cecd.cfg

# ------ Docker Compose ------------------------------------------------------

## This configuration should generate docker-compose file for the following
## flavour
## Values: (first value is the default one)
##  - all-in-one: all services in one docker-compose file
##  - hypervisor: hypervisor and related service to access to their desktops
##  - hypervisor-standalone: hypervisor without related services
##  - video-standalone: services to access to desktops
##  - storage: service to manage desktops disks
##  - storage-base: base image for storage, just to improve CI/CD build
##  - web: services to manage desktops
##  - monitor: monitoring only host (grafana/loki/influxdb)
##  - backupninja: standalone backups
FLAVOUR=all-in-one
# FLAVOUR=monitor
# FLAVOUR=webapp


## This configuration should generate docker-compose file for the following
## usage
## Values: (first value is the default one)
##  - production: docker-compose file without build section
##      ready to pull and up
##      (see also: https://github.com/docker/compose/issues/7873)
##  - build: like production with build section
##  - test: like build with docker services to run tests
##  - devel: like test and host source code are mounted into docker volumes
USAGE=production
# USAGE=devel

## Should stats service will be included
## Values: (first value is the default one)
##  - true: add stats service
##  - false: doesn't add stats sercice
ENABLE_STATS=true

# ------ Domain --------------------------------------------------------------
## This server main public domain/ip.
## NOTE: In infrastructure hypervisors should be the reacheable ip/dns from 
##       isard-engine
DOMAIN=localhost

# ------ Admin password ------------------------------------------------------
## Initial WEB admin user password. Used also in grafana, influxdb
## and authenticated backend paths (/debug/...)
WEBAPP_ADMIN_PWD=admin@cecd

# ------ Frontend Bookings ---------------------------------------------------
## Will show/hide Resource bookings menu.
FRONTEND_SHOW_BOOKINGS=False

# ------ Frontend Temporal ---------------------------------------------------
## Will show/hide temporal desktops tab.
FRONTEND_SHOW_TEMPORAL=False

# ------ Frontend Documentation URI ------------------------------------------
## Documentation URI where the user will be redirected.
FRONTEND_DOCS_URI=http://www.cecdcloud.cn/

#license web iste : https://cryptolens.io/
# cryptolens: https://github.com/Cryptolens/cryptolens-python
# ------ Frontend Direct Viewer cookie ---------------------------------------
## Where will the direct viewer cookie be retrieved from.
## Values: (first value is the default one)
## - browser
## - url
# DIRECTVIEWER_MODE=browser
DIRECTVIEWER_MODE=url

# ------ Secrets -------------------------------------------------------------
## Generate your own SECRETS!
## openssl rand -base64 32
WEBAPP_SESSION_SECRET=xq0Z3MP5ujxrQxtMGxgPiijH9xpuxkyP04R6At/V+g4=
API_ISARDVDI_SECRET=kpWpdF0NtI2XCEfzMp36hdSV9S42E7axS8D5TvP9c0A=
INFLUXDB_ADMIN_TOKEN_SECRET=9eFW/Qi29hL3hFGUP8wIGH89XKCH8s1k0il44GCRF2g=
API_HYPERVISORS_SECRET=B5/bUEUzIC+AjNQRmFh3vxR3VeIKirwdeL/xuHPVO+E=

# ------ Letsencrypt certificate ---------------------------------------------
## You can use your own certificates if you concatenate into 
## /opt/isard/certs/default/chain.pem
## You can let isard generate autosigned certs (not recommended as
## html5 viewers will not work.
## Or you can let isard generate letsencrypt certs for your domain.
## For this option to work be sure the DOMAIN points to this IP.
## To avoid using letsencrypt let this variable commented.
## The email will be used by letsencrypt to notify you expirations
## although the renovation will be automatic.
#LETSENCRYPT_EMAIL=

# ------ Authentication ------------------------------------------------------

# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
#AUTHENTICATION_AUTHENTICATION_TOKEN_DURATION=4h

## Local
### Local authentication against isard database
#AUTHENTICATION_AUTHENTICATION_LOCAL_ENABLED=true

## LDAP
#AUTHENTICATION_AUTHENTICATION_LDAP_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_LDAP_PROTOCOL=ldap
#AUTHENTICATION_AUTHENTICATION_LDAP_HOST=
#AUTHENTICATION_AUTHENTICATION_LDAP_PORT=389

### Credentials used for querying the LDAP
#AUTHENTICATION_AUTHENTICATION_LDAP_BIND_DN=
#AUTHENTICATION_AUTHENTICATION_LDAP_PASSWORD=

### Base Search is the DN that all the users share, e.g. ou=people,dc=example,dc=com
#AUTHENTICATION_AUTHENTICATION_LDAP_BASE_SEARCH=
### Filter is the actual filter used to search users. The '%s' represents the user that is sent through the form
### More information: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
#AUTHENTICATION_AUTHENTICATION_LDAP_FILTER="(&(objectClass=person)(uid=%s))"

### These are the fields that the LDAP search responds. For example, in some installations, the field for the email is called 'mail'
### Then, a regex is applied to this field, in case we needed to filter inside a LDAP field. By default it collects the whole field. The 
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_UID=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_UID=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_USERNAME=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_USERNAME=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_NAME=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_NAME=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_EMAIL=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_EMAIL=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_PHOTO=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_PHOTO=.*

### Auto Register the existing ldap users into CECD
#AUTHENTICATION_AUTHENTICATION_LDAP_AUTO_REGISTER=false
### Try guessing the category based in the LDAP search results (must have AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_CATEGORY configured)
#AUTHENTICATION_AUTHENTICATION_LDAP_GUESS_CATEGORY=false
### These are the fields that the LDAP search responds. For example, in some installations, the field for the group is called 'group'
### Then, a regex is applied to this field, in case we needed to filter inside a LDAP field. By default it collects the whole field. The 
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_CATEGORY=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_CATEGORY=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_GROUP=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_GROUP=.*
### The base search for listing all the groups of a user
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH=
### Filter is the actual filter used to search all the groups of a user. The '%s' represents the user that is sent through the form
### More information: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_FILTER="(&(objectClass=posixGroup)(memberUid=%s))"
# If this field is set to true, use the full DN instead of the user that is sent through the form to search for the user groups
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH_USE_DN=false
### The field that contains the group in the AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_FILTER search
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH_FIELD=
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUPS_SEARCH_REGEX=.*
### All the users that are in at least one of the groups specified here, will be created in the admin role (comma separated)
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_ADMIN_GROUPS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_MANAGER_GROUPS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_ADVANCED_GROUPS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_USER_GROUPS=
# This is the default role that users will have if they don't match in any of the previous groups.
# Values can be 'admin', 'manager', 'advanced', 'user'
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_DEFAULT=user

## SAML
#AUTHENTICATION_AUTHENTICATION_SAML_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_SAML_METADATA_URL=
## If the key and cert files don't exist, they will be self signed automatically
#AUTHENTICATION_AUTHENTICATION_SAML_KEY_FILE=/keys/isardvdi.key
#AUTHENTICATION_AUTHENTICATION_SAML_CERT_FILE=/keys/isardvdi.cert

### These are the fields that the SAML search responds. For example, in some installations, the field for the email is called 'mail'
### Then, a regex is applied to this field, in case we needed to filter inside a SAML field. By default it collects the whole field. The 
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_UID=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_UID=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_USERNAME=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_USERNAME=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_NAME=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_NAME=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_EMAIL=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_EMAIL=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_PHOTO=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_PHOTO=.*


## Google
### Create your Google OAUTH credentials at https://console.developers.google.com/apis/credentials
### Authorized redirect URIs: https://domain.tld/authentication/callback
#AUTHENTICATION_AUTHENTICATION_GOOGLE_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_GOOGLE_CLIENT_ID=id
#AUTHENTICATION_AUTHENTICATION_GOOGLE_CLIENT_SECRET=secret

# ------ Backups -------------------------------------------------------------

## Automated backups (https://0xacab.org/liberate/backupninja)
# If BACKUP_NFS_ENABLED is not enabled it will use this directory to create backups
# If BACKUP_NFS_ENABLED is enabled then this variable should be commented
#BACKUP_DIR=/opt/isard-local/backup

# If nfs enabled you need to set server and folder also
#BACKUP_NFS_ENABLED=false
#BACKUP_NFS_SERVER=172.16.0.10
#BACKUP_NFS_FOLDER=/remote/backupfolder

#BACKUP_DB_ENABLED=false
#BACKUP_DB_WHEN="everyday at 01"
#BACKUP_DB_PRUNE="--keep-weekly=8 --keep-monthly=12 --keep-within=14d --save-space"

#BACKUP_DISKS_ENABLED=false
#BACKUP_DISKS_WHEN="everyday at 01"
#BACKUP_DISKS_PRUNE="--keep-weekly=4 --keep-monthly=3 --keep-within=7d --save-space"
#BACKUP_DISKS_TEMPLATES_ENABLED=false
#BACKUP_DISKS_GROUPS_ENABLED=false
#BACKUP_DISKS_MEDIA_ENABLED=false

##################################################################
##################################################################
## DO NOT EDIT FROM HERE UNLESS YOU KNOW WHAT YOU ARE DOING !!! ##
##################################################################
##################################################################

# ------ Docker images prefix ------------------------------------------------
## Image prefix that could include registry and repository
# DOCKER_IMAGE_PREFIX=registry.gitlab.com/isard/isardvdi/
DOCKER_IMAGE_PREFIX=cecd/

# ------ Docker images tags --------------------------------------------------
## Image tag that could be tags or branches from the git repository
## Used for doing docker-compose pull
DOCKER_IMAGE_TAG=main

# ------ Logs ----------------------------------------------------------------
LOG_LEVEL=INFO

# ------ QCOW2 images --------------------------------------------------------
## Cluster size used when creating qcow2 disk images
#QCOW2_CLUSTER_SIZE=4k
## Enable use of extended l2 entries when creating qcow2 disk images
## Options: on / off
#QCOW2_EXTENDED_L2=off

# ------ GPUS --------------------------------------------------------------
## ----- NVIDIA
## New hypervisor: Engine will try to scan new hyper for NVIDIA GPUs and
##                 will also setup them.
#GPU_NVIDIA_SCAN=false

## Enabled existing hyper: Existing hyper will be scanned for NVIDIA GPUs
##                         when enabled (from disabled) at web interface.
#GPU_NVIDIA_RESCAN=false

## Only start desktops with GPU reservables (avoid )
#GPU_ONLY=false

##################################################################
## INFRASTRUCTURE PARAMETERS. Used on remote hypervisors        ##
##################################################################
## Remote hypervisors can be:
## docker-compose.hypervisor.yml: Will have an isard-video
## docker-compose.hypervisor-standalone.yml: Will get video on 
## the VIDEO_HYPERVISOR_PORTS from the VIDEO_DOMAIN isard-video host.

# ------ Hypervisor Identifier -----------------------------------------------
## Set it to a unique name for hypervisor
#HYPER_ID=isard-hypervisor
## Hypervisor can be disabled when entering system with false value
#HYPER_ENABLED=true
## Hypervisor with hypervisor capabilities
#CAPABILITIES_HYPER=true
## Disk capabilities
#CAPABILITIES_DISK=true
## Comma-separated storage pool ids that can be used
#CAPABILITIES_STORAGE_POOLS=00000000-0000-0000-0000-000000000000

# ------ Hypervisor options ---------------------------------------------------
## ONLY_FORCED_HYP enables only_forced option to only get domains with
## forced_hyp. Values:
## - false (default): get any domain
## - true: only get domains with forced_hyp
#ONLY_FORCED_HYP=false

# Memory free at hypervisor
## How much memory (in GB) has to be kept free while starting desktops.
## Engine will fail starting desktops till it has enough free memory against
## Máximum memory for starting guests = Hypervisor memory - HYPER_FREEMEM
#HYPER_FREEMEM=0

# Buffering hypervisor
## If this is set to true, the hypervisor will be used as a "buffer" when
## the orchestrator needs to scale up
#BUFFERING_HYPER=false

# ------ Database host -------------------------------------------------------
## Where is the database reacheable?
## Not needed for remote hypervisors, only to split main web install.
#RETHINKDB_HOST=isard-db
#RETHINKDB_PORT=28015
#RETHINKDB_DB=isard

# ------ Authentication host -------------------------------------------------

# Authentication host
## Where is isard-authentication reacheable from clients browser?
## Not needed for remote hypervisors, only to split main web install.
#AUTHENTICATION_AUTHENTICATION_HOST=$DOMAIN
#AUTHENTICATION_DB_HOST=isard-db

# ------ Api host ------------------------------------------------------------
## Where can this host reach the isard-api host?
## Need to be set for flavours:
##   - hypervisor
##   - hypervisor-standalone
#API_DOMAIN=isard-api

# ------ Static nginx host ----------------------------------------------------
## Where the clients browsers will load static when connecting to this host 
## html5 video?
## Need to be set for flavours:
##   - hypervisor
##   - hypervisor-standalone
#STATIC_DOMAIN=$DOMAIN

# ------ Vpn host ------------------------------------------------------------
## Where can this host reach the isard-vpn host?
## Need to be set for flavours:
##   - hypervisor
##   - hypervisor-standalone
#VPN_DOMAIN=isard-vpn

## The vpn mtu will allow for infrastructure connection (allow it in your
## switches)
## If using Internet to connect remote hypers this should be lowered.
## https://keremerkan.net/posts/wireguard-mtu-fixes/
## https://mail.openvswitch.org/pipermail/ovs-discuss/2018-June/046932.html
#VPN_MTU=1600

# ------ Storage host --------------------------------------------------------
## Where can api host reach this isard-storage host?
## Need to be set for flavours:
##   - storage
##   - hypervisor
##   - hypervisor-standalone
#STORAGE_DOMAIN=isard-storage

# ------ Video proxy host ----------------------------------------------------
## Where will the client browser reach isard-video to this host?
## Need to be set for flavours: 
##   - video-standalone (to generate letsencrypt certs)
##   - hypervisor (to generate letsencrypt certs and set up hyper in db)
##   - hypervisor-standalone ( to set up hyper in db)
#VIDEO_DOMAIN=$DOMAIN

# ------ Video external NAT ports --------------------------------------------
## Where the users browsers will connect to get the video stream for
## their guests started in this hypervisor? (outside NAT ports)
#VIEWER_SPICE=80
#VIEWER_BROWSER=443
#VIEWER_RDPGW=9999

# ------ Video proxy ACL -----------------------------------------------------
## Is this host hosting the isard-video for other hypervisor-standalone
## servers? Then allow here only the hostnames for those hypervisors as
## seen from this host with comma (,) delimiters:
#VIDEO_HYPERVISOR_HOSTNAMES=isard-hypervisor
#VIDEO_HYPERVISOR_PORTS=5900-6899

# ------ Docker networking ---------------------------------------------------
## Assign a docker /24 network. The host part will be set by system
## You should avoid setting a network that exists in your infrastructure
## or in isard configuration. Set only the /24 part!
#DOCKER_NET=172.31.255

# ------ Guests networking ---------------------------------------------------
## All the sub networks needed for infrastructure wireguard will
## fall within this sub networks
WG_MAIN_NET=10.0.0.0/14

## Users at home will get a unique /32 IP from this range.
## Set a network that will allow as many clients as you will have.
WG_USERS_NET=10.0.0.0/16

## UDP port for users at home to connect wireguard to this server.
WG_USERS_PORT=443

## Only in infrastructure this will be used by remote hypers to 
## send wireguard guests network to the main Isard. 
WG_HYPERS_NET=10.1.0.0/24

## UDP port for remote hypervisors to connect to this server.
WG_HYPERS_PORT=4443

## This is the main range to be used by wireguard interface in
## guests in your system. Will be subdivided in smaller ranges
## for each hypervisor.
WG_GUESTS_NETS=10.2.0.0/16

## 23: 512 GUESTS -2
## 24: 256 GUESTS -2
## Each hypervisor will get one subnet from WG_GUESTS_NETS
## Last network will be subdivided /29 to connect wireguard hyper
## clients (isard-vpnc) to the wireguard server (isard-vpn)
WG_GUESTS_DHCP_MASK=23
## This sets a reserved dhcp range if you want.
WG_GUESTS_RESERVED_HOSTS=20

# ------ Trunk port & vlans --------------------------------------------------
## Uncomment to map host interface name inside hypervisor container.
## If static vlans are commented then hypervisor will initiate an 
## auto-discovery process. The discovery process will last for 260
## seconds and this will delay the hypervisor from being available.
## So it is recommended to set also the static vlans.
## Note: It will create VlanXXX automatically on webapp. You need to
##       assign who is allowed to use this VlanXXX interfaces.
#HYPERVISOR_HOST_TRUNK_INTERFACE=

## This environment variable depends on previous one. When setting
## vlans number comma separated it will disable auto-discovery and
## fix this as forced vlans inside hypervisor.
#HYPERVISOR_STATIC_VLANS=

## NOTE: The interface name should not be changed from defaults.
##       Newer kernels use cgroups2 that doens't work. To get the
##       old cgroups add to /etc/default/grub:
##        GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"
##       and update-grub, and reboot.

# ------ Override hosts in isard-portal haproxy ------------------------------
#WEBAPP_HOST=isard-webapp


##################################################################
## STATS PARAMETERS                                             ##
##################################################################

# ------ Grafana ------------------------------------------------------
#GRAFANA_HOST=isard-grafana
# This variable is used for provisioning alerts in Grafana
#GRAFANA_TELEGRAM_TOKEN=
# This variable is used for provisioning alerts in Grafana
#GRAFANA_TELEGRAM_CHAT_ID=

# ------ Prometheus -----------------------------------------------------
#PROMETHEUS_ADDRESS=http://isard-prometheus:9090
#PROMETHEUS_RETENTION_TIME=40d

# ------ Stats -----------------------------------------------------
#STATS_DIRECTORY=/opt/isard/stats

# ------ Loki -----------------------------------------------------
#LOKI_ADDRESS=http://isard-loki:3100


# ------ OCI Collector -----------------------------------------------------
#STATS_COLLECTORS_OCI_ENABLE=false
#TF_VAR_tenancy_ocid=
#TF_VAR_user_ocid=
#TF_VAR_fingerprint=
#TF_VAR_region=
#TF_VAR_private_key=