development_gdp.env

# IMPORTANT: this is a sample env file with the setup used for the default simple
#            docker build. To adjust the build settings you can copy it to ./.env and
#            make your desired changes before running
#            make init && make build

# This can be used to specify custom upstream registries
# from where to pull/push the docker-migrid stack images
CONTAINER_REGISTRY=${CONTAINER_REGISTRY:-docker.io}

# Optionally use DOCKER_MIGRID_ROOT to point to another root location than PWD,
# which might be useful e.g. when automating deployment with ansible.
# IMPORTANT: with docker on centos7 RO-mounts may fail unless we use an abs path
DOCKER_MIGRID_ROOT=.

# Helper storage locations as subdirs in DOCKER_MIGRID_ROOT by default
# On real production sites you probably want to store them elsewhere on
# scalable storage.
LOG_ROOT=${DOCKER_MIGRID_ROOT}/sitelogs
PERSISTENT_ROOT=${DOCKER_MIGRID_ROOT}/sitedata
VOLATILE_ROOT=${DOCKER_MIGRID_ROOT}/sitetmp

# Set to override container user and group IDs
#UID=1000
#GID=1000
#USER=mig

# The domain in which the instance should be accessible
DOMAIN=gdp.test
WILDCARD_DOMAIN=*.gdp.test
PUBLIC_DOMAIN=www.gdp.test
PUBLIC_ALIAS_DOMAIN=
MIGCERT_DOMAIN=
EXTCERT_DOMAIN=
MIGOID_DOMAIN=ext.gdp.test
EXTOID_DOMAIN=
EXTOIDC_DOMAIN=
SID_DOMAIN=sid.gdp.test
IO_DOMAIN=io.gdp.test
OPENID_DOMAIN=openid.gdp.test
FTPS_DOMAIN=ftps.gdp.test
SFTP_DOMAIN=sftp.gdp.test
WEBDAVS_DOMAIN=webdavs.gdp.test
MIG_OID_PROVIDER=https://ext.gdp.test/openid/
EXT_OID_PROVIDER=unset
EXT_OIDC_PROVIDER_META_URL=unset
EXT_OIDC_CLIENT_NAME=unset
EXT_OIDC_CLIENT_ID=unset
EXT_OIDC_SCOPE="profile email"
EXT_OIDC_REMOTE_USER_CLAIM=sub
# Uncomment to enable workaround for OpenID Connect sign up with accented chars
#EXT_OIDC_PASS_CLAIM_AS="both latin1"
PUBLIC_HTTP_PORT=80
PUBLIC_HTTPS_PORT=444
MIGCERT_HTTPS_PORT=446
EXTCERT_HTTPS_PORT=447
MIGOID_HTTPS_PORT=443
EXTOID_HTTPS_PORT=445
EXTOIDC_HTTPS_PORT=449
SID_HTTPS_PORT=448
SFTP_PORT=2222
SFTP_SUBSYS_PORT=22222
SFTP_SHOW_PORT=2222
DAVS_PORT=4443
DAVS_SHOW_PORT=4443
OPENID_PORT=8443
OPENID_SHOW_PORT=443
FTPS_CTRL_PORT=8021
FTPS_CTRL_SHOW_PORT=21
FTPS_PASV_PORTS="8100:8399"

# Various helpers
ADMIN_EMAIL="GDP Info <mig@gdp.test>"
ADMIN_LIST=
SMTP_SENDER=
SMTP_SERVER=mail.gdp.test
SMTP_LISTEN_PORT=2525
LOG_LEVEL=info
TITLE="General Data Protection"
SHORT_TITLE="GDP"
MIG_OID_TITLE="GDP"
EXT_OID_TITLE="External"
PEERS_PERMIT="distinguished_name:.*"
VGRID_CREATORS="distinguished_name:.*"
VGRID_MANAGERS="distinguished_name:.*"

# Which site setup flavor to emulate regarding skin, etc.
# {migrid, idmc, erda, sif}
EMULATE_FLAVOR=sif
# and the corresponding FQDN used e.g. in that flavor index-FQDN.html
EMULATE_FQDN=test-sif.erda.dk
SKIN_SUFFIX=ucph-science

# Site settings
ENABLE_OPENID=True
ENABLE_SFTP=True
ENABLE_SFTP_SUBSYS=False
ENABLE_DAVS=True
ENABLE_FTPS=False
ENABLE_SHARELINKS=False
ENABLE_TRANSFERS=False
ENABLE_DUPLICATI=False
ENABLE_SEAFILE=False
SEAFILE_FQDN=
SEAFILE_RO_ACCESS=False
ENABLE_SANDBOXES=False
ENABLE_VMACHINES=False
ENABLE_CRONTAB=False
ENABLE_JOBS=False
ENABLE_RESOURCES=False
ENABLE_EVENTS=False
ENABLE_GRAVATARS=False
ENABLE_SITESTATUS=True
STATUS_SYSTEM_MATCH=ANY
ENABLE_FREEZE=False
ENABLE_CRACKLIB=True
ENABLE_IMNOTIFY=False
ENABLE_NOTIFY=True
ENABLE_PREVIEW=False
ENABLE_WORKFLOWS=False
ENABLE_VERIFY_CERTS=True
ENABLE_JUPYTER=False
ENABLE_CLOUD=False
ENABLE_TWOFACTOR=True
ENABLE_TWOFACTOR_STRICT_ADDRESS=False
# MFA apps to link to on 2-Factor Auth Setup page
TWOFACTOR_AUTH_APPS="google freeotp microsoft yubico"
ENABLE_PEERS=True
# NOTE: one should adjust any test user credentials with this policy
MIG_PASSWORD_POLICY="MEDIUM"
ENABLE_LOGROTATE=False
LOGROTATE_MIGRID=False
PEERS_MANDATORY=False
PEERS_EXPLICIT_FIELDS=""
PEERS_CONTACT_HINT="authorized to invite you as peer"
ENABLE_MIGADMIN=False
ENABLE_GDP=True
GDP_EMAIL_NOTIFY=True
#GDP_ID_SCRAMBLE=safe_hash
#GDP_PATH_SCRAMBLE=safe_encrypt
STORAGE_PROTOCOLS=AUTO
WWWSERVE_MAX_BYTES=-1
# NOTE: one could consider this option to mig.shared.configuration and use in mig.shared.url.urlopen
# https://www.tutorialexample.com/best-practice-to-urllib-request-ignore-ssl-verification-in-python-3-x-py
# but using self-signed certs is already a bad hack.
ENABLE_SELF_SIGNED_CERTS=True
UPGRADE_MOD_AUTH_OPENIDC=False
UPGRADE_PARAMIKO=False
PUBKEY_FROM_DNS=False
# NOTE: stay with wsgidav-1.3 for python2 to avoid CVE-2022-41905, we already get 4.3+ for python3
MODERN_WSGIDAV=False
# NOTE: whether to use python3 as default - requires WITH_PY3 to be enabled
# IMPORTANT: currently requires the git 'next' branch to work
# NOTE: leave the choice of default python to the Dockerfile default here
#PREFER_PYTHON3=False

SIGNUP_METHODS="migoid"
LOGIN_METHODS="migoid"
# GDP sites only support V2 so far
USER_INTERFACES=V2
AUTO_ADD_CERT_USER=False
AUTO_ADD_OID_USER=False
AUTO_ADD_OIDC_USER=False
AUTO_ADD_FILTER_FIELDS=full_name
AUTO_ADD_FILTER_METHOD=skip
# IMPORTANT: always filter here unless you trust ALL users your IDPs can authenticate.
#            E.g. if you enable international IDPs like WAYF, and you won't allow ANY
#            user who can authenticate there to simply sign up here.
AUTO_ADD_USER_PERMIT="distinguished_name:.*"
CERT_VALID_DAYS=365
OID_VALID_DAYS=365
GENERIC_VALID_DAYS=365
OPENSSH_VERSION=7.4
VGRID_LABEL=Project
# Menu options override default and available extra Apps on personal Home page
DEFAULT_MENU="files setup close logout"
#USER_MENU=
# Use persistent salt for storing various sensitive data
# NOTE: the two files can be manually created in ./state/secrets/ using initial
#       corresponding generated X_salt values from mig/server/MiGserver.conf
#DIGEST_SALT="FILE::/home/mig/state/secrets/digest-salt.hex"
#CRYPTO_SALT="FILE::/home/mig/state/secrets/crypto-salt.hex"
# Site-specific javascript and stylesheets to inject on user pages
EXTRA_USERPAGE_SCRIPTS=""
EXTRA_USERPAGE_STYLES=""

# The containers can take advantage of a fast shared scratch space e.g. in
# memory for caching various internal state helpers. If not set local disk will
# be used by default.
# NOTE: a shared mig_system_run scratch space on tmpfs can be made with
#       something like:                                                                             
# tmpfs   /storage/tmpfs/mig_system_run  tmpfs   nosuid,nodev,noatime,noexec,uid=1000,gid=1000,mode=0770,size=128m   0 0
# in /etc/fstab. Manual mount can be done with:                                                     
# sudo mount /storage/tmpfs/mig_system_run
# NOTE: toggle commenting on  next two lines if you have such a tmpfs set up in the given path
#MIG_SYSTEM_RUN=/storage/tmpfs/mig_system_run
MIG_SYSTEM_RUN=${DOCKER_MIGRID_ROOT}/state/mig_system_run
# The apache auth openid module performs and scales better if the associated
# internal openid store directory runs from fast storage. It's a volatile data
# store, which allows more concurrent OpenID 2.0 clients if it e.g. uses tmpfs.
# If you have migoid or extoid in LOGIN_METHODS you likely want to look into
# that. The instructions for mig_system_run can be mostly reused in that case.
# Otherwise you can safely ignore the OPENID_STORE setting.
# NOTE: toggle commenting on next two lines if you have such a tmpfs set up in the given path
#OPENID_STORE=/storage/tmpfs/openid_store
OPENID_STORE=${DOCKER_MIGRID_ROOT}/state/openid_store
# We need a read-only bind mounted version of the vgrid_files_writable
# directory and the underlying location can be configured here.
VGRID_FILES_WRITABLE=${DOCKER_MIGRID_ROOT}/state/vgrid_files_writable

# Which svn repo and version of migrid should be used
#MIG_SVN_REPO=https://svn.code.sf.net/p/migrid/code/trunk
#MIG_SVN_REV=HEAD

# Which git repo and version of migrid should be used
MIG_GIT_REPO=https://github.com/ucphhpc/migrid-sync.git
# NOTE: use 'git main' here for tried and tested python2 version
# NOTE: use 'git next' here for future python3 version
# NOTE: leave the branch decision to the Dockerfile default here
#MIG_GIT_BRANCH=main
#MIG_GIT_REV=b499bf33c8dd2a5d3433b39c7750d02912dd40bd
#MIG_GIT_BRANCH=next
#MIG_GIT_REV=9495e1dcbc7b698381d7ed133e7d302891c6bb60
#MIG_GIT_REV=HEAD
# NOTE: when leaving the branch commented above we need to manually set one here
#CONTAINER_TAG=:${MIG_GIT_BRANCH}
CONTAINER_TAG=":latest"

# Toggle Python3 support in the containers.
# NOTE: on platforms where python2 is the default python this option in itself
#       will not switch it on. Use PREFER_PYTHON3 as well to do that.
# NOTE: leave the python3 inclusion to the Dockerfile default here
#WITH_PY3=True

# Toggle git support - effectively switches from SVN to GIT options above
WITH_GIT=True

# Which timezone should the service use
TZ=Europe/Copenhagen

# Uncomment if you already run an SMTP server on the host to use for mail
#SMTP_SERVER=localhost
#SMTP_PORT=25

# The URL of the optional designated jupyter services
# The url is prefixed by the name of the service itself
JUPYTER_SERVICES="DAG.https://dag.test"

# The description associated with each jupyter service
# The key is the name of the service it describes
JUPYTER_SERVICES_DESC="{'DAG': '/home/mig/state/wwwpublic/dag_desc.html'}"

# The URL of the optional designated cloud services
# The url is prefixed by the name of the service itself
CLOUD_SERVICES="MIST.https://mist.test"

# The description associated with each cloud service
# The key is the name of the service it describes
CLOUD_SERVICES_DESC="{'MIST': '/home/mig/state/wwwpublic/mist_desc.html'}"

# User that is created inside migrid for testing purposes
# Must be explicitly used in docker-compose.yml
MIG_TEST_USER=test@external.domain
MIG_TEST_USER_PASSWORD=LongTestPw0rd