# ============================================================================= # OxiCloud Environment Configuration # ============================================================================= # Copy this file to .env and modify as needed for your deployment. # cp example.env .env # # All variables have sensible defaults. Only override what you need. # ============================================================================= # ----------------------------------------------------------------------------- # SERVER CONFIGURATION # ----------------------------------------------------------------------------- # Root directory for file storage (default: ./storage) OXICLOUD_STORAGE_PATH=./storage # Path to static files directory (default: ./static) OXICLOUD_STATIC_PATH=./static # Server port (default: 8086) OXICLOUD_SERVER_PORT=8086 # Server bind address (default: 127.0.0.1) # Use 0.0.0.0 to bind to all interfaces in Docker # IPv6 format allowed, either ::1 or [::1] OXICLOUD_SERVER_HOST=127.0.0.1 # Public base URL for generating share links and external URLs # If not set, defaults to http://{OXICLOUD_SERVER_HOST}:{OXICLOUD_SERVER_PORT} # Authentication fails if this is not set and you access the host remotely via a domain # Example: https://cloud.example.com #OXICLOUD_BASE_URL=https://cloud.example.com # ── Upload size caps ────────────────────────────────────────────────── # See docs/config/storage-fine-tuning.md for sizing guidance. # Whole-file size ceiling. Applies to BOTH direct PUTs (per-request body) # and chunked uploads (declared `total_size` at session creation — checked # upfront so oversized requests never accumulate chunks on disk). # Default: 10 GB on 64-bit, 1 GB on 32-bit. #OXICLOUD_MAX_UPLOAD_SIZE=10737418240 # Per-request cap for non-chunked PUT bodies (`POST /api/files/upload`, # `PUT /webdav/...`, `PUT /remote.php/dav/files/...`). Set below # MAX_UPLOAD_SIZE so files larger than this are pushed onto the chunked # protocol (resumable on failure, bounded per-request by CHUNK_MAX_BYTES). # Default: 1 GiB. #OXICLOUD_DIRECT_PUT_MAX_BYTES=1073741824 # Per-chunk cap for a single chunked-upload PUT (PATCH /api/uploads/{id} # or PUT /dav/uploads/.../chunk). NC desktop and the OxiCloud frontend # split large files into chunks of this size or smaller, so this knob # tightly bounds the worst-case per-request memory/disk footprint # independently of the whole-file cap. Default: 100 MB. #OXICLOUD_CHUNK_MAX_BYTES=104857600 # ── Upload spool directories ───────────────────────────────────────── # Direct (non-chunked) uploads stream straight into the blob store — # no spool directory. Only chunked-upload sessions accumulate on disk. # See docs/config/storage-fine-tuning.md for layout examples. # Root directory for chunked-upload sessions (REST + NextCloud chunked # share this root). Default: {STORAGE_PATH}/.uploads. Avoid tmpfs in # containers (parts count against the cgroup memory limit); NVMe # placement accelerates chunk PUTs and the /complete streaming pass. #OXICLOUD_CHUNK_DIR=/var/lib/oxicloud/.uploads # How often (seconds) the background sweep reconciles each user's cached # storage usage with the real sum of their files (default: 600 = 10 min). # GET /api/auth/me serves the cached value instead of recomputing per request; # this sweep keeps it fresh for deletes/trash too. Lower = fresher quota, # higher = less background DB work. Minimum enforced: 30s. #OXICLOUD_STORAGE_USAGE_RECONCILE_SECS=600 # Test-only sweep triggers under /api/admin/internal/*. # When true, exposes: # POST /api/admin/internal/trigger-sweep — run the storage-usage # reconciliation synchronously # POST /api/admin/internal/trigger-gc — run the blob garbage collector # synchronously # Used by the Hurl / integration suites to assert post-delete quota # convergence without waiting out the periodic ticker (default 600 s). # These endpoints short-circuit operator-visible background cadence, so # leave OFF in production — when disabled, the routes return 404 even # to an admin token. Default: false. #OXICLOUD_ENABLE_ADMIN_INTERNAL_ENDPOINTS=false # Native WebDAV URL segment that returns the drive listing. Sanitized # by trimming leading/trailing `/` so `/@drive/`, `@drive`, and # `@drive/` are equivalent. Three deployment modes: # # * Default `@drive` — back-compat with pre-multi-drive clients. # /webdav/… → caller's default personal drive # /webdav/@drive/ → drive listing (per-drive virtual # folders) # /webdav/@drive//… → specific drive by UUID or its # display name # # * Empty `""` — no default-drive shortcut; `/webdav/` IS the # drive listing. Clients must always name the drive. # /webdav/ → drive listing # /webdav//… → specific drive # # * Any other string (e.g. `drives`) — same shape as `@drive` but # with your chosen segment substituted. # # Selector `` is a drive UUID or the drive's display name. Only # drives the caller has Read on via role_grants resolve; unknown # selector and permission denial both return 404 (anti-enumeration). #OXICLOUD_WEBDAV_DRIVE_LISTING_PREFIX=@drive # How often (milliseconds) the background job drains storage.tree_etag_dirty # and bumps folder tree ETags (default: 500). Write paths only enqueue bump # requests — this is the upper bound on how stale an ancestor folder's ETag # (WebDAV/NextCloud collection sync signal) can be after a change. Lower = # fresher sync detection, higher = fewer background UPDATEs. Minimum: 100. #OXICLOUD_TREE_ETAG_FLUSH_MS=500 # One-time startup migration that converts pre-CDC whole-file blobs (files # uploaded before chunked dedup landed) into CDC chunk manifests, in the # background on the maintenance pool. Fixes the legacy penalty where a Range # read (video seek) reads — and with encryption, DECRYPTS — the entire blob. # Idempotent; a no-op once no legacy blobs remain. Disable only on metered # remote backends (S3/Azure egress) where the one-time re-read of every # legacy blob should be scheduled deliberately, e.g. off-peak. #OXICLOUD_LEGACY_RECHUNK=true # Allow multiple processes to bind to the same port (SO_REUSEPORT). # DISABLED by default — leaving this off means a second accidental instance # will fail immediately with "address already in use", which is the safe behaviour. # Enable ONLY when you deliberately run several worker processes in parallel # (e.g. behind a process supervisor or during a zero-downtime rolling restart). # Not supported on Windows. #OXICLOUD_REUSE_PORT=false # ----------------------------------------------------------------------------- # DATABASE CONFIGURATION # ----------------------------------------------------------------------------- # PostgreSQL connection string # Format: postgres://USER:PASSWORD@HOST:PORT/DATABASE # For Docker: use 'postgres' as the hostname (the docker-compose service name) # For local development: use 'localhost:5432' OXICLOUD_DB_CONNECTION_STRING=postgres://postgres:postgres@postgres/oxicloud # Maximum number of database connections in the pool (default: 20) #OXICLOUD_DB_MAX_CONNECTIONS=20 # Minimum number of database connections to maintain (default: 5) #OXICLOUD_DB_MIN_CONNECTIONS=5 # Maximum connections for the maintenance pool (background/batch tasks). # This pool is isolated from user requests, preventing background operations # from starving interactive traffic. Default: 5 #OXICLOUD_DB_MAINTENANCE_MAX_CONNECTIONS=5 # Minimum connections for the maintenance pool. Default: 1 #OXICLOUD_DB_MAINTENANCE_MIN_CONNECTIONS=1 # Build-time database URL for SQLx compile-time checks # Only needed during compilation, not at runtime DATABASE_URL=postgres://postgres:postgres@localhost:5432/oxicloud # ----------------------------------------------------------------------------- # AUTHENTICATION CONFIGURATION # ----------------------------------------------------------------------------- # JWT secret key for signing authentication tokens # If not set, a secure secret is auto-generated and persisted to # /.jwt_secret so tokens survive container restarts. # You only need to set this if you want to share the same secret # across multiple OxiCloud instances or control it externally. # Generate a custom secret with: openssl rand -hex 32 #OXICLOUD_JWT_SECRET= # Access token lifetime in seconds (default: 3600 = 1 hour) #OXICLOUD_ACCESS_TOKEN_EXPIRY_SECS=3600 # Refresh token lifetime in seconds (default: 604800 = 7 days) # Active sessions auto-renew on use via token rotation, so users stay logged in # as long as they interact within this window. #OXICLOUD_REFRESH_TOKEN_EXPIRY_SECS=604800 # Argon2id password hashing parameters # Increase memory cost for stronger hashing at the expense of login latency. # Memory cost is in KiB (default: 65536 = 64 MiB) #OXICLOUD_HASH_MEMORY_COST=65536 # Number of iterations (default: 3) #OXICLOUD_HASH_TIME_COST=3 # Parallelism lanes (default: 2) #OXICLOUD_HASH_PARALLELISM=2 # ----------------------------------------------------------------------------- # RATE LIMITING & ACCOUNT LOCKOUT # ----------------------------------------------------------------------------- # Max login attempts per IP before rate-limiting kicks in (default: 10) #OXICLOUD_RATE_LIMIT_LOGIN_MAX=10 # Rate-limit window for logins in seconds (default: 60) #OXICLOUD_RATE_LIMIT_LOGIN_WINDOW_SECS=60 # Max registration attempts per IP per window (default: 5) #OXICLOUD_RATE_LIMIT_REGISTER_MAX=5 # Rate-limit window for registrations in seconds (default: 3600) #OXICLOUD_RATE_LIMIT_REGISTER_WINDOW_SECS=3600 # Max token refresh attempts per IP per window (default: 20) #OXICLOUD_RATE_LIMIT_REFRESH_MAX=20 # Rate-limit window for token refresh in seconds (default: 60) #OXICLOUD_RATE_LIMIT_REFRESH_WINDOW_SECS=60 # Consecutive failed logins before account lockout (default: 5) #OXICLOUD_LOCKOUT_MAX_FAILURES=5 # Account lockout duration in seconds (default: 900 = 15 minutes) #OXICLOUD_LOCKOUT_DURATION_SECS=900 # ----------------------------------------------------------------------------- # FEATURE FLAGS # ----------------------------------------------------------------------------- # Enable/disable authentication system (default: true) #OXICLOUD_ENABLE_AUTH=true # Enable per-user storage quotas (default: false) #OXICLOUD_ENABLE_USER_STORAGE_QUOTAS=false # Enable file/folder sharing (default: true) #OXICLOUD_ENABLE_FILE_SHARING=true # Enable trash/recycle bin functionality (default: true) #OXICLOUD_ENABLE_TRASH=true # Enable search functionality (default: true) #OXICLOUD_ENABLE_SEARCH=true # Full-text content search (embedded Tantivy index over file names AND file # content: PDF, Office, plain text/code). Indexing runs on the maintenance # pool, off the request path. (default: true) #OXICLOUD_ENABLE_CONTENT_SEARCH=true # Content index directory (default: {OXICLOUD_STORAGE_PATH}/.search-index) #OXICLOUD_CONTENT_INDEX_DIR= # Index worker drain cadence in ms — upper bound on how long a new upload # takes to become content-searchable (default: 1500) #OXICLOUD_CONTENT_INDEX_FLUSH_MS=1500 # Files larger than this are indexed by name only, no text extraction # (default: 33554432 = 32 MiB) #OXICLOUD_CONTENT_INDEX_MAX_FILE_BYTES=33554432 # Cap on extracted text per unique blob fed to the index # (default: 1048576 = 1 MiB) #OXICLOUD_CONTENT_INDEX_MAX_TEXT_BYTES=1048576 # Enable music playlists and audio metadata (default: true) #OXICLOUD_ENABLE_MUSIC=true # Expose other OxiCloud users as a read-only "system" address book # at GET /api/address-books (default: true) # Set to false to prevent users from browsing the user directory. #OXICLOUD_EXPOSE_SYSTEM_USERS=true # ── People (face recognition) ──────────────────────────────────────────── # Biometric data (GDPR Art. 9) — OFF by default, opt-in per deployment. # Detects faces and clusters them into people in the photo library. # # Requires ALL of: # 1. a binary built with the `faces-onnx` cargo feature # (`cargo build --release --features faces-onnx`), # 2. OXICLOUD_ENABLE_FACES=true, # 3. the ONNX Runtime shared library + two operator-provided ONNX models # (a SCRFD/RetinaFace detector with 5-point landmarks, and an ArcFace # 512-d embedder — e.g. InsightFace `buffalo_l`). Models are NOT shipped. # Without all three, the People pipeline stays inert (no-op analyzer) and the # server still boots; the People tab stays hidden in the UI. #OXICLOUD_ENABLE_FACES=false # Path to libonnxruntime.{so,dylib,dll}. Falls back to ORT_DYLIB_PATH. # Use the ONNX Runtime build matching this app's `ort` crate (>= 1.24). #OXICLOUD_FACES_ORT_DYLIB=/opt/onnxruntime/lib/libonnxruntime.so # Face detector model (SCRFD/RetinaFace, 5-point landmarks). #OXICLOUD_FACES_DETECTOR_MODEL=/var/lib/oxicloud/models/scrfd_10g_bnkps.onnx # Face embedder model (ArcFace, 112x112 input -> 512-d output). #OXICLOUD_FACES_EMBEDDER_MODEL=/var/lib/oxicloud/models/w600k_r50.onnx # Detector square input size in px (default: 640) #OXICLOUD_FACES_DET_SIZE=640 # Minimum detector confidence to keep a face, 0..1 (default: 0.5) #OXICLOUD_FACES_DET_THRESHOLD=0.5 # IoU threshold for non-maximum suppression, 0..1 (default: 0.4) #OXICLOUD_FACES_NMS_THRESHOLD=0.4 # ONNX Runtime intra-op threads; 0 = let ONNX Runtime decide (default: 0) #OXICLOUD_FACES_INTRA_THREADS=0 # WASM plugin runtime (Extism). Requires a binary built with the `plugins` # cargo feature (`cargo run --features plugins`); without that feature these # vars are inert. Untrusted plugins run sandboxed: no filesystem, no network, # capped memory, per-invocation timeout. (default: false) #OXICLOUD_ENABLE_PLUGINS=false # Directory scanned for plugins at startup; each plugin is a subdirectory with # a plugin.toml + its .wasm. (default: {OXICLOUD_STORAGE_PATH}/.plugins) #OXICLOUD_PLUGINS_DIR= # Per-invocation wall-clock timeout in ms (default: 250) #OXICLOUD_PLUGIN_TIMEOUT_MS=250 # Max linear memory per plugin instance, in 64 KiB WASM pages (default: 256 = 16 MiB) #OXICLOUD_PLUGIN_MAX_MEMORY_PAGES=256 # Max serialized event payload handed to a plugin, in bytes (default: 262144 = 256 KiB) #OXICLOUD_PLUGIN_MAX_INPUT_BYTES=262144 # Max plugin invocations running at once across all plugins. Past this, dispatch # sheds load (drops the event, audit-logged) so plugins can't starve the shared # blocking pool. (default: 16) #OXICLOUD_PLUGIN_MAX_CONCURRENT_INVOCATIONS=16 # Idle window (seconds) after which a plugin's cached compiled module is dropped # to reclaim memory; the next event recompiles from the on-disk cache. (default: 300) #OXICLOUD_PLUGIN_CACHE_IDLE_TTL_SECS=300 # Decompressed-byte ceiling enforced while unpacking an install bundle (zip-bomb # guard; the install route also caps the compressed body at 32 MiB). (default: 67108864 = 64 MiB) #OXICLOUD_PLUGIN_MAX_BUNDLE_DECOMPRESSED_BYTES=67108864 # Directory for per-plugin structured logs, one subdir per plugin id. # (default: {OXICLOUD_STORAGE_PATH}/.plugin-logs) #OXICLOUD_PLUGIN_LOG_DIR= # Size (bytes) at which a plugin's active events.jsonl rotates into a gzip segment. (default: 5242880 = 5 MiB) #OXICLOUD_PLUGIN_LOG_MAX_FILE_BYTES=5242880 # Coarse ceiling on rotated .gz segments kept per plugin at write time. (default: 10) #OXICLOUD_PLUGIN_LOG_MAX_SEGMENTS=10 # Default age (days) past which rotated log segments are pruned by the sweep; # overridable per plugin in the admin UI. 0 = purge all rotated segments. (default: 30) #OXICLOUD_PLUGIN_LOG_RETENTION_DAYS=30 # Default aggregate byte cap on kept log segments per plugin (oldest deleted # first); overridable per plugin. 0 = purge all rotated segments. (default: 268435456 = 256 MiB) #OXICLOUD_PLUGIN_LOG_TOTAL_MAX_BYTES=268435456 # Bounded depth of the log-write queue; a flood past this sheds the oldest batch # rather than blocking dispatch or growing RAM. (default: 1024) #OXICLOUD_PLUGIN_LOG_QUEUE_CAPACITY=1024 # ----------------------------------------------------------------------------- # STORAGE BACKEND # ----------------------------------------------------------------------------- # Blob storage backend: local (default), s3, or azure #OXICLOUD_STORAGE_BACKEND=local # --- S3-Compatible (AWS S3, Backblaze B2, Cloudflare R2, MinIO) --- # Used when OXICLOUD_STORAGE_BACKEND=s3 # S3 bucket name (required) #OXICLOUD_S3_BUCKET=my-oxicloud-bucket # AWS region (default: us-east-1) #OXICLOUD_S3_REGION=us-east-1 # Access credentials #OXICLOUD_S3_ACCESS_KEY= #OXICLOUD_S3_SECRET_KEY= # Custom endpoint for non-AWS providers (e.g. MinIO, R2, B2) #OXICLOUD_S3_ENDPOINT_URL=https://s3.example.com # Force path-style URLs — required for MinIO, Cloudflare R2 (default: false) #OXICLOUD_S3_FORCE_PATH_STYLE=false # --- Azure Blob Storage --- # Used when OXICLOUD_STORAGE_BACKEND=azure # Storage account name (required) #OXICLOUD_AZURE_ACCOUNT_NAME= # Storage account key (or use SAS token below) #OXICLOUD_AZURE_ACCOUNT_KEY= # Blob container name (required) #OXICLOUD_AZURE_CONTAINER=oxicloud # SAS token (alternative to account key) #OXICLOUD_AZURE_SAS_TOKEN= # --- Local Disk Cache for Remote Backends --- # LRU cache that speeds up repeated reads from S3 or Azure. # Enable disk cache (default: false) #OXICLOUD_STORAGE_CACHE_ENABLED=false # Maximum cache size in bytes (default: 53687091200 = 50 GB) #OXICLOUD_STORAGE_CACHE_MAX_SIZE=53687091200 # Cache directory (default: {STORAGE_PATH}/.blob-cache) #OXICLOUD_STORAGE_CACHE_PATH= # --- Client-Side Encryption --- # AES-256-GCM encryption applied to blobs before writing to any backend. # WARNING: losing the key means losing all data. Back it up securely. # Enable at-rest blob encryption (default: false) #OXICLOUD_STORAGE_ENCRYPTION_ENABLED=false # Base64-encoded 32-byte key; generate with: openssl rand -base64 32 #OXICLOUD_STORAGE_ENCRYPTION_KEY= # --- Retry Policy (Remote Backends) --- # Exponential backoff retries for transient errors on S3 and Azure. # Enable retry (default: true) #OXICLOUD_STORAGE_RETRY_ENABLED=true # Maximum number of retry attempts (default: 3) #OXICLOUD_STORAGE_RETRY_MAX_RETRIES=3 # Initial backoff in milliseconds (default: 100) #OXICLOUD_STORAGE_RETRY_INITIAL_BACKOFF_MS=100 # Maximum backoff cap in milliseconds (default: 10000) #OXICLOUD_STORAGE_RETRY_MAX_BACKOFF_MS=10000 # Backoff multiplier per retry (default: 2.0) #OXICLOUD_STORAGE_RETRY_BACKOFF_MULTIPLIER=2.0 # ----------------------------------------------------------------------------- # OPENID CONNECT (OIDC) / SSO CONFIGURATION # ----------------------------------------------------------------------------- # Enable OIDC authentication (default: false) OXICLOUD_OIDC_ENABLED=false # OIDC provider issuer URL (required if OIDC enabled) # Example: https://auth.example.com/application/o/oxicloud/ #OXICLOUD_OIDC_ISSUER_URL= # OIDC client ID (required if OIDC enabled) #OXICLOUD_OIDC_CLIENT_ID= # OIDC client secret (required if OIDC enabled) #OXICLOUD_OIDC_CLIENT_SECRET= # Callback URL after OIDC authentication (must match IdP config) # Default: http://localhost:8086/api/auth/oidc/callback #OXICLOUD_OIDC_REDIRECT_URI=http://localhost:8086/api/auth/oidc/callback # OIDC scopes to request (default: openid profile email) #OXICLOUD_OIDC_SCOPES=openid profile email # Frontend URL to redirect after successful OIDC login # Default: http://localhost:8086 #OXICLOUD_OIDC_FRONTEND_URL=http://localhost:8086 # Auto-create users on first OIDC login (JIT provisioning) (default: true) #OXICLOUD_OIDC_AUTO_PROVISION=true # Comma-separated list of OIDC groups that grant admin role # Example: admins,cloud-admins #OXICLOUD_OIDC_ADMIN_GROUPS= # Disable password-based login entirely when OIDC is active (default: false) #OXICLOUD_OIDC_DISABLE_PASSWORD_LOGIN=false # Display name for the OIDC provider shown in UI (default: SSO) #OXICLOUD_OIDC_PROVIDER_NAME=SSO # ----------------------------------------------------------------------------- # WOPI (WEB APPLICATION OPEN PLATFORM INTERFACE) CONFIGURATION # ----------------------------------------------------------------------------- # Enable WOPI integration for office document editing (default: false) # Used with Collabora, OnlyOffice, or other WOPI-compatible editors OXICLOUD_WOPI_ENABLED=false # URL to the WOPI client's discovery endpoint # Example for Collabora: http://collabora:9980/hosting/discovery # Example for OnlyOffice: http://onlyoffice/hosting/discovery #OXICLOUD_WOPI_DISCOVERY_URL= # Public OxiCloud URL used by the browser for the WOPI host page. # Keep this on the OxiCloud hostname, even when OnlyOffice/Collabora runs elsewhere. # Example: https://cloud.example.com #OXICLOUD_WOPI_PUBLIC_BASE_URL= # Optional callback URL the editor uses to reach OxiCloud's /wopi/* endpoints. # Set this only when the editor uses a different internal address than the browser. # Example: http://oxicloud:8086 #OXICLOUD_WOPI_BASE_URL= # Secret key for signing WOPI access tokens # Falls back to OXICLOUD_JWT_SECRET if not set #OXICLOUD_WOPI_SECRET= # WOPI access token lifetime in seconds (default: 86400 = 24 hours) #OXICLOUD_WOPI_TOKEN_TTL_SECS=86400 # WOPI lock expiration in seconds (default: 1800 = 30 minutes) #OXICLOUD_WOPI_LOCK_TTL_SECS=1800 # ----------------------------------------------------------------------------- # NEXTCLOUD COMPATIBILITY # ----------------------------------------------------------------------------- # Enables the Nextcloud-compatible API layer for clients that speak the # Nextcloud protocol (desktop sync, mobile apps, Nextcloud Talk, etc.) # Enable Nextcloud compatibility (default: false) #OXICLOUD_NEXTCLOUD_ENABLED=false # Instance ID suffix used in oc:id formatting (default: ocnca) #OXICLOUD_NEXTCLOUD_INSTANCE_ID=ocnca # Emulated Nextcloud version reported to clients (default: 28.0.4) # Clients use this to decide which protocol features to enable. #OXICLOUD_NEXTCLOUD_VERSION=28.0.4 # ----------------------------------------------------------------------------- # OUTBOUND EMAIL (SMTP) # ----------------------------------------------------------------------------- # # Used by the magic-link invitation flow (sharing with someone by email) and # the login-via-email flow. When HOST is empty (the default), the feature is # disabled and any endpoint that needs email returns 503. # # OxiCloud does NOT spool mail or retry failed sends — each delivery is a # single attempt. For durability against brief upstream outages, point this # at a local MTA (Postfix, OpenSMTPD, msmtp-mta, …) configured as a # smarthost. The local MTA owns the queue and retries against your real # relay. See docs/config/env.md → "Reliability and retries" for the recipe. # SMTP server hostname or IP. Empty = feature disabled. #OXICLOUD_SMTP_HOST=smtp.example.com # Submission port. Common values: # 587 = STARTTLS submission (default) # 465 = implicit TLS submission # 25 = plain relay (development only) #OXICLOUD_SMTP_PORT=587 # SASL username for SMTP AUTH. Leave empty for anonymous relay. #OXICLOUD_SMTP_USER=oxicloud@example.com # SASL password. Logged as `` / `` in startup banner (never echoed # in plaintext). #OXICLOUD_SMTP_PASS= # `From:` mailbox. Either a bare address or RFC 5322 name-address form. #OXICLOUD_SMTP_FROM=OxiCloud # Transport encryption mode: # starttls = port 587 with STARTTLS upgrade (default — recommended) # tls = implicit TLS from the first byte (port 465) # none = no encryption; emits a startup WARN, development only #OXICLOUD_SMTP_TLS=starttls # ----------------------------------------------------------------------------- # MAGIC-LINK AUTHENTICATION # ----------------------------------------------------------------------------- # # Knobs for the invite-by-email / login-via-email flows. Both rely on SMTP # being configured above. # Lifetime of a freshly-minted magic-link token, in hours. After this, the # background sweeper marks the token expired. Must be > 0. #OXICLOUD_MAGIC_LINK_TTL_HOURS=24 # Kill switch for the whole magic-link flow. # true = POST /api/grants accepts `subject.type = "email"`; new external # users are created lazily and invitation mails are sent. # false = the same call returns 403; POST /api/auth/magic-link/send # returns the uniform stub response without issuing a token. # This is the coarse "turn it all off" switch; the per-domain allowlist # below is the fine-grained version. #OXICLOUD_ALLOW_EXTERNAL_USERS=true # Allowlist of email domains accepted when minting a new external user. # Comma-separated, case-insensitive, exact-match on the post-`@` part of the # address. Empty (the default) = any domain is allowed, subject to # OXICLOUD_ALLOW_EXTERNAL_USERS above. # # Wildcards / subdomain semantics are intentionally NOT supported: # `partner.com` does not match `eng.partner.com`. List every subdomain # explicitly when needed. # # Example (only addresses on these two domains can be invited): #OXICLOUD_EXTERNAL_EMAIL_DOMAINS=partner-a.com,partner-b.io # Per-sharer rate limit on email-type grants from POST /api/grants. Keyed on # the authenticated caller's user_id. Hitting the cap returns 429 with # Retry-After. Default 50/hour — generous for legitimate admin invites, # protective against a compromised account spamming external users. #OXICLOUD_MAGIC_LINK_INVITE_PER_CALLER_PER_HOUR=50 # Per-target-email rate limit on POST /api/auth/magic-link/send. Keyed on # the normalised recipient address (lowercased local, punycode domain). # Exceeding the cap is silently absorbed (uniform 200 anti-enumeration); # audit log records the real reason. Authenticated callers bypass this # limit (a logged-in user resending to themselves should not be throttled). # Default 5/hour. #OXICLOUD_MAGIC_LINK_SEND_PER_EMAIL_PER_HOUR=5 # Per-source-IP backstop on POST /api/auth/magic-link/send. Bounds the cost # of one attacker spreading 5/hr requests across many target addresses. # Same silently-absorbed behaviour on cap. Honours OXICLOUD_TRUST_PROXY_CIDR # for client IP resolution. Default 200/hour. #OXICLOUD_MAGIC_LINK_SEND_PER_IP_PER_HOUR=200 # Policy switch: should magic-link sign-in be offered to users who already # have a password configured? # false (default, strict) — users with a password are audit-logged # `has_password` and receive no mail. Their password is the only # authentication path; magic-link would weaken it to "mailbox # compromise = account compromise". # true (lenient) — users with a password can also request a # magic-link as a sign-in path. Aligns with modern SaaS UX # (Slack, Notion, etc.). Operators who already treat email as the # canonical password-reset channel pick this. # OIDC-linked users are ALWAYS rejected regardless of this flag — the # IdP is the security boundary and may enforce MFA we shouldn't bypass. #OXICLOUD_MAGIC_LINK_OPEN_TO_PASSWORD_USERS=false # Operator-level kill switch for share-notification emails to internal # users (the "Alice shared 'Project Alpha' with you" mail that fires when # `magic_link_eligibility` rejects the recipient — typically password # users and OIDC users with a known email). When `true` (default), the # new RecipientNotificationService dispatches plain-notification mail # on every share. When `false`, internal users discover new shares only # at next login. # # This is a coarser knob than the per-user # `auth.users.notify_on_share` column (set via the profile "Email me # when someone shares with me" checkbox): when this env is `false`, # the per-user opt-in does not matter. # # External-user magic-link FIRST-invitations are NOT affected by this # flag — those always send, because the link is the only way the # recipient can claim the share for the first time. Subsequent shares # to an existing external follow the same plain-notification path and # are subject to both this knob and the per-user opt-out. #OXICLOUD_NOTIFY_INTERNAL_USERS_ON_SHARE=true # ----------------------------------------------------------------------------- # INTERNATIONALIZATION (server-rendered surfaces) # ----------------------------------------------------------------------------- # # Default locale for server-rendered HTML pages and outbound emails when # no stronger signal is available. The resolution priority is: # # HTML pages (anonymous, e.g. magic-link landing): # 1. ?lang=xx query override # 2. browser Accept-Language header (q-weighted) # 3. this default # # Emails to a known user: # 1. user.preferred_locale column # 2. this default # # Supported locales are discovered at boot by listing static/locales/*.json, # so adding a 17th locale is a file-drop operation (no rebuild required). # This variable must match one of the discovered codes — startup fails fast # if you set OXICLOUD_DEFAULT_LOCALE=xx and no static/locales/xx.json exists. # # Default: "en". Today's shipped locales: ar, de, en, es, fa, fr, hi, it, # ja, ko, nl, pl, pt, ru, zh, zh-TW. #OXICLOUD_DEFAULT_LOCALE=en # ----------------------------------------------------------------------------- # PROXY # ----------------------------------------------------------------------------- # Use this section if you are running OxiCloud behind a reverse proxy. # Trusted Proxy CIDRs — comma-separated list of CIDR blocks whose # X-Forwarded-For / X-Real-IP headers will be trusted for client IP detection. # Leave unset if OxiCloud is directly exposed (no proxy). # Example: 127.0.0.1/32,10.0.0.0/8,172.16.0.0/12,::1/128 #OXICLOUD_TRUST_PROXY_CIDR= # DEPRECATED — use OXICLOUD_TRUST_PROXY_CIDR instead #OXICLOUD_TRUST_PROXY_HEADERS= # ----------------------------------------------------------------------------- # MEMORY ALLOCATOR TUNING (IMPORTANT FOR RAM USAGE) # ----------------------------------------------------------------------------- # OxiCloud uses mimalloc as its global memory allocator for performance. # By default, mimalloc RETAINS freed memory in internal free-lists instead of # returning it to the operating system. This causes the process RSS to grow # over time (e.g., after large file uploads or password hashing) and never # shrink back — even though the application has already freed that memory. # # In containerized / memory-constrained environments (Docker, K8s, VPS with # limited RAM), this is critical: without these settings, the container can # appear to "leak" hundreds of MiB that are actually just retained by the # allocator. # # These variables are read directly by the mimalloc C library at startup. # They are NOT OxiCloud-specific — they are part of mimalloc's official API. # Docs: https://microsoft.github.io/mimalloc/environment.html # MIMALLOC_PURGE_DELAY: Delay (in ms) before freed memory is returned to the OS. # 0 = return immediately (RECOMMENDED for Docker / limited RAM) # -1 = never return (maximum performance, highest RAM usage) # 10 = mimalloc default (slight delay for reuse optimization) # Setting this to 0 can reduce idle RAM by 80-120 MiB in typical deployments. MIMALLOC_PURGE_DELAY=0 # MIMALLOC_ALLOW_LARGE_OS_PAGES: Use 2 MiB huge pages for allocations. # 0 = disabled (RECOMMENDED for Docker — avoids RSS inflation from THP) # 1 = enabled (better TLB performance on bare-metal servers with plenty of RAM) # When enabled with Linux Transparent Huge Pages (THP), partially-used 2 MiB # pages inflate the reported RSS by up to 20-30 MiB. MIMALLOC_ALLOW_LARGE_OS_PAGES=0