-
Notifications
You must be signed in to change notification settings - Fork 0
/
cecd.cfg
455 lines (382 loc) · 19.7 KB
/
cecd.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
# ------ Docker Compose ------------------------------------------------------
## This configuration should generate docker-compose file for the following
## flavour
## Values: (first value is the default one)
## - all-in-one: all services in one docker-compose file
## - hypervisor: hypervisor and related service to access to their desktops
## - hypervisor-standalone: hypervisor without related services
## - video-standalone: services to access to desktops
## - storage: service to manage desktops disks
## - storage-base: base image for storage, just to improve CI/CD build
## - web: services to manage desktops
## - monitor: monitoring only host (grafana/loki/influxdb)
## - backupninja: standalone backups
FLAVOUR=all-in-one
# FLAVOUR=monitor
# FLAVOUR=webapp
## This configuration should generate docker-compose file for the following
## usage
## Values: (first value is the default one)
## - production: docker-compose file without build section
## ready to pull and up
## (see also: https://github.com/docker/compose/issues/7873)
## - build: like production with build section
## - test: like build with docker services to run tests
## - devel: like test and host source code are mounted into docker volumes
USAGE=production
# USAGE=devel
## Should stats service will be included
## Values: (first value is the default one)
## - true: add stats service
## - false: doesn't add stats sercice
ENABLE_STATS=true
# ------ Domain --------------------------------------------------------------
## This server main public domain/ip.
## NOTE: In infrastructure hypervisors should be the reacheable ip/dns from
## isard-engine
DOMAIN=localhost
# ------ Admin password ------------------------------------------------------
## Initial WEB admin user password. Used also in grafana, influxdb
## and authenticated backend paths (/debug/...)
WEBAPP_ADMIN_PWD=admin@cecd
# ------ Frontend Bookings ---------------------------------------------------
## Will show/hide Resource bookings menu.
FRONTEND_SHOW_BOOKINGS=False
# ------ Frontend Temporal ---------------------------------------------------
## Will show/hide temporal desktops tab.
FRONTEND_SHOW_TEMPORAL=False
# ------ Frontend Documentation URI ------------------------------------------
## Documentation URI where the user will be redirected.
FRONTEND_DOCS_URI=http://www.cecdcloud.cn/
#license web iste : https://cryptolens.io/
# cryptolens: https://github.com/Cryptolens/cryptolens-python
# ------ Frontend Direct Viewer cookie ---------------------------------------
## Where will the direct viewer cookie be retrieved from.
## Values: (first value is the default one)
## - browser
## - url
# DIRECTVIEWER_MODE=browser
DIRECTVIEWER_MODE=url
# ------ Secrets -------------------------------------------------------------
## Generate your own SECRETS!
## openssl rand -base64 32
WEBAPP_SESSION_SECRET=xq0Z3MP5ujxrQxtMGxgPiijH9xpuxkyP04R6At/V+g4=
API_ISARDVDI_SECRET=kpWpdF0NtI2XCEfzMp36hdSV9S42E7axS8D5TvP9c0A=
INFLUXDB_ADMIN_TOKEN_SECRET=9eFW/Qi29hL3hFGUP8wIGH89XKCH8s1k0il44GCRF2g=
API_HYPERVISORS_SECRET=B5/bUEUzIC+AjNQRmFh3vxR3VeIKirwdeL/xuHPVO+E=
# ------ Letsencrypt certificate ---------------------------------------------
## You can use your own certificates if you concatenate into
## /opt/isard/certs/default/chain.pem
## You can let isard generate autosigned certs (not recommended as
## html5 viewers will not work.
## Or you can let isard generate letsencrypt certs for your domain.
## For this option to work be sure the DOMAIN points to this IP.
## To avoid using letsencrypt let this variable commented.
## The email will be used by letsencrypt to notify you expirations
## although the renovation will be automatic.
#LETSENCRYPT_EMAIL=
# ------ Authentication ------------------------------------------------------
# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
#AUTHENTICATION_AUTHENTICATION_TOKEN_DURATION=4h
## Local
### Local authentication against isard database
#AUTHENTICATION_AUTHENTICATION_LOCAL_ENABLED=true
## LDAP
#AUTHENTICATION_AUTHENTICATION_LDAP_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_LDAP_PROTOCOL=ldap
#AUTHENTICATION_AUTHENTICATION_LDAP_HOST=
#AUTHENTICATION_AUTHENTICATION_LDAP_PORT=389
### Credentials used for querying the LDAP
#AUTHENTICATION_AUTHENTICATION_LDAP_BIND_DN=
#AUTHENTICATION_AUTHENTICATION_LDAP_PASSWORD=
### Base Search is the DN that all the users share, e.g. ou=people,dc=example,dc=com
#AUTHENTICATION_AUTHENTICATION_LDAP_BASE_SEARCH=
### Filter is the actual filter used to search users. The '%s' represents the user that is sent through the form
### More information: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
#AUTHENTICATION_AUTHENTICATION_LDAP_FILTER="(&(objectClass=person)(uid=%s))"
### These are the fields that the LDAP search responds. For example, in some installations, the field for the email is called 'mail'
### Then, a regex is applied to this field, in case we needed to filter inside a LDAP field. By default it collects the whole field. The
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_UID=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_UID=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_USERNAME=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_USERNAME=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_NAME=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_NAME=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_EMAIL=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_EMAIL=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_PHOTO=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_PHOTO=.*
### Auto Register the existing ldap users into CECD
#AUTHENTICATION_AUTHENTICATION_LDAP_AUTO_REGISTER=false
### Try guessing the category based in the LDAP search results (must have AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_CATEGORY configured)
#AUTHENTICATION_AUTHENTICATION_LDAP_GUESS_CATEGORY=false
### These are the fields that the LDAP search responds. For example, in some installations, the field for the group is called 'group'
### Then, a regex is applied to this field, in case we needed to filter inside a LDAP field. By default it collects the whole field. The
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_CATEGORY=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_CATEGORY=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_GROUP=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_GROUP=.*
### The base search for listing all the groups of a user
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH=
### Filter is the actual filter used to search all the groups of a user. The '%s' represents the user that is sent through the form
### More information: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_FILTER="(&(objectClass=posixGroup)(memberUid=%s))"
# If this field is set to true, use the full DN instead of the user that is sent through the form to search for the user groups
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH_USE_DN=false
### The field that contains the group in the AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_FILTER search
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH_FIELD=
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH_REGEX=.*
### All the users that are in at least one of the groups specified here, will be created in the admin role (comma separated)
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_ADMIN_GROUPS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_MANAGER_GROUPS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_ADVANCED_GROUPS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_USER_GROUPS=
# This is the default role that users will have if they don't match in any of the previous groups.
# Values can be 'admin', 'manager', 'advanced', 'user'
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_DEFAULT=user
## SAML
#AUTHENTICATION_AUTHENTICATION_SAML_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_SAML_METADATA_URL=
## If the key and cert files don't exist, they will be self signed automatically
#AUTHENTICATION_AUTHENTICATION_SAML_KEY_FILE=/keys/isardvdi.key
#AUTHENTICATION_AUTHENTICATION_SAML_CERT_FILE=/keys/isardvdi.cert
### These are the fields that the SAML search responds. For example, in some installations, the field for the email is called 'mail'
### Then, a regex is applied to this field, in case we needed to filter inside a SAML field. By default it collects the whole field. The
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_UID=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_UID=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_USERNAME=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_USERNAME=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_NAME=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_NAME=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_EMAIL=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_EMAIL=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_PHOTO=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_PHOTO=.*
## Google
### Create your Google OAUTH credentials at https://console.developers.google.com/apis/credentials
### Authorized redirect URIs: https://domain.tld/authentication/callback
#AUTHENTICATION_AUTHENTICATION_GOOGLE_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_GOOGLE_CLIENT_ID=id
#AUTHENTICATION_AUTHENTICATION_GOOGLE_CLIENT_SECRET=secret
# ------ Backups -------------------------------------------------------------
## Automated backups (https://0xacab.org/liberate/backupninja)
# If BACKUP_NFS_ENABLED is not enabled it will use this directory to create backups
# If BACKUP_NFS_ENABLED is enabled then this variable should be commented
#BACKUP_DIR=/opt/isard-local/backup
# If nfs enabled you need to set server and folder also
#BACKUP_NFS_ENABLED=false
#BACKUP_NFS_SERVER=172.16.0.10
#BACKUP_NFS_FOLDER=/remote/backupfolder
#BACKUP_DB_ENABLED=false
#BACKUP_DB_WHEN="everyday at 01"
#BACKUP_DB_PRUNE="--keep-weekly=8 --keep-monthly=12 --keep-within=14d --save-space"
#BACKUP_DISKS_ENABLED=false
#BACKUP_DISKS_WHEN="everyday at 01"
#BACKUP_DISKS_PRUNE="--keep-weekly=4 --keep-monthly=3 --keep-within=7d --save-space"
#BACKUP_DISKS_TEMPLATES_ENABLED=false
#BACKUP_DISKS_GROUPS_ENABLED=false
#BACKUP_DISKS_MEDIA_ENABLED=false
##################################################################
##################################################################
## DO NOT EDIT FROM HERE UNLESS YOU KNOW WHAT YOU ARE DOING !!! ##
##################################################################
##################################################################
# ------ Docker images prefix ------------------------------------------------
## Image prefix that could include registry and repository
# DOCKER_IMAGE_PREFIX=registry.gitlab.com/isard/isardvdi/
DOCKER_IMAGE_PREFIX=cecd/
# ------ Docker images tags --------------------------------------------------
## Image tag that could be tags or branches from the git repository
## Used for doing docker-compose pull
DOCKER_IMAGE_TAG=main
# ------ Logs ----------------------------------------------------------------
LOG_LEVEL=INFO
# ------ QCOW2 images --------------------------------------------------------
## Cluster size used when creating qcow2 disk images
#QCOW2_CLUSTER_SIZE=4k
## Enable use of extended l2 entries when creating qcow2 disk images
## Options: on / off
#QCOW2_EXTENDED_L2=off
# ------ GPUS --------------------------------------------------------------
## ----- NVIDIA
## New hypervisor: Engine will try to scan new hyper for NVIDIA GPUs and
## will also setup them.
#GPU_NVIDIA_SCAN=false
## Enabled existing hyper: Existing hyper will be scanned for NVIDIA GPUs
## when enabled (from disabled) at web interface.
#GPU_NVIDIA_RESCAN=false
## Only start desktops with GPU reservables (avoid )
#GPU_ONLY=false
##################################################################
## INFRASTRUCTURE PARAMETERS. Used on remote hypervisors ##
##################################################################
## Remote hypervisors can be:
## docker-compose.hypervisor.yml: Will have an isard-video
## docker-compose.hypervisor-standalone.yml: Will get video on
## the VIDEO_HYPERVISOR_PORTS from the VIDEO_DOMAIN isard-video host.
# ------ Hypervisor Identifier -----------------------------------------------
## Set it to a unique name for hypervisor
#HYPER_ID=isard-hypervisor
## Hypervisor can be disabled when entering system with false value
#HYPER_ENABLED=true
## Hypervisor with hypervisor capabilities
#CAPABILITIES_HYPER=true
## Disk capabilities
#CAPABILITIES_DISK=true
## Comma-separated storage pool ids that can be used
#CAPABILITIES_STORAGE_POOLS=00000000-0000-0000-0000-000000000000
# ------ Hypervisor options ---------------------------------------------------
## ONLY_FORCED_HYP enables only_forced option to only get domains with
## forced_hyp. Values:
## - false (default): get any domain
## - true: only get domains with forced_hyp
#ONLY_FORCED_HYP=false
# Memory free at hypervisor
## How much memory (in GB) has to be kept free while starting desktops.
## Engine will fail starting desktops till it has enough free memory against
## Máximum memory for starting guests = Hypervisor memory - HYPER_FREEMEM
#HYPER_FREEMEM=0
# Buffering hypervisor
## If this is set to true, the hypervisor will be used as a "buffer" when
## the orchestrator needs to scale up
#BUFFERING_HYPER=false
# ------ Database host -------------------------------------------------------
## Where is the database reacheable?
## Not needed for remote hypervisors, only to split main web install.
#RETHINKDB_HOST=isard-db
#RETHINKDB_PORT=28015
#RETHINKDB_DB=isard
# ------ Authentication host -------------------------------------------------
# Authentication host
## Where is isard-authentication reacheable from clients browser?
## Not needed for remote hypervisors, only to split main web install.
#AUTHENTICATION_AUTHENTICATION_HOST=$DOMAIN
#AUTHENTICATION_DB_HOST=isard-db
# ------ Api host ------------------------------------------------------------
## Where can this host reach the isard-api host?
## Need to be set for flavours:
## - hypervisor
## - hypervisor-standalone
#API_DOMAIN=isard-api
# ------ Static nginx host ----------------------------------------------------
## Where the clients browsers will load static when connecting to this host
## html5 video?
## Need to be set for flavours:
## - hypervisor
## - hypervisor-standalone
#STATIC_DOMAIN=$DOMAIN
# ------ Vpn host ------------------------------------------------------------
## Where can this host reach the isard-vpn host?
## Need to be set for flavours:
## - hypervisor
## - hypervisor-standalone
#VPN_DOMAIN=isard-vpn
## The vpn mtu will allow for infrastructure connection (allow it in your
## switches)
## If using Internet to connect remote hypers this should be lowered.
## https://keremerkan.net/posts/wireguard-mtu-fixes/
## https://mail.openvswitch.org/pipermail/ovs-discuss/2018-June/046932.html
#VPN_MTU=1600
# ------ Storage host --------------------------------------------------------
## Where can api host reach this isard-storage host?
## Need to be set for flavours:
## - storage
## - hypervisor
## - hypervisor-standalone
#STORAGE_DOMAIN=isard-storage
# ------ Video proxy host ----------------------------------------------------
## Where will the client browser reach isard-video to this host?
## Need to be set for flavours:
## - video-standalone (to generate letsencrypt certs)
## - hypervisor (to generate letsencrypt certs and set up hyper in db)
## - hypervisor-standalone ( to set up hyper in db)
#VIDEO_DOMAIN=$DOMAIN
# ------ Video external NAT ports --------------------------------------------
## Where the users browsers will connect to get the video stream for
## their guests started in this hypervisor? (outside NAT ports)
#VIEWER_SPICE=80
#VIEWER_BROWSER=443
#VIEWER_RDPGW=9999
# ------ Video proxy ACL -----------------------------------------------------
## Is this host hosting the isard-video for other hypervisor-standalone
## servers? Then allow here only the hostnames for those hypervisors as
## seen from this host with comma (,) delimiters:
#VIDEO_HYPERVISOR_HOSTNAMES=isard-hypervisor
#VIDEO_HYPERVISOR_PORTS=5900-6899
# ------ Docker networking ---------------------------------------------------
## Assign a docker /24 network. The host part will be set by system
## You should avoid setting a network that exists in your infrastructure
## or in isard configuration. Set only the /24 part!
#DOCKER_NET=172.31.255
# ------ Guests networking ---------------------------------------------------
## All the sub networks needed for infrastructure wireguard will
## fall within this sub networks
WG_MAIN_NET=10.0.0.0/14
## Users at home will get a unique /32 IP from this range.
## Set a network that will allow as many clients as you will have.
WG_USERS_NET=10.0.0.0/16
## UDP port for users at home to connect wireguard to this server.
WG_USERS_PORT=443
## Only in infrastructure this will be used by remote hypers to
## send wireguard guests network to the main Isard.
WG_HYPERS_NET=10.1.0.0/24
## UDP port for remote hypervisors to connect to this server.
WG_HYPERS_PORT=4443
## This is the main range to be used by wireguard interface in
## guests in your system. Will be subdivided in smaller ranges
## for each hypervisor.
WG_GUESTS_NETS=10.2.0.0/16
## 23: 512 GUESTS -2
## 24: 256 GUESTS -2
## Each hypervisor will get one subnet from WG_GUESTS_NETS
## Last network will be subdivided /29 to connect wireguard hyper
## clients (isard-vpnc) to the wireguard server (isard-vpn)
WG_GUESTS_DHCP_MASK=23
## This sets a reserved dhcp range if you want.
WG_GUESTS_RESERVED_HOSTS=20
# ------ Trunk port & vlans --------------------------------------------------
## Uncomment to map host interface name inside hypervisor container.
## If static vlans are commented then hypervisor will initiate an
## auto-discovery process. The discovery process will last for 260
## seconds and this will delay the hypervisor from being available.
## So it is recommended to set also the static vlans.
## Note: It will create VlanXXX automatically on webapp. You need to
## assign who is allowed to use this VlanXXX interfaces.
#HYPERVISOR_HOST_TRUNK_INTERFACE=
## This environment variable depends on previous one. When setting
## vlans number comma separated it will disable auto-discovery and
## fix this as forced vlans inside hypervisor.
#HYPERVISOR_STATIC_VLANS=
## NOTE: The interface name should not be changed from defaults.
## Newer kernels use cgroups2 that doens't work. To get the
## old cgroups add to /etc/default/grub:
## GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"
## and update-grub, and reboot.
# ------ Override hosts in isard-portal haproxy ------------------------------
#WEBAPP_HOST=isard-webapp
##################################################################
## STATS PARAMETERS ##
##################################################################
# ------ Grafana ------------------------------------------------------
#GRAFANA_HOST=isard-grafana
# This variable is used for provisioning alerts in Grafana
#GRAFANA_TELEGRAM_TOKEN=
# This variable is used for provisioning alerts in Grafana
#GRAFANA_TELEGRAM_CHAT_ID=
# ------ Prometheus -----------------------------------------------------
#PROMETHEUS_ADDRESS=http://isard-prometheus:9090
#PROMETHEUS_RETENTION_TIME=40d
# ------ Stats -----------------------------------------------------
#STATS_DIRECTORY=/opt/isard/stats
# ------ Loki -----------------------------------------------------
#LOKI_ADDRESS=http://isard-loki:3100
# ------ OCI Collector -----------------------------------------------------
#STATS_COLLECTORS_OCI_ENABLE=false
#TF_VAR_tenancy_ocid=
#TF_VAR_user_ocid=
#TF_VAR_fingerprint=
#TF_VAR_region=
#TF_VAR_private_key=