-
Notifications
You must be signed in to change notification settings - Fork 47
Expand file tree
/
Copy pathenv.sample
More file actions
281 lines (266 loc) · 11.1 KB
/
Copy pathenv.sample
File metadata and controls
281 lines (266 loc) · 11.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
# ============================================
# DEPLOYMENT MODE SELECTION
# ============================================
# Optional: Explicitly declare deployment mode (ADR-021)
# If not set, mode is auto-detected from other settings
# Valid values: single_user_basic, multi_user_basic, login_flow
#
# Note: `login_flow` is the renamed successor of the former
# `oauth_single_audience` mode (see ADR-022). The un-augmented OAuth path
# required unmerged Nextcloud user_oidc patches and is no longer supported.
# Setting MCP_DEPLOYMENT_MODE=login_flow is sufficient — the Login Flow v2
# browser-based app-password layer is derived from the mode automatically
# (the previous ENABLE_LOGIN_FLOW=true env var has been removed).
#
# Recommendation: Set this for clarity and to catch configuration errors early
#MCP_DEPLOYMENT_MODE=login_flow
# ============================================
# COMMON SETTINGS (Required for all modes)
# ============================================
# Your Nextcloud instance URL (without trailing slash)
NEXTCLOUD_HOST=
# Fernet key for encrypting refresh tokens / app passwords / browser
# sessions in SQLite. Required by every docker-compose profile that runs
# the MCP server (single-user, multi-user-basic, keycloak, login-flow).
# Generate one with:
# python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
# NEVER commit a real key. Each environment (dev / staging / prod) needs
# its own key.
TOKEN_ENCRYPTION_KEY=
# ============================================
# SINGLE-USER BASICAUTH MODE
# ============================================
# Simplest deployment - one user, credentials in environment
# Use for: Personal instances, local development, testing
#
# Required:
NEXTCLOUD_USERNAME=
NEXTCLOUD_PASSWORD=
#
# Optional features (semantic search, document processing):
# See "Optional Features" section below
# ============================================
# MULTI-USER BASICAUTH MODE
# ============================================
# Users provide credentials in request headers (pass-through)
# Use for: Multi-user without OAuth, simple shared deployments
#
# Required (sets the deployment mode; the legacy ENABLE_MULTI_USER_BASIC_AUTH
# env var was removed in the ADR-022 follow-up):
#MCP_DEPLOYMENT_MODE=multi_user_basic
#
# Optional - Background Operations (for semantic search, future features):
# Enable background token storage using app passwords (via Astrolabe)
# Required for semantic search in multi-user mode
# Note: ENABLE_SEMANTIC_SEARCH automatically enables this in multi-user modes
#ENABLE_BACKGROUND_OPERATIONS=true
#NEXTCLOUD_OIDC_CLIENT_ID=
#NEXTCLOUD_OIDC_CLIENT_SECRET=
#TOKEN_ENCRYPTION_KEY=
#TOKEN_STORAGE_DB=/app/data/tokens.db
#
# Optional features (semantic search, document processing):
# See "Optional Features" section below
# ============================================
# OAUTH SINGLE-AUDIENCE MODE (Recommended)
# ============================================
# Multi-user OAuth with single-audience tokens
# Use for: Multi-user production deployments, enhanced security
# Tokens work for both MCP server and Nextcloud APIs (pass-through)
#
# Required: None (uses Dynamic Client Registration if credentials not provided)
#
# Optional - Pre-registered OAuth Client:
# If you pre-register the client instead of using DCR:
#NEXTCLOUD_OIDC_CLIENT_ID=
#NEXTCLOUD_OIDC_CLIENT_SECRET=
#
# Optional - Background Operations (for semantic search, future features):
# Enable refresh token storage for offline access
# Note: ENABLE_SEMANTIC_SEARCH automatically enables this in multi-user modes
#ENABLE_BACKGROUND_OPERATIONS=true
#TOKEN_ENCRYPTION_KEY=
#TOKEN_STORAGE_DB=/app/data/tokens.db
#
# Optional - Custom OIDC Discovery:
# Auto-detected from NEXTCLOUD_HOST if not set
#NEXTCLOUD_OIDC_DISCOVERY_URL=
#
# Optional - Custom Scopes:
# Default: openid profile email offline_access notes:* calendar:* contacts:* tables:* webdav:* deck:* cookbook:*
#NEXTCLOUD_OIDC_SCOPES=openid profile email notes:* calendar:*
#
# MCP Server URL (for OAuth redirects):
#NEXTCLOUD_MCP_SERVER_URL=http://localhost:8000
#
# Optional features (semantic search, document processing):
# See "Optional Features" section below
# ============================================
# OAUTH CLIENT ALLOWLISTS (OAuth modes)
# ============================================
# Both env vars are FAIL-CLOSED: if unset/empty, the corresponding auth route
# rejects every request. There are no built-in defaults.
#
# Note: ALLOWED_MCP_CLIENTS and ALLOWED_MGMT_CLIENT are currently separate to
# keep the MCP-route and management-API auth surfaces independent. They may be
# consolidated into a single env var later.
# ===== ALLOWED_MCP_CLIENTS =====
# Clients allowed to use the OAuth AS proxy (/oauth/authorize, /oauth/token).
# Comma-separated. Each entry is either:
# - "client_id" → loopback redirect URIs (http://localhost:*, http://127.0.0.1:*)
# - "client_id|https://app/cb" → bind to a specific HTTPS callback
# HTTP redirect URIs are rejected unless the host is loopback (localhost/127.0.0.1/::1).
#ALLOWED_MCP_CLIENTS=claude-desktop, zed-editor, cloud-app|https://cloud.example.com/cb
# ===== ALLOWED_MGMT_CLIENT =====
# OIDC client_ids whose tokens are accepted by the management API
# (/api/management/*). Comma-separated. The token's `client_id` claim must
# match one of these entries. Typical value: the Astrolabe NC PHP app's
# OAuth client_id (ADR-018).
#ALLOWED_MGMT_CLIENT=astrolabe
# ============================================
# OPTIONAL FEATURES (All Deployment Modes)
# ============================================
# ===== SEMANTIC SEARCH =====
# AI-powered semantic search across Nextcloud content
# Requires: Qdrant vector database + embedding provider (Ollama, Bedrock, or Simple fallback)
#
# Enable semantic search:
#ENABLE_SEMANTIC_SEARCH=true
#
# Search mode (ADR-030): hybrid (default, dense+sparse) or keyword (BM25 sparse
# only). Use keyword for fully airgapped deployments with NO embedding endpoint
# — you still get cross-app Qdrant full-text search, just no semantic recall.
# keyword still requires ENABLE_SEMANTIC_SEARCH=true (it uses the Qdrant index).
#SEARCH_MODE=hybrid
#
# Note for Multi-User Modes:
# ENABLE_SEMANTIC_SEARCH automatically enables background operations when needed
# No need to set ENABLE_BACKGROUND_OPERATIONS separately
# The server will automatically request refresh tokens and store them encrypted
#
# Vector Database - Choose ONE mode:
# 1. In-memory (default): Set neither QDRANT_URL nor QDRANT_LOCATION
# 2. Persistent local: Set QDRANT_LOCATION=/path/to/data
# 3. Network: Set QDRANT_URL=http://qdrant:6333
#
#QDRANT_URL=http://qdrant:6333
#QDRANT_LOCATION=:memory:
#QDRANT_API_KEY=
#QDRANT_COLLECTION=nextcloud_content
#
# Embedding Provider - Choose ONE:
# 1. Ollama (recommended for local deployment):
#OLLAMA_BASE_URL=http://ollama:11434
#OLLAMA_EMBEDDING_MODEL=nomic-embed-text
#OLLAMA_VERIFY_SSL=true
#
# 2. Amazon Bedrock (for AWS deployments):
#AWS_REGION=us-east-1
#BEDROCK_EMBEDDING_MODEL=amazon.titan-embed-text-v2:0
# Optional: AWS credentials (uses credential chain if not set)
#AWS_ACCESS_KEY_ID=
#AWS_SECRET_ACCESS_KEY=
#
# 3. Simple (automatic fallback, no configuration needed)
# Uses basic in-memory embeddings if no provider configured
#
# Document Chunking:
# Configure how documents are split before embedding (units are characters)
#DOCUMENT_CHUNK_SIZE=2048
#DOCUMENT_CHUNK_OVERLAP=200
# Page-aware chunking for PDFs: split on page boundaries first so no chunk spans
# a page (exact page numbers, clean snippets, ~1 chunk/page when chunk size >=
# the largest page). Set false to use the legacy char-based path. Default: true
#DOCUMENT_CHUNK_PAGE_AWARE=true
# ===== SEMANTIC SEARCH TUNING =====
# Advanced parameters for vector sync background operations
# Only modify if you understand the implications
#
# Document scan interval in seconds (default: 300 = 5 minutes)
#VECTOR_SYNC_SCAN_INTERVAL=300
#
# Concurrent indexing workers (default: 3)
#VECTOR_SYNC_PROCESSOR_WORKERS=3
#
# Max queued documents (default: 10000)
#VECTOR_SYNC_QUEUE_MAX_SIZE=10000
#
# Webhook receiver authentication (REQUIRED for webhook-driven sync).
# Security (GHSA-8vh3-g2qg-2h2c): the /webhooks/nextcloud receiver trusts the
# user id in the payload and feeds it to Qdrant, so it must be authenticated.
# When WEBHOOK_SECRET is unset the route is NOT mounted and vector sync falls
# back to the polling scanner. When set, the receiver requires
# `Authorization: Bearer <secret>` and webhook registration injects it.
# Generate one with: python -c "import secrets; print(secrets.token_urlsafe(32))"
#WEBHOOK_SECRET=
# ===== DOCUMENT PROCESSING =====
# Extract text from PDFs, images, DOCX, etc. for semantic search
# Disabled by default
#
#ENABLE_DOCUMENT_PROCESSING=false
#DOCUMENT_PROCESSOR=unstructured
#
# Unstructured.io Processor (recommended):
#ENABLE_UNSTRUCTURED=false
#UNSTRUCTURED_API_URL=http://unstructured:8000
#UNSTRUCTURED_TIMEOUT=120
#UNSTRUCTURED_STRATEGY=auto
#UNSTRUCTURED_LANGUAGES=eng,deu
#PROGRESS_INTERVAL=10
#
# Tesseract OCR (lightweight, images only):
#ENABLE_TESSERACT=false
#TESSERACT_CMD=/usr/bin/tesseract
#TESSERACT_LANG=eng
#
# Custom Processor (your own API):
#ENABLE_CUSTOM_PROCESSOR=false
#CUSTOM_PROCESSOR_NAME=my_ocr
#CUSTOM_PROCESSOR_URL=http://localhost:9000/process
#CUSTOM_PROCESSOR_API_KEY=
#CUSTOM_PROCESSOR_TIMEOUT=60
#CUSTOM_PROCESSOR_TYPES=application/pdf,image/jpeg,image/png
#
# Docling (docling-serve, strong OCR for photographed/scanned/handwritten text):
# - Images always route to docling when enabled (priority over unstructured).
# - Force docling on a text-layer PDF (tables / partial text) per call via the
# nc_webdav_read_file `force_processor="docling"` argument.
# - Route scanned/no-text-layer PDFs to docling automatically by additionally
# setting DOCUMENT_OCR_ENABLED=true and DOCUMENT_OCR_PROVIDER=docling.
# OCR language codes are engine-dependent (docling default EasyOCR uses en,de;
# a Tesseract-backed instance wants eng,deu).
#ENABLE_DOCLING=false
#DOCLING_API_URL=http://docling:5001
#DOCLING_TIMEOUT=120
#DOCLING_OCR_LANG=en,de
#DOCLING_DO_OCR=true
#DOCUMENT_OCR_ENABLED=false
#DOCUMENT_OCR_PROVIDER=docling
# ===== SSL/TLS =====
# For Nextcloud behind reverse proxies with self-signed or private CA certificates
#
# Disable TLS certificate verification (insecure, development only):
#NEXTCLOUD_VERIFY_SSL=false
#
# Use a custom CA bundle (path to PEM file):
#NEXTCLOUD_CA_BUNDLE=/etc/ssl/certs/my-ca.pem
#
# Docker example: mount the CA bundle as a volume
# docker run -v /path/to/ca.pem:/etc/ssl/certs/my-ca.pem:ro \
# -e NEXTCLOUD_CA_BUNDLE=/etc/ssl/certs/my-ca.pem ...
# ===== SECURITY & ADVANCED =====
# Cookie security (browser UI)
# Auto-detects from NEXTCLOUD_HOST protocol if not set
#COOKIE_SECURE=true
# ============================================
# DEPRECATED VARIABLES (Backward Compatibility)
# ============================================
# These variables still work but will be removed in v1.0.0
# Please migrate to new names:
#
# Old Name → New Name
# VECTOR_SYNC_ENABLED → ENABLE_SEMANTIC_SEARCH
# ENABLE_OFFLINE_ACCESS → ENABLE_BACKGROUND_OPERATIONS
#
# Migration is optional - both old and new names work
# Deprecation warnings will be logged when old names are used