Skip to main content
Version: rolling

Global Environment Variables

Environment variables with global scope available in multiple services

NameIntroduction VersionTypeDescriptionDefault Value
IDM_CREATE_DEMO_USERS1.0.0boolThe default role assignments the demo users should be setup."false"
OC_ADMIN_USER_ID1.0.0stringID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.""
OC_ASYNC_UPLOADS1.0.0boolEnable asynchronous file uploads."true"
OC_CACHE_AUTH_PASSWORD1.0.0stringThe password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.""
OC_CACHE_AUTH_USERNAME1.0.0stringThe username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.""
OC_CACHE_DATABASE1.0.0stringThe database name the configured store should use."settings-cache"
OC_CACHE_DISABLE_PERSISTENCE1.0.0boolDisables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false."false"
OC_CACHE_ENABLE_TLSnextboolEnable TLS for the connection to file metadata cache."false"
OC_CACHE_STORE1.0.0stringThe type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details."memory"
OC_CACHE_STORE_NODES1.0.0[]stringA list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."[127.0.0.1:9233]"
OC_CACHE_TLS_INSECUREnextboolWhether to verify the server TLS certificates."false"
OC_CACHE_TLS_ROOT_CA_CERTIFICATEnextstringThe root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false.""
OC_CACHE_TTL1.0.0DurationDefault time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details."10m0s"
OC_CORS_ALLOW_CREDENTIALS1.0.0boolAllow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials."true"
OC_CORS_ALLOW_HEADERS1.0.0[]stringA list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details."[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]"
OC_CORS_ALLOW_METHODS1.0.0[]stringA list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details."[GET]"
OC_CORS_ALLOW_ORIGINS1.0.0[]stringA list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details."[*]"
OC_DECOMPOSEDFS_PROPAGATOR1.0.0stringThe propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option."sync"
OC_DEFAULT_LANGUAGE1.0.0stringThe default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details."en"
OC_DISABLE_VERSIONING1.0.0boolDisables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version."false"
OC_ENABLE_OCM1.0.0boolChanging this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed."false"
OC_EVENTS_AUTH_PASSWORD1.0.0stringThe password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.""
OC_EVENTS_AUTH_USERNAME1.0.0stringThe username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.""
OC_EVENTS_CLUSTER1.0.0stringThe clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system."opencloud-cluster"
OC_EVENTS_ENABLE_TLS1.0.0boolEnable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services."false"
OC_EVENTS_ENDPOINT1.0.0stringThe address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture."127.0.0.1:9233"
OC_EVENTS_TLS_INSECURE1.0.0boolWhether to verify the server TLS certificates."false"
OC_EVENTS_TLS_ROOT_CA_CERTIFICATE1.0.0stringThe root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.""
OC_GATEWAY_GRPC_ADDR1.0.0stringThe bind address of the GRPC service."127.0.0.1:9142"
OC_GRPC_CLIENT_TLS_CACERT1.0.0stringPath/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.""
OC_GRPC_CLIENT_TLS_MODE1.0.0stringTLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.""
OC_GRPC_PROTOCOL1.0.0stringThe transport protocol of the GPRC service."tcp"
OC_HTTP_TLS_CERTIFICATE1.0.0stringPath/File name of the TLS server certificate (in PEM format) for the http services.""
OC_HTTP_TLS_ENABLED1.0.0boolActivates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true."false"
OC_HTTP_TLS_KEY1.0.0stringPath/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.""
OC_INSECURE1.0.0boolWhether to verify the server TLS certificates."false"
OC_JWT_SECRET1.0.0stringThe secret to mint and validate jwt tokens.""
OC_KEYCLOAK_BASE_PATH1.0.0stringThe URL to access keycloak.""
OC_KEYCLOAK_CLIENT_ID1.0.0stringThe client ID to authenticate with keycloak.""
OC_KEYCLOAK_CLIENT_REALM1.0.0stringThe realm the client is defined in.""
OC_KEYCLOAK_CLIENT_SECRET1.0.0stringThe client secret to use in authentication.""
OC_KEYCLOAK_INSECURE_SKIP_VERIFY1.0.0boolDisable TLS certificate validation for Keycloak connections. Do not set this in production environments."false"
OC_KEYCLOAK_USER_REALM1.0.0stringThe realm users are defined.""
OC_LDAP_BIND_DN1.0.0stringLDAP DN to use for simple bind authentication with the target LDAP server."uid=reva,ou=sysusers,o=libregraph-idm"
OC_LDAP_BIND_PASSWORD1.0.0stringPassword to use for authenticating the 'bind_dn'.""
OC_LDAP_CACERT1.0.0stringPath/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.""
OC_LDAP_DISABLED_USERS_GROUP_DN1.0.0stringThe distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'."cn=DisabledUsersGroup,ou=groups,o=libregraph-idm"
OC_LDAP_DISABLE_USER_MECHANISM1.0.0stringAn option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed."attribute"
OC_LDAP_GROUP_BASE_DN1.0.0stringSearch base DN for looking up LDAP groups."ou=groups,o=libregraph-idm"
OC_LDAP_GROUP_FILTER1.0.0stringLDAP filter to add to the default filters for group searches.""
OC_LDAP_GROUP_OBJECTCLASS1.0.0stringThe object class to use for groups in the default group search filter ('groupOfNames')."groupOfNames"
OC_LDAP_GROUP_SCHEMA_DISPLAYNAME1.0.0stringLDAP Attribute to use for the displayname of groups (often the same as groupname attribute)."cn"
OC_LDAP_GROUP_SCHEMA_GROUPNAME1.0.0stringLDAP Attribute to use for the name of groups."cn"
OC_LDAP_GROUP_SCHEMA_ID1.0.0stringLDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID."openCloudUUID"
OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING1.0.0boolSet this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's."false"
OC_LDAP_GROUP_SCHEMA_MAIL1.0.0stringLDAP Attribute to use for the email address of groups (can be empty)."mail"
OC_LDAP_GROUP_SCHEMA_MEMBER1.0.0stringLDAP Attribute that is used for group members."member"
OC_LDAP_GROUP_SCOPE1.0.0stringLDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'."sub"
OC_LDAP_INSECURE1.0.0boolDisable TLS certificate validation for the LDAP connections. Do not set this in production environments."false"
OC_LDAP_SERVER_WRITE_ENABLED1.0.0boolAllow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables)."true"
OC_LDAP_URI1.0.0stringURI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'"ldap://localhost:9236"
OC_LDAP_USER_BASE_DN1.0.0stringSearch base DN for looking up LDAP users."ou=users,o=libregraph-idm"
OC_LDAP_USER_ENABLED_ATTRIBUTE1.0.0stringLDAP attribute to use as a flag telling if the user is enabled or disabled."openclouduserenabled"
OC_LDAP_USER_FILTER1.0.0stringLDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.""
OC_LDAP_USER_OBJECTCLASS1.0.0stringThe object class to use for users in the default user search filter ('inetOrgPerson')."inetOrgPerson"
OC_LDAP_USER_SCHEMA_DISPLAYNAME1.0.0stringLDAP Attribute to use for the displayname of users."displayname"
OC_LDAP_USER_SCHEMA_ID1.0.0stringLDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID."openCloudUUID"
OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING1.0.0boolSet this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's."false"
OC_LDAP_USER_SCHEMA_MAIL1.0.0stringLDAP Attribute to use for the email address of users."mail"
OC_LDAP_USER_SCHEMA_TENANT_ID4.0.0stringLDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.""
OC_LDAP_USER_SCHEMA_USERNAME1.0.0stringLDAP Attribute to use for username of users."uid"
OC_LDAP_USER_SCHEMA_USER_TYPE1.0.0stringLDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'."openCloudUserType"
OC_LDAP_USER_SCOPE1.0.0stringLDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'."sub"
OC_LOG_LEVEL1.0.0stringThe log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'."error"
OC_MACHINE_AUTH_API_KEYnextstringThe machine auth API key used to validate internal requests necessary to access resources from other services.""
OC_MAX_CONCURRENCY1.0.0intMaximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used."1"
OC_OIDC_CLIENT_ID1.0.0stringThe OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP."web"
OC_OIDC_CLIENT_SCOPES6.0.0[]stringThe OIDC client scopes the Android app should request."[openid profile email offline_access]"
OC_OIDC_ISSUER1.0.0stringThe identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider."https://localhost:9200"
OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST1.0.0stringPath to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.""
OC_PASSWORD_POLICY_DISABLED1.0.0boolDisable the password policy. Defaults to false if not set."false"
OC_PASSWORD_POLICY_MIN_CHARACTERS1.0.0intDefine the minimum password length. Defaults to 8 if not set."8"
OC_PASSWORD_POLICY_MIN_DIGITS1.0.0intDefine the minimum number of digits. Defaults to 1 if not set."1"
OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS1.0.0intDefine the minimum number of uppercase letters. Defaults to 1 if not set."1"
OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS1.0.0intDefine the minimum number of characters from the special characters list to be present. Defaults to 1 if not set."1"
OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS1.0.0intDefine the minimum number of lowercase letters. Defaults to 1 if not set."1"
OC_PERSISTENT_STORE1.0.0stringThe type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details."nats-js-kv"
OC_PERSISTENT_STORE_AUTH_PASSWORD1.0.0stringThe password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.""
OC_PERSISTENT_STORE_AUTH_USERNAME1.0.0stringThe username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.""
OC_PERSISTENT_STORE_ENABLE_TLSnextboolEnable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured."false"
OC_PERSISTENT_STORE_NODES1.0.0[]stringA list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details."[127.0.0.1:9233]"
OC_PERSISTENT_STORE_TLS_INSECUREnextboolWhether to verify the server TLS certificates."false"
OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATEnextstringThe root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false.""
OC_PERSISTENT_STORE_TTL1.0.0DurationTime to live for events in the store. See the Environment Variable Types description for more details."0s"
OC_REVA_GATEWAY1.0.0stringCS3 gateway used to look up user metadata"eu.opencloud.api.gateway"
OC_SERVICE_ACCOUNT_ID1.0.0stringThe ID of the service account the service should use. See the 'auth-service' service description for more details.""
OC_SERVICE_ACCOUNT_SECRET1.0.0stringThe service account secret.""
OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD1.0.0boolSet this to true if you want to enforce passwords on all public shares."true"
OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD1.0.0boolSet this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service."false"
OC_SHOW_USER_EMAIL_IN_RESULTS1.0.0boolInclude user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses."false"
OC_SPACES_MAX_QUOTA1.0.0uint64Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service."0"
OC_SYSTEM_USER_API_KEY1.0.0stringAPI key for the STORAGE-SYSTEM system user.""
OC_SYSTEM_USER_ID1.0.0stringID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.""
OC_SYSTEM_USER_IDP1.0.0stringIDP of the OpenCloud STORAGE-SYSTEM system user."internal"
OC_TRANSFER_SECRET1.0.0stringThe storage transfer secret.""
OC_TRANSLATION_PATH1.0.0string(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.""
OC_URL1.0.0stringBase url to navigate back from the app to the containing folder in the file list."https://localhost:9200/"
OC_WOPI_DISABLE_CHAT1.0.0boolDisable the chat functionality of the office app."false"
SEARCH_EVENTS_ACK_WAIT4.0.0DurationThe time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes."1m0s"
SEARCH_EVENTS_MAX_ACK_PENDING4.0.0intThe maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time."1000"
STORAGE_GATEWAY_GRPC_ADDR1.0.0stringGRPC address of the STORAGE-SYSTEM service."eu.opencloud.api.storage-system"
STORAGE_GRPC_ADDR1.0.0stringGRPC address of the STORAGE-SYSTEM service."eu.opencloud.api.storage-system"
STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY1.0.0DurationThe delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details."0s"
STORAGE_USERS_PERMISSION_ENDPOINT1.0.0stringEndpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'."eu.opencloud.api.settings"
WEB_OIDC_CLIENT_ID1.0.0stringThe OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP."web"
WEB_OIDC_SCOPE1.0.0stringOIDC scopes to request during authentication to authorize access to user details. Defaults to 'openid profile email'. Values are separated by blank. More example values but not limited to are 'address' or 'phone' etc."openid profile email"