diff --git a/nix/module-joex.nix b/nix/module-joex.nix
index 928e53bc..3b1d6f1e 100644
--- a/nix/module-joex.nix
+++ b/nix/module-joex.nix
@@ -16,6 +16,7 @@ let
 address = "localhost";
 port = 7878;
 };
+ mail-debug = false;
 jdbc = {
 url = "jdbc:h2:///tmp/docspell-demo.db;MODE=PostgreSQL;DATABASE_TO_LOWER=TRUE;AUTO_SERVER=TRUE";
 user = "sa";
@@ -24,6 +25,13 @@ let
 send-mail = {
 list-id = "";
 };
+ user-tasks = {
+ scan-mailbox = {
+ max-folders = 50;
+ mail-chunk-size = 50;
+ max-mails = 500;
+ };
+ };
 scheduler = {
 pool-size = 2;
 counting-scheme = "4,1";
@@ -121,6 +129,10 @@ let
 working-dir = "/tmp/docspell-convert";
 };
 };
+ files = {
+ chunk-size = 524288;
+ valid-mime-types = [];
+ };
 };
 in {
@@ -171,6 +183,16 @@ in {
 default = defaults.bind;
 description = "Address and port bind the rest server.";
 };
+ mail-debug = mkOption {
+ type = types.bool;
+ default = defaults.mail-debug;
+ description = ''
+ Enable or disable debugging for e-mail related functionality. This
+ applies to both sending and receiving mails. For security reasons
+ logging is not very extensive on authentication failures. Setting
+ this to true, results in a lot of data printed to stdout.
+ '';
+ };
 jdbc = mkOption {
 type = types.submodule ({
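Review bot: The `mail-debug` description in the -171 hunk says the setting prints "a lot of data" to stdout but not what that data is; if the debug trace covers the SMTP/IMAP exchanges, it would presumably carry credentials and message contents into stdout and whatever collects it (journal, log files). That is worth stating so operators treat the option as development-only, e.g. append `Debug output may include credentials and message contents; do not enable this in production.` to the description. The option declaration itself is fine and the `let` default earlier in the same file matches it.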
@@ -306,6 +328,54 @@ in {
 '';
 };
+ user-tasks = mkOption {
+ type = types.submodule({
+ options = {
+ scan-mailbox = mkOption {
+ type = types.submodule({
+ options = {
+ max-folders = mkOption {
+ type = types.int;
+ default = defaults.user-tasks.scan-mailbox.max-folders;
+ description = ''
+ A limit of how many folders to scan through. If a user
+ configures more than this, only upto this limit folders are
+ scanned and a warning is logged.
+ '';
+ };
+ mail-chunk-size = mkOption {
+ type = types.int;
+ default = defaults.user-tasks.scan-mailbox.mail-chunk-size;
+ description = ''
+ How many mails (headers only) to retrieve in one chunk.
+
+ If this is greater than `max-mails' it is set automatically to
+ the value of `max-mails'.
+ '';
+ };
+ max-mails = mkOption {
+ type = types.int;
+ default = defaults.user-tasks.scan-mailbox.max-mails;
+ description = ''
+ A limit on how many mails to process in one job run. This is
+ meant to avoid too heavy resource allocation to one
+ user/collective.
+
+ If more than this number of mails is encountered, a warning is
+ logged.
+ '';
+ };
+ };
+ });
+ default = defaults.user-tasks.scan-mailbox;
+ description = "Allows to import e-mails by scanning a mailbox.";
+ };
+ };
+ });
+ default = defaults.user-tasks;
+ description = "Configuration for the user tasks.";
+ };
+
 house-keeping = mkOption {
 type = types.submodule({
 options = {
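Review bot: The three `scan-mailbox` limits are declared as `types.int`, so `0` and negative values pass module type-checking even though the descriptions treat them as upper bounds on work done per run; `type = types.ints.positive;` on `max-folders`, `mail-chunk-size` and `max-mails` would reject those at evaluation time instead of leaving it to the job. The same applies to `chunk-size` in the `files` option of the -758 hunk. Minor: the `max-folders` description has a typo, `upto` should be `up to`.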
@@ -758,6 +828,38 @@ in {
 path below via the `program` key.
 '';
 };
+ files = mkOption {
+ type = types.submodule({
+ options = {
+ chunk-size = mkOption {
+ type = types.int;
+ default = defaults.files.chunk-size;
+ description = ''
+ Defines the chunk size (in bytes) used to store the files.
+ This will affect the memory footprint when uploading and
+ downloading files. At most this amount is loaded into RAM for
+ down- and uploading.
+
+ It also defines the chunk size used for the blobs inside the
+ database.
+ '';
+ };
+ valid-mime-types = mkOption {
+ type = types.listOf types.str;
+ default = defaults.files.valid-mime-types;
+ description = ''
+ The file content types that are considered valid. Docspell
+ will only pass these files to processing. The processing code
+ itself has also checks for which files are supported and which
+ not. This affects the uploading part and is a first check to
+ avoid that 'bad' files get into the system.
+ '';
+ };
+ };
+ });
+ default = defaults.files;
+ description= "Settings for how files are stored.";
+ };
 };
 };
diff --git a/nix/module-server.nix b/nix/module-server.nix
index 55f9941d..65b8034b 100644
--- a/nix/module-server.nix
+++ b/nix/module-server.nix
@@ -17,6 +17,25 @@ let
 address = "localhost";
 port = 7880;
 };
+ integration-endpoint = {
+ enabled = false;
+ priority = "low";
+ allowed-ips = {
+ enabled = true;
+ ips = [ "127.0.0.1" ];
+ };
+ http-basic = {
+ enabled = false;
+ realm = "Docspell Integration";
+ user = "docspell-int";
+ password = "docspell-int";
+ };
+ http-header = {
+ enabled = false;
+ header-name = "Docspell-Integration";
+ header-value = "some-secret";
+ };
+ };
 auth = {
 server-secret = "hex:caffee";
 session-valid = "5 minutes";
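Review bot: The `valid-mime-types` description never says what the default `[]` means — whether an empty list lets every content type through or rejects every upload — and since the description itself calls this "a first check to avoid that 'bad' files get into the system", that is the one fact an operator needs before relying on it. Add a sentence such as `An empty list (the default) disables this check and accepts all content types.` if that is the behaviour, or the opposite if it is not; the diff alone does not show which. Minor: `description= "Settings for how files are stored.";` is missing the space before `=` that every other option in the file uses.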
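Review bot: The defaults `password = "docspell-int";` and `header-value = "some-secret";` are fixed placeholder credentials shipped in the public source; they are inert while `http-basic.enabled` and `http-header.enabled` stay `false`, but an operator who flips either to `true` without overriding the value ends up protecting the endpoint with a secret anyone can look up. The option declarations for `password` and `header-value` in the -126 hunk of this file should say so, e.g. `The default is a placeholder; set your own value before enabling this protection.` If the module renders these option values into a configuration file in the Nix store, as NixOS modules commonly do, the values are also world-readable on the host, which belongs in the same description.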
@@ -126,6 +145,118 @@ in {
 description = "Authentication";
 };
+ integration-endpoint = mkOption {
+ type = types.submodule({
+ options = {
+ enabled = mkOption {
+ type = types.bool;
+ default = defaults.integration-endpoint.enabled;
+ description = "Whether the endpoint is globally enabled or disabled.";
+ };
+ priority = mkOption {
+ type = types.str;
+ default = defaults.integration-endpoint.priority;
+ description = "The priority to use when submitting files through this endpoint.";
+ };
+ allowed-ips = mkOption {
+ type = types.submodule({
+ options = {
+ enabled = mkOption {
+ type = types.bool;
+ default = defaults.integration-endpoint.allowed-ips.enabled;
+ description = "Enable/Disable this protection";
+ };
+ ips = mkOption {
+ type = types.listOf types.str;
+ default = defaults.integration-endpoint.allowed-ips.ips;
+ description = "The ips/ip patterns to allow";
+ };
+ };
+ });
+ default = defaults.integration-endpoint.allowed-ips;
+ description = ''
+ IPv4 addresses to allow access. An empty list, if enabled,
+ prohibits all requests. IP addresses may be specified as simple
+ globs: a part marked as `*' matches any octet, like in
+ `192.168.*.*`. The `127.0.0.1' (the default) matches the
+ loopback address.
+ '';
+ };
+ http-basic = mkOption {
+ type = types.submodule({
+ options = {
+ enabled = mkOption {
+ type = types.bool;
+ default = defaults.integration-endpoint.http-basic.enabled;
+ description = "Enable/Disable this protection";
+ };
+ realm = mkOption {
+ type = types.str;
+ default = defaults.integration-endpoint.http-basic.realm;
+ description = "The realm name to provide to the client.";
+ };
+ user = mkOption {
+ type = types.str;
+ default = defaults.integration-endpoint.http-basic.user;
+ description = "The user name to check.";
+ };
+ password = mkOption {
+ type = types.str;
+ default = defaults.integration-endpoint.http-basic.password;
+ description = "The password to check.";
+ };
+ };
+ });
+ default = defaults.integration-endpoint.http-basic;
+ description = ''
+ Requests are expected to use http basic auth when uploading files.
+ '';
+ };
+ http-header = mkOption {
+ type = types.submodule({
+ options = {
+ enabled = mkOption {
+ type = types.bool;
+ default = defaults.integration-endpoint.http-header.enabled;
+ description = "Enable/Disable this protection";
+ };
+ header-name = mkOption {
+ type = types.str;
+ default = defaults.integration-endpoint.http-header.header-name;
+ description = "The header to extract from the request.";
+ };
+ header-value = mkOption {
+ type = types.str;
+ default = defaults.integration-endpoint.http-basic.header-value;
+ description = "The value of the header to check.";
+ };
+ };
+ });
+ default = defaults.integration-endpoint.http-header;
+ description = ''
+ Requests are expected to supply some specific header when
+ uploading files.
+ '';
+ };
+ };
+ });
+ default = defaults.integration-endpoint;
+ description = ''
+ This endpoint allows to upload files to any collective. The
+ intention is that local software integrates with docspell more
+ easily. Therefore the endpoint is not protected by the usual
+ means.
+
+ For security reasons, this endpoint is disabled by default. If
+ enabled, you can choose from some ways to protect it. It may be a
+ good idea to further protect this endpoint using a firewall, such
+ that outside traffic is not routed.
+
+ NOTE: If all protection methods are disabled, the endpoint is not
+ protected at all!
+ '';
+ };
+
 backend = mkOption {
 type = types.submodule({
 options = {
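Review bot: The default for `header-value` references `defaults.integration-endpoint.http-basic.header-value`, but the `http-basic` default set declared in the -17 hunk of this file has no `header-value` attribute (it is defined under `http-header`), so evaluating this option without an explicit override fails with a missing-attribute error; change the line to `default = defaults.integration-endpoint.http-header.header-value;`. The sibling `enabled` and `header-name` defaults a few lines above use the correct `http-header` path, which suggests a copy-paste slip rather than an intended reference. The top-level description already warns that disabling every protection leaves the endpoint open; it would also help to say that `allowed-ips` is the only protection enabled by default and that its default only admits the loopback address.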