/env-vars/auth-bearer.yaml create mode 100644 static/env-vars/auth-machine.yaml create mode 100644 static/env-vars/auth-service.yaml create mode 100644 static/env-vars/clientlog.yaml create mode 100644 static/env-vars/collaboration.yaml create mode 100644 static/env-vars/eventhistory.yaml create mode 100644 static/env-vars/frontend.yaml create mode 100644 static/env-vars/gateway.yaml create mode 100644 static/env-vars/graph.yaml create mode 100644 static/env-vars/groups.yaml create mode 100755 static/env-vars/groups_readme.md create mode 100644 static/env-vars/idm.yaml 
create mode 100644 static/env-vars/idp.yaml create mode 100644 static/env-vars/invitations.yaml create mode 100644 static/env-vars/nats.yaml create mode 100644 static/env-vars/notifications.yaml create mode 100644 static/env-vars/ocdav.yaml create mode 100644 static/env-vars/ocm.yaml create mode 100644 static/env-vars/ocs.yaml create mode 100644 static/env-vars/policies.yaml create mode 100644 static/env-vars/postprocessing.yaml create mode 100644 static/env-vars/proxy.yaml create mode 100644 static/env-vars/search.yaml create mode 100644 static/env-vars/settings.yaml create mode 100644 static/env-vars/sharing.yaml create mode 100644 static/env-vars/sse.yaml create mode 100644 static/env-vars/storage-publiclink.yaml create mode 100755 static/env-vars/storage-publiclink_readme.md create mode 100644 static/env-vars/storage-shares.yaml create mode 100755 static/env-vars/storage-shares_readme.md create mode 100644 static/env-vars/storage-system.yaml create mode 100644 static/env-vars/storage-users.yaml create mode 100644 static/env-vars/thumbnails.yaml create mode 100644 static/env-vars/userlog.yaml create mode 100644 static/env-vars/users.yaml create mode 100755 static/env-vars/users_readme.md create mode 100644 static/env-vars/web.yaml create mode 100644 static/env-vars/webdav.yaml create mode 100644 static/env-vars/webfinger.yaml diff --git a/static/env-vars/activitylog-config-example.yaml b/static/env-vars/activitylog-config-example.yaml index 65bc313a..3ada4ff7 100644 --- a/static/env-vars/activitylog-config-example.yaml +++ b/static/env-vars/activitylog-config-example.yaml @@ -64,3 +64,4 @@ service_account: service_account_id: "" service_account_secret: "" write_buffer_duration: 10s +max_activities: 6000 diff --git a/static/env-vars/activitylog.yaml b/static/env-vars/activitylog.yaml new file mode 100644 index 00000000..7241a2df --- /dev/null +++ b/static/env-vars/activitylog.yaml 
@@ -0,0 +1,67 @@ +# Autogenerated +# Filename: activitylog.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9197 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: activitylog + table: "" + ttl: 0s + username: "" + password: "" +reva_gateway: eu.opencloud.api.gateway +grpc_client_tls: null +http: + addr: 127.0.0.1:9195 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +token_manager: + jwt_secret: "" +translation_path: "" +default_language: en +service_account: + service_account_id: "" + service_account_secret: "" +write_buffer_duration: 10s +max_activities: 6000 diff --git a/static/env-vars/activitylog_configvars.md b/static/env-vars/activitylog_configvars.md index 70f5d9f5..aad2f438 100644 --- a/static/env-vars/activitylog_configvars.md +++ b/static/env-vars/activitylog_configvars.md @@ -1,46 +1,47 @@ Environment variables for the **activitylog** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`ACTIVITYLOG_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`ACTIVITYLOG_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`ACTIVITYLOG_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`ACTIVITYLOG_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`ACTIVITYLOG_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`ACTIVITYLOG_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`ACTIVITYLOG_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`ACTIVITYLOG_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`ACTIVITYLOG_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9197| -|`ACTIVITYLOG_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`ACTIVITYLOG_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`ACTIVITYLOG_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_PERSISTENT_STORE`
`ACTIVITYLOG_STORE`| 1.0.0 |string|The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.|nats-js-kv| -|`OC_PERSISTENT_STORE_NODES`
`ACTIVITYLOG_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`ACTIVITYLOG_STORE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|activitylog| -|`ACTIVITYLOG_STORE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_PERSISTENT_STORE_TTL`
`ACTIVITYLOG_STORE_TTL`| 1.0.0 |Duration|Time to live for events in the store. See the Environment Variable Types description for more details.|0s| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`ACTIVITYLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`ACTIVITYLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|CS3 gateway used to look up user metadata|eu.opencloud.api.gateway| -|`ACTIVITYLOG_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9195| -|`ACTIVITYLOG_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`OC_CORS_ALLOW_ORIGINS`
`ACTIVITYLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`ACTIVITYLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET]| -|`OC_CORS_ALLOW_HEADERS`
`ACTIVITYLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| -|`OC_CORS_ALLOW_CREDENTIALS`
`ACTIVITYLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`OC_JWT_SECRET`
`ACTIVITYLOG_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_TRANSLATION_PATH`
`ACTIVITYLOG_TRANSLATION_PATH`| 1.0.0 |string|(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.|| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.|en| -|`OC_SERVICE_ACCOUNT_ID`
`ACTIVITYLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`ACTIVITYLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| -|`ACTIVITYLOG_WRITE_BUFFER_DURATION`| next |Duration|The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store.|10s| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`ACTIVITYLOG_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`ACTIVITYLOG_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`ACTIVITYLOG_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`ACTIVITYLOG_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`ACTIVITYLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`ACTIVITYLOG_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`ACTIVITYLOG_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`ACTIVITYLOG_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`ACTIVITYLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9197`| +|`ACTIVITYLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`ACTIVITYLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`ACTIVITYLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_PERSISTENT_STORE`
`ACTIVITYLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`ACTIVITYLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`ACTIVITYLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`activitylog`| +|`ACTIVITYLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`ACTIVITYLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`ACTIVITYLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`ACTIVITYLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`ACTIVITYLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9195`| +|`ACTIVITYLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`ACTIVITYLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`ACTIVITYLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| +|`OC_CORS_ALLOW_HEADERS`
`ACTIVITYLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`ACTIVITYLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`ACTIVITYLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_TRANSLATION_PATH`
`ACTIVITYLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|`en`| +|`OC_SERVICE_ACCOUNT_ID`
`ACTIVITYLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`ACTIVITYLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`ACTIVITYLOG_WRITE_BUFFER_DURATION`| next |Duration|`The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store.`|`10s`| +|`ACTIVITYLOG_MAX_ACTIVITIES`| next |int|`The maximum number of activities to keep in the store per resource. If the number of activities exceeds this value, the oldest activities will be removed.`|`6000`| diff --git a/static/env-vars/activitylog_readme.md b/static/env-vars/activitylog_readme.md index 6fafb874..108eed5d 100755 --- a/static/env-vars/activitylog_readme.md +++ b/static/env-vars/activitylog_readme.md @@ -1,6 +1,6 @@ --- title: Activitylog -date: 2025-05-22T16:21:16.118598132+02:00 +date: 2025-11-13T17:22:55.092232+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/activitylog @@ -23,7 +23,6 @@ The `activitylog` service is responsible for storing events (activities) per res * [Translations](#translations) * [Translation Rules](#translation-rules) * [Default Language](#default-language) -* [Example Yaml Config](#example-yaml-config) ## The Log Service Ecosystem @@ -62,3 +61,4 @@ which is the source of the texts provided by the code. ## Default Language The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description. + diff --git a/static/env-vars/antivirus.yaml b/static/env-vars/antivirus.yaml new file mode 100644 index 00000000..9f0249b3 --- /dev/null +++ b/static/env-vars/antivirus.yaml 
@@ -0,0 +1,40 @@ +# Autogenerated +# Filename: antivirus.yaml + +file: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9277 + token: "" + pprof: false + zpages: false +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +infected-file-handling: delete +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +workers: 10 +scanner: + type: clamav + clamav: + socket: /run/clamav/clamd.ctl + scan_timeout: 5m0s + icap: + scan_timeout: 5m0s + url: icap://127.0.0.1:1344 + service: avscan +max-scan-size: 100MB +max-scan-size-mode: partial diff --git a/static/env-vars/antivirus_configvars.md b/static/env-vars/antivirus_configvars.md index c184e58c..d0f6703e 100644 --- a/static/env-vars/antivirus_configvars.md +++ b/static/env-vars/antivirus_configvars.md @@ -1,34 +1,34 @@ Environment variables for the **antivirus** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_LOG_LEVEL`
`ANTIVIRUS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`ANTIVIRUS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`ANTIVIRUS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`ANTIVIRUS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`ANTIVIRUS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9277| -|`ANTIVIRUS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`ANTIVIRUS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`ANTIVIRUS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_TRACING_ENABLED`
`ANTIVIRUS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`ANTIVIRUS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`ANTIVIRUS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`ANTIVIRUS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`ANTIVIRUS_INFECTED_FILE_HANDLING`| 1.0.0 |string|Defines the behaviour when a virus has been found. Supported options are: 'delete', 'continue' and 'abort '. Delete will delete the file. Continue will mark the file as infected but continues further processing. Abort will keep the file in the uploads folder for further admin inspection and will not move it to its final destination.|delete| -|`OC_EVENTS_ENDPOINT`
`ANTIVIRUS_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`ANTIVIRUS_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`ANTIVIRUS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`ANTIVIRUS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`ANTIVIRUS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`ANTIVIRUS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`ANTIVIRUS_WORKERS`| 1.0.0 |int|The number of concurrent go routines that fetch events from the event queue.|10| -|`ANTIVIRUS_SCANNER_TYPE`| 1.0.0 |ScannerType|The antivirus scanner to use. Supported values are 'clamav' and 'icap'.|clamav| -|`ANTIVIRUS_CLAMAV_SOCKET`| 1.0.0 |string|The socket clamav is running on. Note the default value is an example which needs adaption according your OS.|/run/clamav/clamd.ctl| -|`ANTIVIRUS_CLAMAV_SCAN_TIMEOUT`| 2.1.0 |Duration|Scan timeout for the ClamAV client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.|5m0s| -|`ANTIVIRUS_ICAP_SCAN_TIMEOUT`| 1.0.0 |Duration|Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.|5m0s| -|`ANTIVIRUS_ICAP_URL`| 1.0.0 |string|URL of the ICAP server.|icap://127.0.0.1:1344| -|`ANTIVIRUS_ICAP_SERVICE`| 1.0.0 |string|The name of the ICAP service.|avscan| -|`ANTIVIRUS_MAX_SCAN_SIZE`| 1.0.0 |string|The maximum scan size the virus scanner can handle.0 means unlimited. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.|100MB| -|`ANTIVIRUS_MAX_SCAN_SIZE_MODE`| 2.1.0 |MaxScanSizeMode|Defines the mode of handling files that exceed the maximum scan size. Supported options are: 'skip', which skips files that are bigger than the max scan size, and 'truncate' (default), which only uses the file up to the max size.|partial| -|`ANTIVIRUS_DEBUG_SCAN_OUTCOME`| 1.0.0 |string|A predefined outcome for virus scanning, FOR DEBUG PURPOSES ONLY! (example values: 'found,infected')|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`ANTIVIRUS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`ANTIVIRUS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`ANTIVIRUS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`ANTIVIRUS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`ANTIVIRUS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9277`| +|`ANTIVIRUS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`ANTIVIRUS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`ANTIVIRUS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_TRACING_ENABLED`
`ANTIVIRUS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`ANTIVIRUS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`ANTIVIRUS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`ANTIVIRUS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`ANTIVIRUS_INFECTED_FILE_HANDLING`| 1.0.0 |string|`Defines the behaviour when a virus has been found. Supported options are: 'delete', 'continue' and 'abort '. Delete will delete the file. Continue will mark the file as infected but continues further processing. Abort will keep the file in the uploads folder for further admin inspection and will not move it to its final destination.`|`delete`| +|`OC_EVENTS_ENDPOINT`
`ANTIVIRUS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`ANTIVIRUS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`ANTIVIRUS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`ANTIVIRUS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`ANTIVIRUS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`ANTIVIRUS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`ANTIVIRUS_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|`10`| +|`ANTIVIRUS_SCANNER_TYPE`| 1.0.0 |ScannerType|`The antivirus scanner to use. Supported values are 'clamav' and 'icap'.`|`clamav`| +|`ANTIVIRUS_CLAMAV_SOCKET`| 1.0.0 |string|`The socket clamav is running on. Note the default value is an example which needs adaption according your OS.`|`/run/clamav/clamd.ctl`| +|`ANTIVIRUS_CLAMAV_SCAN_TIMEOUT`| 2.1.0 |Duration|`Scan timeout for the ClamAV client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|`5m0s`| +|`ANTIVIRUS_ICAP_SCAN_TIMEOUT`| 1.0.0 |Duration|`Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|`5m0s`| +|`ANTIVIRUS_ICAP_URL`| 1.0.0 |string|`URL of the ICAP server.`|`icap://127.0.0.1:1344`| +|`ANTIVIRUS_ICAP_SERVICE`| 1.0.0 |string|`The name of the ICAP service.`|`avscan`| +|`ANTIVIRUS_MAX_SCAN_SIZE`| 1.0.0 |string|`The maximum scan size the virus scanner can handle.0 means unlimited. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|`100MB`| +|`ANTIVIRUS_MAX_SCAN_SIZE_MODE`| 2.1.0 |MaxScanSizeMode|`Defines the mode of handling files that exceed the maximum scan size. Supported options are: 'skip', which skips files that are bigger than the max scan size, and 'truncate' (default), which only uses the file up to the max size.`|`partial`| +|`ANTIVIRUS_DEBUG_SCAN_OUTCOME`| 1.0.0 |string|`A predefined outcome for virus scanning, FOR DEBUG PURPOSES ONLY! (example values: 'found,infected')`|``| diff --git a/static/env-vars/antivirus_readme.md b/static/env-vars/antivirus_readme.md index e4eb4cbe..6fd10596 100755 
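Review bot: The description of `ANTIVIRUS_EVENTS_TLS_INSECURE` (aliased to `OC_INSECURE`) in this table reads `Whether to verify the server TLS certificates.`, which is the inverse of what a flag named "insecure" presumably does, and the next row already treats it that way ("If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false"). An admin taking the sentence literally could set it to `true` intending to enable verification and instead disable it; I would word it `Whether to skip verification of the server TLS certificates. Only intended for test setups; if ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE is set, this is treated as false.`. In the same table, `ANTIVIRUS_MAX_SCAN_SIZE_MODE` names `'truncate' (default)` while its default column and `antivirus.yaml` say `partial`, so the description should read `'partial' (default)`. Both sentences are carried over unchanged from the old side; since these tables look generated, the fix presumably belongs in the source the table is generated from rather than in this file.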
--- a/static/env-vars/antivirus_readme.md +++ b/static/env-vars/antivirus_readme.md @@ -1,6 +1,6 @@ --- title: Antivirus -date: 2025-05-22T16:21:16.118681609+02:00 +date: 2025-11-13T17:22:55.092547+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/antivirus @@ -28,7 +28,6 @@ The `antivirus` service is responsible for scanning files for viruses. * [Operation Modes](#operation-modes) * [Postprocessing](#postprocessing) * [Scaling in Kubernetes](#scaling-in-kubernetes) -* [Example Yaml Config](#example-yaml-config) ## Memory Considerations @@ -107,3 +106,4 @@ The number of concurrent scans can be increased by setting `ANTIVIRUS_WORKERS`, ### Scaling in Kubernetes In kubernetes, `ANTIVIRUS_WORKERS` and `ANTIVIRUS_MAX_SCAN_SIZE` can be used to trigger the horizontal pod autoscaler by requesting a memory size that is below `ANTIVIRUS_MAX_SCAN_SIZE`. Keep in mind that `ANTIVIRUS_MAX_SCAN_SIZE` amount of memory might be held by `ANTIVIRUS_WORKERS` number of go routines. + diff --git a/static/env-vars/app-provider.yaml b/static/env-vars/app-provider.yaml new file mode 100644 index 00000000..eb29648d --- /dev/null +++ b/static/env-vars/app-provider.yaml 
@@ -0,0 +1,45 @@ +# Autogenerated +# Filename: app-provider.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9165 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9164 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +external_addr: eu.opencloud.api.app-provider +driver: "" +drivers: + wopi: + app_api_key: "" + app_desktop_only: false + app_icon_uri: "" + app_internal_url: "" + app_name: "" + app_url: "" + app_disable_chat: false + insecure: false + wopi_server_iop_secret: "" + wopi_server_external_url: "" + wopi_folder_url_base_url: https://localhost:9200/ + wopi_folder_url_path_template: /f/{{.ResourceID}} diff --git a/static/env-vars/app-provider_configvars.md b/static/env-vars/app-provider_configvars.md index cc3d001e..3d975d82 100644 --- a/static/env-vars/app-provider_configvars.md +++ b/static/env-vars/app-provider_configvars.md @@ -1,37 +1,37 @@ Environment variables for the **app-provider** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`APP_PROVIDER_SERVICE_NAME`| 1.0.0 |string|The name of the service. This needs to be changed when using more than one app provider. Each app provider configured needs to be identified by a unique service name. Possible examples are: 'app-provider-collabora', 'app-provider-onlyoffice', 'app-provider-office365'.|app-provider| -|`OC_TRACING_ENABLED`
`APP_PROVIDER_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`APP_PROVIDER_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`APP_PROVIDER_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`APP_PROVIDER_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`APP_PROVIDER_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`APP_PROVIDER_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`APP_PROVIDER_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`APP_PROVIDER_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`APP_PROVIDER_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9165| -|`APP_PROVIDER_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint|| -|`APP_PROVIDER_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling|false| -|`APP_PROVIDER_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing traces in-memory.|false| -|`APP_PROVIDER_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9164| -|`OC_GRPC_PROTOCOL`
`APP_PROVIDER_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GPRC service.|tcp| -|`OC_JWT_SECRET`
`APP_PROVIDER_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`APP_PROVIDER_EXTERNAL_ADDR`| 1.0.0 |string|Address of the app provider, where the GATEWAY service can reach it.|eu.opencloud.api.app-provider| -|`APP_PROVIDER_DRIVER`| 1.0.0 |string|Driver, the APP PROVIDER services uses. Only 'wopi' is supported as of now.|| -|`APP_PROVIDER_WOPI_APP_API_KEY`| 1.0.0 |string|API key for the wopi app.|| -|`APP_PROVIDER_WOPI_APP_DESKTOP_ONLY`| 1.0.0 |bool|Offer this app only on desktop.|false| -|`APP_PROVIDER_WOPI_APP_ICON_URI`| 1.0.0 |string|URI to an app icon to be used by clients.|| -|`APP_PROVIDER_WOPI_APP_INTERNAL_URL`| 1.0.0 |string|Internal URL to the app, like in your DMZ.|| -|`APP_PROVIDER_WOPI_APP_NAME`| 1.0.0 |string|Human readable app name.|| -|`APP_PROVIDER_WOPI_APP_URL`| 1.0.0 |string|URL for end users to access the app.|| -|`APP_PROVIDER_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|Disable the chat functionality of the office app.|false| -|`APP_PROVIDER_WOPI_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for requests to the WOPI server and the web office application. Do not set this in production environments.|false| -|`APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET`| 1.0.0 |string|Shared secret of the CS3org WOPI server.|| -|`APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL`| 1.0.0 |string|External url of the CS3org WOPI server.|| -|`OC_URL`
`APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL`| 1.0.0 |string|Base url to navigate back from the app to the containing folder in the file list.|https://localhost:9200/| -|`APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE`| 1.0.0 |string|Path template to navigate back from the app to the containing folder in the file list. Supported template variables are {{.ResourceInfo.ResourceID}}, {{.ResourceInfo.Mtime.Seconds}}, {{.ResourceInfo.Name}}, {{.ResourceInfo.Path}}, {{.ResourceInfo.Type}}, {{.ResourceInfo.Id.SpaceId}}, {{.ResourceInfo.Id.StorageId}}, {{.ResourceInfo.Id.OpaqueId}}, {{.ResourceInfo.MimeType}}|/f/{{.ResourceID}}| \ No newline at end of file +|---|---|---|---|:---| +|`APP_PROVIDER_SERVICE_NAME`| 1.0.0 |string|`The name of the service. This needs to be changed when using more than one app provider. Each app provider configured needs to be identified by a unique service name. Possible examples are: 'app-provider-collabora', 'app-provider-onlyoffice', 'app-provider-office365'.`|`app-provider`| +|`OC_TRACING_ENABLED`
`APP_PROVIDER_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`APP_PROVIDER_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`APP_PROVIDER_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`APP_PROVIDER_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`APP_PROVIDER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`APP_PROVIDER_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`APP_PROVIDER_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`APP_PROVIDER_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`APP_PROVIDER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9165`| +|`APP_PROVIDER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|``| +|`APP_PROVIDER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|`false`| +|`APP_PROVIDER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| +|`APP_PROVIDER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9164`| +|`OC_GRPC_PROTOCOL`
`APP_PROVIDER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`OC_JWT_SECRET`
`APP_PROVIDER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`APP_PROVIDER_EXTERNAL_ADDR`| 1.0.0 |string|`Address of the app provider, where the GATEWAY service can reach it.`|`eu.opencloud.api.app-provider`| +|`APP_PROVIDER_DRIVER`| 1.0.0 |string|`Driver, the APP PROVIDER services uses. Only 'wopi' is supported as of now.`|``| +|`APP_PROVIDER_WOPI_APP_API_KEY`| 1.0.0 |string|`API key for the wopi app.`|``| +|`APP_PROVIDER_WOPI_APP_DESKTOP_ONLY`| 1.0.0 |bool|`Offer this app only on desktop.`|`false`| +|`APP_PROVIDER_WOPI_APP_ICON_URI`| 1.0.0 |string|`URI to an app icon to be used by clients.`|``| +|`APP_PROVIDER_WOPI_APP_INTERNAL_URL`| 1.0.0 |string|`Internal URL to the app, like in your DMZ.`|``| +|`APP_PROVIDER_WOPI_APP_NAME`| 1.0.0 |string|`Human readable app name.`|``| +|`APP_PROVIDER_WOPI_APP_URL`| 1.0.0 |string|`URL for end users to access the app.`|``| +|`APP_PROVIDER_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable the chat functionality of the office app.`|`false`| +|`APP_PROVIDER_WOPI_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for requests to the WOPI server and the web office application. Do not set this in production environments.`|`false`| +|`APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET`| 1.0.0 |string|`Shared secret of the CS3org WOPI server.`|``| +|`APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL`| 1.0.0 |string|`External url of the CS3org WOPI server.`|``| +|`OC_URL`
`APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL`| 1.0.0 |string|`Base url to navigate back from the app to the containing folder in the file list.`|`https://localhost:9200/`| +|`APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE`| 1.0.0 |string|`Path template to navigate back from the app to the containing folder in the file list. Supported template variables are {{.ResourceInfo.ResourceID}}, {{.ResourceInfo.Mtime.Seconds}}, {{.ResourceInfo.Name}}, {{.ResourceInfo.Path}}, {{.ResourceInfo.Type}}, {{.ResourceInfo.Id.SpaceId}}, {{.ResourceInfo.Id.StorageId}}, {{.ResourceInfo.Id.OpaqueId}}, {{.ResourceInfo.MimeType}}`|`/f/{{.ResourceID}}`| diff --git a/static/env-vars/app-provider_readme.md b/static/env-vars/app-provider_readme.md new file mode 100755 index 00000000..e7d88d64 --- /dev/null +++ b/static/env-vars/app-provider_readme.md 
@@ -0,0 +1,109 @@ +--- +title: Antivirus +date: 2025-11-12T11:19:19.198072+01:00 +weight: 20 +geekdocRepo: https://github.com/opencloud-eu/opencloud +geekdocEditPath: edit/master/services/app-provider +geekdocFilePath: README.md +geekdocCollapseSection: true +--- + + + +## Abstract + + +The `antivirus` service is responsible for scanning files for viruses. + + +## Table of Contents + +* [Memory Considerations](#memory-considerations) +* [Configuration](#configuration) + * [Antivirus Scanner Type](#antivirus-scanner-type) + * [Maximum Scan Size](#maximum-scan-size) + * [Antivirus Workers](#antivirus-workers) + * [Infected File Handling](#infected-file-handling) + * [Scanner Inaccessibility](#scanner-inaccessibility) +* [Operation Modes](#operation-modes) + * [Postprocessing](#postprocessing) + * [Scaling in Kubernetes](#scaling-in-kubernetes) + +## Memory Considerations + +The antivirus service can consume considerable amounts of memory. +This is relevant to provide or define sufficient memory for the deployment selected. +To avoid out of memory (OOM) situations, the following equation gives a rough overview based on experiences made. +The memory calculation comes without any guarantee, is intended as overview only and subject of change. + +`memory limit` = `max file size` x `workers` x `factor 8 - 14` + +With: +`ANTIVIRUS_WORKERS` == 1 +```plaintext + 50MB file --> factor 14 --> 700MB memory +844MB file --> factor 8,3 --> 7GB memory +``` + +## Configuration + +### Antivirus Scanner Type + +The antivirus service currently supports [ICAP](https://tools.ietf.org/html/rfc3507) and [ClamAV](http://www.clamav.net/index.html) as antivirus scanners. +The `ANTIVIRUS_SCANNER_TYPE` environment variable is used to select the scanner. +The detailed configuration for each scanner heavily depends on the scanner type selected. +See the environment variables for more details. + + - For `icap`, only scanners using the `X-Infection-Found` header are currently supported. 
+ - For `clamav` only local sockets can currently be configured. + +### Maximum Scan Size + +Several factors can make it necessary to limit the maximum filesize the antivirus service uses for scanning. +Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given number of bytes, +or to skip the whole resource. + +Even if it's recommended to scan the whole file, several factors like scanner type and version, +bandwidth, performance issues, etc. might make a limit necessary. + +In such cases, the antivirus the max scan size mode can be handy, the following modes are available: + + - `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE=partial` + - `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE=skip` + +**IMPORTANT** +> Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803). +> To prevent OOM errors `ANTIVIRUS_MAX_SCAN_SIZE` needs to be set lower than available ram and or the maximum file size that can be scanned by the virus scanner. + +### Antivirus Workers + +The number of concurrent scans can be increased by setting `ANTIVIRUS_WORKERS`. Be aware that this will also increase memory usage. + +### Infected File Handling + +The antivirus service allows three different ways of handling infected files. Those can be set via the `ANTIVIRUS_INFECTED_FILE_HANDLING` environment variable: + + - `delete`: (default): Infected files will be deleted immediately, further postprocessing is cancelled. + - `abort`: (advanced option): Infected files will be kept, further postprocessing is cancelled. Files can be manually retrieved and inspected by an admin. To identify the file for further investigation, the antivirus service logs the abort/infected state including the file ID. 
The file is located in the `storage/users/uploads` folder of the OpenCloud data directory and persists until it is manually deleted by the admin via the [Manage Unfinished Uploads](https://github.com/opencloud-eu/opencloud/tree/main/services/storage-users#manage-unfinished-uploads) command. + - `continue`: (not recommended): Infected files will be marked via metadata as infected, but postprocessing continues normally. Note: Infected Files are moved to their final destination and therefore not prevented from download, which includes the risk of spreading viruses. + +In all cases, a log entry is added declaring the infection and handling method and a notification via the `userlog` service sent. + +### Scanner Inaccessibility + +In case a scanner is not accessible by the antivirus service like a network outage, service outage or hardware outage, the antivirus service uses the `abort` case for further processing, independent of the actual setting made. In any case, an error is logged noting the inaccessibility of the scanner used. + +## Operation Modes + +The antivirus service can scan files during `postprocessing`. `on demand` scanning is currently not available and might be added in a future release. + +### Postprocessing + +The antivirus service will scan files during postprocessing. It listens for a postprocessing step called `virusscan`. This step can be added in the environment variable `POSTPROCESSING_STEPS`. Read the documentation of the [postprocessing service](https://github.com/opencloud-eu/opencloud/tree/main/services/postprocessing) for more details. + +The number of concurrent scans can be increased by setting `ANTIVIRUS_WORKERS`, but be aware that this will also increase the memory usage. + +### Scaling in Kubernetes + +In kubernetes, `ANTIVIRUS_WORKERS` and `ANTIVIRUS_MAX_SCAN_SIZE` can be used to trigger the horizontal pod autoscaler by requesting a memory size that is below `ANTIVIRUS_MAX_SCAN_SIZE`. 
Keep in mind that `ANTIVIRUS_MAX_SCAN_SIZE` amount of memory might be held by `ANTIVIRUS_WORKERS` number of go routines. + diff --git a/static/env-vars/app-registry.yaml b/static/env-vars/app-registry.yaml new file mode 100644 index 00000000..ec5985db --- /dev/null +++ b/static/env-vars/app-registry.yaml 
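Review bot: The new file app-provider_readme.md is a copy of the antivirus README rather than documentation for the app-provider service: its front matter says `title: Antivirus`, the abstract states "The `antivirus` service is responsible for scanning files for viruses", and every section describes `ANTIVIRUS_*` variables, while only `geekdocEditPath: edit/master/services/app-provider` refers to app-provider. A reader of the app-provider page would be told about scanner types and infected-file handling instead of the WOPI and gateway settings listed in app-provider_configvars.md, so the file should be regenerated from the app-provider service README or, if that service has none yet, reduced to a title and abstract for app-provider. The copied Maximum Scan Size section also writes `ANTIVIRUS_MAX_SCAN_SIZE=partial` and `ANTIVIRUS_MAX_SCAN_SIZE=skip`, where the mode variable in the configvars table is `ANTIVIRUS_MAX_SCAN_SIZE_MODE`; if the antivirus README this was copied from has the same wording, it needs the same correction.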
@@ -0,0 +1,115 @@ +# Autogenerated +# Filename: app-registry.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9243 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9242 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +app_registry: + mimetypes: + - mime_type: application/pdf + extension: pdf + name: PDF + description: PDF document + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.oasis.opendocument.text + extension: odt + name: OpenDocument + description: OpenDocument text document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.oasis.opendocument.spreadsheet + extension: ods + name: OpenSpreadsheet + description: OpenDocument spreadsheet document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.oasis.opendocument.presentation + extension: odp + name: OpenPresentation + description: OpenDocument presentation document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document + extension: docx + name: Microsoft Word + description: Microsoft Word document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.form + extension: docxf + name: Form Document + description: Form Document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + extension: xlsx + name: Microsoft Excel + description: Microsoft Excel document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation + extension: pptx + name: Microsoft PowerPoint + description: 
Microsoft PowerPoint document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.jupyter + extension: ipynb + name: Jupyter Notebook + description: Jupyter Notebook + icon: "" + default_app: "" + allow_creation: false + - mime_type: text/markdown + extension: md + name: Markdown file + description: Markdown file + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/compressed-markdown + extension: zmd + name: Compressed markdown file + description: Compressed markdown file + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.geogebra.slides + extension: ggs + name: GeoGebra Slides + description: GeoGebra Slides + icon: "" + default_app: "" + allow_creation: false diff --git a/static/env-vars/app-registry_configvars.md b/static/env-vars/app-registry_configvars.md index b72c22a2..ea182854 100644 --- a/static/env-vars/app-registry_configvars.md +++ b/static/env-vars/app-registry_configvars.md @@ -1,22 +1,22 @@ Environment variables for the **app-registry** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`APP_REGISTRY_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`APP_REGISTRY_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`APP_REGISTRY_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`APP_REGISTRY_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`APP_REGISTRY_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`APP_REGISTRY_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`APP_REGISTRY_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`APP_REGISTRY_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`APP_REGISTRY_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9243| -|`APP_REGISTRY_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`APP_REGISTRY_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`APP_REGISTRY_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`APP_REGISTRY_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9242| -|`OC_GRPC_PROTOCOL`
`APP_REGISTRY_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`OC_JWT_SECRET`
`APP_REGISTRY_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`APP_REGISTRY_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`APP_REGISTRY_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`APP_REGISTRY_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`APP_REGISTRY_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`APP_REGISTRY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`APP_REGISTRY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`APP_REGISTRY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`APP_REGISTRY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`APP_REGISTRY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9243`| +|`APP_REGISTRY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`APP_REGISTRY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`APP_REGISTRY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`APP_REGISTRY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9242`| +|`OC_GRPC_PROTOCOL`
`APP_REGISTRY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`APP_REGISTRY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| diff --git a/static/env-vars/app-registry_readme.md b/static/env-vars/app-registry_readme.md index 5730cde2..58201f0b 100755 --- a/static/env-vars/app-registry_readme.md +++ b/static/env-vars/app-registry_readme.md @@ -1,6 +1,6 @@ --- title: App Registry -date: 2025-05-22T16:21:16.118757091+02:00 +date: 2025-11-13T17:22:55.092655+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/app-registry 
@@ -20,14 +20,13 @@ Administrators can set default applications on a per MIME type basis and also al ## Table of Contents -* [MIME Type Configuration / Creation Allow List](#mime-type-configuration--creation-allow-list) +* [MIME Type Configuration / Creation Allow List](#mime-type-configuration-/-creation-allow-list) * [MIME Type Configuration](#mime-type-configuration) * [Endpoint Access](#endpoint-access) * [Listing available apps and mime types](#listing-available-apps-and-mime-types) * [Open a File With OpenCloud Web](#open-a-file-with-opencloud-web) * [Open a File With the App Provider](#open-a-file-with-the-app-provider) * [Creating a File With the App Provider](#creating-a-file-with-the-app-provider) -* [Example Yaml Config](#example-yaml-config) ## MIME Type Configuration / Creation Allow List @@ -471,3 +470,4 @@ You will receive a file id of the freshly created file, which you can use to ope "message": "the file already exists" } ``` + diff --git a/static/env-vars/audit.yaml b/static/env-vars/audit.yaml new file mode 100644 index 00000000..6d9864ce --- /dev/null +++ b/static/env-vars/audit.yaml @@ -0,0 +1,31 @@ +# Autogenerated +# Filename: audit.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9229 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +auditlog: + log_to_console: true + log_to_file: false + filepath: "" + format: json diff --git a/static/env-vars/audit_configvars.md b/static/env-vars/audit_configvars.md index 06a885e0..31c9fa66 100644 --- a/static/env-vars/audit_configvars.md +++ b/static/env-vars/audit_configvars.md 
@@ -1,27 +1,27 @@ Environment variables for the **audit** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`AUDIT_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`AUDIT_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`AUDIT_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`AUDIT_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`AUDIT_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`AUDIT_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`AUDIT_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`AUDIT_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`AUDIT_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9229| -|`AUDIT_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`AUDIT_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`AUDIT_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_EVENTS_ENDPOINT`
`AUDIT_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`AUDIT_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`AUDIT_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`AUDIT_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`AUDIT_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`AUDIT_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`AUDIT_LOG_TO_CONSOLE`| 1.0.0 |bool|Logs to stdout if set to 'true'. Independent of the LOG_TO_FILE option.|true| -|`AUDIT_LOG_TO_FILE`| 1.0.0 |bool|Logs to file if set to 'true'. Independent of the LOG_TO_CONSOLE option.|false| -|`AUDIT_FILEPATH`| 1.0.0 |string|Filepath of the logfile. Mandatory if LOG_TO_FILE is set to 'true'.|| -|`AUDIT_FORMAT`| 1.0.0 |string|Log format. Supported values are '' (empty) and 'json'. Using 'json' is advised, '' (empty) renders the 'minimal' format. See the text description for more details.|json| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`AUDIT_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`AUDIT_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`AUDIT_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`AUDIT_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`AUDIT_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`AUDIT_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`AUDIT_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`AUDIT_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`AUDIT_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9229`| +|`AUDIT_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUDIT_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUDIT_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_EVENTS_ENDPOINT`
`AUDIT_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`AUDIT_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`AUDIT_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`AUDIT_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`AUDIT_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`AUDIT_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`AUDIT_LOG_TO_CONSOLE`| 1.0.0 |bool|`Logs to stdout if set to 'true'. Independent of the LOG_TO_FILE option.`|`true`| +|`AUDIT_LOG_TO_FILE`| 1.0.0 |bool|`Logs to file if set to 'true'. Independent of the LOG_TO_CONSOLE option.`|`false`| +|`AUDIT_FILEPATH`| 1.0.0 |string|`Filepath of the logfile. Mandatory if LOG_TO_FILE is set to 'true'.`|``| +|`AUDIT_FORMAT`| 1.0.0 |string|`Log format. Supported values are '' (empty) and 'json'. Using 'json' is advised, '' (empty) renders the 'minimal' format. See the text description for more details.`|`json`| diff --git a/static/env-vars/audit_readme.md b/static/env-vars/audit_readme.md index 0324b541..f187fd9f 100755 --- a/static/env-vars/audit_readme.md +++ b/static/env-vars/audit_readme.md @@ -1,6 +1,6 @@ --- title: Audit -date: 2025-05-22T16:21:16.118824137+02:00 +date: 2025-11-13T17:22:55.092897+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/audit @@ -44,5 +44,5 @@ The audit service logs: ## Table of Contents -* [Example Yaml Config](#example-yaml-config) + diff --git a/static/env-vars/auth-app.yaml b/static/env-vars/auth-app.yaml new file mode 100644 index 00000000..b5e41b01 --- /dev/null +++ b/static/env-vars/auth-app.yaml 
@@ -0,0 +1,69 @@ +# Autogenerated +# Filename: auth-app.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9245 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9246 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9247 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - DELETE + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +machine_auth_api_key: "" +allow_impersonation: false +storage_driver: jsoncs3 +storage_drivers: + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + password_generator: diceware + password_generator_options: + diceware: + number_of_words: 6 + randon: + password_length: 0 diff --git a/static/env-vars/auth-app_configvars.md b/static/env-vars/auth-app_configvars.md index 1a00f8d6..723c8a87 100644 --- a/static/env-vars/auth-app_configvars.md +++ b/static/env-vars/auth-app_configvars.md @@ -1,42 +1,42 @@ Environment variables for the **auth-app** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
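Review bot: The key `randon:` under `password_generator_options` near the end of this hunk looks like a misspelling of `random`; the sibling documentation names the variable `AUTH_APP_JSONCS3_RANDOM_PASSWORD_LENGTH` and lists the supported generators as 'diceware' and 'random'. Because this file is marked autogenerated, the spelling presumably comes from the yaml tag on the upstream config struct rather than from this commit, so it should be fixed there and the file regenerated instead of hand-edited. As published, an admin who writes `random:` in a yaml config would, if the tag really is `randon`, have that block silently ignored and `password_length` left at its default of 0.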
`AUTH_APP_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`AUTH_APP_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`AUTH_APP_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`AUTH_APP_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`AUTH_APP_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`AUTH_APP_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`AUTH_APP_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`AUTH_APP_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`AUTH_APP_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9245| -|`AUTH_APP_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`AUTH_APP_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`AUTH_APP_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing traces in-memory.|false| -|`AUTH_APP_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9246| -|`OC_GRPC_PROTOCOL`
`AUTH_APP_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`AUTH_APP_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9247| -|`AUTH_APP_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`OC_CORS_ALLOW_ORIGINS`
`AUTH_APP_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`AUTH_APP_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET POST DELETE]| -|`OC_CORS_ALLOW_HEADERS`
`AUTH_APP_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| -|`OC_CORS_ALLOW_CREDENTIALS`
`AUTH_APP_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`OC_JWT_SECRET`
`AUTH_APP_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the encoding of the user's group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups.|false| -|`OC_MACHINE_AUTH_API_KEY`
`AUTH_APP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|The machine auth API key used to validate internal requests necessary to access resources from other services.|| -|`AUTH_APP_ENABLE_IMPERSONATION`| 1.0.0 |bool|Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments.|false| -|`AUTH_APP_STORAGE_DRIVER`| next |string|Driver to be used to persist the app tokes . Supported values are 'jsoncs3', 'json'.|jsoncs3| -|`AUTH_APP_JSONCS3_PROVIDER_ADDR`| next |string|GRPC address of the STORAGE-SYSTEM service.|eu.opencloud.api.storage-system| -|`OC_SYSTEM_USER_ID`
`AUTH_APP_JSONCS3_SYSTEM_USER_ID`| next |string|ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.|| -|`OC_SYSTEM_USER_IDP`
`AUTH_APP_JSONCS3_SYSTEM_USER_IDP`| next |string|IDP of the OpenCloud STORAGE-SYSTEM system user.|internal| -|`OC_SYSTEM_USER_API_KEY`
`AUTH_APP_JSONCS3_SYSTEM_USER_API_KEY`| next |string|API key for the STORAGE-SYSTEM system user.|| -|`AUTH_APP_JSONCS3_PASSWORD_GENERATOR`| next |string|The password generator that should be used for generating app tokens. Supported values are: 'diceware' and 'random'.|diceware| -|`AUTH_APP_JSONCS3_DICEWARE_NUMBER_OF_WORDS`| next |int|The number of words the generated passphrase will have.|6| -|`AUTH_APP_JSONCS3_RANDOM_PASSWORD_LENGTH`| next |int|The number of charactors the generated passwords will have.|0| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`AUTH_APP_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`AUTH_APP_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`AUTH_APP_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`AUTH_APP_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`AUTH_APP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`AUTH_APP_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`AUTH_APP_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`AUTH_APP_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`AUTH_APP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9245`| +|`AUTH_APP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_APP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_APP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| +|`AUTH_APP_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9246`| +|`OC_GRPC_PROTOCOL`
`AUTH_APP_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`AUTH_APP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9247`| +|`AUTH_APP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`AUTH_APP_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`AUTH_APP_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST DELETE]`| +|`OC_CORS_ALLOW_HEADERS`
`AUTH_APP_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`AUTH_APP_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`AUTH_APP_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| +|`OC_MACHINE_AUTH_API_KEY`
`AUTH_APP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|``| +|`AUTH_APP_ENABLE_IMPERSONATION`| 1.0.0 |bool|`Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments.`|`false`| +|`AUTH_APP_STORAGE_DRIVER`| next |string|`Driver to be used to persist the app tokes . Supported values are 'jsoncs3', 'json'.`|`jsoncs3`| +|`AUTH_APP_JSONCS3_PROVIDER_ADDR`| next |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`AUTH_APP_JSONCS3_SYSTEM_USER_ID`| next |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`AUTH_APP_JSONCS3_SYSTEM_USER_IDP`| next |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`
`AUTH_APP_JSONCS3_SYSTEM_USER_API_KEY`| next |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`AUTH_APP_JSONCS3_PASSWORD_GENERATOR`| next |string|`The password generator that should be used for generating app tokens. Supported values are: 'diceware' and 'random'.`|`diceware`| +|`AUTH_APP_JSONCS3_DICEWARE_NUMBER_OF_WORDS`| next |int|`The number of words the generated passphrase will have.`|`6`| +|`AUTH_APP_JSONCS3_RANDOM_PASSWORD_LENGTH`| next |int|`The number of charactors the generated passwords will have.`|`0`| diff --git a/static/env-vars/auth-app_readme.md b/static/env-vars/auth-app_readme.md index 7d167992..4d8c3363 100755 --- a/static/env-vars/auth-app_readme.md +++ b/static/env-vars/auth-app_readme.md @@ -1,6 +1,6 @@ --- title: Auth-App -date: 2025-05-22T16:21:16.118867889+02:00 +date: 2025-11-13T17:22:55.093061+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-app @@ -30,9 +30,8 @@ PROXY_ENABLE_APP_AUTH=false # mandatory, disables app authentication. In ca * [Managing App Tokens](#managing-app-tokens) * [Via API](#via-api) * [Via Impersonation API](#via-impersonation-api) - * [Via CLI (developer only)](#via-cli-developer-only) + * [Via CLI (developer only)](#via-cli-(developer-only)) * [Authenticating using App Tokens](#authenticating-using-app-tokens) -* [Example Yaml Config](#example-yaml-config) ## App Tokens 
@@ -85,20 +84,20 @@ The `auth-app` service provides an API to create (POST), list (GET) and delete ( ``` Note that the `token` value in the response to the "List Tokens` request is not the actual - app token, but a hashed value of the token. So this value cannot be used for authenticating + app token, but the UUID of the token. So this value cannot be used for authenticating with the token. Example output: ``` [ { - "token": "$2a$11$EyudDGAJ18bBf5NG6PL9Ru9gygZAu0oPyLawdieNjGozcbXyyuUhG", + "token": "155f402e-1c5c-411c-92d4-92f3b612cd99" "expiration_date": "2024-08-08T13:44:31.025199075+02:00", "created_date": "2024-08-07T13:44:31+02:00", "label": "Generated via Impersonation API" }, { - "token": "$2a$11$dfRBQrxRMPg8fvyvkFwaX.IPoIUiokvhzK.YNI/pCafk0us3MyPzy", + "token": "8c606bdb-e22e-4094-9304-732fd4702bc9" "expiration_date": "2024-08-08T13:46:41.936052281+02:00", "created_date": "2024-08-07T13:46:42+02:00", "label": "Generated via Impersonation API" @@ -109,7 +108,7 @@ The `auth-app` service provides an API to create (POST), list (GET) and delete ( * **Delete a token**\ The DELETE request requires: * A `token` key/value pair in the form of `token=`. The value needs to be the hashed value as returned by the `List Tokens` respone.\ - Example: `token=$2$Z3s2K7816M4vuSpd5` + Example: `token=8c606bdb-e22e-4094-9304-732fd4702bc9` ```bash curl --request DELETE 'https:///auth-app/tokens?token={value}' \ --header 'accept: application/json' @@ -162,3 +161,4 @@ and the token value as returned by the "Create Token" request. curl -u : 'https:///graph/v1.0/me' \ --header 'accept: application/json' ``` + diff --git a/static/env-vars/auth-basic-config-example.yaml b/static/env-vars/auth-basic-config-example.yaml index 5da6efc7..99958aae 100644 --- a/static/env-vars/auth-basic-config-example.yaml +++ b/static/env-vars/auth-basic-config-example.yaml 
@@ -32,7 +32,7 @@ auth_provider: ldap auth_providers: ldap: uri: ldaps://localhost:9235 - ca_cert: /home/chaser/.opencloud/idm/ldap.crt + ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt insecure: false bind_dn: uid=reva,ou=sysusers,o=libregraph-idm bind_password: "" @@ -51,6 +51,7 @@ auth_providers: ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm user_schema: id: openCloudUUID + tenant_id: "" id_is_octet_string: false mail: mail display_name: displayname diff --git a/static/env-vars/auth-basic.yaml b/static/env-vars/auth-basic.yaml new file mode 100644 index 00000000..d3f951d5 --- /dev/null +++ b/static/env-vars/auth-basic.yaml 
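Review bot: The new `ca_cert` default on the changed line, `/Users/t.schweiger/.opencloud/idm/ldap.crt`, is a contributor's home-directory path that was captured when the example was regenerated, so the published example points readers at a certificate file that does not exist on their hosts and exposes a developer's local username. The same value is written into the new `auth-basic.yaml` in this patch and into the `OC_LDAP_CACERT` / `AUTH_BASIC_LDAP_CACERT` row of `auth-basic_configvars.md`. The description of that variable already states that the location derives from `$OC_BASE_DATA_PATH/idm` when unset, so the example should show that derived form, `ca_cert: $OC_BASE_DATA_PATH/idm/ldap.crt`, or leave the value empty, rather than whatever the generating machine had configured. The replaced `/home/chaser/...` value had the same problem, so this is not a regression, but the fix presumably belongs in the tooling that renders these files so it does not recur on the next regeneration.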
@@ -0,0 +1,76 @@ +# Autogenerated +# Filename: auth-basic.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9147 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9146 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +auth_provider: ldap +auth_providers: + ldap: + uri: ldaps://localhost:9235 + ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + user_scope: sub + group_scope: sub + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + login_attributes: + - uid + idp: https://localhost:9200 + disable_user_mechanism: attribute + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + user_schema: + id: openCloudUUID + tenant_id: "" + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + user_enabled: openCloudUserEnabled + group_schema: + id: openCloudUUID + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false diff --git a/static/env-vars/auth-basic_configvars.md b/static/env-vars/auth-basic_configvars.md index f603f8e6..62e2b5d1 100644 --- a/static/env-vars/auth-basic_configvars.md +++ b/static/env-vars/auth-basic_configvars.md 
@@ -1,62 +1,63 @@ Environment variables for the **auth-basic** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`AUTH_BASIC_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`AUTH_BASIC_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`AUTH_BASIC_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`AUTH_BASIC_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`AUTH_BASIC_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`AUTH_BASIC_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`AUTH_BASIC_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`AUTH_BASIC_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`AUTH_BASIC_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9147| -|`AUTH_BASIC_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`AUTH_BASIC_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`AUTH_BASIC_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing traces in-memory.|false| -|`AUTH_BASIC_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9146| -|`OC_GRPC_PROTOCOL`
`AUTH_BASIC_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`OC_JWT_SECRET`
`AUTH_BASIC_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.|false| -|`AUTH_BASIC_AUTH_MANAGER`| 1.0.0 |string|The authentication manager to check if credentials are valid. Supported value is 'ldap'.|ldap| -|`OC_LDAP_URI`
`AUTH_BASIC_LDAP_URI`| 1.0.0 |string|URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'|ldaps://localhost:9235| -|`OC_LDAP_CACERT`
`AUTH_BASIC_LDAP_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.|/home/chaser/.opencloud/idm/ldap.crt| -|`OC_LDAP_INSECURE`
`AUTH_BASIC_LDAP_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.|false| -|`OC_LDAP_BIND_DN`
`AUTH_BASIC_LDAP_BIND_DN`| 1.0.0 |string|LDAP DN to use for simple bind authentication with the target LDAP server.|uid=reva,ou=sysusers,o=libregraph-idm| -|`OC_LDAP_BIND_PASSWORD`
`AUTH_BASIC_LDAP_BIND_PASSWORD`| 1.0.0 |string|Password to use for authenticating the 'bind_dn'.|| -|`OC_LDAP_USER_BASE_DN`
`AUTH_BASIC_LDAP_USER_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP users.|ou=users,o=libregraph-idm| -|`OC_LDAP_GROUP_BASE_DN`
`AUTH_BASIC_LDAP_GROUP_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP groups.|ou=groups,o=libregraph-idm| -|`OC_LDAP_USER_SCOPE`
`AUTH_BASIC_LDAP_USER_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.|sub| -|`OC_LDAP_GROUP_SCOPE`
`AUTH_BASIC_LDAP_GROUP_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.|sub| -|`OC_LDAP_USER_FILTER`
`AUTH_BASIC_LDAP_USER_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.|| -|`OC_LDAP_GROUP_FILTER`
`AUTH_BASIC_LDAP_GROUP_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for group searches.|| -|`OC_LDAP_USER_OBJECTCLASS`
`AUTH_BASIC_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|The object class to use for users in the default user search filter ('inetOrgPerson').|inetOrgPerson| -|`OC_LDAP_GROUP_OBJECTCLASS`
`AUTH_BASIC_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|The object class to use for groups in the default group search filter ('groupOfNames').|groupOfNames| -|`LDAP_LOGIN_ATTRIBUTES`
`AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES`| 1.0.0 |[]string|A list of user object attributes that can be used for login. See the Environment Variable Types description for more details.|[uid]| -|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BASIC_IDP_URL`| 1.0.0 |string|The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.|https://localhost:9200| -|`OC_LDAP_DISABLE_USER_MECHANISM`
`AUTH_BASIC_DISABLE_USER_MECHANISM`| 1.0.0 |string|An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.|attribute| -|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`AUTH_BASIC_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.|cn=DisabledUsersGroup,ou=groups,o=libregraph-idm| -|`OC_LDAP_USER_SCHEMA_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.|openCloudUUID| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.|false| -|`OC_LDAP_USER_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|LDAP Attribute to use for the email address of users.|mail| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|LDAP Attribute to use for the displayname of users.|displayname| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|LDAP Attribute to use for username of users.|uid| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|LDAP attribute to use as a flag telling if the user is enabled or disabled.|openCloudUserEnabled| -|`OC_LDAP_GROUP_SCHEMA_ID`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).|openCloudUUID| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.|false| -|`OC_LDAP_GROUP_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|LDAP Attribute to use for the email address of groups (can be empty).|mail| -|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).|cn| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|LDAP Attribute to use for the name of groups.|cn| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|LDAP Attribute that is used for group members.|member| -|`AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|Database user to use for authenticating with the owncloud database.|owncloud| -|`AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|Password for the database user.|| -|`AUTH_BASIC_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|Hostname of the database server.|mysql| -|`AUTH_BASIC_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|Network port to use for the database connection.|3306| -|`AUTH_BASIC_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|Name of the owncloud database.|owncloud| -|`AUTH_BASIC_OWNCLOUDSQL_IDP`| 1.0.0 |string|The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.|https://localhost:9200| -|`AUTH_BASIC_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|Fallback number if no numeric UID and GID properties are provided.|90| -|`AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|Join the user properties table to read usernames|false| -|`AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|Join the user properties table to read user ID's.|false| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`AUTH_BASIC_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`AUTH_BASIC_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`AUTH_BASIC_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`AUTH_BASIC_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`AUTH_BASIC_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`AUTH_BASIC_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`AUTH_BASIC_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`AUTH_BASIC_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`AUTH_BASIC_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9147`| +|`AUTH_BASIC_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_BASIC_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_BASIC_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| +|`AUTH_BASIC_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9146`| +|`OC_GRPC_PROTOCOL`
`AUTH_BASIC_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`AUTH_BASIC_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| +|`AUTH_BASIC_AUTH_MANAGER`| 1.0.0 |string|`The authentication manager to check if credentials are valid. Supported value is 'ldap'.`|`ldap`| +|`OC_LDAP_URI`
`AUTH_BASIC_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| +|`OC_LDAP_CACERT`
`AUTH_BASIC_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/Users/t.schweiger/.opencloud/idm/ldap.crt`| +|`OC_LDAP_INSECURE`
`AUTH_BASIC_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`AUTH_BASIC_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`AUTH_BASIC_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`AUTH_BASIC_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`AUTH_BASIC_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`AUTH_BASIC_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_SCOPE`
`AUTH_BASIC_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_USER_FILTER`
`AUTH_BASIC_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_GROUP_FILTER`
`AUTH_BASIC_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`AUTH_BASIC_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| +|`OC_LDAP_GROUP_OBJECTCLASS`
`AUTH_BASIC_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| +|`LDAP_LOGIN_ATTRIBUTES`
`AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES`| 1.0.0 |[]string|`A list of user object attributes that can be used for login. See the Environment Variable Types description for more details.`|`[uid]`| +|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BASIC_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`AUTH_BASIC_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|`attribute`| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`AUTH_BASIC_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCHEMA_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_TENANT_ID`| next |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|``| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.`|`false`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).`|`openCloudUUID`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.`|`false`| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|``| +|`AUTH_BASIC_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| +|`AUTH_BASIC_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`AUTH_BASIC_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| +|`AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|`false`| +|`AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user ID's.`|`false`| diff --git a/static/env-vars/auth-basic_readme.md b/static/env-vars/auth-basic_readme.md index 13a96af3..2f5bf86b 100755 --- a/static/env-vars/auth-basic_readme.md +++ b/static/env-vars/auth-basic_readme.md @@ -1,6 +1,6 @@ --- title: Auth-Basic -date: 2025-05-22T16:21:16.118919105+02:00 +date: 2025-11-13T17:22:55.093151+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-basic 
@@ -22,14 +22,13 @@ To enable `auth-basic`, you first must set `PROXY_ENABLE_BASIC_AUTH` to `true`. ## Table of Contents -* [The `auth` Service Family](#the-auth-service-family) +* [The `auth` Service Family](#the-`auth`-service-family) * [Auth Managers](#auth-managers) * [LDAP Auth Manager](#ldap-auth-manager) * [Other Auth Managers](#other-auth-managers) * [Scalability](#scalability) -* [Example Yaml Config](#example-yaml-config) -## The auth service family +## The `auth` Service Family OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist: - `auth-app` handles authentication of external 3rd party apps @@ -54,3 +53,4 @@ OpenCloud currently supports no other auth manager When using `"ldap"` as auth manager, there is no persistance as requests will just be forwarded to the LDAP server. Therefore, multiple instances of the `auth-basic` service can be started without further configuration. Be aware, that other auth managers might not allow that. + diff --git a/static/env-vars/auth-bearer.yaml b/static/env-vars/auth-bearer.yaml new file mode 100644 index 00000000..f4ef9027 --- /dev/null +++ b/static/env-vars/auth-bearer.yaml @@ -0,0 +1,36 @@ +# Autogenerated +# Filename: auth-bearer.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9149 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9148 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +oidc: + issuer: https://localhost:9200 + insecure: false + id_claim: preferred_username + uid_claim: "" + gid_claim: "" 
diff --git a/static/env-vars/auth-bearer_configvars.md b/static/env-vars/auth-bearer_configvars.md index dfb2d5a9..90a263d2 100644 --- a/static/env-vars/auth-bearer_configvars.md +++ b/static/env-vars/auth-bearer_configvars.md @@ -1,28 +1,28 @@ Environment variables for the **auth-bearer** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`AUTH_BEARER_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`AUTH_BEARER_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`AUTH_BEARER_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`AUTH_BEARER_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`AUTH_BEARER_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`AUTH_BEARER_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`AUTH_BEARER_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`AUTH_BEARER_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`AUTH_BEARER_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9149| -|`AUTH_BEARER_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`AUTH_BEARER_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`AUTH_BEARER_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`AUTH_BEARER_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9148| -|`OC_GRPC_PROTOCOL`
`AUTH_BEARER_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`OC_JWT_SECRET`
`AUTH_BEARER_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.|false| -|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BEARER_OIDC_ISSUER`| 1.0.0 |string|URL of the OIDC issuer. It defaults to URL of the builtin IDP.|https://localhost:9200| -|`OC_INSECURE`
`AUTH_BEARER_OIDC_INSECURE`| 1.0.0 |bool|Allow insecure connections to the OIDC issuer.|false| -|`AUTH_BEARER_OIDC_ID_CLAIM`| 1.0.0 |string|Name of the claim, which holds the user identifier.|preferred_username| -|`AUTH_BEARER_OIDC_UID_CLAIM`| 1.0.0 |string|Name of the claim, which holds the UID.|| -|`AUTH_BEARER_OIDC_GID_CLAIM`| 1.0.0 |string|Name of the claim, which holds the GID.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`AUTH_BEARER_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`AUTH_BEARER_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`AUTH_BEARER_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`AUTH_BEARER_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`AUTH_BEARER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`AUTH_BEARER_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`AUTH_BEARER_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`AUTH_BEARER_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`AUTH_BEARER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9149`| +|`AUTH_BEARER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_BEARER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_BEARER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`AUTH_BEARER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9148`| +|`OC_GRPC_PROTOCOL`
`AUTH_BEARER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`AUTH_BEARER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| +|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BEARER_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| +|`OC_INSECURE`
`AUTH_BEARER_OIDC_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the OIDC issuer.`|`false`| +|`AUTH_BEARER_OIDC_ID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the user identifier.`|`preferred_username`| +|`AUTH_BEARER_OIDC_UID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the UID.`|``| +|`AUTH_BEARER_OIDC_GID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the GID.`|``| diff --git a/static/env-vars/auth-bearer_readme.md b/static/env-vars/auth-bearer_readme.md index d95a0cc1..86d4114e 100755 --- a/static/env-vars/auth-bearer_readme.md +++ b/static/env-vars/auth-bearer_readme.md @@ -1,6 +1,6 @@ --- title: Auth-Bearer -date: 2025-05-22T16:21:16.118961645+02:00 +date: 2025-11-13T17:22:55.093335+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/auth-bearer @@ -18,12 +18,11 @@ The OpenCloud Auth Bearer service communicates with the configured OpenID Connec ## Table of Contents -* [The auth Service Family](#the-auth-service-family) +* [The `auth` Service Family](#the-`auth`-service-family) * [Built in OpenID Connect Identity Provider](#built-in-openid-connect-identity-provider) * [Scalability](#scalability) -* [Example Yaml Config](#example-yaml-config) -## The auth Service Family +## The `auth` Service Family OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist: - `auth-app` handles authentication of external 3rd party apps 
@@ -41,3 +40,4 @@ A default OpenCloud deployment will start a [built in OpenID Connect identity pr
 There is no persistance or caching. The proxy caches verified auth bearer tokens. Requests will be forwarded to the identity provider. Therefore, multiple instances of the `auth-bearer` service can be started without further configuration. Currently, the auth registry used by the gateway can only use a single instance of the service. To use more than one auth provider per deployment you need to scale the gateway. This will change when we use the service registry in more places and use micro clients to select an instance of a service.
+
diff --git a/static/env-vars/auth-machine.yaml b/static/env-vars/auth-machine.yaml
new file mode 100644
index 00000000..070c15d6
--- /dev/null
+++ b/static/env-vars/auth-machine.yaml
@@ -0,0 +1,31 @@
+# Autogenerated +# Filename: auth-machine.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9167 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9166 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +machine_auth_api_key: ""
diff --git a/static/env-vars/auth-machine_configvars.md b/static/env-vars/auth-machine_configvars.md
index 114e0960..797d7b58 100644
--- a/static/env-vars/auth-machine_configvars.md
+++ b/static/env-vars/auth-machine_configvars.md
@@ -1,24 +1,24 @@
 Environment variables for the **auth-machine** service
 | Name | Introduction Version | Type | Description | Default Value |
-|---|---|---|---|---|
-|`OC_TRACING_ENABLED`
`AUTH_MACHINE_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false|
-|`OC_TRACING_TYPE`
`AUTH_MACHINE_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.||
-|`OC_TRACING_ENDPOINT`
`AUTH_MACHINE_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.||
-|`OC_TRACING_COLLECTOR`
`AUTH_MACHINE_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.||
-|`OC_LOG_LEVEL`
`AUTH_MACHINE_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.||
-|`OC_LOG_PRETTY`
`AUTH_MACHINE_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false|
-|`OC_LOG_COLOR`
`AUTH_MACHINE_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false|
-|`OC_LOG_FILE`
`AUTH_MACHINE_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.||
-|`AUTH_MACHINE_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9167|
-|`AUTH_MACHINE_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.||
-|`AUTH_MACHINE_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false|
-|`AUTH_MACHINE_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false|
-|`AUTH_MACHINE_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9166|
-|`OC_GRPC_PROTOCOL`
`AUTH_MACHINE_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp|
-|`OC_JWT_SECRET`
`AUTH_MACHINE_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.||
-|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway|
-|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.||
-|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.||
-|`AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.|false|
-|`OC_MACHINE_AUTH_API_KEY`
`AUTH_MACHINE_API_KEY`| 1.0.0 |string|Machine auth API key used to validate internal requests necessary for the access to resources from other services.||
\ No newline at end of file
+|---|---|---|---|:---|
+|`OC_TRACING_ENABLED`
`AUTH_MACHINE_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`|
+|`OC_TRACING_TYPE`
`AUTH_MACHINE_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``|
+|`OC_TRACING_ENDPOINT`
`AUTH_MACHINE_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``|
+|`OC_TRACING_COLLECTOR`
`AUTH_MACHINE_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``|
+|`OC_LOG_LEVEL`
`AUTH_MACHINE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``|
+|`OC_LOG_PRETTY`
`AUTH_MACHINE_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`|
+|`OC_LOG_COLOR`
`AUTH_MACHINE_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`|
+|`OC_LOG_FILE`
`AUTH_MACHINE_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``|
+|`AUTH_MACHINE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9167`|
+|`AUTH_MACHINE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``|
+|`AUTH_MACHINE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`|
+|`AUTH_MACHINE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`|
+|`AUTH_MACHINE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9166`|
+|`OC_GRPC_PROTOCOL`
`AUTH_MACHINE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`|
+|`OC_JWT_SECRET`
`AUTH_MACHINE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
+|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`|
+|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``|
+|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``|
+|`AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`|
+|`OC_MACHINE_AUTH_API_KEY`
`AUTH_MACHINE_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``|
diff --git a/static/env-vars/auth-machine_readme.md b/static/env-vars/auth-machine_readme.md
index 5408e3a9..58c0edf1 100755
--- a/static/env-vars/auth-machine_readme.md
+++ b/static/env-vars/auth-machine_readme.md
@@ -1,6 +1,6 @@
 ---
 title: Auth-Machine
-date: 2025-05-22T16:21:16.119009124+02:00
+date: 2025-11-13T17:22:55.093564+01:00
 weight: 20
 geekdocRepo: https://github.com/opencloud-eu/opencloud
 geekdocEditPath: edit/master/services/auth-machine
@@ -27,7 +27,6 @@ OpenCloud uses serveral authentication services for different use cases. All ser
 * [User Impersonation](#user-impersonation)
 * [Deprecation](#deprecation)
-* [Example Yaml Config](#example-yaml-config)
 ## User Impersonation
@@ -36,3 +35,4 @@ When one OpenCloud service is trying to talk to other OpenCloud services, it nee
 ## Deprecation
 With the upcoming `auth-service` service, the `auth-machine` service will be used less frequently and is probably a candidate for deprecation.
+
diff --git a/static/env-vars/auth-service.yaml b/static/env-vars/auth-service.yaml
new file mode 100644
index 00000000..8a2230df
--- /dev/null
+++ b/static/env-vars/auth-service.yaml
@@ -0,0 +1,32 @@
+# Autogenerated +# Filename: auth-service.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9198 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9199 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +service_account: + service_account_id: "" + service_account_secret: ""
diff --git a/static/env-vars/auth-service_configvars.md b/static/env-vars/auth-service_configvars.md
index c34be811..cfad01cb 100644
--- a/static/env-vars/auth-service_configvars.md
+++ b/static/env-vars/auth-service_configvars.md
@@ -1,24 +1,24 @@
 Environment variables for the **auth-service** service
 | Name | Introduction Version | Type | Description | Default Value |
-|---|---|---|---|---|
-|`OC_TRACING_ENABLED`
`AUTH_SERVICE_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false|
-|`OC_TRACING_TYPE`
`AUTH_SERVICE_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.||
-|`OC_TRACING_ENDPOINT`
`AUTH_SERVICE_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.||
-|`OC_TRACING_COLLECTOR`
`AUTH_SERVICE_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.||
-|`OC_LOG_LEVEL`
`AUTH_SERVICE_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.||
-|`OC_LOG_PRETTY`
`AUTH_SERVICE_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false|
-|`OC_LOG_COLOR`
`AUTH_SERVICE_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false|
-|`OC_LOG_FILE`
`AUTH_SERVICE_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.||
-|`AUTH_SERVICE_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9198|
-|`AUTH_SERVICE_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.||
-|`AUTH_SERVICE_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false|
-|`AUTH_SERVICE_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false|
-|`AUTH_SERVICE_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9199|
-|`OC_GRPC_PROTOCOL`
`AUTH_SERVICE_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp|
-|`OC_JWT_SECRET`
`AUTH_SERVICE_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.||
-|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway|
-|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.||
-|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.||
-|`OC_SERVICE_ACCOUNT_ID`
`AUTH_SERVICE_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.||
-|`OC_SERVICE_ACCOUNT_SECRET`
`AUTH_SERVICE_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.||
\ No newline at end of file
+|---|---|---|---|:---|
+|`OC_TRACING_ENABLED`
`AUTH_SERVICE_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`|
+|`OC_TRACING_TYPE`
`AUTH_SERVICE_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``|
+|`OC_TRACING_ENDPOINT`
`AUTH_SERVICE_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``|
+|`OC_TRACING_COLLECTOR`
`AUTH_SERVICE_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``|
+|`OC_LOG_LEVEL`
`AUTH_SERVICE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``|
+|`OC_LOG_PRETTY`
`AUTH_SERVICE_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`|
+|`OC_LOG_COLOR`
`AUTH_SERVICE_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`|
+|`OC_LOG_FILE`
`AUTH_SERVICE_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``|
+|`AUTH_SERVICE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9198`|
+|`AUTH_SERVICE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``|
+|`AUTH_SERVICE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`|
+|`AUTH_SERVICE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`|
+|`AUTH_SERVICE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9199`|
+|`OC_GRPC_PROTOCOL`
`AUTH_SERVICE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`|
+|`OC_JWT_SECRET`
`AUTH_SERVICE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
+|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`|
+|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``|
+|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``|
+|`OC_SERVICE_ACCOUNT_ID`
`AUTH_SERVICE_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``|
+|`OC_SERVICE_ACCOUNT_SECRET`
`AUTH_SERVICE_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``|
diff --git a/static/env-vars/auth-service_readme.md b/static/env-vars/auth-service_readme.md
index f9455ebd..9b9187d8 100755
--- a/static/env-vars/auth-service_readme.md
+++ b/static/env-vars/auth-service_readme.md
@@ -1,6 +1,6 @@
 ---
 title: Auth-Service
-date: 2025-05-22T16:21:16.119064568+02:00
+date: 2025-11-13T17:22:55.093816+01:00
 weight: 20
 geekdocRepo: https://github.com/opencloud-eu/opencloud
 geekdocEditPath: edit/master/services/auth-service
@@ -18,12 +18,11 @@ The OpenCloud Auth Service is used to authenticate service accounts. Compared to
 ## Table of Contents
-* [The auth Service Family](#the-auth-service-family)
+* [The `auth` Service Family](#the-`auth`-service-family)
 * [Service Accounts](#service-accounts)
 * [Configuring Service Accounts](#configuring-service-accounts)
-* [Example Yaml Config](#example-yaml-config)
-## The auth Service Family
+## The `auth` Service Family
 OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
 - `auth-app` handles authentication of external 3rd party apps
@@ -39,3 +38,4 @@ Service accounts are user accounts that are only used for inter service communic
 ## Configuring Service Accounts
 By using the envvars `OC_SERVICE_ACCOUNT_ID` and `OC_SERVICE_ACCOUNT_SECRET`, one can configure the ID and the secret of the service user. The secret can be rotated regulary to increase security. For activating a new secret, all services where the envvars are used need to be restarted. The secret is always and only stored in memory and never written into any persistant store. Though you can use any string for the service account, it is recommmended to use a UUIDv4 string.
+
diff --git a/static/env-vars/clientlog.yaml b/static/env-vars/clientlog.yaml
new file mode 100644
index 00000000..a3af04f3
--- /dev/null
+++ b/static/env-vars/clientlog.yaml
@@ -0,0 +1,33 @@
+# Autogenerated +# Filename: clientlog.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9260 + token: "" + pprof: false + zpages: false +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva_gateway: eu.opencloud.api.gateway +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +service_account: + service_account_id: "" + service_account_secret: ""
diff --git a/static/env-vars/clientlog_configvars.md b/static/env-vars/clientlog_configvars.md
index 54f3eb93..e876b156 100644
--- a/static/env-vars/clientlog_configvars.md
+++ b/static/env-vars/clientlog_configvars.md
@@ -1,27 +1,27 @@
 Environment variables for the **clientlog** service
 | Name | Introduction Version | Type | Description | Default Value |
-|---|---|---|---|---|
-|`OC_TRACING_ENABLED`
`CLIENTLOG_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false|
-|`OC_TRACING_TYPE`
`CLIENTLOG_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.||
-|`OC_TRACING_ENDPOINT`
`CLIENTLOG_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.||
-|`OC_TRACING_COLLECTOR`
`CLIENTLOG_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.||
-|`OC_LOG_LEVEL`
`CLIENTLOG_USERLOG_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.||
-|`OC_LOG_PRETTY`
`CLIENTLOG_USERLOG_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false|
-|`OC_LOG_COLOR`
`CLIENTLOG_USERLOG_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false|
-|`OC_LOG_FILE`
`CLIENTLOG_USERLOG_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.||
-|`CLIENTLOG_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9260|
-|`CLIENTLOG_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.||
-|`CLIENTLOG_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false|
-|`CLIENTLOG_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false|
-|`OC_JWT_SECRET`
`CLIENTLOG_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.||
-|`OC_REVA_GATEWAY`| 1.0.0 |string|CS3 gateway used to look up user metadata|eu.opencloud.api.gateway|
-|`OC_EVENTS_ENDPOINT`
`CLIENTLOG_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233|
-|`OC_EVENTS_CLUSTER`
`CLIENTLOG_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster|
-|`OC_INSECURE`
`CLIENTLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false|
-|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.||
-|`OC_EVENTS_ENABLE_TLS`
`CLIENTLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false|
-|`OC_EVENTS_AUTH_USERNAME`
`CLIENTLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.||
-|`OC_EVENTS_AUTH_PASSWORD`
`CLIENTLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.||
-|`OC_SERVICE_ACCOUNT_ID`
`CLIENTLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.||
-|`OC_SERVICE_ACCOUNT_SECRET`
`CLIENTLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.||
\ No newline at end of file
+|---|---|---|---|:---|
+|`OC_TRACING_ENABLED`
`CLIENTLOG_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`|
+|`OC_TRACING_TYPE`
`CLIENTLOG_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``|
+|`OC_TRACING_ENDPOINT`
`CLIENTLOG_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``|
+|`OC_TRACING_COLLECTOR`
`CLIENTLOG_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``|
+|`OC_LOG_LEVEL`
`CLIENTLOG_USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``|
+|`OC_LOG_PRETTY`
`CLIENTLOG_USERLOG_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`|
+|`OC_LOG_COLOR`
`CLIENTLOG_USERLOG_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`|
+|`OC_LOG_FILE`
`CLIENTLOG_USERLOG_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``|
+|`CLIENTLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9260`|
+|`CLIENTLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``|
+|`CLIENTLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`|
+|`CLIENTLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`|
+|`OC_JWT_SECRET`
`CLIENTLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
+|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`|
+|`OC_EVENTS_ENDPOINT`
`CLIENTLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`|
+|`OC_EVENTS_CLUSTER`
`CLIENTLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`|
+|`OC_INSECURE`
`CLIENTLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``|
+|`OC_EVENTS_ENABLE_TLS`
`CLIENTLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`|
+|`OC_EVENTS_AUTH_USERNAME`
`CLIENTLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``|
+|`OC_EVENTS_AUTH_PASSWORD`
`CLIENTLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``|
+|`OC_SERVICE_ACCOUNT_ID`
`CLIENTLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``|
+|`OC_SERVICE_ACCOUNT_SECRET`
`CLIENTLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``|
diff --git a/static/env-vars/clientlog_readme.md b/static/env-vars/clientlog_readme.md
index 5f9c53fd..02c6600d 100755
--- a/static/env-vars/clientlog_readme.md
+++ b/static/env-vars/clientlog_readme.md
@@ -1,6 +1,6 @@
 ---
 title: Clientlog Service
-date: 2025-05-22T16:21:16.119110815+02:00
+date: 2025-11-13T17:22:55.094245+01:00
 weight: 20
 geekdocRepo: https://github.com/opencloud-eu/opencloud
 geekdocEditPath: edit/master/services/clientlog
@@ -20,7 +20,6 @@ The `clientlog` service is responsible for composing machine readable notificati
 * [The Log Service Ecosystem](#the-log-service-ecosystem)
 * [Clientlog Events](#clientlog-events)
-* [Example Yaml Config](#example-yaml-config)
 ## The Log Service Ecosystem
@@ -32,3 +31,4 @@ Log services like the `userlog`, `clientlog` and `sse` are responsible for compo
 ## Clientlog Events
 The messages the `clientlog` service sends are intended for the use by clients, not by users. The client might for example be informed that a file has finished post-processing. With that, the client can make the file available to the user without additional server queries.
+
diff --git a/static/env-vars/collaboration-config-example.yaml b/static/env-vars/collaboration-config-example.yaml
index fb5efc53..3d1764ec 100644
--- a/static/env-vars/collaboration-config-example.yaml
+++ b/static/env-vars/collaboration-config-example.yaml
@@ -45,6 +45,7 @@ cs3api:
 datagateway:
 insecure: false
 grpc_client_tls: null
+ app_registration_interval: 30s
 tracing:
 enabled: false
 type: ""
diff --git a/static/env-vars/collaboration.yaml b/static/env-vars/collaboration.yaml
new file mode 100644
index 00000000..1076bcf5
--- /dev/null
+++ b/static/env-vars/collaboration.yaml
@@ -0,0 +1,63 @@
+# Autogenerated +# Filename: collaboration.yaml + +app: + name: Collabora + product: "" + description: Open office documents with Collabora + icon: image-edit + addr: https://127.0.0.1:9980 + insecure: false + proofkeys: + disable: false + duration: 12h + licensecheckenable: false +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: collaboration + table: "" + ttl: 30m0s + username: "" + password: "" +token_manager: + jwt_secret: "" +grpc: + addr: 127.0.0.1:9301 + protocol: tcp +http: + addr: 127.0.0.1:9300 + tls: + enabled: false + cert: "" + key: "" +wopi: + wopisrc: https://localhost:9300 + secret: "" + disable_chat: false + proxy_url: "" + proxy_secret: "" + short_tokens: false +cs3api: + gateway: + name: eu.opencloud.api.gateway + datagateway: + insecure: false + grpc_client_tls: null + app_registration_interval: 30s +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9304 + token: "" + pprof: false + zpages: false
diff --git a/static/env-vars/collaboration_configvars.md b/static/env-vars/collaboration_configvars.md
index 4f46a5cf..b46f67b3 100644
--- a/static/env-vars/collaboration_configvars.md
+++ b/static/env-vars/collaboration_configvars.md
@@ -1,47 +1,49 @@ Environment variables for the **collaboration** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`COLLABORATION_APP_NAME`| 1.0.0 |string|The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like 'CollaboraOnline'.|Collabora| -|`COLLABORATION_APP_PRODUCT`| 1.0.0 |string|The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline.|| -|`COLLABORATION_APP_DESCRIPTION`| 1.0.0 |string|App description|Open office documents with Collabora| -|`COLLABORATION_APP_ICON`| 1.0.0 |string|Icon for the app|image-edit| -|`COLLABORATION_APP_ADDR`| 1.0.0 |string|The URL where the WOPI app is located, such as \https://127.0.0.1:8080.|https://127.0.0.1:9980| -|`COLLABORATION_APP_INSECURE`| 1.0.0 |bool|Skip TLS certificate verification when connecting to the WOPI app|false| -|`COLLABORATION_APP_PROOF_DISABLE`| 1.0.0 |bool|Disable the proof keys verification|false| -|`COLLABORATION_APP_PROOF_DURATION`| 1.0.0 |string|Duration for the proof keys to be cached in memory, using time.ParseDuration format. If the duration can't be parsed, we'll use the default 12h as duration|12h| -|`COLLABORATION_APP_LICENSE_CHECK_ENABLE`| 1.0.0 |bool|Enable license checking to edit files. Needs to be enabled when using Microsoft365 with the business flow.|false| -|`OC_PERSISTENT_STORE`
`COLLABORATION_STORE`| 1.0.0 |string|The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.|nats-js-kv| -|`OC_PERSISTENT_STORE_NODES`
`COLLABORATION_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`COLLABORATION_STORE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|collaboration| -|`COLLABORATION_STORE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_PERSISTENT_STORE_TTL`
`COLLABORATION_STORE_TTL`| 1.0.0 |Duration|Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details.|30m0s| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`COLLABORATION_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`COLLABORATION_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_JWT_SECRET`
`COLLABORATION_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`COLLABORATION_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9301| -|`OC_GRPC_PROTOCOL`
`COLLABORATION_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`COLLABORATION_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9300| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`COLLABORATION_WOPI_SRC`| 1.0.0 |string|The WOPI source base URL containing schema, host and port. Set this to the schema and domain where the collaboration service is reachable for the wopi app, such as \https://office.example.test.|https://localhost:9300| -|`COLLABORATION_WOPI_SECRET`| 1.0.0 |string|Used to mint and verify WOPI JWT tokens and encrypt and decrypt the REVA JWT token embedded in the WOPI JWT token.|| -|`COLLABORATION_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft.|false| -|`COLLABORATION_WOPI_PROXY_URL`| 1.0.0 |string|The URL to the OpenCloud WOPI proxy. Optional. To use this feature, you need an office365 proxy subscription. If you become part of the Microsoft CSP program (\https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), you can use WebOffice without a proxy.|| -|`COLLABORATION_WOPI_PROXY_SECRET`| 1.0.0 |string|Optional, the secret to authenticate against the OpenCloud WOPI proxy. This secret can be obtained from OpenCloud via the office365 proxy subscription.|| -|`COLLABORATION_WOPI_SHORTTOKENS`| 1.0.0 |bool|Use short access tokens for WOPI access. This is useful for office packages, like Microsoft Office Online, which have URL length restrictions. If enabled, a persistent store must be configured.|false| -|`OC_REVA_GATEWAY`| 1.0.0 |string|CS3 gateway used to look up user metadata.|eu.opencloud.api.gateway| -|`COLLABORATION_CS3API_DATAGATEWAY_INSECURE`| 1.0.0 |bool|Connect to the CS3API data gateway insecurely.|false| -|`OC_TRACING_ENABLED`
`COLLABORATION_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`COLLABORATION_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`COLLABORATION_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`COLLABORATION_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`COLLABORATION_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`COLLABORATION_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`COLLABORATION_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`COLLABORATION_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`COLLABORATION_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9304| -|`COLLABORATION_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`COLLABORATION_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`COLLABORATION_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| \ No newline at end of file +|---|---|---|---|:---| +|`COLLABORATION_SERVICE_NAME`| 3.6.0 |string|`The name of the service which is registered. You only need to change this when more than one collaboration service is needed.`|`collaboration`| +|`COLLABORATION_APP_NAME`| 1.0.0 |string|`The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like 'CollaboraOnline'.`|`Collabora`| +|`COLLABORATION_APP_PRODUCT`| 1.0.0 |string|`The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline.`|``| +|`COLLABORATION_APP_DESCRIPTION`| 1.0.0 |string|`App description`|`Open office documents with Collabora`| +|`COLLABORATION_APP_ICON`| 1.0.0 |string|`Icon for the app`|`image-edit`| +|`COLLABORATION_APP_ADDR`| 1.0.0 |string|`The URL where the WOPI app is located, such as \https://127.0.0.1:8080.`|`https://127.0.0.1:9980`| +|`COLLABORATION_APP_INSECURE`| 1.0.0 |bool|`Skip TLS certificate verification when connecting to the WOPI app`|`false`| +|`COLLABORATION_APP_PROOF_DISABLE`| 1.0.0 |bool|`Disable the proof keys verification`|`false`| +|`COLLABORATION_APP_PROOF_DURATION`| 1.0.0 |string|`Duration for the proof keys to be cached in memory, using time.ParseDuration format. 
If the duration can't be parsed, we'll use the default 12h as duration`|`12h`| +|`COLLABORATION_APP_LICENSE_CHECK_ENABLE`| 1.0.0 |bool|`Enable license checking to edit files. Needs to be enabled when using Microsoft365 with the business flow.`|`false`| +|`OC_PERSISTENT_STORE`
`COLLABORATION_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`COLLABORATION_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`COLLABORATION_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`collaboration`| +|`COLLABORATION_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`COLLABORATION_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details.`|`30m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`COLLABORATION_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`COLLABORATION_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_JWT_SECRET`
`COLLABORATION_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`COLLABORATION_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9301`| +|`OC_GRPC_PROTOCOL`
`COLLABORATION_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`COLLABORATION_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9300`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`COLLABORATION_WOPI_SRC`| 1.0.0 |string|`The WOPI source base URL containing schema, host and port. Set this to the schema and domain where the collaboration service is reachable for the wopi app, such as \https://office.example.test.`|`https://localhost:9300`| +|`COLLABORATION_WOPI_SECRET`| 1.0.0 |string|`Used to mint and verify WOPI JWT tokens and encrypt and decrypt the REVA JWT token embedded in the WOPI JWT token.`|``| +|`COLLABORATION_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft.`|`false`| +|`COLLABORATION_WOPI_PROXY_URL`| 1.0.0 |string|`The URL to the OpenCloud WOPI proxy. Optional. To use this feature, you need an office365 proxy subscription. If you become part of the Microsoft CSP program (\https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), you can use WebOffice without a proxy.`|``| +|`COLLABORATION_WOPI_PROXY_SECRET`| 1.0.0 |string|`Optional, the secret to authenticate against the OpenCloud WOPI proxy. This secret can be obtained from OpenCloud via the office365 proxy subscription.`|``| +|`COLLABORATION_WOPI_SHORTTOKENS`| 1.0.0 |bool|`Use short access tokens for WOPI access. This is useful for office packages, like Microsoft Office Online, which have URL length restrictions. If enabled, a persistent store must be configured.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata.`|`eu.opencloud.api.gateway`| +|`COLLABORATION_CS3API_DATAGATEWAY_INSECURE`| 1.0.0 |bool|`Connect to the CS3API data gateway insecurely.`|`false`| +|`COLLABORATION_CS3API_APP_REGISTRATION_INTERVAL`| next |Duration|`The interval at which the app provider registers itself.`|`30s`| +|`OC_TRACING_ENABLED`
`COLLABORATION_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`COLLABORATION_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`COLLABORATION_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`COLLABORATION_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`COLLABORATION_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`COLLABORATION_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`COLLABORATION_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`COLLABORATION_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`COLLABORATION_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9304`| +|`COLLABORATION_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`COLLABORATION_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`COLLABORATION_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| diff --git a/static/env-vars/collaboration_readme.md b/static/env-vars/collaboration_readme.md index af2cbeb2..b9dd5669 100755 --- a/static/env-vars/collaboration_readme.md +++ b/static/env-vars/collaboration_readme.md @@ -1,6 +1,6 @@ --- title: Collaboration -date: 2025-05-22T16:21:16.119157012+02:00 +date: 2025-11-13T17:22:55.094416+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/collaboration @@ -31,7 +31,6 @@ Required environment variables: * [Requirements](#requirements) * [WOPI Configuration](#wopi-configuration) * [Storing](#storing) -* [Example Yaml Config](#example-yaml-config) ## Requirements @@ -89,3 +88,4 @@ Store specific notes: - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus. - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc. + diff --git a/static/env-vars/eventhistory.yaml b/static/env-vars/eventhistory.yaml new file mode 100644 index 00000000..a8d559d1 --- /dev/null +++ b/static/env-vars/eventhistory.yaml 
@@ -0,0 +1,39 @@ +# Autogenerated +# Filename: eventhistory.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9270 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9274 + tls: null +grpc_client_tls: null +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: eventhistory + table: "" + ttl: 336h0m0s + username: "" + password: "" diff --git a/static/env-vars/eventhistory_configvars.md b/static/env-vars/eventhistory_configvars.md index 5c2940cb..e41a1d95 100644 --- a/static/env-vars/eventhistory_configvars.md +++ b/static/env-vars/eventhistory_configvars.md @@ -1,31 +1,31 @@ Environment variables for the **eventhistory** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`EVENTHISTORY_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`EVENTHISTORY_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`EVENTHISTORY_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`EVENTHISTORY_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`EVENTHISTORY_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`EVENTHISTORY_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`EVENTHISTORY_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`EVENTHISTORY_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`EVENTHISTORY_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9270| -|`EVENTHISTORY_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`EVENTHISTORY_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`EVENTHISTORY_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`EVENTHISTORY_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9274| -|`OC_EVENTS_ENDPOINT`
`EVENTHISTORY_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`EVENTHISTORY_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`EVENTHISTORY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided.|| -|`OC_EVENTS_ENABLE_TLS`
`EVENTHISTORY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`EVENTHISTORY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`EVENTHISTORY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_PERSISTENT_STORE`
`EVENTHISTORY_STORE`| 1.0.0 |string|The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.|nats-js-kv| -|`OC_PERSISTENT_STORE_NODES`
`EVENTHISTORY_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`EVENTHISTORY_STORE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|eventhistory| -|`EVENTHISTORY_STORE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_PERSISTENT_STORE_TTL`
`EVENTHISTORY_STORE_TTL`| 1.0.0 |Duration|Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.|336h0m0s| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`EVENTHISTORY_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`EVENTHISTORY_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`EVENTHISTORY_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`EVENTHISTORY_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`EVENTHISTORY_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`EVENTHISTORY_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`EVENTHISTORY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`EVENTHISTORY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`EVENTHISTORY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`EVENTHISTORY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`EVENTHISTORY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9270`| +|`EVENTHISTORY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`EVENTHISTORY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`EVENTHISTORY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`EVENTHISTORY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9274`| +|`OC_EVENTS_ENDPOINT`
`EVENTHISTORY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`EVENTHISTORY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`EVENTHISTORY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided.`|``| +|`OC_EVENTS_ENABLE_TLS`
`EVENTHISTORY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`EVENTHISTORY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`EVENTHISTORY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_PERSISTENT_STORE`
`EVENTHISTORY_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`EVENTHISTORY_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`EVENTHISTORY_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`eventhistory`| +|`EVENTHISTORY_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`EVENTHISTORY_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`EVENTHISTORY_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`EVENTHISTORY_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| diff --git a/static/env-vars/eventhistory_readme.md b/static/env-vars/eventhistory_readme.md index 4e027680..47dd76b4 100755 --- a/static/env-vars/eventhistory_readme.md +++ b/static/env-vars/eventhistory_readme.md @@ -1,6 +1,6 @@ --- title: Eventhistory -date: 2025-05-22T16:21:16.1192089+02:00 +date: 2025-11-13T17:22:55.094497+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/eventhistory @@ -22,7 +22,6 @@ The `eventhistory` consumes all events from the configured event system like NAT * [Consuming](#consuming) * [Storing](#storing) * [Retrieving](#retrieving) -* [Example Yaml Config](#example-yaml-config) ## Prerequisites @@ -54,3 +53,4 @@ Store specific notes: ## Retrieving Other services can call the `eventhistory` service via a gRPC call to retrieve events. The request must contain the event ID that should be retrieved. + diff --git a/static/env-vars/extended_configvars.md b/static/env-vars/extended_configvars.md index d7b1debe..01e7e344 100644 --- a/static/env-vars/extended_configvars.md +++ b/static/env-vars/extended_configvars.md @@ -2,10 +2,25 @@ | Name | Type | Description | Default Value | |---|---|---|---| +`CI` | | | | +`CI` | | | | +`CI` | | | | +`CI_SYSTEM_NAME` | | | | +`CI_SYSTEM_NAME` | | | | +`CI_SYSTEM_NAME` | | | | `CS3_GATEWAY` | | | | `CS3_GATEWAY` | | | | +`CS3_GATEWAY` | | | | +`CS3_GATEWAY` | | | | +`CS3_GATEWAY` | | | | +`CS3_MACHINE_AUTH_API_KEY` | | | | `CS3_MACHINE_AUTH_API_KEY` | | | | `CS3_MACHINE_AUTH_API_KEY` | | | | +`CS3_MACHINE_AUTH_API_KEY` | | | | +`CS3_MACHINE_AUTH_API_KEY` | | | | +`DAYS` | | | | +`DAYS` | | | | +`DAYS` | | | | `DAYS` | | | | `DAYS` | | | | `GITHUB_API_TOKEN` | | | | 
@@ -43,6 +58,16 @@
 `MICRO_LOG_LEVEL` | | | |
 `MICRO_LOG_LEVEL` | | | |
 `MICRO_LOG_LEVEL` | | | |
+`MICRO_LOG_LEVEL` | | | |
+`MICRO_LOG_LEVEL` | | | |
+`MICRO_LOG_LEVEL` | | | |
+`MICRO_LOG_LEVEL` | | | |
+`MICRO_LOG_LEVEL` | | | |
+`MICRO_LOG_LEVEL` | | | |
+`MIDDLEWARE_PROJECT_DIR` | | | |
+`MONTH` | | | |
+`MONTH` | | | |
+`MONTH` | | | |
 `MONTH` | | | |
 `MONTH` | | | |
 `NEXTCLOUD` | | | |
@@ -51,40 +76,84 @@ `NEXTCLOUD` | | | | `OC_BASE_DATA_PATH` | | | | `OC_BASE_DATA_PATH` | | | | +`OC_BASE_DATA_PATH` | | | | +`OC_BASE_DATA_PATH` | | | | +`OC_BASE_DATA_PATH` | | | | +`OC_CONFIG_DIR` | | | | +`OC_CONFIG_DIR` | | | | +`OC_CONFIG_DIR` | | | | `OC_CONFIG_DIR` | | | | `OC_CONFIG_DIR` | | | | `OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE` | | | | +`OX_BLACKLISTED_PACKAGES` | | | | +`OX_WHITELISTED_PACKAGES` | | | | `REDIS_ADDRESS` | | | | `REVA_APPPROVIDER_IOPSECRET` | | | | `REVA_SMTP_SENDER_PASSWORD` | | | | `RUN_CMD_TEST` | | | | `RUN_CMD_TEST` | | | | +`RUN_CMD_TEST` | | | | +`RUN_CMD_TEST` | | | | +`RUN_CMD_TEST` | | | | `RUN_LDAP_TESTS` | | | | `RUN_LDAP_TESTS` | | | | `SQL_ADDRESS` | | | | `SQL_DBNAME` | | | | `SQL_PASSWORD` | | | | `SQL_USERNAME` | | | | +`USE_TESTCONTAINERS` | | | | +`USE_TESTCONTAINERS` | | | | +`USE_TESTCONTAINERS` | | | | `YEAR` | | | | `YEAR` | | | | +`YEAR` | | | | +`YEAR` | | | | +`YEAR` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | `_registryAddressEnv` | | | | `_registryAddressEnv` | | | | `_registryAddressEnv` | | | | `_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryAddressEnv` | | | | +`_registryEnv` | | | | +`_registryEnv` | | | | `_registryEnv` | | | | `_registryEnv` | | | | +`_registryEnv` | | | | +`_registryPasswordEnv` | | | | +`_registryPasswordEnv` | | | | `_registryPasswordEnv` | | | | `_registryPasswordEnv` | | | | +`_registryPasswordEnv` | | | | +`_registryRegisterIntervalEnv` | | | | +`_registryRegisterIntervalEnv` | | | | +`_registryRegisterIntervalEnv` | | | | `_registryRegisterIntervalEnv` | | | | `_registryRegisterIntervalEnv` | | | | `_registryRegisterTTLEnv` | | | | `_registryRegisterTTLEnv` | | | | +`_registryRegisterTTLEnv` | | | | +`_registryRegisterTTLEnv` | | | | +`_registryRegisterTTLEnv` | | | | `_registryUsernameEnv` | | | | `_registryUsernameEnv` | | | | +`_registryUsernameEnv` | | | | 
+`_registryUsernameEnv` | | | |
+`_registryUsernameEnv` | | | |
+`_serverMaxConnectionAgeEnv` | | | |
+`_serverMaxConnectionAgeEnv` | | | |
+`_serverMaxConnectionAgeEnv` | | | |
 `_serverMaxConnectionAgeEnv` | | | |
 `_serverMaxConnectionAgeEnv` | | | |
 `_serverMaxConnectionAgeEnv` | | | |
+`parts[0]` | | | |
+`parts[0]` | | | |
+`parts[0]` | | | |
\ No newline at end of file
diff --git a/static/env-vars/frontend-config-example.yaml b/static/env-vars/frontend-config-example.yaml
index b019f2a7..572ec050 100644
--- a/static/env-vars/frontend-config-example.yaml
+++ b/static/env-vars/frontend-config-example.yaml
@@ -123,7 +123,9 @@ checksums:
 preferred_upload_type: sha1
 read_only_user_attributes: []
 ldap_server_write_enabled: true
+edit_login_allowed_disabled: false
 full_text_search: false
+check_for_updates: true
 middleware:
 auth:
 credentials_by_user_agent: {}
@@ -148,3 +150,5 @@ password_policy:
 min_special_characters: 1
 banned_passwords_list: ""
 configurable_notifications: false
+groupware:
+ enabled: false
diff --git a/static/env-vars/frontend.yaml b/static/env-vars/frontend.yaml
new file mode 100644
index 00000000..092bfef4
--- /dev/null
+++ b/static/env-vars/frontend.yaml
@@ -0,0 +1,154 @@ +# Autogenerated +# Filename: frontend.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9141 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9140 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - PATCH + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +transfer_secret: "" +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +machine_auth_api_key: "" +skip_user_groups_in_token: false +enable_favorites: false +max_quota: 0 +upload_max_chunk_size: 10000000 +upload_http_method_override: "" +default_upload_protocol: tus +enable_federated_sharing_incoming: false +enable_federated_sharing_outgoing: false +search_min_length: 3 +edition: "" +disable_sse: false +default_link_permissions: 1 +public_url: https://localhost:9200 +max_concurrency: 1 +app_handler: + insecure: false + secure_view_app_addr: eu.opencloud.api.collaboration +archiver: + max_num_files: 10000 + max_size: 1073741824 + insecure: false +data_gateway: + prefix: data +ocs: + prefix: ocs + share_prefix: /Shares + home_namespace: /users/{{.Id.OpaqueId}} + additional_info_attribute: '{{.Mail}}' + stat_cache_type: memory + stat_cache_nodes: + - 127.0.0.1:9233 + stat_cache_database: cache-stat + stat_cache_table: "" + 
stat_cache_ttl: 5m0s + stat_cache_disable_persistence: false + stat_cache_auth_username: "" + stat_cache_auth_password: "" + enable_denials: false + list_ocm_shares: true + include_ocm_sharees: false + public_sharing_share_must_have_password: true + public_sharing_writeableshare_must_have_password: false + show_email_in_results: false +checksums: + supported_types: + - sha1 + - md5 + - adler32 + preferred_upload_type: sha1 +read_only_user_attributes: [] +ldap_server_write_enabled: true +edit_login_allowed_disabled: false +full_text_search: false +check_for_updates: true +middleware: + auth: + credentials_by_user_agent: {} +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +grpc_client_tls: null +auto_accept_shares: true +service_account: + service_account_id: "" + service_account_secret: "" +password_policy: + min_characters: 8 + min_lowercase_characters: 1 + min_uppercase_characters: 1 + min_digits: 1 + min_special_characters: 1 + banned_passwords_list: "" +configurable_notifications: false +groupware: + enabled: false diff --git a/static/env-vars/frontend_configvars.md b/static/env-vars/frontend_configvars.md index a3fc784e..14a6fb74 100644 --- a/static/env-vars/frontend_configvars.md +++ b/static/env-vars/frontend_configvars.md @@ -1,10 +1,10 @@ -2025-05-22-16-21-09 +2025-11-13-17-19-28 # Deprecation Notice | Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement | -|---|---|---|---| +|---|---|---|:---| | The OCS API is deprecated | 1.0.0 | next-prod | | | The OCS API is deprecated | 1.0.0 | next-prod | | | The OCS API is deprecated | 1.0.0 | next-prod | | @@ -24,90 +24,93 @@ Environment variables for the **frontend** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`FRONTEND_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`FRONTEND_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`FRONTEND_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`FRONTEND_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`FRONTEND_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`FRONTEND_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`FRONTEND_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`FRONTEND_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`FRONTEND_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9141| -|`FRONTEND_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`FRONTEND_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`FRONTEND_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`FRONTEND_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9140| -|`FRONTEND_HTTP_PROTOCOL`| 1.0.0 |string|The transport protocol of the HTTP service.|tcp| -|`FRONTEND_HTTP_PREFIX`| 1.0.0 |string|The Path prefix where the frontend can be accessed (defaults to /).|| -|`OC_CORS_ALLOW_ORIGINS`
`FRONTEND_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[https://localhost:9200]| -|`OC_CORS_ALLOW_METHODS`
`FRONTEND_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| -|`OC_CORS_ALLOW_HEADERS`
`FRONTEND_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]| -|`OC_CORS_ALLOW_CREDENTIALS`
`FRONTEND_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|false| -|`OC_TRANSFER_SECRET`| 1.0.0 |string|Transfer secret for signing file up- and download requests.|| -|`OC_JWT_SECRET`
`FRONTEND_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OC_MACHINE_AUTH_API_KEY`
`FRONTEND_MACHINE_AUTH_API_KEY`| 1.0.0 |string|The machine auth API key used to validate internal requests necessary to access resources from other services.|| -|`FRONTEND_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`FRONTEND_ENABLE_FAVORITES`| 1.0.0 |bool|Enables the support for favorites in the clients.|false| -|`OC_SPACES_MAX_QUOTA`
`FRONTEND_MAX_QUOTA`| 1.0.0 |uint64|Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities.|0| -|`FRONTEND_UPLOAD_MAX_CHUNK_SIZE`| 1.0.0 |int|Sets the max chunk sizes in bytes for uploads via the clients.|10000000| -|`FRONTEND_UPLOAD_HTTP_METHOD_OVERRIDE`| 1.0.0 |string|Advise TUS to replace PATCH requests by POST requests.|| -|`FRONTEND_DEFAULT_UPLOAD_PROTOCOL`| 1.0.0 |string|The default upload protocol to use in clients. Currently only 'tus' is available. See the developer API documentation for more details about TUS.|tus| -|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING`| 1.0.0 |bool|Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed.|false| -|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING`| 1.0.0 |bool|Changing this value is NOT supported. Enables support for outgoing federated sharing for clients. The backend behaviour is not changed.|false| -|`FRONTEND_SEARCH_MIN_LENGTH`| 1.0.0 |int|Minimum number of characters to enter before a client should start a search for Share receivers. This setting can be used to customize the user experience if e.g too many results are displayed.|3| -|`OC_EDITION`
`FRONTEND_EDITION`| 1.0.0 |string|Edition of OpenCloud. Used for branding purposes.|| -|`OC_DISABLE_SSE`
`FRONTEND_DISABLE_SSE`| 1.0.0 |bool|When set to true, clients are informed that the Server-Sent Events endpoint is not accessible.|false| -|`FRONTEND_DEFAULT_LINK_PERMISSIONS`| 1.0.0 |int|Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1.|1| -|`OC_URL`
`FRONTEND_PUBLIC_URL`| 1.0.0 |string|The public facing URL of the OpenCloud frontend.|https://localhost:9200| -|`OC_MAX_CONCURRENCY`
`FRONTEND_MAX_CONCURRENCY`| 1.0.0 |int|Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.|1| -|`OC_INSECURE`
`FRONTEND_APP_HANDLER_INSECURE`| 1.0.0 |bool|Allow insecure connections to the frontend.|false| -|`FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR`| 1.0.0 |string|Service name or address of the app provider to use for secure view. Should match the service name or address of the registered CS3 app provider.|eu.opencloud.api.collaboration| -|`FRONTEND_ARCHIVER_MAX_NUM_FILES`| 1.0.0 |int64|Max number of files that can be packed into an archive.|10000| -|`FRONTEND_ARCHIVER_MAX_SIZE`| 1.0.0 |int64|Max size in bytes of the zip archive the archiver can create.|1073741824| -|`OC_INSECURE`
`FRONTEND_ARCHIVER_INSECURE`| 1.0.0 |bool|Allow insecure connections to the archiver.|false| -|`FRONTEND_DATA_GATEWAY_PREFIX`| 1.0.0 |string|Path prefix for the data gateway.|data| -|`FRONTEND_OCS_PREFIX`| 1.0.0 |string|URL path prefix for the OCS service. Note that the string must not start with '/'.|ocs| -|`FRONTEND_OCS_SHARE_PREFIX`| 1.0.0 |string|Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'.|/Shares| -|`FRONTEND_OCS_PERSONAL_NAMESPACE`| 1.0.0 |string|Home namespace identifier.|/users/{{.Id.OpaqueId}}| -|`FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE`| 1.0.0 |string|Additional information attribute for the user like {{.Mail}}.|{{.Mail}}| -|`OC_CACHE_STORE`
`FRONTEND_OCS_STAT_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|memory| -|`OC_CACHE_STORE_NODES`
`FRONTEND_OCS_STAT_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|cache-stat| -|`FRONTEND_OCS_STAT_CACHE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_CACHE_TTL`
`FRONTEND_OCS_STAT_CACHE_TTL`| 1.0.0 |Duration|Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.|5m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to use for authentication. Only applies when using the 'nats-js-kv' store type.|| -|`OC_CACHE_AUTH_PASSWORD`
`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to use for authentication. Only applies when using the 'nats-js-kv' store type.|| -|`FRONTEND_OCS_ENABLE_DENIALS`| 1.0.0 |bool|EXPERIMENTAL: enable the feature to deny access on folders.|false| -|`OC_ENABLE_OCM`
`FRONTEND_OCS_LIST_OCM_SHARES`| 1.0.0 |bool|Include OCM shares when listing shares. See the OCM service documentation for more details.|true| -|`OC_ENABLE_OCM`
`FRONTEND_OCS_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|Include OCM sharees when listing sharees.|false| -|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|Set this to true if you want to enforce passwords on all public shares.|true| -|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false.|false| -|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.|false| -|`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.|[sha1 md5 adler32]| -|`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.|sha1| -|`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.|[]| -|`OC_LDAP_SERVER_WRITE_ENABLED`
`FRONTEND_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).|true| -|`FRONTEND_FULL_TEXT_SEARCH_ENABLED`| 1.0.0 |bool|Set to true to signal the web client that full-text search is enabled.|false| -|`OC_EVENTS_ENDPOINT`
`FRONTEND_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`FRONTEND_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`FRONTEND_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`FRONTEND_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`FRONTEND_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`FRONTEND_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`FRONTEND_AUTO_ACCEPT_SHARES`| 1.0.0 |bool|Defines if shares should be auto accepted by default. Users can change this setting individually in their profile.|true| -|`OC_SERVICE_ACCOUNT_ID`
`FRONTEND_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`FRONTEND_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| -|`OC_PASSWORD_POLICY_DISABLED`
`FRONTEND_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|Disable the password policy. Defaults to false if not set.|false| -|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|Define the minimum password length. Defaults to 8 if not set.|8| -|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|Define the minimum number of uppercase letters. Defaults to 1 if not set.|1| -|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|Define the minimum number of lowercase letters. Defaults to 1 if not set.|1| -|`OC_PASSWORD_POLICY_MIN_DIGITS`
`FRONTEND_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|Define the minimum number of digits. Defaults to 1 if not set.|1| -|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.|1| -|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.|| -|`FRONTEND_CONFIGURABLE_NOTIFICATIONS`| 1.0.0 |bool|Allow configuring notifications via web client.|false| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`FRONTEND_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`FRONTEND_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`FRONTEND_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`FRONTEND_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`FRONTEND_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`FRONTEND_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`FRONTEND_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`FRONTEND_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`FRONTEND_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9141`| +|`FRONTEND_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`FRONTEND_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`FRONTEND_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`FRONTEND_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9140`| +|`FRONTEND_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`FRONTEND_HTTP_PREFIX`| 1.0.0 |string|`The Path prefix where the frontend can be accessed (defaults to /).`|``| +|`OC_CORS_ALLOW_ORIGINS`
`FRONTEND_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`FRONTEND_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| +|`OC_CORS_ALLOW_HEADERS`
`FRONTEND_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`FRONTEND_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_TRANSFER_SECRET`| 1.0.0 |string|`Transfer secret for signing file up- and download requests.`|``| +|`OC_JWT_SECRET`
`FRONTEND_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_MACHINE_AUTH_API_KEY`
`FRONTEND_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|``| +|`FRONTEND_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`FRONTEND_ENABLE_FAVORITES`| 1.0.0 |bool|`Enables the support for favorites in the clients.`|`false`| +|`OC_SPACES_MAX_QUOTA`
`FRONTEND_MAX_QUOTA`| 1.0.0 |uint64|`Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities.`|`0`| +|`FRONTEND_UPLOAD_MAX_CHUNK_SIZE`| 1.0.0 |int|`Sets the max chunk sizes in bytes for uploads via the clients.`|`10000000`| +|`FRONTEND_UPLOAD_HTTP_METHOD_OVERRIDE`| 1.0.0 |string|`Advise TUS to replace PATCH requests by POST requests.`|``| +|`FRONTEND_DEFAULT_UPLOAD_PROTOCOL`| 1.0.0 |string|`The default upload protocol to use in clients. Currently only 'tus' is available. See the developer API documentation for more details about TUS.`|`tus`| +|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed.`|`false`| +|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for outgoing federated sharing for clients. The backend behaviour is not changed.`|`false`| +|`FRONTEND_SEARCH_MIN_LENGTH`| 1.0.0 |int|`Minimum number of characters to enter before a client should start a search for Share receivers. This setting can be used to customize the user experience if e.g too many results are displayed.`|`3`| +|`OC_EDITION`
`FRONTEND_EDITION`| 1.0.0 |string|`Edition of OpenCloud. Used for branding purposes.`|``| +|`OC_DISABLE_SSE`
`FRONTEND_DISABLE_SSE`| 1.0.0 |bool|`When set to true, clients are informed that the Server-Sent Events endpoint is not accessible.`|`false`| +|`FRONTEND_DEFAULT_LINK_PERMISSIONS`| 1.0.0 |int|`Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1.`|`1`| +|`OC_URL`
`FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`| +|`OC_MAX_CONCURRENCY`
`FRONTEND_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| +|`OC_INSECURE`
`FRONTEND_APP_HANDLER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the frontend.`|`false`| +|`FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR`| 1.0.0 |string|`Service name or address of the app provider to use for secure view. Should match the service name or address of the registered CS3 app provider.`|`eu.opencloud.api.collaboration`| +|`FRONTEND_ARCHIVER_MAX_NUM_FILES`| 1.0.0 |int64|`Max number of files that can be packed into an archive.`|`10000`| +|`FRONTEND_ARCHIVER_MAX_SIZE`| 1.0.0 |int64|`Max size in bytes of the zip archive the archiver can create.`|`1073741824`| +|`OC_INSECURE`
`FRONTEND_ARCHIVER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the archiver.`|`false`| +|`FRONTEND_DATA_GATEWAY_PREFIX`| 1.0.0 |string|`Path prefix for the data gateway.`|`data`| +|`FRONTEND_OCS_PREFIX`| 1.0.0 |string|`URL path prefix for the OCS service. Note that the string must not start with '/'.`|`ocs`| +|`FRONTEND_OCS_SHARE_PREFIX`| 1.0.0 |string|`Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'.`|`/Shares`| +|`FRONTEND_OCS_PERSONAL_NAMESPACE`| 1.0.0 |string|`Home namespace identifier.`|`/users/{{.Id.OpaqueId}}`| +|`FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE`| 1.0.0 |string|`Additional information attribute for the user like {{.Mail}}.`|`{{.Mail}}`| +|`OC_CACHE_STORE`
`FRONTEND_OCS_STAT_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`FRONTEND_OCS_STAT_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-stat`| +|`FRONTEND_OCS_STAT_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_CACHE_TTL`
`FRONTEND_OCS_STAT_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``| +|`FRONTEND_OCS_ENABLE_DENIALS`| 1.0.0 |bool|`EXPERIMENTAL: enable the feature to deny access on folders.`|`false`| +|`OC_ENABLE_OCM`
`FRONTEND_OCS_LIST_OCM_SHARES`| 1.0.0 |bool|`Include OCM shares when listing shares. See the OCM service documentation for more details.`|`true`| +|`OC_ENABLE_OCM`
`FRONTEND_OCS_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing sharees.`|`false`| +|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|`true`| +|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false.`|`false`| +|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|`false`| +|`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`| +|`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`| +|`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|`A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.`|`[]`| +|`OC_LDAP_SERVER_WRITE_ENABLED`
`FRONTEND_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|`true`| +|`FRONTEND_EDIT_LOGIN_ALLOWED_DISABLED`| 3.4.0 |bool|`Used to set if login is allowed/forbidden for for User.`|`false`| +|`FRONTEND_FULL_TEXT_SEARCH_ENABLED`| 1.0.0 |bool|`Set to true to signal the web client that full-text search is enabled.`|`false`| +|`FRONTEND_CHECK_FOR_UPDATES`| 3.6.0 |bool|`Enable automatic checking for updates. Defaults to true.`|`true`| +|`OC_EVENTS_ENDPOINT`
`FRONTEND_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`FRONTEND_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`FRONTEND_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`FRONTEND_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`FRONTEND_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`FRONTEND_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`FRONTEND_AUTO_ACCEPT_SHARES`| 1.0.0 |bool|`Defines if shares should be auto accepted by default. Users can change this setting individually in their profile.`|`true`| +|`OC_SERVICE_ACCOUNT_ID`
`FRONTEND_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`FRONTEND_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_PASSWORD_POLICY_DISABLED`
`FRONTEND_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|`false`| +|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|`8`| +|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_DIGITS`
`FRONTEND_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|``| +|`FRONTEND_CONFIGURABLE_NOTIFICATIONS`| 1.0.0 |bool|`Allow configuring notifications via web client.`|`false`| +|`FRONTEND_GROUPWARE_ENABLED`| 3.7.0 |bool|`Enable groupware features. Defaults to false.`|`false`| diff --git a/static/env-vars/frontend_readme.md b/static/env-vars/frontend_readme.md index c6741c20..2e4ae5f0 100755 --- a/static/env-vars/frontend_readme.md +++ b/static/env-vars/frontend_readme.md @@ -1,6 +1,6 @@ --- title: Frontend -date: 2025-05-22T16:21:16.119266067+02:00 +date: 2025-11-13T17:22:55.094687+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/frontend @@ -34,7 +34,6 @@ The frontend service translates various OpenCloud related HTTP APIs to CS3 reque * [The Password Policy Capability](#the-password-policy-capability) * [Password Enforcement for all Public Links](#password-enforcement-for-all-public-links) * [Password Enforcement for Writeable Public Links](#password-enforcement-for-writeable-public-links) -* [Example Yaml Config](#example-yaml-config) ## Endpoints Overview @@ -174,3 +173,4 @@ For public accessible writable shares, a password can be enforced. To change the Note that changing this environment variable only makes sense if\ `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`\ is set to `false`. + diff --git a/static/env-vars/gateway.yaml b/static/env-vars/gateway.yaml new file mode 100644 index 00000000..cca54e1e --- /dev/null +++ b/static/env-vars/gateway.yaml 
@@ -0,0 +1,72 @@ +# Autogenerated +# Filename: gateway.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9143 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9142 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +commit_share_to_storage_grant: true +share_folder_name: Shares +disable_home_creation_on_login: true +transfer_secret: "" +transfer_expires: 86400 +cache: + provider_cache_store: noop + provider_cache_nodes: + - 127.0.0.1:9233 + provider_cache_database: cache-providers + provider_cache_ttl: 5m0s + provider_cache_disable_persistence: false + provider_cache_auth_username: "" + provider_cache_auth_password: "" + create_home_cache_store: memory + create_home_cache_nodes: + - 127.0.0.1:9233 + create_home_cache_database: cache-createhome + create_home_cache_ttl: 5m0s + create_home_cache_disable_persistence: false + create_home_cache_auth_username: "" + create_home_cache_auth_password: "" +frontend_public_url: https://localhost:9200 +users_endpoint: eu.opencloud.api.users +groups_endpoint: eu.opencloud.api.groups +permissions_endpoint: eu.opencloud.api.settings +sharing_endpoint: eu.opencloud.api.sharing +auth_app_endpoint: eu.opencloud.api.auth-app +auth_basic_endpoint: eu.opencloud.api.auth-basic +auth_bearer_endpoint: "" +auth_machine_endpoint: eu.opencloud.api.auth-machine +auth_service_endpoint: eu.opencloud.api.auth-service +storage_public_link_endpoint: eu.opencloud.api.storage-publiclink +storage_users_endpoint: eu.opencloud.api.storage-users +storage_shares_endpoint: eu.opencloud.api.storage-shares +app_registry_endpoint: eu.opencloud.api.app-registry +ocm_endpoint: eu.opencloud.api.ocm +storage_registry: + driver: spaces + rules: [] + json: "" + storage_users_mount_id: "" 
diff --git a/static/env-vars/gateway_configvars.md b/static/env-vars/gateway_configvars.md index 8d590139..568a1816 100644 --- a/static/env-vars/gateway_configvars.md +++ b/static/env-vars/gateway_configvars.md @@ -1,61 +1,61 @@ Environment variables for the **gateway** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`GATEWAY_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`GATEWAY_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`GATEWAY_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`GATEWAY_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`GATEWAY_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`GATEWAY_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`GATEWAY_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`GATEWAY_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`GATEWAY_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9143| -|`GATEWAY_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`GATEWAY_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`GATEWAY_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_GATEWAY_GRPC_ADDR`
`GATEWAY_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9142| -|`OC_GRPC_PROTOCOL`
`GATEWAY_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`OC_JWT_SECRET`
`GATEWAY_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`GATEWAY_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`GATEWAY_COMMIT_SHARE_TO_STORAGE_GRANT`| 1.0.0 |bool|Commit shares to storage grants. This grants access to shared resources for the share receiver directly on the storage.|true| -|`GATEWAY_SHARE_FOLDER_NAME`| 1.0.0 |string|Name of the share folder in users' home space.|Shares| -|`GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN`| 1.0.0 |bool|Disable creation of the home space on login.|true| -|`OC_TRANSFER_SECRET`| 1.0.0 |string|The storage transfer secret.|| -|`GATEWAY_TRANSFER_EXPIRES`| 1.0.0 |int|Expiry for the gateway tokens.|86400| -|`OC_CACHE_STORE`
`GATEWAY_PROVIDER_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|noop| -|`OC_CACHE_STORE_NODES`
`GATEWAY_PROVIDER_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|cache-providers| -|`OC_CACHE_TTL`
`GATEWAY_PROVIDER_CACHE_TTL`| 1.0.0 |Duration|Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.|5m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_STORE`
`GATEWAY_CREATE_HOME_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|memory| -|`OC_CACHE_STORE_NODES`
`GATEWAY_CREATE_HOME_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|cache-createhome| -|`OC_CACHE_TTL`
`GATEWAY_CREATE_HOME_CACHE_TTL`| 1.0.0 |Duration|Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.|5m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_URL`
`GATEWAY_FRONTEND_PUBLIC_URL`| 1.0.0 |string|The public facing URL of the OpenCloud frontend.|https://localhost:9200| -|`GATEWAY_USERS_ENDPOINT`| 1.0.0 |string|The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.users| -|`GATEWAY_GROUPS_ENDPOINT`| 1.0.0 |string|The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.groups| -|`GATEWAY_PERMISSIONS_ENDPOINT`| 1.0.0 |string|The endpoint of the permissions service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.settings| -|`GATEWAY_SHARING_ENDPOINT`| 1.0.0 |string|The endpoint of the shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.sharing| -|`GATEWAY_AUTH_APP_ENDPOINT`| 1.0.0 |string|The endpoint of the auth-app service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.auth-app| -|`GATEWAY_AUTH_BASIC_ENDPOINT`| 1.0.0 |string|The endpoint of the auth-basic service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.auth-basic| -|`GATEWAY_AUTH_BEARER_ENDPOINT`| 1.0.0 |string|The endpoint of the auth-bearer service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|| -|`GATEWAY_AUTH_MACHINE_ENDPOINT`| 1.0.0 |string|The endpoint of the auth-machine service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.auth-machine| -|`GATEWAY_AUTH_SERVICE_ENDPOINT`| 1.0.0 |string|The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.auth-service| -|`GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT`| 1.0.0 |string|The endpoint of the storage-publiclink service. 
Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.storage-publiclink| -|`GATEWAY_STORAGE_USERS_ENDPOINT`| 1.0.0 |string|The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.storage-users| -|`GATEWAY_STORAGE_SHARES_ENDPOINT`| 1.0.0 |string|The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.storage-shares| -|`GATEWAY_APP_REGISTRY_ENDPOINT`| 1.0.0 |string|The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.app-registry| -|`GATEWAY_OCM_ENDPOINT`| 1.0.0 |string|The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.|eu.opencloud.api.ocm| -|`GATEWAY_STORAGE_REGISTRY_DRIVER`| 1.0.0 |string|The driver name of the storage registry to use.|spaces| -|`GATEWAY_STORAGE_REGISTRY_RULES`| 1.0.0 |[]string|The rules for the storage registry. See the Environment Variable Types description for more details.|[]| -|`GATEWAY_STORAGE_REGISTRY_CONFIG_JSON`| 1.0.0 |string|Additional configuration for the storage registry in json format.|| -|`GATEWAY_STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`GATEWAY_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`GATEWAY_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`GATEWAY_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`GATEWAY_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`GATEWAY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`GATEWAY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`GATEWAY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`GATEWAY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`GATEWAY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9143`| +|`GATEWAY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`GATEWAY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`GATEWAY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_GATEWAY_GRPC_ADDR`
`GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9142`| +|`OC_GRPC_PROTOCOL`
`GATEWAY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`GATEWAY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`GATEWAY_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`GATEWAY_COMMIT_SHARE_TO_STORAGE_GRANT`| 1.0.0 |bool|`Commit shares to storage grants. This grants access to shared resources for the share receiver directly on the storage.`|`true`| +|`GATEWAY_SHARE_FOLDER_NAME`| 1.0.0 |string|`Name of the share folder in users' home space.`|`Shares`| +|`GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN`| 1.0.0 |bool|`Disable creation of the home space on login.`|`true`| +|`OC_TRANSFER_SECRET`| 1.0.0 |string|`The storage transfer secret.`|``| +|`GATEWAY_TRANSFER_EXPIRES`| 1.0.0 |int|`Expiry for the gateway tokens.`|`86400`| +|`OC_CACHE_STORE`
`GATEWAY_PROVIDER_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`noop`| +|`OC_CACHE_STORE_NODES`
`GATEWAY_PROVIDER_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-providers`| +|`OC_CACHE_TTL`
`GATEWAY_PROVIDER_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_STORE`
`GATEWAY_CREATE_HOME_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`GATEWAY_CREATE_HOME_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-createhome`| +|`OC_CACHE_TTL`
`GATEWAY_CREATE_HOME_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_URL`
`GATEWAY_FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`| +|`GATEWAY_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.users`| +|`GATEWAY_GROUPS_ENDPOINT`| 1.0.0 |string|`The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.groups`| +|`GATEWAY_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`The endpoint of the permissions service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.settings`| +|`GATEWAY_SHARING_ENDPOINT`| 1.0.0 |string|`The endpoint of the shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.sharing`| +|`GATEWAY_AUTH_APP_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-app service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-app`| +|`GATEWAY_AUTH_BASIC_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-basic service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-basic`| +|`GATEWAY_AUTH_BEARER_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-bearer service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|``| +|`GATEWAY_AUTH_MACHINE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-machine service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-machine`| +|`GATEWAY_AUTH_SERVICE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-service`| +|`GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-publiclink service. 
Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-publiclink`| +|`GATEWAY_STORAGE_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-users`| +|`GATEWAY_STORAGE_SHARES_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-shares`| +|`GATEWAY_APP_REGISTRY_ENDPOINT`| 1.0.0 |string|`The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.app-registry`| +|`GATEWAY_OCM_ENDPOINT`| 1.0.0 |string|`The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.ocm`| +|`GATEWAY_STORAGE_REGISTRY_DRIVER`| 1.0.0 |string|`The driver name of the storage registry to use.`|`spaces`| +|`GATEWAY_STORAGE_REGISTRY_RULES`| 1.0.0 |[]string|`The rules for the storage registry. See the Environment Variable Types description for more details.`|`[]`| +|`GATEWAY_STORAGE_REGISTRY_CONFIG_JSON`| 1.0.0 |string|`Additional configuration for the storage registry in json format.`|``| +|`GATEWAY_STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| diff --git a/static/env-vars/gateway_readme.md b/static/env-vars/gateway_readme.md index 1fee0ae5..05ed4aaf 100755 --- a/static/env-vars/gateway_readme.md +++ b/static/env-vars/gateway_readme.md 
@@ -1,6 +1,6 @@ --- title: Gateway -date: 2025-05-22T16:21:16.119334305+02:00 +date: 2025-11-13T17:22:55.094903+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/gateway @@ -21,7 +21,6 @@ The gateway service is responsible for passing requests to the storage providers * [Caching](#caching) * [Service Endpoints](#service-endpoints) * [Storage Registry](#storage-registry) -* [Example Yaml Config](#example-yaml-config) ## Caching @@ -29,7 +28,7 @@ The gateway service is using caching as it is highly frequented with the same re - the `provider cache` is caching requests to list or get storage providers. - the `create home cache` is caching requests to create personal spaces (as they only need to be executed once). -Both caches can be configured via the `OC_CACHE_*` envvars (or `GATEWAY_PROVIDER_CACHE_*` and `GATEWAY_CREATE_HOME_CACHE_*` respectively). See the [envvar section](../gateway/gateway-envvars) for details. +Both caches can be configured via the `OC_CACHE_*` envvars (or `GATEWAY_PROVIDER_CACHE_*` and `GATEWAY_CREATE_HOME_CACHE_*` respectively). See the [envvar section](/services/gateway/configuration/#environment-variables) for details. Use `OC_CACHE_STORE` (`GATEWAY_PROVIDER_CACHE_STORE`, `GATEWAY_CREATE_HOME_CACHE_STORE`) to define the type of cache to use: - `memory`: Basic in-memory store and the default. @@ -194,3 +193,4 @@ In order to add another storage provider the CS3 storage registry that is runnin ``` In the above replace `{storage-users-mount-uuid}` with the mount UUID that was generated for the storage-users service. You can find it in the `config.yaml` generated on by `opencloud init`. The last entry `eu.opencloud.api.storage-hello` and its `providerid` `"hello-storage-id"` are an example for in additional storage provider, in this case running `hellofs`, an example minimal storage driver. + 
diff --git a/static/env-vars/global_configvars.md b/static/env-vars/global_configvars.md index 37d21d89..c2e00332 100644 --- a/static/env-vars/global_configvars.md +++ b/static/env-vars/global_configvars.md 
@@ -2,39 +2,39 @@ | Name | Introduction Version | Type | Description | Default Value | |---|---|---|---|---| -`IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | Flag to enable or disable the creation of the demo users. | false | +`IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | The default role assignments the demo users should be setup. | false | `OC_ADMIN_USER_ID` | 1.0.0 | string | ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. | | `OC_ASYNC_UPLOADS` | 1.0.0 | bool | Enable asynchronous file uploads. | true | -`OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | Password for the configured store. Only applies when store type 'nats-js-kv' is configured. | | -`OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | Username for the configured store. Only applies when store type 'nats-js-kv' is configured. | | -`OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | storage-system | +`OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | | +`OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | | +`OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | cache-userinfo | `OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false | `OC_CACHE_STORE` | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory | `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. 
Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | -`OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. | 24m0s | -`OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | true | -`OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest] | -`OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [GET] | -`OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | [*] | +`OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. | 10s | +`OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS. 
See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | false | +`OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override] | +`OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [OPTIONS HEAD GET PUT PATCH POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] | +`OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | [https://localhost:9200] | `OC_DECOMPOSEDFS_PROPAGATOR` | 1.0.0 | string | The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option. | sync | -`OC_DEFAULT_LANGUAGE` | 1.0.0 | string | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. 
| en | +`OC_DEFAULT_LANGUAGE` | 1.0.0 | string | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. | | `OC_DISABLE_VERSIONING` | 1.0.0 | bool | Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version. | false | `OC_EDITION` | 1.0.0 | string | Edition of OpenCloud. Used for branding purposes. | | -`OC_ENABLE_OCM` | 1.0.0 | bool | Include OCM sharees when listing users. | false | +`OC_ENABLE_OCM` | 1.0.0 | bool | Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed. | false | `OC_EVENTS_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | | `OC_EVENTS_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | | -`OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. | opencloud-cluster | +`OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | opencloud-cluster | `OC_EVENTS_ENABLE_TLS` | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false | -`OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. 
| 127.0.0.1:9233 | -`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. | | -`OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the gateway GRPC address. | 127.0.0.1:9142 | +`OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events. | 127.0.0.1:9233 | +`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false. | | +`OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the GRPC service. | 127.0.0.1:9142 | `OC_GRPC_CLIENT_TLS_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | | `OC_GRPC_CLIENT_TLS_MODE` | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. | | -`OC_GRPC_PROTOCOL` | 1.0.0 | string | The transport protocol of the GPRC service. | tcp | +`OC_GRPC_PROTOCOL` | 1.0.0 | string | The transport protocol of the GRPC service. | tcp | `OC_HTTP_TLS_CERTIFICATE` | 1.0.0 | string | Path/File name of the TLS server certificate (in PEM format) for the http services. | | `OC_HTTP_TLS_ENABLED` | 1.0.0 | bool | Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. 
If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. | false | `OC_HTTP_TLS_KEY` | 1.0.0 | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. | | -`OC_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false | +`OC_INSECURE` | 1.0.0 | bool | Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments. | false | `OC_JWT_SECRET` | 1.0.0 | string | The secret to mint and validate jwt tokens. | | `OC_KEYCLOAK_BASE_PATH` | 1.0.0 | string | The URL to access keycloak. | | `OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client ID to authenticate with keycloak. | | 
@@ -42,9 +42,9 @@ `OC_KEYCLOAK_CLIENT_SECRET` | 1.0.0 | string | The client secret to use in authentication. | | `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` | 1.0.0 | bool | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. | false | `OC_KEYCLOAK_USER_REALM` | 1.0.0 | string | The realm users are defined. | | -`OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=reva,ou=sysusers,o=libregraph-idm | +`OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=idp,ou=sysusers,o=libregraph-idm | `OC_LDAP_BIND_PASSWORD` | 1.0.0 | string | Password to use for authenticating the 'bind_dn'. | | -`OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. | /home/chaser/.opencloud/idm/ldap.crt | +`OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. | /Users/t.schweiger/.opencloud/idm/ldap.crt | `OC_LDAP_DISABLED_USERS_GROUP_DN` | 1.0.0 | string | The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. | cn=DisabledUsersGroup,ou=groups,o=libregraph-idm | `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. 
| attribute | `OC_LDAP_GROUP_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP groups. | ou=groups,o=libregraph-idm | 
@@ -52,32 +52,33 @@ `OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter ('groupOfNames'). | groupOfNames | `OC_LDAP_GROUP_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). | cn | `OC_LDAP_GROUP_SCHEMA_GROUPNAME` | 1.0.0 | string | LDAP Attribute to use for the name of groups. | cn | -`OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). | openCloudUUID | -`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. | false | +`OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. | openCloudUUID | +`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's. | false | `OC_LDAP_GROUP_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of groups (can be empty). | mail | `OC_LDAP_GROUP_SCHEMA_MEMBER` | 1.0.0 | string | LDAP Attribute that is used for group members. | member | -`OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. | sub | +`OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. | sub | `OC_LDAP_INSECURE` | 1.0.0 | bool | Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. 
| false | `OC_LDAP_SERVER_WRITE_ENABLED` | 1.0.0 | bool | Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables). | true | -`OC_LDAP_URI` | 1.0.0 | string | URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' | ldaps://localhost:9235 | +`OC_LDAP_URI` | 1.0.0 | string | Url of the LDAP service to use as IDP. | ldaps://localhost:9235 | `OC_LDAP_USER_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP users. | ou=users,o=libregraph-idm | -`OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled | +`OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP Attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled | `OC_LDAP_USER_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'. | | -`OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | The object class to use for users in the default user search filter ('inetOrgPerson'). | inetOrgPerson | +`OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | LDAP User ObjectClass like 'inetOrgPerson'. | inetOrgPerson | `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of users. | displayname | -`OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. | openCloudUUID | -`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. 
| false | -`OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of users. | mail | -`OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP Attribute to use for username of users. | uid | +`OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP User UUID attribute like 'uid'. | openCloudUUID | +`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's. | false | +`OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP User email attribute like 'mail'. | mail | +`OC_LDAP_USER_SCHEMA_TENANT_ID` | next | string | LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment. | | +`OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP User name attribute like 'displayName'. | displayName | `OC_LDAP_USER_SCHEMA_USER_TYPE` | 1.0.0 | string | LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'. | openCloudUserType | -`OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'. | sub | +`OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. | sub | `OC_LOG_COLOR` | 1.0.0 | bool | Activates colorized log output. | false | `OC_LOG_FILE` | 1.0.0 | string | The path to the log file. Activates logging to this file if set. | | `OC_LOG_LEVEL` | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | | `OC_LOG_PRETTY` | 1.0.0 | bool | Activates pretty log output. | false | -`OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | Machine auth API key used to validate internal requests necessary for the access to resources from other services. 
| | +`OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | Machine auth API key used to validate internal requests necessary to access resources from other services. | | `OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 | -`OC_OIDC_ISSUER` | 1.0.0 | string | The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider. | https://localhost:9200 | +`OC_OIDC_ISSUER` | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 | `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | 1.0.0 | string | Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details. | | `OC_PASSWORD_POLICY_DISABLED` | 1.0.0 | bool | Disable the password policy. Defaults to false if not set. | false | `OC_PASSWORD_POLICY_MIN_CHARACTERS` | 1.0.0 | int | Define the minimum password length. Defaults to 8 if not set. | 8 | 
@@ -89,24 +90,28 @@ `OC_PERSISTENT_STORE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | `OC_PERSISTENT_STORE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | `OC_PERSISTENT_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | -`OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. See the Environment Variable Types description for more details. | 0s | -`OC_REVA_GATEWAY` | 1.0.0 | string | CS3 gateway used to look up user metadata | eu.opencloud.api.gateway | +`OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details. | 30m0s | +`OC_REVA_GATEWAY` | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway | `OC_SERVICE_ACCOUNT_ID` | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. | | `OC_SERVICE_ACCOUNT_SECRET` | 1.0.0 | string | The service account secret. | | `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords on all public shares. | true | `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service. 
| false | `OC_SHOW_USER_EMAIL_IN_RESULTS` | 1.0.0 | bool | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. | false | -`OC_SPACES_MAX_QUOTA` | 1.0.0 | uint64 | Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service. | 0 | +`OC_SPACES_MAX_QUOTA` | 1.0.0 | uint64 | Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities. | 0 | `OC_SYSTEM_USER_API_KEY` | 1.0.0 | string | API key for the STORAGE-SYSTEM system user. | | -`OC_SYSTEM_USER_ID` | 1.0.0 | string | ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. | | +`OC_SYSTEM_USER_ID` | 1.0.0 | string | ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. | | `OC_SYSTEM_USER_IDP` | 1.0.0 | string | IDP of the OpenCloud STORAGE-SYSTEM system user. | internal | `OC_TRACING_COLLECTOR` | 1.0.0 | string | The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | | `OC_TRACING_ENABLED` | 1.0.0 | bool | Activates tracing. | false | `OC_TRACING_ENDPOINT` | 1.0.0 | string | The endpoint of the tracing agent. | | `OC_TRACING_TYPE` | 1.0.0 | string | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. 
| | -`OC_TRANSFER_SECRET` | 1.0.0 | string | The storage transfer secret. | | +`OC_TRANSFER_SECRET` | 1.0.0 | string | Transfer secret for signing file up- and download requests. | | `OC_TRANSLATION_PATH` | 1.0.0 | string | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | | -`OC_URL` | 1.0.0 | string | Base url to navigate back from the app to the containing folder in the file list. | https://localhost:9200/ | -`OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable the chat functionality of the office app. | false | +`OC_URL` | 1.0.0 | string | Base URL to load themes from. Will be prepended to the theme path. | https://localhost:9200 | +`OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false | +`SEARCH_EVENTS_ACK_WAIT` | next | Duration | The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes. | 1m0s | +`SEARCH_EVENTS_MAX_ACK_PENDING` | next | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. | 1000 | +`STORAGE_GATEWAY_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system | +`STORAGE_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system | `STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY` | 1.0.0 | Duration | The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details. | 0s | `STORAGE_USERS_PERMISSION_ENDPOINT` | 1.0.0 | string | Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'. 
| eu.opencloud.api.settings | \ No newline at end of file diff --git a/static/env-vars/graph-config-example.yaml b/static/env-vars/graph-config-example.yaml index 40338524..5d755ea0 100644 --- a/static/env-vars/graph-config-example.yaml +++ b/static/env-vars/graph-config-example.yaml @@ -85,7 +85,7 @@ identity: backend: ldap ldap: uri: ldaps://localhost:9235 - cacert: /home/chaser/.opencloud/idm/ldap.crt + cacert: /Users/t.schweiger/.opencloud/idm/ldap.crt insecure: false bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm bind_password: "" @@ -154,3 +154,16 @@ keycloak: service_account: service_account_id: "" service_account_secret: "" +metadata_config: + gateway_addr: eu.opencloud.api.storage-system + storage_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" +user_soft_delete_retention_time: 0s +store: + nodes: + - 127.0.0.1:9233 + database: graph + username: "" + password: "" diff --git a/static/env-vars/graph.yaml b/static/env-vars/graph.yaml new file mode 100644 index 00000000..4c571479 --- /dev/null +++ b/static/env-vars/graph.yaml 
@@ -0,0 +1,169 @@
+# Autogenerated
+# Filename: graph.yaml
+
+tracing:
+ enabled: false
+ type: ""
+ endpoint: ""
+ collector: ""
+log:
+ level: ""
+ pretty: false
+ color: false
+ file: ""
+cache:
+ store: memory
+ nodes:
+ - 127.0.0.1:9233
+ database: cache-roles
+ table: ""
+ ttl: 336h0m0s
+ disable_persistence: false
+ username: ""
+ password: ""
+debug:
+ addr: 127.0.0.1:9124
+ token: ""
+ pprof: false
+ zpages: false
+http:
+ addr: 127.0.0.1:9120
+ root: /graph
+ tls:
+ enabled: false
+ cert: ""
+ key: ""
+ apitoken: ""
+ cors:
+ allow_origins:
+ - '*'
+ allow_methods:
+ - GET
+ - POST
+ - PUT
+ - PATCH
+ - DELETE
+ - OPTIONS
+ allow_headers:
+ - Authorization
+ - Origin
+ - Content-Type
+ - Accept
+ - X-Requested-With
+ - X-Request-Id
+ - Purge
+ - Restore
+ allow_credentials: true
+api:
+ group_members_patch_limit: 20
+ graph_username_match: default
+ graph_assign_default_user_role: true
+ graph_identity_search_min_length: 3
+ show_email_in_results: false
+reva:
+ address: eu.opencloud.api.gateway
+ tls:
+ mode: ""
+ cacert: ""
+token_manager:
+ jwt_secret: ""
+grpc_client_tls: null
+application:
+ id: ""
+ displayname: OpenCloud
+spaces:
+ webdav_base: https://localhost:9200
+ webdav_path: /dav/spaces/
+ default_quota: "1000000000"
+ extended_space_properties_cache_ttl: 60000000000
+ users_cache_ttl: 60000000000
+ groups_cache_ttl: 60000000000
+ storage_users_address: eu.opencloud.api.storage-users
+ default_language: ""
+ translation_path: ""
+identity:
+ backend: ldap
+ ldap:
+ uri: ldaps://localhost:9235
+ cacert: /Users/t.schweiger/.opencloud/idm/ldap.crt
+ insecure: false
+ bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
+ bind_password: ""
+ use_server_uuid: false
+ use_password_modify_exop: true
+ write_enabled: true
+ refint_enabled: false
+ user_base_dn: ou=users,o=libregraph-idm
+ user_search_scope: sub
+ user_filter: ""
+ user_objectclass: inetOrgPerson
+ user_mail_attribute: mail
+ user_displayname_attribute: displayName
+ user_name_attribute: uid
+ user_id_attribute: openCloudUUID
+ user_id_is_octet_string: false
+ user_type_attribute: openCloudUserType
+ user_enabled_attribute: openCloudUserEnabled
+ disable_user_mechanism: attribute
+ ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
+ group_base_dn: ou=groups,o=libregraph-idm
+ group_create_base_dn: ou=groups,o=libregraph-idm
+ group_search_scope: sub
+ group_filter: ""
+ group_objectclass: groupOfNames
+ group_name_attribute: cn
+ group_member_attribute: member
+ group_id_attribute: openCloudUUID
+ group_id_is_octet_string: false
+ education_resources_enabled: false
+ educationconfig:
+ school_base_dn: ""
+ school_search_scope: ""
+ school_filter: ""
+ school_objectclass: ""
+ school_name_attribute: ""
+ school_number_attribute: ""
+ school_id_attribute: ""
+ school_termination_min_grace_days: 0
+include_ocm_sharees: false
+events:
+ endpoint: 127.0.0.1:9233
+ cluster: opencloud-cluster
+ tls_insecure: false
+ tls_root_ca_certificate: ""
+ enable_tls: false
+ username: ""
+ password: ""
+unified_roles:
+ available_roles:
+ - b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5
+ - a8d5fe5e-96e3-418d-825b-534dbdf22b99
+ - fb6c3e19-e378-47e5-b277-9732f9de6e21
+ - 58c63c02-1d89-4572-916a-870abc5a1b7d
+ - 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a
+ - 1c996275-f1c9-4e71-abdf-a42f6495e960
+ - 312c0871-5ef7-4b3a-85b6-0e4074c64049
+max_concurrency: 20
+keycloak:
+ base_path: ""
+ client_id: ""
+ client_secret: ""
+ client_realm: ""
+ user_realm: ""
+ insecure_skip_verify: false
+service_account:
+ service_account_id: ""
+ service_account_secret: ""
+metadata_config:
+ gateway_addr: eu.opencloud.api.storage-system
+ storage_addr: eu.opencloud.api.storage-system
+ system_user_id: ""
+ system_user_idp: internal
+ system_user_api_key: ""
+user_soft_delete_retention_time: 0s
+store:
+ nodes:
+ - 127.0.0.1:9233
+ database: graph
+ username: ""
+ password: ""
diff --git a/static/env-vars/graph_configvars.md b/static/env-vars/graph_configvars.md
index 6c9d222b..797ff621 100644
--- a/static/env-vars/graph_configvars.md
+++ b/static/env-vars/graph_configvars.md
@@ -1,113 +1,123 @@
Environment variables for the **graph** service
| Name | Introduction Version | Type | Description | Default Value |
-|---|---|---|---|---|
-|`OC_TRACING_ENABLED`
`GRAPH_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`GRAPH_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`GRAPH_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`GRAPH_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`GRAPH_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`GRAPH_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`GRAPH_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`GRAPH_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`OC_CACHE_STORE`
`GRAPH_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|memory| -|`OC_CACHE_STORE_NODES`
`GRAPH_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`GRAPH_CACHE_STORE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|cache-roles| -|`GRAPH_CACHE_STORE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_CACHE_TTL`
`GRAPH_CACHE_TTL`| 1.0.0 |Duration|Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.|336h0m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`GRAPH_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`GRAPH_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`GRAPH_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.|| -|`GRAPH_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9124| -|`GRAPH_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`GRAPH_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`GRAPH_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`GRAPH_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9120| -|`GRAPH_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/graph| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`GRAPH_HTTP_API_TOKEN`| 1.0.0 |string|An optional API bearer token|| -|`OC_CORS_ALLOW_ORIGINS`
`GRAPH_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`GRAPH_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET POST PUT PATCH DELETE OPTIONS]| -|`OC_CORS_ALLOW_HEADERS`
`GRAPH_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]| -|`OC_CORS_ALLOW_CREDENTIALS`
`GRAPH_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`| 1.0.0 |int|The amount of group members allowed to be added with a single patch request.|20| -|`GRAPH_USERNAME_MATCH`| 1.0.0 |string|Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.|default| -|`GRAPH_ASSIGN_DEFAULT_USER_ROLE`| 1.0.0 |bool|Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.|true| -|`GRAPH_IDENTITY_SEARCH_MIN_LENGTH`| 1.0.0 |int|The minimum length the search term needs to have for unprivileged users when searching for users or groups.|3| -|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.|false| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OC_JWT_SECRET`
`GRAPH_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`GRAPH_APPLICATION_ID`| 1.0.0 |string|The OpenCloud application ID shown in the graph. All app roles are tied to this ID.|| -|`GRAPH_APPLICATION_DISPLAYNAME`| 1.0.0 |string|The OpenCloud application name.|OpenCloud| -|`OC_URL`
`GRAPH_SPACES_WEBDAV_BASE`| 1.0.0 |string|The public facing URL of WebDAV.|https://localhost:9200| -|`GRAPH_SPACES_WEBDAV_PATH`| 1.0.0 |string|The WebDAV sub-path for spaces.|/dav/spaces/| -|`GRAPH_SPACES_DEFAULT_QUOTA`| 1.0.0 |string|The default quota in bytes.|1000000000| -|`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`| 1.0.0 |int|Max TTL in seconds for the spaces property cache.|60000000000| -|`GRAPH_SPACES_USERS_CACHE_TTL`| 1.0.0 |int|Max TTL in seconds for the spaces users cache.|60000000000| -|`GRAPH_SPACES_GROUPS_CACHE_TTL`| 1.0.0 |int|Max TTL in seconds for the spaces groups cache.|60000000000| -|`GRAPH_SPACES_STORAGE_USERS_ADDRESS`| 1.0.0 |string|The address of the storage-users service.|eu.opencloud.api.storage-users| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.|| -|`OC_TRANSLATION_PATH`
`GRAPH_TRANSLATION_PATH`| 1.0.0 |string|(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.|| -|`GRAPH_IDENTITY_BACKEND`| 1.0.0 |string|The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.|ldap| -|`OC_LDAP_URI`
`GRAPH_LDAP_URI`| 1.0.0 |string|URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'|ldaps://localhost:9235| -|`OC_LDAP_CACERT`
`GRAPH_LDAP_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.|/home/chaser/.opencloud/idm/ldap.crt| -|`OC_LDAP_INSECURE`
`GRAPH_LDAP_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.|false| -|`OC_LDAP_BIND_DN`
`GRAPH_LDAP_BIND_DN`| 1.0.0 |string|LDAP DN to use for simple bind authentication with the target LDAP server.|uid=libregraph,ou=sysusers,o=libregraph-idm| -|`OC_LDAP_BIND_PASSWORD`
`GRAPH_LDAP_BIND_PASSWORD`| 1.0.0 |string|Password to use for authenticating the 'bind_dn'.|| -|`GRAPH_LDAP_SERVER_UUID`| 1.0.0 |bool|If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.|false| -|`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`| 1.0.0 |bool|Use the 'Password Modify Extended Operation' for updating user passwords.|true| -|`OC_LDAP_SERVER_WRITE_ENABLED`
`GRAPH_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).|true| -|`GRAPH_LDAP_REFINT_ENABLED`| 1.0.0 |bool|Signals that the server has the refint plugin enabled, which makes some actions not needed.|false| -|`OC_LDAP_USER_BASE_DN`
`GRAPH_LDAP_USER_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP users.|ou=users,o=libregraph-idm| -|`OC_LDAP_USER_SCOPE`
`GRAPH_LDAP_USER_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.|sub| -|`OC_LDAP_USER_FILTER`
`GRAPH_LDAP_USER_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.|| -|`OC_LDAP_USER_OBJECTCLASS`
`GRAPH_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|The object class to use for users in the default user search filter ('inetOrgPerson').|inetOrgPerson| -|`OC_LDAP_USER_SCHEMA_MAIL`
`GRAPH_LDAP_USER_EMAIL_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use for the email address of users.|mail| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use for the display name of users.|displayName| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`GRAPH_LDAP_USER_NAME_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use for username of users.|uid| -|`OC_LDAP_USER_SCHEMA_ID`
`GRAPH_LDAP_USER_UID_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.|openCloudUUID| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's.|false| -|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`GRAPH_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.|openCloudUserType| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`GRAPH_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use as a flag telling if the user is enabled or disabled.|openCloudUserEnabled| -|`OC_LDAP_DISABLE_USER_MECHANISM`
`GRAPH_DISABLE_USER_MECHANISM`| 1.0.0 |string|An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.|attribute| -|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`GRAPH_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.|cn=DisabledUsersGroup,ou=groups,o=libregraph-idm| -|`OC_LDAP_GROUP_BASE_DN`
`GRAPH_LDAP_GROUP_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP groups.|ou=groups,o=libregraph-idm| -|`GRAPH_LDAP_GROUP_CREATE_BASE_DN`| 1.0.0 |string|Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.|ou=groups,o=libregraph-idm| -|`OC_LDAP_GROUP_SCOPE`
`GRAPH_LDAP_GROUP_SEARCH_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.|sub| -|`OC_LDAP_GROUP_FILTER`
`GRAPH_LDAP_GROUP_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for group searches.|| -|`OC_LDAP_GROUP_OBJECTCLASS`
`GRAPH_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|The object class to use for groups in the default group search filter ('groupOfNames').|groupOfNames| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GRAPH_LDAP_GROUP_NAME_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use for the name of groups.|cn| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute that is used for group members.|member| -|`OC_LDAP_GROUP_SCHEMA_ID`
`GRAPH_LDAP_GROUP_ID_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.|openCloudUUID| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID's.|false| -|`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`| 1.0.0 |bool|Enable LDAP support for managing education related resources.|false| -|`GRAPH_LDAP_SCHOOL_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP schools.|| -|`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.|| -|`GRAPH_LDAP_SCHOOL_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for school searches.|| -|`GRAPH_LDAP_SCHOOL_OBJECTCLASS`| 1.0.0 |string|The object class to use for schools in the default school search filter.|| -|`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use for the name of a school.|| -|`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use for the number of a school.|| -|`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.|| -|`GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS`| 1.0.0 |int|When setting a 'terminationDate' for a school, require the date to be at least this number of days in the future.|0| -|`OC_ENABLE_OCM`
`GRAPH_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|Include OCM sharees when listing users.|false| -|`OC_EVENTS_ENDPOINT`
`GRAPH_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`GRAPH_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|opencloud-cluster| -|`OC_INSECURE`
`GRAPH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`GRAPH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`GRAPH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`GRAPH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`GRAPH_AVAILABLE_ROLES`| 1.0.0 |[]string|A comma separated list of roles that are available for assignment.|[b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049]| -|`OC_MAX_CONCURRENCY`
`GRAPH_MAX_CONCURRENCY`| 1.0.0 |int|The maximum number of concurrent requests the service will handle.|20| -|`OC_KEYCLOAK_BASE_PATH`
`GRAPH_KEYCLOAK_BASE_PATH`| 1.0.0 |string|The URL to access keycloak.|| -|`OC_KEYCLOAK_CLIENT_ID`
`GRAPH_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|The client id to authenticate with keycloak.|| -|`OC_KEYCLOAK_CLIENT_SECRET`
`GRAPH_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|The client secret to use in authentication.|| -|`OC_KEYCLOAK_CLIENT_REALM`
`GRAPH_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|The realm the client is defined in.|| -|`OC_KEYCLOAK_USER_REALM`
`GRAPH_KEYCLOAK_USER_REALM`| 1.0.0 |string|The realm users are defined.|| -|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.|false| -|`OC_SERVICE_ACCOUNT_ID`
`GRAPH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`GRAPH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`GRAPH_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`GRAPH_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`GRAPH_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`GRAPH_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`GRAPH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`GRAPH_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`GRAPH_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`GRAPH_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`OC_CACHE_STORE`
`GRAPH_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`GRAPH_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`GRAPH_CACHE_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-roles`| +|`GRAPH_CACHE_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_CACHE_TTL`
`GRAPH_CACHE_TTL`| 1.0.0 |Duration|`Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GRAPH_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`GRAPH_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`GRAPH_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`GRAPH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9124`| +|`GRAPH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`GRAPH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`GRAPH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`GRAPH_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9120`| +|`GRAPH_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/graph`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`GRAPH_HTTP_API_TOKEN`| 1.0.0 |string|`An optional API bearer token`|``| +|`OC_CORS_ALLOW_ORIGINS`
`GRAPH_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`GRAPH_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`GRAPH_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`GRAPH_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`| 1.0.0 |int|`The amount of group members allowed to be added with a single patch request.`|`20`| +|`GRAPH_USERNAME_MATCH`| 1.0.0 |string|`Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.`|`default`| +|`GRAPH_ASSIGN_DEFAULT_USER_ROLE`| 1.0.0 |bool|`Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.`|`true`| +|`GRAPH_IDENTITY_SEARCH_MIN_LENGTH`| 1.0.0 |int|`The minimum length the search term needs to have for unprivileged users when searching for users or groups.`|`3`| +|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_JWT_SECRET`
`GRAPH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`GRAPH_APPLICATION_ID`| 1.0.0 |string|`The OpenCloud application ID shown in the graph. All app roles are tied to this ID.`|``| +|`GRAPH_APPLICATION_DISPLAYNAME`| 1.0.0 |string|`The OpenCloud application name.`|`OpenCloud`| +|`OC_URL`
`GRAPH_SPACES_WEBDAV_BASE`| 1.0.0 |string|`The public facing URL of WebDAV.`|`https://localhost:9200`| +|`GRAPH_SPACES_WEBDAV_PATH`| 1.0.0 |string|`The WebDAV sub-path for spaces.`|`/dav/spaces/`| +|`GRAPH_SPACES_DEFAULT_QUOTA`| 1.0.0 |string|`The default quota in bytes.`|`1000000000`| +|`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces property cache.`|`60000000000`| +|`GRAPH_SPACES_USERS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces users cache.`|`60000000000`| +|`GRAPH_SPACES_GROUPS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces groups cache.`|`60000000000`| +|`GRAPH_SPACES_STORAGE_USERS_ADDRESS`| 1.0.0 |string|`The address of the storage-users service.`|`eu.opencloud.api.storage-users`| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_TRANSLATION_PATH`
`GRAPH_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`GRAPH_IDENTITY_BACKEND`| 1.0.0 |string|`The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.`|`ldap`| +|`OC_LDAP_URI`
`GRAPH_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| +|`OC_LDAP_CACERT`
`GRAPH_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/Users/t.schweiger/.opencloud/idm/ldap.crt`| +|`OC_LDAP_INSECURE`
`GRAPH_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`GRAPH_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=libregraph,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`GRAPH_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`GRAPH_LDAP_SERVER_UUID`| 1.0.0 |bool|`If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.`|`false`| +|`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`| 1.0.0 |bool|`Use the 'Password Modify Extended Operation' for updating user passwords.`|`true`| +|`OC_LDAP_SERVER_WRITE_ENABLED`
`GRAPH_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|`true`| +|`GRAPH_LDAP_REFINT_ENABLED`| 1.0.0 |bool|`Signals that the server has the refint plugin enabled, which makes some actions not needed.`|`false`| +|`OC_LDAP_USER_BASE_DN`
`GRAPH_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`GRAPH_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_USER_FILTER`
`GRAPH_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`GRAPH_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`GRAPH_LDAP_USER_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the display name of users.`|`displayName`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`GRAPH_LDAP_USER_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_USER_SCHEMA_ID`
`GRAPH_LDAP_USER_UID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| +|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`GRAPH_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|`openCloudUserType`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`GRAPH_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`GRAPH_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.`|`attribute`| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`GRAPH_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`GRAPH_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`GRAPH_LDAP_GROUP_CREATE_BASE_DN`| 1.0.0 |string|`Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_GROUP_SCOPE`
`GRAPH_LDAP_GROUP_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_FILTER`
`GRAPH_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_GROUP_OBJECTCLASS`
`GRAPH_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GRAPH_LDAP_GROUP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`GRAPH_LDAP_GROUP_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| +|`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`| 1.0.0 |bool|`Enable LDAP support for managing education related resources.`|`false`| +|`GRAPH_LDAP_SCHOOL_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP schools.`|``| +|`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.`|``| +|`GRAPH_LDAP_SCHOOL_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for school searches.`|``| +|`GRAPH_LDAP_SCHOOL_OBJECTCLASS`| 1.0.0 |string|`The object class to use for schools in the default school search filter.`|``| +|`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of a school.`|``| +|`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the number of a school.`|``| +|`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.`|``| +|`GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS`| 1.0.0 |int|`When setting a 'terminationDate' for a school, require the date to be at least this number of days in the future.`|`0`| +|`OC_ENABLE_OCM`
`GRAPH_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing users.`|`false`| +|`OC_EVENTS_ENDPOINT`
`GRAPH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`GRAPH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`opencloud-cluster`| +|`OC_INSECURE`
`GRAPH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`GRAPH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`GRAPH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`GRAPH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`GRAPH_AVAILABLE_ROLES`| 1.0.0 |[]string|`A comma separated list of roles that are available for assignment.`|`[b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049]`| +|`OC_MAX_CONCURRENCY`
`GRAPH_MAX_CONCURRENCY`| 1.0.0 |int|`The maximum number of concurrent requests the service will handle.`|`20`| +|`OC_KEYCLOAK_BASE_PATH`
`GRAPH_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_ID`
`GRAPH_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client id to authenticate with keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_SECRET`
`GRAPH_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|``| +|`OC_KEYCLOAK_CLIENT_REALM`
`GRAPH_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|``| +|`OC_KEYCLOAK_USER_REALM`
`GRAPH_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|``| +|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|`false`| +|`OC_SERVICE_ACCOUNT_ID`
`GRAPH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`GRAPH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`GRAPH_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| next |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`GRAPH_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| next |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`GRAPH_SYSTEM_USER_ID`| next |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`GRAPH_SYSTEM_USER_IDP`| next |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`| next |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`GRAPH_USER_SOFT_DELETE_RETENTION_TIME`| next |Duration|`The time after which a soft-deleted user is permanently deleted. If set to 0 (default), there is no soft delete retention time and users are deleted immediately after being soft-deleted. If set to a positive value, the user will be kept in the system for that duration before being permanently deleted.`|`0s`| +|`OC_PERSISTENT_STORE_NODES`
`GRAPH_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`GRAPH_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`graph`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`GRAPH_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`GRAPH_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| diff --git a/static/env-vars/graph_readme.md b/static/env-vars/graph_readme.md index 6b2a0ae2..449a7f71 100755 --- a/static/env-vars/graph_readme.md +++ b/static/env-vars/graph_readme.md @@ -1,6 +1,6 @@ --- title: Graph -date: 2025-05-22T16:21:16.119397744+02:00 +date: 2025-11-13T17:22:55.095124+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/graph @@ -34,7 +34,6 @@ for a detailed specification of the API implemented by the graph service. * [Translation Rules](#translation-rules) * [Default Language](#default-language) * [Unified Role Management](#unified-role-management) -* [Example Yaml Config](#example-yaml-config) ## Sequence Diagram @@ -160,9 +159,8 @@ The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment va Unified Roles are roles granted a user for sharing and can be enabled or disabled. A CLI command is provided to list existing roles and their state among other data. -:::info +::: info Note that a disabled role does not lose previously assigned permissions. It only means that the role is not available for new assignments. -::: The following roles are **enabled** by default: @@ -216,3 +214,4 @@ The output of this command includes the following information for each role: +--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ ``` + diff --git a/static/env-vars/groups-config-example.yaml b/static/env-vars/groups-config-example.yaml index f400c81b..1fd59de5 100644 --- a/static/env-vars/groups-config-example.yaml +++ b/static/env-vars/groups-config-example.yaml 
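Review bot: The `@@ -160,9 +159,8 @@` hunk of graph_readme.md changes `:::info` to `::: info` but also drops the closing `:::` line after the note, so the container is opened and never terminated. If the docs site renders these as markdown-it style containers, an unclosed `::: info` extends to the end of the page and the role listings that follow would be drawn inside the info box; this looks like a generator artifact rather than an intended edit. Keep the closing marker on its own line after the note text: `:::`. The other `*_readme.md` files regenerated by this patch are worth checking for the same dropped closer.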
@@ -32,7 +32,7 @@ driver: ldap
 drivers:
 ldap:
 uri: ldaps://localhost:9235
- ca_cert: /home/chaser/.opencloud/idm/ldap.crt
+ ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt
 insecure: false
 bind_dn: uid=reva,ou=sysusers,o=libregraph-idm
 bind_password: ""
diff --git a/static/env-vars/groups.yaml b/static/env-vars/groups.yaml
new file mode 100644
index 00000000..76024bb9
--- /dev/null
+++ b/static/env-vars/groups.yaml
@@ -0,0 +1,72 @@
+# Autogenerated
+# Filename: groups.yaml
+
+tracing:
+ enabled: false
+ type: ""
+ endpoint: ""
+ collector: ""
+log:
+ level: ""
+ pretty: false
+ color: false
+ file: ""
+debug:
+ addr: 127.0.0.1:9161
+ token: ""
+ pprof: false
+ zpages: false
+grpc:
+ addr: 127.0.0.1:9160
+ tls: null
+ protocol: tcp
+token_manager:
+ jwt_secret: ""
+reva:
+ address: eu.opencloud.api.gateway
+ tls:
+ mode: ""
+ cacert: ""
+skip_user_groups_in_token: false
+driver: ldap
+drivers:
+ ldap:
+ uri: ldaps://localhost:9235
+ ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt
+ insecure: false
+ bind_dn: uid=reva,ou=sysusers,o=libregraph-idm
+ bind_password: ""
+ user_base_dn: ou=users,o=libregraph-idm
+ group_base_dn: ou=groups,o=libregraph-idm
+ user_scope: sub
+ group_scope: sub
+ group_substring_filter_type: any
+ user_filter: ""
+ group_filter: ""
+ user_object_class: inetOrgPerson
+ group_object_class: groupOfNames
+ idp: https://localhost:9200
+ user_schema:
+ id: openCloudUUID
+ id_is_octet_string: false
+ mail: mail
+ display_name: displayname
+ user_name: uid
+ group_schema:
+ id: openCloudUUID
+ id_is_octet_string: false
+ mail: mail
+ display_name: cn
+ group_name: cn
+ member: member
+ owncloudsql:
+ db_username: owncloud
+ db_password: ""
+ db_host: mysql
+ db_port: 3306
+ db_name: owncloud
+ idp: https://localhost:9200
+ nobody: 90
+ join_username: false
+ join_owncloud_uuid: false
+ enable_medial_search: false
diff --git a/static/env-vars/groups_configvars.md b/static/env-vars/groups_configvars.md
index 4cad1a07..b39ce647 100644
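Review bot: The `ca_cert` default in groups-config-example.yaml and in the new groups.yaml is now `/Users/t.schweiger/.opencloud/idm/ldap.crt`, which appears to be the generating developer's home directory rather than a value any deployment can use (the replaced `/home/chaser/...` had the same problem). Publishing it leaks a maintainer username into the docs and contradicts the documented behaviour in the configvars table that the CA path derives from `$OC_BASE_DATA_PATH/idm` when unset; an operator copying the example verbatim would point TLS validation at a file that does not exist on their host. The generator should emit a host-independent placeholder, e.g. `ca_cert: $OC_BASE_DATA_PATH/idm/ldap.crt`, or leave the value empty, so the default does not depend on who ran the build. The same path also lands in the `GROUPS_LDAP_CACERT` and `GRAPH_LDAP_CACERT` default cells of the configvars tables in this patch.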
--- a/static/env-vars/groups_configvars.md +++ b/static/env-vars/groups_configvars.md @@ -1,60 +1,60 @@ Environment variables for the **groups** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`GROUPS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`GROUPS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`GROUPS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`GROUPS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`GROUPS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`GROUPS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`GROUPS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`GROUPS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`GROUPS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9161| -|`GROUPS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`GROUPS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`GROUPS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`GROUPS_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9160| -|`OC_GRPC_PROTOCOL`
`GROUPS_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`OC_JWT_SECRET`
`GROUPS_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`GROUPS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`GROUPS_DRIVER`| 1.0.0 |string|The driver which should be used by the groups service. Supported values are 'ldap' and 'owncloudsql'.|ldap| -|`OC_LDAP_URI`
`GROUPS_LDAP_URI`| 1.0.0 |string|URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'|ldaps://localhost:9235| -|`OC_LDAP_CACERT`
`GROUPS_LDAP_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.|/home/chaser/.opencloud/idm/ldap.crt| -|`OC_LDAP_INSECURE`
`GROUPS_LDAP_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.|false| -|`OC_LDAP_BIND_DN`
`GROUPS_LDAP_BIND_DN`| 1.0.0 |string|LDAP DN to use for simple bind authentication with the target LDAP server.|uid=reva,ou=sysusers,o=libregraph-idm| -|`OC_LDAP_BIND_PASSWORD`
`GROUPS_LDAP_BIND_PASSWORD`| 1.0.0 |string|Password to use for authenticating the 'bind_dn'.|| -|`OC_LDAP_USER_BASE_DN`
`GROUPS_LDAP_USER_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP users.|ou=users,o=libregraph-idm| -|`OC_LDAP_GROUP_BASE_DN`
`GROUPS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP groups.|ou=groups,o=libregraph-idm| -|`OC_LDAP_USER_SCOPE`
`GROUPS_LDAP_USER_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.|sub| -|`OC_LDAP_GROUP_SCOPE`
`GROUPS_LDAP_GROUP_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.|sub| -|`LDAP_GROUP_SUBSTRING_FILTER_TYPE`
`GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|Type of substring search filter to use for substring searches for groups. Supported values are 'initial', 'final' and 'any'. The value 'initial' is used for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches|any| -|`OC_LDAP_USER_FILTER`
`GROUPS_LDAP_USER_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.|| -|`OC_LDAP_GROUP_FILTER`
`GROUPS_LDAP_GROUP_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for group searches.|| -|`OC_LDAP_USER_OBJECTCLASS`
`GROUPS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|The object class to use for users in the default user search filter ('inetOrgPerson').|inetOrgPerson| -|`OC_LDAP_GROUP_OBJECTCLASS`
`GROUPS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|The object class to use for groups in the default group search filter ('groupOfNames').|groupOfNames| -|`OC_URL`
`OC_OIDC_ISSUER`
`GROUPS_IDP_URL`| 1.0.0 |string|The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider.|https://localhost:9200| -|`OC_LDAP_USER_SCHEMA_ID`
`GROUPS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.|openCloudUUID| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.|false| -|`OC_LDAP_USER_SCHEMA_MAIL`
`GROUPS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|LDAP Attribute to use for the email address of users.|mail| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|LDAP Attribute to use for the displayname of users.|displayname| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`GROUPS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|LDAP Attribute to use for username of users.|uid| -|`OC_LDAP_GROUP_SCHEMA_ID`
`GROUPS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.|openCloudUUID| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.|false| -|`OC_LDAP_GROUP_SCHEMA_MAIL`
`GROUPS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|LDAP Attribute to use for the email address of groups (can be empty).|mail| -|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).|cn| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|LDAP Attribute to use for the name of groups.|cn| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GROUPS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|LDAP Attribute that is used for group members.|member| -|`GROUPS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|Database user to use for authenticating with the owncloud database.|owncloud| -|`GROUPS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|Password for the database user.|| -|`GROUPS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|Hostname of the database server.|mysql| -|`GROUPS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|Network port to use for the database connection.|3306| -|`GROUPS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|Name of the owncloud database.|owncloud| -|`GROUPS_OWNCLOUDSQL_IDP`| 1.0.0 |string|The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.|https://localhost:9200| -|`GROUPS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|Fallback number if no numeric UID and GID properties are provided.|90| -|`GROUPS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|Join the user properties table to read usernames.|false| -|`GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|Join the user properties table to read user IDs.|false| -|`GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.|false| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`GROUPS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`GROUPS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`GROUPS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`GROUPS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`GROUPS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`GROUPS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`GROUPS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`GROUPS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`GROUPS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9161`| +|`GROUPS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`GROUPS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`GROUPS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`GROUPS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9160`| +|`OC_GRPC_PROTOCOL`
`GROUPS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`GROUPS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`GROUPS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`GROUPS_DRIVER`| 1.0.0 |string|`The driver which should be used by the groups service. Supported values are 'ldap' and 'owncloudsql'.`|`ldap`| +|`OC_LDAP_URI`
`GROUPS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| +|`OC_LDAP_CACERT`
`GROUPS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/Users/t.schweiger/.opencloud/idm/ldap.crt`| +|`OC_LDAP_INSECURE`
`GROUPS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`GROUPS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`GROUPS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`GROUPS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`GROUPS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`GROUPS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_SCOPE`
`GROUPS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`LDAP_GROUP_SUBSTRING_FILTER_TYPE`
`GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for groups. Supported values are 'initial', 'final' and 'any'. The value 'initial' is used for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|`any`| +|`OC_LDAP_USER_FILTER`
`GROUPS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_GROUP_FILTER`
`GROUPS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`GROUPS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| +|`OC_LDAP_GROUP_OBJECTCLASS`
`GROUPS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| +|`OC_URL`
`OC_OIDC_ISSUER`
`GROUPS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider.`|`https://localhost:9200`| +|`OC_LDAP_USER_SCHEMA_ID`
`GROUPS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.`|`openCloudUUID`| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`GROUPS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`GROUPS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`GROUPS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`GROUPS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GROUPS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`GROUPS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| +|`GROUPS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|``| +|`GROUPS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| +|`GROUPS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| +|`GROUPS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| +|`GROUPS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`GROUPS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| +|`GROUPS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames.`|`false`| +|`GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|`false`| +|`GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|`false`| diff --git a/static/env-vars/groups_readme.md b/static/env-vars/groups_readme.md new file mode 100755 index 00000000..50dd82e8 --- /dev/null +++ b/static/env-vars/groups_readme.md @@ -0,0 +1,21 @@ +--- +title: Groups +date: 2025-11-12T16:20:03.607824+01:00 +weight: 20 +geekdocRepo: https://github.com/opencloud-eu/opencloud +geekdocEditPath: edit/master/services/groups +geekdocFilePath: README.md +geekdocCollapseSection: true +--- + + + +## Abstract + + +The `groups` service provides group management functionality within OpenCloud. + +## Table of Contents + + + 
diff --git a/static/env-vars/idm-config-example.yaml b/static/env-vars/idm-config-example.yaml index b527a2ae..b4b6223c 100644 --- a/static/env-vars/idm-config-example.yaml +++ b/static/env-vars/idm-config-example.yaml @@ -18,9 +18,9 @@ debug: zpages: false idm: ldaps_addr: 127.0.0.1:9235 - cert: /home/chaser/.opencloud/idm/ldap.crt - key: /home/chaser/.opencloud/idm/ldap.key - database: /home/chaser/.opencloud/idm/idm.boltdb + cert: /Users/t.schweiger/.opencloud/idm/ldap.crt + key: /Users/t.schweiger/.opencloud/idm/ldap.key + database: /Users/t.schweiger/.opencloud/idm/idm.boltdb create_demo_users: false demo_users_issuer_url: https://localhost:9200 service_user_passwords: diff --git a/static/env-vars/idm.yaml b/static/env-vars/idm.yaml new file mode 100644 index 00000000..f3587e26 --- /dev/null +++ b/static/env-vars/idm.yaml @@ -0,0 +1,31 @@ +# Autogenerated +# Filename: idm.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9239 + token: "" + pprof: false + zpages: false +idm: + ldaps_addr: 127.0.0.1:9235 + cert: /Users/t.schweiger/.opencloud/idm/ldap.crt + key: /Users/t.schweiger/.opencloud/idm/ldap.key + database: /Users/t.schweiger/.opencloud/idm/idm.boltdb +create_demo_users: false +demo_users_issuer_url: https://localhost:9200 +service_user_passwords: + admin_password: "" + idm_password: "" + reva_password: "" + idp_password: "" +admin_user_id: "" diff --git a/static/env-vars/idm_configvars.md b/static/env-vars/idm_configvars.md index ee23bf31..84fc5cb0 100644 --- a/static/env-vars/idm_configvars.md +++ b/static/env-vars/idm_configvars.md @@ -1,27 +1,27 @@ Environment variables for the **idm** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
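Review bot: The replaced `cert`, `key` and `database` defaults embed the author's personal home directory (`/Users/t.schweiger/.opencloud/idm/...`) in place of the previous `/home/chaser/...`, so the published example still leaks a developer's local environment and shows operators a path that will not exist on their systems. The same generator output appears in the idm.yaml, idm_configvars.md, idp-config-example.yaml, idp.yaml and idp_configvars.md hunks; in the configvars tables it sits next to descriptions saying the path "derives from $OC_BASE_DATA_PATH/idm", which the shown default contradicts. Consider running the docs generator with `OC_BASE_DATA_PATH` set to a neutral value, or post-processing the output, so the lines read e.g. `cert: <OC_BASE_DATA_PATH>/idm/ldap.crt` (placeholder) rather than a machine-specific absolute path.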
`IDM_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`IDM_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`IDM_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`IDM_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`IDM_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`IDM_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`IDM_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`IDM_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`IDM_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9239| -|`IDM_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`IDM_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`IDM_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`IDM_LDAPS_ADDR`| 1.0.0 |string|Listen address for the LDAPS listener (ip-addr:port).|127.0.0.1:9235| -|`IDM_LDAPS_CERT`| 1.0.0 |string|File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.|/home/chaser/.opencloud/idm/ldap.crt| -|`IDM_LDAPS_KEY`| 1.0.0 |string|File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.|/home/chaser/.opencloud/idm/ldap.key| -|`IDM_DATABASE_PATH`| 1.0.0 |string|Full path to the IDM backend database. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.|/home/chaser/.opencloud/idm/idm.boltdb| -|`IDM_CREATE_DEMO_USERS`| 1.0.0 |bool|Flag to enable or disable the creation of the demo users.|false| -|`OC_URL`
`OC_OIDC_ISSUER`| 1.0.0 |string|The OIDC issuer URL to assign to the demo users.|https://localhost:9200| -|`IDM_ADMIN_PASSWORD`| 1.0.0 |string|Password to set for the OpenCloud 'admin' user. Either cleartext or an argon2id hash.|| -|`IDM_SVC_PASSWORD`| 1.0.0 |string|Password to set for the 'idm' service user. Either cleartext or an argon2id hash.|| -|`IDM_REVASVC_PASSWORD`| 1.0.0 |string|Password to set for the 'reva' service user. Either cleartext or an argon2id hash.|| -|`IDM_IDPSVC_PASSWORD`| 1.0.0 |string|Password to set for the 'idp' service user. Either cleartext or an argon2id hash.|| -|`OC_ADMIN_USER_ID`
`IDM_ADMIN_USER_ID`| 1.0.0 |string|ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`IDM_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`IDM_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`IDM_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`IDM_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`IDM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`IDM_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`IDM_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`IDM_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`IDM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9239`| +|`IDM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`IDM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`IDM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`IDM_LDAPS_ADDR`| 1.0.0 |string|`Listen address for the LDAPS listener (ip-addr:port).`|`127.0.0.1:9235`| +|`IDM_LDAPS_CERT`| 1.0.0 |string|`File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/Users/t.schweiger/.opencloud/idm/ldap.crt`| +|`IDM_LDAPS_KEY`| 1.0.0 |string|`File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/Users/t.schweiger/.opencloud/idm/ldap.key`| +|`IDM_DATABASE_PATH`| 1.0.0 |string|`Full path to the IDM backend database. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/Users/t.schweiger/.opencloud/idm/idm.boltdb`| +|`IDM_CREATE_DEMO_USERS`| 1.0.0 |bool|`Flag to enable or disable the creation of the demo users.`|`false`| +|`OC_URL`
`OC_OIDC_ISSUER`| 1.0.0 |string|`The OIDC issuer URL to assign to the demo users.`|`https://localhost:9200`| +|`IDM_ADMIN_PASSWORD`| 1.0.0 |string|`Password to set for the OpenCloud 'admin' user. Either cleartext or an argon2id hash.`|``| +|`IDM_SVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idm' service user. Either cleartext or an argon2id hash.`|``| +|`IDM_REVASVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'reva' service user. Either cleartext or an argon2id hash.`|``| +|`IDM_IDPSVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idp' service user. Either cleartext or an argon2id hash.`|``| +|`OC_ADMIN_USER_ID`
`IDM_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| diff --git a/static/env-vars/idm_readme.md b/static/env-vars/idm_readme.md index df0acd59..fd3a561d 100755 --- a/static/env-vars/idm_readme.md +++ b/static/env-vars/idm_readme.md @@ -1,6 +1,6 @@ --- title: IDM -date: 2025-05-22T16:21:16.119463799+02:00 +date: 2025-11-13T17:22:55.095332+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/idm @@ -23,5 +23,5 @@ Note: IDM is limited in its functionality. It only supports a subset of the LDAP ## Table of Contents -* [Example Yaml Config](#example-yaml-config) + diff --git a/static/env-vars/idp-config-example.yaml b/static/env-vars/idp-config-example.yaml index 859f26b8..90ae3a4c 100644 --- a/static/env-vars/idp-config-example.yaml +++ b/static/env-vars/idp-config-example.yaml @@ -19,8 +19,8 @@ debug: http: addr: 127.0.0.1:9130 root: / - tls_cert: /home/chaser/.opencloud/idp/server.crt - tls_key: /home/chaser/.opencloud/idp/server.key + tls_cert: /Users/t.schweiger/.opencloud/idp/server.crt + tls_key: /Users/t.schweiger/.opencloud/idp/server.key tls: false reva: address: eu.opencloud.api.gateway @@ -43,7 +43,7 @@ idp: allow_scope: [] allow_client_guests: false allow_dynamic_client_registration: false - encrypt_secret_file: /home/chaser/.opencloud/idp/encryption.key + encrypt_secret_file: /Users/t.schweiger/.opencloud/idp/encryption.key listen: "" identifierdefaultbannerlogo: "" default_sign_in_page_text: "" @@ -53,7 +53,7 @@ idp: signing_kid: private-key signing_method: PS256 signing_private_key_files: - - /home/chaser/.opencloud/idp/private-key.pem + - /Users/t.schweiger/.opencloud/idp/private-key.pem validation_keys_path: "" cookiebackenduri: "" cookienames: [] 
@@ -107,7 +107,7 @@ clients: application_type: native ldap: uri: ldaps://localhost:9235 - cacert: /home/chaser/.opencloud/idm/ldap.crt + cacert: /Users/t.schweiger/.opencloud/idm/ldap.crt bind_dn: uid=idp,ou=sysusers,o=libregraph-idm bind_password: "" base_dn: ou=users,o=libregraph-idm diff --git a/static/env-vars/idp.yaml b/static/env-vars/idp.yaml new file mode 100644 index 00000000..7cfce2d7 --- /dev/null +++ b/static/env-vars/idp.yaml 
@@ -0,0 +1,122 @@ +# Autogenerated +# Filename: idp.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9134 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9130 + root: / + tls_cert: /Users/t.schweiger/.opencloud/idp/server.crt + tls_key: /Users/t.schweiger/.opencloud/idp/server.key + tls: false +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +machine_auth_api_key: "" +asset: + asset: "" + login-background-url: "" +idp: + iss: https://localhost:9200 + identity_manager: ldap + uri_base_path: "" + sign_in_uri: "" + signed_out_uri: "" + authorization_endpoint_uri: "" + ldap_insecure: false + trusted_proxy: [] + allow_scope: [] + allow_client_guests: false + allow_dynamic_client_registration: false + encrypt_secret_file: /Users/t.schweiger/.opencloud/idp/encryption.key + listen: "" + identifierdefaultbannerlogo: "" + default_sign_in_page_text: "" + default_logo_target_uri: https://opencloud.eu + identifierdefaultusernamehinttext: "" + identifieruilocales: [] + signing_kid: private-key + signing_method: PS256 + signing_private_key_files: + - /Users/t.schweiger/.opencloud/idp/private-key.pem + validation_keys_path: "" + cookiebackenduri: "" + cookienames: [] + cookiesamesite: 3 + access_token_duration_seconds: 300 + id_token_duration_seconds: 300 + refresh_token_duration_seconds: 2592000 + dynamic_client_secret_duration_seconds: 0 +clients: +- id: web + name: OpenCloud Web App + trusted: true + secret: "" + redirect_uris: + - '{{OC_URL}}/' + - '{{OC_URL}}/oidc-callback.html' + - '{{OC_URL}}/oidc-silent-redirect.html' + post_logout_redirect_uris: [] + origins: + - '{{OC_URL}}' + application_type: "" +- id: OpenCloudDesktop + name: OpenCloud Desktop Client + trusted: false + secret: "" + redirect_uris: + - http://127.0.0.1 + - http://localhost + post_logout_redirect_uris: [] + origins: [] + application_type: native +- 
id: OpenCloudAndroid + name: OpenCloud Android App + trusted: false + secret: "" + redirect_uris: + - oc://android.opencloud.eu + post_logout_redirect_uris: + - oc://android.opencloud.eu + origins: [] + application_type: native +- id: OpenCloudIOS + name: OpenCloud iOS App + trusted: false + secret: "" + redirect_uris: + - oc://ios.opencloud.eu + post_logout_redirect_uris: + - oc://ios.opencloud.eu + origins: [] + application_type: native +ldap: + uri: ldaps://localhost:9235 + cacert: /Users/t.schweiger/.opencloud/idm/ldap.crt + bind_dn: uid=idp,ou=sysusers,o=libregraph-idm + bind_password: "" + base_dn: ou=users,o=libregraph-idm + scope: sub + login_attribute: uid + email_attribute: mail + name_attribute: displayName + uuid_attribute: openCloudUUID + uuid_attribute_type: text + user_enabled_attribute: openCloudUserEnabled + filter: "" + objectclass: inetOrgPerson diff --git a/static/env-vars/idp_configvars.md b/static/env-vars/idp_configvars.md index 5775f8f2..e3d2d36b 100644 --- a/static/env-vars/idp_configvars.md +++ b/static/env-vars/idp_configvars.md @@ -1,62 +1,62 @@ Environment variables for the **idp** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`IDP_PASSWORD_RESET_URI`| 1.0.0 |string|The URI where a user can reset their password.|| -|`OC_TRACING_ENABLED`
`IDP_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`IDP_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`IDP_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`IDP_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`IDP_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`IDP_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`IDP_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`IDP_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`IDP_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9134| -|`IDP_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`IDP_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`IDP_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`IDP_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9130| -|`IDP_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`IDP_TRANSPORT_TLS_CERT`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.|/home/chaser/.opencloud/idp/server.crt| -|`IDP_TRANSPORT_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.|/home/chaser/.opencloud/idp/server.key| -|`IDP_TLS`| 1.0.0 |bool|Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present.|false| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OC_MACHINE_AUTH_API_KEY`
`IDP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|Machine auth API key used to validate internal requests necessary for the access to resources from other services.|| -|`IDP_ASSET_PATH`| 1.0.0 |string|Serve IDP assets from a path on the filesystem instead of the builtin assets.|| -|`IDP_LOGIN_BACKGROUND_URL`| 1.0.0 |string|Configure an alternative URL to the background image for the login page.|| -|`OC_URL`
`OC_OIDC_ISSUER`
`IDP_ISS`| 1.0.0 |string|The OIDC issuer URL to use.|https://localhost:9200| -|`IDP_IDENTITY_MANAGER`| 1.0.0 |string|The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'.|ldap| -|`IDP_URI_BASE_PATH`| 1.0.0 |string|IDP uri base path (defaults to '').|| -|`IDP_SIGN_IN_URI`| 1.0.0 |string|IDP sign-in url.|| -|`IDP_SIGN_OUT_URI`| 1.0.0 |string|IDP sign-out url.|| -|`IDP_ENDPOINT_URI`| 1.0.0 |string|URL of the IDP endpoint.|| -|`OC_LDAP_INSECURE`
`IDP_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.|false| -|`IDP_ALLOW_CLIENT_GUESTS`| 1.0.0 |bool|Allow guest clients to access OpenCloud.|false| -|`IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION`| 1.0.0 |bool|Allow dynamic client registration.|false| -|`IDP_ENCRYPTION_SECRET_FILE`| 1.0.0 |string|Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.|/home/chaser/.opencloud/idp/encryption.key| -|`IDP_DEFAULT_SIGNIN_PAGE_TEXT`| 2.0.0 |string||| -|`IDP_DEFAULT_LOGO_TARGET_URI`| next |string|Default logo target URI.|https://opencloud.eu| -|`IDP_SIGNING_KID`| 1.0.0 |string|Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key.|private-key| -|`IDP_SIGNING_METHOD`| 1.0.0 |string|Signing method of IDP requests like 'PS256'|PS256| -|`IDP_SIGNING_PRIVATE_KEY_FILES`| 1.0.0 |[]string|A list of private key files for signing IDP requests. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. See the Environment Variable Types description for more details.|[/home/chaser/.opencloud/idp/private-key.pem]| -|`IDP_VALIDATION_KEYS_PATH`| 1.0.0 |string|Path to validation keys for IDP requests.|| -|`IDP_ACCESS_TOKEN_EXPIRATION`| 1.0.0 |uint64|'Access token lifespan in seconds (time before an access token is expired).'|300| -|`IDP_ID_TOKEN_EXPIRATION`| 1.0.0 |uint64|ID token lifespan in seconds (time before an ID token is expired).|300| -|`IDP_REFRESH_TOKEN_EXPIRATION`| 1.0.0 |uint64|Refresh token lifespan in seconds (time before an refresh token is expired). This also limits the duration of an idle offline session.|2592000| -|`IDP_DYNAMIC_CLIENT_SECRET_DURATION`| 1.0.0 |uint64|Lifespan in seconds of a dynamically registered OIDC client.|0| -|`OC_LDAP_URI`
`IDP_LDAP_URI`| 1.0.0 |string|Url of the LDAP service to use as IDP.|ldaps://localhost:9235| -|`OC_LDAP_CACERT`
`IDP_LDAP_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.|/home/chaser/.opencloud/idm/ldap.crt| -|`OC_LDAP_BIND_DN`
`IDP_LDAP_BIND_DN`| 1.0.0 |string|LDAP DN to use for simple bind authentication with the target LDAP server.|uid=idp,ou=sysusers,o=libregraph-idm| -|`OC_LDAP_BIND_PASSWORD`
`IDP_LDAP_BIND_PASSWORD`| 1.0.0 |string|Password to use for authenticating the 'bind_dn'.|| -|`OC_LDAP_USER_BASE_DN`
`IDP_LDAP_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP users.|ou=users,o=libregraph-idm| -|`OC_LDAP_USER_SCOPE`
`IDP_LDAP_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.|sub| -|`IDP_LDAP_LOGIN_ATTRIBUTE`| 1.0.0 |string|LDAP User attribute to use for login like 'uid'.|uid| -|`OC_LDAP_USER_SCHEMA_MAIL`
`IDP_LDAP_EMAIL_ATTRIBUTE`| 1.0.0 |string|LDAP User email attribute like 'mail'.|mail| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`IDP_LDAP_NAME_ATTRIBUTE`| 1.0.0 |string|LDAP User name attribute like 'displayName'.|displayName| -|`OC_LDAP_USER_SCHEMA_ID`
`IDP_LDAP_UUID_ATTRIBUTE`| 1.0.0 |string|LDAP User UUID attribute like 'uid'.|openCloudUUID| -|`IDP_LDAP_UUID_ATTRIBUTE_TYPE`| 1.0.0 |string|LDAP User uuid attribute type like 'text'.|text| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`IDP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to use as a flag telling if the user is enabled or disabled.|openCloudUserEnabled| -|`OC_LDAP_USER_FILTER`
`IDP_LDAP_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.|| -|`OC_LDAP_USER_OBJECTCLASS`
`IDP_LDAP_OBJECTCLASS`| 1.0.0 |string|LDAP User ObjectClass like 'inetOrgPerson'.|inetOrgPerson| \ No newline at end of file +|---|---|---|---|:---| +|`IDP_PASSWORD_RESET_URI`| 1.0.0 |string|`The URI where a user can reset their password.`|``| +|`OC_TRACING_ENABLED`
`IDP_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`IDP_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`IDP_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`IDP_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`IDP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`IDP_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`IDP_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`IDP_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`IDP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9134`| +|`IDP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`IDP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`IDP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`IDP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9130`| +|`IDP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`IDP_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/Users/t.schweiger/.opencloud/idp/server.crt`| +|`IDP_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/Users/t.schweiger/.opencloud/idp/server.key`| +|`IDP_TLS`| 1.0.0 |bool|`Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_MACHINE_AUTH_API_KEY`
`IDP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| +|`IDP_ASSET_PATH`| 1.0.0 |string|`Serve IDP assets from a path on the filesystem instead of the builtin assets.`|``| +|`IDP_LOGIN_BACKGROUND_URL`| 1.0.0 |string|`Configure an alternative URL to the background image for the login page.`|``| +|`OC_URL`
`OC_OIDC_ISSUER`
`IDP_ISS`| 1.0.0 |string|`The OIDC issuer URL to use.`|`https://localhost:9200`| +|`IDP_IDENTITY_MANAGER`| 1.0.0 |string|`The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'.`|`ldap`| +|`IDP_URI_BASE_PATH`| 1.0.0 |string|`IDP uri base path (defaults to '').`|``| +|`IDP_SIGN_IN_URI`| 1.0.0 |string|`IDP sign-in url.`|``| +|`IDP_SIGN_OUT_URI`| 1.0.0 |string|`IDP sign-out url.`|``| +|`IDP_ENDPOINT_URI`| 1.0.0 |string|`URL of the IDP endpoint.`|``| +|`OC_LDAP_INSECURE`
`IDP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`IDP_ALLOW_CLIENT_GUESTS`| 1.0.0 |bool|`Allow guest clients to access OpenCloud.`|`false`| +|`IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION`| 1.0.0 |bool|`Allow dynamic client registration.`|`false`| +|`IDP_ENCRYPTION_SECRET_FILE`| 1.0.0 |string|`Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/Users/t.schweiger/.opencloud/idp/encryption.key`| +|`IDP_DEFAULT_SIGNIN_PAGE_TEXT`| 2.0.0 |string|``|``| +|`IDP_DEFAULT_LOGO_TARGET_URI`| next |string|`Default logo target URI.`|`https://opencloud.eu`| +|`IDP_SIGNING_KID`| 1.0.0 |string|`Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key.`|`private-key`| +|`IDP_SIGNING_METHOD`| 1.0.0 |string|`Signing method of IDP requests like 'PS256'`|`PS256`| +|`IDP_SIGNING_PRIVATE_KEY_FILES`| 1.0.0 |[]string|`A list of private key files for signing IDP requests. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. See the Environment Variable Types description for more details.`|`[/Users/t.schweiger/.opencloud/idp/private-key.pem]`| +|`IDP_VALIDATION_KEYS_PATH`| 1.0.0 |string|`Path to validation keys for IDP requests.`|``| +|`IDP_ACCESS_TOKEN_EXPIRATION`| 1.0.0 |uint64|`'Access token lifespan in seconds (time before an access token is expired).'`|`300`| +|`IDP_ID_TOKEN_EXPIRATION`| 1.0.0 |uint64|`ID token lifespan in seconds (time before an ID token is expired).`|`300`| +|`IDP_REFRESH_TOKEN_EXPIRATION`| 1.0.0 |uint64|`Refresh token lifespan in seconds (time before an refresh token is expired). 
This also limits the duration of an idle offline session.`|`2592000`| +|`IDP_DYNAMIC_CLIENT_SECRET_DURATION`| 1.0.0 |uint64|`Lifespan in seconds of a dynamically registered OIDC client.`|`0`| +|`OC_LDAP_URI`
`IDP_LDAP_URI`| 1.0.0 |string|`Url of the LDAP service to use as IDP.`|`ldaps://localhost:9235`| +|`OC_LDAP_CACERT`
`IDP_LDAP_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/Users/t.schweiger/.opencloud/idm/ldap.crt`| +|`OC_LDAP_BIND_DN`
`IDP_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=idp,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`IDP_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`IDP_LDAP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`IDP_LDAP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`IDP_LDAP_LOGIN_ATTRIBUTE`| 1.0.0 |string|`LDAP User attribute to use for login like 'uid'.`|`uid`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`IDP_LDAP_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP User email attribute like 'mail'.`|`mail`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`IDP_LDAP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP User name attribute like 'displayName'.`|`displayName`| +|`OC_LDAP_USER_SCHEMA_ID`
`IDP_LDAP_UUID_ATTRIBUTE`| 1.0.0 |string|`LDAP User UUID attribute like 'uid'.`|`openCloudUUID`| +|`IDP_LDAP_UUID_ATTRIBUTE_TYPE`| 1.0.0 |string|`LDAP User uuid attribute type like 'text'.`|`text`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`IDP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| +|`OC_LDAP_USER_FILTER`
`IDP_LDAP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`IDP_LDAP_OBJECTCLASS`| 1.0.0 |string|`LDAP User ObjectClass like 'inetOrgPerson'.`|`inetOrgPerson`| diff --git a/static/env-vars/idp_readme.md b/static/env-vars/idp_readme.md index 10eecc29..9b2fb1b6 100755 --- a/static/env-vars/idp_readme.md +++ b/static/env-vars/idp_readme.md @@ -1,6 +1,6 @@ --- title: IDP -date: 2025-05-22T16:21:16.119513502+02:00 +date: 2025-11-13T17:22:55.095406+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/idp @@ -26,7 +26,6 @@ Note that translations provided by the IDP service are not maintained via OpenCl * [Configuration](#configuration) * [Custom Clients](#custom-clients) -* [Example Yaml Config](#example-yaml-config) ## Configuration @@ -100,3 +99,4 @@ clients: + diff --git a/static/env-vars/invitations.yaml b/static/env-vars/invitations.yaml new file mode 100644 index 00000000..a62e602e --- /dev/null +++ b/static/env-vars/invitations.yaml @@ -0,0 +1,40 @@ +# Autogenerated +# Filename: invitations.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9269 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9265 + root: /graph/v1.0 + cors: + allow_origins: + - https://localhost:9200 + allow_methods: [] + allow_headers: [] + allow_credentials: false + tls: + enabled: false + cert: "" + key: "" +keycloak: + base_path: "" + client_id: "" + client_secret: "" + client_realm: "" + user_realm: "" + insecure_skip_verify: false +token_manager: + jwt_secret: "" diff --git a/static/env-vars/invitations_configvars.md b/static/env-vars/invitations_configvars.md index f3165a3e..f6232ec7 100644 --- a/static/env-vars/invitations_configvars.md +++ b/static/env-vars/invitations_configvars.md 
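Review bot: The `IDP_REFRESH_TOKEN_EXPIRATION` row appears to carry a literal line break inside its Description cell, between `expired).` and `This also limits the duration of an idle offline session.`, whereas the removed row was a single line. A newline inside a GFM table cell ends the row, so the second sentence and the `2592000` default would render as stray text below the table. If the break originates in the source description string, joining it back onto one line keeps the row intact; the `OC_GRPC_CLIENT_TLS_MODE` row shows the same split on both the old and new side, so that one is pre-existing.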
@@ -1,32 +1,32 @@ Environment variables for the **invitations** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`INVITATIONS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`INVITATIONS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`INVITATIONS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`INVITATIONS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`INVITATIONS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`INVITATIONS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`INVITATIONS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`INVITATIONS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`INVITATIONS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9269| -|`INVITATIONS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`INVITATIONS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`INVITATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`INVITATIONS_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9265| -|`INVITATIONS_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/graph/v1.0| -|`OC_CORS_ALLOW_ORIGINS`
`INVITATIONS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[https://localhost:9200]| -|`OC_CORS_ALLOW_METHODS`
`INVITATIONS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[]| -|`OC_CORS_ALLOW_HEADERS`
`INVITATIONS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[]| -|`OC_CORS_ALLOW_CREDENTIALS`
`INVITATIONS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|false| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`OC_KEYCLOAK_BASE_PATH`
`INVITATIONS_KEYCLOAK_BASE_PATH`| 1.0.0 |string|The URL to access keycloak.|| -|`OC_KEYCLOAK_CLIENT_ID`
`INVITATIONS_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|The client ID to authenticate with keycloak.|| -|`OC_KEYCLOAK_CLIENT_SECRET`
`INVITATIONS_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|The client secret to use in authentication.|| -|`OC_KEYCLOAK_CLIENT_REALM`
`INVITATIONS_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|The realm the client is defined in.|| -|`OC_KEYCLOAK_USER_REALM`
`INVITATIONS_KEYCLOAK_USER_REALM`| 1.0.0 |string|The realm users are defined.|| -|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.|false| -|`OC_JWT_SECRET`
`INVITATIONS_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`INVITATIONS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`INVITATIONS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`INVITATIONS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`INVITATIONS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`INVITATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`INVITATIONS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`INVITATIONS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`INVITATIONS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`INVITATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9269`| +|`INVITATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`INVITATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`INVITATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`INVITATIONS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9265`| +|`INVITATIONS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/graph/v1.0`| +|`OC_CORS_ALLOW_ORIGINS`
`INVITATIONS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`INVITATIONS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_HEADERS`
`INVITATIONS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`INVITATIONS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_KEYCLOAK_BASE_PATH`
`INVITATIONS_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_ID`
`INVITATIONS_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client ID to authenticate with keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_SECRET`
`INVITATIONS_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|``| +|`OC_KEYCLOAK_CLIENT_REALM`
`INVITATIONS_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|``| +|`OC_KEYCLOAK_USER_REALM`
`INVITATIONS_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|``| +|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|`false`| +|`OC_JWT_SECRET`
`INVITATIONS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| diff --git a/static/env-vars/invitations_readme.md b/static/env-vars/invitations_readme.md index 06e90746..692f6ba2 100755 --- a/static/env-vars/invitations_readme.md +++ b/static/env-vars/invitations_readme.md @@ -1,6 +1,6 @@ --- title: Invitations -date: 2025-05-22T16:21:16.119557585+02:00 +date: 2025-11-13T17:22:55.095488+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/invitations @@ -28,7 +28,6 @@ The corresponding CS3 API [user types](https://cs3org.github.io/cs3apis/#cs3.ide * [Keycloak Realm Configuration](#keycloak-realm-configuration) * [Backend Configuration](#backend-configuration) * [Bridging Provisioning Delay](#bridging-provisioning-delay) -* [Example Yaml Config](#example-yaml-config) ## Provisioning Backends @@ -66,3 +65,4 @@ After Keycloak has been configured, the invitation service needs to be configure ## Bridging Provisioning Delay Consider that when a guest account has to be provisioned in an external user management, there might be a delay between creating the user and the user being available in the local OpenCloud system. + diff --git a/static/env-vars/nats-config-example.yaml b/static/env-vars/nats-config-example.yaml index 8623983a..522970d7 100644 --- a/static/env-vars/nats-config-example.yaml +++ b/static/env-vars/nats-config-example.yaml @@ -20,8 +20,8 @@ nats: host: 127.0.0.1 port: 9233 clusterid: opencloud-cluster - store_dir: /home/chaser/.opencloud/nats - tls_cert: /home/chaser/.opencloud/nats/tls.crt - tls_key: /home/chaser/.opencloud/nats/tls.key + store_dir: /Users/t.schweiger/.opencloud/nats + tls_cert: /Users/t.schweiger/.opencloud/nats/tls.crt + tls_key: /Users/t.schweiger/.opencloud/nats/tls.key tls_skip_verify_client_cert: false enable_tls: false diff --git a/static/env-vars/nats.yaml b/static/env-vars/nats.yaml new file mode 100644 index 00000000..e3d9cad4 --- /dev/null 
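Review bot: The new values in this hunk, `store_dir: /Users/t.schweiger/.opencloud/nats` and the `tls_cert`/`tls_key` lines beside it, are the generating developer's home directory rather than a product default, and the same machine-specific path is repeated in the new nats.yaml hunk and in the NATS_NATS_STORE_DIR, NATS_TLS_CERT and NATS_TLS_KEY rows of the nats_configvars.md hunk. The value being replaced (/home/chaser/...) had the same shape, so the generator presumably captures OC_BASE_DATA_PATH from its own environment; the published docs then carry a local username and contradict their own descriptions, which state that the path derives from $OC_BASE_DATA_PATH/nats when unset. I would run the generator with a neutral base path or substitute a placeholder before committing, so the example reads `store_dir: <OC_BASE_DATA_PATH>/nats`, `tls_cert: <OC_BASE_DATA_PATH>/nats/tls.crt`, `tls_key: <OC_BASE_DATA_PATH>/nats/tls.key`.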
+++ b/static/env-vars/nats.yaml @@ -0,0 +1,27 @@ +# Autogenerated +# Filename: nats.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9234 + token: "" + pprof: false + zpages: false +nats: + host: 127.0.0.1 + port: 9233 + clusterid: opencloud-cluster + store_dir: /Users/t.schweiger/.opencloud/nats + tls_cert: /Users/t.schweiger/.opencloud/nats/tls.crt + tls_key: /Users/t.schweiger/.opencloud/nats/tls.key + tls_skip_verify_client_cert: false + enable_tls: false diff --git a/static/env-vars/nats_configvars.md b/static/env-vars/nats_configvars.md index ac86776a..b242f576 100644 --- a/static/env-vars/nats_configvars.md +++ b/static/env-vars/nats_configvars.md @@ -1,24 +1,24 @@ Environment variables for the **nats** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`NATS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`NATS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`NATS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`NATS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`NATS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`NATS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`NATS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`NATS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`NATS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9234| -|`NATS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`NATS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`NATS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`NATS_NATS_HOST`| 1.0.0 |string|Bind address.|127.0.0.1| -|`NATS_NATS_PORT`| 1.0.0 |int|Bind port.|9233| -|`NATS_NATS_CLUSTER_ID`| 1.0.0 |string|ID of the NATS cluster.|opencloud-cluster| -|`NATS_NATS_STORE_DIR`| 1.0.0 |string|The directory where the filesystem storage will store NATS JetStream data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.|/home/chaser/.opencloud/nats| -|`NATS_TLS_CERT`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.|/home/chaser/.opencloud/nats/tls.crt| -|`NATS_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.|/home/chaser/.opencloud/nats/tls.key| -|`OC_INSECURE`
`NATS_TLS_SKIP_VERIFY_CLIENT_CERT`| 1.0.0 |bool|Whether the NATS server should skip the client certificate verification during the TLS handshake.|false| -|`OC_EVENTS_ENABLE_TLS`
`NATS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`NATS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`NATS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`NATS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`NATS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`NATS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`NATS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`NATS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`NATS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`NATS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9234`| +|`NATS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`NATS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`NATS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`NATS_NATS_HOST`| 1.0.0 |string|`Bind address.`|`127.0.0.1`| +|`NATS_NATS_PORT`| 1.0.0 |int|`Bind port.`|`9233`| +|`NATS_NATS_CLUSTER_ID`| 1.0.0 |string|`ID of the NATS cluster.`|`opencloud-cluster`| +|`NATS_NATS_STORE_DIR`| 1.0.0 |string|`The directory where the filesystem storage will store NATS JetStream data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/Users/t.schweiger/.opencloud/nats`| +|`NATS_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/Users/t.schweiger/.opencloud/nats/tls.crt`| +|`NATS_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/Users/t.schweiger/.opencloud/nats/tls.key`| +|`OC_INSECURE`
`NATS_TLS_SKIP_VERIFY_CLIENT_CERT`| 1.0.0 |bool|`Whether the NATS server should skip the client certificate verification during the TLS handshake.`|`false`| +|`OC_EVENTS_ENABLE_TLS`
`NATS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| diff --git a/static/env-vars/nats_readme.md b/static/env-vars/nats_readme.md index 7f221350..ae9d050b 100755 --- a/static/env-vars/nats_readme.md +++ b/static/env-vars/nats_readme.md @@ -1,6 +1,6 @@ --- title: Nats -date: 2025-05-22T16:21:16.119601417+02:00 +date: 2025-11-13T17:22:55.095558+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/nats @@ -24,7 +24,6 @@ Services can `Publish` events to the nats service and nats will store these even * [Default Registry](#default-registry) * [Persistance](#persistance) * [TLS Encryption](#tls-encryption) -* [Example Yaml Config](#example-yaml-config) ## Underlying Technology @@ -45,3 +44,4 @@ Connections to the nats service (`Publisher`/`Consumer` see above) can be TLS en Certificate files can also be set via global variables starting with `OC_`, for details see the environment variable list. Note that using TLS is highly recommended for productive environments, especially when using container orchestration with Kubernetes. + diff --git a/static/env-vars/notifications.yaml b/static/env-vars/notifications.yaml new file mode 100644 index 00000000..e1e98487 --- /dev/null +++ b/static/env-vars/notifications.yaml 
@@ -0,0 +1,57 @@ +# Autogenerated +# Filename: notifications.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9174 + token: "" + pprof: false + zpages: false +opencloud_url: https://localhost:9200 +notifications: + SMTP: + smtp_host: "" + smtp_port: 0 + smtp_sender: "" + smtp_username: "" + smtp_password: "" + insecure: false + smtp_authentication: "" + smtp_encryption: none + events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + email_template_path: "" + translation_path: "" + default_language: "" + reva_gateway: eu.opencloud.api.gateway + grpc_client_tls: null +grpc_client_tls: + mode: "" + cacert: "" +service_account: + service_account_id: "" + service_account_secret: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: notifications + table: "" + ttl: 336h0m0s + username: "" + password: "" diff --git a/static/env-vars/notifications_configvars.md b/static/env-vars/notifications_configvars.md index 2acc737c..63ec4501 100644 --- a/static/env-vars/notifications_configvars.md +++ b/static/env-vars/notifications_configvars.md @@ -1,47 +1,47 @@ Environment variables for the **notifications** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`NOTIFICATIONS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`NOTIFICATIONS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`NOTIFICATIONS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`NOTIFICATIONS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`NOTIFICATIONS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`NOTIFICATIONS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`NOTIFICATIONS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`NOTIFICATIONS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`NOTIFICATIONS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9174| -|`NOTIFICATIONS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`NOTIFICATIONS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`NOTIFICATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_URL`
`NOTIFICATIONS_WEB_UI_URL`| 1.0.0 |string|The public facing URL of the OpenCloud Web UI, used e.g. when sending notification eMails|https://localhost:9200| -|`NOTIFICATIONS_SMTP_HOST`| 1.0.0 |string|SMTP host to connect to.|| -|`NOTIFICATIONS_SMTP_PORT`| 1.0.0 |int|Port of the SMTP host to connect to.|0| -| `NOTIFICATIONS_SMTP_SENDER` | 1.0.0 | string | Sender address of emails that will be sent (e.g. 'OpenCloud <noreply@example.com>'). | | -|`NOTIFICATIONS_SMTP_USERNAME`| 1.0.0 |string|Username for the SMTP host to connect to.|| -|`NOTIFICATIONS_SMTP_PASSWORD`| 1.0.0 |string|Password for the SMTP host to connect to.|| -|`NOTIFICATIONS_SMTP_INSECURE`| 1.0.0 |bool|Allow insecure connections to the SMTP server.|false| -|`NOTIFICATIONS_SMTP_AUTHENTICATION`| 1.0.0 |string|Authentication method for the SMTP communication. Possible values are 'login', 'plain', 'crammd5', 'none' or 'auto'. If set to 'auto' or unset, the authentication method is automatically negotiated with the server.|| -|`NOTIFICATIONS_SMTP_ENCRYPTION`| 1.0.0 |string|Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'.|none| -|`OC_EVENTS_ENDPOINT`
`NOTIFICATIONS_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`NOTIFICATIONS_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`NOTIFICATIONS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`NOTIFICATIONS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`NOTIFICATIONS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`NOTIFICATIONS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EMAIL_TEMPLATE_PATH`
`NOTIFICATIONS_EMAIL_TEMPLATE_PATH`| 1.0.0 |string|Path to Email notification templates overriding embedded ones.|| -|`OC_TRANSLATION_PATH`
`NOTIFICATIONS_TRANSLATION_PATH`| 1.0.0 |string|(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.|| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|CS3 gateway used to look up user metadata|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OC_SERVICE_ACCOUNT_ID`
`NOTIFICATIONS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`NOTIFICATIONS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| -|`OC_PERSISTENT_STORE`
`NOTIFICATIONS_STORE`| 1.0.0 |string|The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.|nats-js-kv| -|`OC_PERSISTENT_STORE_NODES`
`NOTIFICATIONS_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`NOTIFICATIONS_STORE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|notifications| -|`NOTIFICATIONS_STORE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_PERSISTENT_STORE_TTL`
`NOTIFICATIONS_STORE_TTL`| 1.0.0 |Duration|Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.|336h0m0s| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`NOTIFICATIONS_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`NOTIFICATIONS_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`NOTIFICATIONS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`NOTIFICATIONS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`NOTIFICATIONS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`NOTIFICATIONS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`NOTIFICATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`NOTIFICATIONS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`NOTIFICATIONS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`NOTIFICATIONS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`NOTIFICATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9174`| +|`NOTIFICATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`NOTIFICATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`NOTIFICATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_URL`
`NOTIFICATIONS_WEB_UI_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud Web UI, used e.g. when sending notification eMails`|`https://localhost:9200`| +|`NOTIFICATIONS_SMTP_HOST`| 1.0.0 |string|`SMTP host to connect to.`|``| +|`NOTIFICATIONS_SMTP_PORT`| 1.0.0 |int|`Port of the SMTP host to connect to.`|`0`| +|`NOTIFICATIONS_SMTP_SENDER`| 1.0.0 |string|`Sender address of emails that will be sent (e.g. 'OpenCloud '.`|``| +|`NOTIFICATIONS_SMTP_USERNAME`| 1.0.0 |string|`Username for the SMTP host to connect to.`|``| +|`NOTIFICATIONS_SMTP_PASSWORD`| 1.0.0 |string|`Password for the SMTP host to connect to.`|``| +|`NOTIFICATIONS_SMTP_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the SMTP server.`|`false`| +|`NOTIFICATIONS_SMTP_AUTHENTICATION`| 1.0.0 |string|`Authentication method for the SMTP communication. Possible values are 'login', 'plain', 'crammd5', 'none' or 'auto'. If set to 'auto' or unset, the authentication method is automatically negotiated with the server.`|``| +|`NOTIFICATIONS_SMTP_ENCRYPTION`| 1.0.0 |string|`Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'.`|`none`| +|`OC_EVENTS_ENDPOINT`
`NOTIFICATIONS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`NOTIFICATIONS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`NOTIFICATIONS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`NOTIFICATIONS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`NOTIFICATIONS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`NOTIFICATIONS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EMAIL_TEMPLATE_PATH`
`NOTIFICATIONS_EMAIL_TEMPLATE_PATH`| 1.0.0 |string|`Path to Email notification templates overriding embedded ones.`|``| +|`OC_TRANSLATION_PATH`
`NOTIFICATIONS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`NOTIFICATIONS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`NOTIFICATIONS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_PERSISTENT_STORE`
`NOTIFICATIONS_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`NOTIFICATIONS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`NOTIFICATIONS_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`notifications`| +|`NOTIFICATIONS_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`NOTIFICATIONS_STORE_TTL`| 1.0.0 |Duration|`Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`NOTIFICATIONS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`NOTIFICATIONS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| diff --git a/static/env-vars/notifications_readme.md b/static/env-vars/notifications_readme.md index 70b2ce54..c0eb0743 100755 --- a/static/env-vars/notifications_readme.md +++ b/static/env-vars/notifications_readme.md @@ -1,6 +1,6 @@ --- title: Notification -date: 2025-05-22T16:21:16.119647113+02:00 +date: 2025-11-13T17:22:55.095635+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/notifications @@ -25,7 +25,6 @@ The notification service is responsible for sending emails to users informing th * [Translations](#translations) * [Translation Rules](#translation-rules) * [Default Language](#default-language) -* [Example Yaml Config](#example-yaml-config) ## Email Notification Templates @@ -128,3 +127,4 @@ which is the source of the texts provided by the code. ## Default Language The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description. + diff --git a/static/env-vars/ocdav.yaml b/static/env-vars/ocdav.yaml new file mode 100644 index 00000000..0e57a2a2 --- /dev/null +++ b/static/env-vars/ocdav.yaml 
@@ -0,0 +1,81 @@ +# Autogenerated +# Filename: ocdav.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9163 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9350 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +webdav_namespace: /users/{{.Id.OpaqueId}} +files_namespace: /users/{{.Id.OpaqueId}} +shares_namespace: /Shares +ocm_namespace: /public +public_url: https://localhost:9200 +insecure: false +gateway_request_timeout: 84300 +machine_auth_api_key: "" +allow_propfind_depth_infinity: false diff --git a/static/env-vars/ocdav_configvars.md b/static/env-vars/ocdav_configvars.md index 68d065a2..b63591e4 100644 --- a/static/env-vars/ocdav_configvars.md +++ b/static/env-vars/ocdav_configvars.md @@ -1,38 +1,38 @@ Environment variables for the **ocdav** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`OCDAV_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`OCDAV_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`OCDAV_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`OCDAV_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`OCDAV_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`OCDAV_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`OCDAV_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`OCDAV_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`OCDAV_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9163| -|`OCDAV_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`OCDAV_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`OCDAV_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OCDAV_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9350| -|`OCDAV_HTTP_PROTOCOL`| 1.0.0 |string|The transport protocol of the HTTP service.|tcp| -|`OCDAV_HTTP_PREFIX`| 1.0.0 |string|A URL path prefix for the handler.|| -|`OC_CORS_ALLOW_ORIGINS`
`OCDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[https://localhost:9200]| -|`OC_CORS_ALLOW_METHODS`
`OCDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| -|`OC_CORS_ALLOW_HEADERS`
`OCDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]| -|`OC_CORS_ALLOW_CREDENTIALS`
`OCDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|false| -|`OC_JWT_SECRET`
`OCDAV_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OCDAV_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`OCDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|Jail requests to /dav/webdav into this CS3 namespace. Supports template layouting with CS3 User properties.|/users/{{.Id.OpaqueId}}| -|`OCDAV_FILES_NAMESPACE`| 1.0.0 |string|Jail requests to /dav/files/{username} into this CS3 namespace. Supports template layouting with CS3 User properties.|/users/{{.Id.OpaqueId}}| -|`OCDAV_SHARES_NAMESPACE`| 1.0.0 |string|The human readable path for the share jail. Relative to a users personal space root. Upcased intentionally.|/Shares| -|`OCDAV_OCM_NAMESPACE`| 1.0.0 |string|The human readable path prefix for the ocm shares.|/public| -|`OC_URL`
`OCDAV_PUBLIC_URL`| 1.0.0 |string|URL where OpenCloud is reachable for users.|https://localhost:9200| -|`OC_INSECURE`
`OCDAV_INSECURE`| 1.0.0 |bool|Allow insecure connections to the GATEWAY service.|false| -|`OCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.|84300| -|`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|Machine auth API key used to validate internal requests necessary for the access to resources from other services.|| -|`OC_EDITION`
`OCDAV_EDITION`| 1.0.0 |string|Edition of OpenCloud. Used for branding purposes.|| -|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.|false| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`OCDAV_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`OCDAV_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`OCDAV_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`OCDAV_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`OCDAV_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`OCDAV_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`OCDAV_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`OCDAV_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`OCDAV_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9163`| +|`OCDAV_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`OCDAV_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`OCDAV_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OCDAV_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9350`| +|`OCDAV_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`OCDAV_HTTP_PREFIX`| 1.0.0 |string|`A URL path prefix for the handler.`|``| +|`OC_CORS_ALLOW_ORIGINS`
`OCDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`OCDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| +|`OC_CORS_ALLOW_HEADERS`
`OCDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_JWT_SECRET`
`OCDAV_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OCDAV_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`OCDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/webdav into this CS3 namespace. Supports template layouting with CS3 User properties.`|`/users/{{.Id.OpaqueId}}`| +|`OCDAV_FILES_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/files/{username} into this CS3 namespace. Supports template layouting with CS3 User properties.`|`/users/{{.Id.OpaqueId}}`| +|`OCDAV_SHARES_NAMESPACE`| 1.0.0 |string|`The human readable path for the share jail. Relative to a users personal space root. Upcased intentionally.`|`/Shares`| +|`OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|`/public`| +|`OC_URL`
`OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|`https://localhost:9200`| +|`OC_INSECURE`
`OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|`false`| +|`OCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`| +|`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| +|`OC_EDITION`
`OCDAV_EDITION`| 1.0.0 |string|`Edition of OpenCloud. Used for branding purposes.`|``| +|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`| diff --git a/static/env-vars/ocdav_readme.md b/static/env-vars/ocdav_readme.md index 194d2ea1..37f85d0d 100755 --- a/static/env-vars/ocdav_readme.md +++ b/static/env-vars/ocdav_readme.md @@ -1,6 +1,6 @@ --- title: ocDAV -date: 2025-05-22T16:21:16.119699251+02:00 +date: 2025-11-13T17:22:55.09574+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/ocdav @@ -13,9 +13,9 @@ geekdocCollapseSection: true ## Abstract -The ocdav service provides the WebDAV API which is required by OpenCloud clients. Previews (thumbnails) are provided by the [WebDAV service](../webdav/Webdav-info). +The ocdav service provides the WebDAV API which is required by OpenCloud clients. Previews (thumbnails) are provided by the [WebDAV service](../webdav). ## Table of Contents -* [Example Yaml Config](./ocdav-envvars) + diff --git a/static/env-vars/ocm-config-example.yaml b/static/env-vars/ocm-config-example.yaml index a633511a..f0deeb82 100644 --- a/static/env-vars/ocm-config-example.yaml +++ b/static/env-vars/ocm-config-example.yaml 
@@ -90,27 +90,27 @@ ocm_invite_manager: driver: json drivers: json: - file: /home/chaser/.opencloud/storage/ocm/ocminvites.json + file: /Users/t.schweiger/.opencloud/storage/ocm/ocminvites.json token_expiration: 24h0m0s timeout: 30s insecure: false ocm_provider_authorizer_driver: json ocm_provider_authorizer_drivers: json: - providers: /home/chaser/.opencloud/config/ocmproviders.json + providers: /Users/t.schweiger/.opencloud/config/ocmproviders.json ocm_share_provider: driver: json drivers: json: - file: /home/chaser/.opencloud/storage/ocm/ocmshares.json + file: /Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json insecure: false webapp_template: "" ocm_core: driver: json drivers: json: - file: /home/chaser/.opencloud/storage/ocm/ocmshares.json + file: /Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json ocm_storage_provider: insecure: false - storage_root: /home/chaser/.opencloud/storage/ocm + storage_root: /Users/t.schweiger/.opencloud/storage/ocm data_server_url: http://localhost:9280/data diff --git a/static/env-vars/ocm.yaml b/static/env-vars/ocm.yaml new file mode 100644 index 00000000..72e2bd20 --- /dev/null +++ b/static/env-vars/ocm.yaml 
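Review bot: The five replaced `file:`, `providers:` and `storage_root:` values still embed a developer's home directory, now `/Users/t.schweiger/.opencloud/...` instead of `/home/chaser/.opencloud/...`, so the hunk swaps one machine-specific path for another in a shipped example config rather than removing it; the new `ocm.yaml` hunk that follows carries the same paths. The ocm_configvars.md table on this page documents the intended defaults as deriving from `$OC_BASE_DATA_PATH/storage/ocm` and `$OC_CONFIG_DIR/ocmproviders.json`, so the generator appears to have been run with those resolved from the maintainer's environment. An operator who copies this example verbatim points invite, share and storage state at a directory that does not exist on their host, and the file also discloses the maintainer's local account name. I would have the generator run with `OC_BASE_DATA_PATH` and `OC_CONFIG_DIR` set to neutral values, or post-process the output, so the example reads e.g. `file: <OC_BASE_DATA_PATH>/storage/ocm/ocminvites.json` and `providers: <OC_CONFIG_DIR>/ocmproviders.json` (placeholders to be substituted, not literal values).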
@@ -0,0 +1,116 @@ +# Autogenerated +# Filename: ocm.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9281 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9280 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +middleware: + auth: + credentials_by_user_agent: {} +grpc: + addr: 127.0.0.1:9282 + tls: null + protocol: "" +grpc_client_tls: null +service_account: + service_account_id: "" + service_account_secret: "" +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +ocmd: + prefix: ocm + expose_recipient_display_name: false +sciencemesh: + prefix: sciencemesh + science_mesh_directory_url: "" +ocm_invite_manager: + driver: json + drivers: + json: + file: /Users/t.schweiger/.opencloud/storage/ocm/ocminvites.json + token_expiration: 24h0m0s + timeout: 30s + insecure: false +ocm_provider_authorizer_driver: json +ocm_provider_authorizer_drivers: + json: + providers: /Users/t.schweiger/.opencloud/config/ocmproviders.json +ocm_share_provider: + driver: json + drivers: + json: + file: /Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json + insecure: false + webapp_template: "" +ocm_core: + driver: json + drivers: + json: + file: 
/Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json +ocm_storage_provider: + insecure: false + storage_root: /Users/t.schweiger/.opencloud/storage/ocm + data_server_url: http://localhost:9280/data diff --git a/static/env-vars/ocm_configvars.md b/static/env-vars/ocm_configvars.md index c3ccbccd..4393392f 100644 --- a/static/env-vars/ocm_configvars.md +++ b/static/env-vars/ocm_configvars.md @@ -1,58 +1,58 @@ Environment variables for the **ocm** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`OCM_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`OCM_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`OCM_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`OCM_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`OCM_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`OCM_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`OCM_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`OCM_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`OCM_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9281| -|`OCM_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`OCM_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`OCM_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OCM_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9280| -|`OCM_HTTP_PROTOCOL`| 1.0.0 |string|The transport protocol of the HTTP service.|tcp| -|`OCM_HTTP_PREFIX`| 1.0.0 |string|The path prefix where OCM can be accessed (defaults to /).|| -|`OC_CORS_ALLOW_ORIGINS`
`OCM_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[https://localhost:9200]| -|`OC_CORS_ALLOW_METHODS`
`OCM_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| -|`OC_CORS_ALLOW_HEADERS`
`OCM_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]| -|`OC_CORS_ALLOW_CREDENTIALS`
`OCM_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|false| -|`OCM_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9282| -|`OC_GRPC_PROTOCOL`
`OCM_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|| -|`OC_SERVICE_ACCOUNT_ID`
`OCM_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`OCM_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| -|`OC_EVENTS_ENDPOINT`
`OCM_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`OCM_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`OCM_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCM_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided OCM_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`OCM_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`OCM_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`OCM_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_JWT_SECRET`
`OCM_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OCM_OCMD_PREFIX`| 1.0.0 |string|URL path prefix for the OCMD service. Note that the string must not start with '/'.|ocm| -|`OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME`| 1.0.0 |bool|Expose the display name of OCM share recipients.|false| -|`OCM_SCIENCEMESH_PREFIX`| 1.0.0 |string|URL path prefix for the ScienceMesh service. Note that the string must not start with '/'.|sciencemesh| -|`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|URL of the mesh directory service.|| -|`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|Driver to be used to persist OCM invites. Supported value is only 'json'.|json| -|`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.|/home/chaser/.opencloud/storage/ocm/ocminvites.json| -|`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|Expiry duration for invite tokens.|24h0m0s| -|`OCM_OCM_INVITE_MANAGER_TIMEOUT`| 1.0.0 |Duration|Timeout specifies a time limit for requests made to OCM endpoints.|30s| -|`OCM_OCM_INVITE_MANAGER_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the OCM connections. Do not set this in production environments.|false| -|`SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER`| 1.0.0 |string|Driver to be used to persist ocm invites. Supported value is only 'json'.|json| -|`OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE`| 1.0.0 |string|Path to the JSON file where ocm invite data will be stored. Defaults to $OC_CONFIG_DIR/ocmproviders.json.|/home/chaser/.opencloud/config/ocmproviders.json| -|`OCM_OCM_SHARE_PROVIDER_DRIVER`| 1.0.0 |string|Driver to be used for the OCM share provider. Supported value is only 'json'.|json| -|`OCM_OCM_SHAREPROVIDER_JSON_FILE`| 1.0.0 |string|Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.|/home/chaser/.opencloud/storage/ocm/ocmshares.json| -|`OCM_OCM_SHARE_PROVIDER_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the OCM connections. Do not set this in production environments.|false| -|`OCM_WEBAPP_TEMPLATE`| 1.0.0 |string|Template for the webapp url.|| -|`OCM_OCM_CORE_DRIVER`| 1.0.0 |string|Driver to be used for the OCM core. Supported value is only 'json'.|json| -|`OCM_OCM_CORE_JSON_FILE`| 1.0.0 |string|Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.|/home/chaser/.opencloud/storage/ocm/ocmshares.json| -|`OCM_OCM_STORAGE_PROVIDER_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the OCM connections. 
Do not set this in production environments.|false| -|`OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT`| 1.0.0 |string|Directory where the ocm storage provider persists its data like tus upload info files.|/home/chaser/.opencloud/storage/ocm| -|`OCM_OCM_STORAGE_DATA_SERVER_URL`| 1.0.0 |string|URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.|http://localhost:9280/data| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`OCM_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`OCM_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`OCM_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`OCM_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`OCM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`OCM_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`OCM_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`OCM_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`OCM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9281`| +|`OCM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`OCM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`OCM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OCM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9280`| +|`OCM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`OCM_HTTP_PREFIX`| 1.0.0 |string|`The path prefix where OCM can be accessed (defaults to /).`|``| +|`OC_CORS_ALLOW_ORIGINS`
`OCM_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`OCM_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| +|`OC_CORS_ALLOW_HEADERS`
`OCM_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCM_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OCM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9282`| +|`OC_GRPC_PROTOCOL`
`OCM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`OCM_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`OCM_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_EVENTS_ENDPOINT`
`OCM_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`OCM_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OCM_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCM_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided OCM_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`OCM_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`OCM_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`OCM_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_JWT_SECRET`
`OCM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OCM_OCMD_PREFIX`| 1.0.0 |string|`URL path prefix for the OCMD service. Note that the string must not start with '/'.`|`ocm`| +|`OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME`| 1.0.0 |bool|`Expose the display name of OCM share recipients.`|`false`| +|`OCM_SCIENCEMESH_PREFIX`| 1.0.0 |string|`URL path prefix for the ScienceMesh service. Note that the string must not start with '/'.`|`sciencemesh`| +|`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|`URL of the mesh directory service.`|``| +|`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|`Driver to be used to persist OCM invites. Supported value is only 'json'.`|`json`| +|`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.`|`/Users/t.schweiger/.opencloud/storage/ocm/ocminvites.json`| +|`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|`Expiry duration for invite tokens.`|`24h0m0s`| +|`OCM_OCM_INVITE_MANAGER_TIMEOUT`| 1.0.0 |Duration|`Timeout specifies a time limit for requests made to OCM endpoints.`|`30s`| +|`OCM_OCM_INVITE_MANAGER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|`false`| +|`SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER`| 1.0.0 |string|`Driver to be used to persist ocm invites. Supported value is only 'json'.`|`json`| +|`OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE`| 1.0.0 |string|`Path to the JSON file where ocm invite data will be stored. Defaults to $OC_CONFIG_DIR/ocmproviders.json.`|`/Users/t.schweiger/.opencloud/config/ocmproviders.json`| +|`OCM_OCM_SHARE_PROVIDER_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM share provider. Supported value is only 'json'.`|`json`| +|`OCM_OCM_SHAREPROVIDER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json`| +|`OCM_OCM_SHARE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|`false`| +|`OCM_WEBAPP_TEMPLATE`| 1.0.0 |string|`Template for the webapp url.`|``| +|`OCM_OCM_CORE_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM core. Supported value is only 'json'.`|`json`| +|`OCM_OCM_CORE_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json`| +|`OCM_OCM_STORAGE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|`false`| +|`OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT`| 1.0.0 |string|`Directory where the ocm storage provider persists its data like tus upload info files.`|`/Users/t.schweiger/.opencloud/storage/ocm`| +|`OCM_OCM_STORAGE_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|`http://localhost:9280/data`| diff --git a/static/env-vars/ocm_readme.md b/static/env-vars/ocm_readme.md index 6aa08bcb..6b1cf2d0 100755 --- a/static/env-vars/ocm_readme.md +++ b/static/env-vars/ocm_readme.md @@ -1,6 +1,6 @@ --- title: OCM -date: 2025-05-22T16:21:16.119743324+02:00 +date: 2025-11-13T17:22:55.095814+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/ocm @@ -33,7 +33,6 @@ Internal GRPC APIs: * [Trust Between Instances](#trust-between-instances) * [Invitation Workflow](#invitation-workflow) * [Creating Shares](#creating-shares) -* [Example Yaml Config](#example-yaml-config) ## Enable OCM @@ -127,9 +126,8 @@ When all instances of a federation should trust each other, an `ocmproviders.jso ] ``` -:::info +::: info Note: the `domain` must not contain the protocol as it has to match the [GOCDB site object domain](https://developer.sciencemesh.io/docs/technical-documentation/central-database/#site-object). -::: The above federation consists of two instances: `cloud1.opencloud.test` and `cloud2.opencloud.test` that can use the Invitation workflow described below to generate, send and accept invitations. 
@@ -137,18 +135,18 @@ The above federation consists of two instances: `cloud1.opencloud.test` and `clo Before sharing a resource with a remote user this user has to be invited by the sharer. -In order to do so a POST request is sent to the `generate-invite` endpoint of the sciencemesh API. The generated token is passed on to the receiver, who will then use the `accept-invite` endpoint to accept the invitation. As a result remote users will be added to the `ocminvitemanager` on both sides. See [invitation flow](#invitation-workflow) for the according sequence diagram. +In order to do so a POST request is sent to the `generate-invite` endpoint of the sciencemesh API. The generated token is passed on to the receiver, who will then use the `accept-invite` endpoint to accept the invitation. As a result remote users will be added to the `ocminvitemanager` on both sides. See [invitation flow](invitation_flow) for the according sequence diagram. The data backend of the `ocminvitemanager` is configurable. The only supported backend currently is `json` which stores the data in a json file on disk. ## Creating Shares -:::info +::: info The below info is outdated as we allow creating federated shares using the graph API. Clients can now discover the available sharing roles and invite federated users using the graph API. -::: OCM Shares are currently created using the ocs API, just like regular shares. The difference is the share type, which is 6 (ShareTypeFederatedCloudShare) in this case, and a few additional parameters required for identifying the remote user. -See [Create share flow](#creating-shares) for the according sequence diagram. +See [Create share flow](create_share_flow) for the according sequence diagram. The data backends of the `ocmshareprovider` and `ocmcore` services are configurable. The only supported backend currently is `json` which stores the data in a json file on disk. + 
diff --git a/static/env-vars/ocs.yaml b/static/env-vars/ocs.yaml new file mode 100644 index 00000000..93a9e6fd --- /dev/null +++ b/static/env-vars/ocs.yaml @@ -0,0 +1,54 @@ +# Autogenerated +# Filename: ocs.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9114 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9110 + root: /ocs + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +signing_keys: + store: nats-js-kv + addresses: + - 127.0.0.1:9233 + ttl: 12h0m0s + username: "" + password: "" +token_manager: + jwt_secret: "" diff --git a/static/env-vars/ocs_configvars.md b/static/env-vars/ocs_configvars.md index 80824d79..fef90b8e 100644 --- a/static/env-vars/ocs_configvars.md +++ b/static/env-vars/ocs_configvars.md @@ -1,31 +1,31 @@ Environment variables for the **ocs** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`OCS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`OCS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`OCS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`OCS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`OCS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`OCS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`OCS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`OCS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`OCS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9114| -|`OCS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`OCS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`OCS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OCS_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9110| -|`OCS_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/ocs| -|`OC_CORS_ALLOW_ORIGINS`
`OCS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`OCS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET POST PUT PATCH DELETE OPTIONS]| -|`OC_CORS_ALLOW_HEADERS`
`OCS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]| -|`OC_CORS_ALLOW_CREDENTIALS`
`OCS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`OC_CACHE_STORE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details.|nats-js-kv| -|`OC_CACHE_STORE_NODES`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_TTL`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|Default time to live for signing keys. See the Environment Variable Types description for more details.|12h0m0s| -|`OC_CACHE_AUTH_USERNAME`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_JWT_SECRET`
`OCS_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`OCS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`OCS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`OCS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`OCS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`OCS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`OCS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`OCS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`OCS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`OCS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9114`| +|`OCS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`OCS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`OCS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OCS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9110`| +|`OCS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/ocs`| +|`OC_CORS_ALLOW_ORIGINS`
`OCS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`OCS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`OCS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_CACHE_STORE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details.`|`nats-js-kv`| +|`OC_CACHE_STORE_NODES`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_TTL`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`12h0m0s`| +|`OC_CACHE_AUTH_USERNAME`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_JWT_SECRET`
`OCS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| diff --git a/static/env-vars/ocs_readme.md b/static/env-vars/ocs_readme.md index 61bbbf99..ba807715 100755 --- a/static/env-vars/ocs_readme.md +++ b/static/env-vars/ocs_readme.md @@ -1,6 +1,6 @@ --- title: OCS Service -date: 2025-05-22T16:21:16.119792667+02:00 +date: 2025-11-13T17:22:55.095897+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/ocs @@ -20,7 +20,6 @@ The `ocs` service (open collaboration services) serves one purpose: it has an en * [Signing-Keys Endpoint](#signing-keys-endpoint) * [Signing-Keys Store](#signing-keys-store) -* [Example Yaml Config](#example-yaml-config) ## Signing-Keys Endpoint @@ -42,3 +41,4 @@ Store specific notes: - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. - When using `nats-js-kv` it is recommended to set `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to the same value as `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`. That way the proxy uses the same nats instance as the ocs service. - When using `opencloudstoreservice` the `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` must be set to the service name `eu.opencloud.api.store`. It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started. + diff --git a/static/env-vars/policies.yaml b/static/env-vars/policies.yaml new file mode 100644 index 00000000..2da88c7c --- /dev/null +++ b/static/env-vars/policies.yaml 
@@ -0,0 +1,36 @@ +# Autogenerated +# Filename: policies.yaml + +grpc: + addr: 127.0.0.1:9125 + tls: null +debug: + addr: 127.0.0.1:9129 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +grpc_client_tls: null +log: + level: "" + pretty: false + color: false + file: "" +engine: + timeout: 10s + policies: [] + mimes: "" +postprocessing: + query: "" +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" diff --git a/static/env-vars/policies_configvars.md b/static/env-vars/policies_configvars.md index f7c9767c..3255645b 100644 --- a/static/env-vars/policies_configvars.md +++ b/static/env-vars/policies_configvars.md @@ -1,27 +1,27 @@ Environment variables for the **policies** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`POLICIES_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9125| -|`POLICIES_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9129| -|`POLICIES_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`POLICIES_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`POLICIES_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_EVENTS_ENDPOINT`
`POLICIES_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`POLICIES_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`POLICIES_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether the server should skip the client certificate verification during the TLS handshake.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`POLICIES_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`POLICIES_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`POLICIES_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_LOG_LEVEL`
`POLICIES_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`POLICIES_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`POLICIES_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`POLICIES_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`POLICIES_ENGINE_TIMEOUT`| 1.0.0 |Duration|Sets the timeout the rego expression evaluation can take. Rules default to deny if the timeout was reached. See the Environment Variable Types description for more details.|10s| -|`POLICIES_ENGINE_MIMES`| 1.0.0 |string|Sets the mimes file path which maps mimetypes to associated file extensions. See the text description for details.|| -|`POLICIES_POSTPROCESSING_QUERY`| 1.0.0 |string|Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Defaults to deny if the variable was not found.|| -|`OC_TRACING_ENABLED`
`POLICIES_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`POLICIES_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`POLICIES_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`POLICIES_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| \ No newline at end of file +|---|---|---|---|:---| +|`POLICIES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9125`| +|`POLICIES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9129`| +|`POLICIES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`POLICIES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`POLICIES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_EVENTS_ENDPOINT`
`POLICIES_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`POLICIES_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`POLICIES_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the server should skip the client certificate verification during the TLS handshake.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`POLICIES_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`POLICIES_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`POLICIES_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_LOG_LEVEL`
`POLICIES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`POLICIES_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`POLICIES_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`POLICIES_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`POLICIES_ENGINE_TIMEOUT`| 1.0.0 |Duration|`Sets the timeout the rego expression evaluation can take. Rules default to deny if the timeout was reached. See the Environment Variable Types description for more details.`|`10s`| +|`POLICIES_ENGINE_MIMES`| 1.0.0 |string|`Sets the mimes file path which maps mimetypes to associated file extensions. See the text description for details.`|``| +|`POLICIES_POSTPROCESSING_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Defaults to deny if the variable was not found.`|``| +|`OC_TRACING_ENABLED`
`POLICIES_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`POLICIES_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`POLICIES_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`POLICIES_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| diff --git a/static/env-vars/policies_readme.md b/static/env-vars/policies_readme.md index c14cdea4..62095de7 100755 --- a/static/env-vars/policies_readme.md +++ b/static/env-vars/policies_readme.md @@ -1,6 +1,6 @@ --- title: Policies -date: 2025-05-22T16:21:16.119843232+02:00 +date: 2025-11-13T17:22:55.095985+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/policies @@ -24,7 +24,7 @@ Policies are written in the [rego query language](https://www.openpolicyagent.or * [Modules](#modules) * [gRPC API](#grpc-api) * [Proxy Middleware](#proxy-middleware) - * [Event Service (Postprocessing)](#event-service-postprocessing) + * [Event Service (Postprocessing)](#event-service-(postprocessing)) * [Defining Policies to Evaluate](#defining-policies-to-evaluate) * [Setting the Query Configuration](#setting-the-query-configuration) * [Proxy](#proxy) @@ -32,7 +32,6 @@ Policies are written in the [rego query language](https://www.openpolicyagent.or * [Rego Key Match](#rego-key-match) * [Extend Mimetype File Extension Mapping](#extend-mimetype-file-extension-mapping) * [Example Policies](#example-policies) -* [Example Yaml Config](#example-yaml-config) ## General Information @@ -138,7 +137,7 @@ proxy: The same can be achieved by setting the following environment variable: -```bash +```shell export PROXY_POLICIES_QUERY=data.proxy.granted ``` 
@@ -152,13 +151,13 @@ policies:
 The same can be achieved by setting the following environment variable:
-```bash
+```shell
 export POLICIES_POSTPROCESSING_QUERY=data.postprocessing.granted
 ```
 As soon as that query is configured, the postprocessing service must be informed to use the policies step by setting the environment variable:
-```bash
+```shell
 export POSTPROCESSING_STEPS=policies
 ```
@@ -180,7 +179,7 @@ Note that existing mappings from the host are extended by the definitions from t
 The path to that file can be provided via a yaml configuration or an environment variable. Note to replace the `OC_CONFIG_DIR` string by an existing path.
-```bash
+```shell
 export POLICIES_ENGINE_MIMES=OC_CONFIG_DIR/mime.types
 ```
@@ -195,3 +194,4 @@ A good example of how such a file should be formatted can be found in the [Apach
 ## Example Policies
 The policies service contains a set of preconfigured example policies. See the [deployment examples](https://github.com/opencloud-eu/opencloud/tree/main/deployments/examples) directory for details. The contained policies disallow OpenCloud to create certain file types, both via the proxy middleware and the events service via postprocessing.
+
diff --git a/static/env-vars/postprocessing-config-example.yaml b/static/env-vars/postprocessing-config-example.yaml
index fb33d857..cf59105f 100644
--- a/static/env-vars/postprocessing-config-example.yaml
+++ b/static/env-vars/postprocessing-config-example.yaml
@@ -34,6 +34,8 @@ postprocessing:
 enable_tls: false
 username: ""
 password: ""
+ max_ack_pending: 10000
+ ack_wait: 1m0s
 workers: 3
 steps: []
 delayprocessing: 0s
diff --git a/static/env-vars/postprocessing.yaml b/static/env-vars/postprocessing.yaml
new file mode 100644
index 00000000..d065c261
--- /dev/null
+++ b/static/env-vars/postprocessing.yaml
@@ -0,0 +1,43 @@
+# Autogenerated
+# Filename: postprocessing.yaml
+
+tracing:
+ enabled: false
+ type: ""
+ endpoint: ""
+ collector: ""
+log:
+ level: ""
+ pretty: false
+ color: false
+ file: ""
+debug:
+ addr: 127.0.0.1:9255
+ token: ""
+ pprof: false
+ zpages: false
+store:
+ store: nats-js-kv
+ nodes:
+ - 127.0.0.1:9233
+ database: postprocessing
+ table: ""
+ ttl: 0s
+ username: ""
+ password: ""
+postprocessing:
+ events:
+ endpoint: 127.0.0.1:9233
+ cluster: opencloud-cluster
+ tls_insecure: false
+ tls_root_ca_certificate: ""
+ enable_tls: false
+ username: ""
+ password: ""
+ max_ack_pending: 10000
+ ack_wait: 1m0s
+ workers: 3
+ steps: []
+ delayprocessing: 0s
+ retry_backoff_duration: 5s
+ max_retries: 14
diff --git a/static/env-vars/postprocessing_configvars.md b/static/env-vars/postprocessing_configvars.md
index ff20fa39..617fb8a1 100644
--- a/static/env-vars/postprocessing_configvars.md
+++ b/static/env-vars/postprocessing_configvars.md
@@ -1,35 +1,37 @@
 Environment variables for the **postprocessing** service
 | Name | Introduction Version | Type | Description | Default Value |
-|---|---|---|---|---|
-|`OC_TRACING_ENABLED`
`POSTPROCESSING_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`POSTPROCESSING_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`POSTPROCESSING_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`POSTPROCESSING_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`POSTPROCESSING_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`POSTPROCESSING_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`POSTPROCESSING_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`POSTPROCESSING_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`POSTPROCESSING_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9255| -|`POSTPROCESSING_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`POSTPROCESSING_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`POSTPROCESSING_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_PERSISTENT_STORE`
`POSTPROCESSING_STORE`| 1.0.0 |string|The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|nats-js-kv| -|`OC_PERSISTENT_STORE_NODES`
`POSTPROCESSING_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`POSTPROCESSING_STORE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|postprocessing| -|`POSTPROCESSING_STORE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_PERSISTENT_STORE_TTL`
`POSTPROCESSING_STORE_TTL`| 1.0.0 |Duration|Time to live for events in the store. See the Environment Variable Types description for more details.|0s| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`POSTPROCESSING_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`POSTPROCESSING_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_EVENTS_ENDPOINT`
`POSTPROCESSING_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`POSTPROCESSING_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`POSTPROCESSING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether the OpenCloud server should skip the client certificate verification during the TLS handshake.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`POSTPROCESSING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`POSTPROCESSING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`POSTPROCESSING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`POSTPROCESSING_WORKERS`| 1.0.0 |int|The number of concurrent go routines that fetch events from the event queue.|3| -|`POSTPROCESSING_STEPS`| 1.0.0 |[]string|A list of postprocessing steps processed in order of their appearance. Currently supported values by the system are: 'virusscan', 'policies' and 'delay'. Custom steps are allowed. See the documentation for instructions. See the Environment Variable Types description for more details.|[]| -|`POSTPROCESSING_DELAY`| 1.0.0 |Duration|After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. If a duration is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', the delay step will be processed as last step. In such a case, a log entry will be written on service startup to remind the admin about that situation. See the Environment Variable Types description for more details.|0s| -|`POSTPROCESSING_RETRY_BACKOFF_DURATION`| 1.0.0 |Duration|The base for the exponential backoff duration before retrying a failed postprocessing step. See the Environment Variable Types description for more details.|5s| -|`POSTPROCESSING_MAX_RETRIES`| 1.0.0 |int|The maximum number of retries for a failed postprocessing step.|14| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`POSTPROCESSING_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`POSTPROCESSING_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`POSTPROCESSING_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`POSTPROCESSING_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`POSTPROCESSING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`POSTPROCESSING_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`POSTPROCESSING_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`POSTPROCESSING_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`POSTPROCESSING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9255`| +|`POSTPROCESSING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`POSTPROCESSING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`POSTPROCESSING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_PERSISTENT_STORE`
`POSTPROCESSING_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`POSTPROCESSING_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`POSTPROCESSING_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`postprocessing`| +|`POSTPROCESSING_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`POSTPROCESSING_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`POSTPROCESSING_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`POSTPROCESSING_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_EVENTS_ENDPOINT`
`POSTPROCESSING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`POSTPROCESSING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`POSTPROCESSING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the OpenCloud server should skip the client certificate verification during the TLS handshake.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`POSTPROCESSING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`POSTPROCESSING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`POSTPROCESSING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`SEARCH_EVENTS_MAX_ACK_PENDING`| next |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|`10000`| +|`SEARCH_EVENTS_ACK_WAIT`| next |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|`1m0s`| +|`POSTPROCESSING_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|`3`| +|`POSTPROCESSING_STEPS`| 1.0.0 |[]string|`A list of postprocessing steps processed in order of their appearance. Currently supported values by the system are: 'virusscan', 'policies' and 'delay'. Custom steps are allowed. See the documentation for instructions. See the Environment Variable Types description for more details.`|`[]`| +|`POSTPROCESSING_DELAY`| 1.0.0 |Duration|`After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. If a duration is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', the delay step will be processed as last step. In such a case, a log entry will be written on service startup to remind the admin about that situation. See the Environment Variable Types description for more details.`|`0s`| +|`POSTPROCESSING_RETRY_BACKOFF_DURATION`| 1.0.0 |Duration|`The base for the exponential backoff duration before retrying a failed postprocessing step. See the Environment Variable Types description for more details.`|`5s`| +|`POSTPROCESSING_MAX_RETRIES`| 1.0.0 |int|`The maximum number of retries for a failed postprocessing step.`|`14`| 
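Review bot: The two new rows `SEARCH_EVENTS_MAX_ACK_PENDING` and `SEARCH_EVENTS_ACK_WAIT` carry a `SEARCH_` prefix in the postprocessing table, while every other service-specific variable here uses `POSTPROCESSING_` and the matching keys added to postprocessing-config-example.yaml in this patch are `postprocessing.events.max_ack_pending` and `ack_wait`. As documented, an operator would either set a name that may belong to the search service or guess a `POSTPROCESSING_`-prefixed name the service does not read and silently keep the defaults. If this table is generated from the config struct's env tags, the prefix should be corrected in the postprocessing configuration source rather than in this file; if the service really reads the `SEARCH_` names, the description should say so explicitly.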
diff --git a/static/env-vars/postprocessing_readme.md b/static/env-vars/postprocessing_readme.md
index 000c92d7..91fca265 100755
--- a/static/env-vars/postprocessing_readme.md
+++ b/static/env-vars/postprocessing_readme.md
@@ -1,6 +1,6 @@
 ---
 title: Postprocessing
-date: 2025-05-22T16:21:16.119909606+02:00
+date: 2025-11-13T17:22:55.096102+01:00
 weight: 20
 geekdocRepo: https://github.com/opencloud-eu/opencloud
 geekdocEditPath: edit/master/services/postprocessing
@@ -30,7 +30,7 @@ The `postprocessing` service handles the coordination of asynchronous postproces
 * [Workflow](#workflow)
 * [CLI Commands](#cli-commands)
 * [Resume Postprocessing](#resume-postprocessing)
-* [Example Yaml Config](#example-yaml-config)
+* [Metrics](#metrics)
 ## General Prerequisites
@@ -149,3 +149,18 @@ Depending if you want to restart/resume all or defined failed uploads, different
 opencloud postprocessing resume -s "finished" # Equivalent to the above
 opencloud postprocessing resume -s "virusscan" # Resume all uploads currently in virusscan step
 ```
+
+## Metrics
+
+The postprocessing service exposes the following prometheus metrics at `/metrics` (as configured using the `POSTPROCESSING_DEBUG_ADDR` env var):
+
+| Metric Name | Type | Description | Labels |
+| --- | --- | --- | --- |
+| `opencloud_postprocessing_build_info` | Gauge | Build information | `version` |
+| `opencloud_postprocessing_events_outstanding_acks` | Gauge | Number of outstanding acks for events | |
+| `opencloud_postprocessing_events_unprocessed` | Gauge | Number of unprocessed events | |
+| `opencloud_postprocessing_events_redelivered` | Gauge | Number of redelivered events | |
+| `opencloud_postprocessing_in_progress` | Gauge | Number of postprocessing events in progress | |
+| `opencloud_postprocessing_finished` | Counter | Number of finished postprocessing events | `status` |
+| `opencloud_postprocessing_duration_seconds` | Histogram | Duration of postprocessing operations in seconds | `status` |
+
diff --git a/static/env-vars/proxy-config-example.yaml b/static/env-vars/proxy-config-example.yaml
index 196906f7..50682b4a 100644
--- a/static/env-vars/proxy-config-example.yaml
+++ b/static/env-vars/proxy-config-example.yaml
@@ -19,8 +19,8 @@ debug:
 http:
 addr: 0.0.0.0:9200
 root: /
- tls_cert: /home/chaser/.opencloud/proxy/server.crt
- tls_key: /home/chaser/.opencloud/proxy/server.key
+ tls_cert: /Users/t.schweiger/.opencloud/proxy/server.crt
+ tls_key: /Users/t.schweiger/.opencloud/proxy/server.key
 tls: true
 reva:
 address: eu.opencloud.api.gateway
@@ -152,6 +152,10 @@ policies:
 - endpoint: /auth-app/tokens
 service: eu.opencloud.web.auth-app
 skip_x_access_token: false
+ - endpoint: /wopi
+ service: eu.opencloud.web.collaboration
+ unprotected: true
+ skip_x_access_token: true
 additional_policies: []
 oidc:
 issuer: https://localhost:9200
diff --git a/static/env-vars/proxy.yaml b/static/env-vars/proxy.yaml
new file mode 100644
index 00000000..674af780
--- /dev/null
+++ b/static/env-vars/proxy.yaml
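Review bot: The new `tls_cert` and `tls_key` values in the `http:` block replace one developer's home path (`/home/chaser/...`) with another (`/Users/t.schweiger/.opencloud/proxy/server.crt`), so the published example still carries a machine-specific path and a personal username; the same path is repeated in the new autogenerated proxy.yaml that follows. The PROXY_TRANSPORT_TLS_CERT row later in this patch states that the location derives from $OC_BASE_DATA_PATH/proxy when unset, so the example could point there instead, e.g. `tls_cert: <OC_BASE_DATA_PATH>/proxy/server.crt` (placeholder). If these files come from a generator run on a developer checkout, the generator should be run with a neutral base path so personal paths do not land in the docs.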
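Review bot: The added `/wopi` route is the only entry in this example that combines `unprotected: true` with `skip_x_access_token: true`, and the hunk gives no hint why the proxy should bypass its own session authentication for that path. Presumably the collaboration service authenticates WOPI requests itself using the WOPI access token, but that should be stated on the route so that nobody copies the pair of flags to another endpoint; a comment such as `# authenticated by the collaboration service (WOPI access token), not by the proxy session` would do, once that contract is confirmed against the collaboration service.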
@@ -0,0 +1,240 @@
+# Autogenerated
+# Filename: proxy.yaml
+
+tracing:
+ enabled: false
+ type: ""
+ endpoint: ""
+ collector: ""
+log:
+ level: ""
+ pretty: false
+ color: false
+ file: ""
+debug:
+ addr: 127.0.0.1:9205
+ token: ""
+ pprof: false
+ zpages: false
+http:
+ addr: 0.0.0.0:9200
+ root: /
+ tls_cert: /Users/t.schweiger/.opencloud/proxy/server.crt
+ tls_key: /Users/t.schweiger/.opencloud/proxy/server.key
+ tls: true
+reva:
+ address: eu.opencloud.api.gateway
+ tls:
+ mode: ""
+ cacert: ""
+grpc_client_tls: null
+role_quotas: {}
+policies:
+- name: default
+ routes:
+ - endpoint: /
+ service: eu.opencloud.web.web
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /.well-known/ocm
+ service: eu.opencloud.web.ocm
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /.well-known/webfinger
+ service: eu.opencloud.web.webfinger
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /.well-known/openid-configuration
+ service: eu.opencloud.web.idp
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /branding/logo
+ service: eu.opencloud.web.web
+ skip_x_access_token: false
+ - endpoint: /konnect/
+ service: eu.opencloud.web.idp
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /signin/
+ service: eu.opencloud.web.idp
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /archiver
+ service: eu.opencloud.web.frontend
+ skip_x_access_token: false
+ - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications/sse
+ service: eu.opencloud.sse.sse
+ skip_x_access_token: false
+ - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications
+ service: eu.opencloud.web.userlog
+ skip_x_access_token: false
+ - type: regex
+ endpoint: /ocs/v[12].php/cloud/user/signing-key
+ service: eu.opencloud.web.ocs
+ skip_x_access_token: false
+ - type: regex
+ endpoint: /ocs/v[12].php/config
+ service: eu.opencloud.web.frontend
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /sciencemesh/
+ service: 
eu.opencloud.web.ocm
+ skip_x_access_token: false
+ - endpoint: /ocm/
+ service: eu.opencloud.web.ocm
+ skip_x_access_token: false
+ - endpoint: /ocs/
+ service: eu.opencloud.web.frontend
+ skip_x_access_token: false
+ - type: query
+ endpoint: /remote.php/?preview=1
+ service: eu.opencloud.web.webdav
+ skip_x_access_token: false
+ - type: regex
+ method: REPORT
+ endpoint: (/remote.php)?/(web)?dav
+ service: eu.opencloud.web.webdav
+ skip_x_access_token: false
+ - type: query
+ endpoint: /dav/?preview=1
+ service: eu.opencloud.web.webdav
+ skip_x_access_token: false
+ - type: query
+ endpoint: /webdav/?preview=1
+ service: eu.opencloud.web.webdav
+ skip_x_access_token: false
+ - endpoint: /remote.php/
+ service: eu.opencloud.web.ocdav
+ skip_x_access_token: false
+ - endpoint: /dav/
+ service: eu.opencloud.web.ocdav
+ skip_x_access_token: false
+ - endpoint: /webdav/
+ service: eu.opencloud.web.ocdav
+ skip_x_access_token: false
+ - endpoint: /status
+ service: eu.opencloud.web.ocdav
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /status.php
+ service: eu.opencloud.web.ocdav
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /index.php/
+ service: eu.opencloud.web.ocdav
+ skip_x_access_token: false
+ - endpoint: /apps/
+ service: eu.opencloud.web.ocdav
+ skip_x_access_token: false
+ - endpoint: /data
+ service: eu.opencloud.web.frontend
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /app/list
+ service: eu.opencloud.web.frontend
+ unprotected: true
+ skip_x_access_token: false
+ - endpoint: /app/
+ service: eu.opencloud.web.frontend
+ skip_x_access_token: false
+ - endpoint: /graph/v1beta1/extensions/org.libregraph/activities
+ service: eu.opencloud.web.activitylog
+ skip_x_access_token: false
+ - endpoint: /graph/v1.0/invitations
+ service: eu.opencloud.web.invitations
+ skip_x_access_token: false
+ - endpoint: /graph/
+ service: eu.opencloud.web.graph
+ skip_x_access_token: false
+ - endpoint: /api/v0/settings
+
service: eu.opencloud.web.settings
+ skip_x_access_token: false
+ - endpoint: /auth-app/tokens
+ service: eu.opencloud.web.auth-app
+ skip_x_access_token: false
+ - endpoint: /wopi
+ service: eu.opencloud.web.collaboration
+ unprotected: true
+ skip_x_access_token: true
+additional_policies: []
+oidc:
+ issuer: https://localhost:9200
+ insecure: false
+ access_token_verify_method: jwt
+ skip_user_info: false
+ user_info_cache:
+ store: memory
+ addresses:
+ - 127.0.0.1:9233
+ database: cache-userinfo
+ table: ""
+ ttl: 10s
+ disable_persistence: false
+ username: ""
+ password: ""
+ jwks:
+ refresh_interval: 60
+ refresh_timeout: 10
+ refresh_limit: 60
+ refresh_unknown_kid: true
+ rewrite_well_known: false
+service_account:
+ service_account_id: ""
+ service_account_secret: ""
+role_assignment:
+ driver: default
+ oidc_role_mapper:
+ role_claim: roles
+ role_mapping:
+ - role_name: admin
+ claim_value: opencloudAdmin
+ - role_name: spaceadmin
+ claim_value: opencloudSpaceAdmin
+ - role_name: user
+ claim_value: opencloudUser
+ - role_name: user-light
+ claim_value: opencloudGuest
+policy_selector:
+ static:
+ policy: default
+ claims: null
+ regex: null
+pre_signed_url:
+ allowed_http_methods:
+ - GET
+ enabled: true
+ signing_keys:
+ store: nats-js-kv
+ addresses:
+ - 127.0.0.1:9233
+ ttl: 12h0m0s
+ disable_persistence: true
+ username: ""
+ password: ""
+account_backend: cs3
+user_oidc_claim: preferred_username
+user_cs3_claim: username
+machine_auth_api_key: ""
+auto_provision_accounts: false
+auto_provision_claims:
+ username: preferred_username
+ email: email
+ display_name: name
+ groups: groups
+enable_basic_auth: false
+insecure_backends: false
+backend_https_cacert: ""
+auth_middleware:
+ credentials_by_user_agent: {}
+ allow_app_auth: true
+policies_middleware:
+ query: ""
+csp_config_file_location: ""
+events:
+ endpoint: 127.0.0.1:9233
+ cluster: opencloud-cluster
+ tls_insecure: false
+ tls_root_ca_certificate: ""
+ enable_tls: false
+ username: ""
+
password: ""
diff --git a/static/env-vars/proxy_configvars.md b/static/env-vars/proxy_configvars.md
index 052fe41b..a9618c4a 100644
--- a/static/env-vars/proxy_configvars.md
+++ b/static/env-vars/proxy_configvars.md
@@ -1,74 +1,74 @@
 Environment variables for the **proxy** service
 | Name | Introduction Version | Type | Description | Default Value |
-|---|---|---|---|---|
-|`OC_TRACING_ENABLED`
`PROXY_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`PROXY_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`PROXY_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`PROXY_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`PROXY_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`PROXY_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`PROXY_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`PROXY_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`PROXY_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9205| -|`PROXY_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`PROXY_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`PROXY_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`PROXY_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|0.0.0.0:9200| -|`PROXY_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`PROXY_TRANSPORT_TLS_CERT`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.|/home/chaser/.opencloud/proxy/server.crt| -|`PROXY_TRANSPORT_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.|/home/chaser/.opencloud/proxy/server.key| -|`PROXY_TLS`| 1.0.0 |bool|Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service an no reverse proxy is used. See the text description for details.|true| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OC_URL`
`OC_OIDC_ISSUER`
`PROXY_OIDC_ISSUER`| 1.0.0 |string|URL of the OIDC issuer. It defaults to URL of the builtin IDP.|https://localhost:9200| -|`OC_INSECURE`
`PROXY_OIDC_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments.|false| -|`PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD`| 1.0.0 |string|Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IPD's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'.|jwt| -|`PROXY_OIDC_SKIP_USER_INFO`| 1.0.0 |bool|Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'.|false| -|`OC_CACHE_STORE`
`PROXY_OIDC_USERINFO_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|memory| -|`OC_CACHE_STORE_NODES`
`PROXY_OIDC_USERINFO_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|cache-userinfo| -|`PROXY_OIDC_USERINFO_CACHE_TABLE`| 1.0.0 |string|The database table the store should use.|| -|`OC_CACHE_TTL`
`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.|10s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.|| -|`PROXY_OIDC_JWKS_REFRESH_INTERVAL`| 1.0.0 |uint64|The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.|60| -|`PROXY_OIDC_JWKS_REFRESH_TIMEOUT`| 1.0.0 |uint64|The timeout in seconds for an outgoing JWKS request.|10| -|`PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`| 1.0.0 |uint64|Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud.|60| -|`PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID`| 1.0.0 |bool|If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this.|true| -|`PROXY_OIDC_REWRITE_WELLKNOWN`| 1.0.0 |bool|Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider.|false| -|`OC_SERVICE_ACCOUNT_ID`
`PROXY_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`PROXY_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| -|`PROXY_ROLE_ASSIGNMENT_DRIVER`| 1.0.0 |string|The mechanism that should be used to assign roles to user upon login. Supported values: 'default' or 'oidc'. 'default' will assign the role 'user' to users which don't have a role assigned at the time they login. 'oidc' will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims.|default| -|`PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`| 1.0.0 |string|The OIDC claim used to create the users role assignment.|roles| -|`PROXY_ENABLE_PRESIGNEDURLS`| 1.0.0 |bool|Allow OCS to get a signing key to sign requests.|true| -|`OC_CACHE_STORE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details.|nats-js-kv| -|`OC_CACHE_STORE_NODES`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_TTL`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|Default time to live for signing keys. See the Environment Variable Types description for more details.|12h0m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true.|true| -|`OC_CACHE_AUTH_USERNAME`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|Account backend the PROXY service should use. Currently only 'cs3' is possible here.|cs3| -|`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.|preferred_username| -|`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.|username| -|`OC_MACHINE_AUTH_API_KEY`
`PROXY_MACHINE_AUTH_API_KEY`| 1.0.0 |string|Machine auth API key used to validate internal requests necessary to access resources from other services.|| -|`PROXY_AUTOPROVISION_ACCOUNTS`| 1.0.0 |bool|Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.|false| -|`PROXY_AUTOPROVISION_CLAIM_USERNAME`| 1.0.0 |string|The name of the OIDC claim that holds the username.|preferred_username| -|`PROXY_AUTOPROVISION_CLAIM_EMAIL`| 1.0.0 |string|The name of the OIDC claim that holds the email.|email| -|`PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`| 1.0.0 |string|The name of the OIDC claim that holds the display name.|name| -|`PROXY_AUTOPROVISION_CLAIM_GROUPS`| 1.0.0 |string|The name of the OIDC claim that holds the groups.|groups| -|`PROXY_ENABLE_BASIC_AUTH`| 1.0.0 |bool|Set this to true to enable 'basic authentication' (username/password).|false| -|`PROXY_INSECURE_BACKENDS`| 1.0.0 |bool|Disable TLS certificate validation for all HTTP backend connections.|false| -|`PROXY_HTTPS_CACERT`| 1.0.0 |string|Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services.|| -|`PROXY_ENABLE_APP_AUTH`| 1.0.0 |bool|Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work.|true| -|`PROXY_POLICIES_QUERY`| 1.0.0 |string|Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found.|| -|`PROXY_CSP_CONFIG_FILE_LOCATION`| 1.0.0 |string|The location of the CSP configuration file.|| -|`OC_EVENTS_ENDPOINT`
`PROXY_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`PROXY_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|opencloud-cluster| -|`OC_INSECURE`
`PROXY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`PROXY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`PROXY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`PROXY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`PROXY_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`PROXY_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`PROXY_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`PROXY_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`PROXY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`PROXY_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`PROXY_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`PROXY_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`PROXY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9205`| +|`PROXY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`PROXY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`PROXY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`PROXY_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`0.0.0.0:9200`| +|`PROXY_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`PROXY_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|`/Users/t.schweiger/.opencloud/proxy/server.crt`| +|`PROXY_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|`/Users/t.schweiger/.opencloud/proxy/server.key`| +|`PROXY_TLS`| 1.0.0 |bool|`Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service an no reverse proxy is used. See the text description for details.`|`true`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_URL`
`OC_OIDC_ISSUER`
`PROXY_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| +|`OC_INSECURE`
`PROXY_OIDC_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments.`|`false`| +|`PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD`| 1.0.0 |string|`Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IDP's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'.`|`jwt`| +|`PROXY_OIDC_SKIP_USER_INFO`| 1.0.0 |bool|`Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'.`|`false`| +|`OC_CACHE_STORE`
`PROXY_OIDC_USERINFO_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`PROXY_OIDC_USERINFO_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-userinfo`| +|`PROXY_OIDC_USERINFO_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_CACHE_TTL`
`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`PROXY_OIDC_JWKS_REFRESH_INTERVAL`| 1.0.0 |uint64|`The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.`|`60`| +|`PROXY_OIDC_JWKS_REFRESH_TIMEOUT`| 1.0.0 |uint64|`The timeout in seconds for an outgoing JWKS request.`|`10`| +|`PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`| 1.0.0 |uint64|`Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud.`|`60`| +|`PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID`| 1.0.0 |bool|`If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this.`|`true`| +|`PROXY_OIDC_REWRITE_WELLKNOWN`| 1.0.0 |bool|`Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider.`|`false`| +|`OC_SERVICE_ACCOUNT_ID`
`PROXY_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`PROXY_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`PROXY_ROLE_ASSIGNMENT_DRIVER`| 1.0.0 |string|`The mechanism that should be used to assign roles to user upon login. Supported values: 'default' or 'oidc'. 'default' will assign the role 'user' to users which don't have a role assigned at the time they login. 'oidc' will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims.`|`default`| +|`PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`| 1.0.0 |string|`The OIDC claim used to create the users role assignment.`|`roles`| +|`PROXY_ENABLE_PRESIGNEDURLS`| 1.0.0 |bool|`Allow OCS to get a signing key to sign requests.`|`true`| +|`OC_CACHE_STORE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details.`|`nats-js-kv`| +|`OC_CACHE_STORE_NODES`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_TTL`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`12h0m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true.`|`true`| +|`OC_CACHE_AUTH_USERNAME`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|`cs3`| +|`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|`preferred_username`| +|`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|`username`| +|`OC_MACHINE_AUTH_API_KEY`
`PROXY_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary to access resources from other services.`|``| +|`PROXY_AUTOPROVISION_ACCOUNTS`| 1.0.0 |bool|`Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.`|`false`| +|`PROXY_AUTOPROVISION_CLAIM_USERNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the username.`|`preferred_username`| +|`PROXY_AUTOPROVISION_CLAIM_EMAIL`| 1.0.0 |string|`The name of the OIDC claim that holds the email.`|`email`| +|`PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the display name.`|`name`| +|`PROXY_AUTOPROVISION_CLAIM_GROUPS`| 1.0.0 |string|`The name of the OIDC claim that holds the groups.`|`groups`| +|`PROXY_ENABLE_BASIC_AUTH`| 1.0.0 |bool|`Set this to true to enable 'basic authentication' (username/password).`|`false`| +|`PROXY_INSECURE_BACKENDS`| 1.0.0 |bool|`Disable TLS certificate validation for all HTTP backend connections.`|`false`| +|`PROXY_HTTPS_CACERT`| 1.0.0 |string|`Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services.`|``| +|`PROXY_ENABLE_APP_AUTH`| 1.0.0 |bool|`Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work.`|`true`| +|`PROXY_POLICIES_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found.`|``| +|`PROXY_CSP_CONFIG_FILE_LOCATION`| 1.0.0 |string|`The location of the CSP configuration file.`|``| +|`OC_EVENTS_ENDPOINT`
`PROXY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`PROXY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`opencloud-cluster`| +|`OC_INSECURE`
`PROXY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`PROXY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`PROXY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`PROXY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| diff --git a/static/env-vars/proxy_readme.md b/static/env-vars/proxy_readme.md index d41c564e..417bdd95 100755 --- a/static/env-vars/proxy_readme.md +++ b/static/env-vars/proxy_readme.md @@ -1,6 +1,6 @@ --- title: Proxy -date: 2025-05-22T16:21:16.119991019+02:00 +date: 2025-11-13T17:22:55.096208+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/proxy @@ -36,12 +36,10 @@ The proxy service is the only service communicating to the outside and needs the * [Presigned Urls](#presigned-urls) * [Special Settings](#special-settings) * [Metrics](#metrics) - * [1) Single Process Mode](#1-single-process-mode) - - * [2) Standalone Mode](#2-standalone-mode) + * [1) Single Process Mode](#1)-single-process-mode) + * [2) Standalone Mode](#2)-standalone-mode) * [Available Metrics](#available-metrics) * [Prometheus Configuration](#prometheus-configuration) -* [Example Yaml Config](#example-yaml-config) ## Authentication @@ -357,3 +355,4 @@ scrape_configs: static_configs: - targets: ["opencloud:9205"] ``` + diff --git a/static/env-vars/search-config-example.yaml b/static/env-vars/search-config-example.yaml index 7b3ac246..46427ec0 100644 --- a/static/env-vars/search-config-example.yaml +++ b/static/env-vars/search-config-example.yaml @@ -17,6 +17,7 @@ debug: pprof: false zpages: false grpc: + disabled: false addr: 127.0.0.1:9220 tls: null token_manager: 
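Review bot: The rewritten TOC links in the `@@ -36,12 +36,10 @@` hunk of proxy_readme.md are broken: in `[1) Single Process Mode](#1)-single-process-mode)` the `)` right after `#1` closes the link destination, so the rendered link targets `#1` and `-single-process-mode)` is left as literal text, and the same applies to `[2) Standalone Mode](#2)-standalone-mode)`. The removed lines had the working form, so the fix is to restore `* [1) Single Process Mode](#1-single-process-mode)` and `* [2) Standalone Mode](#2-standalone-mode)`. Since the frontmatter date is bumped in the same diff, this file is presumably regenerated and the escaping of the `)` in the heading text should be fixed in the TOC generator, otherwise the breakage will return on the next run.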
@@ -28,20 +29,42 @@ reva: cacert: "" grpc_client_tls: null events: + disabled: false endpoint: 127.0.0.1:9233 cluster: opencloud-cluster async_uploads: true - num_consumers: 0 + num_consumers: 1 debounce_duration: 1000 tls_insecure: false tls_root_ca_certificate: "" enable_tls: false username: "" password: "" + max_ack_pending: 1000 + ack_wait: 1m0s engine: type: bleve bleve: - data_path: /home/chaser/.opencloud/search + data_path: /Users/t.schweiger/.opencloud/search + open_search: + client: + addresses: [] + username: "" + password: "" + header: {} + ca_cert: [] + retry_on_status: [] + disable_retry: false + enable_retry_on_timeout: false + max_retries: 0 + compress_request_body: false + discover_nodes_on_start: false + discover_nodes_interval: 0s + enable_metrics: false + enable_debug_logger: false + insecure: false + resource_index: + name: opencloud-resource extractor: type: basic cs3_allow_insecure: false @@ -49,6 +72,7 @@ extractor: tika_url: http://127.0.0.1:9998 clean_stop_words: true content_extraction_size_limit: 20971520 +batch_size: 500 service_account: service_account_id: "" service_account_secret: "" diff --git a/static/env-vars/search.yaml b/static/env-vars/search.yaml new file mode 100644 index 00000000..abdea4bf --- /dev/null +++ b/static/env-vars/search.yaml 
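Review bot: `data_path: /Users/t.schweiger/.opencloud/search` in the `engine.bleve` block captures the home directory of the machine the docs were generated on and puts a maintainer's username into a published example config; the replaced value `/home/chaser/.opencloud/search` shows this has happened before. The configvars text for this setting says the path derives from `$OC_BASE_DATA_PATH/search` when unset, so the example should carry a neutral value, e.g. `data_path: <OC_BASE_DATA_PATH>/search` (placeholder), or the generator should run with a fixed `OC_BASE_DATA_PATH` and the output be checked for `/Users/` and `/home/` before commit. The same machine-specific path appears in the new search.yaml below and in the `PROXY_TRANSPORT_TLS_CERT`/`PROXY_TRANSPORT_TLS_KEY` defaults of the proxy_configvars.md hunk above, whose start is outside this chunk.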
@@ -0,0 +1,78 @@ +# Autogenerated +# Filename: search.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9224 + token: "" + pprof: false + zpages: false +grpc: + disabled: false + addr: 127.0.0.1:9220 + tls: null +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +grpc_client_tls: null +events: + disabled: false + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + async_uploads: true + num_consumers: 1 + debounce_duration: 1000 + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + max_ack_pending: 1000 + ack_wait: 1m0s +engine: + type: bleve + bleve: + data_path: /Users/t.schweiger/.opencloud/search + open_search: + client: + addresses: [] + username: "" + password: "" + header: {} + ca_cert: [] + retry_on_status: [] + disable_retry: false + enable_retry_on_timeout: false + max_retries: 0 + compress_request_body: false + discover_nodes_on_start: false + discover_nodes_interval: 0s + enable_metrics: false + enable_debug_logger: false + insecure: false + resource_index: + name: opencloud-resource +extractor: + type: basic + cs3_allow_insecure: false + tika: + tika_url: http://127.0.0.1:9998 + clean_stop_words: true +content_extraction_size_limit: 20971520 +batch_size: 500 +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/static/env-vars/search_configvars.md b/static/env-vars/search_configvars.md index f94556d6..dcbe3b21 100644 --- a/static/env-vars/search_configvars.md +++ b/static/env-vars/search_configvars.md @@ -1,40 +1,61 @@ Environment variables for the **search** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`SEARCH_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`SEARCH_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`SEARCH_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`SEARCH_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`SEARCH_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`SEARCH_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`SEARCH_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`SEARCH_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`SEARCH_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9224| -|`SEARCH_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`SEARCH_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`SEARCH_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`SEARCH_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9220| -|`OC_JWT_SECRET`
`SEARCH_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OC_EVENTS_ENDPOINT`
`SEARCH_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`SEARCH_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_ASYNC_UPLOADS`
`SEARCH_EVENTS_ASYNC_UPLOADS`| 1.0.0 |bool|Enable asynchronous file uploads.|true| -|`SEARCH_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|The amount of concurrent event consumers to start. Event consumers are used for searching files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The default value is 0.|0| -|`SEARCH_EVENTS_REINDEX_DEBOUNCE_DURATION`| 1.0.0 |int|The duration in milliseconds the reindex debouncer waits before triggering a reindex of a space that was modified.|1000| -|`OC_INSECURE`
`SEARCH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`SEARCH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`SEARCH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`SEARCH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`SEARCH_ENGINE_TYPE`| 1.0.0 |string|Defines which search engine to use. Defaults to 'bleve'. Supported values are: 'bleve'.|bleve| -|`SEARCH_ENGINE_BLEVE_DATA_PATH`| 1.0.0 |string|The directory where the filesystem will store search data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/search.|/home/chaser/.opencloud/search| -|`SEARCH_EXTRACTOR_TYPE`| 1.0.0 |string|Defines the content extraction engine. Defaults to 'basic'. Supported values are: 'basic' and 'tika'.|basic| -|`OC_INSECURE`
`SEARCH_EXTRACTOR_CS3SOURCE_INSECURE`| 1.0.0 |bool|Ignore untrusted SSL certificates when connecting to the CS3 source.|false| -|`SEARCH_EXTRACTOR_TIKA_TIKA_URL`| 1.0.0 |string|URL of the tika server.|http://127.0.0.1:9998| -|`SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS`| 1.0.0 |bool|Defines if stop words should be cleaned or not. See the documentation for more details.|true| -|`SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT`| 1.0.0 |uint64|Maximum file size in bytes that is allowed for content extraction.|20971520| -|`OC_SERVICE_ACCOUNT_ID`
`SEARCH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`SEARCH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`SEARCH_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`SEARCH_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`SEARCH_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`SEARCH_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`SEARCH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`SEARCH_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`SEARCH_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`SEARCH_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`SEARCH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9224`| +|`SEARCH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`SEARCH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`SEARCH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`SEARCH_GRPC_DISABLED`| next |bool|`Disables the GRPC service. Set this to true if the service should only handle events.`|`false`| +|`SEARCH_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9220`| +|`OC_JWT_SECRET`
`SEARCH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`SEARCH_EVENTS_DISABLED`| next |bool|`Disables listening for events. Set this to true if the service should only handle GRPC requests.`|`false`| +|`OC_EVENTS_ENDPOINT`
`SEARCH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`SEARCH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`|
+|`OC_ASYNC_UPLOADS`
`SEARCH_EVENTS_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`|
+|`SEARCH_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for searching files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands.`|`1`|
+|`SEARCH_EVENTS_REINDEX_DEBOUNCE_DURATION`| 1.0.0 |int|`The duration in milliseconds the reindex debouncer waits before triggering a reindex of a space that was modified.`|`1000`|
+|`OC_INSECURE`
`SEARCH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false.`|``|
+|`OC_EVENTS_ENABLE_TLS`
`SEARCH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`|
+|`OC_EVENTS_AUTH_USERNAME`
`SEARCH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``|
+|`OC_EVENTS_AUTH_PASSWORD`
`SEARCH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``|
+|`SEARCH_EVENTS_MAX_ACK_PENDING`| next |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|`1000`|
+|`SEARCH_EVENTS_ACK_WAIT`| next |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|`1m0s`|
+|`SEARCH_ENGINE_TYPE`| 1.0.0 |string|`Defines which search engine to use. Defaults to 'bleve'. Supported values are: 'bleve'.`|`bleve`|
+|`SEARCH_ENGINE_BLEVE_DATA_PATH`| 1.0.0 |string|`The directory where the filesystem will store search data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/search.`|`/Users/t.schweiger/.opencloud/search`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ADDRESSES`| next |[]string|`The addresses of the OpenSearch nodes..`|`[]`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_USERNAME`| next |string|`Username for HTTP Basic Authentication.`|``|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_PASSWORD`| next |string|`Password for HTTP Basic Authentication.`|``|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_HEADER`| next |Header|`HTTP headers to include in requests.`|`map[]`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT`| next |[]uint8|`CA certificate for TLS connections.`|`[]`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_RETRY_ON_STATUS`| next |[]int|`HTTP status codes that trigger a retry.`|`[]`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISABLE_RETRY`| next |bool|`Disable retries on errors.`|`false`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_RETRY_ON_TIMEOUT`| next |bool|`Enable retries on timeout.`|`false`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_MAX_RETRIES`| next |int|`Maximum number of retries for requests.`|`0`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_COMPRESS_REQUEST_BODY`| next |bool|`Compress request 
bodies.`|`false`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_ON_START`| next |bool|`Discover nodes on service start.`|`false`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_INTERVAL`| next |Duration|`Interval for discovering nodes.`|`0s`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_METRICS`| next |bool|`Enable metrics collection.`|`false`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_DEBUG_LOGGER`| next |bool|`Enable debug logging.`|`false`|
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_INSECURE`| next |bool|`Skip TLS certificate verification.`|`false`|
+|`SEARCH_ENGINE_OPEN_SEARCH_RESOURCE_INDEX_NAME`| next |string|`The name of the OpenSearch index for resources.`|`opencloud-resource`|
+|`SEARCH_EXTRACTOR_TYPE`| 1.0.0 |string|`Defines the content extraction engine. Defaults to 'basic'. Supported values are: 'basic' and 'tika'.`|`basic`|
+|`OC_INSECURE`
`SEARCH_EXTRACTOR_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|`false`|
+|`SEARCH_EXTRACTOR_TIKA_TIKA_URL`| 1.0.0 |string|`URL of the tika server.`|`http://127.0.0.1:9998`|
+|`SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS`| 1.0.0 |bool|`Defines if stop words should be cleaned or not. See the documentation for more details.`|`true`|
+|`SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT`| 1.0.0 |uint64|`Maximum file size in bytes that is allowed for content extraction.`|`20971520`|
+|`SEARCH_BATCH_SIZE`| 1.0.0 |int|`The number of documents to process in a single batch. Defaults to 500.`|`500`|
+|`OC_SERVICE_ACCOUNT_ID`
`SEARCH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``|
+|`OC_SERVICE_ACCOUNT_SECRET`
`SEARCH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``|
diff --git a/static/env-vars/search_readme.md b/static/env-vars/search_readme.md
index 1663c2ae..c7cca45d 100755
--- a/static/env-vars/search_readme.md
+++ b/static/env-vars/search_readme.md
@@ -1,6 +1,6 @@
 ---
 title: Search
-date: 2025-05-22T16:21:16.120089975+02:00
+date: 2025-11-13T17:22:55.096414+01:00
 weight: 20
 geekdocRepo: https://github.com/opencloud-eu/opencloud
 geekdocEditPath: edit/master/services/search
@@ -13,64 +13,78 @@ geekdocCollapseSection: true ## Abstract
-The search service is responsible for metadata and content extraction, stores that data as index and makes it searchable. The following clarifies the extraction terms _metadata_ and _content_:
+The search service is responsible for metadata and content extraction,
+the retrieved data is indexed and made searchable.
-* Metadata: all data that _describes_ the file like `Name`, `Size`, `MimeType`, `Tags` and `Mtime`.
-* Content: all data that _relates to content_ of the file like `words`, `geo data`, `exif data` etc.
+The search service runs out of the box with the shipped default `basic` configuration.
+No further configuration is needed.
+
+Note that as of now, the search service cannot be scaled.
+Consider using dedicated hardware for this service in case more resources are needed.
 ## Table of Contents
-* [General Considerations](#general-considerations)
-* [Search engines](#search-engines)
+* [Search backends](#search-backends)
+ * [Bleve](#bleve)
+ * [OpenSearch](#opensearch)
 * [Query language](#query-language)
-* [Extraction Engines](#extraction-engines)
-* [Content Extraction](#content-extraction)
- * [Basic Extractor](#basic-extractor)
- * [Tika Extractor](#tika-extractor)
-* [Search Functionality](#search-functionality)
- * [Indexing](#indexing)
- * [Search](#search)
- * [State Changes which Trigger Indexing](#state-changes-which-trigger-indexing)
- * [Resource Trashed](#resource-trashed)
- * [Resource Deleted](#resource-deleted)
- * [Resource Restored](#resource-restored)
- * [Resource Moved](#resource-moved)
- * [Folder Created](#folder-created)
- * [File Created](#file-created)
- * [File Version Restored](#file-version-restored)
- * [Resource Tag Added](#resource-tag-added)
- * [Resource Tag Removed](#resource-tag-removed)
- * [File Uploaded - Synchronous](#file-uploaded---synchronous)
- * [File Uploaded - Asynchronous](#file-uploaded---asynchronous)
+* [Content analysis / 
Extraction](#content-analysis-/-extraction)
+ * [Basic](#basic)
+ * [Tika](#tika)
 * [Manually Trigger Re-Indexing a Space](#manually-trigger-re-indexing-a-space)
-* [Notes](#notes)
-* [Example Yaml Config](#example-yaml-config)
+* [Metrics](#metrics)
+
+## Search backends
+
+To store and query the indexed data, a search backend is needed.
+
+As of now, the search service supports the following backends:
+
+- [bleve](https://github.com/blevesearch/bleve) (default)
+- [opensearch](https://opensearch.org/)
-## General Considerations
+### Bleve
-* To use the search service, an event system needs to be configured for all services like NATS, which is shipped and preconfigured.
-* The search service consumes events and does not block other tasks.
-* When looking for content extraction, [Apache Tika - a content analysis toolkit](https://tika.apache.org) can be used but needs to be installed separately.
+Bleve is a lightweight, embedded full-text search engine written in Go and is the default search backend.
+It is straightforward to set up and requires no additional services to run.
-Extractions are stored as index via the search service. Consider that indexing requires adequate storage capacity - and the space requirement will grow. To avoid filling up the filesystem with the index and rendering OpenCloud unusable, the index should reside on its own filesystem.
+The following optional settings can be set:
-You can change the path to where search maintains its data in case the filesystem gets close to full and you need to relocate the data. Stop the service, move the data, reconfigure the path in the environment variable and restart the service.
+* `SEARCH_ENGINE_BLEVE_DATA_PATH=/path/to/bleve/index` (default: `$OC_BASE_DATA_PATH/search`): Path to store the bleve index.
-When using content extraction, more resources and time are needed, because the content of the file needs to be analyzed. This is especially true for big and multiple concurrent files. 
+### OpenSearch
-The search service runs out of the box with the shipped default `basic` configuration. No further configuration is needed, except when using content extraction.
+OpenSearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases.
+Additionally, it provides advanced features like clustering, replication, and sharding.
-Note that as of now, the search service can not be scaled. Consider using a dedicated hardware for this service in case more resources are needed.
+To enable OpenSearch as a backend, the following settings must be set:
-## Search engines
+* `SEARCH_ENGINE_TYPE=open-search`
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ADDRESSES=http://YOUR-OPENSEARCH.URL:9200` (comma-separated list of OpenSearch addresses)
-By default, the search service is shipped with [bleve](https://github.com/blevesearch/bleve) as its primary search engine. The available engines can be extended by implementing the [Engine](https://github.com/opencloud-eu/opencloud/blob/main/services/search/pkg/engine/engine.go) interface and making that engine available.
+Additionally, the following optional settings can be set:
+
+* `SEARCH_ENGINE_OPEN_SEARCH_RESOURCE_INDEX_NAME=val` (default: `opencloud-resource`): Name of the OpenSearch index
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_USERNAME=val`: Username for HTTP Basic Authentication.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_PASSWORD=val`: Password for HTTP Basic Authentication.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_HEADER=val`: HTTP headers to include in requests.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT=val` CA certificate for TLS connections.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_RETRY_ON_STATUS=val` HTTP status codes that trigger a retry.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISABLE_RETRY=val` Disable retries on errors.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_RETRY_ON_TIMEOUT=val`: Enable retries on timeout. 
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_MAX_RETRIES=val`: Maximum number of retries for requests.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_COMPRESS_REQUEST_BODY=val`: Compress request bodies.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_ON_START=val`: Discover nodes on service start.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_INTERVAL=val`: Interval for discovering nodes.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_METRICS=val`: Enable metrics collection.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_DEBUG_LOGGER=val`: Enable debug logging.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_INSECURE=val`: Skip TLS certificate verification.
 ## Query language
-By default, [KQL](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference) is used as query language,
-for an overview of how the syntax works, please read the [microsoft documentation](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
+By default, [KQL](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference) is used as the query language.
+For an overview of how to write kql queries, please read the [microsoft documentation](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
 Not all parts are supported, the following list gives an overview of parts that are not implemented yet: 
@@ -81,126 +95,65 @@ Not all parts are supported, the following list gives an overview of parts that
 * NEAR operator
 * Date intervals
- In [this ADR](https://github.com/owncloud/ocis/blob/docs/ocis/adr/0020-file-search-query-language.md) you can read why KQL whas chosen.
+In [this ADR](https://github.com/owncloud/ocis/blob/docs/ocis/adr/0020-file-search-query-language.md) you can read why KQL was chosen.
-## Extraction Engines
+## Content analysis / Extraction
-The search service provides the following extraction engines and their results are used as index for searching:
+The search service supports the following content extraction methods:
-* The embedded `basic` configuration provides metadata extraction which is always on.
-* The `tika` configuration, which _additionally_ provides content extraction, if installed and configured.
+* `Basic`: enabled by default, only provides metadata extraction.
+* `Tika`: needs to be installed and configured separately, provides content extraction for many file types.
-## Content Extraction
+Note that the file content has to be transferred to the search service internally for content extraction,
+which is resource-intensive and can lead to delays with larger documents.
-The search service is able to manage and retrieve many types of information. For this purpose the following content extractors are included:
+### Basic
-### Basic Extractor
+This extractor is the simplest one and just uses the resource information provided by OpenCloud.
+It does not do any further content analysis.
-This extractor is the most simple one and just uses the resource information provided by OpenCloud. It does not do any further analysis. The following fields are included in the index: `Name`, `Size`, `MimeType`, `Tags`, `Mtime`.
+### Tika
-### Tika Extractor
+The main difference is that this extractor is able to analyze and extract data from more advanced file types like PDF, DOCX, PPTX, etc. 
+However, [Apache Tika](https://tika.apache.org/) is required for this task.
+Read the [Getting Started with Apache Tika](https://tika.apache.org/2.6.0/gettingstarted.html) guide on how to install and run Tika or use a ready to run [Tika container](https://hub.docker.com/r/apache/tika).
+See the [Tika container usage document](https://github.com/apache/tika-docker#usage) for a quickstart.
-This extractor is more advanced compared to the [Basic extractor](#basic-extractor). The main difference is that this extractor is able to search file contents.
-However, [Apache Tika](https://tika.apache.org/) is required for this task. Read the [Getting Started with Apache Tika](https://tika.apache.org/2.6.0/gettingstarted.html) guide on how to install and run Tika or use a ready to run [Tika container](https://hub.docker.com/r/apache/tika). See the [Tika container usage document](https://github.com/apache/tika-docker#usage) for a quickstart. Note that at the time of writing, containers are only available for the amd64 platform.
+As soon as Tika is installed and configured, the search service needs to be told to use it.
-As soon as Tika is installed and accessible, the search service must be configured for the use with Tika. The following settings must be set:
+The following settings must be set:
 * `SEARCH_EXTRACTOR_TYPE=tika`
 * `SEARCH_EXTRACTOR_TIKA_TIKA_URL=http://YOUR-TIKA.URL`
-When the search service can reach Tika, it begins to read out the content on demand. Note that files must be downloaded during the process, which can lead to delays with larger documents.
-
-Content extraction and handling the extracted content can be very resource intensive. Content extraction is therefore limited to files with a certain file size. The default limit is 20MB and can be configured using the `SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT` variable. 
-
-When extracting content, you can specify whether [stop words](https://en.wikipedia.org/wiki/Stop_word) like `I`, `you`, `the` are ignored or not. Noramlly, these stop words are removed automatically. To keep them, the environment variable `SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS` must be set to `false`.
-
-When using the Tika container and docker-compose, consider the following:
-
-* See the [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) example.
-* Containers for the linked service are reachable at a hostname identical to the alias or the service name if no alias was specified.
-
-If using the `tika` extractor, make sure to also set `FRONTEND_FULL_TEXT_SEARCH_ENABLED` in the frontend service to `true`. This will tell the webclient that full-text search has been enabled.
-
-## Search Functionality
-
-The search service consists of two main parts which are file `indexing` and file `search`.
-
-### Indexing
-
-Every time a resource changes its state, a corresponding event is triggered. Based on the event, the search service processes the file and adds the result to its index. There are a few more steps between accepting the file and updating the index.
-
-### Search
-
-A query via the search service will return results based on the index created.
-
-### State Changes which Trigger Indexing
-
-The following state changes in the life cycle of a file can trigger the creation of an index or an update:
-
-#### Resource Trashed
-
-The service checks its index to see if the file has been processed. If an index entry exists, the index will be marked as deleted. In consequence, the file won't appear in search requests anymore. The index entry stays intact and could be restored via [Resource Restored](#resource-restored).
-
-#### Resource Deleted
-
-The service checks its index to see if the file has been processed. If an index entry exists, the index will be finally deleted. In consequence, the file won't appear in search requests anymore. 
-
-#### Resource Restored
-
-This step is the counterpart of [Resource Trashed](#resource-trashed). When a file is deleted, is isn't removed from the index, instead the service just marks it as deleted. This mark is removed when the file has been restored, and it shows up in search results again.
-
-#### Resource Moved
-
-This comes into play whenever a file or folder is renamed or moved. The search index then updates the resource location path or starts indexing if no index has been created so far for all items affected. See [Notes](#notes) for an example.
-
-#### Folder Created
-
-The creation of a folder always triggers indexing. The search service extracts all necessary information and stores it in the search index
-
-#### File Created
-
-This case is similar to [Folder created](#folder-created) with the difference that a file can contain far more valuable information. This gets interesting but time-consuming when data content needs to be analyzed and indexed. Content extraction is part of the search service if configured.
-
-#### File Version Restored
-
-Since OpenCloud is capable of storing multiple versions of the same file, the search service also needs to take care of those versions. When a file version is restored, the service starts to extract all needed information, creates the index and makes the file discoverable.
-
-#### Resource Tag Added
-
-Whenever a resource gets a new tag, the service takes care of it and makes that resource discoverable by the tag.
-
-#### Resource Tag Removed
-
-This is the counterpart of [Resource tag added](#resource-tag-added). It takes care that a tag gets unassigned from the referenced resource.
-
-#### File Uploaded - Synchronous
-
-This case only triggers indexing if `async post processing` is disabled. If so, the service starts to extract all needed file information, stores it in the index and makes it discoverable. 
-
-#### File Uploaded - Asynchronous
+Additionally, the following optional settings can be set:
-This is exactly the same as [File uploaded - synchronous](#file-uploaded---synchronous) with the only difference that it is used for asynchronous uploads.
+* `SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS=true` (default: `true`): ignore stop words like `I`, `you`, `the` during content extraction.
 ## Manually Trigger Re-Indexing a Space
 The service includes a command-line interface to trigger re-indexing a space:
-```bash
+```shell
 opencloud search index --space $SPACE_ID
 ```
 It can also be used to re-index all spaces:
-```bash
+```shell
 opencloud search index --all-spaces
 ```
-Note that either `--space $SPACE_ID` or `--all-spaces` must be set.
+## Metrics
-## Notes
+The search service exposes the following prometheus metrics at `/metrics` (as configured using the `SEARCH_DEBUG_ADDR` env var):
-The indexing process tries to be self-healing in some situations.
+| Metric Name | Type | Description | Labels |
+| --- | --- | --- | --- |
+| `opencloud_search_build_info` | Gauge | Build information | `version` |
+| `opencloud_search_events_outstanding_acks` | Gauge | Number of outstanding acks for events | |
+| `opencloud_search_events_unprocessed` | Gauge | Number of unprocessed events | |
+| `opencloud_search_events_redelivered` | Gauge | Number of redelivered events | |
+| `opencloud_search_search_duration_seconds` | Histogram | Duration of search operations in seconds | `status` |
+| `opencloud_search_index_duration_seconds` | Histogram | Duration of indexing operations in seconds | `status` |
-In the following example, let's assume a file tree `foo/bar/baz` exists.
-If the folder `bar` gets renamed to `new-bar`, the path to `baz` is no longer `foo/bar/baz` but `foo/new-bar/baz`.
-The search service checks the change and either just updates the path in the index or creates a new index for all items affected if none was present. 
diff --git a/static/env-vars/settings.yaml b/static/env-vars/settings.yaml
new file mode 100644
index 00000000..93d18d73
--- /dev/null
+++ b/static/env-vars/settings.yaml
@@ -0,0 +1,73 @@
+# Autogenerated +# Filename: settings.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9194 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9190 + tls: + enabled: false + cert: "" + key: "" + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + allow_credentials: true +grpc: + addr: 127.0.0.1:9191 + tls: null +grpc_client_tls: null +metadata_config: + gateway_addr: eu.opencloud.api.storage-system + storage_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cache: + store: memory + addresses: + - 127.0.0.1:9233 + database: settings-cache + files_table: settings_files + directories_table: settings_dirs + ttl: 10m0s + disable_persistence: false + username: "" + password: "" +bundles_path: "" +admin_user_id: "" +token_manager: + jwt_secret: "" +set_default_assignments: false +service_account_ids: +- service-user-id +default_language: "" +translation_path: ""
diff --git a/static/env-vars/settings_configvars.md b/static/env-vars/settings_configvars.md
index a7cdb75a..304d4537 100644
--- a/static/env-vars/settings_configvars.md
+++ b/static/env-vars/settings_configvars.md
@@ -1,47 +1,47 @@
 Environment variables for the **settings** service
 
 | Name | Introduction Version | Type | Description | Default Value |
-|---|---|---|---|---|
-|`OC_TRACING_ENABLED`
`SETTINGS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false|
-|`OC_TRACING_TYPE`
`SETTINGS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.||
-|`OC_TRACING_ENDPOINT`
`SETTINGS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.||
-|`OC_TRACING_COLLECTOR`
`SETTINGS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.||
-|`OC_LOG_LEVEL`
`SETTINGS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.||
-|`OC_LOG_PRETTY`
`SETTINGS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false|
-|`OC_LOG_COLOR`
`SETTINGS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false|
-|`OC_LOG_FILE`
`SETTINGS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.||
-|`SETTINGS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9194|
-|`SETTINGS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.||
-|`SETTINGS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false|
-|`SETTINGS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false|
-|`SETTINGS_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9190|
-|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false|
-|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.||
-|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.||
-|`SETTINGS_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/|
-|`OC_CORS_ALLOW_ORIGINS`
`SETTINGS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]|
-|`OC_CORS_ALLOW_METHODS`
`SETTINGS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET POST PUT PATCH DELETE OPTIONS]|
-|`OC_CORS_ALLOW_HEADERS`
`SETTINGS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id]|
-|`OC_CORS_ALLOW_CREDENTIALS`
`SETTINGS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true|
-|`SETTINGS_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9191|
-|`SETTINGS_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 1.0.0 |string|GRPC address of the STORAGE-SYSTEM service.|eu.opencloud.api.storage-system|
-|`SETTINGS_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 1.0.0 |string|GRPC address of the STORAGE-SYSTEM service.|eu.opencloud.api.storage-system|
-|`OC_SYSTEM_USER_ID`
`SETTINGS_SYSTEM_USER_ID`| 1.0.0 |string|ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.||
-|`OC_SYSTEM_USER_IDP`
`SETTINGS_SYSTEM_USER_IDP`| 1.0.0 |string|IDP of the OpenCloud STORAGE-SYSTEM system user.|internal|
-|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|API key for the STORAGE-SYSTEM system user.||
-|`OC_CACHE_STORE`
`SETTINGS_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|memory|
-|`OC_CACHE_STORE_NODES`
`SETTINGS_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]|
-|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|settings-cache|
-|`SETTINGS_FILE_CACHE_TABLE`| 1.0.0 |string|The database table the store should use for the file cache.|settings_files|
-|`SETTINGS_DIRECTORY_CACHE_TABLE`| 1.0.0 |string|The database table the store should use for the directory cache.|settings_dirs|
-|`OC_CACHE_TTL`
`SETTINGS_CACHE_TTL`| 1.0.0 |Duration|Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.|10m0s|
-|`OC_CACHE_DISABLE_PERSISTENCE`
`SETTINGS_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false|
-|`OC_CACHE_AUTH_USERNAME`
`SETTINGS_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.||
-|`OC_CACHE_AUTH_PASSWORD`
`SETTINGS_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.||
-|`SETTINGS_BUNDLES_PATH`| 1.0.0 |string|The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.||
-|`OC_ADMIN_USER_ID`
`SETTINGS_ADMIN_USER_ID`| 1.0.0 |string|ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.||
-|`OC_JWT_SECRET`
`SETTINGS_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.||
-|`SETTINGS_SETUP_DEFAULT_ASSIGNMENTS`
`IDM_CREATE_DEMO_USERS`| 1.0.0 |bool|The default role assignments the demo users should be setup.|false|
-|`SETTINGS_SERVICE_ACCOUNT_IDS`
`OC_SERVICE_ACCOUNT_ID`| 1.0.0 |[]string|The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OC_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. See the 'auth-service' service description for more details about service accounts.|[service-user-id]|
-|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.||
-|`OC_TRANSLATION_PATH`
`SETTINGS_TRANSLATION_PATH`| 1.0.0 |string|(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`SETTINGS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`SETTINGS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`SETTINGS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`SETTINGS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`SETTINGS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`SETTINGS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`SETTINGS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`SETTINGS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`SETTINGS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9194`| +|`SETTINGS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`SETTINGS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`SETTINGS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`SETTINGS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9190`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`SETTINGS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`SETTINGS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`SETTINGS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`SETTINGS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`SETTINGS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`SETTINGS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9191`| +|`SETTINGS_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`SETTINGS_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`SETTINGS_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`SETTINGS_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`OC_CACHE_STORE`
`SETTINGS_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`SETTINGS_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`settings-cache`| +|`SETTINGS_FILE_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the file cache.`|`settings_files`| +|`SETTINGS_DIRECTORY_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the directory cache.`|`settings_dirs`| +|`OC_CACHE_TTL`
`SETTINGS_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`SETTINGS_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`SETTINGS_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`SETTINGS_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`SETTINGS_BUNDLES_PATH`| 1.0.0 |string|`The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.`|``| +|`OC_ADMIN_USER_ID`
`SETTINGS_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| +|`OC_JWT_SECRET`
`SETTINGS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`IDM_CREATE_DEMO_USERS`
`SETTINGS_SETUP_DEFAULT_ASSIGNMENTS`| 1.0.0 |bool|`The default role assignments the demo users should be setup.`|`false`| +|`SETTINGS_SERVICE_ACCOUNT_IDS`
`OC_SERVICE_ACCOUNT_ID`| 1.0.0 |[]string|`The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OC_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. See the 'auth-service' service description for more details about service accounts.`|`[service-user-id]`| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_TRANSLATION_PATH`
`SETTINGS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| diff --git a/static/env-vars/settings_readme.md b/static/env-vars/settings_readme.md index b587a601..637abe07 100755 --- a/static/env-vars/settings_readme.md +++ b/static/env-vars/settings_readme.md @@ -1,6 +1,6 @@ --- title: Settings -date: 2025-05-22T16:21:16.120183351+02:00 +date: 2025-11-13T17:22:55.096511+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/settings @@ -27,7 +27,6 @@ The `settings` service provides functionality for other services to register new * [Translation Rules](#translation-rules) * [Default Language](#default-language) * [Custom Roles](#custom-roles) -* [Example Yaml Config](#example-yaml-config) ## Settings Managed @@ -476,3 +475,4 @@ Example File: } ] ``` + diff --git a/static/env-vars/sharing-config-example.yaml b/static/env-vars/sharing-config-example.yaml index 41556a87..09b12312 100644 --- a/static/env-vars/sharing-config-example.yaml +++ b/static/env-vars/sharing-config-example.yaml @@ -46,7 +46,7 @@ user_sharing_drivers: cache_ttl: 0 max_concurrency: 1 json: - file: /home/chaser/.opencloud/storage/shares.json + file: /Users/t.schweiger/.opencloud/storage/shares.json cs3: provider_addr: eu.opencloud.api.storage-system system_user_id: "" @@ -62,7 +62,7 @@ user_sharing_drivers: public_sharing_driver: jsoncs3 public_sharing_drivers: json: - file: /home/chaser/.opencloud/storage/publicshares.json + file: /Users/t.schweiger/.opencloud/storage/publicshares.json jsoncs3: provider_addr: eu.opencloud.api.storage-system system_user_id: "" diff --git a/static/env-vars/sharing.yaml b/static/env-vars/sharing.yaml new file mode 100644 index 00000000..9d87e5a7 --- /dev/null +++ b/static/env-vars/sharing.yaml 
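Review bot: The new default `file: /Users/t.schweiger/.opencloud/storage/shares.json` in the first hunk of sharing-config-example.yaml (and `publicshares.json` in the second) replaces one developer's home directory with another's, so the published example still embeds a personal username and a machine-specific path instead of a portable value. The same value is carried into the new `sharing.yaml` on the following line and into the `SHARING_USER_JSON_FILE` and `SHARING_PUBLIC_JSON_FILE` rows of `sharing_configvars.md`. Since the table text for those rows already says the location derives from `$OC_BASE_DATA_PATH/storage` when unset, regenerating with `OC_BASE_DATA_PATH` pointed at a neutral directory (or post-processing the generator output) would keep local-environment details out of the docs. While regenerating `sharing_configvars.md`, note that the descriptions of `SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` and `SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` are swapped (the lowercase row says "uppercase letters" and vice versa), which this regeneration carries over unchanged.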
@@ -0,0 +1,85 @@ +# Autogenerated +# Filename: sharing.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9151 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9150 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_cert_path: "" + enable_tls: false + auth_username: "" + auth_password: "" +skip_user_groups_in_token: false +user_sharing_driver: jsoncs3 +user_sharing_drivers: + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cache_ttl: 0 + max_concurrency: 1 + json: + file: /Users/t.schweiger/.opencloud/storage/shares.json + cs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + user_storage_mount_id: "" +public_sharing_driver: jsoncs3 +public_sharing_drivers: + json: + file: /Users/t.schweiger/.opencloud/storage/publicshares.json + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" +public_sharing_writeableshare_must_have_password: false +public_sharing_share_must_have_password: true +enable_expired_shares_cleanup: true +password_policy: + min_characters: 8 + min_lowercase_characters: 1 + min_uppercase_characters: 1 + min_digits: 1 + min_special_characters: 1 + banned_passwords_list: "" 
diff --git a/static/env-vars/sharing_configvars.md b/static/env-vars/sharing_configvars.md index bba60841..37f99146 100644 --- a/static/env-vars/sharing_configvars.md +++ b/static/env-vars/sharing_configvars.md @@ -1,67 +1,67 @@ Environment variables for the **sharing** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`SHARING_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false|
-|`OC_TRACING_TYPE`

`SHARING_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.||
-|`OC_TRACING_ENDPOINT`

`SHARING_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.||
-|`OC_TRACING_COLLECTOR`

`SHARING_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.||
-|`OC_LOG_LEVEL`

`SHARING_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.||
-|`OC_LOG_PRETTY`

`SHARING_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false|
-|`OC_LOG_COLOR`

`SHARING_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false|
-|`OC_LOG_FILE`

`SHARING_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.||
-|`SHARING_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9151|
-|`SHARING_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.||
-|`SHARING_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false|
-|`SHARING_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false|
-|`SHARING_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9150|
-|`OC_GRPC_PROTOCOL`

`SHARING_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp|
-|`OC_JWT_SECRET`

`SHARING_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.||
-|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway|
-|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.||
-|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.||
-|`OC_EVENTS_ENDPOINT`

`SHARING_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233|
-|`OC_EVENTS_CLUSTER`

`SHARING_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster|
-|`OC_INSECURE`

`SHARING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false|
-|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`

`SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false.||
-|`OC_EVENTS_ENABLE_TLS`

`SHARING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false|
-|`OC_EVENTS_AUTH_USERNAME`

`SHARING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|Username for the events broker.||
-|`OC_EVENTS_AUTH_PASSWORD`

`SHARING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|Password for the events broker.||
-|`SHARING_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false|
-|`SHARING_USER_DRIVER`| 1.0.0 |string|Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' (deprecated) and 'owncloudsql'.|jsoncs3|
-|`SHARING_USER_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|GRPC address of the STORAGE-SYSTEM service.|eu.opencloud.api.storage-system|
-|`OC_SYSTEM_USER_ID`

`SHARING_USER_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.||
-|`OC_SYSTEM_USER_IDP`

`SHARING_USER_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|IDP of the OpenCloud STORAGE-SYSTEM system user.|internal|
-|`OC_SYSTEM_USER_API_KEY`

`SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|API key for the STORAGE-SYSTEM system user.||
-|`SHARING_USER_JSONCS3_CACHE_TTL`| 1.0.0 |int|TTL for the internal caches in seconds.|0|
-|`OC_MAX_CONCURRENCY`

`SHARING_USER_JSONCS3_MAX_CONCURRENCY`| 1.0.0 |int|Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.|1|
-|`SHARING_USER_JSON_FILE`| 1.0.0 |string|Path to the JSON file where shares will be persisted. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.|/home/chaser/.opencloud/storage/shares.json|
-|`SHARING_USER_CS3_PROVIDER_ADDR`| 1.0.0 |string|GRPC address of the STORAGE-SYSTEM service.|eu.opencloud.api.storage-system|
-|`OC_SYSTEM_USER_ID`

`SHARING_USER_CS3_SYSTEM_USER_ID`| 1.0.0 |string|ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.||
-|`OC_SYSTEM_USER_IDP`

`SHARING_USER_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|IDP of the OpenCloud STORAGE-SYSTEM system user.|internal|
-|`OC_SYSTEM_USER_API_KEY`

`SHARING_USER_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|API key for the STORAGE-SYSTEM system user.||
-|`SHARING_USER_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|Username for the database.|owncloud|
-|`SHARING_USER_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|Password for the database.||
-|`SHARING_USER_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|Hostname or IP of the database server.|mysql|
-|`SHARING_USER_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|Port that the database server is listening on.|3306|
-|`SHARING_USER_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|Name of the database to be used.|owncloud|
-|`SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID`| 1.0.0 |string|Mount ID of the ownCloudSQL users storage for mapping ownCloud 10 shares.||
-|`SHARING_PUBLIC_DRIVER`| 1.0.0 |string|Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3' (deprecated).|jsoncs3|
-|`SHARING_PUBLIC_JSON_FILE`| 1.0.0 |string|Path to the JSON file where public share meta-data will be stored. This JSON file contains the information about public shares that have been created. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.|/home/chaser/.opencloud/storage/publicshares.json|
-|`SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|GRPC address of the STORAGE-SYSTEM service.|eu.opencloud.api.storage-system|
-|`OC_SYSTEM_USER_ID`

`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.||
-|`OC_SYSTEM_USER_IDP`

`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|IDP of the OpenCloud STORAGE-SYSTEM system user.|internal|
-|`OC_SYSTEM_USER_API_KEY`

`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|API key for the STORAGE-SYSTEM system user.||
-|`SHARING_PUBLIC_CS3_PROVIDER_ADDR`| 1.0.0 |string|GRPC address of the STORAGE-SYSTEM service.|eu.opencloud.api.storage-system|
-|`OC_SYSTEM_USER_ID`

`SHARING_PUBLIC_CS3_SYSTEM_USER_ID`| 1.0.0 |string|ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.||
-|`OC_SYSTEM_USER_IDP`

`SHARING_PUBLIC_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|IDP of the OpenCloud STORAGE-SYSTEM system user.|internal|
-|`OC_SYSTEM_USER_API_KEY`

`SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|API key for the STORAGE-SYSTEM system user.||
-|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`

`SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service.|false|
-|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`

`SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|Set this to true if you want to enforce passwords on all public shares.|true|
-|`OC_PASSWORD_POLICY_DISABLED`

`SHARING_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|Disable the password policy. Defaults to false if not set.|false|
-|`OC_PASSWORD_POLICY_MIN_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|Define the minimum password length. Defaults to 8 if not set.|8|
-|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|Define the minimum number of uppercase letters. Defaults to 1 if not set.|1|
-|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|Define the minimum number of lowercase letters. Defaults to 1 if not set.|1|
-|`OC_PASSWORD_POLICY_MIN_DIGITS`

`SHARING_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|Define the minimum number of digits. Defaults to 1 if not set.|1|
-|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.|1|
-|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`

`SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.||
\ No newline at end of file
+|---|---|---|---|:---|
+|`OC_TRACING_ENABLED`

`SHARING_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`|
+|`OC_TRACING_TYPE`

`SHARING_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``|
+|`OC_TRACING_ENDPOINT`

`SHARING_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``|
+|`OC_TRACING_COLLECTOR`

`SHARING_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``|
+|`OC_LOG_LEVEL`

`SHARING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``|
+|`OC_LOG_PRETTY`

`SHARING_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`|
+|`OC_LOG_COLOR`

`SHARING_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`|
+|`OC_LOG_FILE`

`SHARING_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``|
+|`SHARING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9151`|
+|`SHARING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``|
+|`SHARING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`|
+|`SHARING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`|
+|`SHARING_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9150`|
+|`OC_GRPC_PROTOCOL`

`SHARING_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`|
+|`OC_JWT_SECRET`

`SHARING_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
+|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`|
+|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``|
+|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``|
+|`OC_EVENTS_ENDPOINT`

`SHARING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`|
+|`OC_EVENTS_CLUSTER`

`SHARING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`|
+|`OC_INSECURE`

`SHARING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`|
+|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`

`SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false.`|``|
+|`OC_EVENTS_ENABLE_TLS`

`SHARING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`|
+|`OC_EVENTS_AUTH_USERNAME`

`SHARING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`Username for the events broker.`|``|
+|`OC_EVENTS_AUTH_PASSWORD`

`SHARING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`Password for the events broker.`|``|
+|`SHARING_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`|
+|`SHARING_USER_DRIVER`| 1.0.0 |string|`Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' (deprecated) and 'owncloudsql'.`|`jsoncs3`|
+|`SHARING_USER_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`|
+|`OC_SYSTEM_USER_ID`

`SHARING_USER_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``|
+|`OC_SYSTEM_USER_IDP`

`SHARING_USER_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`|
+|`OC_SYSTEM_USER_API_KEY`

`SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``|
+|`SHARING_USER_JSONCS3_CACHE_TTL`| 1.0.0 |int|`TTL for the internal caches in seconds.`|`0`|
+|`OC_MAX_CONCURRENCY`

`SHARING_USER_JSONCS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`|
+|`SHARING_USER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where shares will be persisted. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/Users/t.schweiger/.opencloud/storage/shares.json`|
+|`SHARING_USER_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`|
+|`OC_SYSTEM_USER_ID`

`SHARING_USER_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``|
+|`OC_SYSTEM_USER_IDP`

`SHARING_USER_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`|
+|`OC_SYSTEM_USER_API_KEY`

`SHARING_USER_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``|
+|`SHARING_USER_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|`owncloud`|
+|`SHARING_USER_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|``|
+|`SHARING_USER_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|`mysql`|
+|`SHARING_USER_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|`3306`|
+|`SHARING_USER_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|`owncloud`|
+|`SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID`| 1.0.0 |string|`Mount ID of the ownCloudSQL users storage for mapping ownCloud 10 shares.`|``|
+|`SHARING_PUBLIC_DRIVER`| 1.0.0 |string|`Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3' (deprecated).`|`jsoncs3`|
+|`SHARING_PUBLIC_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where public share meta-data will be stored. This JSON file contains the information about public shares that have been created. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/Users/t.schweiger/.opencloud/storage/publicshares.json`|
+|`SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`|
+|`OC_SYSTEM_USER_ID`

`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``|
+|`OC_SYSTEM_USER_IDP`

`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`|
+|`OC_SYSTEM_USER_API_KEY`

`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``|
+|`SHARING_PUBLIC_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`|
+|`OC_SYSTEM_USER_ID`

`SHARING_PUBLIC_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``|
+|`OC_SYSTEM_USER_IDP`

`SHARING_PUBLIC_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`|
+|`OC_SYSTEM_USER_API_KEY`

`SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``|
+|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`

`SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service.`|`false`|
+|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`

`SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|`true`|
+|`OC_PASSWORD_POLICY_DISABLED`

`SHARING_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|`false`|
+|`OC_PASSWORD_POLICY_MIN_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|`8`|
+|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|`1`|
+|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|`1`|
+|`OC_PASSWORD_POLICY_MIN_DIGITS`

`SHARING_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|`1`|
+|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`

`SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|`1`|
+|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`

`SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|``| diff --git a/static/env-vars/sse.yaml b/static/env-vars/sse.yaml new file mode 100644 index 00000000..03db45dd --- /dev/null +++ b/static/env-vars/sse.yaml @@ -0,0 +1,50 @@ +# Autogenerated +# Filename: sse.yaml + +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9139 + token: "" + pprof: false + zpages: false +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +keepalive_interval: 0s +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +http: + addr: 127.0.0.1:9135 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +token_manager: + jwt_secret: "" diff --git a/static/env-vars/sse_configvars.md b/static/env-vars/sse_configvars.md index 344ce18f..ca25dd83 100644 --- a/static/env-vars/sse_configvars.md +++ b/static/env-vars/sse_configvars.md @@ -1,34 +1,34 @@ Environment variables for the **sse** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_LOG_LEVEL`
`SSE_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`SSE_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`SSE_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`SSE_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`SSE_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9139| -|`SSE_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`SSE_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`SSE_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`OC_TRACING_ENABLED`
`SSE_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`SSE_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`SSE_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`SSE_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`SSE_KEEPALIVE_INTERVAL`| 1.0.0 |Duration|To prevent intermediate proxies from closing the SSE connection, send periodic SSE comments to keep it open.|0s| -|`OC_EVENTS_ENDPOINT`
`SSE_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`SSE_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`SSE_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided SSE_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`SSE_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`SSE_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`SSE_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`SSE_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9135| -|`SSE_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`OC_CORS_ALLOW_ORIGINS`
`SSE_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`SSE_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET]| -|`OC_CORS_ALLOW_HEADERS`
`SSE_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| -|`OC_CORS_ALLOW_CREDENTIALS`
`SSE_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`OC_JWT_SECRET`
`SSE_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`SSE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`SSE_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`SSE_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`SSE_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`SSE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9139`| +|`SSE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`SSE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`SSE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_TRACING_ENABLED`
`SSE_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`SSE_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`SSE_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`SSE_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`SSE_KEEPALIVE_INTERVAL`| 1.0.0 |Duration|`To prevent intermediate proxies from closing the SSE connection, send periodic SSE comments to keep it open.`|`0s`| +|`OC_EVENTS_ENDPOINT`
`SSE_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`SSE_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`SSE_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SSE_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`SSE_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`SSE_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`SSE_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`SSE_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9135`| +|`SSE_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`SSE_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`SSE_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| +|`OC_CORS_ALLOW_HEADERS`
`SSE_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`SSE_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`SSE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| diff --git a/static/env-vars/sse_readme.md b/static/env-vars/sse_readme.md index 25e5a92a..474dbecc 100755 --- a/static/env-vars/sse_readme.md +++ b/static/env-vars/sse_readme.md @@ -1,6 +1,6 @@ --- title: SSE -date: 2025-05-22T16:21:16.120266287+02:00 +date: 2025-11-13T17:22:55.096997+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/sse @@ -21,7 +21,6 @@ The `sse` service is responsible for sending sse (Server-Sent Events) to a user. * [The Log Service Ecosystem](#the-log-service-ecosystem) * [Subscribing](#subscribing) * [Keep SSE Connections Alive](#keep-sse-connections-alive) -* [Example Yaml Config](#example-yaml-config) ## The Log Service Ecosystem @@ -38,3 +37,4 @@ Clients can subscribe to the `/sse` endpoint to be informed by the server when a Some intermediate proxies drop connections after an idle time with no activity. If this is the case, configure the `SSE_KEEPALIVE_INTERVAL` envvar. This will send periodic SSE comments to keep connections open. + diff --git a/static/env-vars/storage-publiclink.yaml b/static/env-vars/storage-publiclink.yaml new file mode 100644 index 00000000..2b590625 --- /dev/null +++ b/static/env-vars/storage-publiclink.yaml @@ -0,0 +1,32 @@ +# Autogenerated +# Filename: storage-publiclink.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9179 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9178 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +storage_provider: + mount_id: 7993447f-687f-490d-875c-ac95e89a62a4 
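Review bot: The description for `SSE_EVENTS_TLS_INSECURE` (`Whether to verify the server TLS certificates.`) reads as if `true` turns verification on, while the variable name and its alias `OC_INSECURE` mean the opposite, so an operator reading this table can get the sense of the flag backwards. A wording such as `Skip verification of the events broker's TLS server certificate. Treated as false when SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE is set.` would state the effect directly and agree with the neighbouring `SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE` row. The companion `sse.yaml` added in this patch is marked `# Autogenerated`, so this table is presumably generated from the service's config definitions and the fix most likely belongs there rather than in this file.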
diff --git a/static/env-vars/storage-publiclink_configvars.md b/static/env-vars/storage-publiclink_configvars.md index 8bfe2ecc..f36a7537 100644 --- a/static/env-vars/storage-publiclink_configvars.md +++ b/static/env-vars/storage-publiclink_configvars.md @@ -1,24 +1,24 @@ Environment variables for the **storage-publiclink** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`STORAGE_PUBLICLINK_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`STORAGE_PUBLICLINK_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`STORAGE_PUBLICLINK_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`STORAGE_PUBLICLINK_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`STORAGE_PUBLICLINK_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`STORAGE_PUBLICLINK_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`STORAGE_PUBLICLINK_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`STORAGE_PUBLICLINK_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`STORAGE_PUBLICLINK_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9179| -|`STORAGE_PUBLICLINK_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`STORAGE_PUBLICLINK_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`STORAGE_PUBLICLINK_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`STORAGE_PUBLICLINK_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9178| -|`OC_GRPC_PROTOCOL`
`STORAGE_PUBLICLINK_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`OC_JWT_SECRET`
`STORAGE_PUBLICLINK_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`STORAGE_PUBLICLINK_STORAGE_PROVIDER_MOUNT_ID`| 1.0.0 |string|Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.|7993447f-687f-490d-875c-ac95e89a62a4| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`STORAGE_PUBLICLINK_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`STORAGE_PUBLICLINK_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`STORAGE_PUBLICLINK_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`STORAGE_PUBLICLINK_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`STORAGE_PUBLICLINK_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`STORAGE_PUBLICLINK_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`STORAGE_PUBLICLINK_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`STORAGE_PUBLICLINK_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`STORAGE_PUBLICLINK_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9179`| +|`STORAGE_PUBLICLINK_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`STORAGE_PUBLICLINK_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`STORAGE_PUBLICLINK_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_PUBLICLINK_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9178`| +|`OC_GRPC_PROTOCOL`
`STORAGE_PUBLICLINK_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`STORAGE_PUBLICLINK_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`STORAGE_PUBLICLINK_STORAGE_PROVIDER_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|`7993447f-687f-490d-875c-ac95e89a62a4`| diff --git a/static/env-vars/storage-publiclink_readme.md b/static/env-vars/storage-publiclink_readme.md new file mode 100755 index 00000000..c93f426b --- /dev/null +++ b/static/env-vars/storage-publiclink_readme.md @@ -0,0 +1,21 @@ +--- +title: Storage Public Link +date: 2025-11-12T16:20:03.610455+01:00 +weight: 20 +geekdocRepo: https://github.com/opencloud-eu/opencloud +geekdocEditPath: edit/master/services/storage-publiclink +geekdocFilePath: README.md +geekdocCollapseSection: true +--- + + + +## Abstract + + +The `storage-publiclink` service handles public link functionality for shared resources within OpenCloud. + +## Table of Contents + + + 
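Review bot: `OC_GRPC_CLIENT_TLS_MODE` lists the values 'off', 'insecure' and 'on' but ships with an empty default, and nothing in the row says which of the three an empty value selects, so a reader cannot tell from this table whether the default client connection to the gateway verifies server certificates. A closing sentence of the form `An empty value behaves like '<MODE>'.`, with the actual mode taken from the service source, would close that gap. The same row, with the same omission, appears in the `storage-shares_configvars.md` hunk below. As these tables are presumably generated, the sentence probably needs to be added where the descriptions are defined.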
diff --git a/static/env-vars/storage-shares.yaml b/static/env-vars/storage-shares.yaml new file mode 100644 index 00000000..364221eb --- /dev/null +++ b/static/env-vars/storage-shares.yaml @@ -0,0 +1,33 @@ +# Autogenerated +# Filename: storage-shares.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9156 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9154 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +mount_id: 7639e57c-4433-4a12-8201-722fd0009154 +readonly: false +user_share_provider_endpoint: eu.opencloud.api.sharing diff --git a/static/env-vars/storage-shares_configvars.md b/static/env-vars/storage-shares_configvars.md index ff6ab96f..f9509d24 100644 --- a/static/env-vars/storage-shares_configvars.md +++ b/static/env-vars/storage-shares_configvars.md @@ -1,26 +1,26 @@ Environment variables for the **storage-shares** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`STORAGE_SHARES_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`STORAGE_SHARES_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`STORAGE_SHARES_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`STORAGE_SHARES_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`STORAGE_SHARES_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`STORAGE_SHARES_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`STORAGE_SHARES_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`STORAGE_SHARES_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`STORAGE_SHARES_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9156| -|`STORAGE_SHARES_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`STORAGE_SHARES_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`STORAGE_SHARES_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`STORAGE_SHARES_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9154| -|`OC_GRPC_PROTOCOL`
`STORAGE_SHARES_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GRPC service.|tcp| -|`OC_JWT_SECRET`
`STORAGE_SHARES_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`STORAGE_SHARES_MOUNT_ID`| 1.0.0 |string|Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.|7639e57c-4433-4a12-8201-722fd0009154| -|`STORAGE_SHARES_READ_ONLY`| 1.0.0 |bool|Set this storage to be read-only.|false| -|`STORAGE_SHARES_USER_SHARE_PROVIDER_ENDPOINT`| 1.0.0 |string|GRPC endpoint of the SHARING service.|eu.opencloud.api.sharing| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`STORAGE_SHARES_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`STORAGE_SHARES_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`STORAGE_SHARES_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`STORAGE_SHARES_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`STORAGE_SHARES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`STORAGE_SHARES_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`STORAGE_SHARES_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`STORAGE_SHARES_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`STORAGE_SHARES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9156`| +|`STORAGE_SHARES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`STORAGE_SHARES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`STORAGE_SHARES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_SHARES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9154`| +|`OC_GRPC_PROTOCOL`
`STORAGE_SHARES_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`STORAGE_SHARES_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`STORAGE_SHARES_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|`7639e57c-4433-4a12-8201-722fd0009154`| +|`STORAGE_SHARES_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`| +|`STORAGE_SHARES_USER_SHARE_PROVIDER_ENDPOINT`| 1.0.0 |string|`GRPC endpoint of the SHARING service.`|`eu.opencloud.api.sharing`| diff --git a/static/env-vars/storage-shares_readme.md b/static/env-vars/storage-shares_readme.md new file mode 100755 index 00000000..0aa97098 --- /dev/null +++ b/static/env-vars/storage-shares_readme.md 
@@ -0,0 +1,21 @@ +--- +title: Storage Shares +date: 2025-11-12T16:20:03.610542+01:00 +weight: 20 +geekdocRepo: https://github.com/opencloud-eu/opencloud +geekdocEditPath: edit/master/services/storage-shares +geekdocFilePath: README.md +geekdocCollapseSection: true +--- + + + +## Abstract + + +The `storage-shares` service manages shared storage resources within OpenCloud. + +## Table of Contents + + + diff --git a/static/env-vars/storage-system-config-example.yaml b/static/env-vars/storage-system-config-example.yaml index fb284651..8bb981c6 100644 --- a/static/env-vars/storage-system-config-example.yaml +++ b/static/env-vars/storage-system-config-example.yaml @@ -45,7 +45,7 @@ cache: driver: decomposed drivers: decomposed: - root: /home/chaser/.opencloud/storage/metadata + root: /Users/t.schweiger/.opencloud/storage/metadata max_acquire_lock_cycles: 20 lock_cycle_duration_factor: 30 data_server_url: http://localhost:9216/data diff --git a/static/env-vars/storage-system.yaml b/static/env-vars/storage-system.yaml new file mode 100644 index 00000000..33caa0f6 --- /dev/null +++ b/static/env-vars/storage-system.yaml 
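Review bot: The example config's `drivers.decomposed.root` now carries the author's home directory (`/Users/t.schweiger/.opencloud/storage/metadata`) in place of the previous contributor's, so the published docs keep showing a machine-specific path that no reader can use and that exposes a developer's account name. The same path is in the new `storage-system.yaml` hunk that follows, and `SHARING_PUBLIC_JSON_FILE` in the sharing table earlier in this patch defaults to `/Users/t.schweiger/.opencloud/storage/publicshares.json`. The generator presumably expands the base data path from the environment it runs in; running it with a neutral base path, or rendering these defaults in the documented form (the sharing row itself says the root derives from `$OC_BASE_DATA_PATH/storage`), would keep the committed defaults portable.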
@@ -0,0 +1,51 @@ +# Autogenerated +# Filename: storage-system.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9217 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9215 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9216 + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +system_user_id: "" +system_user_api_key: "" +skip_user_groups_in_token: false +cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: storage-system + ttl: 24m0s + disable_persistence: false + auth_username: "" + auth_password: "" +driver: decomposed +drivers: + decomposed: + root: /Users/t.schweiger/.opencloud/storage/metadata + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 +data_server_url: http://localhost:9216/data diff --git a/static/env-vars/storage-system_configvars.md b/static/env-vars/storage-system_configvars.md index 90ce7e44..920c5a9b 100644 --- a/static/env-vars/storage-system_configvars.md +++ b/static/env-vars/storage-system_configvars.md @@ -1,39 +1,39 @@ Environment variables for the **storage-system** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`STORAGE_SYSTEM_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`STORAGE_SYSTEM_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`STORAGE_SYSTEM_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`STORAGE_SYSTEM_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`STORAGE_SYSTEM_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`STORAGE_SYSTEM_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`STORAGE_SYSTEM_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`STORAGE_SYSTEM_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`STORAGE_SYSTEM_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9217| -|`STORAGE_SYSTEM_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint|| -|`STORAGE_SYSTEM_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling|false| -|`STORAGE_SYSTEM_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`STORAGE_SYSTEM_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9215| -|`OC_GRPC_PROTOCOL`
`STORAGE_SYSTEM_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GPRC service.|tcp| -|`STORAGE_SYSTEM_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9216| -|`STORAGE_SYSTEM_HTTP_PROTOCOL`| 1.0.0 |string|The transport protocol of the HTTP service.|tcp| -|`OC_JWT_SECRET`
`STORAGE_SYSTEM_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`OC_SYSTEM_USER_ID`| 1.0.0 |string|ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.|| -|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|API key for the STORAGE-SYSTEM system user.|| -|`STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`OC_CACHE_STORE`
`STORAGE_SYSTEM_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|memory| -|`OC_CACHE_STORE_NODES`
`STORAGE_SYSTEM_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|storage-system| -|`OC_CACHE_TTL`
`STORAGE_SYSTEM_CACHE_TTL`| 1.0.0 |Duration|Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.|24m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`| 1.0.0 |string|Username for the configured store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`| 1.0.0 |string|Password for the configured store. Only applies when store type 'nats-js-kv' is configured.|| -|`STORAGE_SYSTEM_DRIVER`| 1.0.0 |string|The driver which should be used by the service. The only supported driver is 'decomposed'. For backwards compatibility reasons it's also possible to use the 'ocis' driver and configure it using the 'decomposed' options. |decomposed| -|`STORAGE_SYSTEM_OC_ROOT`| 1.0.0 |string|Path for the directory where the STORAGE-SYSTEM service stores it's persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.|/home/chaser/.opencloud/storage/metadata| -|`STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.|20| -|`STORAGE_SYSTEM_OC_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.|30| -|`STORAGE_SYSTEM_DATA_SERVER_URL`| 1.0.0 |string|URL of the data server, needs to be reachable by other services using this service.|http://localhost:9216/data| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`STORAGE_SYSTEM_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`STORAGE_SYSTEM_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`STORAGE_SYSTEM_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`STORAGE_SYSTEM_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`STORAGE_SYSTEM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`STORAGE_SYSTEM_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`STORAGE_SYSTEM_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`STORAGE_SYSTEM_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`STORAGE_SYSTEM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9217`| +|`STORAGE_SYSTEM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|``| +|`STORAGE_SYSTEM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|`false`| +|`STORAGE_SYSTEM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_SYSTEM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9215`| +|`OC_GRPC_PROTOCOL`
`STORAGE_SYSTEM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`STORAGE_SYSTEM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9216`| +|`STORAGE_SYSTEM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`OC_JWT_SECRET`
`STORAGE_SYSTEM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`OC_CACHE_STORE`
`STORAGE_SYSTEM_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`STORAGE_SYSTEM_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-system`| +|`OC_CACHE_TTL`
`STORAGE_SYSTEM_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`| 1.0.0 |string|`Username for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`Password for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`STORAGE_SYSTEM_DRIVER`| 1.0.0 |string|`The driver which should be used by the service. The only supported driver is 'decomposed'. For backwards compatibility reasons it's also possible to use the 'ocis' driver and configure it using the 'decomposed' options. `|`decomposed`| +|`STORAGE_SYSTEM_OC_ROOT`| 1.0.0 |string|`Path for the directory where the STORAGE-SYSTEM service stores it's persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/Users/t.schweiger/.opencloud/storage/metadata`| +|`STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`| +|`STORAGE_SYSTEM_OC_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|`30`| +|`STORAGE_SYSTEM_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by other services using this service.`|`http://localhost:9216/data`| diff --git a/static/env-vars/storage-system_readme.md b/static/env-vars/storage-system_readme.md index ebb1092b..6414c30c 100755 --- a/static/env-vars/storage-system_readme.md +++ b/static/env-vars/storage-system_readme.md @@ -1,6 +1,6 @@ --- title: Storage-System -date: 2025-05-22T16:21:16.120308536+02:00 +date: 2025-11-13T17:22:55.097089+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/storage-system 
@@ -19,7 +19,6 @@ The OpenCloud Storage-System service persists and caches user related data that ## Table of Contents * [Caching](#caching) -* [Example Yaml Config](#example-yaml-config) ## Caching @@ -39,3 +38,4 @@ Store specific notes: - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus. - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc. + diff --git a/static/env-vars/storage-users-config-example.yaml b/static/env-vars/storage-users-config-example.yaml index 3897d52c..c3b0e5d5 100644 --- a/static/env-vars/storage-users-config-example.yaml +++ b/static/env-vars/storage-users-config-example.yaml @@ -79,7 +79,7 @@ drivers: propagator: sync async_propagator_options: propagation_delay: 0s - root: /home/chaser/.opencloud/storage/users + root: /Users/t.schweiger/.opencloud/storage/users user_layout: '{{.Id.OpaqueId}}' permissions_endpoint: eu.opencloud.api.settings personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' @@ -97,7 +97,7 @@ drivers: propagator: sync async_propagator_options: propagation_delay: 0s - root: /home/chaser/.opencloud/storage/users + root: /Users/t.schweiger/.opencloud/storage/users user_layout: '{{.Id.OpaqueId}}' permissions_endpoint: eu.opencloud.api.settings region: default 
@@ -106,9 +106,9 @@ drivers: endpoint: "" bucket: "" put_object_disable_content_sha254: false - put_object_disable_multipart: true + put_object_disable_multipart: false put_object_send_content_md5: true - put_object_concurrent_stream_parts: true + put_object_concurrent_stream_parts: false put_object_num_threads: 4 put_object_part_size: 0 personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' @@ -122,10 +122,10 @@ drivers: async_uploads: true disable_versioning: false owncloudsql: - root: /home/chaser/.opencloud/storage/owncloud + root: /Users/t.schweiger/.opencloud/storage/owncloud share_folder: /Shares user_layout: '{{.Username}}' - upload_info_dir: /home/chaser/.opencloud/storage/uploadinfo + upload_info_dir: /Users/t.schweiger/.opencloud/storage/uploadinfo db_username: owncloud db_password: owncloud db_host: "" @@ -133,7 +133,7 @@ drivers: db_name: owncloud users_provider_endpoint: eu.opencloud.api.users posix: - root: /home/chaser/.opencloud/storage/users + root: /Users/t.schweiger/.opencloud/storage/users propagator: "" async_propagator_options: propagation_delay: 0s @@ -158,7 +158,7 @@ drivers: watch_root: "" inotify_stats_frequency: 5m0s data_server_url: http://localhost:9158/data -data_gateway_url: https://localhost:9200/data +data_gateway_url: http://localhost:9140/data transfer_expires: 86400 events: endpoint: 127.0.0.1:9233 diff --git a/static/env-vars/storage-users.yaml b/static/env-vars/storage-users.yaml new file mode 100644 index 00000000..f64aed8e --- /dev/null +++ b/static/env-vars/storage-users.yaml 
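Review bot: The `@@ -158` hunk changes the documented `data_gateway_url` from `https://localhost:9200/data` to `http://localhost:9140/data`, i.e. from a TLS URL to plaintext on a different port, and the `@@ -106` hunk flips `put_object_disable_multipart` and `put_object_concurrent_stream_parts` from `true` to `false`; none of this is called out by the commit message ("Update docs with latest env vars"). If these mirror real default changes in the storage-users service, the storage-users readme or a changelog entry should say so, because an admin who copies this example may end up advertising a non-TLS data gateway unless they override the value. If they are artefacts of the author's local environment rather than new defaults, the example should be regenerated from the shipped defaults before merging.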
@@ -0,0 +1,204 @@ +# Autogenerated +# Filename: storage-users.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9159 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9157 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9158 + protocol: tcp + prefix: data + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - POST + - HEAD + - PATCH + - OPTIONS + - GET + - DELETE + allow_headers: + - Authorization + - Origin + - X-Requested-With + - X-Request-Id + - X-HTTP-Method-Override + - Content-Type + - Upload-Length + - Upload-Offset + - Tus-Resumable + - Upload-Metadata + - Upload-Defer-Length + - Upload-Concat + - Upload-Incomplete + - Upload-Draft-Interop-Version + allow_credentials: false + expose_headers: + - Upload-Offset + - Location + - Upload-Length + - Tus-Version + - Tus-Resumable + - Tus-Max-Size + - Tus-Extension + - Upload-Metadata + - Upload-Defer-Length + - Upload-Concat + - Upload-Incomplete + - Upload-Draft-Interop-Version + max_age: 86400 +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +graceful_shutdown_timeout: 30 +driver: posix +drivers: + decomposed: + propagator: sync + async_propagator_options: + propagation_delay: 0s + root: /Users/t.schweiger/.opencloud/storage/users + user_layout: '{{.Id.OpaqueId}}' + permissions_endpoint: eu.opencloud.api.settings + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: "" + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: "" + share_folder: /Shares + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 + max_concurrency: 5 + async_uploads: true + max_quota: 0 + disable_versioning: false + decomposeds3: + propagator: sync + async_propagator_options: + 
propagation_delay: 0s + root: /Users/t.schweiger/.opencloud/storage/users + user_layout: '{{.Id.OpaqueId}}' + permissions_endpoint: eu.opencloud.api.settings + region: default + access_key: "" + secret_key: "" + endpoint: "" + bucket: "" + put_object_disable_content_sha254: false + put_object_disable_multipart: false + put_object_send_content_md5: true + put_object_concurrent_stream_parts: false + put_object_num_threads: 4 + put_object_part_size: 0 + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: "" + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: "" + share_folder: /Shares + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 + max_concurrency: 5 + async_uploads: true + disable_versioning: false + owncloudsql: + root: /Users/t.schweiger/.opencloud/storage/owncloud + share_folder: /Shares + user_layout: '{{.Username}}' + upload_info_dir: /Users/t.schweiger/.opencloud/storage/uploadinfo + db_username: owncloud + db_password: owncloud + db_host: "" + db_port: 3306 + db_name: owncloud + users_provider_endpoint: eu.opencloud.api.users + posix: + root: /Users/t.schweiger/.opencloud/storage/users + propagator: "" + async_propagator_options: + propagation_delay: 0s + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: users/{{.User.Id.OpaqueId}} + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: projects/{{.SpaceId}} + permissions_endpoint: eu.opencloud.api.settings + async_uploads: true + scan_debounce_delay: 1s + max_quota: 0 + max_acquire_lock_cycles: 0 + lock_cycle_duration_factor: 0 + max_concurrency: 0 + disable_versioning: false + use_space_groups: false + enable_fs_revisions: false + watch_fs: false + watch_type: "" + watch_path: "" + watch_notification_brokers: "" + watch_root: "" + inotify_stats_frequency: 5m0s 
+data_server_url: http://localhost:9158/data +data_gateway_url: http://localhost:9140/data +transfer_expires: 86400 +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_cert_path: "" + enable_tls: false + num_consumers: 0 + username: "" + password: "" +filemetadata_cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: storage-users + ttl: 24m0s + disable_persistence: false + username: "" + password: "" +id_cache: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: ids-storage-users + ttl: 24m0s + disable_persistence: false + username: "" + password: "" +mount_id: "" +expose_data_server: false +readonly: false +upload_expiration: 86400 +tasks: + purge_trash_bin: + user_id: "" + personal_delete_before: 720h0m0s + project_delete_before: 720h0m0s +service_account: + service_account_id: "" + service_account_secret: "" +gateway_addr: 127.0.0.1:9142 +machine_auth_api_key: "" +max_attempts_rename_file: 0 diff --git a/static/env-vars/storage-users_configvars.md b/static/env-vars/storage-users_configvars.md index edd95c1e..b448696f 100644 --- a/static/env-vars/storage-users_configvars.md +++ b/static/env-vars/storage-users_configvars.md @@ -1,154 +1,154 @@ -2025-05-22-16-21-09 +2025-11-13-17-19-28 # Deprecation Notice | Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement | -|---|---|---|---| +|---|---|---|:---| | | next | | | Environment variables for the **storage-users** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`STORAGE_USERS_SERVICE_NAME`| 1.0.0 |string|Service name to use. Change this when starting an additional storage provider with a custom configuration to prevent it from colliding with the default 'storage-users' service.|storage-users| -|`OC_TRACING_ENABLED`
`STORAGE_USERS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`STORAGE_USERS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`STORAGE_USERS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`STORAGE_USERS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`STORAGE_USERS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`STORAGE_USERS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`STORAGE_USERS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`STORAGE_USERS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`STORAGE_USERS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9159| -|`STORAGE_USERS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`STORAGE_USERS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`STORAGE_USERS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`STORAGE_USERS_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9157| -|`OC_GRPC_PROTOCOL`
`STORAGE_USERS_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GPRC service.|tcp| -|`STORAGE_USERS_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9158| -|`STORAGE_USERS_HTTP_PROTOCOL`| 1.0.0 |string|The transport protocol of the HTTP service.|tcp| -|`OC_CORS_ALLOW_ORIGINS`
`STORAGE_USERS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[https://localhost:9200]| -|`OC_CORS_ALLOW_METHODS`
`STORAGE_USERS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[POST HEAD PATCH OPTIONS GET DELETE]| -|`OC_CORS_ALLOW_HEADERS`
`STORAGE_USERS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]| -|`OC_CORS_ALLOW_CREDENTIALS`
`STORAGE_USERS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|false| -|`OC_CORS_EXPOSE_HEADERS`
`STORAGE_USERS_CORS_EXPOSE_HEADERS`| 1.0.0 |[]string|A list of exposed CORS headers. See following chapter for more details: *Access-Control-Expose-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers. See the Environment Variable Types description for more details.|[Upload-Offset Location Upload-Length Tus-Version Tus-Resumable Tus-Max-Size Tus-Extension Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]| -|`OC_CORS_MAX_AGE`
`STORAGE_USERS_CORS_MAX_AGE`| 1.0.0 |uint|The max cache duration of preflight headers. See following chapter for more details: *Access-Control-Max-Age* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age. See the Environment Variable Types description for more details.|86400| -|`OC_JWT_SECRET`
`STORAGE_USERS_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT`| 1.0.0 |int|The number of seconds to wait for the 'storage-users' service to shutdown cleanly before exiting with an error that gets logged. Note: This setting is only applicable when running the 'storage-users' service as a standalone service. See the text description for more details.|30| -|`STORAGE_USERS_DRIVER`| 1.0.0 |string|The storage driver which should be used by the service. Defaults to 'decomposed', Supported values are: 'decomposed', 'decomposeds3' and 'owncloudsql'. For backwards compatibility reasons it's also possible to use the 'ocis' and 's3ng' driver and configure them using the 'decomposed'/'decomposeds3' options. The 'decomposed' driver stores all data (blob and meta data) in an POSIX compliant volume. The 'decomposeds3' driver stores metadata in a POSIX compliant volume and uploads blobs to the s3 bucket.|posix| -|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSED_PROPAGATOR`| 1.0.0 |string|The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.|sync| -|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.|0s| -|`STORAGE_USERS_DECOMPOSED_ROOT`| 1.0.0 |string|The directory where the filesystem storage will store blobs and metadata. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.|/home/chaser/.opencloud/storage/users| -|`STORAGE_USERS_DECOMPOSED_USER_LAYOUT`| 1.0.0 |string|Template string for the user storage layout in the user directory.|{{.Id.OpaqueId}}| -|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSED_PERMISSIONS_ENDPOINT`| 1.0.0 |string|Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.|eu.opencloud.api.settings| -|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|Template string to construct personal space aliases.|{{.SpaceType}}/{{.User.Username \| lower}}| -|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|Template string to construct the paths of the personal space roots.|| -|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|Template string to construct general space aliases.|{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}| -|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|Template string to construct the paths of the projects space roots.|| -|`STORAGE_USERS_DECOMPOSED_SHARE_FOLDER`| 1.0.0 |string|Name of the folder jailing all shares.|/Shares| -|`STORAGE_USERS_DECOMPOSED_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.|20| -|`STORAGE_USERS_DECOMPOSED_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.|30| -|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSED_MAX_CONCURRENCY`| 1.0.0 |int|Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.|5| -|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|Enable asynchronous file uploads.|true| -|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_DECOMPOSED_MAX_QUOTA`| 1.0.0 |uint64|Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.|0| -|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.|false| -|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSEDS3_PROPAGATOR`| 1.0.0 |string|The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.|sync| -|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.|0s| -|`STORAGE_USERS_DECOMPOSEDS3_ROOT`| 1.0.0 |string|The directory where the filesystem storage will store metadata for blobs. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.|/home/chaser/.opencloud/storage/users| -|`STORAGE_USERS_DECOMPOSEDS3_USER_LAYOUT`| 1.0.0 |string|Template string for the user storage layout in the user directory.|{{.Id.OpaqueId}}| -|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSEDS3_PERMISSIONS_ENDPOINT`| 1.0.0 |string|Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.|eu.opencloud.api.settings| -|`STORAGE_USERS_DECOMPOSEDS3_REGION`| 1.0.0 |string|Region of the S3 bucket.|default| -|`STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY`| 1.0.0 |string|Access key for the S3 bucket.|| -|`STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY`| 1.0.0 |string|Secret key for the S3 bucket.|| -|`STORAGE_USERS_DECOMPOSEDS3_ENDPOINT`| 1.0.0 |string|Endpoint for the S3 bucket.|| -|`STORAGE_USERS_DECOMPOSEDS3_BUCKET`| 1.0.0 |string|Name of the S3 bucket.|| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_CONTENT_SHA256`| 1.0.0 |bool|Disable sending content sha256 when copying objects to S3.|false| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_MULTIPART`| 1.0.0 |bool|Disable multipart uploads when copying objects to S3|true| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_SEND_CONTENT_MD5`| 1.0.0 |bool|Send a Content-MD5 header when copying objects to S3.|true| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_CONCURRENT_STREAM_PARTS`| 1.0.0 |bool|Always precreate parts when copying objects to S3.|true| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_NUM_THREADS`| 1.0.0 |uint|Number of concurrent uploads to use when copying objects to S3.|4| -|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_PART_SIZE`| 1.0.0 |uint64|Part size for concurrent uploads to S3. If no value or 0 is set, the library's default value of 16MB is used. 
The value range is min 5MB and max 5GB.|0| -|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|Template string to construct personal space aliases.|{{.SpaceType}}/{{.User.Username \| lower}}| -|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|Template string to construct the paths of the personal space roots.|| -|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|Template string to construct general space aliases.|{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}| -|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|Template string to construct the paths of the projects space roots.|| -|`STORAGE_USERS_DECOMPOSEDS3_SHARE_FOLDER`| 1.0.0 |string|Name of the folder jailing all shares.|/Shares| -|`STORAGE_USERS_DECOMPOSEDS3_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.|20| -|`STORAGE_USERS_DECOMPOSEDS3_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.|30| -|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSEDS3_MAX_CONCURRENCY`| 1.0.0 |int|Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value of 100 will be used.|5| -|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|Enable asynchronous file uploads.|true| -|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.|false| -|`STORAGE_USERS_OWNCLOUDSQL_DATADIR`| 1.0.0 |string|The directory where the filesystem storage will store SQL migration data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/owncloud.|/home/chaser/.opencloud/storage/owncloud| -|`STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER`| 1.0.0 |string|Name of the folder jailing all shares.|/Shares| -|`STORAGE_USERS_OWNCLOUDSQL_LAYOUT`| 1.0.0 |string|Path layout to use to navigate into a users folder in an owncloud data directory|{{.Username}}| -|`STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR`| 1.0.0 |string|The directory where the filesystem will store uploads temporarily. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/uploadinfo.|/home/chaser/.opencloud/storage/uploadinfo| -|`STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|Username for the database.|owncloud| -|`STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|Password for the database.|owncloud| -|`STORAGE_USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|Hostname or IP of the database server.|| -|`STORAGE_USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|Port that the database server is listening on.|3306| -|`STORAGE_USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|Name of the database to be used.|owncloud| -|`STORAGE_USERS_OWNCLOUDSQL_USERS_PROVIDER_ENDPOINT`| 1.0.0 |string|Endpoint of the users provider.|eu.opencloud.api.users| -|`STORAGE_USERS_POSIX_ROOT`| 1.0.0 |string|The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.|/home/chaser/.opencloud/storage/users| -|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_POSIX_PROPAGATOR`| 2.0.0 |string|The propagator used for the posix driver. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.|| -|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.|0s| -|`STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|Template string to construct personal space aliases.|{{.SpaceType}}/{{.User.Username \| lower}}| -|`STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|Template string to construct the paths of the personal space roots.|users/{{.User.Id.OpaqueId}}| -|`STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|Template string to construct general space aliases.|{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}| -|`STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|Template string to construct the paths of the projects space roots.|projects/{{.SpaceId}}| -|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT`| 1.0.0 |string|Endpoint of the permissions service. The endpoints can differ for 'decomposed', 'posix' and 'decomposeds3'.|eu.opencloud.api.settings| -|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|Enable asynchronous file uploads.|true| -|`STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY`| 1.0.0 |Duration|The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected.|1s| -|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_POSIX_MAX_QUOTA`| 2.0.0 |uint64|Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.|0| -|`STORAGE_USERS_POSIX_MAX_ACQUIRE_LOCK_CYCLES`| 2.0.0 |int|When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.|0| -|`STORAGE_USERS_POSIX_LOCK_CYCLE_DURATION_FACTOR`| 2.0.0 |int|When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.|0| -|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_POSIX_MAX_CONCURRENCY`| 2.0.0 |int|Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.|0| -|`OC_DISABLE_VERSIONING`| 2.0.0 |bool|Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.|false| -|`STORAGE_USERS_POSIX_USE_SPACE_GROUPS`| 1.0.0 |bool|Use space groups to manage permissions on spaces.|false| -|`STORAGE_USERS_POSIX_ENABLE_FS_REVISIONS`| 1.0.0 |bool|Allow for generating revisions from changes done to the local storage. Note: This doubles the number of bytes stored on disk because a copy of the current revision is stored to be turned into a revision later.|false| -|`STORAGE_USERS_POSIX_WATCH_FS`| 2.0.0 |bool|Enable the filesystem watcher to detect changes to the filesystem. This is used to detect changes to the filesystem and update the metadata accordingly.|false| -|`STORAGE_USERS_POSIX_WATCH_TYPE`| 1.0.0 |string|Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'cephfs', 'gpfswatchfolder' and 'gpfsfileauditlogging'.|| -|`STORAGE_USERS_POSIX_WATCH_PATH`| 1.0.0 |string|Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch.|| -|`STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS,STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS`| 1.0.0 |string|Comma-separated list of kafka brokers to read the watchfolder events from.|| -|`STORAGE_USERS_POSIX_WATCH_ROOT`| next |string|Path to the watch root directory. Event paths will be considered relative to this path. 
Only applies to the 'gpswatchfolder' and 'cephfs' watchers.|| -|`STORAGE_USERS_POSIX_INOTIFY_STATS_FREQUENCY`| next |Duration|Frequency to log inotify stats.|5m0s| -|`STORAGE_USERS_DATA_SERVER_URL`| 1.0.0 |string|URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.|http://localhost:9158/data| -|`STORAGE_USERS_DATA_GATEWAY_URL`| 1.0.0 |string|URL of the data gateway server|https://localhost:9200/data| -|`STORAGE_USERS_TRANSFER_EXPIRES`| 1.0.0 |int64|The time after which the token for upload postprocessing expires|86400| -|`OC_EVENTS_ENDPOINT`
`STORAGE_USERS_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`STORAGE_USERS_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`STORAGE_USERS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`STORAGE_USERS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`STORAGE_USERS_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1.|0| -|`OC_EVENTS_AUTH_USERNAME`
`STORAGE_USERS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`STORAGE_USERS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_CACHE_STORE`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|memory| -|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|storage-users| -|`OC_CACHE_TTL`
`STORAGE_USERS_FILEMETADATA_CACHE_TTL`| 1.0.0 |Duration|Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.|24m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_STORE`
`STORAGE_USERS_ID_CACHE_STORE`| 1.0.0 |string|The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.|nats-js-kv| -|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_ID_CACHE_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[127.0.0.1:9233]| -|`OC_CACHE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|ids-storage-users| -|`OC_CACHE_TTL`
`STORAGE_USERS_ID_CACHE_TTL`| 1.0.0 |Duration|Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details.|24m0s| -|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.|false| -|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|| -|`STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|Mount ID of this storage.|| -|`STORAGE_USERS_EXPOSE_DATA_SERVER`| 1.0.0 |bool|Exposes the data server directly to users and bypasses the data gateway. Ensure that the data server address is reachable by users.|false| -|`STORAGE_USERS_READ_ONLY`| 1.0.0 |bool|Set this storage to be read-only.|false| -|`STORAGE_USERS_UPLOAD_EXPIRATION`| 1.0.0 |int64|Duration in seconds after which uploads will expire. Note that when setting this to a low number, uploads could be cancelled before they are finished and return a 403 to the user.|86400| -|`OC_ADMIN_USER_ID`
`STORAGE_USERS_PURGE_TRASH_BIN_USER_ID`| 1.0.0 |string|ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.|| -|`STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE`| 1.0.0 |Duration|Specifies the period of time in which items that have been in the personal trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.|720h0m0s| -|`STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE`| 1.0.0 |Duration|Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.|720h0m0s| -|`OC_SERVICE_ACCOUNT_ID`
`STORAGE_USERS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`STORAGE_USERS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| -|`OC_GATEWAY_GRPC_ADDR`
`STORAGE_USERS_GATEWAY_GRPC_ADDR`| 1.0.0 |string|The bind address of the gateway GRPC address.|127.0.0.1:9142| -|`OC_MACHINE_AUTH_API_KEY`
`STORAGE_USERS_MACHINE_AUTH_API_KEY`| 1.0.0 |string|Machine auth API key used to validate internal requests necessary for the access to resources from other services.|| -|`STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE`| 1.0.0 |int|The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100.|0| \ No newline at end of file +|---|---|---|---|:---| +|`STORAGE_USERS_SERVICE_NAME`| 1.0.0 |string|`Service name to use. Change this when starting an additional storage provider with a custom configuration to prevent it from colliding with the default 'storage-users' service.`|`storage-users`| +|`OC_TRACING_ENABLED`
`STORAGE_USERS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`STORAGE_USERS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`STORAGE_USERS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`STORAGE_USERS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`STORAGE_USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`STORAGE_USERS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`STORAGE_USERS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`STORAGE_USERS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`STORAGE_USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9159`| +|`STORAGE_USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`STORAGE_USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`STORAGE_USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9157`| +|`OC_GRPC_PROTOCOL`
`STORAGE_USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`STORAGE_USERS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9158`| +|`STORAGE_USERS_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`OC_CORS_ALLOW_ORIGINS`
`STORAGE_USERS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`STORAGE_USERS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[POST HEAD PATCH OPTIONS GET DELETE]`| +|`OC_CORS_ALLOW_HEADERS`
`STORAGE_USERS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`STORAGE_USERS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_CORS_EXPOSE_HEADERS`
`STORAGE_USERS_CORS_EXPOSE_HEADERS`| 1.0.0 |[]string|`A list of exposed CORS headers. See following chapter for more details: *Access-Control-Expose-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers. See the Environment Variable Types description for more details.`|`[Upload-Offset Location Upload-Length Tus-Version Tus-Resumable Tus-Max-Size Tus-Extension Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]`| +|`OC_CORS_MAX_AGE`
`STORAGE_USERS_CORS_MAX_AGE`| 1.0.0 |uint|`The max cache duration of preflight headers. See following chapter for more details: *Access-Control-Max-Age* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age. See the Environment Variable Types description for more details.`|`86400`| +|`OC_JWT_SECRET`
`STORAGE_USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT`| 1.0.0 |int|`The number of seconds to wait for the 'storage-users' service to shutdown cleanly before exiting with an error that gets logged. Note: This setting is only applicable when running the 'storage-users' service as a standalone service. See the text description for more details.`|`30`| +|`STORAGE_USERS_DRIVER`| 1.0.0 |string|`The storage driver which should be used by the service. Defaults to 'posix'. Supported values are: 'posix', 'decomposed', 'decomposeds3' and 'owncloudsql'. For backwards compatibility reasons it's also possible to use the 'ocis' and 's3ng' driver and configure them using the 'decomposed'/'decomposeds3' options. The 'posix' driver stores data directly on a POSIX-compliant filesystem. The 'decomposed' driver stores all data (blob and meta data) in a POSIX compliant volume. The 'decomposeds3' driver stores metadata in a POSIX compliant volume and uploads blobs to the s3 bucket.`|`posix`| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSED_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|`sync`| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| +|`STORAGE_USERS_DECOMPOSED_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store blobs and metadata. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/Users/t.schweiger/.opencloud/storage/users`| +|`STORAGE_USERS_DECOMPOSED_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|`{{.Id.OpaqueId}}`| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSED_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|`eu.opencloud.api.settings`| +|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| +|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|``| +|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| +|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|``| +|`STORAGE_USERS_DECOMPOSED_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| +|`STORAGE_USERS_DECOMPOSED_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|`20`| +|`STORAGE_USERS_DECOMPOSED_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|`30`| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSED_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`5`| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| +|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_DECOMPOSED_MAX_QUOTA`| 1.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|`0`| +|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSEDS3_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|`sync`| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| +|`STORAGE_USERS_DECOMPOSEDS3_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store metadata for blobs. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/Users/t.schweiger/.opencloud/storage/users`| +|`STORAGE_USERS_DECOMPOSEDS3_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|`{{.Id.OpaqueId}}`| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSEDS3_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|`eu.opencloud.api.settings`| +|`STORAGE_USERS_DECOMPOSEDS3_REGION`| 1.0.0 |string|`Region of the S3 bucket.`|`default`| +|`STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY`| 1.0.0 |string|`Access key for the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY`| 1.0.0 |string|`Secret key for the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_ENDPOINT`| 1.0.0 |string|`Endpoint for the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_BUCKET`| 1.0.0 |string|`Name of the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_CONTENT_SHA256`| 1.0.0 |bool|`Disable sending content sha256 when copying objects to S3.`|`false`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_MULTIPART`| 1.0.0 |bool|`Disable multipart uploads when copying objects to S3.`|`false`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_SEND_CONTENT_MD5`| 1.0.0 |bool|`Send a Content-MD5 header when copying objects to S3.`|`true`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_CONCURRENT_STREAM_PARTS`| 1.0.0 |bool|`Always precreate parts when copying objects to S3. This is not recommended. It uses a memory buffer. If true, PartSize needs to be set.`|`false`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_NUM_THREADS`| 1.0.0 |uint|`Number of concurrent uploads to use when copying objects to S3.`|`4`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_PART_SIZE`| 1.0.0 |uint64|`Part size for concurrent uploads to S3. If no value or 0 is set, the library automatically calculates the part size according to the total size of the file to be uploaded. 
The value range is min 5MB and max 5GB.`|`0`| +|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| +|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| +|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| +|`STORAGE_USERS_DECOMPOSEDS3_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`| +|`STORAGE_USERS_DECOMPOSEDS3_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|`30`| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSEDS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value of 100 will be used.`|`5`| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| +|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| +|`STORAGE_USERS_OWNCLOUDSQL_DATADIR`| 1.0.0 |string|`The directory where the filesystem storage will store SQL migration data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/owncloud.`|`/Users/t.schweiger/.opencloud/storage/owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| +|`STORAGE_USERS_OWNCLOUDSQL_LAYOUT`| 1.0.0 |string|`Path layout to use to navigate into a users folder in an owncloud data directory`|`{{.Username}}`| +|`STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR`| 1.0.0 |string|`The directory where the filesystem will store uploads temporarily. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/uploadinfo.`|`/Users/t.schweiger/.opencloud/storage/uploadinfo`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|`owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|`owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|``| +|`STORAGE_USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|`3306`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|`owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_USERS_PROVIDER_ENDPOINT`| 1.0.0 |string|`Endpoint of the users provider.`|`eu.opencloud.api.users`| +|`STORAGE_USERS_POSIX_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/Users/t.schweiger/.opencloud/storage/users`| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_POSIX_PROPAGATOR`| 2.0.0 |string|`The propagator used for the posix driver. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|``| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| +|`STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| +|`STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|`users/{{.User.Id.OpaqueId}}`| +|`STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| +|`STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|`projects/{{.SpaceId}}`| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed', 'posix' and 'decomposeds3'.`|`eu.opencloud.api.settings`| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| +|`STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY`| 1.0.0 |Duration|`The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected.`|`1s`| +|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_POSIX_MAX_QUOTA`| 2.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|`0`| +|`STORAGE_USERS_POSIX_MAX_ACQUIRE_LOCK_CYCLES`| 2.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|`0`| +|`STORAGE_USERS_POSIX_LOCK_CYCLE_DURATION_FACTOR`| 2.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|`0`| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_POSIX_MAX_CONCURRENCY`| 2.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`0`| +|`OC_DISABLE_VERSIONING`| 2.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| +|`STORAGE_USERS_POSIX_USE_SPACE_GROUPS`| 1.0.0 |bool|`Use space groups to manage permissions on spaces.`|`false`| +|`STORAGE_USERS_POSIX_ENABLE_FS_REVISIONS`| 1.0.0 |bool|`Allow for generating revisions from changes done to the local storage. Note: This doubles the number of bytes stored on disk because a copy of the current revision is stored to be turned into a revision later.`|`false`| +|`STORAGE_USERS_POSIX_WATCH_FS`| 2.0.0 |bool|`Enable the filesystem watcher to detect changes to the filesystem. This is used to detect changes to the filesystem and update the metadata accordingly.`|`false`| +|`STORAGE_USERS_POSIX_WATCH_TYPE`| 1.0.0 |string|`Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'cephfs', 'gpfswatchfolder' and 'gpfsfileauditlogging'.`|``| +|`STORAGE_USERS_POSIX_WATCH_PATH`| 1.0.0 |string|`Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch.`|``| +|`STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS,STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS`| 1.0.0 |string|`Comma-separated list of kafka brokers to read the watchfolder events from.`|``| +|`STORAGE_USERS_POSIX_WATCH_ROOT`| next |string|`Path to the watch root directory. Event paths will be considered relative to this path. 
Only applies to the 'gpswatchfolder' and 'cephfs' watchers.`|``| +|`STORAGE_USERS_POSIX_INOTIFY_STATS_FREQUENCY`| next |Duration|`Frequency to log inotify stats.`|`5m0s`| +|`STORAGE_USERS_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|`http://localhost:9158/data`| +|`STORAGE_USERS_DATA_GATEWAY_URL`| 1.0.0 |string|`URL of the data gateway server`|`http://localhost:9140/data`| +|`STORAGE_USERS_TRANSFER_EXPIRES`| 1.0.0 |int64|`The time after which the token for upload postprocessing expires`|`86400`| +|`OC_EVENTS_ENDPOINT`
`STORAGE_USERS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`STORAGE_USERS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`STORAGE_USERS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`STORAGE_USERS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`STORAGE_USERS_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1.`|`0`| +|`OC_EVENTS_AUTH_USERNAME`
`STORAGE_USERS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`STORAGE_USERS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_CACHE_STORE`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-users`| +|`OC_CACHE_TTL`
`STORAGE_USERS_FILEMETADATA_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_STORE`
`STORAGE_USERS_ID_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_ID_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`ids-storage-users`| +|`OC_CACHE_TTL`
`STORAGE_USERS_ID_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details.`|`24m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage.`|``| +|`STORAGE_USERS_EXPOSE_DATA_SERVER`| 1.0.0 |bool|`Exposes the data server directly to users and bypasses the data gateway. Ensure that the data server address is reachable by users.`|`false`| +|`STORAGE_USERS_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`| +|`STORAGE_USERS_UPLOAD_EXPIRATION`| 1.0.0 |int64|`Duration in seconds after which uploads will expire. Note that when setting this to a low number, uploads could be cancelled before they are finished and return a 403 to the user.`|`86400`| +|`OC_ADMIN_USER_ID`
`STORAGE_USERS_PURGE_TRASH_BIN_USER_ID`| 1.0.0 |string|`ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| +|`STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the personal trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|`720h0m0s`| +|`STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|`720h0m0s`| +|`OC_SERVICE_ACCOUNT_ID`
`STORAGE_USERS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`STORAGE_USERS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_GATEWAY_GRPC_ADDR`
`STORAGE_USERS_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the gateway GRPC address.`|`127.0.0.1:9142`| +|`OC_MACHINE_AUTH_API_KEY`
`STORAGE_USERS_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| +|`STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE`| 1.0.0 |int|`The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100.`|`0`| diff --git a/static/env-vars/storage-users_readme.md b/static/env-vars/storage-users_readme.md index e904f021..a6352270 100755 --- a/static/env-vars/storage-users_readme.md +++ b/static/env-vars/storage-users_readme.md @@ -1,6 +1,6 @@ --- title: Storage-Users -date: 2025-05-22T16:21:16.120375442+02:00 +date: 2025-11-13T17:22:55.097175+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/storage-users @@ -27,7 +27,6 @@ Purpose and description to be added * [Purge Expired](#purge-expired) * [List and Restore Trash-Bins Items](#list-and-restore-trash-bins-items) * [Caching](#caching) -* [Example Yaml Config](#example-yaml-config) ## Graceful Shutdown @@ -254,3 +253,4 @@ Store specific notes: - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus. - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc. + diff --git a/static/env-vars/thumbnails-config-example.yaml b/static/env-vars/thumbnails-config-example.yaml index 2acda547..9a0d9efa 100644 --- a/static/env-vars/thumbnails-config-example.yaml +++ b/static/env-vars/thumbnails-config-example.yaml 
@@ -60,7 +60,7 @@ thumbnail: - 4320x7680 - 7680x4320 filesystem_storage: - root_directory: /home/chaser/.opencloud/thumbnails + root_directory: /Users/t.schweiger/.opencloud/thumbnails webdav_allow_insecure: false cs3_allow_insecure: false reva_gateway: eu.opencloud.api.gateway diff --git a/static/env-vars/thumbnails.yaml b/static/env-vars/thumbnails.yaml new file mode 100644 index 00000000..468168c4 --- /dev/null +++ b/static/env-vars/thumbnails.yaml @@ -0,0 +1,72 @@ +# Autogenerated +# Filename: thumbnails.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9189 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9185 + tls: null + max_concurrent_requests: 0 +http: + addr: 127.0.0.1:9186 + tls: + enabled: false + cert: "" + key: "" + root: /thumbnails + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true +grpc_client_tls: null +thumbnail: + resolutions: + - 16x16 + - 32x32 + - 64x64 + - 128x128 + - 1080x1920 + - 1920x1080 + - 2160x3840 + - 3840x2160 + - 4320x7680 + - 7680x4320 + filesystem_storage: + root_directory: /Users/t.schweiger/.opencloud/thumbnails + webdav_allow_insecure: false + cs3_allow_insecure: false + reva_gateway: eu.opencloud.api.gateway + font_map_file: "" + transfer_secret: "" + data_endpoint: http://127.0.0.1:9186/thumbnails/data + max_input_width: 7680 + max_input_height: 7680 + max_input_image_file_size: 50MB diff --git a/static/env-vars/thumbnails_configvars.md b/static/env-vars/thumbnails_configvars.md index 2ac8f1a4..b42e6157 100644 --- a/static/env-vars/thumbnails_configvars.md +++ b/static/env-vars/thumbnails_configvars.md 
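Review bot: The replaced `root_directory` line in this hunk, and the same key in the new thumbnails.yaml that follows on this line, publish the generator's local home directory `/Users/t.schweiger/.opencloud/thumbnails` as the shipped default, although the variable description elsewhere in this commit says the default derives from `$OC_BASE_DATA_PATH/thumbnails`; the value is an artefact of the machine that ran the generator, and the old side had the same problem with `/home/chaser/...`. The same personal path appears in the `THUMBNAILS_FILESYSTEMSTORAGE_ROOT` row of thumbnails_configvars.md and in the `STORAGE_USERS_OWNCLOUDSQL_DATADIR`, `STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR` and `STORAGE_USERS_POSIX_ROOT` rows of the storage-users table. Besides being a wrong default for every reader, it puts a contributor's username and home layout into public documentation. Regenerate with a neutral base data path so the line reads e.g. `root_directory: <OC_BASE_DATA_PATH>/thumbnails` (placeholder), and consider having the generator emit the unexpanded default or reject home-directory prefixes so this does not recur on the next docs refresh.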
@@ -1,38 +1,38 @@ Environment variables for the **thumbnails** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`THUMBNAILS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`THUMBNAILS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`THUMBNAILS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`THUMBNAILS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`THUMBNAILS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`THUMBNAILS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`THUMBNAILS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`THUMBNAILS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`THUMBNAILS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9189| -|`THUMBNAILS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`THUMBNAILS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`THUMBNAILS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`THUMBNAILS_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9185| -|`THUMBNAILS_MAX_CONCURRENT_REQUESTS`| 1.0.0 |int|Number of maximum concurrent thumbnail requests. Default is 0 which is unlimited.|0| -|`THUMBNAILS_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9186| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`THUMBNAILS_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/thumbnails| -|`OC_CORS_ALLOW_ORIGINS`
`THUMBNAILS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`THUMBNAILS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET POST PUT PATCH DELETE OPTIONS]| -|`OC_CORS_ALLOW_HEADERS`
`THUMBNAILS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]| -|`OC_CORS_ALLOW_CREDENTIALS`
`THUMBNAILS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`THUMBNAILS_RESOLUTIONS`| 1.0.0 |[]string|The supported list of target resolutions in the format WidthxHeight like 32x32. You can define any resolution as required. See the Environment Variable Types description for more details.|[16x16 32x32 64x64 128x128 1080x1920 1920x1080 2160x3840 3840x2160 4320x7680 7680x4320]| -|`THUMBNAILS_FILESYSTEMSTORAGE_ROOT`| 1.0.0 |string|The directory where the filesystem storage will store the thumbnails. If not defined, the root directory derives from $OC_BASE_DATA_PATH/thumbnails.|/home/chaser/.opencloud/thumbnails| -|`OC_INSECURE`
`THUMBNAILS_WEBDAVSOURCE_INSECURE`| 1.0.0 |bool|Ignore untrusted SSL certificates when connecting to the webdav source.|false| -|`OC_INSECURE`
`THUMBNAILS_CS3SOURCE_INSECURE`| 1.0.0 |bool|Ignore untrusted SSL certificates when connecting to the CS3 source.|false| -|`OC_REVA_GATEWAY`| 1.0.0 |string|CS3 gateway used to look up user metadata|eu.opencloud.api.gateway| -|`THUMBNAILS_TXT_FONTMAP_FILE`| 1.0.0 |string|The path to a font file for txt thumbnails.|| -|`THUMBNAILS_TRANSFER_TOKEN`| 1.0.0 |string|The secret to sign JWT to download the actual thumbnail file.|| -|`THUMBNAILS_DATA_ENDPOINT`| 1.0.0 |string|The HTTP endpoint where the actual thumbnail file can be downloaded.|http://127.0.0.1:9186/thumbnails/data| -|`THUMBNAILS_MAX_INPUT_WIDTH`| 1.0.0 |int|The maximum width of an input image which is being processed.|7680| -|`THUMBNAILS_MAX_INPUT_HEIGHT`| 1.0.0 |int|The maximum height of an input image which is being processed.|7680| -|`THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE`| 1.0.0 |string|The maximum file size of an input image which is being processed. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.|50MB| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`THUMBNAILS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`THUMBNAILS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`THUMBNAILS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`THUMBNAILS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`THUMBNAILS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`THUMBNAILS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`THUMBNAILS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`THUMBNAILS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`THUMBNAILS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9189`| +|`THUMBNAILS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`THUMBNAILS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`THUMBNAILS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`THUMBNAILS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9185`| +|`THUMBNAILS_MAX_CONCURRENT_REQUESTS`| 1.0.0 |int|`Number of maximum concurrent thumbnail requests. Default is 0 which is unlimited.`|`0`| +|`THUMBNAILS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9186`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`THUMBNAILS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/thumbnails`| +|`OC_CORS_ALLOW_ORIGINS`
`THUMBNAILS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`THUMBNAILS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`THUMBNAILS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`THUMBNAILS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`THUMBNAILS_RESOLUTIONS`| 1.0.0 |[]string|`The supported list of target resolutions in the format WidthxHeight like 32x32. You can define any resolution as required. See the Environment Variable Types description for more details.`|`[16x16 32x32 64x64 128x128 1080x1920 1920x1080 2160x3840 3840x2160 4320x7680 7680x4320]`| +|`THUMBNAILS_FILESYSTEMSTORAGE_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store the thumbnails. If not defined, the root directory derives from $OC_BASE_DATA_PATH/thumbnails.`|`/Users/t.schweiger/.opencloud/thumbnails`| +|`OC_INSECURE`
`THUMBNAILS_WEBDAVSOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the webdav source.`|`false`| +|`OC_INSECURE`
`THUMBNAILS_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`THUMBNAILS_TXT_FONTMAP_FILE`| 1.0.0 |string|`The path to a font file for txt thumbnails.`|``| +|`THUMBNAILS_TRANSFER_TOKEN`| 1.0.0 |string|`The secret to sign JWT to download the actual thumbnail file.`|``| +|`THUMBNAILS_DATA_ENDPOINT`| 1.0.0 |string|`The HTTP endpoint where the actual thumbnail file can be downloaded.`|`http://127.0.0.1:9186/thumbnails/data`| +|`THUMBNAILS_MAX_INPUT_WIDTH`| 1.0.0 |int|`The maximum width of an input image which is being processed.`|`7680`| +|`THUMBNAILS_MAX_INPUT_HEIGHT`| 1.0.0 |int|`The maximum height of an input image which is being processed.`|`7680`| +|`THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE`| 1.0.0 |string|`The maximum file size of an input image which is being processed. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|`50MB`| diff --git a/static/env-vars/thumbnails_readme.md b/static/env-vars/thumbnails_readme.md index a16ee6c2..20d07927 100755 --- a/static/env-vars/thumbnails_readme.md +++ b/static/env-vars/thumbnails_readme.md @@ -1,6 +1,6 @@ --- title: Thumbnails -date: 2025-05-22T16:21:16.120539831+02:00 +date: 2025-11-13T17:22:55.0974+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/thumbnails @@ -29,7 +29,6 @@ The thumbnails service provides methods to generate thumbnails for various files * [Memory Considerations](#memory-considerations) * [Thumbnails and SecureView](#thumbnails-and-secureview) * [Using libvips for Thumbnail Generation](#using-libvips-for-thumbnail-generation) -* [Example Yaml Config](#example-yaml-config) ## File Locations Overview 
@@ -130,23 +129,24 @@ enabled at buildtime and has a couple of implications: Support of libvips is disabled by default. To enable it, make sure libvips and its buildtime dependencies are installed in your build environment. For macOS users, add the build time dependencies via: -```bash +```shell brew install vips pkg-config export PKG_CONFIG_PATH="/usr/local/opt/libffi/lib/pkgconfig" ``` Then you just need to set the `ENABLE_VIPS` variable on the `make` command: -```bash +```shell make -C opencloud build ENABLE_VIPS=1 ``` Or include the `enable_vips` build tag in the `go build` command: -```bash +```shell go build -tags enable_vips -o opencloud -o bin/opencloud ./cmd/opencloud ``` When building a docker image using the Dockerfile in the top-level directory of OpenCloud, libvips support is enabled and the libvips shared libraries are included in the resulting docker image. + diff --git a/static/env-vars/userlog.yaml b/static/env-vars/userlog.yaml new file mode 100644 index 00000000..263d9bd3 --- /dev/null +++ b/static/env-vars/userlog.yaml 
@@ -0,0 +1,67 @@ +# Autogenerated +# Filename: userlog.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9214 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9210 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva_gateway: eu.opencloud.api.gateway +translation_path: "" +default_language: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +max_concurrency: 1 +persistence: + store: memory + nodes: [] + database: userlog + table: events + ttl: 336h0m0s + username: "" + password: "" +disable_sse: false +global_notifications_secret: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/static/env-vars/userlog_configvars.md b/static/env-vars/userlog_configvars.md index dad0e6ed..1b65ce94 100644 --- a/static/env-vars/userlog_configvars.md +++ b/static/env-vars/userlog_configvars.md @@ -1,48 +1,48 @@ Environment variables for the **userlog** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`USERLOG_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`USERLOG_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`USERLOG_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`USERLOG_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`USERLOG_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`USERLOG_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`USERLOG_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`USERLOG_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`USERLOG_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9214| -|`USERLOG_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`USERLOG_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`USERLOG_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`USERLOG_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9210| -|`USERLOG_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`OC_CORS_ALLOW_ORIGINS`
`USERLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`USERLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET]| -|`OC_CORS_ALLOW_HEADERS`
`USERLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]| -|`OC_CORS_ALLOW_CREDENTIALS`
`USERLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`OC_JWT_SECRET`
`USERLOG_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|CS3 gateway used to look up user metadata|eu.opencloud.api.gateway| -|`OC_TRANSLATION_PATH`
`USERLOG_TRANSLATION_PATH`| 1.0.0 |string|(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.|| -|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.|| -|`OC_EVENTS_ENDPOINT`
`USERLOG_EVENTS_ENDPOINT`| 1.0.0 |string|The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|127.0.0.1:9233| -|`OC_EVENTS_CLUSTER`
`USERLOG_EVENTS_CLUSTER`| 1.0.0 |string|The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|opencloud-cluster| -|`OC_INSECURE`
`USERLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|Whether to verify the server TLS certificates.|false| -|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.|| -|`OC_EVENTS_ENABLE_TLS`
`USERLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|false| -|`OC_EVENTS_AUTH_USERNAME`
`USERLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_EVENTS_AUTH_PASSWORD`
`USERLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.|| -|`OC_MAX_CONCURRENCY`
`USERLOG_MAX_CONCURRENCY`| 1.0.0 |int|Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.|1| -|`OC_PERSISTENT_STORE`
`USERLOG_STORE`| 1.0.0 |string|The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.|memory| -|`OC_PERSISTENT_STORE_NODES`
`USERLOG_STORE_NODES`| 1.0.0 |[]string|A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.|[]| -|`USERLOG_STORE_DATABASE`| 1.0.0 |string|The database name the configured store should use.|userlog| -|`USERLOG_STORE_TABLE`| 1.0.0 |string|The database table the store should use.|events| -|`OC_PERSISTENT_STORE_TTL`
`USERLOG_STORE_TTL`| 1.0.0 |Duration|Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.|336h0m0s| -|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`USERLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`USERLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|| -|`OC_DISABLE_SSE,USERLOG_DISABLE_SSE`| 1.0.0 |bool|Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.|false| -|`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`| 1.0.0 |string|The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.|| -|`OC_SERVICE_ACCOUNT_ID`
`USERLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|The ID of the service account the service should use. See the 'auth-service' service description for more details.|| -|`OC_SERVICE_ACCOUNT_SECRET`
`USERLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|The service account secret.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`USERLOG_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`USERLOG_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`USERLOG_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`USERLOG_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`USERLOG_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`USERLOG_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`USERLOG_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`USERLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9214`| +|`USERLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`USERLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`USERLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`USERLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9210`| +|`USERLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`USERLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`USERLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| +|`OC_CORS_ALLOW_HEADERS`
`USERLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`USERLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`USERLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`OC_TRANSLATION_PATH`
`USERLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_EVENTS_ENDPOINT`
`USERLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`USERLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`USERLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`USERLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`USERLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`USERLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_MAX_CONCURRENCY`
`USERLOG_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| +|`OC_PERSISTENT_STORE`
`USERLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`memory`| +|`OC_PERSISTENT_STORE_NODES`
`USERLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[]`| +|`USERLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`userlog`| +|`USERLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|`events`| +|`OC_PERSISTENT_STORE_TTL`
`USERLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`USERLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`USERLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_DISABLE_SSE,USERLOG_DISABLE_SSE`| 1.0.0 |bool|`Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.`|`false`| +|`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`| 1.0.0 |string|`The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`USERLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`USERLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| diff --git a/static/env-vars/userlog_readme.md b/static/env-vars/userlog_readme.md index 3833374c..7da56224 100755 --- a/static/env-vars/userlog_readme.md +++ b/static/env-vars/userlog_readme.md @@ -1,6 +1,6 @@ --- title: Userlog -date: 2025-05-22T16:21:16.120906259+02:00 +date: 2025-11-13T17:22:55.097508+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/userlog @@ -30,7 +30,6 @@ The `userlog` service is a mediator between the `eventhistory` service and clien * [Translations](#translations) * [Translation Rules](#translation-rules) * [Default Language](#default-language) -* [Example Yaml Config](#example-yaml-config) ## The Log Service Ecosystem @@ -113,3 +112,4 @@ which is the source of the texts provided by the code. ## Default Language The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description. + diff --git a/static/env-vars/users-config-example.yaml b/static/env-vars/users-config-example.yaml index 541e3cdf..fbf83ed8 100644 --- a/static/env-vars/users-config-example.yaml +++ b/static/env-vars/users-config-example.yaml @@ -32,7 +32,7 @@ driver: ldap drivers: ldap: uri: ldaps://localhost:9235 - ca_cert: /home/chaser/.opencloud/idm/ldap.crt + ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt insecure: false bind_dn: uid=reva,ou=sysusers,o=libregraph-idm bind_password: "" @@ -51,6 +51,7 @@ drivers: ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm user_schema: id: openclouduuid + tenant_id: "" id_is_octet_string: false mail: mail display_name: displayname diff --git a/static/env-vars/users.yaml b/static/env-vars/users.yaml new file mode 100644 index 00000000..d5627c01 --- /dev/null +++ b/static/env-vars/users.yaml 
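Review bot: The `ca_cert` line in the first users-config-example.yaml hunk now carries a developer's personal absolute path, `ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt`, which merely swaps the previous `/home/chaser/...` for another machine-specific value and discloses a local account name in a published example. The variable table on this page says an unset OC_LDAP_CACERT derives from `$OC_BASE_DATA_PATH/idm`, so the example should read `ca_cert: ""` (or a clearly marked placeholder such as `/path/to/.opencloud/idm/ldap.crt`) rather than whatever path the generator picked up from the author's environment. The same path is baked into the new autogenerated users.yaml in the following file section, which suggests regenerating with a neutral base data path rather than hand-editing this one line, so the committed output is reproducible. The second hunk, adding `tenant_id: ""` to `user_schema`, looks fine on its own.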
@@ -0,0 +1,77 @@ +# Autogenerated +# Filename: users.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9145 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9144 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +driver: ldap +drivers: + ldap: + uri: ldaps://localhost:9235 + ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + user_scope: sub + group_scope: sub + user_substring_filter_type: any + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + idp: https://localhost:9200 + disable_user_mechanism: attribute + user_type_attribute: openCloudUserType + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + user_schema: + id: openclouduuid + tenant_id: "" + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + user_enabled: openclouduserenabled + group_schema: + id: openclouduuid + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: secret + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false + enable_medial_search: false diff --git a/static/env-vars/users_configvars.md b/static/env-vars/users_configvars.md index 0f4590e9..149b063e 100644 --- a/static/env-vars/users_configvars.md +++ b/static/env-vars/users_configvars.md 
@@ -1,64 +1,65 @@ Environment variables for the **users** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`USERS_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`USERS_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`USERS_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`USERS_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`USERS_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`USERS_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`USERS_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`USERS_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`USERS_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9145| -|`USERS_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`USERS_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`USERS_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`USERS_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|127.0.0.1:9144| -|`OC_GRPC_PROTOCOL`
`USERS_GRPC_PROTOCOL`| 1.0.0 |string|The transport protocol of the GPRC service.|tcp| -|`OC_JWT_SECRET`
`USERS_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`OC_REVA_GATEWAY`| 1.0.0 |string|The CS3 gateway endpoint.|eu.opencloud.api.gateway| -|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.|| -|`USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|Disables the loading of user's group memberships from the reva access token.|false| -|`USERS_DRIVER`| 1.0.0 |string|The driver which should be used by the users service. Supported values are 'ldap' and 'owncloudsql'.|ldap| -|`OC_LDAP_URI`
`USERS_LDAP_URI`| 1.0.0 |string|URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'|ldaps://localhost:9235| -|`OC_LDAP_CACERT`
`USERS_LDAP_CACERT`| 1.0.0 |string|Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.|/home/chaser/.opencloud/idm/ldap.crt| -|`OC_LDAP_INSECURE`
`USERS_LDAP_INSECURE`| 1.0.0 |bool|Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.|false| -|`OC_LDAP_BIND_DN`
`USERS_LDAP_BIND_DN`| 1.0.0 |string|LDAP DN to use for simple bind authentication with the target LDAP server.|uid=reva,ou=sysusers,o=libregraph-idm| -|`OC_LDAP_BIND_PASSWORD`
`USERS_LDAP_BIND_PASSWORD`| 1.0.0 |string|Password to use for authenticating the 'bind_dn'.|| -|`OC_LDAP_USER_BASE_DN`
`USERS_LDAP_USER_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP users.|ou=users,o=libregraph-idm| -|`OC_LDAP_GROUP_BASE_DN`
`USERS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|Search base DN for looking up LDAP groups.|ou=groups,o=libregraph-idm| -|`OC_LDAP_USER_SCOPE`
`USERS_LDAP_USER_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.|sub| -|`OC_LDAP_GROUP_SCOPE`
`USERS_LDAP_GROUP_SCOPE`| 1.0.0 |string|LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.|sub| -|`LDAP_USER_SUBSTRING_FILTER_TYPE`
`USERS_LDAP_USER_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches|any| -|`OC_LDAP_USER_FILTER`
`USERS_LDAP_USER_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.|| -|`OC_LDAP_GROUP_FILTER`
`USERS_LDAP_GROUP_FILTER`| 1.0.0 |string|LDAP filter to add to the default filters for group searches.|| -|`OC_LDAP_USER_OBJECTCLASS`
`USERS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|The object class to use for users in the default user search filter like 'inetOrgPerson'.|inetOrgPerson| -|`OC_LDAP_GROUP_OBJECTCLASS`
`USERS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|The object class to use for groups in the default group search filter like 'groupOfNames'.|groupOfNames| -|`OC_URL`
`OC_OIDC_ISSUER`
`USERS_IDP_URL`| 1.0.0 |string|The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.|https://localhost:9200| -|`OC_LDAP_DISABLE_USER_MECHANISM`
`USERS_LDAP_DISABLE_USER_MECHANISM`| 1.0.0 |string|An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.|attribute| -|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`USERS_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.|openCloudUserType| -|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`USERS_LDAP_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.|cn=DisabledUsersGroup,ou=groups,o=libregraph-idm| -|`OC_LDAP_USER_SCHEMA_ID`
`USERS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.|openclouduuid| -|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.|false| -|`OC_LDAP_USER_SCHEMA_MAIL`
`USERS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|LDAP Attribute to use for the email address of users.|mail| -|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`USERS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|LDAP Attribute to use for the displayname of users.|displayname| -|`OC_LDAP_USER_SCHEMA_USERNAME`
`USERS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|LDAP Attribute to use for username of users.|uid| -|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`USERS_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|LDAP attribute to use as a flag telling if the user is enabled or disabled.|openclouduserenabled| -|`OC_LDAP_GROUP_SCHEMA_ID`
`USERS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.|openclouduuid| -|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.|false| -|`OC_LDAP_GROUP_SCHEMA_MAIL`
`USERS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|LDAP Attribute to use for the email address of groups (can be empty).|mail| -|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).|cn| -|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`USERS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|LDAP Attribute to use for the name of groups.|cn| -|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`USERS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|LDAP Attribute that is used for group members.|member| -|`USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|Database user to use for authenticating with the owncloud database.|owncloud| -|`USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|Password for the database user.|secret| -|`USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|Hostname of the database server.|mysql| -|`USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|Network port to use for the database connection.|3306| -|`USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|Name of the owncloud database.|owncloud| -|`USERS_OWNCLOUDSQL_IDP`| 1.0.0 |string|The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.|https://localhost:9200| -|`USERS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|Fallback number if no numeric UID and GID properties are provided.|90| -|`USERS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|Join the user properties table to read usernames|false| -|`USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|Join the user properties table to read user IDs.|false| -|`USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.|false| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`USERS_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`USERS_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`USERS_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`USERS_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`USERS_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`USERS_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`USERS_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``|
+|`USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9145`|
+|`USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``|
+|`USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`|
+|`USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`|
+|`USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9144`|
+|`OC_GRPC_PROTOCOL`
`USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`OC_JWT_SECRET`
`USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
+|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`|
+|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``|
+|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``|
+|`USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`|
+|`USERS_DRIVER`| 1.0.0 |string|`The driver which should be used by the users service. Supported values are 'ldap' and 'owncloudsql'.`|`ldap`|
+|`OC_LDAP_URI`
`USERS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldaps://localhost:9235`| +|`OC_LDAP_CACERT`
`USERS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/Users/t.schweiger/.opencloud/idm/ldap.crt`| +|`OC_LDAP_INSECURE`
`USERS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`USERS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`USERS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`USERS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`USERS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`USERS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_SCOPE`
`USERS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`LDAP_USER_SUBSTRING_FILTER_TYPE`
`USERS_LDAP_USER_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|`any`| +|`OC_LDAP_USER_FILTER`
`USERS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_GROUP_FILTER`
`USERS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`USERS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter like 'inetOrgPerson'.`|`inetOrgPerson`| +|`OC_LDAP_GROUP_OBJECTCLASS`
`USERS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter like 'groupOfNames'.`|`groupOfNames`| +|`OC_URL`
`OC_OIDC_ISSUER`
`USERS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`USERS_LDAP_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|`attribute`| +|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`USERS_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|`openCloudUserType`| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`USERS_LDAP_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCHEMA_ID`
`USERS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openclouduuid`| +|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`USERS_LDAP_USER_SCHEMA_TENANT_ID`| next |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|``| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`USERS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`USERS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`USERS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`USERS_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|`openclouduserenabled`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`USERS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.`|`openclouduuid`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`USERS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`USERS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`USERS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| +|`USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|`secret`| +|`USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| +|`USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| +|`USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| +|`USERS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`USERS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| +|`USERS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|`false`| +|`USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|`false`| +|`USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|`false`| diff --git a/static/env-vars/users_readme.md b/static/env-vars/users_readme.md new file mode 100755 index 00000000..2b8717f4 --- /dev/null +++ b/static/env-vars/users_readme.md @@ -0,0 +1,21 @@ +--- +title: Users +date: 2025-11-12T16:20:03.611091+01:00 +weight: 20 +geekdocRepo: https://github.com/opencloud-eu/opencloud +geekdocEditPath: edit/master/services/users +geekdocFilePath: README.md +geekdocCollapseSection: true +--- + + + +## Abstract + + +The `users` service provides user management functionality within OpenCloud. + +## Table of Contents + + + 
diff --git a/static/env-vars/web-config-example.yaml b/static/env-vars/web-config-example.yaml index b799be23..fd1eb5a5 100644 --- a/static/env-vars/web-config-example.yaml +++ b/static/env-vars/web-config-example.yaml @@ -67,9 +67,9 @@ http: - X-HTTP-Method-Override allow_credentials: false asset: - core_path: /home/user/.opencloud/web/assets/core - themes_path: /home/user/.opencloud/web/assets/themes - apps_path: /home/user/.opencloud/web/assets/apps + core_path: /Users/t.schweiger/.opencloud/web/assets/core + themes_path: /Users/t.schweiger/.opencloud/web/assets/themes + apps_path: /Users/t.schweiger/.opencloud/web/assets/apps file: "" web: theme_server: https://localhost:9200 @@ -96,7 +96,6 @@ web: applications: [] external_apps: [] options: - openAppsInTab: false accountEditLink: null disableFeedbackLink: false feedbackLink: null @@ -122,6 +121,7 @@ web: shares: create: 0 list: 0 + defaultAppId: "" styles: [] scripts: [] custom_translations: [] diff --git a/static/env-vars/web.yaml b/static/env-vars/web.yaml new file mode 100644 index 00000000..99e2d2a8 --- /dev/null +++ b/static/env-vars/web.yaml 
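Review bot: The three `asset` paths in this hunk now carry the committer's personal home directory (`/Users/t.schweiger/.opencloud/web/assets/...`) in place of the generic `/home/user/...` placeholder, which leaks a developer's local environment into published documentation and hands anyone who copies the example asset paths that do not exist on their host. The accompanying web_configvars.md text states these paths are derived from `$OC_BASE_DATA_PATH/web/assets/<core|themes|apps>` when unset, so the example should keep a neutral value: `core_path: /home/user/.opencloud/web/assets/core`, `themes_path: /home/user/.opencloud/web/assets/themes`, `apps_path: /home/user/.opencloud/web/assets/apps`. The same host-specific path shows up in the generated web.yaml and in the `USERS_LDAP_CACERT` default elsewhere in this patch, which suggests the docs generator was run without a neutral `OC_BASE_DATA_PATH`; pinning that in the generation step would keep it from recurring.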
@@ -0,0 +1,131 @@ +# Autogenerated +# Filename: web.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9104 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9100 + tls: + enabled: false + cert: "" + key: "" + root: / + cache_ttl: 604800 + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - PATCH + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + allow_credentials: false +asset: + core_path: /Users/t.schweiger/.opencloud/web/assets/core + themes_path: /Users/t.schweiger/.opencloud/web/assets/themes + apps_path: /Users/t.schweiger/.opencloud/web/assets/apps +file: "" +web: + theme_server: https://localhost:9200 + theme_path: /themes/opencloud/theme.json + config: + server: https://localhost:9200 + oidc: + metadata_url: https://localhost:9200/.well-known/openid-configuration + authority: https://localhost:9200 + client_id: web + response_type: code + scope: openid profile email + post_logout_redirect_uri: "" + apps: + - files + - search + - text-editor + - pdf-viewer + - external + - admin-settings + - epub-reader + - preview + - app-store + applications: [] + external_apps: [] + options: + accountEditLink: null + disableFeedbackLink: false + feedbackLink: null + runningOnEos: false + cernFeatures: false + upload: null + editor: null + contextHelpersReadMore: true + logoutUrl: "" + loginUrl: "" + tokenStorageLocal: true + 
disabledExtensions: [] + embed: + enabled: "" + target: "" + messagesOrigin: "" + delegateAuthentication: false + delegateAuthenticationOrigin: "" + userListRequiresFilter: false + concurrentRequests: + resourceBatchActions: 0 + sse: 0 + shares: + create: 0 + list: 0 + defaultAppId: "" + styles: [] + scripts: [] + custom_translations: [] +apps: {} +token_manager: + jwt_secret: "" +gateway_addr: eu.opencloud.api.gateway diff --git a/static/env-vars/web_configvars.md b/static/env-vars/web_configvars.md index 4e1ae140..355665ec 100644 --- a/static/env-vars/web_configvars.md +++ b/static/env-vars/web_configvars.md @@ -1,59 +1,59 @@ Environment variables for the **web** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`WEB_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`WEB_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`WEB_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`WEB_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`WEB_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`WEB_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`WEB_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`WEB_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.||
-|`WEB_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9104|
-|`WEB_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.||
-|`WEB_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false|
-|`WEB_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false|
-|`WEB_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9100|
-|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false|
-|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.||
-|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.||
-|`WEB_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/|
-|`WEB_CACHE_TTL`| 1.0.0 |int|Cache policy in seconds for OpenCloud Web assets.|604800|
-|`OC_CORS_ALLOW_ORIGINS`
`WEB_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[https://localhost:9200]| -|`OC_CORS_ALLOW_METHODS`
`WEB_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[OPTIONS HEAD GET PUT PATCH POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]| -|`OC_CORS_ALLOW_HEADERS`
`WEB_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override]| -|`OC_CORS_ALLOW_CREDENTIALS`
`WEB_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS. See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|false| -|`WEB_ASSET_CORE_PATH`| 1.0.0 |string|Serve OpenCloud Web assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/core|/home/chaser/.opencloud/web/assets/core| -|`OC_ASSET_THEMES_PATH`
`WEB_ASSET_THEMES_PATH`| 1.0.0 |string|Serve OpenCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes|/home/chaser/.opencloud/web/assets/themes| -|`WEB_ASSET_APPS_PATH`| 1.0.0 |string|Serve OpenCloud Web apps assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/apps|/home/chaser/.opencloud/web/assets/apps| -|`WEB_UI_CONFIG_FILE`| 1.0.0 |string|Read the OpenCloud Web json based configuration from this path/file. The config file takes precedence over WEB_OPTION_xxx environment variables. See the text description for more details.|| -|`OC_URL`
`WEB_UI_THEME_SERVER`| 1.0.0 |string|Base URL to load themes from. Will be prepended to the theme path.|https://localhost:9200| -|`WEB_UI_THEME_PATH`| 1.0.0 |string|Path to the theme json file. Will be appended to the URL of the theme server.|/themes/opencloud/theme.json| -|`OC_URL`
`WEB_UI_CONFIG_SERVER`| 1.0.0 |string|URL, where the OpenCloud APIs are reachable for OpenCloud Web.|https://localhost:9200| -|`WEB_OIDC_METADATA_URL`| 1.0.0 |string|URL for the OIDC well-known configuration endpoint. Defaults to the OpenCloud API URL + '/.well-known/openid-configuration'.|https://localhost:9200/.well-known/openid-configuration| -|`OC_URL`
`OC_OIDC_ISSUER`
`WEB_OIDC_AUTHORITY`| 1.0.0 |string|URL of the OIDC issuer. It defaults to URL of the builtin IDP.|https://localhost:9200| -|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`| 1.0.0 |string|The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP.|web| -|`WEB_OIDC_RESPONSE_TYPE`| 1.0.0 |string|The OIDC response type to use for authentication.|code| -|`WEB_OIDC_SCOPE`| 1.0.0 |string|OIDC scopes to request during authentication to authorize access to user details. Defaults to 'openid profile email'. Values are separated by blank. More example values but not limited to are 'address' or 'phone' etc.|openid profile email| -|`WEB_OIDC_POST_LOGOUT_REDIRECT_URI`| 1.0.0 |string|This value needs to point to a valid and reachable web page. The web client will trigger a redirect to that page directly after the logout action. The default value is empty and redirects to the login page.|| -|`WEB_OPTION_OPEN_APPS_IN_TAB`| 1.0.0 |bool|Configures whether apps and extensions should generally open in a new tab. Defaults to false.|false| -|`WEB_OPTION_DISABLE_FEEDBACK_LINK`| 1.0.0 |bool|Set this option to 'true' to disable the feedback link in the top bar. Keeping it enabled by setting the value to 'false' or with the absence of the option, allows OpenCloud to get feedback from your user base through a dedicated survey website.|false| -|`WEB_OPTION_RUNNING_ON_EOS`| 1.0.0 |bool|Set this option to 'true' if running on an EOS storage backend (\https://eos-web.web.cern.ch/eos-web/) to enable its specific features. Defaults to 'false'.|false| -|`WEB_OPTION_CONTEXTHELPERS_READ_MORE`| 1.0.0 |bool|Specifies whether the 'Read more' link should be displayed or not.|true| -|`WEB_OPTION_LOGOUT_URL`| 1.0.0 |string|Adds a link to the user's profile page to point him to an external page, where he can manage his session and devices. This is helpful when an external IdP is used. This option is disabled by default.|| -|`WEB_OPTION_LOGIN_URL`| 1.0.0 |string|Specifies the target URL to the login page. This is helpful when an external IdP is used. 
This option is disabled by default. Example URL like: \https://www.myidp.com/login.|| -|`WEB_OPTION_TOKEN_STORAGE_LOCAL`| 1.0.0 |bool|Specifies whether the access token will be stored in the local storage when set to 'true' or in the session storage when set to 'false'. If stored in the local storage, login state will be persisted across multiple browser tabs, means no additional logins are required.|true| -|`WEB_OPTION_DISABLED_EXTENSIONS`| 1.0.0 |[]string|A list to disable specific Web extensions identified by their ID. The ID can e.g. be taken from the 'index.ts' file of the web extension. Example: 'com.github.opencloud-eu.web.files.search,com.github.opencloud-eu.web.files.print'. See the Environment Variable Types description for more details.|[]| -|`WEB_OPTION_EMBED_ENABLED`| 1.0.0 |string|Defines whether Web should be running in 'embed' mode. Setting this to 'true' will enable a stripped down version of Web with reduced functionality used to integrate Web into other applications like via iFrame. Setting it to 'false' or not setting it (default) will run Web as usual with all functionality enabled. See the text description for more details.|| -|`WEB_OPTION_EMBED_TARGET`| 1.0.0 |string|Defines how Web is being integrated when running in 'embed' mode. Currently, the only supported options are '' (empty) and 'location'. With '' which is the default, Web will run regular as defined via the 'embed.enabled' config option. With 'location', Web will run embedded as location picker. Resource selection will be disabled and the selected resources array always includes the current folder as the only item. See the text description for more details.|| -|`WEB_OPTION_EMBED_MESSAGES_ORIGIN`| 1.0.0 |string|Defines a URL under which Web can be integrated via iFrame in 'embed' mode. Note that setting this is mandatory when running Web in 'embed' mode. Use '*' as value to allow running the iFrame under any URL, although this is not recommended for security reasons. 
See the text description for more details.|| -|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION`| 1.0.0 |bool|Defines whether Web should require authentication to be done by the parent application when running in 'embed' mode. If set to 'true' Web will not try to authenticate the user on its own but will require an access token coming from the parent application. Defaults to being unset.|false| -|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN`| 1.0.0 |string|Defines the host to validate the message event origin against when running Web in 'embed' mode with delegated authentication. Defaults to event message origin validation being omitted, which is only recommended for development setups.|| -|`WEB_OPTION_USER_LIST_REQUIRES_FILTER`| 1.0.0 |bool|Defines whether one or more filters must be set in order to list users in the Web admin settings. Set this option to 'true' if running in an environment with a lot of users and listing all users could slow down performance. Defaults to 'false'.|false| -|`WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS`| 1.0.0 |int|Defines the maximum number of concurrent requests per file/folder/space batch action. Defaults to 4.|0| -|`WEB_OPTION_CONCURRENT_REQUESTS_SSE`| 1.0.0 |int|Defines the maximum number of concurrent requests in SSE event handlers. Defaults to 4.|0| -|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE`| 1.0.0 |int|Defines the maximum number of concurrent requests per sharing invite batch. Defaults to 4.|0| -|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST`| 1.0.0 |int|Defines the maximum number of concurrent requests when loading individual share information inside listings. Defaults to 2.|0| -|`OC_JWT_SECRET`
`WEB_JWT_SECRET`| 1.0.0 |string|The secret to mint and validate jwt tokens.|| -|`WEB_GATEWAY_GRPC_ADDR`| 1.0.0 |string|The bind address of the GRPC service.|eu.opencloud.api.gateway| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`WEB_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`WEB_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`WEB_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`WEB_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`WEB_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`WEB_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`WEB_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`WEB_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`WEB_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9104`| +|`WEB_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`WEB_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`WEB_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`WEB_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9100`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`WEB_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`WEB_CACHE_TTL`| 1.0.0 |int|`Cache policy in seconds for OpenCloud Web assets.`|`604800`| +|`OC_CORS_ALLOW_ORIGINS`
`WEB_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`WEB_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT PATCH POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| +|`OC_CORS_ALLOW_HEADERS`
`WEB_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEB_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS. See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`WEB_ASSET_CORE_PATH`| 1.0.0 |string|`Serve OpenCloud Web assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/core`|`/Users/t.schweiger/.opencloud/web/assets/core`| +|`OC_ASSET_THEMES_PATH`
`WEB_ASSET_THEMES_PATH`| 1.0.0 |string|`Serve OpenCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes`|`/Users/t.schweiger/.opencloud/web/assets/themes`| +|`WEB_ASSET_APPS_PATH`| 1.0.0 |string|`Serve OpenCloud Web apps assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/apps`|`/Users/t.schweiger/.opencloud/web/assets/apps`| +|`WEB_UI_CONFIG_FILE`| 1.0.0 |string|`Read the OpenCloud Web json based configuration from this path/file. The config file takes precedence over WEB_OPTION_xxx environment variables. See the text description for more details.`|``| +|`OC_URL`
`WEB_UI_THEME_SERVER`| 1.0.0 |string|`Base URL to load themes from. Will be prepended to the theme path.`|`https://localhost:9200`| +|`WEB_UI_THEME_PATH`| 1.0.0 |string|`Path to the theme json file. Will be appended to the URL of the theme server.`|`/themes/opencloud/theme.json`| +|`OC_URL`
`WEB_UI_CONFIG_SERVER`| 1.0.0 |string|`URL, where the OpenCloud APIs are reachable for OpenCloud Web.`|`https://localhost:9200`| +|`WEB_OIDC_METADATA_URL`| 1.0.0 |string|`URL for the OIDC well-known configuration endpoint. Defaults to the OpenCloud API URL + '/.well-known/openid-configuration'.`|`https://localhost:9200/.well-known/openid-configuration`| +|`OC_URL`
`OC_OIDC_ISSUER`
`WEB_OIDC_AUTHORITY`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| +|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`| 1.0.0 |string|`The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP.`|`web`| +|`WEB_OIDC_RESPONSE_TYPE`| 1.0.0 |string|`The OIDC response type to use for authentication.`|`code`| +|`WEB_OIDC_SCOPE`| 1.0.0 |string|`OIDC scopes to request during authentication to authorize access to user details. Defaults to 'openid profile email'. Values are separated by blank. More example values but not limited to are 'address' or 'phone' etc.`|`openid profile email`| +|`WEB_OIDC_POST_LOGOUT_REDIRECT_URI`| 1.0.0 |string|`This value needs to point to a valid and reachable web page. The web client will trigger a redirect to that page directly after the logout action. The default value is empty and redirects to the login page.`|``| +|`WEB_OPTION_DISABLE_FEEDBACK_LINK`| 1.0.0 |bool|`Set this option to 'true' to disable the feedback link in the top bar. Keeping it enabled by setting the value to 'false' or with the absence of the option, allows OpenCloud to get feedback from your user base through a dedicated survey website.`|`false`| +|`WEB_OPTION_RUNNING_ON_EOS`| 1.0.0 |bool|`Set this option to 'true' if running on an EOS storage backend (\https://eos-web.web.cern.ch/eos-web/) to enable its specific features. Defaults to 'false'.`|`false`| +|`WEB_OPTION_CONTEXTHELPERS_READ_MORE`| 1.0.0 |bool|`Specifies whether the 'Read more' link should be displayed or not.`|`true`| +|`WEB_OPTION_LOGOUT_URL`| 1.0.0 |string|`Adds a link to the user's profile page to point him to an external page, where he can manage his session and devices. This is helpful when an external IdP is used. This option is disabled by default.`|``| +|`WEB_OPTION_LOGIN_URL`| 1.0.0 |string|`Specifies the target URL to the login page. This is helpful when an external IdP is used. This option is disabled by default. 
Example URL like: \https://www.myidp.com/login.`|``| +|`WEB_OPTION_TOKEN_STORAGE_LOCAL`| 1.0.0 |bool|`Specifies whether the access token will be stored in the local storage when set to 'true' or in the session storage when set to 'false'. If stored in the local storage, login state will be persisted across multiple browser tabs, means no additional logins are required.`|`true`| +|`WEB_OPTION_DISABLED_EXTENSIONS`| 1.0.0 |[]string|`A list to disable specific Web extensions identified by their ID. The ID can e.g. be taken from the 'index.ts' file of the web extension. Example: 'com.github.opencloud-eu.web.files.search,com.github.opencloud-eu.web.files.print'. See the Environment Variable Types description for more details.`|`[]`| +|`WEB_OPTION_EMBED_ENABLED`| 1.0.0 |string|`Defines whether Web should be running in 'embed' mode. Setting this to 'true' will enable a stripped down version of Web with reduced functionality used to integrate Web into other applications like via iFrame. Setting it to 'false' or not setting it (default) will run Web as usual with all functionality enabled. See the text description for more details.`|``| +|`WEB_OPTION_EMBED_TARGET`| 1.0.0 |string|`Defines how Web is being integrated when running in 'embed' mode. Currently, the only supported options are '' (empty) and 'location'. With '' which is the default, Web will run regular as defined via the 'embed.enabled' config option. With 'location', Web will run embedded as location picker. Resource selection will be disabled and the selected resources array always includes the current folder as the only item. See the text description for more details.`|``| +|`WEB_OPTION_EMBED_MESSAGES_ORIGIN`| 1.0.0 |string|`Defines a URL under which Web can be integrated via iFrame in 'embed' mode. Note that setting this is mandatory when running Web in 'embed' mode. Use '*' as value to allow running the iFrame under any URL, although this is not recommended for security reasons. 
See the text description for more details.`|``| +|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION`| 1.0.0 |bool|`Defines whether Web should require authentication to be done by the parent application when running in 'embed' mode. If set to 'true' Web will not try to authenticate the user on its own but will require an access token coming from the parent application. Defaults to being unset.`|`false`| +|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN`| 1.0.0 |string|`Defines the host to validate the message event origin against when running Web in 'embed' mode with delegated authentication. Defaults to event message origin validation being omitted, which is only recommended for development setups.`|``| +|`WEB_OPTION_USER_LIST_REQUIRES_FILTER`| 1.0.0 |bool|`Defines whether one or more filters must be set in order to list users in the Web admin settings. Set this option to 'true' if running in an environment with a lot of users and listing all users could slow down performance. Defaults to 'false'.`|`false`| +|`WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS`| 1.0.0 |int|`Defines the maximum number of concurrent requests per file/folder/space batch action. Defaults to 4.`|`0`| +|`WEB_OPTION_CONCURRENT_REQUESTS_SSE`| 1.0.0 |int|`Defines the maximum number of concurrent requests in SSE event handlers. Defaults to 4.`|`0`| +|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE`| 1.0.0 |int|`Defines the maximum number of concurrent requests per sharing invite batch. Defaults to 4.`|`0`| +|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST`| 1.0.0 |int|`Defines the maximum number of concurrent requests when loading individual share information inside listings. Defaults to 2.`|`0`| +|`WEB_OPTION_DEFAULT_APP_ID`| next |string|`Defines the entrypoint for the web ui.`|``| +|`OC_JWT_SECRET`
`WEB_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``|
+|`WEB_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`eu.opencloud.api.gateway`|
diff --git a/static/env-vars/web_readme.md b/static/env-vars/web_readme.md
index 2f7fe8ae..acd1ef53 100755
--- a/static/env-vars/web_readme.md
+++ b/static/env-vars/web_readme.md
@@ -1,6 +1,6 @@
 ---
 title: Web
-date: 2025-05-22T16:21:16.121010385+02:00
+date: 2025-11-13T17:22:55.097596+01:00
 weight: 20
 geekdocRepo: https://github.com/opencloud-eu/opencloud
 geekdocEditPath: edit/master/services/web
@@ -33,12 +33,11 @@ The web service also provides a minimal API for branding functionality like chan
 * [Application Configuration](#application-configuration)
 * [Using Custom Assets](#using-custom-assets)
 * [Miscellaneous](#miscellaneous)
-* [Example Yaml Config](#example-yaml-config)
 
 ## Custom Compiled Web Assets
 
 If you want to use your custom compiled web client assets instead of the embedded ones,
-then you can do that by setting the `WEB_ASSET_PATH` variable to point to your compiled files.
+then you can do that by setting the `WEB_ASSET_CORE_PATH` variable to point to your compiled files.
 See [OpenCloud Web / Getting Started](https://docs.opencloud.eu/clients/web/getting-started/) and [OpenCloud Web / Setup with OpenCloud](https://docs.opencloud.eu/clients/web/backend-opencloud/) for more details.
 
 ## Web UI Configuration
@@ -204,3 +203,4 @@ This also applies for the `manifest.json` file, if the administrator wants to pr
 ## Miscellaneous
 
 Please note that OpenCloud, in particular the web service, needs a restart to load new applications or changes to the `apps.yaml` file.
+
diff --git a/static/env-vars/webdav-config-example.yaml b/static/env-vars/webdav-config-example.yaml
index ab20c3cb..14900fa7 100644
--- a/static/env-vars/webdav-config-example.yaml
+++ b/static/env-vars/webdav-config-example.yaml
@@ -44,7 +44,7 @@ http: cert: "" key: "" disablePreviews: false -opencloud_public_url: https://127.0.0.1:9200 +opencloud_public_url: https://localhost:9200 webdav_namespace: /users/{{.Id.OpaqueId}} reva_gateway: eu.opencloud.api.gateway reva_gateway_tls_mode: "" diff --git a/static/env-vars/webdav.yaml b/static/env-vars/webdav.yaml new file mode 100644 index 00000000..a644ed8a --- /dev/null +++ b/static/env-vars/webdav.yaml @@ -0,0 +1,51 @@ +# Autogenerated +# Filename: webdav.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9119 + token: "" + pprof: false + zpages: false +grpc_client_tls: null +http: + addr: 127.0.0.1:9115 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +disablePreviews: false +opencloud_public_url: https://localhost:9200 +webdav_namespace: /users/{{.Id.OpaqueId}} +reva_gateway: eu.opencloud.api.gateway +reva_gateway_tls_mode: "" +reva_gateway_tls_cacert: "" diff --git a/static/env-vars/webdav_configvars.md b/static/env-vars/webdav_configvars.md index 5bc37561..3d88f259 100644 --- a/static/env-vars/webdav_configvars.md +++ b/static/env-vars/webdav_configvars.md @@ -1,31 +1,31 @@ Environment variables for the **webdav** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`WEBDAV_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`WEBDAV_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`WEBDAV_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`WEBDAV_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`WEBDAV_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`WEBDAV_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`WEBDAV_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`WEBDAV_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`WEBDAV_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9119| -|`WEBDAV_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`WEBDAV_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`WEBDAV_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`WEBDAV_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9115| -|`WEBDAV_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`OC_CORS_ALLOW_ORIGINS`
`WEBDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[*]| -|`OC_CORS_ALLOW_METHODS`
`WEBDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[GET POST PUT PATCH DELETE OPTIONS]| -|`OC_CORS_ALLOW_HEADERS`
`WEBDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]| -|`OC_CORS_ALLOW_CREDENTIALS`
`WEBDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|true| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`OC_DISABLE_PREVIEWS`
`WEBDAV_DISABLE_PREVIEWS`| 1.0.0 |bool|Set this option to 'true' to disable rendering of thumbnails triggered via webdav access. Note that when disabled, all access to preview related webdav paths will return a 404.|false| -|`OC_URL`
`OC_PUBLIC_URL`| 1.0.0 |string|URL, where OpenCloud is reachable for users.|https://127.0.0.1:9200| -|`WEBDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|CS3 path layout to use when forwarding /webdav requests|/users/{{.Id.OpaqueId}}| -|`OC_REVA_GATEWAY`| 1.0.0 |string|CS3 gateway used to look up user metadata|eu.opencloud.api.gateway| -|`OC_REVA_GATEWAY_TLS_MODE`| 1.0.0 |string|TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.|| -|`OC_REVA_GATEWAY_TLS_CACERT`| 1.0.0 |string|The root CA certificate used to validate the gateway's TLS certificate.|| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`WEBDAV_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`WEBDAV_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`WEBDAV_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`WEBDAV_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`WEBDAV_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`WEBDAV_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`WEBDAV_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`WEBDAV_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`WEBDAV_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9119`| +|`WEBDAV_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`WEBDAV_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`WEBDAV_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`WEBDAV_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9115`| +|`WEBDAV_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`WEBDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`WEBDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`WEBDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEBDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_DISABLE_PREVIEWS`
`WEBDAV_DISABLE_PREVIEWS`| 1.0.0 |bool|`Set this option to 'true' to disable rendering of thumbnails triggered via webdav access. Note that when disabled, all access to preview related webdav paths will return a 404.`|`false`| +|`OC_URL`
`OC_PUBLIC_URL`| 1.0.0 |string|`URL, where OpenCloud is reachable for users.`|`https://localhost:9200`| +|`WEBDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`CS3 path layout to use when forwarding /webdav requests`|`/users/{{.Id.OpaqueId}}`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`OC_REVA_GATEWAY_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the CS3 gateway endpoint. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_REVA_GATEWAY_TLS_CACERT`| 1.0.0 |string|`The root CA certificate used to validate the gateway's TLS certificate.`|``| diff --git a/static/env-vars/webdav_readme.md b/static/env-vars/webdav_readme.md index 2da08f77..ae99a3e1 100755 --- a/static/env-vars/webdav_readme.md +++ b/static/env-vars/webdav_readme.md @@ -1,6 +1,6 @@ --- title: Webdav -date: 2025-05-22T16:21:16.121072401+02:00 +date: 2025-11-13T17:22:55.097697+01:00 weight: 20 geekdocRepo: https://github.com/opencloud-eu/opencloud geekdocEditPath: edit/master/services/webdav 
@@ -13,7 +13,7 @@ geekdocCollapseSection: true
 
 ## Abstract
 
-The webdav service, like the [ocdav](../ocdav/Ocdav-info) service, provides a HTTP API following the webdav protocol. It receives HTTP calls from requestors like clients and issues gRPC calls to other services executing these requests. After the called service has finished the request, the webdav service will render their responses in `xml` and sends them back to the requestor.
+The webdav service, like the [ocdav](../ocdav) service, provides a HTTP API following the webdav protocol. It receives HTTP calls from requestors like clients and issues gRPC calls to other services executing these requests. After the called service has finished the request, the webdav service will render their responses in `xml` and sends them back to the requestor.
 
 ## Table of Contents
 
@@ -22,7 +22,6 @@ The webdav service, like the [ocdav](../ocdav/Ocdav-info) service, provides a HT
 * [Thumbnails](#thumbnails)
 * [Search](#search)
 * [Scalability](#scalability)
-* [Example Yaml Config](#example-yaml-config)
 
 ## Endpoints Overview
 
@@ -43,3 +42,4 @@ See the [search](https://github.com/opencloud-eu/opencloud/tree/main/services/se
 ## Scalability
 
 The webdav service does not persist any data and does not cache any information. Therefore multiple instances of this service can be spawned in a bigger deployment like when using container orchestration with Kubernetes, without any extra configuration.
+
diff --git a/static/env-vars/webfinger.yaml b/static/env-vars/webfinger.yaml
new file mode 100644
index 00000000..a3166530
--- /dev/null
+++ b/static/env-vars/webfinger.yaml
@@ -0,0 +1,44 @@ +# Autogenerated +# Filename: webfinger.yaml + +tracing: + enabled: false + type: "" + endpoint: "" + collector: "" +log: + level: "" + pretty: false + color: false + file: "" +debug: + addr: 127.0.0.1:9279 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9275 + root: / + cors: + allow_origins: + - https://localhost:9200 + allow_methods: [] + allow_headers: [] + allow_credentials: false + tls: + enabled: false + cert: "" + key: "" +instances: +- claim: sub + regex: .+ + href: '{{.OC_URL}}' + titles: + en: OpenCloud Instance + break: false +relations: +- http://openid.net/specs/connect/1.0/issuer +- http://webfinger.opencloud/rel/server-instance +idp: https://localhost:9200 +opencloud_url: https://localhost:9200 +insecure: false diff --git a/static/env-vars/webfinger_configvars.md b/static/env-vars/webfinger_configvars.md index 85bac7b3..81d0b840 100644 --- a/static/env-vars/webfinger_configvars.md +++ b/static/env-vars/webfinger_configvars.md @@ -1,29 +1,29 @@ Environment variables for the **webfinger** service | Name | Introduction Version | Type | Description | Default Value | -|---|---|---|---|---| -|`OC_TRACING_ENABLED`
`WEBFINGER_TRACING_ENABLED`| 1.0.0 |bool|Activates tracing.|false| -|`OC_TRACING_TYPE`
`WEBFINGER_TRACING_TYPE`| 1.0.0 |string|The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.|| -|`OC_TRACING_ENDPOINT`
`WEBFINGER_TRACING_ENDPOINT`| 1.0.0 |string|The endpoint of the tracing agent.|| -|`OC_TRACING_COLLECTOR`
`WEBFINGER_TRACING_COLLECTOR`| 1.0.0 |string|The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|| -|`OC_LOG_LEVEL`
`WEBFINGER_LOG_LEVEL`| 1.0.0 |string|The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.|| -|`OC_LOG_PRETTY`
`WEBFINGER_LOG_PRETTY`| 1.0.0 |bool|Activates pretty log output.|false| -|`OC_LOG_COLOR`
`WEBFINGER_LOG_COLOR`| 1.0.0 |bool|Activates colorized log output.|false| -|`OC_LOG_FILE`
`WEBFINGER_LOG_FILE`| 1.0.0 |string|The path to the log file. Activates logging to this file if set.|| -|`WEBFINGER_DEBUG_ADDR`| 1.0.0 |string|Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|127.0.0.1:9279| -|`WEBFINGER_DEBUG_TOKEN`| 1.0.0 |string|Token to secure the metrics endpoint.|| -|`WEBFINGER_DEBUG_PPROF`| 1.0.0 |bool|Enables pprof, which can be used for profiling.|false| -|`WEBFINGER_DEBUG_ZPAGES`| 1.0.0 |bool|Enables zpages, which can be used for collecting and viewing in-memory traces.|false| -|`WEBFINGER_HTTP_ADDR`| 1.0.0 |string|The bind address of the HTTP service.|127.0.0.1:9275| -|`WEBFINGER_HTTP_ROOT`| 1.0.0 |string|Subdirectory that serves as the root for this HTTP service.|/| -|`OC_CORS_ALLOW_ORIGINS`
`WEBFINGER_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|[https://localhost:9200]| -|`OC_CORS_ALLOW_METHODS`
`WEBFINGER_CORS_ALLOW_METHODS`| 1.0.0 |[]string|A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.|[]| -|`OC_CORS_ALLOW_HEADERS`
`WEBFINGER_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.|[]| -|`OC_CORS_ALLOW_CREDENTIALS`
`WEBFINGER_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|false| -|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.|false| -|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|Path/File name of the TLS server certificate (in PEM format) for the http services.|| -|`OC_HTTP_TLS_KEY`| 1.0.0 |string|Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.|| -|`WEBFINGER_RELATIONS`| 1.0.0 |[]string|A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.|[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]| -|`OC_URL`
`OC_OIDC_ISSUER`
`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|The identity provider href for the openid-discovery relation.|https://localhost:9200| -|`OC_URL`
`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.|https://localhost:9200| -|`OC_INSECURE`
`WEBFINGER_INSECURE`| 1.0.0 |bool|Allow insecure connections to the WEBFINGER service.|false| \ No newline at end of file +|---|---|---|---|:---| +|`OC_TRACING_ENABLED`
`WEBFINGER_TRACING_ENABLED`| 1.0.0 |bool|`Activates tracing.`|`false`| +|`OC_TRACING_TYPE`
`WEBFINGER_TRACING_TYPE`| 1.0.0 |string|`The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.`|``| +|`OC_TRACING_ENDPOINT`
`WEBFINGER_TRACING_ENDPOINT`| 1.0.0 |string|`The endpoint of the tracing agent.`|``| +|`OC_TRACING_COLLECTOR`
`WEBFINGER_TRACING_COLLECTOR`| 1.0.0 |string|`The HTTP endpoint for sending spans directly to a collector, i.e. \http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.`|``| +|`OC_LOG_LEVEL`
`WEBFINGER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|``| +|`OC_LOG_PRETTY`
`WEBFINGER_LOG_PRETTY`| 1.0.0 |bool|`Activates pretty log output.`|`false`| +|`OC_LOG_COLOR`
`WEBFINGER_LOG_COLOR`| 1.0.0 |bool|`Activates colorized log output.`|`false`| +|`OC_LOG_FILE`
`WEBFINGER_LOG_FILE`| 1.0.0 |string|`The path to the log file. Activates logging to this file if set.`|``| +|`WEBFINGER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9279`| +|`WEBFINGER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`WEBFINGER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`WEBFINGER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`WEBFINGER_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9275`| +|`WEBFINGER_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`WEBFINGER_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`WEBFINGER_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_HEADERS`
`WEBFINGER_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEBFINGER_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`WEBFINGER_RELATIONS`| 1.0.0 |[]string|`A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.`|`[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]`| +|`OC_URL`
`OC_OIDC_ISSUER`
`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|`The identity provider href for the openid-discovery relation.`|`https://localhost:9200`| +|`OC_URL`
`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|`https://localhost:9200`| +|`OC_INSECURE`
`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|`false`|
diff --git a/static/env-vars/webfinger_readme.md b/static/env-vars/webfinger_readme.md
index 16c6df50..453ca630 100755
--- a/static/env-vars/webfinger_readme.md
+++ b/static/env-vars/webfinger_readme.md
@@ -1,6 +1,6 @@
 ---
 title: Webfinger
-date: 2025-05-22T16:21:16.121125161+02:00
+date: 2025-11-13T17:22:55.097774+01:00
 weight: 20
 geekdocRepo: https://github.com/opencloud-eu/opencloud
 geekdocEditPath: edit/master/services/webfinger
@@ -21,7 +21,6 @@ The webfinger service provides an RFC7033 WebFinger lookup of OpenCloud instance
 * [OpenID Connect Discovery](#openid-connect-discovery)
 * [Authenticated Instance Discovery](#authenticated-instance-discovery)
 * [Configure Different Instances Based on OpenidConnect UserInfo Claims](#configure-different-instances-based-on-openidconnect-userinfo-claims)
-* [Example Yaml Config](#example-yaml-config)
 
 ## OpenID Connect Discovery
 
@@ -142,3 +141,4 @@ Now, an authenticated webfinger request for `acct:me@example.org` (when logged i
 ]
 }
 ```
+
From 0e8746ad2b30d0f6fd2de2ec7734dd4e17007c4f Mon Sep 17 00:00:00 2001
From: Thomas Schweiger Date: Thu, 13 Nov 2025 18:17:13 +0100 Subject: [PATCH 2/2] fix: use latest static env-vars --- .../Services/activitylog/example-config.mdx | 2 +- .../Services/antivirus/example-config.mdx | 2 +- .../Services/app-provider/example-config.mdx | 2 +- .../Services/app-registry/example-config.mdx | 2 +- .../server/Services/audit/example-config.mdx | 2 +- .../Services/auth-app/example-config.mdx | 2 +- .../Services/auth-basic/example-config.mdx | 2 +- .../Services/auth-bearer/example-config.mdx | 2 +- .../Services/auth-machine/example-config.mdx | 2 +- .../Services/auth-service/example-config.mdx | 2 +- .../Services/clientlog/example-config.mdx | 2 +- .../Services/collaboration/example-config.mdx | 2 +- .../Services/eventhistory/example-config.mdx | 2 +- .../Services/frontend/example-config.mdx | 2 +- .../Services/gateway/example-config.mdx | 2 +- .../server/Services/graph/example-config.mdx | 2 +- .../server/Services/groups/example-config.mdx | 2 +- .../server/Services/idm/example-config.mdx | 2 +- .../server/Services/idp/example-config.mdx | 2 +- .../Services/invitations/example-config.mdx | 2 +- .../server/Services/nats/example-config.mdx | 2 +- .../Services/notifications/example-config.mdx | 2 +- .../server/Services/ocdav/example-config.mdx | 2 +- .../server/Services/ocm/example-config.mdx | 2 +- .../server/Services/ocs/example-config.mdx | 2 +- .../Services/policies/example-config.mdx | 2 +- .../postprocessing/example-config.mdx | 2 +- .../server/Services/proxy/example-config.mdx | 2 +- .../server/Services/search/example-config.mdx | 2 +- .../Services/settings/example-config.mdx | 2 +- .../Services/sharing/example-config.mdx | 2 +- .../server/Services/sse/example-config.mdx | 2 +- .../storage-publiclink/example-config.mdx | 2 +- .../storage-shares/example-config.mdx | 2 +- .../storage-system/example-config.mdx | 2 +- .../Services/storage-users/example-config.mdx | 2 +- .../Services/thumbnails/example-config.mdx | 2 +- 
.../Services/userlog/example-config.mdx | 2 +- .../server/Services/users/example-config.mdx | 2 +- .../server/Services/web/example-config.mdx | 2 +- .../server/Services/webdav/example-config.mdx | 2 +- .../Services/webfinger/example-config.mdx | 2 +- .../env-vars/activitylog-config-example.yaml | 67 ----- static/env-vars/activitylog_readme.md | 0 static/env-vars/antivirus-config-example.yaml | 40 --- static/env-vars/antivirus_readme.md | 0 .../env-vars/app-provider-config-example.yaml | 45 ---- static/env-vars/app-provider_readme.md | 0 .../env-vars/app-registry-config-example.yaml | 115 --------- static/env-vars/app-registry_readme.md | 0 static/env-vars/audit-config-example.yaml | 31 --- static/env-vars/audit_readme.md | 0 static/env-vars/auth-app-config-example.yaml | 69 ----- static/env-vars/auth-app_readme.md | 0 .../env-vars/auth-basic-config-example.yaml | 76 ------ static/env-vars/auth-basic_readme.md | 0 .../env-vars/auth-bearer-config-example.yaml | 36 --- static/env-vars/auth-bearer_readme.md | 0 .../env-vars/auth-machine-config-example.yaml | 31 --- static/env-vars/auth-machine_readme.md | 0 .../env-vars/auth-service-config-example.yaml | 32 --- static/env-vars/auth-service_readme.md | 0 static/env-vars/clientlog-config-example.yaml | 33 --- static/env-vars/clientlog_readme.md | 0 .../collaboration-config-example.yaml | 63 ----- static/env-vars/collaboration_readme.md | 0 .../env-vars/eventhistory-config-example.yaml | 39 --- static/env-vars/eventhistory_readme.md | 0 static/env-vars/frontend-config-example.yaml | 154 ----------- static/env-vars/frontend_readme.md | 0 static/env-vars/gateway-config-example.yaml | 72 ------ static/env-vars/gateway_readme.md | 0 static/env-vars/graph-config-example.yaml | 169 ------------ static/env-vars/graph_readme.md | 0 static/env-vars/groups-config-example.yaml | 72 ------ static/env-vars/groups_readme.md | 0 static/env-vars/idm-config-example.yaml | 31 --- static/env-vars/idm_readme.md | 0 
static/env-vars/idp-config-example.yaml | 122 --------- static/env-vars/idp_readme.md | 0 .../env-vars/invitations-config-example.yaml | 40 --- static/env-vars/invitations_readme.md | 0 static/env-vars/nats-config-example.yaml | 27 -- static/env-vars/nats_readme.md | 0 .../notifications-config-example.yaml | 57 ----- static/env-vars/notifications_readme.md | 0 static/env-vars/ocdav-config-example.yaml | 81 ------ static/env-vars/ocdav_readme.md | 0 static/env-vars/ocm-config-example.yaml | 116 --------- static/env-vars/ocm_readme.md | 0 static/env-vars/ocs-config-example.yaml | 54 ---- static/env-vars/ocs_readme.md | 0 static/env-vars/policies-config-example.yaml | 36 --- static/env-vars/policies_readme.md | 0 .../postprocessing-config-example.yaml | 43 ---- static/env-vars/postprocessing_readme.md | 0 static/env-vars/proxy-config-example.yaml | 240 ------------------ static/env-vars/proxy_readme.md | 0 static/env-vars/search-config-example.yaml | 78 ------ static/env-vars/search_readme.md | 0 static/env-vars/settings-config-example.yaml | 73 ------ static/env-vars/settings_readme.md | 0 static/env-vars/sharing-config-example.yaml | 85 ------- static/env-vars/sse-config-example.yaml | 50 ---- static/env-vars/sse_readme.md | 0 .../storage-publiclink-config-example.yaml | 32 --- static/env-vars/storage-publiclink_readme.md | 0 .../storage-shares-config-example.yaml | 33 --- static/env-vars/storage-shares_readme.md | 0 .../storage-system-config-example.yaml | 51 ---- static/env-vars/storage-system_readme.md | 0 .../storage-users-config-example.yaml | 204 --------------- static/env-vars/storage-users_readme.md | 0 .../env-vars/thumbnails-config-example.yaml | 72 ------ static/env-vars/thumbnails_readme.md | 0 static/env-vars/userlog-config-example.yaml | 67 ----- static/env-vars/userlog_readme.md | 0 static/env-vars/users-config-example.yaml | 77 ------ static/env-vars/users_readme.md | 0 static/env-vars/web-config-example.yaml | 131 ---------- 
static/env-vars/web_readme.md | 0 static/env-vars/webdav-config-example.yaml | 51 ---- static/env-vars/webdav_readme.md | 0 static/env-vars/webfinger-config-example.yaml | 44 ---- static/env-vars/webfinger_readme.md | 0 125 files changed, 42 insertions(+), 3081 deletions(-) delete mode 100644 static/env-vars/activitylog-config-example.yaml mode change 100755 => 100644 static/env-vars/activitylog_readme.md delete mode 100644 static/env-vars/antivirus-config-example.yaml mode change 100755 => 100644 static/env-vars/antivirus_readme.md delete mode 100644 static/env-vars/app-provider-config-example.yaml mode change 100755 => 100644 static/env-vars/app-provider_readme.md delete mode 100644 static/env-vars/app-registry-config-example.yaml mode change 100755 => 100644 static/env-vars/app-registry_readme.md delete mode 100644 static/env-vars/audit-config-example.yaml mode change 100755 => 100644 static/env-vars/audit_readme.md delete mode 100644 static/env-vars/auth-app-config-example.yaml mode change 100755 => 100644 static/env-vars/auth-app_readme.md delete mode 100644 static/env-vars/auth-basic-config-example.yaml mode change 100755 => 100644 static/env-vars/auth-basic_readme.md delete mode 100644 static/env-vars/auth-bearer-config-example.yaml mode change 100755 => 100644 static/env-vars/auth-bearer_readme.md delete mode 100644 static/env-vars/auth-machine-config-example.yaml mode change 100755 => 100644 static/env-vars/auth-machine_readme.md delete mode 100644 static/env-vars/auth-service-config-example.yaml mode change 100755 => 100644 static/env-vars/auth-service_readme.md delete mode 100644 static/env-vars/clientlog-config-example.yaml mode change 100755 => 100644 static/env-vars/clientlog_readme.md delete mode 100644 static/env-vars/collaboration-config-example.yaml mode change 100755 => 100644 static/env-vars/collaboration_readme.md delete mode 100644 static/env-vars/eventhistory-config-example.yaml mode change 100755 => 100644 
static/env-vars/eventhistory_readme.md delete mode 100644 static/env-vars/frontend-config-example.yaml mode change 100755 => 100644 static/env-vars/frontend_readme.md delete mode 100644 static/env-vars/gateway-config-example.yaml mode change 100755 => 100644 static/env-vars/gateway_readme.md delete mode 100644 static/env-vars/graph-config-example.yaml mode change 100755 => 100644 static/env-vars/graph_readme.md delete mode 100644 static/env-vars/groups-config-example.yaml mode change 100755 => 100644 static/env-vars/groups_readme.md delete mode 100644 static/env-vars/idm-config-example.yaml mode change 100755 => 100644 static/env-vars/idm_readme.md delete mode 100644 static/env-vars/idp-config-example.yaml mode change 100755 => 100644 static/env-vars/idp_readme.md delete mode 100644 static/env-vars/invitations-config-example.yaml mode change 100755 => 100644 static/env-vars/invitations_readme.md delete mode 100644 static/env-vars/nats-config-example.yaml mode change 100755 => 100644 static/env-vars/nats_readme.md delete mode 100644 static/env-vars/notifications-config-example.yaml mode change 100755 => 100644 static/env-vars/notifications_readme.md delete mode 100644 static/env-vars/ocdav-config-example.yaml mode change 100755 => 100644 static/env-vars/ocdav_readme.md delete mode 100644 static/env-vars/ocm-config-example.yaml mode change 100755 => 100644 static/env-vars/ocm_readme.md delete mode 100644 static/env-vars/ocs-config-example.yaml mode change 100755 => 100644 static/env-vars/ocs_readme.md delete mode 100644 static/env-vars/policies-config-example.yaml mode change 100755 => 100644 static/env-vars/policies_readme.md delete mode 100644 static/env-vars/postprocessing-config-example.yaml mode change 100755 => 100644 static/env-vars/postprocessing_readme.md delete mode 100644 static/env-vars/proxy-config-example.yaml mode change 100755 => 100644 static/env-vars/proxy_readme.md delete mode 100644 static/env-vars/search-config-example.yaml mode change 100755 => 
100644 static/env-vars/search_readme.md delete mode 100644 static/env-vars/settings-config-example.yaml mode change 100755 => 100644 static/env-vars/settings_readme.md delete mode 100644 static/env-vars/sharing-config-example.yaml delete mode 100644 static/env-vars/sse-config-example.yaml mode change 100755 => 100644 static/env-vars/sse_readme.md delete mode 100644 static/env-vars/storage-publiclink-config-example.yaml mode change 100755 => 100644 static/env-vars/storage-publiclink_readme.md delete mode 100644 static/env-vars/storage-shares-config-example.yaml mode change 100755 => 100644 static/env-vars/storage-shares_readme.md delete mode 100644 static/env-vars/storage-system-config-example.yaml mode change 100755 => 100644 static/env-vars/storage-system_readme.md delete mode 100644 static/env-vars/storage-users-config-example.yaml mode change 100755 => 100644 static/env-vars/storage-users_readme.md delete mode 100644 static/env-vars/thumbnails-config-example.yaml mode change 100755 => 100644 static/env-vars/thumbnails_readme.md delete mode 100644 static/env-vars/userlog-config-example.yaml mode change 100755 => 100644 static/env-vars/userlog_readme.md delete mode 100644 static/env-vars/users-config-example.yaml mode change 100755 => 100644 static/env-vars/users_readme.md delete mode 100644 static/env-vars/web-config-example.yaml mode change 100755 => 100644 static/env-vars/web_readme.md delete mode 100644 static/env-vars/webdav-config-example.yaml mode change 100755 => 100644 static/env-vars/webdav_readme.md delete mode 100644 static/env-vars/webfinger-config-example.yaml mode change 100755 => 100644 static/env-vars/webfinger_readme.md diff --git a/docs/dev/server/Services/activitylog/example-config.mdx b/docs/dev/server/Services/activitylog/example-config.mdx index df9461c4..eec37fa7 100644 --- a/docs/dev/server/Services/activitylog/example-config.mdx +++ b/docs/dev/server/Services/activitylog/example-config.mdx 
@@ -4,7 +4,7 @@ id: activitylog-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/activitylog-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/activitylog.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/antivirus/example-config.mdx b/docs/dev/server/Services/antivirus/example-config.mdx
index 7d2bf7bc..67969c17 100644
--- a/docs/dev/server/Services/antivirus/example-config.mdx
+++ b/docs/dev/server/Services/antivirus/example-config.mdx
@@ -4,7 +4,7 @@ id: antivirus-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/antivirus-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/antivirus.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/app-provider/example-config.mdx b/docs/dev/server/Services/app-provider/example-config.mdx
index cbeb53ec..1e60afa2 100644
--- a/docs/dev/server/Services/app-provider/example-config.mdx
+++ b/docs/dev/server/Services/app-provider/example-config.mdx
@@ -4,7 +4,7 @@ id: app-provider-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/app-provider-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/app-provider.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/app-registry/example-config.mdx b/docs/dev/server/Services/app-registry/example-config.mdx
index 069d556c..1cd65e21 100644
--- a/docs/dev/server/Services/app-registry/example-config.mdx
+++ b/docs/dev/server/Services/app-registry/example-config.mdx
@@ -4,7 +4,7 @@ id: app-registry-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/app-registry-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/app-registry.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/audit/example-config.mdx b/docs/dev/server/Services/audit/example-config.mdx
index 16f5fef6..ad0f59ec 100644
--- a/docs/dev/server/Services/audit/example-config.mdx
+++ b/docs/dev/server/Services/audit/example-config.mdx
@@ -4,7 +4,7 @@ id: audit-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/audit-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/audit.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/auth-app/example-config.mdx b/docs/dev/server/Services/auth-app/example-config.mdx
index fcf166de..ad0b6cf6 100644
--- a/docs/dev/server/Services/auth-app/example-config.mdx
+++ b/docs/dev/server/Services/auth-app/example-config.mdx
@@ -4,7 +4,7 @@ id: auth-app-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/auth-app-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/auth-app.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/auth-basic/example-config.mdx b/docs/dev/server/Services/auth-basic/example-config.mdx
index 47b946c8..e50ee247 100644
--- a/docs/dev/server/Services/auth-basic/example-config.mdx
+++ b/docs/dev/server/Services/auth-basic/example-config.mdx
@@ -4,7 +4,7 @@ id: auth-basic-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/auth-basic-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/auth-basic.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/auth-bearer/example-config.mdx b/docs/dev/server/Services/auth-bearer/example-config.mdx
index d0ac0921..4e676db9 100644
--- a/docs/dev/server/Services/auth-bearer/example-config.mdx
+++ b/docs/dev/server/Services/auth-bearer/example-config.mdx
@@ -4,7 +4,7 @@ id: auth-bearer-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/auth-bearer-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/auth-bearer.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/auth-machine/example-config.mdx b/docs/dev/server/Services/auth-machine/example-config.mdx
index 3004eebc..1f3c3bfc 100644
--- a/docs/dev/server/Services/auth-machine/example-config.mdx
+++ b/docs/dev/server/Services/auth-machine/example-config.mdx
@@ -4,7 +4,7 @@ id: auth-machine-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/auth-machine-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/auth-machine.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/auth-service/example-config.mdx b/docs/dev/server/Services/auth-service/example-config.mdx
index 2bff7160..2ec4f6a6 100644
--- a/docs/dev/server/Services/auth-service/example-config.mdx
+++ b/docs/dev/server/Services/auth-service/example-config.mdx
@@ -4,7 +4,7 @@ id: auth-service-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/auth-service-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/auth-service.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/clientlog/example-config.mdx b/docs/dev/server/Services/clientlog/example-config.mdx
index 751cf4d7..a8d6fdcd 100644
--- a/docs/dev/server/Services/clientlog/example-config.mdx
+++ b/docs/dev/server/Services/clientlog/example-config.mdx
@@ -4,7 +4,7 @@ id: clientlog-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/clientlog-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/clientlog.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/collaboration/example-config.mdx b/docs/dev/server/Services/collaboration/example-config.mdx
index 26a9a2eb..8eaaf2f9 100644
--- a/docs/dev/server/Services/collaboration/example-config.mdx
+++ b/docs/dev/server/Services/collaboration/example-config.mdx
@@ -4,7 +4,7 @@ id: collaboration-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/collaboration-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/collaboration.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/eventhistory/example-config.mdx b/docs/dev/server/Services/eventhistory/example-config.mdx
index 1649c8ce..2440705a 100644
--- a/docs/dev/server/Services/eventhistory/example-config.mdx
+++ b/docs/dev/server/Services/eventhistory/example-config.mdx
@@ -4,7 +4,7 @@ id: eventhistory-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/eventhistory-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/eventhistory.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/frontend/example-config.mdx b/docs/dev/server/Services/frontend/example-config.mdx
index de235160..3f6ccfcb 100644
--- a/docs/dev/server/Services/frontend/example-config.mdx
+++ b/docs/dev/server/Services/frontend/example-config.mdx
@@ -4,7 +4,7 @@ id: frontend-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/frontend-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/frontend.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/gateway/example-config.mdx b/docs/dev/server/Services/gateway/example-config.mdx
index 7652c5bb..6f6b7c52 100644
--- a/docs/dev/server/Services/gateway/example-config.mdx
+++ b/docs/dev/server/Services/gateway/example-config.mdx
@@ -4,7 +4,7 @@ id: gateway-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/gateway-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/gateway.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/graph/example-config.mdx b/docs/dev/server/Services/graph/example-config.mdx
index ebbaa028..43cd2679 100644
--- a/docs/dev/server/Services/graph/example-config.mdx
+++ b/docs/dev/server/Services/graph/example-config.mdx
@@ -4,7 +4,7 @@ id: graph-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/graph-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/graph.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/groups/example-config.mdx b/docs/dev/server/Services/groups/example-config.mdx
index 33e7cf97..3f3c6762 100644
--- a/docs/dev/server/Services/groups/example-config.mdx
+++ b/docs/dev/server/Services/groups/example-config.mdx
@@ -4,7 +4,7 @@ id: groups-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/groups-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/groups.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/idm/example-config.mdx b/docs/dev/server/Services/idm/example-config.mdx
index f19dff21..747314dd 100644
--- a/docs/dev/server/Services/idm/example-config.mdx
+++ b/docs/dev/server/Services/idm/example-config.mdx
@@ -4,7 +4,7 @@ id: idm-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/idm-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/idm.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/idp/example-config.mdx b/docs/dev/server/Services/idp/example-config.mdx
index b81514ae..5ea5e495 100644
--- a/docs/dev/server/Services/idp/example-config.mdx
+++ b/docs/dev/server/Services/idp/example-config.mdx
@@ -4,7 +4,7 @@ id: idp-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/idp-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/idp.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/invitations/example-config.mdx b/docs/dev/server/Services/invitations/example-config.mdx
index b96124f8..b46960ef 100644
--- a/docs/dev/server/Services/invitations/example-config.mdx
+++ b/docs/dev/server/Services/invitations/example-config.mdx
@@ -4,7 +4,7 @@ id: invitations-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/invitations-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/invitations.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/nats/example-config.mdx b/docs/dev/server/Services/nats/example-config.mdx
index cfe12557..5173aa43 100644
--- a/docs/dev/server/Services/nats/example-config.mdx
+++ b/docs/dev/server/Services/nats/example-config.mdx
@@ -4,7 +4,7 @@ id: nats-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/nats-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/nats.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/notifications/example-config.mdx b/docs/dev/server/Services/notifications/example-config.mdx
index 062ad485..0286a7cd 100644
--- a/docs/dev/server/Services/notifications/example-config.mdx
+++ b/docs/dev/server/Services/notifications/example-config.mdx
@@ -4,7 +4,7 @@ id: notifications-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/notifications-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/notifications.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/ocdav/example-config.mdx b/docs/dev/server/Services/ocdav/example-config.mdx
index 6ece1795..c72287c2 100644
--- a/docs/dev/server/Services/ocdav/example-config.mdx
+++ b/docs/dev/server/Services/ocdav/example-config.mdx
@@ -4,7 +4,7 @@ id: ocdav-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/ocdav-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/ocdav.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/ocm/example-config.mdx b/docs/dev/server/Services/ocm/example-config.mdx
index 4f134aae..11f74402 100644
--- a/docs/dev/server/Services/ocm/example-config.mdx
+++ b/docs/dev/server/Services/ocm/example-config.mdx
@@ -4,7 +4,7 @@ id: ocm-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/ocm-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/ocm.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/ocs/example-config.mdx b/docs/dev/server/Services/ocs/example-config.mdx
index 5f61f93e..e198b6b0 100644
--- a/docs/dev/server/Services/ocs/example-config.mdx
+++ b/docs/dev/server/Services/ocs/example-config.mdx
@@ -4,7 +4,7 @@ id: ocs-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/ocs-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/ocs.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/policies/example-config.mdx b/docs/dev/server/Services/policies/example-config.mdx
index 060c67b8..4c157e77 100644
--- a/docs/dev/server/Services/policies/example-config.mdx
+++ b/docs/dev/server/Services/policies/example-config.mdx
@@ -4,7 +4,7 @@ id: policies-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/policies-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/policies.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/postprocessing/example-config.mdx b/docs/dev/server/Services/postprocessing/example-config.mdx
index f5f1e6f2..01c1c7ff 100644
--- a/docs/dev/server/Services/postprocessing/example-config.mdx
+++ b/docs/dev/server/Services/postprocessing/example-config.mdx
@@ -4,7 +4,7 @@ id: postprocessing-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/postprocessing-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/postprocessing.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/proxy/example-config.mdx b/docs/dev/server/Services/proxy/example-config.mdx
index 825768a5..ab49678c 100644
--- a/docs/dev/server/Services/proxy/example-config.mdx
+++ b/docs/dev/server/Services/proxy/example-config.mdx
@@ -4,7 +4,7 @@ id: proxy-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/proxy-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/proxy.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/search/example-config.mdx b/docs/dev/server/Services/search/example-config.mdx
index b5a0f1a0..29444888 100644
--- a/docs/dev/server/Services/search/example-config.mdx
+++ b/docs/dev/server/Services/search/example-config.mdx
@@ -4,7 +4,7 @@ id: search-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/search-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/search.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/settings/example-config.mdx b/docs/dev/server/Services/settings/example-config.mdx
index fb2aa77d..97402cdd 100644
--- a/docs/dev/server/Services/settings/example-config.mdx
+++ b/docs/dev/server/Services/settings/example-config.mdx
@@ -4,7 +4,7 @@ id: settings-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/settings-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/settings.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/sharing/example-config.mdx b/docs/dev/server/Services/sharing/example-config.mdx
index db162eea..2b71ae14 100644
--- a/docs/dev/server/Services/sharing/example-config.mdx
+++ b/docs/dev/server/Services/sharing/example-config.mdx
@@ -4,7 +4,7 @@ id: sharing-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/sharing-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/sharing.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/sse/example-config.mdx b/docs/dev/server/Services/sse/example-config.mdx
index 389f1ddf..5dbda6b5 100644
--- a/docs/dev/server/Services/sse/example-config.mdx
+++ b/docs/dev/server/Services/sse/example-config.mdx
@@ -4,7 +4,7 @@ id: sse-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/sse-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/sse.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/storage-publiclink/example-config.mdx b/docs/dev/server/Services/storage-publiclink/example-config.mdx
index d7ef4b0f..490b8113 100644
--- a/docs/dev/server/Services/storage-publiclink/example-config.mdx
+++ b/docs/dev/server/Services/storage-publiclink/example-config.mdx
@@ -4,7 +4,7 @@ id: storage-publiclink-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/storage-publiclink-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/storage-publiclink.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/storage-shares/example-config.mdx b/docs/dev/server/Services/storage-shares/example-config.mdx
index ad1f52d9..c9e9beb8 100644
--- a/docs/dev/server/Services/storage-shares/example-config.mdx
+++ b/docs/dev/server/Services/storage-shares/example-config.mdx
@@ -4,7 +4,7 @@ id: storage-shares-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/storage-shares-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/storage-shares.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/storage-system/example-config.mdx b/docs/dev/server/Services/storage-system/example-config.mdx
index 9b5cdefa..c7698a82 100644
--- a/docs/dev/server/Services/storage-system/example-config.mdx
+++ b/docs/dev/server/Services/storage-system/example-config.mdx
@@ -4,7 +4,7 @@ id: storage-system-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/storage-system-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/storage-system.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/storage-users/example-config.mdx b/docs/dev/server/Services/storage-users/example-config.mdx
index ee7397c9..350db018 100644
--- a/docs/dev/server/Services/storage-users/example-config.mdx
+++ b/docs/dev/server/Services/storage-users/example-config.mdx
@@ -4,7 +4,7 @@ id: storage-users-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/storage-users-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/storage-users.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/thumbnails/example-config.mdx b/docs/dev/server/Services/thumbnails/example-config.mdx
index cd550af8..f97a49e7 100644
--- a/docs/dev/server/Services/thumbnails/example-config.mdx
+++ b/docs/dev/server/Services/thumbnails/example-config.mdx
@@ -4,7 +4,7 @@ id: thumbnails-example
 title: Example Config
 ---
-import yamlContent from '!!raw-loader!@site/static/env-vars/thumbnails-config-example.yaml';
+import yamlContent from '!!raw-loader!@site/static/env-vars/thumbnails.yaml';
 import CodeBlock from '@theme/CodeBlock';
 {yamlContent}
diff --git a/docs/dev/server/Services/userlog/example-config.mdx b/docs/dev/server/Services/userlog/example-config.mdx
index 4f36fb7b..ab291b9a 100644
--- a/docs/dev/server/Services/userlog/example-config.mdx
+++ b/docs/dev/server/Services/userlog/example-config.mdx
@@ -4,7 +4,7 @@ id: userlog-example title: Example Config --- -import yamlContent from '!!raw-loader!@site/static/env-vars/userlog-config-example.yaml'; +import yamlContent from '!!raw-loader!@site/static/env-vars/userlog.yaml'; import CodeBlock from '@theme/CodeBlock'; {yamlContent} diff --git a/docs/dev/server/Services/users/example-config.mdx b/docs/dev/server/Services/users/example-config.mdx index e7785042..f4dfe269 100644 --- a/docs/dev/server/Services/users/example-config.mdx +++ b/docs/dev/server/Services/users/example-config.mdx @@ -4,7 +4,7 @@ id: users-example title: Example Config --- -import yamlContent from '!!raw-loader!@site/static/env-vars/users-config-example.yaml'; +import yamlContent from '!!raw-loader!@site/static/env-vars/users.yaml'; import CodeBlock from '@theme/CodeBlock'; {yamlContent} diff --git a/docs/dev/server/Services/web/example-config.mdx b/docs/dev/server/Services/web/example-config.mdx index 8c6d77e5..043fa90e 100644 --- a/docs/dev/server/Services/web/example-config.mdx +++ b/docs/dev/server/Services/web/example-config.mdx @@ -4,7 +4,7 @@ id: web-example title: Example Config --- -import yamlContent from '!!raw-loader!@site/static/env-vars/web-config-example.yaml'; +import yamlContent from '!!raw-loader!@site/static/env-vars/web.yaml'; import CodeBlock from '@theme/CodeBlock'; {yamlContent} diff --git a/docs/dev/server/Services/webdav/example-config.mdx b/docs/dev/server/Services/webdav/example-config.mdx index ef48623e..bba4bb92 100644 --- a/docs/dev/server/Services/webdav/example-config.mdx +++ b/docs/dev/server/Services/webdav/example-config.mdx @@ -4,7 +4,7 @@ id: webdav-example title: Example Config --- -import yamlContent from '!!raw-loader!@site/static/env-vars/webdav-config-example.yaml'; +import yamlContent from '!!raw-loader!@site/static/env-vars/webdav.yaml'; import CodeBlock from '@theme/CodeBlock'; {yamlContent} 
diff --git a/docs/dev/server/Services/webfinger/example-config.mdx b/docs/dev/server/Services/webfinger/example-config.mdx index ebbb1b48..38528530 100644 --- a/docs/dev/server/Services/webfinger/example-config.mdx +++ b/docs/dev/server/Services/webfinger/example-config.mdx @@ -4,7 +4,7 @@ id: webfinger-example title: Example Config --- -import yamlContent from '!!raw-loader!@site/static/env-vars/webfinger-config-example.yaml'; +import yamlContent from '!!raw-loader!@site/static/env-vars/webfinger.yaml'; import CodeBlock from '@theme/CodeBlock'; {yamlContent} diff --git a/static/env-vars/activitylog-config-example.yaml b/static/env-vars/activitylog-config-example.yaml deleted file mode 100644 index 3ada4ff7..00000000 --- a/static/env-vars/activitylog-config-example.yaml +++ /dev/null @@ -1,67 +0,0 @@ -# Autogenerated -# Filename: activitylog-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9197 - token: "" - pprof: false - zpages: false -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -store: - store: nats-js-kv - nodes: - - 127.0.0.1:9233 - database: activitylog - table: "" - ttl: 0s - username: "" - password: "" -reva_gateway: eu.opencloud.api.gateway -grpc_client_tls: null -http: - addr: 127.0.0.1:9195 - root: / - cors: - allow_origins: - - '*' - allow_methods: - - GET - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Ocs-Apirequest - allow_credentials: true - tls: - enabled: false - cert: "" - key: "" -token_manager: - jwt_secret: "" -translation_path: "" -default_language: en -service_account: - service_account_id: "" - service_account_secret: "" -write_buffer_duration: 10s -max_activities: 6000 
diff --git a/static/env-vars/activitylog_readme.md b/static/env-vars/activitylog_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/antivirus-config-example.yaml b/static/env-vars/antivirus-config-example.yaml deleted file mode 100644 index 4e2b6e47..00000000 --- a/static/env-vars/antivirus-config-example.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Autogenerated -# Filename: antivirus-config-example.yaml - -file: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9277 - token: "" - pprof: false - zpages: false -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -infected-file-handling: delete -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -workers: 10 -scanner: - type: clamav - clamav: - socket: /run/clamav/clamd.ctl - scan_timeout: 5m0s - icap: - scan_timeout: 5m0s - url: icap://127.0.0.1:1344 - service: avscan -max-scan-size: 100MB -max-scan-size-mode: partial diff --git a/static/env-vars/antivirus_readme.md b/static/env-vars/antivirus_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/app-provider-config-example.yaml b/static/env-vars/app-provider-config-example.yaml deleted file mode 100644 index b100cfa3..00000000 --- a/static/env-vars/app-provider-config-example.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -# Autogenerated -# Filename: app-provider-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9165 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9164 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -external_addr: eu.opencloud.api.app-provider -driver: "" -drivers: - wopi: - app_api_key: "" - app_desktop_only: false - app_icon_uri: "" - app_internal_url: "" - app_name: "" - app_url: "" - app_disable_chat: false - insecure: false - wopi_server_iop_secret: "" - wopi_server_external_url: "" - wopi_folder_url_base_url: https://localhost:9200/ - wopi_folder_url_path_template: /f/{{.ResourceID}} diff --git a/static/env-vars/app-provider_readme.md b/static/env-vars/app-provider_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/app-registry-config-example.yaml b/static/env-vars/app-registry-config-example.yaml deleted file mode 100644 index 76757ee9..00000000 --- a/static/env-vars/app-registry-config-example.yaml +++ /dev/null 
@@ -1,115 +0,0 @@ -# Autogenerated -# Filename: app-registry-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9243 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9242 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -app_registry: - mimetypes: - - mime_type: application/pdf - extension: pdf - name: PDF - description: PDF document - icon: "" - default_app: "" - allow_creation: false - - mime_type: application/vnd.oasis.opendocument.text - extension: odt - name: OpenDocument - description: OpenDocument text document - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/vnd.oasis.opendocument.spreadsheet - extension: ods - name: OpenSpreadsheet - description: OpenDocument spreadsheet document - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/vnd.oasis.opendocument.presentation - extension: odp - name: OpenPresentation - description: OpenDocument presentation document - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document - extension: docx - name: Microsoft Word - description: Microsoft Word document - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.form - extension: docxf - name: Form Document - description: Form Document - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet - extension: xlsx - name: Microsoft Excel - description: Microsoft Excel document - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation - extension: pptx - name: Microsoft PowerPoint - 
description: Microsoft PowerPoint document - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/vnd.jupyter - extension: ipynb - name: Jupyter Notebook - description: Jupyter Notebook - icon: "" - default_app: "" - allow_creation: false - - mime_type: text/markdown - extension: md - name: Markdown file - description: Markdown file - icon: "" - default_app: "" - allow_creation: true - - mime_type: application/compressed-markdown - extension: zmd - name: Compressed markdown file - description: Compressed markdown file - icon: "" - default_app: "" - allow_creation: false - - mime_type: application/vnd.geogebra.slides - extension: ggs - name: GeoGebra Slides - description: GeoGebra Slides - icon: "" - default_app: "" - allow_creation: false diff --git a/static/env-vars/app-registry_readme.md b/static/env-vars/app-registry_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/audit-config-example.yaml b/static/env-vars/audit-config-example.yaml deleted file mode 100644 index d400f3ee..00000000 --- a/static/env-vars/audit-config-example.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Autogenerated -# Filename: audit-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9229 - token: "" - pprof: false - zpages: false -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -auditlog: - log_to_console: true - log_to_file: false - filepath: "" - format: json diff --git a/static/env-vars/audit_readme.md b/static/env-vars/audit_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/auth-app-config-example.yaml b/static/env-vars/auth-app-config-example.yaml deleted file mode 100644 index c165282d..00000000 --- a/static/env-vars/auth-app-config-example.yaml +++ /dev/null 
@@ -1,69 +0,0 @@ -# Autogenerated -# Filename: auth-app-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9245 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9246 - tls: null - protocol: tcp -http: - addr: 127.0.0.1:9247 - root: / - cors: - allow_origins: - - '*' - allow_methods: - - GET - - POST - - DELETE - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Ocs-Apirequest - allow_credentials: true - tls: - enabled: false - cert: "" - key: "" -grpc_client_tls: null -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -machine_auth_api_key: "" -allow_impersonation: false -storage_driver: jsoncs3 -storage_drivers: - jsoncs3: - provider_addr: eu.opencloud.api.storage-system - system_user_id: "" - system_user_idp: internal - system_user_api_key: "" - password_generator: diceware - password_generator_options: - diceware: - number_of_words: 6 - randon: - password_length: 0 diff --git a/static/env-vars/auth-app_readme.md b/static/env-vars/auth-app_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/auth-basic-config-example.yaml b/static/env-vars/auth-basic-config-example.yaml deleted file mode 100644 index 99958aae..00000000 --- a/static/env-vars/auth-basic-config-example.yaml +++ /dev/null 
@@ -1,76 +0,0 @@ -# Autogenerated -# Filename: auth-basic-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9147 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9146 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -auth_provider: ldap -auth_providers: - ldap: - uri: ldaps://localhost:9235 - ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt - insecure: false - bind_dn: uid=reva,ou=sysusers,o=libregraph-idm - bind_password: "" - user_base_dn: ou=users,o=libregraph-idm - group_base_dn: ou=groups,o=libregraph-idm - user_scope: sub - group_scope: sub - user_filter: "" - group_filter: "" - user_object_class: inetOrgPerson - group_object_class: groupOfNames - login_attributes: - - uid - idp: https://localhost:9200 - disable_user_mechanism: attribute - ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm - user_schema: - id: openCloudUUID - tenant_id: "" - id_is_octet_string: false - mail: mail - display_name: displayname - user_name: uid - user_enabled: openCloudUserEnabled - group_schema: - id: openCloudUUID - id_is_octet_string: false - mail: mail - display_name: cn - group_name: cn - member: member - owncloudsql: - db_username: owncloud - db_password: "" - db_host: mysql - db_port: 3306 - db_name: owncloud - idp: https://localhost:9200 - nobody: 90 - join_username: false - join_owncloud_uuid: false diff --git a/static/env-vars/auth-basic_readme.md b/static/env-vars/auth-basic_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/auth-bearer-config-example.yaml b/static/env-vars/auth-bearer-config-example.yaml deleted file mode 100644 index 751d9cee..00000000 --- a/static/env-vars/auth-bearer-config-example.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Autogenerated -# Filename: auth-bearer-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9149 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9148 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -oidc: - issuer: https://localhost:9200 - insecure: false - id_claim: preferred_username - uid_claim: "" - gid_claim: "" diff --git a/static/env-vars/auth-bearer_readme.md b/static/env-vars/auth-bearer_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/auth-machine-config-example.yaml b/static/env-vars/auth-machine-config-example.yaml deleted file mode 100644 index 5d98107a..00000000 --- a/static/env-vars/auth-machine-config-example.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Autogenerated -# Filename: auth-machine-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9167 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9166 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -machine_auth_api_key: "" diff --git a/static/env-vars/auth-machine_readme.md b/static/env-vars/auth-machine_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/auth-service-config-example.yaml b/static/env-vars/auth-service-config-example.yaml deleted file mode 100644 index 2e365b98..00000000 --- a/static/env-vars/auth-service-config-example.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -# Autogenerated -# Filename: auth-service-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9198 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9199 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -service_account: - service_account_id: "" - service_account_secret: "" diff --git a/static/env-vars/auth-service_readme.md b/static/env-vars/auth-service_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/clientlog-config-example.yaml b/static/env-vars/clientlog-config-example.yaml deleted file mode 100644 index 51f97462..00000000 --- a/static/env-vars/clientlog-config-example.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# Autogenerated -# Filename: clientlog-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9260 - token: "" - pprof: false - zpages: false -grpc_client_tls: null -token_manager: - jwt_secret: "" -reva_gateway: eu.opencloud.api.gateway -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -service_account: - service_account_id: "" - service_account_secret: "" diff --git a/static/env-vars/clientlog_readme.md b/static/env-vars/clientlog_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/collaboration-config-example.yaml b/static/env-vars/collaboration-config-example.yaml deleted file mode 100644 index 3d1764ec..00000000 --- a/static/env-vars/collaboration-config-example.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -# Autogenerated -# Filename: collaboration-config-example.yaml - -app: - name: Collabora - product: "" - description: Open office documents with Collabora - icon: image-edit - addr: https://127.0.0.1:9980 - insecure: false - proofkeys: - disable: false - duration: 12h - licensecheckenable: false -store: - store: nats-js-kv - nodes: - - 127.0.0.1:9233 - database: collaboration - table: "" - ttl: 30m0s - username: "" - password: "" -token_manager: - jwt_secret: "" -grpc: - addr: 127.0.0.1:9301 - protocol: tcp -http: - addr: 127.0.0.1:9300 - tls: - enabled: false - cert: "" - key: "" -wopi: - wopisrc: https://localhost:9300 - secret: "" - disable_chat: false - proxy_url: "" - proxy_secret: "" - short_tokens: false -cs3api: - gateway: - name: eu.opencloud.api.gateway - datagateway: - insecure: false - grpc_client_tls: null - app_registration_interval: 30s -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9304 - token: "" - pprof: false - zpages: false diff --git a/static/env-vars/collaboration_readme.md b/static/env-vars/collaboration_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/eventhistory-config-example.yaml b/static/env-vars/eventhistory-config-example.yaml deleted file mode 100644 index 5230859f..00000000 --- a/static/env-vars/eventhistory-config-example.yaml +++ /dev/null 
@@ -1,39 +0,0 @@ -# Autogenerated -# Filename: eventhistory-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9270 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9274 - tls: null -grpc_client_tls: null -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -store: - store: nats-js-kv - nodes: - - 127.0.0.1:9233 - database: eventhistory - table: "" - ttl: 336h0m0s - username: "" - password: "" diff --git a/static/env-vars/eventhistory_readme.md b/static/env-vars/eventhistory_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/frontend-config-example.yaml b/static/env-vars/frontend-config-example.yaml deleted file mode 100644 index 572ec050..00000000 --- a/static/env-vars/frontend-config-example.yaml +++ /dev/null 
@@ -1,154 +0,0 @@ -# Autogenerated -# Filename: frontend-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9141 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9140 - protocol: tcp - prefix: "" - cors: - allow_origins: - - https://localhost:9200 - allow_methods: - - OPTIONS - - HEAD - - GET - - PUT - - POST - - PATCH - - DELETE - - MKCOL - - PROPFIND - - PROPPATCH - - MOVE - - COPY - - REPORT - - SEARCH - allow_headers: - - Origin - - Accept - - Content-Type - - Depth - - Authorization - - Ocs-Apirequest - - If-None-Match - - If-Match - - Destination - - Overwrite - - X-Request-Id - - X-Requested-With - - Tus-Resumable - - Tus-Checksum-Algorithm - - Upload-Concat - - Upload-Length - - Upload-Metadata - - Upload-Defer-Length - - Upload-Expires - - Upload-Checksum - - Upload-Offset - - X-HTTP-Method-Override - - Cache-Control - allow_credentials: false -transfer_secret: "" -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -machine_auth_api_key: "" -skip_user_groups_in_token: false -enable_favorites: false -max_quota: 0 -upload_max_chunk_size: 10000000 -upload_http_method_override: "" -default_upload_protocol: tus -enable_federated_sharing_incoming: false -enable_federated_sharing_outgoing: false -search_min_length: 3 -edition: "" -disable_sse: false -default_link_permissions: 1 -public_url: https://localhost:9200 -max_concurrency: 1 -app_handler: - insecure: false - secure_view_app_addr: eu.opencloud.api.collaboration -archiver: - max_num_files: 10000 - max_size: 1073741824 - insecure: false -data_gateway: - prefix: data -ocs: - prefix: ocs - share_prefix: /Shares - home_namespace: /users/{{.Id.OpaqueId}} - additional_info_attribute: '{{.Mail}}' - stat_cache_type: memory - stat_cache_nodes: - - 127.0.0.1:9233 - stat_cache_database: cache-stat - stat_cache_table: "" - 
stat_cache_ttl: 5m0s - stat_cache_disable_persistence: false - stat_cache_auth_username: "" - stat_cache_auth_password: "" - enable_denials: false - list_ocm_shares: true - include_ocm_sharees: false - public_sharing_share_must_have_password: true - public_sharing_writeableshare_must_have_password: false - show_email_in_results: false -checksums: - supported_types: - - sha1 - - md5 - - adler32 - preferred_upload_type: sha1 -read_only_user_attributes: [] -ldap_server_write_enabled: true -edit_login_allowed_disabled: false -full_text_search: false -check_for_updates: true -middleware: - auth: - credentials_by_user_agent: {} -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -grpc_client_tls: null -auto_accept_shares: true -service_account: - service_account_id: "" - service_account_secret: "" -password_policy: - min_characters: 8 - min_lowercase_characters: 1 - min_uppercase_characters: 1 - min_digits: 1 - min_special_characters: 1 - banned_passwords_list: "" -configurable_notifications: false -groupware: - enabled: false diff --git a/static/env-vars/frontend_readme.md b/static/env-vars/frontend_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/gateway-config-example.yaml b/static/env-vars/gateway-config-example.yaml deleted file mode 100644 index 8080728a..00000000 --- a/static/env-vars/gateway-config-example.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -# Autogenerated -# Filename: gateway-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9143 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9142 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -commit_share_to_storage_grant: true -share_folder_name: Shares -disable_home_creation_on_login: true -transfer_secret: "" -transfer_expires: 86400 -cache: - provider_cache_store: noop - provider_cache_nodes: - - 127.0.0.1:9233 - provider_cache_database: cache-providers - provider_cache_ttl: 5m0s - provider_cache_disable_persistence: false - provider_cache_auth_username: "" - provider_cache_auth_password: "" - create_home_cache_store: memory - create_home_cache_nodes: - - 127.0.0.1:9233 - create_home_cache_database: cache-createhome - create_home_cache_ttl: 5m0s - create_home_cache_disable_persistence: false - create_home_cache_auth_username: "" - create_home_cache_auth_password: "" -frontend_public_url: https://localhost:9200 -users_endpoint: eu.opencloud.api.users -groups_endpoint: eu.opencloud.api.groups -permissions_endpoint: eu.opencloud.api.settings -sharing_endpoint: eu.opencloud.api.sharing -auth_app_endpoint: eu.opencloud.api.auth-app -auth_basic_endpoint: eu.opencloud.api.auth-basic -auth_bearer_endpoint: "" -auth_machine_endpoint: eu.opencloud.api.auth-machine -auth_service_endpoint: eu.opencloud.api.auth-service -storage_public_link_endpoint: eu.opencloud.api.storage-publiclink -storage_users_endpoint: eu.opencloud.api.storage-users -storage_shares_endpoint: eu.opencloud.api.storage-shares -app_registry_endpoint: eu.opencloud.api.app-registry -ocm_endpoint: eu.opencloud.api.ocm -storage_registry: - driver: spaces - rules: [] - json: "" - storage_users_mount_id: "" 
diff --git a/static/env-vars/gateway_readme.md b/static/env-vars/gateway_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/graph-config-example.yaml b/static/env-vars/graph-config-example.yaml deleted file mode 100644 index 5d755ea0..00000000 --- a/static/env-vars/graph-config-example.yaml +++ /dev/null 
@@ -1,169 +0,0 @@ -# Autogenerated -# Filename: graph-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -cache: - store: memory - nodes: - - 127.0.0.1:9233 - database: cache-roles - table: "" - ttl: 336h0m0s - disable_persistence: false - username: "" - password: "" -debug: - addr: 127.0.0.1:9124 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9120 - root: /graph - tls: - enabled: false - cert: "" - key: "" - apitoken: "" - cors: - allow_origins: - - '*' - allow_methods: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Purge - - Restore - allow_credentials: true -api: - group_members_patch_limit: 20 - graph_username_match: default - graph_assign_default_user_role: true - graph_identity_search_min_length: 3 - show_email_in_results: false -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -token_manager: - jwt_secret: "" -grpc_client_tls: null -application: - id: "" - displayname: OpenCloud -spaces: - webdav_base: https://localhost:9200 - webdav_path: /dav/spaces/ - default_quota: "1000000000" - extended_space_properties_cache_ttl: 60000000000 - users_cache_ttl: 60000000000 - groups_cache_ttl: 60000000000 - storage_users_address: eu.opencloud.api.storage-users - default_language: "" - translation_path: "" -identity: - backend: ldap - ldap: - uri: ldaps://localhost:9235 - cacert: /Users/t.schweiger/.opencloud/idm/ldap.crt - insecure: false - bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm - bind_password: "" - use_server_uuid: false - use_password_modify_exop: true - write_enabled: true - refint_enabled: false - user_base_dn: ou=users,o=libregraph-idm - user_search_scope: sub - user_filter: "" - user_objectclass: inetOrgPerson - user_mail_attribute: mail - user_displayname_attribute: displayName - 
user_name_attribute: uid - user_id_attribute: openCloudUUID - user_id_is_octet_string: false - user_type_attribute: openCloudUserType - user_enabled_attribute: openCloudUserEnabled - disable_user_mechanism: attribute - ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm - group_base_dn: ou=groups,o=libregraph-idm - group_create_base_dn: ou=groups,o=libregraph-idm - group_search_scope: sub - group_filter: "" - group_objectclass: groupOfNames - group_name_attribute: cn - group_member_attribute: member - group_id_attribute: openCloudUUID - group_id_is_octet_string: false - education_resources_enabled: false - educationconfig: - school_base_dn: "" - school_search_scope: "" - school_filter: "" - school_objectclass: "" - school_name_attribute: "" - school_number_attribute: "" - school_id_attribute: "" - school_termination_min_grace_days: 0 -include_ocm_sharees: false -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -unified_roles: - available_roles: - - b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 - - a8d5fe5e-96e3-418d-825b-534dbdf22b99 - - fb6c3e19-e378-47e5-b277-9732f9de6e21 - - 58c63c02-1d89-4572-916a-870abc5a1b7d - - 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a - - 1c996275-f1c9-4e71-abdf-a42f6495e960 - - 312c0871-5ef7-4b3a-85b6-0e4074c64049 -max_concurrency: 20 -keycloak: - base_path: "" - client_id: "" - client_secret: "" - client_realm: "" - user_realm: "" - insecure_skip_verify: false -service_account: - service_account_id: "" - service_account_secret: "" -metadata_config: - gateway_addr: eu.opencloud.api.storage-system - storage_addr: eu.opencloud.api.storage-system - system_user_id: "" - system_user_idp: internal - system_user_api_key: "" -user_soft_delete_retention_time: 0s -store: - nodes: - - 127.0.0.1:9233 - database: graph - username: "" - password: "" 
diff --git a/static/env-vars/graph_readme.md b/static/env-vars/graph_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/groups-config-example.yaml b/static/env-vars/groups-config-example.yaml deleted file mode 100644 index 1fd59de5..00000000 --- a/static/env-vars/groups-config-example.yaml +++ /dev/null @@ -1,72 +0,0 @@ -# Autogenerated -# Filename: groups-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9161 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9160 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -driver: ldap -drivers: - ldap: - uri: ldaps://localhost:9235 - ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt - insecure: false - bind_dn: uid=reva,ou=sysusers,o=libregraph-idm - bind_password: "" - user_base_dn: ou=users,o=libregraph-idm - group_base_dn: ou=groups,o=libregraph-idm - user_scope: sub - group_scope: sub - group_substring_filter_type: any - user_filter: "" - group_filter: "" - user_object_class: inetOrgPerson - group_object_class: groupOfNames - idp: https://localhost:9200 - user_schema: - id: openCloudUUID - id_is_octet_string: false - mail: mail - display_name: displayname - user_name: uid - group_schema: - id: openCloudUUID - id_is_octet_string: false - mail: mail - display_name: cn - group_name: cn - member: member - owncloudsql: - db_username: owncloud - db_password: "" - db_host: mysql - db_port: 3306 - db_name: owncloud - idp: https://localhost:9200 - nobody: 90 - join_username: false - join_owncloud_uuid: false - enable_medial_search: false diff --git a/static/env-vars/groups_readme.md b/static/env-vars/groups_readme.md old mode 100755 new mode 100644 
diff --git a/static/env-vars/idm-config-example.yaml b/static/env-vars/idm-config-example.yaml deleted file mode 100644 index b4b6223c..00000000 --- a/static/env-vars/idm-config-example.yaml +++ /dev/null @@ -1,31 +0,0 @@ -# Autogenerated -# Filename: idm-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9239 - token: "" - pprof: false - zpages: false -idm: - ldaps_addr: 127.0.0.1:9235 - cert: /Users/t.schweiger/.opencloud/idm/ldap.crt - key: /Users/t.schweiger/.opencloud/idm/ldap.key - database: /Users/t.schweiger/.opencloud/idm/idm.boltdb -create_demo_users: false -demo_users_issuer_url: https://localhost:9200 -service_user_passwords: - admin_password: "" - idm_password: "" - reva_password: "" - idp_password: "" -admin_user_id: "" diff --git a/static/env-vars/idm_readme.md b/static/env-vars/idm_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/idp-config-example.yaml b/static/env-vars/idp-config-example.yaml deleted file mode 100644 index 90ae3a4c..00000000 --- a/static/env-vars/idp-config-example.yaml +++ /dev/null 
@@ -1,122 +0,0 @@ -# Autogenerated -# Filename: idp-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9134 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9130 - root: / - tls_cert: /Users/t.schweiger/.opencloud/idp/server.crt - tls_key: /Users/t.schweiger/.opencloud/idp/server.key - tls: false -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -machine_auth_api_key: "" -asset: - asset: "" - login-background-url: "" -idp: - iss: https://localhost:9200 - identity_manager: ldap - uri_base_path: "" - sign_in_uri: "" - signed_out_uri: "" - authorization_endpoint_uri: "" - ldap_insecure: false - trusted_proxy: [] - allow_scope: [] - allow_client_guests: false - allow_dynamic_client_registration: false - encrypt_secret_file: /Users/t.schweiger/.opencloud/idp/encryption.key - listen: "" - identifierdefaultbannerlogo: "" - default_sign_in_page_text: "" - default_logo_target_uri: https://opencloud.eu - identifierdefaultusernamehinttext: "" - identifieruilocales: [] - signing_kid: private-key - signing_method: PS256 - signing_private_key_files: - - /Users/t.schweiger/.opencloud/idp/private-key.pem - validation_keys_path: "" - cookiebackenduri: "" - cookienames: [] - cookiesamesite: 3 - access_token_duration_seconds: 300 - id_token_duration_seconds: 300 - refresh_token_duration_seconds: 2592000 - dynamic_client_secret_duration_seconds: 0 -clients: -- id: web - name: OpenCloud Web App - trusted: true - secret: "" - redirect_uris: - - '{{OC_URL}}/' - - '{{OC_URL}}/oidc-callback.html' - - '{{OC_URL}}/oidc-silent-redirect.html' - post_logout_redirect_uris: [] - origins: - - '{{OC_URL}}' - application_type: "" -- id: OpenCloudDesktop - name: OpenCloud Desktop Client - trusted: false - secret: "" - redirect_uris: - - http://127.0.0.1 - - http://localhost - post_logout_redirect_uris: [] - origins: [] - 
application_type: native -- id: OpenCloudAndroid - name: OpenCloud Android App - trusted: false - secret: "" - redirect_uris: - - oc://android.opencloud.eu - post_logout_redirect_uris: - - oc://android.opencloud.eu - origins: [] - application_type: native -- id: OpenCloudIOS - name: OpenCloud iOS App - trusted: false - secret: "" - redirect_uris: - - oc://ios.opencloud.eu - post_logout_redirect_uris: - - oc://ios.opencloud.eu - origins: [] - application_type: native -ldap: - uri: ldaps://localhost:9235 - cacert: /Users/t.schweiger/.opencloud/idm/ldap.crt - bind_dn: uid=idp,ou=sysusers,o=libregraph-idm - bind_password: "" - base_dn: ou=users,o=libregraph-idm - scope: sub - login_attribute: uid - email_attribute: mail - name_attribute: displayName - uuid_attribute: openCloudUUID - uuid_attribute_type: text - user_enabled_attribute: openCloudUserEnabled - filter: "" - objectclass: inetOrgPerson diff --git a/static/env-vars/idp_readme.md b/static/env-vars/idp_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/invitations-config-example.yaml b/static/env-vars/invitations-config-example.yaml deleted file mode 100644 index 8aa46fe0..00000000 --- a/static/env-vars/invitations-config-example.yaml +++ /dev/null @@ -1,40 +0,0 @@ -# Autogenerated -# Filename: invitations-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9269 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9265 - root: /graph/v1.0 - cors: - allow_origins: - - https://localhost:9200 - allow_methods: [] - allow_headers: [] - allow_credentials: false - tls: - enabled: false - cert: "" - key: "" -keycloak: - base_path: "" - client_id: "" - client_secret: "" - client_realm: "" - user_realm: "" - insecure_skip_verify: false -token_manager: - jwt_secret: "" 
diff --git a/static/env-vars/invitations_readme.md b/static/env-vars/invitations_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/nats-config-example.yaml b/static/env-vars/nats-config-example.yaml deleted file mode 100644 index 522970d7..00000000 --- a/static/env-vars/nats-config-example.yaml +++ /dev/null @@ -1,27 +0,0 @@ -# Autogenerated -# Filename: nats-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9234 - token: "" - pprof: false - zpages: false -nats: - host: 127.0.0.1 - port: 9233 - clusterid: opencloud-cluster - store_dir: /Users/t.schweiger/.opencloud/nats - tls_cert: /Users/t.schweiger/.opencloud/nats/tls.crt - tls_key: /Users/t.schweiger/.opencloud/nats/tls.key - tls_skip_verify_client_cert: false - enable_tls: false diff --git a/static/env-vars/nats_readme.md b/static/env-vars/nats_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/notifications-config-example.yaml b/static/env-vars/notifications-config-example.yaml deleted file mode 100644 index 352c98a3..00000000 --- a/static/env-vars/notifications-config-example.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -# Autogenerated -# Filename: notifications-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9174 - token: "" - pprof: false - zpages: false -opencloud_url: https://localhost:9200 -notifications: - SMTP: - smtp_host: "" - smtp_port: 0 - smtp_sender: "" - smtp_username: "" - smtp_password: "" - insecure: false - smtp_authentication: "" - smtp_encryption: none - events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" - email_template_path: "" - translation_path: "" - default_language: "" - reva_gateway: eu.opencloud.api.gateway - grpc_client_tls: null -grpc_client_tls: - mode: "" - cacert: "" -service_account: - service_account_id: "" - service_account_secret: "" -store: - store: nats-js-kv - nodes: - - 127.0.0.1:9233 - database: notifications - table: "" - ttl: 336h0m0s - username: "" - password: "" diff --git a/static/env-vars/notifications_readme.md b/static/env-vars/notifications_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/ocdav-config-example.yaml b/static/env-vars/ocdav-config-example.yaml deleted file mode 100644 index 797e9ba6..00000000 --- a/static/env-vars/ocdav-config-example.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ -# Autogenerated -# Filename: ocdav-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9163 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9350 - protocol: tcp - prefix: "" - cors: - allow_origins: - - https://localhost:9200 - allow_methods: - - OPTIONS - - HEAD - - GET - - PUT - - POST - - DELETE - - MKCOL - - PROPFIND - - PROPPATCH - - MOVE - - COPY - - REPORT - - SEARCH - allow_headers: - - Origin - - Accept - - Content-Type - - Depth - - Authorization - - Ocs-Apirequest - - If-None-Match - - If-Match - - Destination - - Overwrite - - X-Request-Id - - X-Requested-With - - Tus-Resumable - - Tus-Checksum-Algorithm - - Upload-Concat - - Upload-Length - - Upload-Metadata - - Upload-Defer-Length - - Upload-Expires - - Upload-Checksum - - Upload-Offset - - X-HTTP-Method-Override - - Cache-Control - allow_credentials: false -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -webdav_namespace: /users/{{.Id.OpaqueId}} -files_namespace: /users/{{.Id.OpaqueId}} -shares_namespace: /Shares -ocm_namespace: /public -public_url: https://localhost:9200 -insecure: false -gateway_request_timeout: 84300 -machine_auth_api_key: "" -allow_propfind_depth_infinity: false diff --git a/static/env-vars/ocdav_readme.md b/static/env-vars/ocdav_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/ocm-config-example.yaml b/static/env-vars/ocm-config-example.yaml deleted file mode 100644 index f0deeb82..00000000 --- a/static/env-vars/ocm-config-example.yaml +++ /dev/null 
@@ -1,116 +0,0 @@ -# Autogenerated -# Filename: ocm-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9281 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9280 - protocol: tcp - prefix: "" - cors: - allow_origins: - - https://localhost:9200 - allow_methods: - - OPTIONS - - HEAD - - GET - - PUT - - POST - - DELETE - - MKCOL - - PROPFIND - - PROPPATCH - - MOVE - - COPY - - REPORT - - SEARCH - allow_headers: - - Origin - - Accept - - Content-Type - - Depth - - Authorization - - Ocs-Apirequest - - If-None-Match - - If-Match - - Destination - - Overwrite - - X-Request-Id - - X-Requested-With - - Tus-Resumable - - Tus-Checksum-Algorithm - - Upload-Concat - - Upload-Length - - Upload-Metadata - - Upload-Defer-Length - - Upload-Expires - - Upload-Checksum - - Upload-Offset - - X-HTTP-Method-Override - - Cache-Control - allow_credentials: false -middleware: - auth: - credentials_by_user_agent: {} -grpc: - addr: 127.0.0.1:9282 - tls: null - protocol: "" -grpc_client_tls: null -service_account: - service_account_id: "" - service_account_secret: "" -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -ocmd: - prefix: ocm - expose_recipient_display_name: false -sciencemesh: - prefix: sciencemesh - science_mesh_directory_url: "" -ocm_invite_manager: - driver: json - drivers: - json: - file: /Users/t.schweiger/.opencloud/storage/ocm/ocminvites.json - token_expiration: 24h0m0s - timeout: 30s - insecure: false -ocm_provider_authorizer_driver: json -ocm_provider_authorizer_drivers: - json: - providers: /Users/t.schweiger/.opencloud/config/ocmproviders.json -ocm_share_provider: - driver: json - drivers: - json: - file: /Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json - insecure: false - webapp_template: "" -ocm_core: - driver: json - drivers: - json: - file: 
/Users/t.schweiger/.opencloud/storage/ocm/ocmshares.json -ocm_storage_provider: - insecure: false - storage_root: /Users/t.schweiger/.opencloud/storage/ocm - data_server_url: http://localhost:9280/data diff --git a/static/env-vars/ocm_readme.md b/static/env-vars/ocm_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/ocs-config-example.yaml b/static/env-vars/ocs-config-example.yaml deleted file mode 100644 index ff512367..00000000 --- a/static/env-vars/ocs-config-example.yaml +++ /dev/null @@ -1,54 +0,0 @@ -# Autogenerated -# Filename: ocs-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9114 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9110 - root: /ocs - cors: - allow_origins: - - '*' - allow_methods: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Cache-Control - allow_credentials: true - tls: - enabled: false - cert: "" - key: "" -grpc_client_tls: null -signing_keys: - store: nats-js-kv - addresses: - - 127.0.0.1:9233 - ttl: 12h0m0s - username: "" - password: "" -token_manager: - jwt_secret: "" diff --git a/static/env-vars/ocs_readme.md b/static/env-vars/ocs_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/policies-config-example.yaml b/static/env-vars/policies-config-example.yaml deleted file mode 100644 index ac0e05f1..00000000 --- a/static/env-vars/policies-config-example.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -# Autogenerated -# Filename: policies-config-example.yaml - -grpc: - addr: 127.0.0.1:9125 - tls: null -debug: - addr: 127.0.0.1:9129 - token: "" - pprof: false - zpages: false -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -grpc_client_tls: null -log: - level: "" - pretty: false - color: false - file: "" -engine: - timeout: 10s - policies: [] - mimes: "" -postprocessing: - query: "" -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" diff --git a/static/env-vars/policies_readme.md b/static/env-vars/policies_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/postprocessing-config-example.yaml b/static/env-vars/postprocessing-config-example.yaml deleted file mode 100644 index cf59105f..00000000 --- a/static/env-vars/postprocessing-config-example.yaml +++ /dev/null @@ -1,43 +0,0 @@ -# Autogenerated -# Filename: postprocessing-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9255 - token: "" - pprof: false - zpages: false -store: - store: nats-js-kv - nodes: - - 127.0.0.1:9233 - database: postprocessing - table: "" - ttl: 0s - username: "" - password: "" -postprocessing: - events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" - max_ack_pending: 10000 - ack_wait: 1m0s - workers: 3 - steps: [] - delayprocessing: 0s - retry_backoff_duration: 5s - max_retries: 14 diff --git a/static/env-vars/postprocessing_readme.md b/static/env-vars/postprocessing_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/proxy-config-example.yaml b/static/env-vars/proxy-config-example.yaml deleted file mode 100644 index 50682b4a..00000000 
--- a/static/env-vars/proxy-config-example.yaml +++ /dev/null 
@@ -1,240 +0,0 @@ -# Autogenerated -# Filename: proxy-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9205 - token: "" - pprof: false - zpages: false -http: - addr: 0.0.0.0:9200 - root: / - tls_cert: /Users/t.schweiger/.opencloud/proxy/server.crt - tls_key: /Users/t.schweiger/.opencloud/proxy/server.key - tls: true -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -grpc_client_tls: null -role_quotas: {} -policies: -- name: default - routes: - - endpoint: / - service: eu.opencloud.web.web - unprotected: true - skip_x_access_token: false - - endpoint: /.well-known/ocm - service: eu.opencloud.web.ocm - unprotected: true - skip_x_access_token: false - - endpoint: /.well-known/webfinger - service: eu.opencloud.web.webfinger - unprotected: true - skip_x_access_token: false - - endpoint: /.well-known/openid-configuration - service: eu.opencloud.web.idp - unprotected: true - skip_x_access_token: false - - endpoint: /branding/logo - service: eu.opencloud.web.web - skip_x_access_token: false - - endpoint: /konnect/ - service: eu.opencloud.web.idp - unprotected: true - skip_x_access_token: false - - endpoint: /signin/ - service: eu.opencloud.web.idp - unprotected: true - skip_x_access_token: false - - endpoint: /archiver - service: eu.opencloud.web.frontend - skip_x_access_token: false - - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications/sse - service: eu.opencloud.sse.sse - skip_x_access_token: false - - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications - service: eu.opencloud.web.userlog - skip_x_access_token: false - - type: regex - endpoint: /ocs/v[12].php/cloud/user/signing-key - service: eu.opencloud.web.ocs - skip_x_access_token: false - - type: regex - endpoint: /ocs/v[12].php/config - service: eu.opencloud.web.frontend - unprotected: true - skip_x_access_token: false - - endpoint: 
/sciencemesh/ - service: eu.opencloud.web.ocm - skip_x_access_token: false - - endpoint: /ocm/ - service: eu.opencloud.web.ocm - skip_x_access_token: false - - endpoint: /ocs/ - service: eu.opencloud.web.frontend - skip_x_access_token: false - - type: query - endpoint: /remote.php/?preview=1 - service: eu.opencloud.web.webdav - skip_x_access_token: false - - type: regex - method: REPORT - endpoint: (/remote.php)?/(web)?dav - service: eu.opencloud.web.webdav - skip_x_access_token: false - - type: query - endpoint: /dav/?preview=1 - service: eu.opencloud.web.webdav - skip_x_access_token: false - - type: query - endpoint: /webdav/?preview=1 - service: eu.opencloud.web.webdav - skip_x_access_token: false - - endpoint: /remote.php/ - service: eu.opencloud.web.ocdav - skip_x_access_token: false - - endpoint: /dav/ - service: eu.opencloud.web.ocdav - skip_x_access_token: false - - endpoint: /webdav/ - service: eu.opencloud.web.ocdav - skip_x_access_token: false - - endpoint: /status - service: eu.opencloud.web.ocdav - unprotected: true - skip_x_access_token: false - - endpoint: /status.php - service: eu.opencloud.web.ocdav - unprotected: true - skip_x_access_token: false - - endpoint: /index.php/ - service: eu.opencloud.web.ocdav - skip_x_access_token: false - - endpoint: /apps/ - service: eu.opencloud.web.ocdav - skip_x_access_token: false - - endpoint: /data - service: eu.opencloud.web.frontend - unprotected: true - skip_x_access_token: false - - endpoint: /app/list - service: eu.opencloud.web.frontend - unprotected: true - skip_x_access_token: false - - endpoint: /app/ - service: eu.opencloud.web.frontend - skip_x_access_token: false - - endpoint: /graph/v1beta1/extensions/org.libregraph/activities - service: eu.opencloud.web.activitylog - skip_x_access_token: false - - endpoint: /graph/v1.0/invitations - service: eu.opencloud.web.invitations - skip_x_access_token: false - - endpoint: /graph/ - service: eu.opencloud.web.graph - skip_x_access_token: false - - endpoint: 
/api/v0/settings - service: eu.opencloud.web.settings - skip_x_access_token: false - - endpoint: /auth-app/tokens - service: eu.opencloud.web.auth-app - skip_x_access_token: false - - endpoint: /wopi - service: eu.opencloud.web.collaboration - unprotected: true - skip_x_access_token: true -additional_policies: [] -oidc: - issuer: https://localhost:9200 - insecure: false - access_token_verify_method: jwt - skip_user_info: false - user_info_cache: - store: memory - addresses: - - 127.0.0.1:9233 - database: cache-userinfo - table: "" - ttl: 10s - disable_persistence: false - username: "" - password: "" - jwks: - refresh_interval: 60 - refresh_timeout: 10 - refresh_limit: 60 - refresh_unknown_kid: true - rewrite_well_known: false -service_account: - service_account_id: "" - service_account_secret: "" -role_assignment: - driver: default - oidc_role_mapper: - role_claim: roles - role_mapping: - - role_name: admin - claim_value: opencloudAdmin - - role_name: spaceadmin - claim_value: opencloudSpaceAdmin - - role_name: user - claim_value: opencloudUser - - role_name: user-light - claim_value: opencloudGuest -policy_selector: - static: - policy: default - claims: null - regex: null -pre_signed_url: - allowed_http_methods: - - GET - enabled: true - signing_keys: - store: nats-js-kv - addresses: - - 127.0.0.1:9233 - ttl: 12h0m0s - disable_persistence: true - username: "" - password: "" -account_backend: cs3 -user_oidc_claim: preferred_username -user_cs3_claim: username -machine_auth_api_key: "" -auto_provision_accounts: false -auto_provision_claims: - username: preferred_username - email: email - display_name: name - groups: groups -enable_basic_auth: false -insecure_backends: false -backend_https_cacert: "" -auth_middleware: - credentials_by_user_agent: {} - allow_app_auth: true -policies_middleware: - query: "" -csp_config_file_location: "" -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: 
false - username: "" - password: "" diff --git a/static/env-vars/proxy_readme.md b/static/env-vars/proxy_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/search-config-example.yaml b/static/env-vars/search-config-example.yaml deleted file mode 100644 index 46427ec0..00000000 --- a/static/env-vars/search-config-example.yaml +++ /dev/null @@ -1,78 +0,0 @@ -# Autogenerated -# Filename: search-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9224 - token: "" - pprof: false - zpages: false -grpc: - disabled: false - addr: 127.0.0.1:9220 - tls: null -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -grpc_client_tls: null -events: - disabled: false - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - async_uploads: true - num_consumers: 1 - debounce_duration: 1000 - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" - max_ack_pending: 1000 - ack_wait: 1m0s -engine: - type: bleve - bleve: - data_path: /Users/t.schweiger/.opencloud/search - open_search: - client: - addresses: [] - username: "" - password: "" - header: {} - ca_cert: [] - retry_on_status: [] - disable_retry: false - enable_retry_on_timeout: false - max_retries: 0 - compress_request_body: false - discover_nodes_on_start: false - discover_nodes_interval: 0s - enable_metrics: false - enable_debug_logger: false - insecure: false - resource_index: - name: opencloud-resource -extractor: - type: basic - cs3_allow_insecure: false - tika: - tika_url: http://127.0.0.1:9998 - clean_stop_words: true -content_extraction_size_limit: 20971520 -batch_size: 500 -service_account: - service_account_id: "" - service_account_secret: "" diff --git a/static/env-vars/search_readme.md b/static/env-vars/search_readme.md old mode 100755 new mode 100644 
diff --git a/static/env-vars/settings-config-example.yaml b/static/env-vars/settings-config-example.yaml deleted file mode 100644 index f4f73338..00000000 --- a/static/env-vars/settings-config-example.yaml +++ /dev/null @@ -1,73 +0,0 @@ -# Autogenerated -# Filename: settings-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9194 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9190 - tls: - enabled: false - cert: "" - key: "" - root: / - cors: - allow_origins: - - '*' - allow_methods: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - allow_credentials: true -grpc: - addr: 127.0.0.1:9191 - tls: null -grpc_client_tls: null -metadata_config: - gateway_addr: eu.opencloud.api.storage-system - storage_addr: eu.opencloud.api.storage-system - system_user_id: "" - system_user_idp: internal - system_user_api_key: "" - cache: - store: memory - addresses: - - 127.0.0.1:9233 - database: settings-cache - files_table: settings_files - directories_table: settings_dirs - ttl: 10m0s - disable_persistence: false - username: "" - password: "" -bundles_path: "" -admin_user_id: "" -token_manager: - jwt_secret: "" -set_default_assignments: false -service_account_ids: -- service-user-id -default_language: "" -translation_path: "" diff --git a/static/env-vars/settings_readme.md b/static/env-vars/settings_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/sharing-config-example.yaml b/static/env-vars/sharing-config-example.yaml deleted file mode 100644 index 09b12312..00000000 --- a/static/env-vars/sharing-config-example.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -# Autogenerated -# Filename: sharing-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9151 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9150 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_cert_path: "" - enable_tls: false - auth_username: "" - auth_password: "" -skip_user_groups_in_token: false -user_sharing_driver: jsoncs3 -user_sharing_drivers: - jsoncs3: - provider_addr: eu.opencloud.api.storage-system - system_user_id: "" - system_user_idp: internal - system_user_api_key: "" - cache_ttl: 0 - max_concurrency: 1 - json: - file: /Users/t.schweiger/.opencloud/storage/shares.json - cs3: - provider_addr: eu.opencloud.api.storage-system - system_user_id: "" - system_user_idp: internal - system_user_api_key: "" - owncloudsql: - db_username: owncloud - db_password: "" - db_host: mysql - db_port: 3306 - db_name: owncloud - user_storage_mount_id: "" -public_sharing_driver: jsoncs3 -public_sharing_drivers: - json: - file: /Users/t.schweiger/.opencloud/storage/publicshares.json - jsoncs3: - provider_addr: eu.opencloud.api.storage-system - system_user_id: "" - system_user_idp: internal - system_user_api_key: "" - cs3: - provider_addr: eu.opencloud.api.storage-system - system_user_id: "" - system_user_idp: internal - system_user_api_key: "" -public_sharing_writeableshare_must_have_password: false -public_sharing_share_must_have_password: true -enable_expired_shares_cleanup: true -password_policy: - min_characters: 8 - min_lowercase_characters: 1 - min_uppercase_characters: 1 - min_digits: 1 - min_special_characters: 1 - banned_passwords_list: "" 
diff --git a/static/env-vars/sse-config-example.yaml b/static/env-vars/sse-config-example.yaml deleted file mode 100644 index 5b884d17..00000000 --- a/static/env-vars/sse-config-example.yaml +++ /dev/null @@ -1,50 +0,0 @@ -# Autogenerated -# Filename: sse-config-example.yaml - -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9139 - token: "" - pprof: false - zpages: false -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -keepalive_interval: 0s -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -http: - addr: 127.0.0.1:9135 - root: / - cors: - allow_origins: - - '*' - allow_methods: - - GET - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Ocs-Apirequest - allow_credentials: true - tls: - enabled: false - cert: "" - key: "" -token_manager: - jwt_secret: "" diff --git a/static/env-vars/sse_readme.md b/static/env-vars/sse_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/storage-publiclink-config-example.yaml b/static/env-vars/storage-publiclink-config-example.yaml deleted file mode 100644 index fb3cf2d4..00000000 --- a/static/env-vars/storage-publiclink-config-example.yaml +++ /dev/null @@ -1,32 +0,0 @@ -# Autogenerated -# Filename: storage-publiclink-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9179 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9178 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -storage_provider: - mount_id: 7993447f-687f-490d-875c-ac95e89a62a4 
diff --git a/static/env-vars/storage-publiclink_readme.md b/static/env-vars/storage-publiclink_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/storage-shares-config-example.yaml b/static/env-vars/storage-shares-config-example.yaml deleted file mode 100644 index 2f19daa8..00000000 --- a/static/env-vars/storage-shares-config-example.yaml +++ /dev/null @@ -1,33 +0,0 @@ -# Autogenerated -# Filename: storage-shares-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9156 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9154 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -mount_id: 7639e57c-4433-4a12-8201-722fd0009154 -readonly: false -user_share_provider_endpoint: eu.opencloud.api.sharing diff --git a/static/env-vars/storage-shares_readme.md b/static/env-vars/storage-shares_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/storage-system-config-example.yaml b/static/env-vars/storage-system-config-example.yaml deleted file mode 100644 index 8bb981c6..00000000 --- a/static/env-vars/storage-system-config-example.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -# Autogenerated -# Filename: storage-system-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9217 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9215 - tls: null - protocol: tcp -http: - addr: 127.0.0.1:9216 - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -system_user_id: "" -system_user_api_key: "" -skip_user_groups_in_token: false -cache: - store: memory - nodes: - - 127.0.0.1:9233 - database: storage-system - ttl: 24m0s - disable_persistence: false - auth_username: "" - auth_password: "" -driver: decomposed -drivers: - decomposed: - root: /Users/t.schweiger/.opencloud/storage/metadata - max_acquire_lock_cycles: 20 - lock_cycle_duration_factor: 30 -data_server_url: http://localhost:9216/data diff --git a/static/env-vars/storage-system_readme.md b/static/env-vars/storage-system_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/storage-users-config-example.yaml b/static/env-vars/storage-users-config-example.yaml deleted file mode 100644 index c3b0e5d5..00000000 --- a/static/env-vars/storage-users-config-example.yaml +++ /dev/null 
@@ -1,204 +0,0 @@ -# Autogenerated -# Filename: storage-users-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9159 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9157 - tls: null - protocol: tcp -http: - addr: 127.0.0.1:9158 - protocol: tcp - prefix: data - cors: - allow_origins: - - https://localhost:9200 - allow_methods: - - POST - - HEAD - - PATCH - - OPTIONS - - GET - - DELETE - allow_headers: - - Authorization - - Origin - - X-Requested-With - - X-Request-Id - - X-HTTP-Method-Override - - Content-Type - - Upload-Length - - Upload-Offset - - Tus-Resumable - - Upload-Metadata - - Upload-Defer-Length - - Upload-Concat - - Upload-Incomplete - - Upload-Draft-Interop-Version - allow_credentials: false - expose_headers: - - Upload-Offset - - Location - - Upload-Length - - Tus-Version - - Tus-Resumable - - Tus-Max-Size - - Tus-Extension - - Upload-Metadata - - Upload-Defer-Length - - Upload-Concat - - Upload-Incomplete - - Upload-Draft-Interop-Version - max_age: 86400 -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -graceful_shutdown_timeout: 30 -driver: posix -drivers: - decomposed: - propagator: sync - async_propagator_options: - propagation_delay: 0s - root: /Users/t.schweiger/.opencloud/storage/users - user_layout: '{{.Id.OpaqueId}}' - permissions_endpoint: eu.opencloud.api.settings - personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' - personalspacepath_template: "" - generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' - generalspacepath_template: "" - share_folder: /Shares - max_acquire_lock_cycles: 20 - lock_cycle_duration_factor: 30 - max_concurrency: 5 - async_uploads: true - max_quota: 0 - disable_versioning: false - decomposeds3: - propagator: sync - 
async_propagator_options: - propagation_delay: 0s - root: /Users/t.schweiger/.opencloud/storage/users - user_layout: '{{.Id.OpaqueId}}' - permissions_endpoint: eu.opencloud.api.settings - region: default - access_key: "" - secret_key: "" - endpoint: "" - bucket: "" - put_object_disable_content_sha254: false - put_object_disable_multipart: false - put_object_send_content_md5: true - put_object_concurrent_stream_parts: false - put_object_num_threads: 4 - put_object_part_size: 0 - personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' - personalspacepath_template: "" - generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' - generalspacepath_template: "" - share_folder: /Shares - max_acquire_lock_cycles: 20 - lock_cycle_duration_factor: 30 - max_concurrency: 5 - async_uploads: true - disable_versioning: false - owncloudsql: - root: /Users/t.schweiger/.opencloud/storage/owncloud - share_folder: /Shares - user_layout: '{{.Username}}' - upload_info_dir: /Users/t.schweiger/.opencloud/storage/uploadinfo - db_username: owncloud - db_password: owncloud - db_host: "" - db_port: 3306 - db_name: owncloud - users_provider_endpoint: eu.opencloud.api.users - posix: - root: /Users/t.schweiger/.opencloud/storage/users - propagator: "" - async_propagator_options: - propagation_delay: 0s - personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' - personalspacepath_template: users/{{.User.Id.OpaqueId}} - generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' - generalspacepath_template: projects/{{.SpaceId}} - permissions_endpoint: eu.opencloud.api.settings - async_uploads: true - scan_debounce_delay: 1s - max_quota: 0 - max_acquire_lock_cycles: 0 - lock_cycle_duration_factor: 0 - max_concurrency: 0 - disable_versioning: false - use_space_groups: false - enable_fs_revisions: false - watch_fs: false - watch_type: "" - watch_path: "" - watch_notification_brokers: "" - watch_root: "" - 
inotify_stats_frequency: 5m0s -data_server_url: http://localhost:9158/data -data_gateway_url: http://localhost:9140/data -transfer_expires: 86400 -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_cert_path: "" - enable_tls: false - num_consumers: 0 - username: "" - password: "" -filemetadata_cache: - store: memory - nodes: - - 127.0.0.1:9233 - database: storage-users - ttl: 24m0s - disable_persistence: false - username: "" - password: "" -id_cache: - store: nats-js-kv - nodes: - - 127.0.0.1:9233 - database: ids-storage-users - ttl: 24m0s - disable_persistence: false - username: "" - password: "" -mount_id: "" -expose_data_server: false -readonly: false -upload_expiration: 86400 -tasks: - purge_trash_bin: - user_id: "" - personal_delete_before: 720h0m0s - project_delete_before: 720h0m0s -service_account: - service_account_id: "" - service_account_secret: "" -gateway_addr: 127.0.0.1:9142 -machine_auth_api_key: "" -max_attempts_rename_file: 0 diff --git a/static/env-vars/storage-users_readme.md b/static/env-vars/storage-users_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/thumbnails-config-example.yaml b/static/env-vars/thumbnails-config-example.yaml deleted file mode 100644 index 9a0d9efa..00000000 --- a/static/env-vars/thumbnails-config-example.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ -# Autogenerated -# Filename: thumbnails-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9189 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9185 - tls: null - max_concurrent_requests: 0 -http: - addr: 127.0.0.1:9186 - tls: - enabled: false - cert: "" - key: "" - root: /thumbnails - cors: - allow_origins: - - '*' - allow_methods: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Cache-Control - allow_credentials: true -grpc_client_tls: null -thumbnail: - resolutions: - - 16x16 - - 32x32 - - 64x64 - - 128x128 - - 1080x1920 - - 1920x1080 - - 2160x3840 - - 3840x2160 - - 4320x7680 - - 7680x4320 - filesystem_storage: - root_directory: /Users/t.schweiger/.opencloud/thumbnails - webdav_allow_insecure: false - cs3_allow_insecure: false - reva_gateway: eu.opencloud.api.gateway - font_map_file: "" - transfer_secret: "" - data_endpoint: http://127.0.0.1:9186/thumbnails/data - max_input_width: 7680 - max_input_height: 7680 - max_input_image_file_size: 50MB diff --git a/static/env-vars/thumbnails_readme.md b/static/env-vars/thumbnails_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/userlog-config-example.yaml b/static/env-vars/userlog-config-example.yaml deleted file mode 100644 index 03c248aa..00000000 --- a/static/env-vars/userlog-config-example.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -# Autogenerated -# Filename: userlog-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9214 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9210 - root: / - cors: - allow_origins: - - '*' - allow_methods: - - GET - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Ocs-Apirequest - allow_credentials: true - tls: - enabled: false - cert: "" - key: "" -grpc_client_tls: null -token_manager: - jwt_secret: "" -reva_gateway: eu.opencloud.api.gateway -translation_path: "" -default_language: "" -events: - endpoint: 127.0.0.1:9233 - cluster: opencloud-cluster - tls_insecure: false - tls_root_ca_certificate: "" - enable_tls: false - username: "" - password: "" -max_concurrency: 1 -persistence: - store: memory - nodes: [] - database: userlog - table: events - ttl: 336h0m0s - username: "" - password: "" -disable_sse: false -global_notifications_secret: "" -service_account: - service_account_id: "" - service_account_secret: "" diff --git a/static/env-vars/userlog_readme.md b/static/env-vars/userlog_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/users-config-example.yaml b/static/env-vars/users-config-example.yaml deleted file mode 100644 index fbf83ed8..00000000 --- a/static/env-vars/users-config-example.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -# Autogenerated -# Filename: users-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9145 - token: "" - pprof: false - zpages: false -grpc: - addr: 127.0.0.1:9144 - tls: null - protocol: tcp -token_manager: - jwt_secret: "" -reva: - address: eu.opencloud.api.gateway - tls: - mode: "" - cacert: "" -skip_user_groups_in_token: false -driver: ldap -drivers: - ldap: - uri: ldaps://localhost:9235 - ca_cert: /Users/t.schweiger/.opencloud/idm/ldap.crt - insecure: false - bind_dn: uid=reva,ou=sysusers,o=libregraph-idm - bind_password: "" - user_base_dn: ou=users,o=libregraph-idm - group_base_dn: ou=groups,o=libregraph-idm - user_scope: sub - group_scope: sub - user_substring_filter_type: any - user_filter: "" - group_filter: "" - user_object_class: inetOrgPerson - group_object_class: groupOfNames - idp: https://localhost:9200 - disable_user_mechanism: attribute - user_type_attribute: openCloudUserType - ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm - user_schema: - id: openclouduuid - tenant_id: "" - id_is_octet_string: false - mail: mail - display_name: displayname - user_name: uid - user_enabled: openclouduserenabled - group_schema: - id: openclouduuid - id_is_octet_string: false - mail: mail - display_name: cn - group_name: cn - member: member - owncloudsql: - db_username: owncloud - db_password: secret - db_host: mysql - db_port: 3306 - db_name: owncloud - idp: https://localhost:9200 - nobody: 90 - join_username: false - join_owncloud_uuid: false - enable_medial_search: false diff --git a/static/env-vars/users_readme.md b/static/env-vars/users_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/web-config-example.yaml b/static/env-vars/web-config-example.yaml deleted file mode 100644 index fd1eb5a5..00000000 --- a/static/env-vars/web-config-example.yaml +++ /dev/null 
@@ -1,131 +0,0 @@ -# Autogenerated -# Filename: web-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9104 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9100 - tls: - enabled: false - cert: "" - key: "" - root: / - cache_ttl: 604800 - cors: - allow_origins: - - https://localhost:9200 - allow_methods: - - OPTIONS - - HEAD - - GET - - PUT - - PATCH - - POST - - DELETE - - MKCOL - - PROPFIND - - PROPPATCH - - MOVE - - COPY - - REPORT - - SEARCH - allow_headers: - - Origin - - Accept - - Content-Type - - Depth - - Authorization - - Ocs-Apirequest - - If-None-Match - - If-Match - - Destination - - Overwrite - - X-Request-Id - - X-Requested-With - - Tus-Resumable - - Tus-Checksum-Algorithm - - Upload-Concat - - Upload-Length - - Upload-Metadata - - Upload-Defer-Length - - Upload-Expires - - Upload-Checksum - - Upload-Offset - - X-HTTP-Method-Override - allow_credentials: false -asset: - core_path: /Users/t.schweiger/.opencloud/web/assets/core - themes_path: /Users/t.schweiger/.opencloud/web/assets/themes - apps_path: /Users/t.schweiger/.opencloud/web/assets/apps -file: "" -web: - theme_server: https://localhost:9200 - theme_path: /themes/opencloud/theme.json - config: - server: https://localhost:9200 - oidc: - metadata_url: https://localhost:9200/.well-known/openid-configuration - authority: https://localhost:9200 - client_id: web - response_type: code - scope: openid profile email - post_logout_redirect_uri: "" - apps: - - files - - search - - text-editor - - pdf-viewer - - external - - admin-settings - - epub-reader - - preview - - app-store - applications: [] - external_apps: [] - options: - accountEditLink: null - disableFeedbackLink: false - feedbackLink: null - runningOnEos: false - cernFeatures: false - upload: null - editor: null - contextHelpersReadMore: true - logoutUrl: "" - loginUrl: "" - tokenStorageLocal: true 
- disabledExtensions: [] - embed: - enabled: "" - target: "" - messagesOrigin: "" - delegateAuthentication: false - delegateAuthenticationOrigin: "" - userListRequiresFilter: false - concurrentRequests: - resourceBatchActions: 0 - sse: 0 - shares: - create: 0 - list: 0 - defaultAppId: "" - styles: [] - scripts: [] - custom_translations: [] -apps: {} -token_manager: - jwt_secret: "" -gateway_addr: eu.opencloud.api.gateway diff --git a/static/env-vars/web_readme.md b/static/env-vars/web_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/webdav-config-example.yaml b/static/env-vars/webdav-config-example.yaml deleted file mode 100644 index 14900fa7..00000000 --- a/static/env-vars/webdav-config-example.yaml +++ /dev/null @@ -1,51 +0,0 @@ -# Autogenerated -# Filename: webdav-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9119 - token: "" - pprof: false - zpages: false -grpc_client_tls: null -http: - addr: 127.0.0.1:9115 - root: / - cors: - allow_origins: - - '*' - allow_methods: - - GET - - POST - - PUT - - PATCH - - DELETE - - OPTIONS - allow_headers: - - Authorization - - Origin - - Content-Type - - Accept - - X-Requested-With - - X-Request-Id - - Cache-Control - allow_credentials: true - tls: - enabled: false - cert: "" - key: "" -disablePreviews: false -opencloud_public_url: https://localhost:9200 -webdav_namespace: /users/{{.Id.OpaqueId}} -reva_gateway: eu.opencloud.api.gateway -reva_gateway_tls_mode: "" -reva_gateway_tls_cacert: "" diff --git a/static/env-vars/webdav_readme.md b/static/env-vars/webdav_readme.md old mode 100755 new mode 100644 diff --git a/static/env-vars/webfinger-config-example.yaml b/static/env-vars/webfinger-config-example.yaml deleted file mode 100644 index 4c59864a..00000000 --- a/static/env-vars/webfinger-config-example.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ -# Autogenerated -# Filename: webfinger-config-example.yaml - -tracing: - enabled: false - type: "" - endpoint: "" - collector: "" -log: - level: "" - pretty: false - color: false - file: "" -debug: - addr: 127.0.0.1:9279 - token: "" - pprof: false - zpages: false -http: - addr: 127.0.0.1:9275 - root: / - cors: - allow_origins: - - https://localhost:9200 - allow_methods: [] - allow_headers: [] - allow_credentials: false - tls: - enabled: false - cert: "" - key: "" -instances: -- claim: sub - regex: .+ - href: '{{.OC_URL}}' - titles: - en: OpenCloud Instance - break: false -relations: -- http://openid.net/specs/connect/1.0/issuer -- http://webfinger.opencloud/rel/server-instance -idp: https://localhost:9200 -opencloud_url: https://localhost:9200 -insecure: false diff --git a/static/env-vars/webfinger_readme.md b/static/env-vars/webfinger_readme.md old mode 100755 new mode 100644