advanced_migrid.org_full.env

# IMPORTANT: this is a sample env file with the setup used for the default simple
#            docker build. To adjust the build settings you can copy it to ./.env and
#            make your desired changes before running
#            make init && make build

# This can be used to specify custom upstream registries
# from where to pull/push the docker-migrid stack images
CONTAINER_REGISTRY=${CONTAINER_REGISTRY:-docker.io}

# Optionally use DOCKER_MIGRID_ROOT to point to another root location than PWD,
# which might be useful e.g. when automating deployment with ansible.
# IMPORTANT: with docker on centos7 at least our readonly mounts fail unless we use abs path!
DOCKER_MIGRID_ROOT=.

# Set to override container user and group IDs
UID=1002
GID=1002
USER=mig

# The domain in which the instance should be accessible
DOMAIN=migrid.org
WILDCARD_DOMAIN=*.migrid.org
PUBLIC_DOMAIN=dk-www.migrid.org
MIGCERT_DOMAIN=dk-cert.migrid.org
EXTCERT_DOMAIN=
MIGOID_DOMAIN=dk-ext.migrid.org
EXTOID_DOMAIN=dk-oid.migrid.org
# NOTE: uncoment next domain for testing external OpenID Connect provider
EXTOIDC_DOMAIN=
SID_DOMAIN=dk-sid.migrid.org
IO_DOMAIN=dk-io.migrid.org
OPENID_DOMAIN=dk-ext.migrid.org
FTPS_DOMAIN=dk-io.migrid.org
SFTP_DOMAIN=dk-io.migrid.org
WEBDAVS_DOMAIN=dk-io.migrid.org
MIG_OID_PROVIDER=https://dk-ext.migrid.org/openid/
EXT_OID_PROVIDER=https://openid.ku.dk/
#EXT_OIDC_PROVIDER_META_URL=INSERT-WAYF-KEY-SETUP
#EXT_OIDC_CLIENT_NAME=INSERT-WAYF-KEY-SETUP
#EXT_OIDC_CLIENT_ID=INSERT-WAYF-KEY-SETUP
#EXT_OIDC_SCOPE=INSERT-WAYF-KEY-SETUP
#EXT_OIDC_REMOTE_USER_CLAIM=sub
# Uncomment to enable workaround for OpenID Connect sign up with accented chars
#EXT_OIDC_PASS_CLAIM_AS="both latin1"
EXT_OIDC_PASS_CLAIM_AS="both"
PUBLIC_HTTP_PORT=80
PUBLIC_HTTPS_PORT=443
MIGCERT_HTTPS_PORT=443
EXTCERT_HTTPS_PORT=443
MIGOID_HTTPS_PORT=443
EXTOID_HTTPS_PORT=443
EXTOIDC_HTTPS_PORT=443
SID_HTTPS_PORT=443
SFTP_PORT=2222
SFTP_SUBSYS_PORT=22222
SFTP_SHOW_PORT=22
DAVS_PORT=4443
DAVS_SHOW_PORT=443
OPENID_PORT=8443
OPENID_SHOW_PORT=443
FTPS_CTRL_PORT=8021
FTPS_CTRL_SHOW_PORT=21
FTPS_PASSIVE_PORTS=8100-8399

# Various helpers
ADMIN_EMAIL="MiG Info <info@migrid.org>"
SUPPORT_EMAIL="MiG Support <support@migrid.org>"
ADMIN_LIST="/C=DK/ST=NA/L=NA/O=FAKSEK/OU=NA/CN=Jonas Bardino/emailAddress=bardino@science.ku.dk,/C=DK/ST=NA/L=NA/O=NBI/OU=NA/CN=Jonas Bardino/emailAddress=bardino@nbi.ku.dk,/C=DK/ST=NA/L=NA/O=NBI/OU=NA/CN=Martin Rehr/emailAddress=rehr@nbi.ku.dk,/C=DK/ST=NA/L=NA/O=KU/OU=NA/CN=Rasmus Munk/emailAddress=wlp630@alumni.ku.dk"
SMTP_SENDER="Do Not Reply <no-reply@migrid.org>"
LOG_LEVEL=info
TITLE="Minimum intrusion Grid"
SHORT_TITLE="MiG"
MIG_OID_TITLE="Non-KU/UCPH"
EXT_OID_TITLE="KU/UCPH"
PEERS_PERMIT="role:.*(vip|tap)"
VGRID_CREATORS="role:.*(vip|tap)"
VGRID_MANAGERS="distinguished_name:.*"

# Which site setup flavor to emulate regarding skin, etc.
# {migrid, idmc, erda, sif}
EMULATE_FLAVOR=migrid
# and the corresponding FQDN used e.g. in that flavor index-FQDN.html
#EMULATE_FQDN=migrid.org
# TODO: Make support for empty EMULATE_FQDN
EMULATE_FQDN=migrid.org
SKIN_SUFFIX=basic
#SKIN_SUFFIX=ucph-science

# Site settings
ENABLE_OPENID=True
ENABLE_SFTP=False
ENABLE_SFTP_SUBSYS=True
ENABLE_DAVS=True
ENABLE_FTPS=True
ENABLE_SHARELINKS=True
ENABLE_TRANSFERS=True
ENABLE_DUPLICATI=True
ENABLE_SEAFILE=False
SEAFILE_FQDN=
SEAFILE_RO_ACCESS=False
ENABLE_SANDBOXES=True
ENABLE_VMACHINES=True
ENABLE_CRONTAB=True
ENABLE_JOBS=True
ENABLE_RESOURCES=True
ENABLE_EVENTS=True
ENABLE_GRAVATARS=True
ENABLE_SITESTATUS=True
STATUS_SYSTEM_MATCH="MiGrid ALL"
ENABLE_FREEZE=False
ENABLE_CRACKLIB=True
ENABLE_IMNOTIFY=True
ENABLE_NOTIFY=True
ENABLE_PREVIEW=False
ENABLE_WORKFLOWS=True
ENABLE_VERIFY_CERTS=True
ENABLE_JUPYTER=False
ENABLE_CLOUD=False
ENABLE_TWOFACTOR=True
ENABLE_TWOFACTOR_STRICT_ADDRESS=False
# MFA apps to link to on 2-Factor Auth Setup page
TWOFACTOR_AUTH_APPS="google freeotp yubico bitwarden"
ENABLE_PEERS=True
MIG_PASSWORD_POLICY="MODERN:12"
ENABLE_LOGROTATE=True
LOGROTATE_MIGRID=True
PEERS_MANDATORY=True
PEERS_EXPLICIT_FIELDS="full_name email"
PEERS_CONTACT_HINT="employed at UCPH and authorized to invite you as peer"
ENABLE_MIGADMIN=True
ENABLE_GDP=False
GDP_EMAIL_NOTIFY=False
# NOTE: one could consider this option to mig.shared.configuration and use in mig.shared.url.urlopen
# https://www.tutorialexample.com/best-practice-to-urllib-request-ignore-ssl-verification-in-python-3-x-py
# but using self-signed certs is already a bad hack.
ENABLE_SELF_SIGNED_CERTS=False
BUILD_MOD_AUTH_OPENID=True
UPGRADE_MOD_AUTH_OPENIDC=True
# Rocky9 paramiko is already recent
UPGRADE_PARAMIKO=False
PUBKEY_FROM_DNS=True
# NOTE: stay with wsgidav-1.3 for python2 to avoid CVE-2022-41905, we already get 4.3+ for python3
MODERN_WSGIDAV=False
# NOTE: whether to use python3 as default - requires WITH_PY3 to be enabled
# IMPORTANT: currently requires the git 'experimental' branch to work
# NOTE: leave the choice of default python to the Dockerfile default here
#PREFER_PYTHON3=False

SIGNUP_METHODS="migoid extoid migcert"
LOGIN_METHODS="migoid extoid migcert extoidc"
USER_INTERFACES=V3
AUTO_ADD_CERT_USER=True
AUTO_ADD_OID_USER=True
AUTO_ADD_OIDC_USER=False
AUTO_ADD_FILTER_FIELDS=full_name
AUTO_ADD_FILTER_METHOD=skip
# IMPORTANT: always filter here unless you trust ALL users your IDPs can authenticate.
#            E.g. if you enable international IDPs like WAYF, and you won't allow ANY
#            user who can authenticate there to simply sign up here.
AUTO_ADD_USER_PERMIT="distinguished_name:.+@([a-z0-9]+\.|)ku\.dk$"
CERT_VALID_DAYS=365
OID_VALID_DAYS=365
GENERIC_VALID_DAYS=365
OPENSSH_VERSION=7.4
VGRID_LABEL=VGrid
# Menu options override default and available extra Apps on personal Home page
DEFAULT_MENU="home files submitjob jobs vgrids settings setup logout"
USER_MENU="sharelinks crontab transfers people downloads peers resources docs migadmin"
# Use persistent salt for storing various sensitive data
# NOTE: the two files were manually created in ./state/secrets/ using initial
#       corresponding generated X_salt values from mig/server/MiGserver.conf
DIGEST_SALT="FILE::/home/mig/state/secrets/digest_salt.hex"
CRYPTO_SALT="FILE::/home/mig/state/secrets/crypto_salt.hex"
# Site-specific javascript and stylesheets to inject on user pages
EXTRA_USERPAGE_SCRIPTS=""
EXTRA_USERPAGE_STYLES=""

# The containers can take advantage of a fast shared scratch space e.g. in
# memory for caching various internal state helpers. If not set local disk will
# be used by default.
# NOTE: a shared mig_system_run scratch space on tmpfs can be made with
#       something like:                                                                             
# tmpfs   /storage/tmpfs/mig_system_run  tmpfs   nosuid,nodev,noatime,noexec,uid=1000,gid=1000,mode=0770,size=128m   0 0
# in /etc/fstab. Manual mount can be done with:                                                     
# sudo mount /storage/tmpfs/mig_system_run
# NOTE: toggle commenting on  next two lines if you have such a tmpfs set up in the given path
MIG_SYSTEM_RUN=/storage/tmpfs/mig_system_run
#MIG_SYSTEM_RUN=${DOCKER_MIGRID_ROOT}/state/mig_system_run
# The apache auth openid module performs and scales better if the associated
# internal openid store directory runs from fast storage. It's a volatile data
# store, which allows more concurrent OpenID 2.0 clients if it e.g. uses tmpfs.
# If you have migoid or extoid in LOGIN_METHODS you likely want to look into
# that. The instructions for mig_system_run can be mostly reused in that case.
# Otherwise you can safely ignore the OPENID_STORE setting.
# NOTE: toggle commenting on next two lines if you have such a tmpfs set up in the given path
OPENID_STORE=/storage/tmpfs/openid_store
#OPENID_STORE=${DOCKER_MIGRID_ROOT}/state/openid_store
# We need a read-only bind mounted version of the vgrid_files_writable
# directory and the underlying location can be configured here.
VGRID_FILES_WRITABLE=${DOCKER_MIGRID_ROOT}/state/vgrid_files_writable

# Which svn repo and version of migrid should be used
#MIG_SVN_REPO=https://svn.code.sf.net/p/migrid/code/trunk
#MIG_SVN_REV=HEAD

# Which git repo and version of migrid should be used
MIG_GIT_REPO=https://github.com/ucphhpc/migrid-sync.git
# NOTE: use 'git edge' here for tried and tested python2 version
# NOTE: use 'git experimental' here for future python3 version
# NOTE: leave the branch decision to the Dockerfile default here
#MIG_GIT_BRANCH=edge
#MIG_GIT_REV=97626ff1d7bbf37c96ee67c53b60bc1520cb7915
#MIG_GIT_BRANCH=experimental
#MIG_GIT_REV=60237fa3e1c2fb2930d86d8d459dc070d311a796
#MIG_GIT_REV=HEAD
# NOTE: when leaving the branch commented above we need to do the same here
#CONTAINER_TAG=:${MIG_GIT_BRANCH}
CONTAINER_TAG=

# Toggle Python3 support in the containers.
# NOTE: on platforms where python2 is the default python this option in itself
#       will not switch it on. Use PREFER_PYTHON3 as well to do that.
# NOTE: leave the python3 inclusion to the Dockerfile default here
#WITH_PY3=True

# Toggle git support - effectively switches from SVN to GIT options above
WITH_GIT=True

# Which timezone should the service use
TZ=Europe/Copenhagen

# We already run an SMTP server on the host
SMTP_SERVER=localhost

# The URL of the of designated jupyter services
# The url is prefixed by the name of the service itself
JUPYTER_SERVICES=

# The description associated with each jupyter service
# The key is the name of the service it describes
JUPYTER_SERVICES_DESC=

# Lustre quota settings
# NOTE: lustre >=2.15.4 is required for quota support
# supported backends: 'lustre' and 'lustre-gocryptfs'
QUOTA_BACKEND=""
#QUOTA_USER_LIMIT=1099511627776
#QUOTA_VGRID_LIMIT=1099511627776
#QUOTA_LUSTRE_VERSION=2.15.4
#QUOTA_LUSTRE_BASE="/dev/null"
#QUOTA_GOCRYPTFS_XRAY="/dev/null"
#QUOTA_GOCRYPTFS_SOCK="/dev/null"