TheAnachronism/docspell
1
0
Fork 0
mirror of https://github.com/TheAnachronism/docspell.git synced 2025-06-22 02:18:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a84a85446437776e7128c7f76c243466467591ce
docspell/modules/restserver/src/main/resources/reference.conf
eikek 81d8b6c9c1 Allow to configure a region for s3 backend 
Closes: #2386
2023-11-17 21:27:13 +01:00

535 lines
20 KiB
Plaintext
Raw Blame History

docspell.server {
# This is shown in the top right corner of the web application
app-name = "Docspell"
# This is the id of this node. If you run more than one server, you
# have to make sure to provide unique ids per node.
app-id = "rest1"
# This is the base URL this application is deployed to. This is used
# to create absolute URLs and to configure the cookie.
#
# If default is not changed, the HOST line of the login request is
# used instead or the value of the `X-Forwarded-For` header. If set
# to some other value, the request is not inspected.
base-url = "http://localhost:7880"
# This url is the base url for reaching this server internally.
# While you might set `base-url` to some external address (like
# mydocs.myserver.com), the `internal-url` must be set such that
# other nodes can reach this server.
internal-url = "http://localhost:7880"
# Configures logging
logging {
# The format for the log messages. Can be one of:
# Json, Logfmt, Fancy or Plain
format = "Fancy"
# The minimum level to log. From lowest to highest:
# Trace, Debug, Info, Warn, Error
minimum-level = "Warn"
# Override the log level of specific loggers
levels = {
"docspell" = "Info"
"org.flywaydb" = "Info"
"binny" = "Info"
"org.http4s" = "Info"
}
}
# Where the server binds to.
bind {
address = "localhost"
port = 7880
}
# Options for tuning the http server
server-options {
enable-http-2 = false
# Maximum allowed connections
max-connections = 1024
# Timeout for waiting for the first output of the response
response-timeout = 45s
}
# This is a hard limit to restrict the size of a batch that is
# returned when searching for items. The user can set this limit
# within the client config, but it is restricted by the server to
# the number defined here. An admin might choose a lower number
# depending on the available resources.
max-item-page-size = 200
# The number of characters to return for each item notes when
# searching. Item notes may be very long, when returning them with
# all the results from a search, they add quite some data to return.
# In order to keep this low, a limit can be defined here.
max-note-length = 180
# This defines whether the classification form in the collective
# settings is displayed or not. If all joex instances have document
# classification disabled, it makes sense to hide its settings from
# users.
show-classification-settings = true
# Authentication.
auth {
# The secret for this server that is used to sign the authenicator
# tokens. If multiple servers are running, all must share the same
# secret. You can use base64 or hex strings (prefix with b64: and
# hex:, respectively). If empty, a random secret is generated.
# Example: b64:YRx77QujCGkHSvll0TVEmtTaw3Z5eXr+nWMsEJowgKg=
server-secret = ""
# How long an authentication token is valid. The web application
# will get a new one periodically.
session-valid = "5 minutes"
remember-me {
enabled = true
# How long the remember me cookie/token is valid.
valid = "30 days"
}
# One of: fail, convert
#
# Accounts can be local or defined at a remote provider and
# integrated via OIDC. If the same account is defined in both
# sources, docspell by default fails if a user mixes logins (e.g.
# when registering a user locally and then logging in with the
# same user via OIDC). When set to `convert` docspell treats it as
# being the same and simply updates the account to reflect the new
# account source.
on-account-source-conflict = "fail"
}
# Settings for "download as zip"
download-all {
# How many files to allow in a zip.
max-files = 500
# The maximum (uncompressed) size of the zip file contents.
max-size = 1400M
}
# Configures OpenID Connect (OIDC) or OAuth2 authentication. Only
# the "Authorization Code Flow" is supported.
#
# Multiple authentication providers can be defined. Each is
# configured in the array below. The `provider` block gives all
# details necessary to authenticate against an external OIDC or
# OAuth provider. This requires at least two URLs for OIDC and three
# for OAuth2. When using OIDC, the `user-url` is only required if
# the account data is to be retrieved from the user-info endpoint
# and not from the JWT token. For the request to the `user-url`, the
# access token is then used to authenticate at the provider. Thus,
# it doesn't need to be validated here and therefore no `sign-key`
# setting is needed. However, if you want to extract the account
# information from the access token, it must be validated here and
# therefore the correct signature key and algorithm must be
# provided. If the `sign-key` is left empty, the `user-url` is used
# and must be specified. If the `sign-key` is _not_ empty, the
# response from the authentication provider is validated using this
# key.
#
# If a `logout-url` is provided, it will be used to finally redirect
# the browser to this url that should logout the user from Docspell
# at the provider.
#
# After successful authentication, docspell needs to create the
# account. For this a username and collective name is required. The
# account name is defined by the `user-key` and `collective-key`
# setting. The `user-key` is used to search the JSON structure, that
# is obtained from the JWT token or the user-info endpoint, for the
# login name to use. It traverses the JSON structure recursively,
# until it finds an object with that key. The first value is used.
#
# The `collective-key` can be used in multiple ways and both can
# work together to retrieve the full account id:
#
# - If it starts with `fixed:`, like "fixed:collective", the name
# after the `fixed:` prefix is used as collective as is. So all
# users are in the same collective.
#
# - If it starts with `lookup:`, like "lookup:collective_name", the
# value after the prefix is used to search the JSON response for
# an object with this key, just like it works with the `user-key`.
#
# - If it starts with `account:`, like "account:demo", it works the
# same as `lookup:` only that the value is interpreted as the full
# account name of form `collective/login`. The `user-key` value is
# ignored in this case.
#
# If these values cannot be obtained from the response, docspell
# fails the authentication. It is then assumed that the successfully
# authenticated user at the OP has not enough permissions to access
# docspell.
#
# Below are examples for OpenID Connect (keycloak) and OAuth2
# (github).
openid =
[ { enabled = false,
# The name to render on the login link/button.
display = "Keycloak"
# This illustrates to use a custom keycloak setup as the
# authentication provider. For details, please refer to the
# keycloak documentation. The settings here assume a certain
# configuration at keycloak.
#
# Keycloak can be configured to return the collective name for
# each user in the access token. It may also be configured to
# return it in the user info response. If it is already in the
# access token, an additional request can be omitted. Set the
# `sign-key` to an empty string then. Otherwise provide the
# algo and key from your realm settings. In this example, the
# realm is called "home".
provider = {
provider-id = "keycloak",
client-id = "docspell",
client-secret = "example-secret-439e-bf06-911e4cdd56a6",
scope = "profile", # scope is required for OIDC
authorize-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/auth",
token-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/token",
#User URL is not used when signature key is set.
#user-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/userinfo",
logout-url = "http://localhost:8080/auth/realms/home/protocol/openid-connect/logout"
sign-key = "b64:anVzdC1hLXRlc3Q=",
sig-algo = "RS512"
},
# The collective of the user is given in the access token as
# property `docspell_collective`.
collective-key = "lookup:docspell_collective",
# The username to use for the docspell account
user-key = "preferred_username"
},
{ enabled = false,
# The name to render on the login link/button.
display = "Github"
# Provider settings for using github as an authentication
# provider. Note that this is only an example to illustrate
# how it works. Usually you wouldn't want to let every user on
# github in ;-).
#
# Github doesn't have full OpenIdConnect, but supports the
# OAuth2 code flow (which is very similar). It mainly means,
# that there is no standardized token to validate and get
# information from. So the user-url must be used in this case.
provider = {
provider-id = "github",
client-id = "<your github client id>",
client-secret = "<your github client secret>",
scope = "", # scope is not needed for github
authorize-url = "https://github.com/login/oauth/authorize",
token-url = "https://github.com/login/oauth/access_token",
user-url = "https://api.github.com/user",
sign-key = "" # this must be set empty
sig-algo = "RS256" #unused but must be set to something
},
# If the authentication provider doesn't provide the
# collective name, simply use a fixed one. This means all
# users from this provider are in the same collective!
collective-key = "fixed:demo",
# Github provides the login name via the `login` property as
# response from the user-url. This value is used to construct
# the account in docspell.
user-key = "login"
}
]
# When exactly one OIDC/OAuth provider is configured, then the weapp
# automatically redirects to its authentication page skipping the
# docspell login page.
oidc-auto-redirect = true
# This endpoint allows to upload files to any collective. The
# intention is that local software integrates with docspell more
# easily. Therefore the endpoint is not protected by the usual
# means.
#
# For security reasons, this endpoint is disabled by default. If
# enabled, you can choose from some ways to protect it. It may be a
# good idea to further protect this endpoint using a firewall, such
# that outside traffic is not routed.
#
# NOTE: If all protection methods are disabled, the endpoint is not
# protected at all!
integration-endpoint {
enabled = false
# The priority to use when submitting files through this endpoint.
priority = "low"
# The name used for the item "source" property when uploaded
# through this endpoint.
source-name = "integration"
# IPv4 addresses to allow access. An empty list, if enabled,
# prohibits all requests. IP addresses may be specified as simple
# globs: a part marked as `*' matches any octet, like in
# `192.168.*.*`. The `127.0.0.1' (the default) matches the
# loopback address.
allowed-ips {
enabled = false
ips = [ "127.0.0.1" ]
}
# Requests are expected to use http basic auth when uploading
# files.
http-basic {
enabled = false
realm = "Docspell Integration"
user = "docspell-int"
password = "docspell-int"
}
# Requests are expected to supply some specific header when
# uploading files.
http-header {
enabled = false
header-name = "Docspell-Integration"
header-value = "some-secret"
}
}
# This is a special endpoint that allows some basic administration.
#
# It is intended to be used by admins only, that is users who
# installed the app and have access to the system. Normal users
# should not have access and therefore a secret must be provided in
# order to access it.
#
# This is used for some endpoints, for example:
# - re-create complete fulltext index:
# curl -XPOST -H'Docspell-Admin-Secret: xyz' http://localhost:7880/api/v1/admin/fts/reIndexAll
admin-endpoint {
# The secret. If empty, the endpoint is disabled.
secret = ""
}
# Configuration of the full-text search engine. (the same must be used for joex)
full-text-search {
# The full-text search feature can be disabled. It requires an
# additional index server which needs additional memory and disk
# space. It can be enabled later any time.
#
# Currently the SOLR search platform and PostgreSQL is supported.
enabled = false
# Which backend to use, either solr or postgresql
backend = "solr"
# Configuration for the SOLR backend.
solr = {
# The URL to solr
url = "http://localhost:8983/solr/docspell"
# Used to tell solr when to commit the data
commit-within = 1000
# If true, logs request and response bodies
log-verbose = false
# The defType parameter to lucene that defines the parser to
# use. You might want to try "edismax" or look here:
# https://solr.apache.org/guide/8_4/query-syntax-and-parsing.html#query-syntax-and-parsing
def-type = "lucene"
# The default combiner for tokens. One of {AND, OR}.
q-op = "OR"
}
# Configuration for PostgreSQL backend
postgresql = {
# Whether to use the default database, only works if it is
# postgresql
use-default-connection = false
# The database connection.
jdbc {
url = "jdbc:postgresql://server:5432/db"
user = "pguser"
password = ""
}
# A mapping from a language to a postgres text search config. By
# default a language is mapped to a predefined config.
# PostgreSQL has predefined configs for some languages. This
# setting allows to create a custom text search config and
# define it here for some or all languages.
#
# Example:
# { german = "my-german" }
#
# See https://www.postgresql.org/docs/14/textsearch-tables.html ff.
pg-config = {
}
# Define which query parser to use.
#
# https://www.postgresql.org/docs/14/textsearch-controls.html#TEXTSEARCH-PARSING-QUERIES
pg-query-parser = "websearch_to_tsquery"
# Allows to define a normalization for the ranking.
#
# https://www.postgresql.org/docs/14/textsearch-controls.html#TEXTSEARCH-RANKING
pg-rank-normalization = [ 4 ]
}
}
# Configuration for the backend.
backend {
# Enable or disable debugging for e-mail related functionality. This
# applies to both sending and receiving mails. For security reasons
# logging is not very extensive on authentication failures. Setting
# this to true, results in a lot of data printed to stdout.
mail-debug = false
# The database connection.
jdbc {
# The JDBC url to the database. By default a H2 file-based
# database is configured. You can provide a postgresql or
# mariadb connection here. When using H2 use the PostgreSQL
# compatibility mode and AUTO_SERVER feature.
url = "jdbc:h2://"${java.io.tmpdir}"/docspell-demo.db;MODE=PostgreSQL;DATABASE_TO_LOWER=TRUE;AUTO_SERVER=TRUE"
# The database user.
user = "sa"
# The database password.
password = ""
}
# Additional settings related to schema migration.
database-schema = {
# Whether to run main database migrations.
run-main-migrations = true
# Whether to run the fixup migrations.
run-fixup-migrations = true
# Use with care. This repairs all migrations in the database by
# updating their checksums and removing failed migrations. Good
# for testing, not recommended for normal operation.
repair-schema = false
}
# Configuration for registering new users.
signup {
# The mode defines if new users can signup or not. It can have
# three values:
#
# - open: every new user can sign up
# - invite: new users can sign up only if they provide a correct
# invitation key. Invitation keys can be generated by the
# server.
# - closed: signing up is disabled.
mode = "open"
# If mode == 'invite', a password must be provided to generate
# invitation keys. It must not be empty.
new-invite-password = ""
# If mode == 'invite', this is the period an invitation token is
# considered valid.
invite-time = "3 days"
}
files {
# Defines the chunk size (in bytes) used to store the files.
# This will affect the memory footprint when uploading and
# downloading files. At most this amount is loaded into RAM for
# down- and uploading.
#
# It also defines the chunk size used for the blobs inside the
# database.
chunk-size = 524288
# The file content types that are considered valid. Docspell
# will only pass these files to processing. The processing code
# itself has also checks for which files are supported and which
# not. This affects the uploading part and can be used to
# restrict file types that should be handed over to processing.
# By default all files are allowed.
valid-mime-types = [ ]
# The id of an enabled store from the `stores` array that should
# be used.
#
# IMPORTANT NOTE: All nodes must have the exact same file store
# configuration!
default-store = "database"
# A list of possible file stores. Each entry must have a unique
# id. The `type` is one of: default-database, filesystem, s3.
#
# The enabled property serves currently to define target stores
# for te "copy files" task. All stores with enabled=false are
# removed from the list. The `default-store` must be enabled.
stores = {
database =
{ enabled = true
type = "default-database"
}
filesystem =
{ enabled = false
type = "file-system"
directory = "/some/directory"
}
minio =
{ enabled = false
type = "s3"
endpoint = "http://localhost:9000"
access-key = "username"
secret-key = "password"
bucket = "docspell"
region = ""
}
}
}
addons = {
enabled = false
# Whether installing addons requiring network should be allowed
# or not.
allow-impure = true
# Define patterns of urls that are allowed to install addons
# from.
#
# A pattern is compared against an URL by comparing three parts
# of an URL via globs: scheme, host and path.
#
# You can use '*' (0 or more) and '?' (one) as wildcards in each
# part. For example:
#
# https://*.mydomain.com/projects/*
# *s://gitea.mydomain/*
#
# A hostname is separated by dots and the path by a slash. A '*'
# in a pattern means to match one or more characters. The path
# pattern is always matching the given prefix. So /a/b/* matches
# /a/b/c and /a/b/c/d and all other sub-paths.
#
# Multiple patterns can be defined va a comma separated string
# or as an array. An empty string matches no URL, while the
# special pattern '*' all by itself means to match every URL.
allowed-urls = "*"
# Same as `allowed-urls` but a match here means do deny addons
# from this url.
denied-urls = ""
}
}
}
Reference in New Issue View Git Blame Copy Permalink