isardvdi.cfg.example

# Isard main config v2.20.0

# ------ Docker Compose ------------------------------------------------------

## This configuration should generate docker-compose file for the following
## flavour
## Values: (first value is the default one)
##  - all-in-one: all services in one docker-compose file
##  - hypervisor: hypervisor and related service to access to their desktops
##  - hypervisor-standalone: hypervisor without related services
##  - video-standalone: services to access to desktops
##  - storage: service to manage desktops disks
##  - web: services to manage desktops
##  - monitor: monitoring only host (grafana/loki/prometheus)
##  - web+monitor: web and monitor flavours combined
##  - backupninja: standalone backups
##  - check: standalone check service
##  - nextcloud: starts an standalone IsardVDI Nextcloud Personal Units [EXPERIMENTAL]
##  - haproxy: Only to build portal/video/monitor/nc proxy base image
#FLAVOUR=all-in-one

## This configuration should generate docker-compose file for the following
## usage
## Values: (first value is the default one)
##  - production: docker-compose file without build section
##      ready to pull and up
##      (see also: https://github.com/docker/compose/issues/7873)
##  - build: like production with build section
##  - test: like build with docker services to run tests
##  - devel: like test and host source code are mounted into docker volumes
#USAGE=production

## Should stats service will be included
## Values: (first value is the default one)
##  - true: add stats service
##  - false: doesn't add stats sercice
#ENABLE_STATS=true

# ------ Domain --------------------------------------------------------------
## This server main public domain/ip.
## NOTE: In infrastructure hypervisors should be the reacheable ip/dns from 
##       isard-engine
DOMAIN=localhost

## Allow DOMAIN as IP addr. Select true in production and use a valid domain.
## https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/01-Information_Gathering/04-Enumerate_Applications_on_Webserver
#FORBID_DOMAIN_IP=false

## Allowed CORS. By default will not restrict (testing/develop)
## Set it to your main web domain for all your isard servers in production.
#CORS=*

# ------ Admin password ------------------------------------------------------
## Initial WEB admin user password. Used also in grafana, influxdb
## and authenticated backend paths (/debug/...)
WEBAPP_ADMIN_PWD=IsardVDI

# ------ Frontend Bookings ---------------------------------------------------
## Will show/hide Resource bookings menu.
#FRONTEND_SHOW_BOOKINGS=False

# ------ Frontend Temporal ---------------------------------------------------
## Will show/hide temporal desktops tab.
#FRONTEND_SHOW_TEMPORAL=True

# ------ Frontend Documentation URI ------------------------------------------
## Documentation URI where the user will be redirected.
FRONTEND_DOCS_URI=https://isard.gitlab.io/isardvdi-docs/
FRONTEND_VIEWERS_DOCS_URI=https://isard.gitlab.io/isardvdi-docs/user/viewers/viewers/

# ------ Frontend Direct Viewer cookie ---------------------------------------
## Where will the direct viewer cookie be retrieved from.
## Values: (first value is the default one)
## - browser
## - url
DIRECTVIEWER_MODE=browser

# ------ Notifier ------------------------------------------------------------
## Email credentials that will be used to send email notifications.
# NOTIFY_EMAIL=True
# NOTIFY_EMAIL_SMTP_SERVER=smtp.gmail.com
# NOTIFY_EMAIL_SMPT_PORT=587
# NOTIFY_EMAIL_USERNAME=example@isardvdi.com
# NOTIFY_EMAIL_PASSWORD=IsardVDI

# ------ Nextcloud Personal Units -- [EXPERIMENTAL]---------------------------
## Will start a docker Nextcloud instance integrated into IsardVDI Personal
## units. Other Nextcloud providers can be set at admin resources page.
#NEXTCLOUD_INSTANCE=false
#NEXTCLOUD_AUTO_REGISTER=true
#NEXTCLOUD_ADMIN_USER=isardvdi
#NEXTCLOUD_ADMIN_PASSWORD=<defaults to WEBAPP_ADMIN_PWD>

# ------ Secrets -------------------------------------------------------------
## Generate your own SECRETS!
## openssl rand -base64 32
WEBAPP_SESSION_SECRET=xq0Z3MP5ujxrQxtMGxgPiijH9xpuxkyP04R6At/V+g4=
API_ISARDVDI_SECRET=kpWpdF0NtI2XCEfzMp36hdSV9S42E7axS8D5TvP9c0A=
API_HYPERVISORS_SECRET=B5/bUEUzIC+AjNQRmFh3vxR3VeIKirwdeL/xuHPVO+E=

# ------ Letsencrypt certificate ---------------------------------------------
## You can use your own certificates if you concatenate into 
## /opt/isard/certs/default/chain.pem
## You can let isard generate autosigned certs (not recommended as
## html5 viewers will not work.
## Or you can let isard generate letsencrypt certs for your domain.
## For this option to work be sure the DOMAIN points to this IP.
## To avoid using letsencrypt let this variable commented.
## The email will be used by letsencrypt to notify you expirations
## although the renovation will be automatic.
#LETSENCRYPT_EMAIL=

# ------ Sessions ------------------------------------------------------------
# Maximum valid session time. If this duration is exceeded, the user won't be able to renew
# the session. This time is counted since the user login.
# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
SESSIONS_SESSIONS_MAX_TIME=8h
# Maximum time a user will be able to renew their session. If this duration is exceeded, the user won't be able to renew
# the session. Renewals are automatically done by the frontend every time the user performs an action.
# This time is counted since the last session renewal
# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
SESSIONS_SESSIONS_MAX_RENEW_TIME=30m
# Maximum time a token will be valid. If this duration is exceeded, token won't be able to be used
# for any action. This time is counted since the last session renewal
# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
SESSIONS_SESSIONS_EXPIRATION_TIME=5m
# Whether the sessions service will perform an remote addresss control. If this is enabled, the sessions service will
# only allow one remote_address per session. So, for example, if a user logs in with a network connection, and moves to another
# one, it will reach the limit. If the limit is reached, the sessions service will return an error to the user
# This is done to further prevent token replay attacks, as the attacker would need to have the same IP as the client.
#SESSIONS_SESSIONS_REMOTE_ADDR_CONTROL=false
# The hostname of the Redis
#SESSIONS_SESSIONS_REDIS_HOST=isard-redis
# The port of the Redis
#SESSIONS_SESSIONS_REDIS_PORT=6379
# The username of the Redis
#SESSIONS_SESSIONS_REDIS_USR=
# The password of the Redis
#SESSIONS_SESSIONS_REDIS_PWD=
# The sessions database in the Redis
#SESSIONS_SESSIONS_REDIS_DB=1
# The address where the sessions service will listen to gRPC connections (empty is equivalent to 0.0.0.0)
#SESSIONS_SESSIONS_GRPC_HOST=
# The port where the sessions service will listen to gRPC connections
#SESSIONS_SESSIONS_GRPC_PORT=1312

# ------ Authentication ------------------------------------------------------

# The address of the notifier service
#AUTHENTICATION_NOTIFIER_ADDRESS=http://isard-notifier:5000

# Whether rate limiting for form authentication is enabled
AUTHENTICATION_AUTHENTICATION_LIMITS_ENABLED=true
# The number of attempts a user can fail before being rate limited
AUTHENTICATION_AUTHENTICATION_LIMITS_MAX_ATTEMPTS=10
# The time duration that the user will be unable to login if gets rate limited
# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
AUTHENTICATION_AUTHENTICATION_LIMITS_RETRY_AFTER=1m
# This factor will be powered against the RETRY_AFTER and the number of failed attempts after being rate limited.
# So, for example, given
# MAX_ATTEMPTS=10
# RETRY_AFTER=1m
# INCREMENT_FACTOR=2
# And the user fails the authentication for 13th time in a row, the user will have to wait (13 - 10) ^ 2 * 1m -> 9 minutes
# before being able to log in again
AUTHENTICATION_AUTHENTICATION_LIMITS_INCREMENT_FACTOR=2
# The maximum time an user will be rate limited
AUTHENTICATION_AUTHENTICATION_LIMITS_MAX_TIME=15m

## Local
### Local authentication against isard database
#AUTHENTICATION_AUTHENTICATION_LOCAL_ENABLED=true

## LDAP
#AUTHENTICATION_AUTHENTICATION_LDAP_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_LDAP_PROTOCOL=ldap
#AUTHENTICATION_AUTHENTICATION_LDAP_HOST=
#AUTHENTICATION_AUTHENTICATION_LDAP_PORT=389

### Credentials used for querying the LDAP
#AUTHENTICATION_AUTHENTICATION_LDAP_BIND_DN=
#AUTHENTICATION_AUTHENTICATION_LDAP_PASSWORD=

### Base Search is the DN that all the users share, e.g. ou=people,dc=example,dc=com
#AUTHENTICATION_AUTHENTICATION_LDAP_BASE_SEARCH=
### Filter is the actual filter used to search users. The '%s' represents the user that is sent through the form
### More information: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
#AUTHENTICATION_AUTHENTICATION_LDAP_FILTER="(&(objectClass=person)(uid=%s))"

### These are the fields that the LDAP search responds. For example, in some installations, the field for the email is called 'mail'
### Then, a regex is applied to this field, in case we needed to filter inside a LDAP field. By default it collects the whole field. The 
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_UID=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_UID=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_USERNAME=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_USERNAME=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_NAME=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_NAME=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_EMAIL=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_EMAIL=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_PHOTO=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_PHOTO=.*

### Auto Register the existing ldap users into IsardVDI
#AUTHENTICATION_AUTHENTICATION_LDAP_AUTO_REGISTER=false
### Only the users that belong to one of these groups will be autoregistered (comma separated)
#AUTHENTICATION_AUTHENTICATION_LDAP_AUTO_REGISTER_GROUPS=

### Try guessing the category based in the LDAP search results (must have AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_CATEGORY configured)
#AUTHENTICATION_AUTHENTICATION_LDAP_GUESS_CATEGORY=false
### These are the fields that the LDAP search responds. For example, in some installations, the field for the group is called 'group'
### Then, a regex is applied to this field, in case we needed to filter inside a LDAP field. By default it collects the whole field. The 
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_CATEGORY=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_CATEGORY=.*
#AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_GROUP=
#AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_GROUP=.*
### If this is configured, this will set a default group when autoregistering a user
### This is only advised to be configured if you have users without a group, otherwise don't configure it
### It's the equivalent of AUTHENTICATION_AUTHENTICATION_LDAP_FIELD_GROUP with AUTHENTICATION_AUTHENTICATION_LDAP_REGEX_GROUP applied to it
#AUTHENTICATION_AUTHENTICATION_LDAP_GROUP_DEFAULT=
### The base search for listing all the roles of a user
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_LIST_SEARCH_BASE=
### Filter is the actual filter used to search all the roles of a user. The '%s' represents the user that is sent through the form
### More information: https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_LIST_FILTER="(&(objectClass=posixGroup)(memberUid=%s))"
# If this field is set to true, use the full DN instead of the user that is sent through the form to search for the user roles
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_LIST_USE_USE_DN=false
### The field that contains the roles in the AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_LIST_FILTER search
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_LIST_FIELD=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_LIST_REGEX=.*
### All the users that are in at least one of the roles specified here, will be created in the admin role (comma separated)
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_ADMIN_IDS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_MANAGER_IDS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_ADVANCED_IDS=
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_USER_IDS=
# This is the default role that users will have if they don't match in any of the previous roles.
# Values can be 'admin', 'manager', 'advanced', 'user'
#AUTHENTICATION_AUTHENTICATION_LDAP_ROLE_DEFAULT=user

## SAML
#AUTHENTICATION_AUTHENTICATION_SAML_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_SAML_METADATA_URL=
## If the key and cert files don't exist, they will be self signed automatically
#AUTHENTICATION_AUTHENTICATION_SAML_KEY_FILE=/keys/isardvdi.key
#AUTHENTICATION_AUTHENTICATION_SAML_CERT_FILE=/keys/isardvdi.cert
## DO NOT CHANGE THIS UNLESS YOU KNOW WHAT YOU'RE DOING
## Set the maximum time between the initial login request and the response
#AUTHENTICATION_AUTHENTICATION_SAML_MAX_ISSUE_DELAY=90s

### These are the fields that the SAML search responds. For example, in some installations, the field for the email is called 'mail'
### Then, a regex is applied to this field, in case we needed to filter inside a SAML field. By default it collects the whole field. The 
### regex match tries to extract the first group, but if there's no group it will extract the whole match
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_UID=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_UID=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_USERNAME=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_USERNAME=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_NAME=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_NAME=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_EMAIL=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_EMAIL=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_PHOTO=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_PHOTO=.*
# TODO: We need to document this configuration options (see LDAP configuration options)
#AUTHENTICATION_AUTHENTICATION_SAML_AUTO_REGISTER=false
### Only the users that belong to one of these groups will be autoregistered (comma separated)
#AUTHENTICATION_AUTHENTICATION_SAML_AUTO_REGISTER_ROLES=
#AUTHENTICATION_AUTHENTICATION_SAML_GUESS_CATEGORY=false
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_CATEGORY=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_CATEGORY=.*
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_GROUP=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_GROUP=.*
#AUTHENTICATION_AUTHENTICATION_SAML_GROUP_DEFAULT=default
#AUTHENTICATION_AUTHENTICATION_SAML_GUESS_ROLE=false
#AUTHENTICATION_AUTHENTICATION_SAML_FIELD_ROLE=
#AUTHENTICATION_AUTHENTICATION_SAML_REGEX_ROLE=.*
### All the users that match with the FIELD_ROLE in at least one of the IDs specified here, will be created in the admin role (comma separated)
#AUTHENTICATION_AUTHENTICATION_SAML_ROLE_ADMIN_IDS=
#AUTHENTICATION_AUTHENTICATION_SAML_ROLE_MANAGER_IDS=
#AUTHENTICATION_AUTHENTICATION_SAML_ROLE_ADVANCED_IDS=
#AUTHENTICATION_AUTHENTICATION_SAML_ROLE_USER_IDS=
# This is the default role that users will have if they don't match in any of the previous groups.
# Values can be 'admin', 'manager', 'advanced', 'user'
#AUTHENTICATION_AUTHENTICATION_SAML_ROLE_DEFAULT=user

## Google
### Create your Google OAUTH credentials at https://console.developers.google.com/apis/credentials
### Authorized redirect URIs: https://domain.tld/authentication/callback
#AUTHENTICATION_AUTHENTICATION_GOOGLE_ENABLED=false
#AUTHENTICATION_AUTHENTICATION_GOOGLE_CLIENT_ID=id
#AUTHENTICATION_AUTHENTICATION_GOOGLE_CLIENT_SECRET=secret

# ------ Backups -------------------------------------------------------------

## Automated backups (https://0xacab.org/liberate/backupninja)
# If BACKUP_NFS_ENABLED is not enabled it will use this directory to create backups
# If BACKUP_NFS_ENABLED is enabled then this variable should be commented
#BACKUP_DIR=/opt/isard-local/backup

# If nfs enabled you need to set server and folder also
#BACKUP_NFS_ENABLED=false
#BACKUP_NFS_SERVER=172.16.0.10
#BACKUP_NFS_FOLDER=/remote/backupfolder

#BACKUP_DB_ENABLED=false
#BACKUP_DB_WHEN="everyday at 01"
#BACKUP_DB_PRUNE="--keep-weekly=8 --keep-monthly=12 --keep-within=14d --save-space"

#BACKUP_REDIS_ENABLED=false
#BACKUP_REDIS_WHEN="everyday at 01"
#BACKUP_REDIS_PRUNE="--keep-weekly=8 --keep-monthly=12 --keep-within=14d --save-space"

#BACKUP_STATS_ENABLED=false
#BACKUP_STATS_WHEN="everyday at 01"
#BACKUP_STATS_PRUNE="--keep-weekly=8 --keep-monthly=12 --keep-within=14d --save-space"

#BACKUP_CONFIG_ENABLED=false
#BACKUP_CONFIG_WHEN="everyday at 01"
#BACKUP_CONFIG_PRUNE="--keep-weekly=8 --keep-monthly=12 --keep-within=14d --save-space"

#BACKUP_DISKS_ENABLED=false
#BACKUP_DISKS_WHEN="everyday at 01"
#BACKUP_DISKS_PRUNE="--keep-weekly=4 --keep-monthly=3 --keep-within=7d --save-space"
#BACKUP_DISKS_TEMPLATES_ENABLED=false
#BACKUP_DISKS_GROUPS_ENABLED=false
#BACKUP_DISKS_MEDIA_ENABLED=false

##################################################################
##################################################################
## DO NOT EDIT FROM HERE UNLESS YOU KNOW WHAT YOU ARE DOING !!! ##
##################################################################
##################################################################

# ------ Docker images prefix ------------------------------------------------
## Image prefix that could include registry and repository
DOCKER_IMAGE_PREFIX=registry.gitlab.com/isard/isardvdi/

# ------ Docker images tags --------------------------------------------------
## Image tag that could be tags or branches from the git repository
## Used for doing docker-compose pull
DOCKER_IMAGE_TAG=main

# Golang image used for building the Golang microservices images
GOLANG_BUILD_IMAGE=golang:1.23-alpine3.20
# Image used for running the images the Golang microservices images
GOLANG_RUN_IMAGE=alpine:3.20

# Image used in haproxy.build flavour to build base for all the HAProxy's
HAPROXY_RUN_IMAGE=haproxy:3.1.1-alpine3.21

## Image used to build isard-nextcloud flavour/instance
#NEXTCLOUD_BASE_IMAGE=nextcloud:28.0.1-fpm-alpine
## Image used for nextcloud nginx
#NEXTCLOUD_NGINX_IMAGE=nginx:1.25.2-alpine-slim
## Image used for nextcloud redis
#NEXTCLOUD_REDIS_IMAGE=redis:alpine3.20

# ------ Logs ----------------------------------------------------------------
LOG_LEVEL=INFO

## ------ HAPROXIES
## Comment/uncomment to deactivate/activate haproxy logging
## (by default will log only bad response status)
HAPROXY_LOGGING=.
## Comment/uncomment to deactivate/activate haproxy success response status
## (disabled by default)
#HAPROXY_LOGGING_NORMAL=.

# ------ QCOW2 images --------------------------------------------------------
## Cluster size used when creating qcow2 disk images
#QCOW2_CLUSTER_SIZE=4k
## Enable use of extended l2 entries when creating qcow2 disk images
## Options: on / off
#QCOW2_EXTENDED_L2=off

# ------ GPUS --------------------------------------------------------------
## ----- NVIDIA
## New hypervisor: Engine will try to scan new hyper for NVIDIA GPUs and
##                 will also setup them.
#GPU_NVIDIA_SCAN=false

## Enabled existing hyper: Existing hyper will be scanned for NVIDIA GPUs
##                         when enabled (from disabled) at web interface.
#GPU_NVIDIA_RESCAN=false

## Only start desktops with GPU reservables (avoid )
#GPU_ONLY=false

## GPU guests reserved hypervisor memory (GB). Only applies when more than
## one hypervisor is online (and not forced) in the system.
## NOTE: Setting this parameter will disable GPU_ONLY as it's desired
##       behaviour is somewhat dynamic, based on memory available.
#GPU_ONLY_MEM=0

# ------ ENGINE BALANCERS ---------------------------------------------------
## Available balancers: round_robin, available_ram, available_ram_percent,
##                      less_cpu, less_cpu_till_low_ram,
##                      less_cpu_till_low_ram_percent
## ----- Hypervisors balancer
#ENGINE_HYPER_BALANCER=available_ram_percent
## ----- Disk operations balancer
#ENGINE_DISK_BALANCER=less_cpu

# ------ ENGINE TELEGRAM ---------------------------------------------------
## Will notify this bot/chat if system not fully operational
#TELEGRAM_ENGINE_TOKEN=
#TELEGRAM_ENGINE_CHAT_ID=

##################################################################
## INFRASTRUCTURE PARAMETERS. Used on remote hypervisors        ##
##################################################################
## Remote hypervisors can be:
## docker-compose.hypervisor.yml: Will have an isard-video
## docker-compose.hypervisor-standalone.yml: Will get video on 
## the VIDEO_HYPERVISOR_PORTS from the VIDEO_DOMAIN isard-video host.

# ------ Hypervisor Identifier -----------------------------------------------
## Set it to a unique name for hypervisor
#HYPER_ID=isard-hypervisor
## Hypervisor can be disabled when entering system with false value
#HYPER_ENABLED=true
## Hypervisor with hypervisor capabilities
#CAPABILITIES_HYPER=true
## Disk capabilities
#CAPABILITIES_DISK=true

## Comma-separated virtualization pool ids that can be used to start desktops
## At least one isard-storage should be registered with each virt pool
## NOTE: If not defined, will default to CAPABILITIES_STORAGE_POOLS
#CAPABILITIES_VIRT_POOLS=00000000-0000-0000-0000-000000000000

## Comma-separated storage pool ids that can be used for disk operations
#CAPABILITIES_STORAGE_POOLS=00000000-0000-0000-0000-000000000000

# ------ Hypervisor options ---------------------------------------------------
## ONLY_FORCED_HYP enables only_forced option to only get domains with
## forced_hyp. Values:
## - false (default): get any domain
## - true: only get domains with forced_hyp
#ONLY_FORCED_HYP=false

# WARNING: By default only DOCKER_NET and self hypervisor is BLOCKED for guest
# Comma separated CIDR networks you want guests to be BLOCKED access
#BLACKLIST_IPTABLES=10.10.10.0/24
# Comma separated CIDR networks you want guests to be ALLOWED access
#WHITELIST_IPTABLES=10.10.10.0/24

# Memory free at hypervisor
## How much memory (in GB) has to be kept free while starting desktops.
## Engine will fail starting desktops till it has enough free memory against
## Máximum memory for starting guests = Hypervisor memory - HYPER_FREEMEM
#HYPER_FREEMEM=0

# Buffering hypervisor
## If this is set to true, the hypervisor will be used as a "buffer" when
## the orchestrator needs to scale up
#BUFFERING_HYPER=false

# ------ Database host -------------------------------------------------------
## Where is the database reacheable?
## Not needed for remote hypervisors, only to split main web install.
#RETHINKDB_HOST=isard-db
#RETHINKDB_PORT=28015
#RETHINKDB_DB=isard

# ------ Authentication host -------------------------------------------------

# Authentication host
## Where is isard-authentication reacheable from clients browser?
## Not needed for remote hypervisors, only to split main web install.
#AUTHENTICATION_AUTHENTICATION_HOST=$DOMAIN
#AUTHENTICATION_DB_HOST=isard-db

# ------ Api host ------------------------------------------------------------
## Where can this host reach the isard-api host?
## Need to be set for flavours:
##   - hypervisor
##   - hypervisor-standalone
#API_DOMAIN=isard-api

# ------ Static nginx host ----------------------------------------------------
## Where the clients browsers will load static when connecting to this host 
## html5 video?
## Need to be set for flavours:
##   - hypervisor
##   - hypervisor-standalone
#STATIC_DOMAIN=$DOMAIN

# ------ Vpn host ------------------------------------------------------------
## Where can this host reach the isard-vpn host?
## Need to be set for flavours:
##   - hypervisor
##   - hypervisor-standalone
#VPN_DOMAIN=isard-vpn

## The vpn mtu will allow for infrastructure connection (allow it in your
## switches)
## If using Internet to connect remote hypers this should be lowered.
## https://keremerkan.net/posts/wireguard-mtu-fixes/
## https://mail.openvswitch.org/pipermail/ovs-discuss/2018-June/046932.html
#VPN_MTU=1600

# ------ Storage host --------------------------------------------------------
## Where can api host reach this isard-storage host?
## Need to be set for flavours:
##   - storage
##   - hypervisor
##   - hypervisor-standalone
#STORAGE_DOMAIN=isard-storage

# ------ WEB PORTS -----------------------------------------------------------
# Note: On web flavours, if you set this variables you may also change
#       accordingly the VIEWER_SPICE and VIEWER_BROWSER ports
#HTTP_PORT=8081
#HTTPS_PORT=8443

# ------ Bastion -------------------------------------------------------------
# TODO: Document this
#BASTION_ENABLED=false
#BASTION_SSH_PORT=2222

# ------ Video proxy host ----------------------------------------------------
## Where will the client browser reach isard-video to this host?
## Need to be set for flavours: 
##   - video-standalone (to generate letsencrypt certs)
##   - hypervisor (to generate letsencrypt certs and set up hyper in db)
##   - hypervisor-standalone ( to set up hyper in db)
#VIDEO_DOMAIN=$DOMAIN

# ------ Video external NAT ports --------------------------------------------
## Where the users browsers will connect to get the video stream for
## their guests started in this hypervisor? (outside NAT ports)
#VIEWER_SPICE=80
#VIEWER_BROWSER=443
#VIEWER_RDPGW=9999

# ------ Video proxy ACL -----------------------------------------------------
## Is this host hosting the isard-video for other hypervisor-standalone
## servers? Then allow here only the hostnames for those hypervisors as
## seen from this host with comma (,) delimiters:
#VIDEO_HYPERVISOR_HOSTNAMES=isard-hypervisor
#VIDEO_HYPERVISOR_PORTS=5900-7899

# ------ Vide proxy settings -------------------------------------------------
## This is the inactivity timeout when the proxy will close the RDP connection.
## The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
## The duration will be trucated up to minutes
#RDPGW_IDLE_TIMEOUT=30m
#RDPGW_API_ADDR=isard-api:5000

# ------ Docker networking ---------------------------------------------------
## Assign a docker /24 network. The host part will be set by system
## You should avoid setting a network that exists in your infrastructure
## or in isard configuration. Set only the /24 part!
#DOCKER_NET=172.31.255

# ------ Guests networking ---------------------------------------------------
## All the sub networks needed for infrastructure wireguard will
## fall within this sub networks
WG_MAIN_NET=10.0.0.0/14

## Users at home will get a unique /32 IP from this range.
## Set a network that will allow as many clients as you will have.
WG_USERS_NET=10.0.0.0/16

## UDP port for users at home to connect wireguard to this server.
WG_USERS_PORT=443

## Only in infrastructure this will be used by remote hypers to 
## send wireguard guests network to the main Isard. 
WG_HYPERS_NET=10.1.0.0/24

## UDP port for remote hypervisors to connect to this server.
WG_HYPERS_PORT=4443

## This is the main range to be used by wireguard interface in
## guests in your system. Will be subdivided in smaller ranges
## for each hypervisor.
WG_GUESTS_NETS=10.2.0.0/16

## 23: 512 GUESTS -2
## 24: 256 GUESTS -2
## Each hypervisor will get one subnet from WG_GUESTS_NETS
## Last network will be subdivided /29 to connect wireguard hyper
## clients (isard-vpnc) to the wireguard server (isard-vpn)
WG_GUESTS_DHCP_MASK=23
## This sets a reserved dhcp range if you want.
WG_GUESTS_RESERVED_HOSTS=20

# ------ Trunk port & vlans --------------------------------------------------
## Uncomment to map host interface name inside hypervisor container.
## If static vlans are commented then hypervisor will initiate an 
## auto-discovery process. The discovery process will last for 260
## seconds and this will delay the hypervisor from being available.
## So it is recommended to set also the static vlans.
## Note: It will create VlanXXX automatically on webapp. You need to
##       assign who is allowed to use this VlanXXX interfaces.
#HYPERVISOR_HOST_TRUNK_INTERFACE=

## This environment variable depends on previous one. When setting
## vlans number comma separated it will disable auto-discovery and
## fix this as forced vlans inside hypervisor.
#HYPERVISOR_STATIC_VLANS=

## NOTE: The interface name should not be changed from defaults.
##       Newer kernels use cgroups2 that doens't work. To get the
##       old cgroups add to /etc/default/grub:
##        GRUB_CMDLINE_LINUX="systemd.unified_cgroup_hierarchy=0"
##       and update-grub, and reboot.

# ------ Override hosts in isard-portal haproxy ------------------------------
#WEBAPP_HOST=isard-webapp

# ------ Redis ---------------------------------------------------------------

# Redis password
## The password used with AUTH inside redis connections.
## WARNING it is sent unencrypted, so the connection should be securized.
## See also https://redis.io/docs/management/security/
#REDIS_PASSWORD=

# Redis host
## Where can isard-api and isard-storage host reach isard-redis host?
## Need to be set for flavours:
##   - storage
##   - hypervisor
##   - hypervisor-standalone
#REDIS_HOST=isard-redis
#REDIS_PORT=6379

# Redis workers
## Amount of workers used by the isard-storage service
## WARNING: The increase of workers could lead to cpu overload
#REDIS_WORKERS=1

##################################################################
## STATS PARAMETERS                                             ##
##################################################################

# ------ Grafana ------------------------------------------------------
## Use GRAFANA_HOST to connect to an internal infrastructure grafana
## server at port :3000 through portal proxy https://[DOMAIN]/monitor
#GRAFANA_HOST=isard-grafana

## Use GRAFANA_WEBAPP_URL to set custom full url to your publicy accessible
## Grafana login from the webapp menu
#GRAFANA_WEBAPP_URL=https://[DOMAIN]:[PORT]/[PATH]

# Documentation: https://isard.gitlab.io/isardvdi-formacion/monitoring/alerts/#grafana-customizations
# This variable is used for provisioning alerts in Grafana
#GRAFANA_TELEGRAM_TOKEN=
#GRAFANA_TELEGRAM_TOKEN_ORCHESTRATOR=
#GRAFANA_TELEGRAM_CHAT_ID=
#GRAFANA_TELEGRAM_CHAT_ID_ORCHESTRATOR=

# ------ Prometheus -----------------------------------------------------
#PROMETHEUS_ADDRESS=http://isard-prometheus:9090
#PROMETHEUS_RETENTION_TIME=40d

# ------ Stats -----------------------------------------------------
#STATS_DIRECTORY=/opt/isard/stats

# ------ Loki -----------------------------------------------------
#LOKI_ADDRESS=http://isard-loki:3100
#LOKI_RETENTION_TIME=40d


# ------ OCI Collector -----------------------------------------------------
#STATS_COLLECTORS_OCI_ENABLE=false
#TF_VAR_tenancy_ocid=
#TF_VAR_user_ocid=
#TF_VAR_fingerprint=
#TF_VAR_region=
#TF_VAR_private_key=

##################################################################
## CHECK PARAMETERS                                             ##
##################################################################
#CHECK_CHECK_IMAGE=registry.gitlab.com/isard/isardvdi/check-client:main


##################################################################
## INFRASTRUCTURE                                               ##
##################################################################

# Set this to true to enable IsardVDI infrastructure management (with isard-operations and isard-orchestrator)
#INFRASTRUCTURE_MANAGEMENT=false
# Set this to true if you want to test the infrastructure management. It won't run the actions
#INFRASTRUCTURE_DRY_RUN=false

# ------ Orchestrator -----------------------------------------------------
# The interval at which the infrastructure status is going to be checked
# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
#ORCHESTRATOR_ORCHESTRATOR_POLLING_INTERVAL=30s
# The timeout of the operations. If the timeout is reached, the operation fails and throws an error
# The format is the Go time duration: https://pkg.go.dev/time#ParseDuration
#ORCHESTRATOR_ORCHESTRATOR_OPERATIONS_TIMEOUT=15m
# The address of the operations gRPC service
#ORCHESTRATOR_ORCHESTRATOR_OPERATIONS_ADDRESS=isard-operations:1312
# The address of the check gRPC service
#ORCHESTRATOR_ORCHESTRATOR_CHECK_ADDRESS=isard-check:1312
# The API address is the address of isard-api, which is going to be used for both making orchestrator operations and for the check service
#ORCHESTRATOR_ORCHESTRATOR_API_ADDRESS=http://isard-api:5000
# The API secret is the secret used to sign JWT tokens in order to talk with isard-api. By default, it gets the
# value of API_ISARDVDI_SECRET
#ORCHESTRATOR_ORCHESTRATOR_API_SECRET=
# The director is the decision taker of the orchestrator.
# Available directors:
# - rata:      It has minimum resources thresholds for the whole hypervisor pools and the hypervisors themselves.
#              It doesnt take action unless those thresholds are not met
#
# - chamaleon: It works with the bookings systems to ensure there are always enough hypervisors for the bookings prepared
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR=
# This value is the minimum number of CPUs free in the whole hypervisor pool. If it's set to 0, there's no minimum
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_CPU=0
# This value is the same as ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_CPU. However, it's separated by hours.
# The syntax is a JSON map with a map, with the first key being the weekday (0-6, sunday-saturday) with the keys being the hours in a HH:MM format and the value being the RAM.
# If there's only one value, it's going to take it, even when it's out of range
# So, if for example, the map looks like `{"3":{"00:00": 50, "10:30": 100, "20:30": 150}, "5": {"00:00", 20}}` and the current day is monday and the current hour is 15:00h,
# the value is going to be "100"
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_CPU_HOURLY=
# This value is the minimum number of MB of RAM free in the whole hypervisor pool. If it's set to 0, there's no minimum
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_RAM=0
# This value is the same as ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_RAM. However, it's separated by hours.
# The syntax is a JSON map with a map, with the first key being the weekday (0-6, sunday-saturday) with the keys being the hours in a HH:MM format and the value being the RAM.
# If there's only one value, it's going to take it, even when it's out of range
# So, if for example, the map looks like `{"3":{"00:00": 50, "10:30": 100, "20:30": 150}, "5": {"00:00", 20}}` and the current day is monday and the current hour is 15:00h,
# the value is going to be "100"
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_RAM_HOURLY=
# This value is the maximum number of CPUs free in the whole hypervisor pool. If it's set to 0, there's no maximum
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MAX_CPU=0
# This value is the same as ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MAX_CPU. However, it's separated by hours.
# The syntax is a JSON map with a map, with the first key being the weekday (0-6, sunday-saturday) with the keys being the hours in a HH:MM format and the value being the RAM.
# If there's only one value, it's going to take it, even when it's out of range
# So, if for example, the map looks like `{"3":{"00:00": 50, "10:30": 100, "20:30": 150}, "5": {"00:00", 20}}` and the current day is monday and the current hour is 15:00h,
# the value is going to be "100"
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_RAM_LIMIT_PERCENT=0
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_RAM_LIMIT_PERCENT_HOURLY=
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_RAM_LIMIT_MARGIN=0
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MIN_RAM_LIMIT_MARGIN_HOURLY=
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MAX_CPU_HOURLY=
# This value is the maximum number of MB of RAM free in the whole hypervisor pool. If it's set to 0, there's no maximum
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MAX_RAM=0
# This value is the same as ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MAX_RAM. However, it's separated by hours.
# The syntax is a JSON map with a map, with the first key being the weekday (0-6, sunday-saturday) with the keys being the hours in a HH:MM format and the value being the RAM.
# If there's only one value, it's going to take it, even when it's out of range
# So, if for example, the map looks like `{"3":{"00:00": 50, "10:30": 100, "20:30": 150}, "5": {"00:00", 20}}` and the current day is monday and the current hour is 15:00h,
# the value is going to be "100"
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_MAX_RAM_HOURLY=
# This value is the minimum CPU number that a hypervisor needs to have in order to run.
# If it reaches the limit, the hypervisor is put at OnlyForced, which prevents more desktops to be started in the hypervisor
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_HYPER_MIN_CPU=0
# This value is the minimum MB of RAM that a hypervisor needs to have in order to run.
# If it reaches the limit, the hypervisor is put at OnlyForced, which prevents more desktops to be started in the hypervisor
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_HYPER_MIN_RAM=0
# This value is the maximum CPU number that a hypervisor can have free.
# If it reaches the limit, the hypervisor is removed from OnlyForced, and then desktops can be started in the hypervisor again
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_HYPER_MAX_CPU=0
# This value is the maximum MB of RAM that a hypervisor can have free.
# If it reaches the limit, the hypervisor is removed from OnlyForced, and then desktops can be started in the hypervisor again
#ORCHESTRATOR_ORCHESTRATOR_DIRECTOR_RATA_HYPER_MAX_RAM=0
# If this is set to true, it will run the check the hypervisor (using the isard-check service) before adding it for real
# ORCHESTRATOR_ORCHESTRATOR_CHECK_ENABLED=true
# This should be the ID of the template that is going to be used for checking if the hypervisors work correctly
#ORCHESTRATOR_ORCHESTRATOR_CHECK_TEMPLATE_ID=
# If this is set to true, the check service will fail if the maintenance mode is enabled
#ORCHESTRATOR_ORCHESTRATOR_CHECK_FAIL_MAINTENANCE_MODE=true
# If this is set to true, the check service will fail if it encounters a self signed certificate
#ORCHESTRATOR_ORCHESTRATOR_CHECK_FAIL_SELF_SIGNED=true