
# =============================================================================
# OxiCloud Environment Configuration
# =============================================================================
# Copy this file to .env and modify as needed for your deployment.
# cp example.env .env
#
# All variables have sensible defaults. Only override what you need.
# =============================================================================
# -----------------------------------------------------------------------------
# SERVER CONFIGURATION
# -----------------------------------------------------------------------------
# Where the server keeps its data, where it listens, and which URL it
# advertises in generated links.
# Root directory for file storage (default: ./storage)
# NOTE(review): per the authentication section of this file, the auto-generated
# JWT secret is also persisted under this path, so the directory should be
# readable and writable only by the account that runs OxiCloud.
OXICLOUD_STORAGE_PATH=./storage
# Path to static files directory (default: ./static)
OXICLOUD_STATIC_PATH=./static
# Server port (default: 8086)
OXICLOUD_SERVER_PORT=8086
# Server bind address (default: 127.0.0.1)
# Use 0.0.0.0 to bind to all interfaces in Docker
# NOTE(review): 0.0.0.0 makes the port reachable on every interface of the
# host or container. The default URLs in this file are plain http://, so if the
# service is reachable beyond localhost, publish it through a TLS-terminating
# reverse proxy and limit direct access to the port with a firewall or the
# container's port mapping.
OXICLOUD_SERVER_HOST=127.0.0.1
# Public base URL for generating share links and external URLs
# If not set, defaults to http://{OXICLOUD_SERVER_HOST}:{OXICLOUD_SERVER_PORT}
# Example: https://cloud.example.com
# NOTE(review): the fallback uses the http:// scheme and the bind address, so
# set an explicit https:// URL for any deployment that hands share links to
# other people.
#OXICLOUD_BASE_URL=https://cloud.example.com
# -----------------------------------------------------------------------------
# DATABASE CONFIGURATION
# -----------------------------------------------------------------------------
# PostgreSQL connection string
# Format: postgres://USER:PASSWORD@HOST:PORT/DATABASE
# For Docker: use 'postgres' as the hostname (the docker-compose service name)
# For local development: use 'localhost:5432'
# NOTE(review): the value below uses the well-known postgres/postgres user and
# password. Treat it as a placeholder: set a unique password, and preferably a
# dedicated role limited to the oxicloud database (the postgres role is
# normally a superuser), before the database port is reachable from anything
# other than this host or compose network.
# The password is stored here in clear text, so keep the resulting .env out of
# version control and readable only by the service account (e.g. chmod 600 .env).
# NOTE(review): no TLS option is given in the URL; if the database runs on a
# different host, confirm how the driver is told to require TLS.
OXICLOUD_DB_CONNECTION_STRING=postgres://postgres:postgres@postgres/oxicloud
# Maximum number of database connections in the pool (default: 20)
#OXICLOUD_DB_MAX_CONNECTIONS=20
# Minimum number of database connections to maintain (default: 5)
#OXICLOUD_DB_MIN_CONNECTIONS=5
# Maximum connections for the maintenance pool (background/batch tasks).
# This pool is isolated from user requests, preventing background operations
# (verify_integrity, garbage_collect, storage recalculation) from starving
# interactive traffic. Default: 5
#OXICLOUD_DB_MAINTENANCE_MAX_CONNECTIONS=5
# Minimum connections for the maintenance pool. Default: 1
#OXICLOUD_DB_MAINTENANCE_MIN_CONNECTIONS=1
# Build-time database URL for SQLx compile-time checks
# Only needed during compilation, not at runtime
# NOTE(review): this line also embeds the default credentials. Since it is
# described as build-time only, it can presumably be omitted from the .env of a
# deployed instance - confirm against the build setup. If it is kept, change
# the password here together with the one above.
DATABASE_URL=postgres://postgres:postgres@localhost:5432/oxicloud
# -----------------------------------------------------------------------------
# AUTHENTICATION CONFIGURATION
# -----------------------------------------------------------------------------
# JWT secret key for signing authentication tokens
# If not set, a secure secret is auto-generated and persisted to
# <STORAGE_PATH>/.jwt_secret so tokens survive container restarts.
# You only need to set this if you want to share the same secret
# across multiple OxiCloud instances or control it externally.
# Generate a custom secret with: openssl rand -hex 32
# (that command prints 32 random bytes as 64 hex characters)
# NOTE(review): anyone who can read this value, or the persisted .jwt_secret
# file, can presumably sign tokens the server will accept. Keep both readable
# only by the service account, and exclude them from shared backups, images and
# version control. Changing the secret presumably invalidates tokens that were
# already issued - confirm before rotating on a live instance.
#OXICLOUD_JWT_SECRET=
# Access token lifetime in seconds (default: 3600 = 1 hour)
# A shorter lifetime limits how long a leaked access token stays usable.
#OXICLOUD_ACCESS_TOKEN_EXPIRY_SECS=3600
# Refresh token lifetime in seconds (default: 2592000 = 30 days)
# NOTE(review): whether refresh tokens can be revoked server-side is not
# visible in this file; if they cannot, this value is the upper bound on how
# long a stolen refresh token remains valid.
#OXICLOUD_REFRESH_TOKEN_EXPIRY_SECS=2592000
# -----------------------------------------------------------------------------
# FEATURE FLAGS
# -----------------------------------------------------------------------------
# Boolean switches; every entry below is commented out, so the defaults stated
# in each description apply.
# Enable/disable authentication system (default: true)
# NOTE(review): setting this to false presumably leaves files and the API
# reachable without a login - confirm the exact behaviour, and only do so on an
# isolated network with OXICLOUD_SERVER_HOST kept at 127.0.0.1.
#OXICLOUD_ENABLE_AUTH=true
# Enable per-user storage quotas (default: false)
# NOTE(review): with quotas off, nothing in this file limits how much disk a
# single account can consume; rely on filesystem or volume limits if that matters.
#OXICLOUD_ENABLE_USER_STORAGE_QUOTAS=false
# Enable file/folder sharing (default: true)
# Share links are generated from OXICLOUD_BASE_URL (see server configuration).
#OXICLOUD_ENABLE_FILE_SHARING=true
# Enable trash/recycle bin functionality (default: true)
#OXICLOUD_ENABLE_TRASH=true
# Enable search functionality (default: true)
#OXICLOUD_ENABLE_SEARCH=true
# -----------------------------------------------------------------------------
# OPENID CONNECT (OIDC) / SSO CONFIGURATION
# -----------------------------------------------------------------------------
# Settings for delegating login to an external identity provider (IdP).
# Enable OIDC authentication (default: false)
OXICLOUD_OIDC_ENABLED=false
# OIDC provider issuer URL (required if OIDC enabled)
# Example: https://auth.example.com/application/o/oxicloud/
# Use an https:// issuer so provider metadata and tokens are not exchanged over
# an unencrypted connection.
#OXICLOUD_OIDC_ISSUER_URL=
# OIDC client ID (required if OIDC enabled)
#OXICLOUD_OIDC_CLIENT_ID=
# OIDC client secret (required if OIDC enabled)
# Stored in clear text once set: keep the .env out of version control and
# readable only by the service account.
#OXICLOUD_OIDC_CLIENT_SECRET=
# Callback URL after OIDC authentication (must match IdP config)
# Default: http://localhost:8086/api/auth/oidc/callback
# NOTE(review): the default is http:// on localhost. For a deployed instance
# use the public https:// URL, and register that exact URI at the IdP rather
# than a wildcard pattern.
#OXICLOUD_OIDC_REDIRECT_URI=http://localhost:8086/api/auth/oidc/callback
# OIDC scopes to request (default: openid profile email)
#OXICLOUD_OIDC_SCOPES=openid profile email
# Frontend URL to redirect after successful OIDC login
# Default: http://localhost:8086
#OXICLOUD_OIDC_FRONTEND_URL=http://localhost:8086
# Auto-create users on first OIDC login (JIT provisioning) (default: true)
# NOTE(review): with the default, every identity the IdP authenticates for this
# client gets an OxiCloud account on first login. Restrict who may use the
# application on the IdP side, or set this to false and create accounts
# explicitly.
#OXICLOUD_OIDC_AUTO_PROVISION=true
# Comma-separated list of OIDC groups that grant admin role
# Example: admins,cloud-admins
# NOTE(review): admin rights then depend on group membership asserted by the
# IdP. Confirm which claim carries the groups, and that users cannot add
# themselves to these groups at the IdP.
#OXICLOUD_OIDC_ADMIN_GROUPS=
# Disable password-based login entirely when OIDC is active (default: false)
# NOTE(review): with the default, local passwords remain a second login path
# next to SSO, presumably outside IdP policies such as MFA - confirm, and
# consider setting this to true once SSO login is verified to work.
#OXICLOUD_OIDC_DISABLE_PASSWORD_LOGIN=false
# Display name for the OIDC provider shown in UI (default: SSO)
#OXICLOUD_OIDC_PROVIDER_NAME=SSO
# -----------------------------------------------------------------------------
# WOPI (WEB APPLICATION OPEN PLATFORM INTERFACE) CONFIGURATION
# -----------------------------------------------------------------------------
# Enable WOPI integration for office document editing (default: false)
# Used with Collabora, OnlyOffice, or other WOPI-compatible editors
OXICLOUD_WOPI_ENABLED=false
# URL to the WOPI client's discovery endpoint
# Example for Collabora: http://collabora:9980/hosting/discovery
# Example for OnlyOffice: http://onlyoffice/hosting/discovery
# NOTE(review): both examples are plain http:// on container hostnames. That
# suits a private compose network; use https:// if the editor is reached across
# an untrusted network.
#OXICLOUD_WOPI_DISCOVERY_URL=
# Secret key for signing WOPI access tokens
# Falls back to OXICLOUD_JWT_SECRET if not set
# NOTE(review): with the fallback, one key signs both login tokens and WOPI
# access tokens. Setting a separate value (e.g. from openssl rand -hex 32)
# keeps the two token types under independent keys, so each can be rotated
# without affecting the other.
#OXICLOUD_WOPI_SECRET=
# WOPI access token lifetime in seconds (default: 86400 = 24 hours)
# These tokens are handed to the external editor, so a shorter lifetime limits
# how long a leaked token can be used against the documents it covers.
#OXICLOUD_WOPI_TOKEN_TTL_SECS=86400
# WOPI lock expiration in seconds (default: 1800 = 30 minutes)
#OXICLOUD_WOPI_LOCK_TTL_SECS=1800
# -----------------------------------------------------------------------------
# MEMORY ALLOCATOR TUNING (IMPORTANT FOR RAM USAGE)
# -----------------------------------------------------------------------------
# OxiCloud uses mimalloc as its global memory allocator for performance.
# By default, mimalloc RETAINS freed memory in internal free-lists instead of
# returning it to the operating system. This causes the process RSS to grow
# over time (e.g., after large file uploads or password hashing) and never
# shrink back — even though the application has already freed that memory.
#
# In containerized / memory-constrained environments (Docker, K8s, VPS with
# limited RAM), this is critical: without these settings, the container can
# appear to "leak" hundreds of MiB that are actually just retained by the
# allocator.
#
# These variables are read directly by the mimalloc C library at startup.
# They are NOT OxiCloud-specific — they are part of mimalloc's official API.
# Docs: https://microsoft.github.io/mimalloc/environment.html
# Because they are read at startup, a change takes effect only after the
# process is restarted.
# MIMALLOC_PURGE_DELAY: Delay (in ms) before freed memory is returned to the OS.
# 0 = return immediately (RECOMMENDED for Docker / limited RAM)
# -1 = never return (maximum performance, highest RAM usage)
# 10 = mimalloc default (slight delay for reuse optimization)
# Setting this to 0 can reduce idle RAM by 80-120 MiB in typical deployments.
# Active value: 0, the container recommendation listed above.
MIMALLOC_PURGE_DELAY=0
# MIMALLOC_ALLOW_LARGE_OS_PAGES: Use 2 MiB huge pages for allocations.
# 0 = disabled (RECOMMENDED for Docker — avoids RSS inflation from THP)
# 1 = enabled (better TLB performance on bare-metal servers with plenty of RAM)
# When enabled with Linux Transparent Huge Pages (THP), partially-used 2 MiB
# pages inflate the reported RSS by up to 20-30 MiB.
# Active value: 0 (large pages disabled), the container recommendation above.
MIMALLOC_ALLOW_LARGE_OS_PAGES=0