advanced_dev.erda.dk_full_wayf.env

# IMPORTANT: this is a sample env file with the setup used for the default simple
#            docker build. To adjust the build settings you can copy it to ./.env and
#            make your desired changes before running
#            make init && make build

# This can be used to specify custom upstream registries
# from where to pull/push the docker-migrid stack images
CONTAINER_REGISTRY=${CONTAINER_REGISTRY:-docker.io}

# Optionally use DOCKER_MIGRID_ROOT to point to another root location than PWD,
# which might be useful e.g. when automating deployment with ansible.
# IMPORTANT: with docker on centos7 at least our readonly mounts fail unless we use abs path!
#DOCKER_MIGRID_ROOT=.
DOCKER_MIGRID_ROOT=/home/mig/docker-migrid

# Set to override container user and group IDs
#UID=1000
#GID=1000
#USER=mig

# The domain in which the instance should be accessible
DOMAIN=dev.erda.dk
WILDCARD_DOMAIN=dev*.erda.dk
PUBLIC_DOMAIN=dev-www.erda.dk
MIGCERT_DOMAIN=
EXTCERT_DOMAIN=dev-cert.erda.dk
MIGOID_DOMAIN=dev-ext.erda.dk
EXTOID_DOMAIN=dev-oid.erda.dk
# NOTE: uncoment next domain for testing external OpenID Connect provider
EXTOIDC_DOMAIN=dev-wayf.erda.dk
SID_DOMAIN=dev-sid.erda.dk
IO_DOMAIN=dev-io.erda.dk
OPENID_DOMAIN=dev-ext.erda.dk
FTPS_DOMAIN=dev-io.erda.dk
SFTP_DOMAIN=dev-io.erda.dk
WEBDAVS_DOMAIN=dev-io.erda.dk
MIG_OID_PROVIDER=https://dev-ext.erda.dk/openid/
EXT_OID_PROVIDER=https://openid.ku.dk/
# TODO: switch to a proper meta provider here
#EXT_OIDC_PROVIDER_META_URL="https://wayf.wayf.dk"
# NOTE: use the included local definition of WAYF interfaces for now
EXT_OIDC_PROVIDER_META_URL="https://${PUBLIC_DOMAIN}/.well-known/wayf-openid-configuration"
EXT_OIDC_TITLE="WAYF"
EXT_OIDC_CLIENT_NAME=""
EXT_OIDC_CLIENT_ID="http://erda.dk"
EXT_OIDC_SCOPE=""
EXT_OIDC_REMOTE_USER_CLAIM=sub
# Uncomment to enable workaround for OpenID Connect sign up with accented chars
# NOTE: default interpretation changed upstream and should use none for old
#EXT_OIDC_PASS_CLAIM_AS="both latin1"
#EXT_OIDC_PASS_CLAIM_AS="both none"
EXT_OIDC_PASS_CLAIM_AS="both"
# WAYF specific options
EXT_OIDC_PKCE_METHOD=S256
EXT_OIDC_PROVIDER_ISSUER="https://wayf.wayf.dk"
EXT_OIDC_PROVIDER_AUTHORIZATION_ENDPOINT="https://wayf.wayf.dk/saml2/idp/SSOService2.php"
EXT_OIDC_PROVIDER_TOKEN_ENDPOINT="https://wayf.wayf.dk/token"
EXT_OIDC_PROVIDER_USER_INFO_ENDPOINT="https://wayf.wayf.dk/token"
EXT_OIDC_PROVIDER_TOKEN_ENDPOINT_AUTH=none
EXT_OIDC_USER_INFO_TOKEN_METHOD=post_param
EXT_OIDC_USER_INFO_SIGNED_RESPONSE_ALG=RS256
EXT_OIDC_COOKIE_SAME_SITE="Off"
EXT_OIDC_PASS_COOKIES="wayfid"
EXT_OIDC_RESPONSE_MODE=form_post
EXT_OIDC_PROVIDER_VERIFY_CERT_FILES="/etc/httpd/MiG-certificates/wayf.dk/wayf-idp.pem"
EXT_OIDC_PRIVATE_KEY_FILES="wayf#/etc/httpd/MiG-certificates/wayf.dk/4k/key-nopw.pem"
EXT_OIDC_PUBLIC_KEY_FILES="wayf#/etc/httpd/MiG-certificates/wayf.dk/4k/cert.pem"
EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ALG=RSA-OAEP
EXT_OIDC_ID_TOKEN_ENCRYPTED_RESPONSE_ENC=A256GCM
EXT_OIDC_REWRITE_COOKIE="wayfid:wayf-qa:.erda.dk:0:/:true:true"
PUBLIC_HTTP_PORT=80
PUBLIC_HTTPS_PORT=443
MIGCERT_HTTPS_PORT=443
EXTCERT_HTTPS_PORT=443
MIGOID_HTTPS_PORT=443
EXTOID_HTTPS_PORT=443
EXTOIDC_HTTPS_PORT=443
SID_HTTPS_PORT=443
SFTP_PORT=2222
SFTP_SUBSYS_PORT=22222
SFTP_SHOW_PORT=22
DAVS_PORT=4443
DAVS_SHOW_PORT=443
OPENID_PORT=8443
OPENID_SHOW_PORT=443
FTPS_CTRL_PORT=8021
FTPS_CTRL_SHOW_PORT=21
FTPS_PASSIVE_PORTS=8100-8200

# Various helpers
ADMIN_EMAIL="ERDA Info <mig@dev.erda.dk>"
SUPPORT_EMAIL="ERDA Support <support@dev.erda.dk>"
ADMIN_LIST="/C=DK/ST=NA/L=NA/O=FAKSEK/OU=NA/CN=Jonas Bardino/emailAddress=bardino@science.ku.dk,/C=DK/ST=NA/L=NA/O=NBI/OU=NA/CN=Jonas Bardino/emailAddress=bardino@nbi.ku.dk,/C=DK/ST=NA/L=NA/O=NBI/OU=NA/CN=Martin Rehr/emailAddress=rehr@nbi.ku.dk,/C=DK/ST=NA/L=NA/O=KU/OU=NA/CN=Rasmus Munk/emailAddress=wlp630@alumni.ku.dk"
SMTP_SENDER="Do Not Reply <no-reply@dev.erda.dk>"
#LOG_LEVEL=info
LOG_LEVEL=debug
TITLE="Dev Electronic Research Data Archive"
SHORT_TITLE="Dev ERDA"
MIG_OID_TITLE="Non-KU/UCPH"
EXT_OID_TITLE="KU/UCPH"
PEERS_PERMIT="role:.*(vip|tap|staff)"
VGRID_CREATORS="role:.*(vip|tap|staff)"
VGRID_MANAGERS="distinguished_name:.*"

# Which site setup flavor to emulate regarding skin, etc.
# {migrid, idmc, erda, sif}
EMULATE_FLAVOR=erda
# and the corresponding FQDN used e.g. in that flavor index-FQDN.html
EMULATE_FQDN=erda.dk
#SKIN_SUFFIX=basic
SKIN_SUFFIX=ucph-science

# Site settings
ENABLE_OPENID=True
ENABLE_SFTP=False
ENABLE_SFTP_SUBSYS=True
ENABLE_DAVS=True
ENABLE_FTPS=True
ENABLE_SHARELINKS=True
ENABLE_TRANSFERS=True
ENABLE_DUPLICATI=True
ENABLE_SEAFILE=False
SEAFILE_FQDN=
SEAFILE_RO_ACCESS=False
ENABLE_SANDBOXES=False
ENABLE_VMACHINES=False
ENABLE_CRONTAB=True
ENABLE_JOBS=False
ENABLE_RESOURCES=False
ENABLE_EVENTS=False
ENABLE_GRAVATARS=True
ENABLE_SITESTATUS=True
# Set in site-specific section below
#STATUS_SYSTEM_MATCH=ANY
ENABLE_FREEZE=True
ENABLE_CRACKLIB=True
ENABLE_IMNOTIFY=False
ENABLE_NOTIFY=True
ENABLE_PREVIEW=False
ENABLE_WORKFLOWS=False
ENABLE_VERIFY_CERTS=True
ENABLE_JUPYTER=True
ENABLE_CLOUD=False
ENABLE_TWOFACTOR=True
ENABLE_TWOFACTOR_STRICT_ADDRESS=False
# MFA apps to link to on 2-Factor Auth Setup page
TWOFACTOR_AUTH_APPS="google freeotp yubico bitwarden"
ENABLE_PEERS=True
MIG_PASSWORD_POLICY="MODERN:12"
ENABLE_LOGROTATE=False
LOGROTATE_MIGRID=False
PEERS_MANDATORY=True
PEERS_EXPLICIT_FIELDS="full_name email"
PEERS_CONTACT_HINT="employed at UCPH and authorized to invite you as peer"
ENABLE_MIGADMIN=True
ENABLE_GDP=False
GDP_EMAIL_NOTIFY=False

# Other site-specific options 
# IO daemons
# Limit per-user active SFTP sessions
SFTP_MAX_SESSIONS=16
FTPS_PASV_PORTS=8030:8200
# Status page and security scanning
STATUS_SYSTEM_MATCH="ERDA ALL"
SECSCAN_ADDR="130.226.158.3 130.225.213.72 192.38.10.137"
# Exteral doc link
EXTERNAL_DOC=https://erda.ku.dk
# Workgroup links
ADVANCED_VGRID_LINKS="files web scm"
# Various helper snippets
PEERS_NOTICE="<span class='info iconleftpad highlight_message'>Only employees at UCPH can vouch for external peers to let them have an account for collaboration or course activities.</span><br/>"
PRIVACY_TEXT="<a href='/public/site-privacy-policy.pdf'>Privacy</a> &amp; <a href='/public/cookie-policy.pdf'>cookies</a>"
DATASAFETY_LINK="<div class='fillwidth centertext'><a class='info warningtext title iconspace leftpad'  href='javascript:'>About MiG Data Safety</a></div>"
DATASAFETY_TEXT="<div><p>We try our best to prevent data loss on MiG, and do have daily remote backups running. Yet, it is a research system and we do not guarantee anything beyond best effort to avoid data loss. Please consider securing your data e.g. on ERDA using persistent archives if you have critical data.<br/>For further details please read about data replication and backup strategies for data stored on MiG in our <a target=_blank href='https://www.migrid.org/'>FAQ</a>.</p></div>"

# VGrid Tracker integration
#TRAC_ADMIN_PATH=/usr/bin/trac-admin
TRAC_ADMIN_PATH=
TRAC_INI_PATH=/home/mig/mig/server/trac.ini
# TODO: add this?
# IMPORTANT: Keep trac_id_field in sync with apache trac login section
#TRAC_ID_FIELD=email

ENABLE_SELF_SIGNED_CERTS=False
#BUILD_MOD_AUTH_OPENID=False
UPGRADE_MOD_AUTH_OPENIDC=True
# Upstream no longer supplies centos7 rpm, use local cache
UPGRADE_OIDC_CJOSE_SRC=https://sid.erda.dk/share_redirect/Ar0bdlYdYo/cjose-0.6.2.2-1.el7.x86_64.rpm
UPGRADE_OIDC_AUTH_MOD_SRC=https://sid.erda.dk/share_redirect/Ar0bdlYdYo/mod_auth_openidc-2.4.14.4-1.el7.x86_64.rpm
# Use a recent paramiko for modern host key algo support in grid_sftp (ENABLE_SFTP)
UPGRADE_PARAMIKO=True
PUBKEY_FROM_DNS=False
# NOTE: stay with wsgidav-1.3 for python2 to avoid CVE-2022-41905, we already get 4.3+ for python3
MODERN_WSGIDAV=False
# NOTE: whether to use python3 as default - requires WITH_PY3 to be enabled
# IMPORTANT: currently requires the git 'experimental' branch to work
# NOTE: comment out to leave the choice of default python to the Dockerfile default
PREFER_PYTHON3=True

SIGNUP_METHODS="migoid extcert extoid extoidc"
LOGIN_METHODS="migoid extcert extoid extoidc"
USER_INTERFACES="V3 V2"
AUTO_ADD_CERT_USER=True
AUTO_ADD_OID_USER=True
AUTO_ADD_OIDC_USER=True
AUTO_ADD_FILTER_FIELDS=full_name
AUTO_ADD_FILTER_METHOD=skip
# IMPORTANT: always filter here unless you trust ALL users your IDPs can authenticate.
#            E.g. if you enable international IDPs like WAYF, and you won't allow ANY
#            user who can authenticate there to simply sign up here.
AUTO_ADD_USER_PERMIT="distinguished_name:.+@([a-z0-9]+\.|)ku\.dk$"
CERT_VALID_DAYS=365
OID_VALID_DAYS=365
GENERIC_VALID_DAYS=365
OPENSSH_VERSION=7.4
VGRID_LABEL=Workgroup
# Menu options override default and available extra Apps on personal Home page
DEFAULT_MENU="home files vgrids archives jupyter settings setup logout"
USER_MENU="sharelinks seafile crontab transfers cloud people downloads peers docs migadmin"
# Use persistent salt for storing various sensitive data
# NOTE: the two files were manually created in ./state/secrets/ using initial
#       corresponding generated X_salt values from mig/server/MiGserver.conf
DIGEST_SALT="FILE::/home/mig/state/secrets/digest-salt.hex"
CRYPTO_SALT="FILE::/home/mig/state/secrets/crypto-salt.hex"
# Site-specific javascript and stylesheets to inject on user pages
#EXTRA_USERPAGE_SCRIPTS="https://ui-sid.erda.dk/images/js/hello.js"
EXTRA_USERPAGE_SCRIPTS=""
EXTRA_USERPAGE_STYLES=""

# Apply site-specific overrides from OVERRIDES_DIR inside container
OVERRIDES_DIR="site-overrides"
# Just increment next to force update in next build upon content changes
OVERRIDES_REVISION=3

# The containers can take advantage of a fast shared scratch space e.g. in
# memory for caching various internal state helpers. If not set local disk will
# be used by default.
# NOTE: a shared mig_system_run scratch space on tmpfs can be made with
#       something like:                                                                             
# tmpfs   /storage/tmpfs/mig_system_run  tmpfs   nosuid,nodev,noatime,noexec,uid=1000,gid=1000,mode=0770,size=128m   0 0
# in /etc/fstab. Manual mount can be done with:                                                     
# sudo mount /storage/tmpfs/mig_system_run
# NOTE: toggle commenting on  next two lines if you have such a tmpfs set up in the given path
MIG_SYSTEM_RUN=/storage/tmpfs/mig_system_run
#MIG_SYSTEM_RUN=${DOCKER_MIGRID_ROOT}/state/mig_system_run
# The apache auth openid module performs and scales better if the associated
# internal openid store directory runs from fast storage. It's a volatile data
# store, which allows more concurrent OpenID 2.0 clients if it e.g. uses tmpfs.
# If you have migoid or extoid in LOGIN_METHODS you likely want to look into
# that. The instructions for mig_system_run can be mostly reused in that case.
# Otherwise you can safely ignore the OPENID_STORE setting.
# NOTE: toggle commenting on next two lines if you have such a tmpfs set up in the given path
OPENID_STORE=/storage/tmpfs/openid_store
#OPENID_STORE=${DOCKER_MIGRID_ROOT}/state/openid_store
# We need a read-only bind mounted version of the vgrid_files_writable
# directory and the underlying location can be configured here.
VGRID_FILES_WRITABLE=${DOCKER_MIGRID_ROOT}/state/vgrid_files_writable

# Which svn repo and version of migrid should be used
#MIG_SVN_REPO=https://svn.code.sf.net/p/migrid/code/trunk
#MIG_SVN_REV=HEAD

# Which git repo and version of migrid should be used
MIG_GIT_REPO=https://github.com/ucphhpc/migrid-sync.git
# NOTE: use 'git edge' here for tried and tested python2 version
# NOTE: use 'git experimental' here for future python3 version
# NOTE: comment out to leave the branch decision to the Dockerfile default
#MIG_GIT_BRANCH=edge
#MIG_GIT_REV=97626ff1d7bbf37c96ee67c53b60bc1520cb7915
MIG_GIT_BRANCH=experimental
#MIG_GIT_REV=ffb53c32fb90f076817ac3a9c98a1a1f239f1e6e
#MIG_GIT_REV=HEAD
# NOTE: when leaving the branch commented above we need to set tag here
CONTAINER_TAG=:${MIG_GIT_BRANCH}
#CONTAINER_TAG=

# Toggle Python3 support in the containers.
# NOTE: on platforms where python2 is the default python this option in itself
#       will not switch it on. Use PREFER_PYTHON3 as well to do that.
# NOTE: comment out to leave the python3 inclusion to the Dockerfile default
WITH_PY3=True

# Toggle git support - effectively switches from SVN to GIT options above
WITH_GIT=True

# Which timezone should the service use
TZ=Europe/Copenhagen

# We already run an SMTP server on the host
SMTP_SERVER=localhost

# The URL of the of designated jupyter services
# The url is prefixed by the name of the service itself
JUPYTER_SERVICES="DAG.https://dag.erda.dk"

# The description associated with each jupyter service
# The key is the name of the service it describes
JUPYTER_SERVICES_DESC="{'DAG': '/home/mig/state/wwwpublic/dag_desc.html'}"