5.0.0 7.0.0 Added
Note that the links provided in the service column are non functional when clicked.
| Service | Variable | Description | Default |
|---|---|---|---|
| Special Scope Envvars | OCIS_ASSET_THEMES_PATH | Serve ownCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/web/assets/themes | /var/lib/ocis/web/assets/themes |
| OCIS_DISABLE_VERSIONING | Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version. | false | |
| OCIS_SHOW_USER_EMAIL_IN_RESULTS | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. | false | |
| OCIS_TRANSLATION_PATH | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | ||
| OCIS_WOPI_DISABLE_CHAT | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false | |
| Activitylog | ACTIVITYLOG_TRANSLATION_PATH | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | |
| Antivirus | ANTIVIRUS_WORKERS | The number of concurrent go routines that fetch events from the event queue. | 10 |
| Auth-App | AUTH_APP_DEBUG_ADDR | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | 127.0.0.1:9245 |
| AUTH_APP_DEBUG_PPROF | Enables pprof, which can be used for profiling. | false | |
| AUTH_APP_DEBUG_TOKEN | Token to secure the metrics endpoint. | ||
| AUTH_APP_DEBUG_ZPAGES | Enables zpages, which can be used for collecting and viewing traces in-memory. | false | |
| AUTH_APP_ENABLE_IMPERSONATION | Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments. | false | |
| AUTH_APP_GRPC_ADDR | The bind address of the GRPC service. | 127.0.0.1:9246 | |
| AUTH_APP_GRPC_PROTOCOL | The transport protocol of the GRPC service. | tcp | |
| AUTH_APP_JWT_SECRET | The secret to mint and validate jwt tokens. | ||
| AUTH_APP_LOG_COLOR | Activates colorized log output. | false | |
| AUTH_APP_LOG_FILE | The path to the log file. Activates logging to this file if set. | ||
| AUTH_APP_LOG_LEVEL | The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’. | ||
| AUTH_APP_LOG_PRETTY | Activates pretty log output. | false | |
| AUTH_APP_MACHINE_AUTH_API_KEY | The machine auth API key used to validate internal requests necessary to access resources from other services. | ||
| AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN | Disables the encoding of the user’s group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups. | false | |
| AUTH_APP_TRACING_COLLECTOR | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | ||
| AUTH_APP_TRACING_ENABLED | Activates tracing. | false | |
| AUTH_APP_TRACING_ENDPOINT | The endpoint of the tracing agent. | ||
| AUTH_APP_TRACING_TYPE | The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now. | ||
| Collaboration | COLLABORATION_APP_ADDR | The URL where the WOPI app is located, such as https://127.0.0.1:8080. | https://127.0.0.1:9980 |
| COLLABORATION_APP_DESCRIPTION | App description | Open office documents with Collabora | |
| COLLABORATION_APP_ICON | Icon for the app | image-edit | |
| COLLABORATION_APP_INSECURE | Skip TLS certificate verification when connecting to the WOPI app | false | |
| COLLABORATION_APP_LICENSE_CHECK_ENABLE | Enable license checking to edit files. Needs to be enabled when using Microsoft365 with the business flow. | false | |
| COLLABORATION_APP_NAME | The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like ‘CollaboraOnline’. | Collabora | |
| COLLABORATION_APP_PRODUCT | The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline. | Collabora | |
| COLLABORATION_APP_PROOF_DISABLE | Disable the proof keys verification | false | |
| COLLABORATION_APP_PROOF_DURATION | Duration for the proof keys to be cached in memory, using time.ParseDuration format. If the duration can’t be parsed, we’ll use the default 12h as duration | 12h | |
| COLLABORATION_CS3API_DATAGATEWAY_INSECURE | Connect to the CS3API data gateway insecurely. | false | |
| COLLABORATION_DEBUG_ADDR | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | 127.0.0.1:9304 | |
| COLLABORATION_DEBUG_PPROF | Enables pprof, which can be used for profiling. | false | |
| COLLABORATION_DEBUG_TOKEN | Token to secure the metrics endpoint. | ||
| COLLABORATION_DEBUG_ZPAGES | Enables zpages, which can be used for collecting and viewing in-memory traces. | false | |
| COLLABORATION_GRPC_ADDR | The bind address of the GRPC service. | 127.0.0.1:9301 | |
| COLLABORATION_GRPC_PROTOCOL | The transport protocol of the GRPC service. | tcp | |
| COLLABORATION_HTTP_ADDR | The bind address of the HTTP service. | 127.0.0.1:9300 | |
| COLLABORATION_LOG_COLOR | Activates colorized log output. | false | |
| COLLABORATION_LOG_FILE | The path to the log file. Activates logging to this file if set. | ||
| COLLABORATION_LOG_LEVEL | The log level. Valid values are: ‘panic’, ‘fatal’, ’error’, ‘warn’, ‘info’, ‘debug’, ’trace’. | ||
| COLLABORATION_LOG_PRETTY | Activates pretty log output. | false | |
| COLLABORATION_STORE | The type of the store. Supported values are: ‘memory’, ’nats-js-kv’, ‘redis-sentinel’, ’noop’. See the text description for details. | nats-js-kv | |
| COLLABORATION_STORE_AUTH_PASSWORD | The password to authenticate with the store. Only applies when store type ’nats-js-kv’ is configured. | ||
| COLLABORATION_STORE_AUTH_USERNAME | The username to authenticate with the store. Only applies when store type ’nats-js-kv’ is configured. | ||
| COLLABORATION_STORE_DATABASE | The database name the configured store should use. | collaboration | |
| COLLABORATION_STORE_NODES | A list of nodes to access the configured store. This has no effect when ‘memory’ store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | |
| COLLABORATION_STORE_TABLE | The database table the store should use. | ||
| COLLABORATION_STORE_TTL | Time to live for events in the store. Defaults to ‘30m’ (30 minutes). See the Environment Variable Types description for more details. | 30m0s | |
| COLLABORATION_TRACING_COLLECTOR | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | ||
| COLLABORATION_TRACING_ENABLED | Activates tracing. | false | |
| COLLABORATION_TRACING_ENDPOINT | The endpoint of the tracing agent. | ||
| COLLABORATION_TRACING_TYPE | The type of tracing. Defaults to ‘’, which is the same as ‘jaeger’. Allowed tracing types are ‘jaeger’ and ’’ as of now. | ||
| COLLABORATION_WOPI_DISABLE_CHAT | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false | |
| COLLABORATION_WOPI_PROXY_SECRET | Optional, the secret to authenticate against the ownCloud Office365 WOPI proxy. This secret can be obtained from ownCloud via the office365 proxy subscription. | ||
| COLLABORATION_WOPI_PROXY_URL | The URL to the ownCloud Office365 WOPI proxy. Optional. To use this feature, you need an office365 proxy subscription. If you become part of the Microsoft CSP program (https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), you can use WebOffice without a proxy. | ||
| COLLABORATION_WOPI_SECRET | Used to mint and verify WOPI JWT tokens and encrypt and decrypt the REVA JWT token embedded in the WOPI JWT token. | ||
| COLLABORATION_WOPI_SHORTTOKENS | Use short access tokens for WOPI access. This is useful for office packages, like Microsoft Office Online, which have URL length restrictions. If enabled, a persistent store must be configured. | false | |
| COLLABORATION_WOPI_SRC | The WOPI source base URL containing schema, host and port. Set this to the schema and domain where the collaboration service is reachable for the wopi app, such as https://office.owncloud.test. | https://localhost:9300 | |
| Frontend | FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR | Service name or address of the app provider to use for secure view. Should match the service name or address of the registered CS3 app provider. | com.owncloud.api.collaboration |
| FRONTEND_MAX_CONCURRENCY | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 | |
| Gateway | GATEWAY_APP_REGISTRY_ENDPOINT | The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.app-registry |
| GATEWAY_AUTH_APP_ENDPOINT | The endpoint of the auth-app service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.auth-app | |
| GATEWAY_AUTH_BASIC_ENDPOINT | The endpoint of the auth-basic service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.auth-basic | |
| GATEWAY_AUTH_BEARER_ENDPOINT | The endpoint of the auth-bearer service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | ||
| GATEWAY_AUTH_MACHINE_ENDPOINT | The endpoint of the auth-machine service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.auth-machine | |
| GATEWAY_AUTH_SERVICE_ENDPOINT | The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.auth-service | |
| GATEWAY_GROUPS_ENDPOINT | The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.groups | |
| GATEWAY_OCM_ENDPOINT | The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.ocm | |
| GATEWAY_PERMISSIONS_ENDPOINT | The endpoint of the permissions service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.settings | |
| GATEWAY_SHARING_ENDPOINT | The endpoint of the shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.sharing | |
| GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT | The endpoint of the storage-publiclink service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.storage-publiclink | |
| GATEWAY_STORAGE_SHARES_ENDPOINT | The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.storage-shares | |
| GATEWAY_STORAGE_USERS_ENDPOINT | The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.storage-users | |
| GATEWAY_USERS_ENDPOINT | The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. | com.owncloud.api.users | |
| Graph | GRAPH_AVAILABLE_ROLES | A comma separated list of roles that are available for assignment. | [b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049] |
| GRAPH_MAX_CONCURRENCY | The maximum number of concurrent requests the service will handle. | 20 | |
| GRAPH_TRANSLATION_PATH | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | ||
| OCM | OCM_OCM_INVITE_MANAGER_TIMEOUT | Timeout specifies a time limit for requests made to OCM endpoints. | 30s |
| OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION | Expiry duration for invite tokens. | 24h0m0s | |
| OCM_OCM_STORAGE_DATA_SERVER_URL | URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed. | http://localhost:9280/data | |
| Postprocessing | POSTPROCESSING_WORKERS | The number of concurrent go routines that fetch events from the event queue. | 3 |
| Proxy | PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME | The name of the OIDC claim that holds the display name. | name |
| PROXY_AUTOPROVISION_CLAIM_EMAIL | The name of the OIDC claim that holds the email. | ||
| PROXY_AUTOPROVISION_CLAIM_GROUPS | The name of the OIDC claim that holds the groups. | groups | |
| PROXY_AUTOPROVISION_CLAIM_USERNAME | The name of the OIDC claim that holds the username. | preferred_username | |
| PROXY_CSP_CONFIG_FILE_LOCATION | The location of the CSP configuration file. | ||
| PROXY_ENABLE_APP_AUTH | Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work. | false | |
| PROXY_EVENTS_AUTH_PASSWORD | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | ||
| PROXY_EVENTS_AUTH_USERNAME | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | ||
| PROXY_EVENTS_CLUSTER | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | ocis-cluster | |
| PROXY_EVENTS_ENABLE_TLS | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services. | false | |
| PROXY_EVENTS_ENDPOINT | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events. | 127.0.0.1:9233 | |
| PROXY_EVENTS_TLS_INSECURE | Whether to verify the server TLS certificates. | false | |
| PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE | The root CA certificate used to validate the server’s TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false. | ||
| Sharing | SHARING_USER_JSONCS3_MAX_CONCURRENCY | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 |
| SSE | SSE_KEEPALIVE_INTERVAL | To prevent intermediate proxies from closing the SSE connection, send periodic SSE comments to keep it open. | 0s |
| Storage-Users | STORAGE_USERS_OCIS_GENERAL_SPACE_PATH_TEMPLATE | Template string to construct the paths of the projects space roots. | |
| STORAGE_USERS_OCIS_MAX_CONCURRENCY | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 | |
| STORAGE_USERS_OCIS_PERSONAL_SPACE_PATH_TEMPLATE | Template string to construct the paths of the personal space roots. | ||
| STORAGE_USERS_PERMISSION_ENDPOINT | Endpoint of the permissions service. The endpoints can differ for ‘ocis’, ‘posix’ and ‘s3ng’. | com.owncloud.api.settings | |
| STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE | Template string to construct the paths of the projects space roots. | projects/{{.SpaceId}} | |
| STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT | Endpoint of the permissions service. The endpoints can differ for ‘ocis’, ‘posix’ and ‘s3ng’. | com.owncloud.api.settings | |
| STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE | Template string to construct the paths of the personal space roots. | users/{{.User.Username}} | |
| STORAGE_USERS_POSIX_ROOT | The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/storage/users. | /var/lib/ocis/storage/users | |
| STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY | The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected. | 1s | |
| STORAGE_USERS_POSIX_USE_SPACE_GROUPS | Use space groups to manage permissions on spaces. | false | |
| STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS | Comma-separated list of kafka brokers to read the watchfolder events from. | ||
| STORAGE_USERS_POSIX_WATCH_PATH | Path to the watch directory/file. Only applies to the ‘gpfsfileauditlogging’ and ‘inotifywait’ watcher, in which case it is the path of the file audit log file/base directory to watch. | ||
| STORAGE_USERS_POSIX_WATCH_TYPE | Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are ‘inotifywait’ (default), ‘gpfswatchfolder’ and ‘gpfsfileauditlogging’. | ||
| STORAGE_USERS_S3NG_GENERAL_SPACE_PATH_TEMPLATE | Template string to construct the paths of the projects space roots. | ||
| STORAGE_USERS_S3NG_PERSONAL_SPACE_PATH_TEMPLATE | Template string to construct the paths of the personal space roots. | ||
| STORAGE_USERS_SERVICE_NAME | Service name to use. Change this when starting an additional storage provider with a custom configuration to prevent it from colliding with the default ‘storage-users’ service. | storage-users | |
| Thumbnails | THUMBNAILS_MAX_CONCURRENT_REQUESTS | Number of maximum concurrent thumbnail requests. Default is 0 which is unlimited. | 0 |
| THUMBNAILS_MAX_INPUT_HEIGHT | The maximum height of an input image which is being processed. | 7680 | |
| THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE | The maximum file size of an input image which is being processed. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB. | 50MB | |
| THUMBNAILS_MAX_INPUT_WIDTH | The maximum width of an input image which is being processed. | 7680 | |
| Userlog | USERLOG_MAX_CONCURRENCY | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 |
| Web | WEB_ASSET_APPS_PATH | Serve ownCloud Web apps assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/web/assets/apps | /var/lib/ocis/web/assets/apps |
| WEB_ASSET_CORE_PATH | Serve ownCloud Web assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/web/assets/core | /var/lib/ocis/web/assets/core | |
| WEB_ASSET_THEMES_PATH | Serve ownCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/web/assets/themes | /var/lib/ocis/web/assets/themes |