Chris Coutinho
1707b2e6e1
Add NEXTCLOUD_VERIFY_SSL and NEXTCLOUD_CA_BUNDLE env vars to configure TLS certificate verification for all outbound Nextcloud connections. Centralizes SSL config via a new HTTP client factory (http.py) used by all 27 Nextcloud-bound call sites, including API clients, OIDC endpoints, OAuth flows, and health checks. Closes #560 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
250 lines
8.5 KiB
Plaintext
250 lines
8.5 KiB
Plaintext
# ============================================
|
|
# DEPLOYMENT MODE SELECTION
|
|
# ============================================
|
|
# Optional: Explicitly declare deployment mode (ADR-021)
|
|
# If not set, mode is auto-detected from other settings
|
|
# Valid values: single_user_basic, multi_user_basic, oauth_single_audience,
|
|
# oauth_token_exchange, smithery
|
|
#
|
|
# Recommendation: Set this for clarity and to catch configuration errors early
|
|
#MCP_DEPLOYMENT_MODE=oauth_single_audience
|
|
|
|
# ============================================
|
|
# COMMON SETTINGS (Required for all modes)
|
|
# ============================================
|
|
# Your Nextcloud instance URL (without trailing slash)
|
|
NEXTCLOUD_HOST=
|
|
|
|
# ============================================
|
|
# SINGLE-USER BASICAUTH MODE
|
|
# ============================================
|
|
# Simplest deployment - one user, credentials in environment
|
|
# Use for: Personal instances, local development, testing
|
|
#
|
|
# Required:
|
|
NEXTCLOUD_USERNAME=
|
|
NEXTCLOUD_PASSWORD=
|
|
#
|
|
# Optional features (semantic search, document processing):
|
|
# See "Optional Features" section below
|
|
|
|
# ============================================
|
|
# MULTI-USER BASICAUTH MODE
|
|
# ============================================
|
|
# Users provide credentials in request headers (pass-through)
|
|
# Use for: Multi-user without OAuth, simple shared deployments
|
|
#
|
|
# Required:
|
|
#ENABLE_MULTI_USER_BASIC_AUTH=true
|
|
#
|
|
# Optional - Background Operations (for semantic search, future features):
|
|
# Enable background token storage using app passwords (via Astrolabe)
|
|
# Required for semantic search in multi-user mode
|
|
# Note: ENABLE_SEMANTIC_SEARCH automatically enables this in multi-user modes
|
|
#ENABLE_BACKGROUND_OPERATIONS=true
|
|
#NEXTCLOUD_OIDC_CLIENT_ID=
|
|
#NEXTCLOUD_OIDC_CLIENT_SECRET=
|
|
#TOKEN_ENCRYPTION_KEY=
|
|
#TOKEN_STORAGE_DB=/app/data/tokens.db
|
|
#
|
|
# Optional features (semantic search, document processing):
|
|
# See "Optional Features" section below
|
|
|
|
# ============================================
|
|
# OAUTH SINGLE-AUDIENCE MODE (Recommended)
|
|
# ============================================
|
|
# Multi-user OAuth with single-audience tokens
|
|
# Use for: Multi-user production deployments, enhanced security
|
|
# Tokens work for both MCP server and Nextcloud APIs (pass-through)
|
|
#
|
|
# Required: None (uses Dynamic Client Registration if credentials not provided)
|
|
#
|
|
# Optional - Pre-registered OAuth Client:
|
|
# If you pre-register the client instead of using DCR:
|
|
#NEXTCLOUD_OIDC_CLIENT_ID=
|
|
#NEXTCLOUD_OIDC_CLIENT_SECRET=
|
|
#
|
|
# Optional - Background Operations (for semantic search, future features):
|
|
# Enable refresh token storage for offline access
|
|
# Note: ENABLE_SEMANTIC_SEARCH automatically enables this in multi-user modes
|
|
#ENABLE_BACKGROUND_OPERATIONS=true
|
|
#TOKEN_ENCRYPTION_KEY=
|
|
#TOKEN_STORAGE_DB=/app/data/tokens.db
|
|
#
|
|
# Optional - Custom OIDC Discovery:
|
|
# Auto-detected from NEXTCLOUD_HOST if not set
|
|
#NEXTCLOUD_OIDC_DISCOVERY_URL=
|
|
#
|
|
# Optional - Custom Scopes:
|
|
# Default: openid profile email offline_access notes:* calendar:* contacts:* tables:* webdav:* deck:* cookbook:*
|
|
#NEXTCLOUD_OIDC_SCOPES=openid profile email notes:* calendar:*
|
|
#
|
|
# MCP Server URL (for OAuth redirects):
|
|
#NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
|
|
#
|
|
# Optional features (semantic search, document processing):
|
|
# See "Optional Features" section below
|
|
|
|
# ============================================
|
|
# OAUTH TOKEN EXCHANGE MODE (Advanced)
|
|
# ============================================
|
|
# Multi-user OAuth with RFC 8693 token exchange
|
|
# Use for: Advanced deployments requiring separate MCP and Nextcloud tokens
|
|
# MCP tokens are separate from Nextcloud tokens
|
|
#
|
|
# Required:
|
|
#ENABLE_TOKEN_EXCHANGE=true
|
|
#
|
|
# Optional - Pre-registered OAuth Client:
|
|
# If you pre-register the client instead of using DCR:
|
|
#NEXTCLOUD_OIDC_CLIENT_ID=
|
|
#NEXTCLOUD_OIDC_CLIENT_SECRET=
|
|
#
|
|
# Optional - Token Exchange Configuration:
|
|
# Cache TTL in seconds (default: 300 = 5 minutes)
|
|
#TOKEN_EXCHANGE_CACHE_TTL=300
|
|
#
|
|
# Optional - Background Operations:
|
|
# Note: ENABLE_SEMANTIC_SEARCH automatically enables this in multi-user modes
|
|
#ENABLE_BACKGROUND_OPERATIONS=true
|
|
#TOKEN_ENCRYPTION_KEY=
|
|
#TOKEN_STORAGE_DB=/app/data/tokens.db
|
|
#
|
|
# Optional - Custom OIDC Discovery:
|
|
#NEXTCLOUD_OIDC_DISCOVERY_URL=
|
|
#
|
|
# MCP Server URL (for OAuth redirects):
|
|
#NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
|
|
#
|
|
# Optional features (semantic search, document processing):
|
|
# See "Optional Features" section below
|
|
|
|
# ============================================
|
|
# SMITHERY STATELESS MODE
|
|
# ============================================
|
|
# Stateless multi-tenant deployment for Smithery platform
|
|
# Configuration comes from session URL parameters
|
|
# No persistent storage, no OAuth, no vector sync
|
|
#
|
|
# Required: None (all config from session URL)
|
|
# This mode is activated automatically when deployed to Smithery
|
|
|
|
# ============================================
|
|
# OPTIONAL FEATURES (All Deployment Modes)
|
|
# ============================================
|
|
|
|
# ===== SEMANTIC SEARCH =====
|
|
# AI-powered semantic search across Nextcloud content
|
|
# Requires: Qdrant vector database + embedding provider (Ollama, Bedrock, or Simple fallback)
|
|
#
|
|
# Enable semantic search:
|
|
#ENABLE_SEMANTIC_SEARCH=true
|
|
#
|
|
# Note for Multi-User Modes:
|
|
# ENABLE_SEMANTIC_SEARCH automatically enables background operations when needed
|
|
# No need to set ENABLE_BACKGROUND_OPERATIONS separately
|
|
# The server will automatically request refresh tokens and store them encrypted
|
|
#
|
|
# Vector Database - Choose ONE mode:
|
|
# 1. In-memory (default): Set neither QDRANT_URL nor QDRANT_LOCATION
|
|
# 2. Persistent local: Set QDRANT_LOCATION=/path/to/data
|
|
# 3. Network: Set QDRANT_URL=http://qdrant:6333
|
|
#
|
|
#QDRANT_URL=http://qdrant:6333
|
|
#QDRANT_LOCATION=:memory:
|
|
#QDRANT_API_KEY=
|
|
#QDRANT_COLLECTION=nextcloud_content
|
|
#
|
|
# Embedding Provider - Choose ONE:
|
|
# 1. Ollama (recommended for local deployment):
|
|
#OLLAMA_BASE_URL=http://ollama:11434
|
|
#OLLAMA_EMBEDDING_MODEL=nomic-embed-text
|
|
#OLLAMA_VERIFY_SSL=true
|
|
#
|
|
# 2. Amazon Bedrock (for AWS deployments):
|
|
#AWS_REGION=us-east-1
|
|
#BEDROCK_EMBEDDING_MODEL=amazon.titan-embed-text-v2:0
|
|
# Optional: AWS credentials (uses credential chain if not set)
|
|
#AWS_ACCESS_KEY_ID=
|
|
#AWS_SECRET_ACCESS_KEY=
|
|
#
|
|
# 3. Simple (automatic fallback, no configuration needed)
|
|
# Uses basic in-memory embeddings if no provider configured
|
|
#
|
|
# Document Chunking:
|
|
# Configure how documents are split before embedding
|
|
#DOCUMENT_CHUNK_SIZE=512
|
|
#DOCUMENT_CHUNK_OVERLAP=50
|
|
|
|
# ===== SEMANTIC SEARCH TUNING =====
|
|
# Advanced parameters for vector sync background operations
|
|
# Only modify if you understand the implications
|
|
#
|
|
# Document scan interval in seconds (default: 300 = 5 minutes)
|
|
#VECTOR_SYNC_SCAN_INTERVAL=300
|
|
#
|
|
# Concurrent indexing workers (default: 3)
|
|
#VECTOR_SYNC_PROCESSOR_WORKERS=3
|
|
#
|
|
# Max queued documents (default: 10000)
|
|
#VECTOR_SYNC_QUEUE_MAX_SIZE=10000
|
|
|
|
# ===== DOCUMENT PROCESSING =====
|
|
# Extract text from PDFs, images, DOCX, etc. for semantic search
|
|
# Disabled by default
|
|
#
|
|
#ENABLE_DOCUMENT_PROCESSING=false
|
|
#DOCUMENT_PROCESSOR=unstructured
|
|
#
|
|
# Unstructured.io Processor (recommended):
|
|
#ENABLE_UNSTRUCTURED=false
|
|
#UNSTRUCTURED_API_URL=http://unstructured:8000
|
|
#UNSTRUCTURED_TIMEOUT=120
|
|
#UNSTRUCTURED_STRATEGY=auto
|
|
#UNSTRUCTURED_LANGUAGES=eng,deu
|
|
#PROGRESS_INTERVAL=10
|
|
#
|
|
# Tesseract OCR (lightweight, images only):
|
|
#ENABLE_TESSERACT=false
|
|
#TESSERACT_CMD=/usr/bin/tesseract
|
|
#TESSERACT_LANG=eng
|
|
#
|
|
# Custom Processor (your own API):
|
|
#ENABLE_CUSTOM_PROCESSOR=false
|
|
#CUSTOM_PROCESSOR_NAME=my_ocr
|
|
#CUSTOM_PROCESSOR_URL=http://localhost:9000/process
|
|
#CUSTOM_PROCESSOR_API_KEY=
|
|
#CUSTOM_PROCESSOR_TIMEOUT=60
|
|
#CUSTOM_PROCESSOR_TYPES=application/pdf,image/jpeg,image/png
|
|
|
|
# ===== SSL/TLS =====
|
|
# For Nextcloud behind reverse proxies with self-signed or private CA certificates
|
|
#
|
|
# Disable TLS certificate verification (insecure, development only):
|
|
#NEXTCLOUD_VERIFY_SSL=false
|
|
#
|
|
# Use a custom CA bundle (path to PEM file):
|
|
#NEXTCLOUD_CA_BUNDLE=/etc/ssl/certs/my-ca.pem
|
|
#
|
|
# Docker example: mount the CA bundle as a volume
|
|
# docker run -v /path/to/ca.pem:/etc/ssl/certs/my-ca.pem:ro \
|
|
# -e NEXTCLOUD_CA_BUNDLE=/etc/ssl/certs/my-ca.pem ...
|
|
|
|
# ===== SECURITY & ADVANCED =====
|
|
# Cookie security (browser UI)
|
|
# Auto-detects from NEXTCLOUD_HOST protocol if not set
|
|
#COOKIE_SECURE=true
|
|
|
|
# ============================================
|
|
# DEPRECATED VARIABLES (Backward Compatibility)
|
|
# ============================================
|
|
# These variables still work but will be removed in v1.0.0
|
|
# Please migrate to new names:
|
|
#
|
|
# Old Name → New Name
|
|
# VECTOR_SYNC_ENABLED → ENABLE_SEMANTIC_SEARCH
|
|
# ENABLE_OFFLINE_ACCESS → ENABLE_BACKGROUND_OPERATIONS
|
|
#
|
|
# Migration is optional - both old and new names work
|
|
# Deprecation warnings will be logged when old names are used
|