diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x.json
new file mode 100644
index 000000000..3a82dac87
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x.json
@@ -0,0 +1,398 @@ +{ + "version.label": { + "message": "rolling", + "description": "The label for version current" + }, + "sidebar.user.category.Manage Files and Folders": { + "message": "Verwalten von Dateien und Ordnern", + "description": "The label for category 'Manage Files and Folders' in sidebar 'user'" + }, + "sidebar.user.category.Working in teams with Spaces": { + "message": "Arbeiten im Team mit Spaces", + "description": "The label for category 'Working in teams with Spaces' in sidebar 'user'" + }, + "sidebar.user.category.User Interface and Navigation": { + "message": "Benutzeroberfläche und Navigation", + "description": "The label for category 'User Interface and Navigation' in sidebar 'user'" + }, + "sidebar.user.category.Administration of OpenCloud": { + "message": "Administration von OpenCloud", + "description": "The label for category 'Administration of OpenCloud' in sidebar 'user'" + }, + "sidebar.user.category.Roles": { + "message": "Rollen", + "description": "The label for category 'Roles' in sidebar 'user'" + }, + "sidebar.user.category.OpenCloud Desktop": { + "message": "OpenCloud Desktop", + "description": "The label for category 'OpenCloud Desktop' in sidebar 'user'" + }, + "sidebar.admin.category.Getting Started": { + "message": "Getting Started", + "description": "The label for category 'Getting Started' in sidebar 'admin'" + }, + "sidebar.admin.category.Other": { + "message": "Other", + "description": "The label for category 'Other' in sidebar 'admin'" + }, + "sidebar.admin.category.Configuration": { + "message": "Configuration", + "description": "The label for category 'Configuration' in sidebar 'admin'" + }, + "sidebar.admin.category.Maintenance": { + "message": "Maintenance", + "description": "The label for category 'Maintenance' in sidebar 'admin'" + }, + "sidebar.admin.category.Resources": { + "message": "Resources", + "description": "The label for category 'Resources' in sidebar 'admin'" + }, + "sidebar.dev.category.Development": { + 
"message": "Development", + "description": "The label for category 'Development' in sidebar 'dev'" + }, + "sidebar.dev.category.Testing": { + "message": "Testing", + "description": "The label for category 'Testing' in sidebar 'dev'" + }, + "sidebar.dev.category.Extension System": { + "message": "Extension System", + "description": "The label for category 'Extension System' in sidebar 'dev'" + }, + "sidebar.dev.category.Extension Types": { + "message": "Extension Types", + "description": "The label for category 'Extension Types' in sidebar 'dev'" + }, + "sidebar.user.category.OpenCloud iOS App": { + "message": "OpenCloud iOS App", + "description": "The label for category 'OpenCloud iOS App' in sidebar 'user'" + }, + "sidebar.user.category.Common functionality": { + "message": "Allgemeine Funktionen", + "description": "The label for category 'Common functionality' in sidebar 'user'" + }, + "sidebar.admin.category.Container": { + "message": "Container", + "description": "The label for category 'Container' in sidebar 'admin'" + }, + "sidebar.admin.category.Authentication and Identity Management": { + "message": "Authentication and Identity Management", + "description": "The label for category 'Authentication and Identity Management' in sidebar 'admin'" + }, + "sidebar.admin.category.Storage": { + "message": "Storage", + "description": "The label for category 'Storage' in sidebar 'admin'" + }, + "sidebar.admin.category.Upgrade": { + "message": "Upgrade", + "description": "The label for category 'Upgrade' in sidebar 'admin'" + }, + "sidebar.user.category.Desktop Client for Windows": { + "message": "Desktop Client for Windows", + "description": "The label for category 'Desktop Client for Windows' in sidebar 'user'" + }, + "sidebar.user.category.Desktop Client for Windows.link.generated-index.description": { + "message": "OpenCloud Desktop Client for Windows.", + "description": "The generated-index page description for category 'Desktop Client for Windows' in sidebar 
'user'" + }, + "sidebar.user.category.Desktop Client for MacOS": { + "message": "Desktop Client for MacOS", + "description": "The label for category 'Desktop Client for MacOS' in sidebar 'user'" + }, + "sidebar.user.category.Desktop Client for MacOS.link.generated-index.description": { + "message": "OpenCloud Desktop Client for MacOS.", + "description": "The generated-index page description for category 'Desktop Client for MacOS' in sidebar 'user'" + }, + "sidebar.user.category.Desktop Client for Linux": { + "message": "Desktop Client for Linux", + "description": "The label for category 'Desktop Client for Linux' in sidebar 'user'" + }, + "sidebar.user.category.Desktop Client for Linux.link.generated-index.description": { + "message": "OpenCloud Desktop Client for Linux.", + "description": "The generated-index page description for category 'Desktop Client for Linux' in sidebar 'user'" + }, + "sidebar.user.category.Common functionality.link.generated-index.description": { + "message": "Common functionalities for the OpenCloud Desktop Client.", + "description": "The generated-index page description for category 'Common functionality' in sidebar 'user'" + }, + "sidebar.user.category.ios-general": { + "message": "Allgemein", + "description": "The label for category 'General' in sidebar 'user'" + }, + "sidebar.user.category.ios-general.link.generated-index.description": { + "message": "Tutorials about installing, setup and overview of the OpenCloud iOS App.", + "description": "The generated-index page description for category 'General' in sidebar 'user'" + }, + "sidebar.user.category.ios-overview": { + "message": "Übersicht", + "description": "The label for category 'Overview' in sidebar 'user'" + }, + "sidebar.user.category.ios-overview.link.generated-index.description": { + "message": "Overview of the user interface of the OpenCloud iOS App.", + "description": "The generated-index page description for category 'Overview' in sidebar 'user'" + }, + 
"sidebar.user.category.ios-files-folders": { + "message": "Dateien und Ordner", + "description": "The label for category 'Files and Folders' in sidebar 'user'" + }, + "sidebar.user.category.ios-files-folders.link.generated-index.description": { + "message": "Tutorials for managing your files and folders in the OpenCloud iOS App.", + "description": "The generated-index page description for category 'Files and Folders' in sidebar 'user'" + }, + "sidebar.user.category.ios-shares": { + "message": "Teilen", + "description": "The label for category 'Shares' in sidebar 'user'" + }, + "sidebar.user.category.ios-shares.link.generated-index.description": { + "message": "Anleitungen zum Teilen von Dateien und Ordner in der OpenClous iOS App.", + "description": "The generated-index page description for category 'Shares' in sidebar 'user'" + }, + "sidebar.user.category.OpenCloud Android App": { + "message": "OpenCloud Android App", + "description": "The label for category 'OpenCloud Android App' in sidebar 'user'" + }, + "sidebar.user.category.android-general": { + "message": "Allgemein", + "description": "The label for category 'General' in sidebar 'user'" + }, + "sidebar.user.category.android-general.link.generated-index.description": { + "message": "Tutorials about installing, setup and overview of the OpenCloud Android App.", + "description": "The generated-index page description for category 'General' in sidebar 'user'" + }, + "sidebar.user.category.android-overview": { + "message": "Übersicht", + "description": "The label for category 'Overview' in sidebar 'user'" + }, + "sidebar.user.category.android-overview.link.generated-index.description": { + "message": "Overview of the user interface of the OpenCloud Android App.", + "description": "The generated-index page description for category 'Overview' in sidebar 'user'" + }, + "sidebar.user.category.android-files-folders": { + "message": "Dateien und Ordner", + "description": "The label for category 'Files and Folders' in 
sidebar 'user'" + }, + "sidebar.user.category.android-files-folders.link.generated-index.description": { + "message": "Tutorials for managing your files and folders in the OpenCloud Android App.", + "description": "The generated-index page description for category 'Files and Folders' in sidebar 'user'" + }, + "sidebar.user.category.android-shares": { + "message": "Teilen", + "description": "The label for category 'Shares' in sidebar 'user'" + }, + "sidebar.user.category.android-shares.link.generated-index.description": { + "message": "Tutorials about creating shares the OpenCloud Android App.", + "description": "The generated-index page description for category 'Shares' in sidebar 'user'" + }, + "sidebar.dev.category.Server": { + "message": "Server", + "description": "The label for category 'Server' in sidebar 'dev'" + }, + "sidebar.dev.category.Apis": { + "message": "Apis", + "description": "The label for category 'Apis' in sidebar 'dev'" + }, + "sidebar.dev.category.HTTP": { + "message": "HTTP", + "description": "The label for category 'HTTP' in sidebar 'dev'" + }, + "sidebar.dev.category.LibreGraph": { + "message": "LibreGraph", + "description": "The label for category 'LibreGraph' in sidebar 'dev'" + }, + "sidebar.dev.category.Configuration": { + "message": "Configuration", + "description": "The label for category 'Configuration' in sidebar 'dev'" + }, + "sidebar.dev.category.Services": { + "message": "Services", + "description": "The label for category 'Services' in sidebar 'dev'" + }, + "sidebar.dev.category.Activitylog": { + "message": "Activitylog", + "description": "The label for category 'Activitylog' in sidebar 'dev'" + }, + "sidebar.dev.category.Antivirus": { + "message": "Antivirus", + "description": "The label for category 'Antivirus' in sidebar 'dev'" + }, + "sidebar.dev.category.App-provider": { + "message": "App-provider", + "description": "The label for category 'App-provider' in sidebar 'dev'" + }, + "sidebar.dev.category.App-registry": { + 
"message": "App-registry", + "description": "The label for category 'App-registry' in sidebar 'dev'" + }, + "sidebar.dev.category.Audit": { + "message": "Audit", + "description": "The label for category 'Audit' in sidebar 'dev'" + }, + "sidebar.dev.category.Auth-app": { + "message": "Auth-app", + "description": "The label for category 'Auth-app' in sidebar 'dev'" + }, + "sidebar.dev.category.Auth-basic": { + "message": "Auth-basic", + "description": "The label for category 'Auth-basic' in sidebar 'dev'" + }, + "sidebar.dev.category.Auth-bearer": { + "message": "Auth-bearer", + "description": "The label for category 'Auth-bearer' in sidebar 'dev'" + }, + "sidebar.dev.category.Auth-machine": { + "message": "Auth-machine", + "description": "The label for category 'Auth-machine' in sidebar 'dev'" + }, + "sidebar.dev.category.Auth-service": { + "message": "Auth-service", + "description": "The label for category 'Auth-service' in sidebar 'dev'" + }, + "sidebar.dev.category.Clientlog": { + "message": "Clientlog", + "description": "The label for category 'Clientlog' in sidebar 'dev'" + }, + "sidebar.dev.category.Collaboration": { + "message": "Collaboration", + "description": "The label for category 'Collaboration' in sidebar 'dev'" + }, + "sidebar.dev.category.Eventhistory": { + "message": "Eventhistory", + "description": "The label for category 'Eventhistory' in sidebar 'dev'" + }, + "sidebar.dev.category.Frontend": { + "message": "Frontend", + "description": "The label for category 'Frontend' in sidebar 'dev'" + }, + "sidebar.dev.category.Gateway": { + "message": "Gateway", + "description": "The label for category 'Gateway' in sidebar 'dev'" + }, + "sidebar.dev.category.Graph": { + "message": "Graph", + "description": "The label for category 'Graph' in sidebar 'dev'" + }, + "sidebar.dev.category.Groups": { + "message": "Groups", + "description": "The label for category 'Groups' in sidebar 'dev'" + }, + "sidebar.dev.category.Idm": { + "message": "Idm", + "description": 
"The label for category 'Idm' in sidebar 'dev'" + }, + "sidebar.dev.category.Idp": { + "message": "Idp", + "description": "The label for category 'Idp' in sidebar 'dev'" + }, + "sidebar.dev.category.Invitations": { + "message": "Invitations", + "description": "The label for category 'Invitations' in sidebar 'dev'" + }, + "sidebar.dev.category.Nats": { + "message": "Nats", + "description": "The label for category 'Nats' in sidebar 'dev'" + }, + "sidebar.dev.category.Notifications": { + "message": "Notifications", + "description": "The label for category 'Notifications' in sidebar 'dev'" + }, + "sidebar.dev.category.Ocm": { + "message": "Ocm", + "description": "The label for category 'Ocm' in sidebar 'dev'" + }, + "sidebar.dev.category.Ocs": { + "message": "Ocs", + "description": "The label for category 'Ocs' in sidebar 'dev'" + }, + "sidebar.dev.category.Policies": { + "message": "Policies", + "description": "The label for category 'Policies' in sidebar 'dev'" + }, + "sidebar.dev.category.Postprocessing": { + "message": "Postprocessing", + "description": "The label for category 'Postprocessing' in sidebar 'dev'" + }, + "sidebar.dev.category.Proxy": { + "message": "Proxy", + "description": "The label for category 'Proxy' in sidebar 'dev'" + }, + "sidebar.dev.category.Search": { + "message": "Search", + "description": "The label for category 'Search' in sidebar 'dev'" + }, + "sidebar.dev.category.Settings": { + "message": "Settings", + "description": "The label for category 'Settings' in sidebar 'dev'" + }, + "sidebar.dev.category.Sharing": { + "message": "Sharing", + "description": "The label for category 'Sharing' in sidebar 'dev'" + }, + "sidebar.dev.category.Sse": { + "message": "Sse", + "description": "The label for category 'Sse' in sidebar 'dev'" + }, + "sidebar.dev.category.Storage-publiclink": { + "message": "Storage-publiclink", + "description": "The label for category 'Storage-publiclink' in sidebar 'dev'" + }, + "sidebar.dev.category.Storage-shares": { + 
"message": "Storage-shares", + "description": "The label for category 'Storage-shares' in sidebar 'dev'" + }, + "sidebar.dev.category.Storage-system": { + "message": "Storage-system", + "description": "The label for category 'Storage-system' in sidebar 'dev'" + }, + "sidebar.dev.category.Storage-users": { + "message": "Storage-users", + "description": "The label for category 'Storage-users' in sidebar 'dev'" + }, + "sidebar.dev.category.Thumbnails": { + "message": "Thumbnails", + "description": "The label for category 'Thumbnails' in sidebar 'dev'" + }, + "sidebar.dev.category.Userlog": { + "message": "Userlog", + "description": "The label for category 'Userlog' in sidebar 'dev'" + }, + "sidebar.dev.category.Users": { + "message": "Users", + "description": "The label for category 'Users' in sidebar 'dev'" + }, + "sidebar.dev.category.dev-server-services-web": { + "message": "Web", + "description": "The label for category 'Web' in sidebar 'dev'" + }, + "sidebar.dev.category.Webdav": { + "message": "Webdav", + "description": "The label for category 'Webdav' in sidebar 'dev'" + }, + "sidebar.dev.category.Webfinger": { + "message": "Webfinger", + "description": "The label for category 'Webfinger' in sidebar 'dev'" + }, + "sidebar.dev.category.dev-web": { + "message": "Web", + "description": "The label for category 'Web' in sidebar 'dev'" + }, + "sidebar.dev.category.Development.link.generated-index.description": { + "message": "👩‍💻 Development", + "description": "The generated-index page description for category 'Development' in sidebar 'dev'" + }, + "sidebar.dev.category.Testing.link.generated-index.description": { + "message": "✅ Testing", + "description": "The generated-index page description for category 'Testing' in sidebar 'dev'" + }, + "sidebar.user.category.Share files and folders": { + "message": "Dateien und Ordner teilen", + "description": "The label for category 'Share files and folders' in sidebar 'user'" + }, + "sidebar.admin.category.Docker Compose": { + 
"message": "Docker Compose", + "description": "The label for category 'Docker Compose' in sidebar 'admin'" + }, + "sidebar.admin.category.Collabora": { + "message": "Collabora", + "description": "The label for category 'Collabora' in sidebar 'admin'" + } +} diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/_category_.json new file mode 100644 index 000000000..8284cba06 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "Administration von OpenCloud", + "position": 10, + "link": { + "type": "doc", + "id": "admin-overview" + } +} diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/app-tokens.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/app-tokens.md new file mode 100644 index 000000000..c18b5d660 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/app-tokens.md 
@@ -0,0 +1,74 @@
+---
+sidebar_position: 2
+id: app-tokens
+title: App Tokens
+description: App Tokens in OpenCLoud
+draft: false
+---
+
+# App-Tokens
+
+App-Tokens ermöglichen es Ihnen, externe Apps und Dienste (z. B. WebDAV-Clients) zu verbinden, ohne Ihr Hauptpasswort zu verwenden.
+
+Dies verbessert die Sicherheit auf mehrere Arten:
+
+- Ihr Login-Passwort muss nicht an Drittanbieter-Anwendungen weitergegeben werden.
+- App-Tokens können widerrufen werden. Wenn Sie befürchten, dass ein Token kompromittiert wurde, löschen Sie es einfach.
+- App-Tokens können ein Ablaufdatum haben. Das reduziert potenzielle Angriffsflächen.
+
+Zusätzlich zur erhöhten Sicherheit verbessern App-Tokens auch die Kompatibilität mit Drittanbieter-Anwendungen. Viele
+Anwendungen unterstützen moderne Login-Verfahren wie OpenID Connect nicht und akzeptieren nur Standard-Logins mit Benutzername
+und Passwort. Ihr Benutzername in Kombination mit einem App-Token dient genau diesem Zweck.
+
+:::important
+App-Tokens ermöglichen Drittanbieter-Anwendungen Zugriff auf all Ihre Daten. Erstellen Sie daher
+für jede Anwendung ein eigenes App-Token und wählen Sie ein angemessenes Ablaufdatum.
+Wenn Sie keinen vollständigen Zugriff gewähren möchten, verwenden Sie stattdessen einen öffentlichen Link.
+:::
+
+## App-Token erstellen
+
+- Gehen Sie in Ihren OpenCloud-Kontoeinstellungen zum Bereich „App-Tokens“.
+- Klicken Sie auf „+ Neu“, um ein neues Token zu erstellen.
+
+ Create App Token
+
+- Geben Sie einen Namen für das Token ein (z. B. „WebDAV Client“).
+- Wählen Sie ein Ablaufdatum, um die Sicherheit zu erhöhen.
+- Klicken Sie auf „Bestätigen“.
+
+ Namen eingeben und Ablaufdatum wählen
+
+## App-Token kopieren
+
+- Nach der Erstellung wird das Token nur ein einziges Mal angezeigt.
+- Kopieren Sie es sofort und bewahren Sie es sicher auf.
+
+ Copy Token
+
+:::note
+Wenn Sie das Token verlieren, müssen Sie es löschen und ein neues erstellen.
+:::
+
+## App-Token verwenden
+
+Sie können das Token nun anstelle Ihres Passworts verwenden, zum Beispiel bei:
+
+- WebDAV
+- Externen Apps
+- Drittanbieter-Diensten
+
+:::info
+Der Benutzername entspricht in der Regel dem Benutzernamen Ihres regulären Logins.
+Wenn der Identity Provider jedoch im Autoprovisioning-Modus läuft, kann nur die UUID verwendet werden.
+Diese finden Sie in der Übersicht der Einstellungen.
+:::
+
+## App-Token löschen
+
+Wenn ein Token nicht mehr benötigt wird:
+
+- Gehen Sie erneut zum Bereich „App-Tokens“.
+- Klicken Sie auf das Papierkorb-Symbol neben dem entsprechenden Token, um es zu entfernen.
+
+So stellen Sie sicher, dass ungenutzte Tokens nicht missbraucht werden können.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/copy-token.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/copy-token.png
new file mode 100644
index 000000000..1ea6fc6be
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/copy-token.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/create.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/create.png
new file mode 100644
index 000000000..7f57f552c
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/create.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/enter-name.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/enter-name.png
new file mode 100644
index 000000000..20c30bec1
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/app-tokens/enter-name.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/admin-einstellungen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/admin-einstellungen.png
new file mode 100644
index 000000000..1ed8d0d61
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/admin-einstellungen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/allgemein.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/allgemein.png
new file mode 100644
index 000000000..e8fb7d142
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/allgemein.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/gruppen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/gruppen.png
new file mode 100644
index 000000000..cdf911319
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/gruppen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/personen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/personen.png
new file mode 100644
index 000000000..71a000f46
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/personen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/spaces.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/spaces.png
new file mode 100644
index 000000000..0e234f214
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/settings/spaces.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/webdav/preferences.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/webdav/preferences.png
new file mode 100644
index 000000000..4f26606c1
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/webdav/preferences.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/webdav/webdav-url.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/webdav/webdav-url.png
new file mode 100644
index 000000000..4cea59fcb
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/img/webdav/webdav-url.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/index.md
new file mode 100644
index 000000000..4aa99ed0a
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/index.md
@@ -0,0 +1,22 @@
+---
+sidebar_position: 0
+id: admin-overview
+title: Administration von OpenCloud
+---
+
+# Administration von OpenCloud
+
+Dieser Abschnitt erklärt die Administrationsfunktionen in OpenCloud. Je nach Ihren Berechtigungen können Sie
+Kontoeinstellungen verwalten, Benutzer, Gruppen und Spaces administrieren, App-Tokens erstellen und externe Werkzeuge
+wie WebDAV-Clients anbinden.
+
+## In diesem Abschnitt
+
+- [Einstellungen](./settings.md)
+ Rufen Sie den Administrationsbereich auf und verwalten Sie Benutzer, Gruppen und Spaces, je nach Ihren Berechtigungen.
+
+- [App-Tokens](./app-tokens.md)
+ Erstellen und verwalten Sie sichere Tokens für Drittanbieter-Anwendungen und WebDAV-Clients.
+
+- [WebDAV](./web-dav.md)
+ Verbinden Sie OpenCloud-Dateien und Spaces per WebDAV mit Ihrem Betriebssystem oder Dateimanager.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/settings.md
new file mode 100644
index 000000000..688c75014
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/settings.md
@@ -0,0 +1,61 @@
+---
+sidebar_position: 1
+id: settings
+title: Einstellungen
+description: Einstellungen
+draft: false
+---
+
+# Überblick über den Admin-Bereich
+
+Im Admin-Bereich von OpenCloud haben Sie umfangreiche Verwaltungsoptionen für Ihre Organisation. Hier sind die wichtigsten Bereiche:
+Admin settings
+
+## Allgemein
+
+- Versionsübersicht:
+ Im Bereich Allgemein kannst du Informationen zu deiner aktuellen OpenCloud-Version einsehen und prüfen, ob eine neuere Version verfügbar ist.
+ Admin general
+
+:::note
+Wenn ein sicherheitskritisches Upgrade verfügbar ist, können Administratoren zusätzlich eine Warnung unten links in der Weboberfläche sehen.
+Die Versionsprüfung kann von einem Administrator deaktiviert worden sein.
+Wenn diese Option ausgeschaltet ist, werden Informationen über neuere Versionen nicht angezeigt.
+:::
+
+## Benutzer
+
+- Übersicht der Benutzer
+ Hier haben Sie einen Überblick über alle Benutzer von Ihre OpenCloud.
+- Benutzer verwalten:
+ Abhängig von Ihren Benutzerverwaltungseinstellungen können Sie:
+ - Benutzer erstellen oder löschen
+ - Benutzer bearbeiten (z.B. Rechte oder Einstellungen ändern)
+ - Quota (Speicherplatz) von Benutzern ändern
+ - Benutzer in Gruppen hinzufügen oder entfernen
+ - Allow or prohibit logins (for individual users)
+ Admin users
+
+:::note
+Wenn OpenCloud mit einem externen IdP verbunden ist, können Sie die Benutzer hier weiterhin sehen, die Benutzerverwaltung muss jedoch im IdP erfolgen.
+:::
+
+## Gruppen
+
+- Übersicht der Gruppen
+ Hier können Sie die vorhandenen Gruppen Ihrer OpenCloud anzeigen.
+- Gruppen verwalten:
+ Sie können lokale Gruppen erstellen, bearbeiten oder löschen und Mitglieder hinzufügen oder entfernen.
+- Importierte Gruppen: Externe Gruppen, die über ein externes Benutzerverwaltungssystem importiert wurden, können hier nicht bearbeitet werden. Diese Gruppen sind mit einem Sperrsymbol
+ gekennzeichnet, um anzuzeigen, dass sie gesperrt sind.
+ Admin groups
+
+## Spaces
+
+- Übersicht der Spaces
+ Hier sehen Sie alle vorhandenen Spaces in Ihrer OpenCloud.
+ - Space Management: Als Administrator haben Sie volle Rechte auf:
+ - Bearbeiten
+ - Deaktivieren oder aktivieren
+ - Löschen
+ Admin spaces
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/web-dav.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/web-dav.md
new file mode 100644
index 000000000..2c1c4f4a5
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/admin/web-dav.md
@@ -0,0 +1,92 @@
+---
+sidebar_position: 3
+id: web-dav
+title: WebDAV
+description: Verbindung zu einem Space via WebDAV
+draft: false
+---
+
+# Verbindung zu einem Space via WebDAV herstellen
+
+Mit WebDAV kannst du OpenCloud-Spaces als Netzlaufwerke auf deinem Gerät einbinden und deine Dateien direkt über den Dateimanager verwalten – ganz ohne Browser.
+
+## Voraussetzungen
+
+- Ein gültiges OpenCloud-Konto mit aktivierter WebDAV-Information in den Einstellungen
+- Zugriff auf einen Space in OpenCloud
+- Ein WebDAV-Client (z. B. integrierte Unterstützung des Betriebssystems oder [Mountain Duck](https://mountainduck.io/))
+- (Optional, aber empfohlen) Ein App-Token
+ → [So erstellst du ein App-Token](./app-tokens.md)
+
+## Schritt-für-Schritt-Anleitung
+
+### WebDAV-Informationen in der Oberfläche aktivieren
+
+Um die WebDAV-Informationen für deine Spaces anzuzeigen:
+
+- Gehe zu den Kontoeinstellungen
+- Aktiviere „WebDAV-Info in der Detailansicht anzeigen“
+
+ WebDAV-Info aktivieren
+
+### App-Token erstellen (falls erforderlich)
+
+Einige WebDAV-Clients (insbesondere solche ohne OIDC-Unterstützung wie Mountain Duck) benötigen ein App-Token zur Authentifizierung.
+
+:::note
+Wir empfehlen aus Sicherheitsgründen die Verwendung eines App-Tokens anstelle deines Passworts.
+:::
+
+- Gehe zu Einstellungen > App-Tokens
+- Klicke auf „+ Neu“, gib einen Namen ein und wähle ein Ablaufdatum
+- Kopiere den Token sofort – er wird nur einmal angezeigt
+ → [Siehe App-Token-Anleitung](./app-tokens.md)
+
+### WebDAV-URL abrufen
+
+Öffne das Info-Panel deines Spaces in der OpenCloud-Weboberfläche.
+
+Du findest dort einen Abschnitt „WebDAV“ – kopiere die vollständige URL. Diese sieht beispielsweise so aus:
+
+`https://cloud.example.de/remote.php/dav/spaces/12345678-abcd-efgh-ijkl-987654321000/`
+
+WebDAV-URL
+
+### Verbindung via WebDAV herstellen
+
+Stelle nun die Verbindung zu deinem Gerät über die WebDAV-URL her:
+
+- Benutzername: dein OpenCloud-Benutzername
+- Passwort: dein App-Token (oder Passwort, falls erlaubt)
+
+Du kannst je nach Betriebssystem unterschiedliche Clients verwenden:
+
+## Windows
+
+- Öffne den Datei-Explorer → Klicke auf „Dieser PC“ → Wähle „Netzlaufwerk verbinden“
+- Gib die WebDAV-URL ein
+- Authentifiziere dich mit Benutzername und App-Token
+
+## macOS
+
+- Wähle im Finder „Gehe zu“ > „Mit Server verbinden…“
+- Gib die WebDAV-URL ein
+- Melde dich mit deinen Zugangsdaten oder dem App-Token an
+
+## Linux
+
+- Nutze die Funktion „Mit Server verbinden“ deines Dateimanagers
+- Format der URL:
+ `davs://cloud.beispiel.de/remote.php/dav/spaces//`
+
+:::note
+Nach erfolgreicher Verbindung verhält sich dein Space wie ein normaler Ordner.
+:::
+
+:::note
+
+- Wenn dein WebDAV-Client OIDC unterstützt, ist ein App-Token eventuell nicht erforderlich
+- Verwende immer `https://` für einen sicheren Zugriff
+- App-Tokens können jederzeit in den Kontoeinstellungen widerrufen werden
+
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/_category_.json
new file mode 100644
index 000000000..37b070912
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "OpenCloud Android App",
+ "position": 8,
+ "link": {
+ "type": "doc",
+ "id": "android-app-overview"
+ }
+}
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/files-and-folders/create-rename-move.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/files-and-folders/create-rename-move.md
new file mode 100644
index 000000000..e8e0fbed0
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/files-and-folders/create-rename-move.md
@@ -0,0 +1,85 @@
+---
+sidebar_position: 1
+id: create-rename-move
+title: Erstellen - Umbenennen - Verschieben
+description: Erstellen - Umbenennen - Verschieben
+draft: false
+---
+
+# Erstellen, Umbenennen und Verschieben von Dateien und Ordnern
+
+Mit der OpenCloud Android-App können Sie Ihre Inhalte ganz einfach verwalten. Sie können neue Ordner und Dateien erstellen, Elemente umbenennen und an andere Speicherorte verschieben – direkt von Ihrem Android-Smartphone oder -Tablet aus.
+
+## Dateien und Ordner erstellen
+
+Tippen Sie auf das „+“-Symbol unten rechts.
+
+Neu erstellen
+
+Wählen Sie im Menü aus, was Sie erstellen möchten:
+
+### Ordner erstellen
+
+- Tippen Sie auf „Neuer Ordner“
+- Geben Sie einen Namen für Ihren Ordner ein
+- Tippen Sie auf „OK“
+
+Ordner erstellen
+
+### Dokument erstellen (erfordert Collabora)
+
+Wenn Collabora Online in Ihrer OpenCloud-Instanz aktiviert ist:
+
+- Tippen Sie auf „Neues Dokument“
+- Wählen Sie den Dokumenttyp (Text, Tabelle, Präsentation)
+- Geben Sie einen Dateinamen ein und bestätigen Sie
+
+Dateityp wählen
+
+Das Dokument wird in einem integrierten Browserfenster mit **Collabora** zur Bearbeitung geöffnet.
+
+Collabora öffnen
+Collabora bearbeiten
+
+## Dateien oder Ordner umbenennen
+
+So benennen Sie eine Datei oder einen Ordner in der OpenCloud Android-App um:
+
+- Tippen Sie auf die „drei Punkte (…)“ neben dem Element, das Sie umbenennen möchten
+
+Drei-Punkte-Menü
+
+- Wählen Sie „Umbenennen“ aus dem Menü
+
+Umbenennen wählen
+
+- Geben Sie den neuen Namen für die Datei oder den Ordner ein
+
+Neuen Namen eingeben
+
+- Tippen Sie auf „OK“, um die Änderungen zu übernehmen
+
+OK tippen
+Neuer Name übernommen
+
+Der neue Name wird sofort gespeichert.
+
+## Dateien oder Ordner verschieben
+
+So verschieben Sie eine Datei oder einen Ordner in der OpenCloud Android-App:
+
+- Tippen Sie auf die „drei Punkte (…)“ neben der Datei oder dem Ordner, die bzw.
den Sie verschieben möchten
+
+Drei-Punkte-Menü auswählen
+
+- Wählen Sie „Verschieben“ oder „Kopieren“ aus dem Menü
+
+Verschieben oder Kopieren wählen
+
+Navigieren Sie zum Zielordner
+Tippen Sie auf „Hierher verschieben“ oder „Hierher kopieren“
+
+Einfügen auswählen
+Datei wurde verschoben
+
+Die Datei oder der Ordner wird nun am neuen Speicherort angezeigt.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/files-and-folders/upload-make-available-offline.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/files-and-folders/upload-make-available-offline.md
new file mode 100644
index 000000000..c47cde205
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/files-and-folders/upload-make-available-offline.md
@@ -0,0 +1,65 @@
+---
+sidebar_position: 2
+id: upload-make-available-offline
+title: Hochladen - Offline verfügbar machen
+description: Dateien hochladen in Android
+draft: false
+---
+
+# Dateien hochladen in Android
+
+Mit der OpenCloud Android-App können Sie ganz einfach Dateien hochladen und für die Offline-Nutzung verfügbar machen.
+
+## Dateien hochladen
+
+### Gewünschten Ordner öffnen
+
+Navigieren Sie zu dem Ordner, in dem Sie eine Datei hochladen möchten.
+
+### Tippen Sie auf das „+“-Symbol unten rechts
+
+und wählen Sie „Hochladen“
+
+Plus-Schaltfläche
+
+### Upload-Option wählen
+
+Im Menü können Sie wählen:
+
+- „Hochladen“ – eine Datei aus dem Gerätespeicher hochladen
+- „Bild von Kamera“ – ein Foto oder Video mit der Kamera des Smartphones oder Tablets aufnehmen und hochladen
+
+Upload-Optionen
+
+### Auswahl bestätigen
+
+Wählen Sie die Datei oder das Medium aus, das Sie hochladen möchten. Der Upload startet automatisch.
+
+## Dateien offline verfügbar machen
+
+Sie können Dateien offline verfügbar machen, damit Sie auch ohne Internetverbindung darauf zugreifen können.
+
+### Tippen Sie auf die drei Punkte (...) neben der Datei
+
+Drei-Punkte-Menü
+
+### Wählen Sie „Offline verfügbar machen“
+
+Die Datei wird heruntergeladen und lokal auf Ihrem Gerät gespeichert.
+
+Offline verfügbar machen
+
+:::info
+Offline-Dateien sind mit einem rosa Kreis mit weißem Häkchen markiert.
+:::
+
+Als offline markiert
+
+## Offline-Verfügbarkeit entfernen
+
+Um Speicherplatz freizugeben:
+
+- Tippen Sie auf die drei Punkte (...) bei einer offline gespeicherten Datei
+- Wählen Sie „Offline-Verfügbarkeit aufheben“
+
+Diese Funktionen helfen Ihnen, auch ohne Internet produktiv zu bleiben!
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/installation.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/installation.md
new file mode 100644
index 000000000..5e9a8d276
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/installation.md
@@ -0,0 +1,37 @@
+---
+sidebar_position: 1
+id: installation
+title: Installieren der Android App
+description: Installieren derOpenCloud Android app
+draft: false
+---
+
+# Installieren der OpenCloud Android app
+
+Anleitung zur Installation der OpenCloud Android-App.
+
+## Play Store
+
+Öffne den Play Store auf deinem Android-Smartphone oder Tablet.
+
+## OpenCloud
+
+Suche nach „OpenCloud“ oder klicke auf folgenden Link, um direkt zur App zu gelangen:
+
+[OpenCloud im Play Store](https://play.google.com/store/apps/details?id=eu.opencloud.android)
+
+Android Installation
+
+## Installieren
+
+Tippe auf „Installieren“, um die App herunterzuladen.
+
+## App Icon
+
+Nach der Installation findest du die OpenCloud-App auf deinem Startbildschirm.
+
+Icon
+
+## Einrichten
+
+Öffne die App und folge den Anweisungen auf dem Bildschirm, um sie einzurichten.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/overview/account-fileslist.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/overview/account-fileslist.md
new file mode 100644
index 000000000..ca886c530
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/overview/account-fileslist.md
@@ -0,0 +1,61 @@
+---
+sidebar_position: 2
+id: account-fileslist
+title: Dateilisten-Menü
+description: Dateilisten-Menü
+draft: false
+---
+
+# Hier ist eine Übersicht über das Dateilisten-Menü der OpenCloud Android-App
+
+Dieser Abschnitt erklärt die zentralen Elemente der Benutzeroberfläche der OpenCloud Android-App und deren Funktionen.
+
+Fileslist-Overview
+
+## 1. Account Menu
+
+Bietet Zugriff auf die Kontoeinstellungen.
+
+## 2. Search
+
+Ermöglicht die Suche nach Dateien, Ordnern oder geteilten Elementen innerhalb der App.
+
+## 3. Manage Accounts
+
+Zeigt das aktive Konto an und ermöglicht das Hinzufügen eines weiteren Kontos.
+
+## 4. Sort by
+
+Ermöglicht das Sortieren von Dateien nach Name, Datum, Größe oder anderen Kriterien.
+
+## 5. View Mode
+
+Erlaubt das Umschalten zwischen verschiedenen Ansichtsmodi.
+
+## 6. Files List
+
+Zeigt den Inhalt des aktuellen Ordners als Liste von Dateien und Ordnern an.
+
+## 7. Add Button
+
+Öffnet Optionen zum Hochladen von Dateien, Erstellen von Ordnern oder Hinzufügen neuer Inhalte.
+
+## 8. Personal
+
+Ermöglicht den schnellen Wechsel zum persönlichen Bereich.
+
+## 9. Shares
+
+Ermöglicht den schnellen Wechsel zur Liste der geteilten Elemente.
+
+## 10. Spaces
+
+Ermöglicht den schnellen Wechsel zur Liste der Bereiche (Spaces).
+
+## 11. Uploads
+
+Ermöglicht den schnellen Wechsel zur Liste der Uploads.
+
+## 12. Offline
+
+Ermöglicht den schnellen Zugriff auf eine Liste von Dateien und Ordnern, die offline verfügbar sind.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/overview/account-overview.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/overview/account-overview.md
new file mode 100644
index 000000000..46b6235e6
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/overview/account-overview.md
@@ -0,0 +1,43 @@
+---
+sidebar_position: 1
+id: account-overview
+title: Account-Menü
+description: Account-Menü
+draft: false
+---
+
+# Account Menu
+
+Hier ist ein Überblick über das Kontomenü in der OpenCloud Android-App
+
+Account Menue Button
+
+Account Menue
+
+## 1. Account Menu Item
+
+Öffnet die Hauptoptionen und Einstellungen des Kontos.
+
+## 2. Active Account
+
+Zeigt an, welches Benutzerkonto derzeit aktiv ist.
+
+## 3. Settings Menu Item
+
+Öffnet die allgemeinen Einstellungen und Konfigurationsoptionen.
+
+## 4. Feedback Item
+
+Hier kannst du uns Feedback zu deiner Erfahrung mit der OpenCloud Android-App senden.
+
+## 5. Help Menu Item
+
+Hier findest du Links zu unserer Dokumentationsseite und weiteren Hilfeseiten.
+
+## 6. Privacy Policy Item
+
+Hier findest du den vollständigen Eintrag zu unserer Datenschutzrichtlinie.
+
+## 7. Used Quota
+
+Zeigt an, wie viel deines Speicherplatzes du bisher genutzt hast.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/set-up.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/set-up.md
new file mode 100644
index 000000000..e9c4ee774
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/set-up.md
@@ -0,0 +1,46 @@
+---
+sidebar_position: 2
+id: set-up
+title: Einrichten der OpenCloud Android App
+description: Einrichten der OpenCloud Android App
+draft: false
+---
+
+# Einrichtung deines OpenCloud-Kontos
+
+Nach der Installation der App kannst du jetzt dein OpenCloud-Konto einrichten.
+
+## Einrichtung starten
+
+- Wenn du die OpenCloud Android-App zum ersten Mal startest, erscheint folgender Bildschirm.
+
+ Einrichtung starten
+
+- Um ein zusätzliches Konto einzurichten, tippe auf die Schaltfläche „Konten verwalten“ und wähle „Konto hinzufügen“.
+
+ Zusätzliches Konto
+
+## Deine Server-URL eingeben
+
+- Gib die URL deines OpenCloud-Servers ein (z. B. `https://cloud.beispiel.de`)
+- Tippe auf „>“, um fortzufahren.
+
+ Server-URL eingeben
+
+## Die Login-Seite
+
+- Die Login-Seite öffnet sich, und du musst deinen Benutzernamen und dein Passwort eingeben.
+- Tippe anschließend auf „Einloggen“.
+
+- Im folgenden Bildschirm gibst du der App die Berechtigung, auf deine Benutzerinformationen zuzugreifen und eine dauerhafte Verbindung zu deinem Konto herzustellen, indem du auf die Schaltfläche „Zulassen“ tippst.
+
+ Login-Seite öffnen
+ Anmeldung fortsetzen
+
+## Einrichtung abschließen
+
+Sobald der Login abgeschlossen ist, wird dein Konto zur App hinzugefügt.
+
+Dein OpenCloud-Konto ist jetzt vollständig eingerichtet und einsatzbereit!
+
+Konto ist eingerichtet
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/settings.md
new file mode 100644
index 000000000..e4ec9d1ad
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/general/settings.md
@@ -0,0 +1,89 @@
+---
+sidebar_position: 4
+id: settings
+title: Einstellungen
+description: Einstellungen der OpenCloud Android App
+draft: false
+---
+
+# Einstellungen
+
+In den Einstellungen der Android-App können Änderungen vorgenommen werden, wie z. B.:
+
+- Sicherheit
+- Benachrichtigungen verwalten
+- Protokollierung
+- Erweiterte Einstellungen
+ und mehr
+
+Settings
+
+## Userinterface
+
+### 1. Security
+
+Hier kannst du Sperren für den Zugriff auf die App festlegen und Berührungen mit anderen sichtbaren Fenstern zulassen.
+
+### 2. Manage notifications
+
+Hier kannst du Benachrichtigungen der OpenCloud Android-App zulassen.
+
+### 3. Logging
+
+Hier kannst du die Protokollierungsfunktion aktivieren oder deaktivieren und den Speicherort der Protokolldatei festlegen.
+
+### 4. Automatic picture uploads
+
+Hier kannst du Speicherort und Verhalten der automatisch hochgeladenen Bilder verwalten.
+
+### 5. Automatic video uploads
+
+Hier kannst du Speicherort und Verhalten der automatisch hochgeladenen Videos verwalten.
+
+### 6. Advanced
+
+Hier kannst du folgende Optionen einstellen:
+
+#### Show hidden files
+
+- Anzeige versteckter Dateien aktivieren oder deaktivieren.
+
+#### Delete local copies
+
+- Automatisch heruntergeladene Dateien, die nicht offline verfügbar sind, werden entfernt, wenn sie für eine bestimmte Zeit nicht verwendet wurden.
+
+### 7. More
+
+Hier kannst du folgende Optionen einstellen:
+
+#### Help
+
+- Hier findest du Links zu unserer Dokumentationsseite und zu Hilfethemen.
+
+#### Sync your contacts, calendars and tasks
+
+- Hier kannst du einstellen, welche Kontakte, Kalender und Aufgaben mit der OpenCloud Android-App synchronisiert werden.
+
+#### Access document provider
+
+- Vorgeschlagene App, um Dateien über den nativen Android-Dateibrowser zu durchsuchen.
+
+#### Send feedback
+
+- Hier kannst du uns Feedback zu deiner Erfahrung mit der OpenCloud Android-App senden.
+
+#### Recommend to a friend
+
+- Hier kannst du einen Link zum Herunterladen der Android-App weiterleiten.
+
+### 8. Privacy Policy
+
+Hier findest du den vollständigen Eintrag zu unserer Datenschutzrichtlinie.
+
+### 9. What's new in the latest version?
+
+Hier findest du Informationen zu Änderungen und Neuerungen in der neuesten Version der OpenCloud Android-App.
+
+### 10. App version
+
+Hier siehst du, welche App-Version verwendet wird.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/choose-file-type.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/choose-file-type.png
new file mode 100644
index 000000000..c332d51ac
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/choose-file-type.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/create-folder.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/create-folder.png
new file mode 100644
index 000000000..fe378e07f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/create-folder.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/create-new.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/create-new.png
new file mode 100644
index 000000000..27f5c999f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/create-new.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/edit-collabora.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/edit-collabora.png
new file mode 100644
index 000000000..a45531129
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/edit-collabora.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/enter-rename.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/enter-rename.png
new file mode 100644
index 000000000..bd21dc413
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/enter-rename.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/file-moved.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/file-moved.png
new file mode 100644
index 000000000..1e3e7882d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/file-moved.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/new-name-applied.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/new-name-applied.png
new file mode 100644
index 000000000..9cd1a3bf7
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/new-name-applied.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/open-collabora.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/open-collabora.png
new file mode 100644
index 000000000..2cd160b02
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/open-collabora.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-move-or-copy.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-move-or-copy.png
new file mode 100644
index 000000000..7502f321e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-move-or-copy.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-paste.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-paste.png
new file mode 100644
index 000000000..d4ad9ec67
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-paste.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-rename.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-rename.png
new file mode 100644
index 000000000..a7b912180
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/select-rename.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/tap-ok.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/tap-ok.png
new file mode 100644
index 000000000..e03c214c8
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/tap-ok.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/three-dots-move.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/three-dots-move.png
new file mode 100644
index 000000000..1e0a44267
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/three-dots-move.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/three-dots.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/three-dots.png
new file mode 100644
index 000000000..1e0a44267
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/create-rename-move-android/three-dots.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/make-available-offline.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/make-available-offline.png
new file mode 100644
index 000000000..48deeab38
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/make-available-offline.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/marked-offline.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/marked-offline.png
new file mode 100644
index 000000000..4fcffecdb
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/marked-offline.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/three-dots.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/three-dots.png
new file mode 100644
index 000000000..081c1bf88
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/three-dots.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/upload-options.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/upload-options.png
new file mode 100644
index 000000000..1079de399
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/upload-options.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/upload-plus-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/upload-plus-button.png
new file mode 100644
index 000000000..cfabce3fd
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/files-and-folders/upload-make-available-offline-android/upload-plus-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/installation/android-installation.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/installation/android-installation.png
new file mode 100644
index 000000000..b516c104e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/installation/android-installation.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/installation/icon-on-screen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/installation/icon-on-screen.png
new file mode 100644
index 000000000..1d0422dec
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/installation/icon-on-screen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/account-1.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/account-1.png
new file mode 100644
index 000000000..c153b76aa
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/account-1.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/account-2.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/account-2.png
new file mode 100644
index 000000000..f4415c9a0
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/account-2.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/fileslist.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/fileslist.png
new file mode 100644
index 000000000..3a11d07e4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/overview/fileslist.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/search-result.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/search-result.png
new file mode 100644
index 000000000..8bf41bec2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/search-result.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/search-symbol.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/search-symbol.png
new file mode 100644
index 000000000..f5f78e601
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/search-symbol.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/searchbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/searchbar.png
new file mode 100644
index 000000000..2b85d863c
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/search/searchbar.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/account-set-up.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/account-set-up.png
new file mode 100644
index 000000000..6ca0dc7cd
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/account-set-up.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/additional-account.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/additional-account.png
new file mode 100644
index 000000000..639edd194
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/additional-account.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/continue-sign-in.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/continue-sign-in.png
new file mode 100644
index 000000000..6128f26e0
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/continue-sign-in.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/enter-server-url.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/enter-server-url.png
new file mode 100644
index 000000000..35d49b60d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/enter-server-url.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/open-login-page.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/open-login-page.png
new file mode 100644
index 000000000..ac3243f44
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/open-login-page.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/start-setup.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/start-setup.png
new file mode 100644
index 000000000..cb68cc513
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/set-up/start-setup.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/settings/settings.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/settings/settings.png
new file mode 100644
index 000000000..fb087e6b3
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/settings/settings.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/invite-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/invite-menue.png
new file mode 100644
index 000000000..cf6edd318
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/invite-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/invite-option.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/invite-option.png
new file mode 100644
index 000000000..2eeb23f15
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/invite-option.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/permissions.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/permissions.png
new file mode 100644
index 000000000..bd1be6770
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/permissions.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/searchbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/searchbar.png
new file mode 100644
index 000000000..cf83b2fb7
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/searchbar.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/shared-with.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/shared-with.png
new file mode 100644
index 000000000..25e881a5b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/shared-with.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/sharing-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/sharing-button.png
new file mode 100644
index 000000000..2e025f7fb
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/sharing-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/three-dot-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/three-dot-menue.png
new file mode 100644
index 000000000..667b47de3
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/invite/three-dot-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/create-link-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/create-link-button.png
new file mode 100644
index 000000000..aa0f502f6
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/create-link-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/create-link-options.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/create-link-options.png
new file mode 100644
index 000000000..77bff0c7b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/create-link-options.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/created-link.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/created-link.png
new file mode 100644
index 000000000..6491ab9f4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/created-link.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/expiration-date.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/expiration-date.png
new file mode 100644
index 000000000..3ff37f3ab
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/expiration-date.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/password.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/password.png
new file mode 100644
index 000000000..b949382dd
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/password.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/share-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/share-button.png
new file mode 100644
index 000000000..d2d3a4352
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/share-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/sharing-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/sharing-button.png
new file mode 100644
index 000000000..2e025f7fb
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/sharing-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/three-dot-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/three-dot-menue.png
new file mode 100644
index 000000000..667b47de3
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shares/links/three-dot-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/create-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/create-button.png
new file mode 100644
index 000000000..153f12615
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/create-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/created-shortcut.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/created-shortcut.png
new file mode 100644
index 000000000..0e78f28f1
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/created-shortcut.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/plus-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/plus-button.png
new file mode 100644
index 000000000..41268f1a8
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/plus-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/shortcut-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/shortcut-menue.png
new file mode 100644
index 000000000..b3b0e52b6
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/shortcut-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/shortcut-name.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/shortcut-name.png
new file mode 100644
index 000000000..e5869e75d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/shortcut-name.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/url.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/url.png
new file mode 100644
index 000000000..2b595881f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/shortcuts/url.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/search-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/search-button.png
new file mode 100644
index 000000000..51cb9a766
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/search-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/search-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/search-menue.png
new file mode 100644
index 000000000..996affaef
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/search-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-button.png
new file mode 100644
index 000000000..49706c6b7
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-overview.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-overview.png
new file mode 100644
index 000000000..ca0964dca
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-overview.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-plus-symbol-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-plus-symbol-menue.png
new file mode 100644
index 000000000..44e50695e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-plus-symbol-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-plus-symbol.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-plus-symbol.png
new file mode 100644
index 000000000..d6bcb82a4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/img/spaces/spaces-plus-symbol.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/index.md
new file mode 100644
index 000000000..f3fb0795a
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/index.md
@@ -0,0 +1,30 @@
+---
+sidebar_position: 0
+id: android-app-overview
+title: OpenCloud Android App
+---
+
+# OpenCloud Android App
+
+Die OpenCloud Android App bietet mobilen Zugriff auf Ihre Dateien, Spaces und Freigaben. Sie ist für den schnellen
+Zugriff unterwegs ausgelegt und unterstützt die Einrichtung, Suche, Verknüpfungen und die Dateiverwaltung.
+
+## In diesem Abschnitt
+
+- [Allgemeines](./general/)
+ Installieren Sie die App, richten Sie sie ein und lernen Sie die wichtigsten Bereiche und Einstellungen kennen.
+
+- [Dateien und Ordner](./files-and-folders/)
+ Erstellen und bearbeiten Sie Inhalte, laden Sie Dateien hoch und machen Sie Elemente offline verfügbar.
+
+- [Spaces](./spaces.md)
+ Arbeiten Sie mit Spaces und den verfügbaren Aktionen in Android.
+
+- [Suche](./search.md)
+ Finden Sie Dateien und Ordner direkt in der Android App.
+
+- [Verknüpfungen](./shortcuts.md)
+ Erstellen Sie Verknüpfungen zu Dateien oder Weblinks.
+
+- [Freigaben](./shares/)
+ Laden Sie Personen ein und erstellen Sie Freigabelinks direkt in der Android App.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/search.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/search.md
new file mode 100644
index 000000000..7fca128dd
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/search.md
@@ -0,0 +1,29 @@
+---
+sidebar_position: 4
+id: search
+title: Suche
+description: Suche in der Android-App
+draft: false
+---
+
+# Suchfunktion
+
+Hier erklären wir, wie du die Suchfunktion in der OpenCloud Android-App verwendest.
+
+## Suchsymbol
+
+Wechsle in den Space, in dem du suchen möchtest, und tippe auf das Suchsymbol, um die Suchfunktion zu öffnen.
+
+Lupensymbol
+
+## Suchleiste
+
+In der Suchleiste kannst du nach Datei- oder Ordnernamen suchen.
+
+Suchleiste
+
+## Suchergebnis
+
+In diesem Bereich werden die Suchergebnisse angezeigt.
+
+Suchergebnisse
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shares/invite.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shares/invite.md
new file mode 100644
index 000000000..7003599cb
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shares/invite.md
@@ -0,0 +1,55 @@
+---
+sidebar_position: 1
+id: invite
+title: Einladen zum Teilen
+description: Einladen zum Teilen
+draft: false
+---
+
+# Dateien und Ordner per Einladung mit Personen und Gruppen teilen
+
+Hier erklären wir, wie man Dateien und Ordner per Einladung mit anderen Personen und Gruppen innerhalb deiner OpenCloud in der OpenCloud Android-App teilen kann.
+
+## Drei-Punkte-Menü
+
+Klicke auf das „Drei-Punkte-Menü“ neben der Datei oder dem Ordner.
+
+Three-dot menue
+
+## Teilen
+
+Wähle nun den Menüpunkt „Teilen“ aus.
+
+Shareing-Button
+
+## Benutzer und Gruppen
+
+In der folgenden Auswahl klicke auf das Plus bei „Benutzer und Gruppen“.
+
+Share with
+
+## Teilen-Menü
+
+Das Teilen-Menü öffnet sich, dort kannst du in der Suchleiste nach Personen oder Gruppen suchen, die du einladen möchtest.
+
+Share with menue
+Search bar
+
+## Berechtigungen
+
+Um die Freigabeberechtigungen einzustellen, klicke auf das Stiftsymbol neben dem Papierkorb-Symbol.
+
+Permissions
+
+- Erstellen:
+ Nutzer können Dateien und Ordner erstellen und hochladen.
+- Ändern:
+ Nutzer können Dateien und Ordner bearbeiten.
+- Löschen:
+ Nutzer können Dateien und Ordner löschen.
+
+## Erstellen
+
+Sobald die Einladung erstellt ist, siehst du sie in der Datei- oder Ordnerübersicht.
+
+Shared with
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shares/links.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shares/links.md
new file mode 100644
index 000000000..70b6c2bf8
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shares/links.md
@@ -0,0 +1,63 @@
+---
+sidebar_position: 2
+id: links
+title: Per Link teilen
+description: Per Link teilen
+draft: false
+---
+
+# Dateien und Ordner per Link teilen
+
+Hier erklären wir, wie man Dateien und Ordner per Link mit anderen in der OpenCloud Android-App teilen kann.
+
+## Drei-Punkte-Menü
+
+Klicke auf das Drei-Punkte-Menü neben der Datei oder dem Ordner.
+
+Three-dot menue
+
+## Teilen
+
+Wähle nun den Menüpunkt „Teilen“ aus.
+
+Share
+
+## Öffentlicher Link
+
+In der folgenden Auswahl klicke auf „Öffentliche Links“.
+
+Create link
+
+## Link erstellen
+
+Hier kannst du verschiedene Optionen für den zu erstellenden Link auswählen und festlegen.
+
+Overview link menue
+
+- Linkname
+
+ Gib hier einen Namen für deinen Link ein.
+
+- Passwort
+
+ Ein Passwort ist erforderlich. Bitte gib eines ein, um fortzufahren.
+
+Password
+
+- Ablaufdatum
+
+ Hier kannst du eine Zeitspanne festlegen, wie lange der Link verfügbar sein soll.
+
+Link expiration date
+
+## Link speichern
+
+Um den Link zu erstellen, musst du nun auf „Speichern“ klicken.
+
+Share
+
+## Erstellter Link
+
+Sobald der Link erstellt ist, siehst du ihn mit dem vergebenen Namen in der Datei- oder Ordnerübersicht.
+
+created link
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shortcuts.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shortcuts.md
new file mode 100644
index 000000000..4c623e18f
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/shortcuts.md
@@ -0,0 +1,47 @@
+---
+sidebar_position: 5
+id: shortcuts
+title: Verlinkungen in der OpenCloud Android App
+description: Verlinkungen
+draft: false
+---
+
+# Verlinkung in der OpenCloud Android-App
+
+Hier zeigen wir dir, wie du Verlinkungen in der Android-App erstellen kannst.
+
+## Plus-Symbol
+
+Klicke auf das „Plus-Symbol“ und wähle „New Shortcut“ aus.
+
+Plus button
+
+## Verlinkungs-Menü
+
+Ein Menü öffnet sich mit Optionen für Verlinkungen.
+
+Shortcut menue
+
+## URL eingeben
+
+Um eine Verlinkung zu einer Webseite zu erstellen, gib die Adresse der Webseite unter „URL“ ein.
+
+URL
+
+## Verlinkungsnamen eingeben
+
+Hier gibst du einen Namen für die Verlinkung ein, unter dem sie angezeigt wird.
+
+Name of the shortcut
+
+## Erstellen-Button
+
+Um die Verlinkung zu erstellen, klicke auf „Create“.
+
+Create button
+
+## Erstellte Verlinkung
+
+Deine erstellte Verlinkung wird nun angezeigt und kann verwendet werden.
+
+Shortcut
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/spaces.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/spaces.md
new file mode 100644
index 000000000..155f85776
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/android-app/spaces.md
@@ -0,0 +1,57 @@
+---
+sidebar_position: 6
+id: spaces
+title: Spaces
+description: Spaces in der OpenCloud Android App
+draft: false
+---
+
+# Der Bereich „Verlinkungen“ in der OpenCloud Android-App
+
+Der Bereich „Verlinkungen“ bietet einen zentralen Ort für die Zusammenarbeit in Gruppen oder Teams. In einem Space können mehrere Nutzer gemeinsam auf Dateien und Ordner zugreifen, Inhalte organisieren und Änderungen nachvollziehen.
+
+## Space-Übersicht
+
+Um die Space-Übersicht zu öffnen, tippe auf den „Spaces-Button“ in der unteren Leiste des Bildschirms.
+
+Spaces Button
+
+Anschließend erscheint die Space-Übersicht, in der alle Spaces aufgelistet sind, in denen du Mitglied bist oder die du selbst erstellt hast.
+
+Spaces Overview
+
+## Suchfunktion
+
+Durch Tippen auf das Suchsymbol öffnet sich die Suchleiste sowie das Suchmenü für Spaces.
+
+Search Function
+
+Search Menue
+
+## Funktionen innerhalb eines Spaces
+
+Durch Tippen auf das Plus-Symbol erscheinen die verfügbaren Funktionen innerhalb eines Spaces.
+
+Plus Icon
+
+Functions in Spaces
+
+## Erstellen-Menü
+
+Dieser Abschnitt beschreibt die verfügbaren Aktionen im Erstellen-Menü eines Spaces.
+
+### 1. Hochladen
+
+Dateien vom Gerät auswählen und in den Space hochladen.
+
+### 2. Neuer Ordner
+
+Neue Ordner erstellen, um Inhalte übersichtlich zu strukturieren.
+
+### 3. Neues Dokument
+
+Ein neues Dokument direkt im Space erstellen – ohne separate App.
+
+### 4. Neue Verlinkung
+
+Eine Verlinkung zu einer Datei oder einem Ordner im Space erstellen, um schnellen Zugriff zu ermöglichen.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/collabora.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/collabora.md
new file mode 100644
index 000000000..081d52661
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/collabora.md
@@ -0,0 +1,39 @@
+---
+sidebar_position: 10
+id: collabora
+title: Collabora in OpenCloud
+description: Collabora in OpenCloud
+draft: false
+---
+
+# Collabora Online in OpenCloud
+
+Collabora Online ermöglicht es Ihnen, Dokumente (Textdokumente, Tabellenkalkulationen, Präsentationen) direkt in Ihrem Browser zu erstellen und zu bearbeiten – ganz ohne zusätzliche Software.
+Die Integration mit OpenCloud bietet einen nahtlosen Zugriff auf Ihre Dateien und ermöglicht die Zusammenarbeit in Echtzeit.
+
+## Funktionen in OpenCloud
+
+### Dateien direkt aus der Cloud öffnen
+
+Alle in OpenCloud gespeicherten Dokumente können direkt in Collabora geöffnet werden.
+
+### Gemeinsame Bearbeitung
+
+Mehrere Benutzer können gleichzeitig am selben Dokument arbeiten, wobei Änderungen in Echtzeit synchronisiert werden.
+
+### Bilder aus OpenCloud einfügen
+
+Sie können Bilder, die in OpenCloud gespeichert sind, direkt in Ihre Dokumente einfügen.
+
+### Automatisches Speichern und Versionierung
+
+Änderungen werden automatisch gespeichert, und alle Versionen bleiben innerhalb von OpenCloud erhalten.
+
+### Unterstützte Formate
+
+Collabora Online unterstützt gängige Office-Formate wie `.odt`, `.docx`, `.ods`, `.xlsx`, `.odp` und weitere.
+
+## Hinweise
+
+- Die Leistung hängt von Ihrer Internetverbindung und der Größe des Dokuments ab.
+- Für erweiterte Funktionen oder detaillierte Anleitungen verweisen wir auf die [offizielle Collabora-Online-Dokumentation](https://www.collaboraoffice.com/collabora-online/).
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/common-issues.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/common-issues.md
new file mode 100644
index 000000000..fe884261a
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/common-issues.md
@@ -0,0 +1,60 @@ +--- +sidebar_position: 11 +id: common-issues +title: Häufige Probleme & Hilfe +description: Häufige Probleme & Hilfe +draft: false +--- + +# Häufige Probleme & Hilfe + +## Symlinks werden mit dem Desktop-Client nicht synchronisiert + +### Problem + +Symbolische Links (Symlinks) werden vom OpenCloud Desktop-Client nicht synchronisiert. Nutzer stellen häufig fest, dass verlinkte Ordner oder Dateien fehlen oder nicht zugänglich sind. + +### Erklärung + +Symlinks werden aus mehreren wichtigen Gründen bewusst von der Synchronisation ausgeschlossen: + +- Nicht portabel: Symlinks verweisen oft auf Pfade, die nur auf dem ursprünglichen Rechner existieren. Auf einem anderen Gerät ist der Zielpfad in der Regel nicht vorhanden. +- Nicht im Webinterface nutzbar: Das Webinterface kann Symlinks nicht interpretieren oder darstellen. +- Problematisch unter Windows: Die Unterstützung von Symlinks unter Windows ist eingeschränkt und inkonsistent. +- Gefahr von Endlosschleifen: Symlinks könnten aufeinander verweisen und so zu einer endlosen Synchronisationsschleife führen. +- Identitätsverlust: Wenn der Client dem Symlink folgen und das Ziel synchronisieren würde, entstünde lediglich eine reguläre Kopie. Die Eigenschaft als Symlink ginge dabei verloren. + +### Lösung + +#### Ordner außerhalb des Synchronisationsverzeichnisses mit Symlinks einbinden + +Wenn Sie einen Ordner außerhalb Ihres Synchronisationsverzeichnisses (Sync-Root) synchronisieren möchten, können Sie diesen in die Sync-Root verschieben und am ursprünglichen Ort durch einen Symlink ersetzen. + +##### Beispiel + +Sie möchten den Ordner `/foo/A` synchronisieren, aber Ihre Sync-Root ist `/home/bar/OpenCloud/Personal`. + +1. Verschieben Sie den Ordner in die Sync-Root (in ein geeignetes Unterverzeichnis): + + ```bash + mkdir -p /home/bar/OpenCloud/Personal/foo/ + mv /foo/A /home/bar/OpenCloud/Personal/foo/A + ``` + +2. 
Erstellen Sie einen Symlink: + + ```bash + ln -s /home/bar/OpenCloud/Personal/foo/A /foo/A + ``` + +## Dateien mit "~$" im Namen werden nicht synchronisiert + +Der OpenCloud Desktop Client synchronisiert keine Dateien, die mit `~$` beginnen, wie z. B. `~$document.docx`. +Dabei handelt es sich um temporäre Sperrdateien, die von Microsoft Office-Anwendungen (Word, Excel, PowerPoint) erstellt werden, solange ein Dokument geöffnet ist. + +Anzeige, dass ~$ Dateien von der Synchronisierung ausgeschlossen sind + +Es sind keine eigentlichen Inhaltsdateien, sondern interne Marker, die verhindern sollen, dass mehrere Benutzer gleichzeitig dasselbe Dokument bearbeiten. +Sobald die Datei geschlossen wird, entfernt Office die `~$`-Datei automatisch. + +Weitere Informationen finden Sie in dem [Microsoft-Supportartikel zu temporären Office-Sperrdateien von Word/Excel/PowerPoint](https://support.microsoft.com/en-gb/topic/-the-document-is-locked-for-editing-by-another-user-error-message-when-you-try-to-open-a-document-in-word-10b92aeb-2e23-25e0-9110-370af6edb638?). diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/_category_.json new file mode 100644 index 000000000..f1046237c --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "OpenCloud Desktop Client", + "position": 6, + "link": { + "type": "doc", + "id": "desktop-client-overview" + } +} diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/conflict-files.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/conflict-files.md new file mode 100644 index 000000000..ef3cf4da0 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/conflict-files.md 
@@ -0,0 +1,54 @@ +--- +sidebar_position: 10 +id: file-conflicts +title: Dateikonflikte handhaben +description: Wie Dateikonflikte handhaben +draft: false +--- + +# Behebung von Dateikonflikten im OpenCloud Desktop-Client + +Wenn Dateien sowohl lokal als auch auf dem Server geändert werden, bevor eine Synchronisierung stattfindet, erstellt der Desktop-Client sogenannte „Konfliktkopien“. Beispiele: + +- `conflict.txt` (Server-Version) +- `conflict (conflicted copy JJJJ-MM-TT HHMMSS).txt` (lokale Version) + +Konfliktdateien im Explorer + +Dies passiert in der Regel, wenn: + +- sich die lokale und die Server-Version einer Datei gleichzeitig verändern, +- und die App diese Änderungen nicht automatisch zusammenführen kann. + +## Wie Sie benachrichtigt werden + +In der Übersicht des Desktop-Clients erscheint eine Benachrichtigung, wenn Konfliktdateien erkannt wurden. +Das bedeutet, dass mehrere Versionen derselben Datei existieren – häufig, weil Änderungen auf verschiedenen Geräten vorgenommen wurden, bevor eine Synchronisierung erfolgen konnte. +Die Benachrichtigung dient als Hinweis, dass Sie die Konflikte prüfen und entscheiden sollten, wie die Versionen zusammengeführt oder behalten werden. + +Benachrichtigung zu Dateikonflikten im Desktop-Client + +## So lösen Sie Dateikonflikte manuell + +1. Öffnen Sie beide Dateien (das Original und die Konfliktkopie). +2. Vergleichen und kombinieren Sie die Unterschiede manuell. +3. Bearbeiten Sie die ursprüngliche Datei (`conflict.txt`), um alle relevanten Änderungen zu übernehmen. +4. Löschen Sie die Konfliktkopie, sobald die Änderungen zusammengeführt wurden. +5. Lassen Sie die aktualisierte Originaldatei bestehen – die Synchronisierung wird dann wie gewohnt fortgesetzt. + +## Good Practices zur Vermeidung von Konflikten + +- Vermeiden Sie es, dieselbe Datei gleichzeitig auf mehreren Geräten zu bearbeiten. +- Warten Sie immer, bis die Synchronisierung abgeschlossen ist, bevor Sie lokale Änderungen vornehmen. 
+ +## Warum Konfliktdateien entstehen + +Der Desktop-Client erkennt einen Konflikt, wenn: + +- sowohl die lokale als auch die Server-Version einer Datei seit der letzten Synchronisierung geändert wurden, +- der Abgleich anhand von Datei-IDs und Checksummen erfolgt – nicht nur anhand von Zeitstempeln. +- zur Sicherheit beide Versionen erhalten bleiben, wobei die lokale Datei mit `"(conflicted copy ...)"` umbenannt wird. + +Konfliktdateien entstehen lokal und erscheinen nicht automatisch auf dem Server – es sei denn, sie werden ausdrücklich hochgeladen. + +Treten Konflikte häufig auf – auch bei einfachen Änderungen – kann dies auf Berechtigungsprobleme, schreibgeschützte Dateien oder darauf hinweisen, dass dieselben Dateien zusätzlich über andere Tools synchronisiert werden. In diesem Fall sollten Sie die Protokolle und Dateiattribute prüfen. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/desktop-client-states.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/desktop-client-states.md new file mode 100644 index 000000000..0f1eba704 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/desktop-client-states.md 
@@ -0,0 +1,106 @@ +--- +sidebar_position: 5 +id: desktop-client-states +title: Status des Desktop-Clients +description: Symbole des Desktop-Client-Status +draft: false +--- + +## Symbole des Desktop-Client-Status verstehen + +Der OpenCloud Desktop-Client verwendet Tray-Symbole, um den aktuellen Synchronisations- und Verbindungsstatus anzuzeigen. So erkennen Sie schnell, ob alles normal funktioniert oder ob Handlungsbedarf besteht. + +## Kurzübersicht + +| Symbol | Status | Bedeutung | Typische Aktion | +| ------------------------------------------------------------------------------------------------------------------------------------- | ---------------------- | ------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | +| Bereit-Status | Bereit | Der Client ist verbunden und alle Dateien sind auf dem neuesten Stand. | Keine Aktion erforderlich. | +| Synchronisierung-Status | Synchronisierung läuft | Dateien werden gerade hoch- oder heruntergeladen. | Warten Sie, bis die Synchronisierung abgeschlossen ist. | +| Pausiert-Status | Pausiert | Die Synchronisierung wurde vorübergehend angehalten. | Setzen Sie die Synchronisierung fort, wenn Sie bereit sind. | +| Offline-Status | Offline | Der Client kann keine Verbindung zum OpenCloud-Server herstellen. | Prüfen Sie Ihre Netzwerkverbindung und die Erreichbarkeit des Servers. | +| Informations-Status | Information | Der Client zeigt eine nicht kritische Informationsmeldung an. | Lesen Sie die Meldung bei Bedarf im Detail. | +| Fehler-Status | Fehler | Der Client ist auf ein Problem gestoßen, das die normale Synchronisierung verhindert. | Öffnen Sie den Client und beheben Sie das gemeldete Problem. | + +## Bereit + +Das Symbol „Bereit“ wird angezeigt, wenn der Desktop-Client mit OpenCloud verbunden ist und keine Synchronisierung stattfindet. 
+ +- Mit OpenCloud verbunden +- Keine aktiven Dateiübertragungen +- Alle Dateien sind auf dem neuesten Stand + +Bereit-Status + +Es ist keine Aktion erforderlich. Ihre Dateien sind vollständig synchronisiert. + +## Synchronisierung + +Das Symbol „Synchronisierung“ zeigt an, dass Dateien gerade hoch- oder heruntergeladen werden. + +- Dateien werden synchronisiert +- Änderungen werden gerade verarbeitet +- Der Client kommuniziert mit dem Server + +Synchronisierung-Status + +Warten Sie, bis die Synchronisierung abgeschlossen ist, bevor Sie Ihr Gerät herunterfahren. + +## Pausiert + +Das Symbol „Pausiert“ erscheint, wenn die Synchronisierung vorübergehend angehalten wurde. + +- Die Synchronisierung ist gestoppt +- Es werden keine Dateien übertragen +- Lokale und entfernte Änderungen werden nicht synchronisiert + +Pausiert-Status + +Setzen Sie die Synchronisierung über das Menü des Desktop-Clients fort, wenn Sie wieder synchronisieren möchten. + +## Offline + +Das Symbol „Offline“ zeigt an, dass der Desktop-Client derzeit keine Verbindung zum OpenCloud-Server herstellen kann. + +- Keine Verbindung zum Server +- Synchronisierung ist nicht verfügbar +- Lokale Dateien bleiben zugänglich + +Offline-Status + +Häufige Ursachen sind: + +- Keine Internetverbindung +- Server nicht verfügbar +- DNS- oder Netzwerkprobleme +- Firewall-Einschränkungen + +Prüfen Sie Ihre Netzwerkverbindung und stellen Sie sicher, dass der OpenCloud-Server erreichbar ist. + +## Information + +Das Symbol „Information“ wird für Hinweise verwendet, die keine sofortige Aktion erfordern. + +- Allgemeine Hinweise +- Nicht kritische Ereignisse +- Informationsmeldungen des Clients + +Informations-Status + +Prüfen Sie die Meldung bei Bedarf für weitere Details. + +## Fehler + +Das Symbol „Fehler“ zeigt an, dass der Desktop-Client auf ein Problem gestoßen ist, das die normale Synchronisierung verhindert. 
+ +- Synchronisierung fehlgeschlagen +- Probleme mit der Authentifizierung +- Konfigurationsprobleme +- Fehler beim Dateizugriff oder bei Berechtigungen + +Fehler-Status + +Öffnen Sie den Desktop-Client und prüfen Sie den gemeldeten Fehler. Die Synchronisierung kann erst fortgesetzt werden, wenn das Problem behoben wurde. + +:::info +Das visuelle Erscheinungsbild und die Farbgebung der Symbole in der Taskleiste (Windows), im Dock (macOS) oder im System-Tray bzw. Panel (Linux) können je nach Betriebssystem variieren. +::: diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/file-names.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/file-names.md new file mode 100644 index 000000000..a0d210ce5 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/file-names.md 
@@ -0,0 +1,67 @@
+---
+sidebar_position: 11
+id: file-names
+title: Dateinamensbeschränkungen
+description: Dateinamensbeschränkungen im OpenCloud Desktop-Client
+draft: false
+---
+
+# Dateinamensbeschränkungen im OpenCloud Desktop-Client
+
+Bei der Verwendung des OpenCloud Desktop-Clients müssen Datei- und Ordnernamen bestimmte Anforderungen des Betriebssystems (OS) erfüllen, um eine reibungslose Synchronisierung zwischen verschiedenen Plattformen zu gewährleisten.
+Diese Einschränkungen werden nicht von OpenCloud erzwungen, sondern stammen aus systembedingten Beschränkungen.
+
+## Wichtige Richtlinien
+
+- Verwenden Sie keine verbotenen Zeichen oder reservierten Namen in Dateinamen – unabhängig vom Betriebssystem.
+- Wenn Sie von Linux/macOS zu einer Windows-basierten Freigabe synchronisieren, stellen Sie sicher, dass die Dateinamen mit den Windows-Benennungsregeln kompatibel sind.
+- Um unter Linux/macOS beim Synchronisieren mit Windows nur die Groß-/Kleinschreibung zu ändern (z. B. `File.txt` → `file.txt`), benennen Sie die Datei zunächst in einen komplett neuen Namen um, lassen Sie sie synchronisieren und benennen Sie sie danach in den gewünschten Namen um.
+
+## Häufige Einschränkungen
+
+### a. Maximale Pfadlänge
+
+Windows begrenzt Dateipfade standardmäßig auf 260 Zeichen.
+Wenn Ihr Synchronisierungs-Stammverzeichnis diesen Wert überschreitet, zeigt der Desktop-Client folgende Warnung an:
+„The path 'YOUR.LONG.PATH' is too long. Please enable long paths in the Windows settings or choose a different folder.“
+
+Unter Windows 10 und neuer kann diese Beschränkung aufgehoben werden, indem "Long Paths" aktiviert werden. Siehe [Microsoft-Dokumentation](https://learn.microsoft.com/de-de/windows/win32/fileio/maximum-file-path-limitation?tabs=registry#enable-long-paths-in-windows-10-version-1607-and-later).
+
+### b. 
Verbotene Zeichen
+
+| Betriebssystem | Verbotene Zeichen |
+| -------------- | ------------------------------- | ------------ |
+| Windows | `<`, `>`, `:`, `"`, `/`, `\`, ` | `, `?`, `\*` |
+
+### c. Nicht druckbare ASCII-Zeichen
+
+- Linux/macOS: NUL (Zeichencode 0)
+- Windows: ASCII 0 – 31
+
+Auch wenn diese Zeichen auf manchen Systemen gültig sind, führen sie häufig zu Problemen bei der Synchronisierung.
+
+### d. Reservierte Dateinamen (Windows)
+
+Vermeiden Sie die Verwendung folgender Dateinamen:
+`CON`, `PRN`, `AUX`, `NUL`, `COM1` – `COM9`, `LPT1` – `LPT9`
+
+### e. Besondere Regeln
+
+- Unter Linux/macOS beim Synchronisieren zu SMB können Dateinamen, die sich nur in der Groß-/Kleinschreibung unterscheiden, zu Konflikten führen – benennen Sie Dateien eindeutig, um Fehler zu vermeiden.
+- Unter Windows dürfen Dateinamen nicht mit einem Leerzeichen oder Punkt (`.`) enden.
+
+## Beispiel
+
+Das Erstellen einer Datei mit dem Namen `example.` oder `example.LPT1` unter macOS kann zwar erfolgreich mit OpenCloud synchronisiert werden.
+Beim Zugriff über einen Windows-Client werden diese Dateien jedoch möglicherweise abgelehnt, da sie gegen reservierte Namens- oder Formatregeln verstoßen, was zu inkonsistentem Synchronisierungsverhalten zwischen Geräten führt.
+
+## Zusammenfassung
+
+| Einschränkungstyp | Maßnahme |
+| ------------------------- | ------------------------------------------------------ |
+| Pfadlänge | Pfade unter ~260 Zeichen halten (außer bei Long Paths) |
+| Verbotene Zeichen | Nicht erlaubte Zeichen aus Namen entfernen |
+| Steuerzeichen | Nicht druckbare ASCII-Zeichen vermeiden |
+| Reservierte Dateinamen | Keine Windows-reservierten Namen verwenden |
+| Nur Groß-/Kleinschreibung | Vorher temporär umbenennen, dann synchronisieren |
+| Endzeichen | Keine Dateinamen mit Leerzeichen oder Punkt beenden |
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/logging.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/logging.md
new file mode 100644
index 000000000..4f4702095
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/logging.md
@@ -0,0 +1,61 @@
+---
+sidebar_position: 5
+id: logging
+title: Logfiles sammeln
+description: Logfiles sammeln in OpenCloud
+draft: false
+---
+
+# Protokollierung in einem temporären Verzeichnis in OpenCloud Desktop
+
+Wenn Sie Protokolle für die Fehlersuche erstellen müssen, gehen Sie wie folgt vor:
+
+## Öffnen Sie die Log-Einstellungen
+
+- Klicken Sie auf Einstellungen → Erweitert → Log-Einstellungen
+
+logging access
+
+## Aktivieren Sie die Protokollierung
+
+- Aktivieren Sie im Fenster Protokollausgabe das Kontrollkästchen Protokollierung in temporärem Ordner aktivieren.
+- Um dem Support-Team und den Entwicklern zu helfen, ist es hilfreich, das Log Http traffic zu aktivieren
+
+enable logging
+
+## Finden Sie die Log-Dateien
+
+- Klicken Sie auf Ordner öffnen, um auf die Protokolle zuzugreifen.
+
+open logfile folder
+
+- Wählen Sie die Protokolldateien für den Zeitraum aus, in dem das Problem aufgetreten ist.
+
+logfiles overview
+
+:::note
+Diese Protokolle können helfen, Probleme mit OpenCloud Desktop zu diagnostizieren und zu beheben.
+:::
+
+### Log Inhalt Beschreibung
+
+`25-02-17 09:02:35:174 [ info sync.httplogger ]: REQUEST 3710cc12-7391-4793-8e89-00499dc11983 {„request“:{„body“:{„length“:0},„header“:{„accept“:„*/*“,„accept-language“:„en_DE“,„original-request-id“:„3710cc12-7391-4793-8e89-00499dc11983“,„user-agent“:"Mozilla/5. 0 (Macintosh) mirall/1.0.0-git (OpenCloud, macos-24. 
3.0 ClientArchitecture: x86_64 OsArchitecture: arm64)„,“x-request-id„:“3710cc12-7391-4793-8e89-00499dc11983„},“info„:{“cached„:false,“id„:“3710cc12-7391-4793-8e89-00499dc11983„,“method„:“GET„,“url„:“https://cloud.opencloud.test/.well-known/openid-configuration"}}}`
+
+| Log Inhalt | Beschreibung |
+| ------------------------------------ | --------------------------------------------------------------------- |
+| 25-02-17 09:02:35:174 | Zeitstempel der Anfrage |
+| [ info sync.httplogger ] | Bezeichnung der Protokollkategorie |
+| 3710cc12-7391-4793-8e89-00499dc11983 | X-REQUEST-ID (wird verwendet, um Anfragen und Antworten abzugleichen) |
+| Header: { } | Liste der HTTP-Header |
+| Data: [] | HTTP-Bodies (JSON, XML) |
+| (112ms) | Antwortzeit (seit Absenden der Anfrage) |
+
+### X-REQUEST-ID für die Fehlersuche verwenden
+
+- Die OpenCloud-Desktop-Anwendung sendet mit jeder Anfrage einen X-REQUEST-ID-Header.
+- Diese ID hilft bei der Suche nach entsprechenden Anfragen und Antworten in den Protokollen.
+- Sie können Ihren Webserver so konfigurieren, dass er die X-REQUEST-ID zu seinen Protokollen hinzufügt, um eine tiefere Analyse zu ermöglichen.
+
+:::note
+Diese Funktion ist nützlich für die Fehlersuche bei Synchronisationsproblemen, die Überwachung von Netzwerkaktivitäten und die Behebung von Verbindungsproblemen.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/multiple-accounts.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/multiple-accounts.md
new file mode 100644
index 000000000..17f6139af
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/common-functionality/multiple-accounts.md
@@ -0,0 +1,44 @@
+---
+sidebar_position: 8
+id: multiple-accounts
+title: Mehrere Konten einrichten
+description: Nutzung von mehreren Konten in OpenCloud Desktop
+draft: false
+---
+
+# Mehrere Konten in OpenCloud Desktop verwenden
+
+Sie können mehrere Konten von verschiedenen OpenCloud-Servern mit Ihrem lokalen Rechner synchronisieren. Dies ermöglicht Ihnen, Dateien von verschiedenen Instanzen innerhalb desselben Desktop-Clients zu verwalten.
+
+## Wie man ein neues Konto hinzufügt
+
+- Öffnen Sie den OpenCloud Desktop
+- Klicken Sie auf Konto hinzufügen
+
+add accounts
+
+- Folgen Sie dem standard Einrichtungsprozess:
+ - Geben Sie die Server-URL ein
+ - Melden Sie sich mit Ihren Anmeldedaten an
+ - Autorisieren Sie den Zugang
+
+## Wechseln zwischen Konten
+
+- Nachdem Sie mehrere Konten hinzugefügt haben, werden diese in der Kontoübersicht im Einstellungsmenü angezeigt
+- Sie können einfach zwischen ihnen wechseln, um die Synchronisierungseinstellungen für jedes Konto separat zu verwalten
+
+switch accounts
+
+## Wie Dateien lokal gespeichert werden
+
+- In Ihrem Datei-Explorer hat jedes Konto einen eigenen Ordner
+- Standardmäßig sind die Ordner benannt:
+ - OpenCloud (für das erste Konto)
+ - OpenCloud (2) (für das zweite Konto)
+ - OpenCloud (3) (für das dritte Konto), und so weiter
+
+multiple accounts in explorer or finder
+
+:::note
+Diese Einrichtung stellt sicher, dass Dateien von verschiedenen Konten organisiert bleiben und nicht vermischt werden.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/conflict-files/conflict-file.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/conflict-files/conflict-file.png
new file mode 100644
index 000000000..444ed1d0c
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/conflict-files/conflict-file.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/conflict-files/conflict-info.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/conflict-files/conflict-info.png
new file mode 100644
index 000000000..f2f2de293
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/conflict-files/conflict-info.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_error-petrol-colour.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_error-petrol-colour.png
new file mode 100644
index 000000000..d56597ca7
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_error-petrol-colour.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_info-petrol-colour.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_info-petrol-colour.png
new file mode 100644
index 000000000..a88ac03e0
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_info-petrol-colour.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_logo-petrol.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_logo-petrol.png
new file mode 100644
index 000000000..7e3bb5e64
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_logo-petrol.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_offline-petrol-colour.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_offline-petrol-colour.png
new file mode 100644
index 000000000..24f10f8b9
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_offline-petrol-colour.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_pause-petrol-colour.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_pause-petrol-colour.png
new file mode 100644
index 000000000..f97c08fe5
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_pause-petrol-colour.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_sync-petrol-colour.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_sync-petrol-colour.png
new file mode 100644
index 000000000..90e82d173
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/desktop-client-states/ocl-ui_sync-petrol-colour.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-access.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-access.png
new file mode 100644
index 000000000..a5ff0436e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-access.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-enable.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-enable.png
new file mode 100644
index 000000000..5b8cdc414
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-enable.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-logfiles.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-logfiles.png
new file mode 100644
index 000000000..47731da84
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-logfiles.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-open-folder.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-open-folder.png
new file mode 100644
index 000000000..3ae406ad2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/logging/logging-open-folder.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-add-account.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-add-account.png
new file mode 100644
index 000000000..64b46fd13
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-add-account.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-locally.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-locally.png
new file mode 100644
index 000000000..9e4ccc9f4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-locally.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-switch-accounts.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-switch-accounts.png
new file mode 100644
index 000000000..c6385e7fd
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/multiple-accounts/multiple-accounts-switch-accounts.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-accept-access.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-accept-access.png
new file mode 100644
index 000000000..72d6a5034
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-accept-access.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-advanced-configuration.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-advanced-configuration.png
new file mode 100644
index 000000000..c3da82191
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-advanced-configuration.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-all-set.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-all-set.png
new file mode 100644
index 000000000..296c632fc
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-all-set.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-enter-url.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-enter-url.png
new file mode 100644
index 000000000..2caf368ea
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-enter-url.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-login.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-login.png
new file mode 100644
index 000000000..17be764d5
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-login.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-user-password.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-user-password.png
new file mode 100644
index 000000000..8122b278c
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/set-up-user-password.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/windows/set-up-advanced-configuration.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/windows/set-up-advanced-configuration.png
new file mode 100644
index 000000000..5ca66f4fc
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/windows/set-up-advanced-configuration.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/windows/set-up-all-set.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/windows/set-up-all-set.png
new file mode 100644
index 000000000..1a139f8bb
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/set-up/windows/set-up-all-set.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-advanced.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-advanced.png
new file mode 100644
index 000000000..5a1bc2479
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-advanced.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-bandwidth.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-bandwidth.png
new file mode 100644
index 000000000..607b8f7d8
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-bandwidth.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-general.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-general.png
new file mode 100644
index 000000000..c414893f2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-general.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-network.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-network.png
new file mode 100644
index 000000000..531ddb4b5
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-network.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-overview.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-overview.png
new file mode 100644
index 000000000..589974594
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/settings-overview.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/windows/settings-general.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/windows/settings-general.png
new file mode 100644
index 000000000..88049dbf4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/settings/windows/settings-general.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-choose-what-to-sync.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-choose-what-to-sync.png
new file mode 100644
index 000000000..5ef70a994
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-choose-what-to-sync.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-menu.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-menu.png
new file mode 100644
index 000000000..fedf5ca6e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-menu.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-three-dot.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-three-dot.png
new file mode 100644
index 000000000..14b38e296
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/sync-settings/sync-settings-three-dot.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/uninstall/uninstall-manage-account.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/uninstall/uninstall-manage-account.png
new file mode 100644
index 000000000..f94c6edfa
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/uninstall/uninstall-manage-account.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/uninstall/uninstall-remove.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/uninstall/uninstall-remove.png
new file mode 100644
index 000000000..b9310b151
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/uninstall/uninstall-remove.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/always-keep-on-this-device.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/always-keep-on-this-device.png
new file mode 100644
index 000000000..b4172d487
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/always-keep-on-this-device.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/free-up-space.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/free-up-space.png
new file mode 100644
index 000000000..68bab6b7a
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/free-up-space.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/full-pinned.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/full-pinned.png
new file mode 100644
index 000000000..398b77906
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/full-pinned.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/full.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/full.png
new file mode 100644
index 000000000..2bca9d9ad
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/full.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/placeholder.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/placeholder.png
new file mode 100644
index 000000000..c3db85f28
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/img/vfs/placeholder.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/index.md
new file mode 100644
index 000000000..966abf9b7
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/index.md
@@ -0,0 +1,25 @@
+---
+sidebar_position: 0
+id: desktop-client-overview
+title: OpenCloud Desktop Client
+---
+
+# OpenCloud Desktop Client
+
+Der OpenCloud Desktop Client synchronisiert Dateien zwischen Ihrem Computer und OpenCloud. Er ist für Windows, macOS
+und Linux verfügbar und bietet Offline-Zugriff, automatische Synchronisierung und eine einheitliche Arbeitsweise mit
+lokalen Dateien.
+
+## In diesem Abschnitt
+
+- [Windows](./windows/installation.md)
+ Installieren, einrichten und konfigurieren Sie den Desktop Client unter Windows.
+
+- [macOS](./macos/installation.md)
+ Installieren, einrichten und konfigurieren Sie den Desktop Client unter macOS.
+
+- [Linux](./linux/installation.md)
+ Installieren, einrichten und konfigurieren Sie den Desktop Client unter Linux.
+
+- [Gemeinsame Funktionen](./common-functionality/multiple-accounts.md)
+ Erfahren Sie mehr über gemeinsame Funktionen wie mehrere Konten, Dateinamenregeln, Konfliktbehandlung und Logging.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/installation.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/installation.md
new file mode 100644
index 000000000..a385b0388
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/installation.md 
@@ -0,0 +1,68 @@
+---
+sidebar_position: 1
+id: installation
+title: Installation
+description: Install OpenCloud Desktop Client on Linux
+draft: false
+---
+
+# Installation on Linux (AppImage with AppImageLauncher)
+
+The OpenCloud Desktop Client is available as an AppImage for Linux.
+Using AppImageLauncher is recommended to ensure proper system integration, menu entries, and simplified updates.
+
+## Install AppImageLauncher
+
+AppImageLauncher integrates AppImages into your system and manages them like regular applications.
+
+Follow the installation instructions here:
+
+[AppImageLauncher Installation Guide](https://github.com/TheAssassin/AppImageLauncher/releases/tag/v3.0.0-beta-3)
+lation
+
+## Download the OpenCloud AppImage
+
+Download the latest or desired `.AppImage` version from the official release page:
+
+- [OpenCloud Desktop Releases on GitHub](https://github.com/opencloud-eu/desktop/releases)
+
+Save the file to your preferred download directory.
+
+## Integrate the AppImage
+
+Once AppImageLauncher is installed:
+
+1. Right-click the downloaded `OpenCloud.AppImage`.
+2. Select “Open with AppImageLauncher”.
+3. Confirm integration when prompted.
+
+AppImageLauncher will automatically:
+
+- store the AppImage in the correct location
+- register a menu entry
+- ensure the app behaves like a native application
+
+## Launching OpenCloud Desktop
+
+After integration, you can start the client as usual through your application menu:
+
+- open your Application Launcher
+- search for OpenCloud Desktop
+- start the application
+
+The client will guide you through the initial setup.
+
+## Updating the AppImage
+
+When a new version is available, download the updated AppImage from GitHub.
+AppImageLauncher will detect it and offer to replace the existing version automatically.
+
+## Uninstallation
+
+To remove the OpenCloud Desktop Client:
+
+1. Open your application menu.
+2. Search for OpenCloud Desktop
+3. 
Select the option to remove or uninstall the AppImage (menu wording may vary depending on distribution and launcher).
+
+AppImageLauncher will cleanly remove the integrated AppImage.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/set-up.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/set-up.md
new file mode 100644
index 000000000..6acc84662
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/set-up.md
@@ -0,0 +1,55 @@
+---
+sidebar_position: 2
+id: set-up
+title: OpenCloud Desktop einrichten
+description: Einrichtung Ihres OpenCloud Desktop
+draft: false
+---
+
+# OpenCloud Desktop einrichten
+
+Folgen Sie diesen einfachen Schritten, um Ihren OpenCloud Desktop zu installieren, zu konfigurieren und Ihre Dateien mühelos zu synchronisieren.
+
+## Server-URL eingeben
+
+- Öffnen Sie Ihren OpenCloud Desktop
+- Geben Sie die URL Ihrer OpenCloud-Instanz ein
+- Klicken Sie auf **„Weiter“**
+
+ URL eingeben
+
+## Anmeldung über den Webbrowser
+
+- Klicken Sie auf „Webbrowser öffnen“, um sich automatisch anzumelden
+- Alternativ können Sie die angezeigte URL kopieren und manuell in Ihren Browser einfügen
+
+ Browser öffnen zur Anmeldung
+
+## Zugangsdaten eingeben
+
+- Geben Sie Ihren Benutzernamen und Ihr Passwort ein
+- Klicken Sie auf „Login“
+
+ Zugangsdaten eingeben
+
+## Zugriff gewähren
+
+- Bestätigen Sie die Zugriffsanfrage, um Ihr Konto mit OpenCloud Desktop zu verknüpfen.
+
+ Zugriff gewähren
+
+## Einrichtung abschließen
+
+## Optionale erweiterte Konfiguration
+
+- Wählen Sie aus, ob alle Dateien synchronisiert werden sollen oder nur bestimmte Ordner (dies kann später angepasst werden).
+- Ändern Sie den lokalen Download-Ordner, in dem Ihre Dateien gespeichert werden.
+
+ Erweiterte Konfiguration
+
+Wenn alles bereit ist, klicken Sie auf „Fertig“, um die Einrichtung abzuschließen.
+
+Einrichtung abgeschlossen
+
+Der OpenCloud Desktop ist nun erfolgreich eingerichtet.
+Sie können jetzt Ihre Dateien nahtlos zwischen Ihrem Gerät und dem OpenCloud-Server synchronisieren!
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/settings.md
new file mode 100644
index 000000000..13dc09c69
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/settings.md
@@ -0,0 +1,53 @@
+---
+sidebar_position: 3
+id: settings
+title: Einstellungen in Linux
+description: Einstellungen in OpenCloud Desktop für Linux
+draft: false
+---
+
+# Einstellungen in OpenCloud Desktop ändern
+
+Sie können die Einstellungen des OpenCloud Desktop mit den folgenden Schritten anpassen:
+
+## Einstellungen öffnen
+
+- Klicken Sie auf "Einstellungen“ in der oberen rechten Ecke von OpenCloud Desktop
+
+settings overview
+
+## Übersicht der Einstellungen
+
+### Allgemeine Einstellungen
+
+- Aktivieren oder Deaktivieren des automatischen Starts bei der Anmeldung
+- Legen Sie Ihre bevorzugte Sprache fest
+
+ settings-general
+
+### Erweiterte Einstellungen
+
+- Versteckte Dateien synchronisieren
+- Entscheiden Sie, ob gelöschte Dateien in den lokalen Papierkorb verschoben werden sollen
+- Bearbeiten Sie die Liste der ignorierten Dateien
+- Aktivieren Sie eine Debug-Protokolldatei für die Fehlersuche
+
+ settings advanced
+
+### Netzwerkeinstellungen
+
+- Wählen Sie aus, wie der Client mit Proxy-Einstellungen umgehen soll:
+ - Kein Proxy
+ - Systemproxy verwenden (Standard)
+ - Manuelles Eingeben eines Proxys
+
+ settings network
+
+ ### Download- und Upload-Bandbreite
+
+- Legen Sie Bandbreitenlimits fest:
+ - Kein Limit (Standard)
+ - Automatische Anpassung des Limits
+ - Ein bestimmtes Limit manuell einstellen
+
+ settings bandwith
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/sync-settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/sync-settings.md
new file mode 100644
index 000000000..2cd30a2d6
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/linux/sync-settings.md
@@ -0,0 +1,57 @@ +--- +sidebar_position: 3 +id: sync-settings-linux +title: Synchronisationseinstellungen unter Linux +description: Synchronisationseinstellungen unter Linux +draft: false +--- + +# Linux: Synchronisationseinstellungen + +Auf Linux werden die Dateien auf Ihr System heruntergeladen. Über den OpenCloud Desktop Client können Sie festlegen, was synchronisiert werden soll und wie oft. + +## Zugriff auf die Synchronisationseinstellungen + +1. Öffnen Sie den OpenCloud Desktop Client. +2. Gehen Sie zur Account-Ansicht. +3. Klicken Sie auf das Drei-Punkte-Menü (...) neben dem Space, den Sie konfigurieren möchten. + +Account-Spaces-Menü + +## Synchronisationsoptionen + +Synchronisationsoptionen-Menü + +### In Linux Dateimanager anzeigen + +- Öffnet den Space im Dateimanager Ihrer Linux-Desktopumgebung. + +### Im Webbrowser anzeigen + +- Öffnet den Space in Ihrem Webbrowser. +- Eine Anmeldung kann erforderlich sein, falls Sie noch nicht eingeloggt sind. + +### Jetzt synchronisieren + +- Löst eine sofortige manuelle Synchronisation aus. + +### Synchronisation pausieren + +- Stoppt die Synchronisation vorübergehend. +- Kann jederzeit über Synchronisation fortsetzen wieder aktiviert werden. + +### Synchronisationsverbindung entfernen + +- Beendet die Synchronisation des Spaces, löscht jedoch nicht die lokalen Dateien. +- Der Space bleibt auf dem Server erhalten. + +### Auswahl der zu synchronisierenden Dateien + +- Wählen Sie bestimmte Ordner aus, die lokal synchronisiert werden sollen. +- Spart Speicherplatz, indem nur die benötigten Dateien synchronisiert werden. + +Zu synchronisierende Dateien auswählen + +:::note +Dateien und Ordner, die nicht zur Synchronisation ausgewählt wurden, sind lokal nicht verfügbar. +::: diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/installation.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/installation.md new file mode 100644 index 000000000..007925851 
--- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/installation.md 
@@ -0,0 +1,63 @@ +--- +sidebar_position: 1 +id: installation +title: Installation +description: OpenCloud Client installieren +draft: false +--- + +# Installation auf macOS (.pkg-Datei) + +Der OpenCloud Desktop Client wird als signierte `.pkg`-Installer-Datei für macOS bereitgestellt. +Diese Installationsmethode integriert die Anwendung sauber ins System und folgt dem Standard-Installationsprozess von macOS. + +## Installer herunterladen + +Laden Sie die neueste oder gewünschte `.pkg`-Datei von der offiziellen Release-Seite herunter: + +- [OpenCloud Desktop Releases auf GitHub](https://github.com/opencloud-eu/desktop/releases) + +Speichern Sie die Datei in Ihrem Downloads-Ordner. + +## Installer ausführen + +1. Doppelklicken Sie auf die heruntergeladene `.pkg`-Datei. +2. Der macOS-Installer öffnet sich automatisch. +3. Folgen Sie den Anweisungen auf dem Bildschirm, um die Installation abzuschließen. + +Der Installer legt OpenCloud Desktop im Applications-Ordner ab. + +## Anwendung starten + +Nach der Installation können Sie OpenCloud Desktop starten über: + +- den Applications-Ordner +- Launchpad +- oder über Spotlight (drücken Sie `Cmd + Leertaste` und suchen Sie nach „OpenCloud Desktop“) + +## Erster Start + +Beim ersten Start führt der Client Sie durch: + +- die Anmeldung mit Ihrem OpenCloud-Konto +- die Auswahl der Synchronisationseinstellungen +- die Konfiguration grundlegender Optionen + +Die Anwendung ist nun einsatzbereit auf macOS. + +## Deinstallation + +Um den OpenCloud Desktop Client vom System zu entfernen: + +1. Öffnen Sie den Applications-Ordner. +2. Suchen Sie nach OpenCloud Desktop.app. +3. Ziehen Sie die Anwendung in den Papierkorb oder klicken Sie mit der rechten Maustaste und wählen Sie In den Papierkorb legen. +4. Leeren Sie den Papierkorb, um die Deinstallation abzuschließen. 
+ +Optionale Konfigurationsdateien können im Benutzerverzeichnis verbleiben: + +- `~/Library/Application Support/OpenCloud/` +- `~/Library/Preferences/eu.opencloud.desktop.plist` +- `~/Library/Logs/OpenCloud/` + +Diese Dateien können manuell gelöscht werden, wenn eine vollständige Bereinigung gewünscht ist. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/set-up.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/set-up.md new file mode 100644 index 000000000..36bd8c140 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/set-up.md 
@@ -0,0 +1,55 @@ +--- +sidebar_position: 2 +id: set-up +title: OpenCloud Desktop einrichten +description: Einrichtung Ihres OpenCloud Desktop +draft: false +--- + +# OpenCloud Desktop einrichten + +Folgen Sie diesen einfachen Schritten, um Ihren OpenCloud Desktop zu installieren, zu konfigurieren und Ihre Dateien mühelos zu synchronisieren. + +## Server-URL eingeben + +- Öffnen Sie Ihren OpenCloud Desktop +- Geben Sie die URL Ihrer OpenCloud-Instanz ein +- Klicken Sie auf „Weiter“ + + URL eingeben + +## Anmeldung über den Webbrowser + +- Klicken Sie auf „Webbrowser öffnen“, um sich automatisch anzumelden +- Alternativ können Sie die angezeigte URL kopieren und manuell in Ihren Browser einfügen + + Browser öffnen zur Anmeldung + +## Zugangsdaten eingeben + +- Geben Sie Ihren Benutzernamen und Ihr Passwort ein +- Klicken Sie auf **„Login“** + + Zugangsdaten eingeben + +## Zugriff gewähren + +- Bestätigen Sie die Zugriffsanfrage, um Ihr Konto mit dem OpenCloud Desktop zu verknüpfen. + + Zugriff gewähren + +## Einrichtung abschließen + +## Optionale erweiterte Konfiguration + +- Wählen Sie aus, ob alle Dateien synchronisiert werden sollen oder nur bestimmte Ordner (dies kann später angepasst werden). +- Ändern Sie den lokalen Download-Ordner, in dem Ihre Dateien gespeichert werden. + + Erweiterte Konfiguration + +Wenn alles bereit ist, klicken Sie auf „Fertig“, um die Einrichtung abzuschließen. + +Einrichtung abgeschlossen + +Der OpenCloud Desktop ist nun erfolgreich eingerichtet. +Sie können jetzt nahtlos Ihre Dateien zwischen Ihrem Gerät und dem OpenCloud-Server synchronisieren! diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/settings.md new file mode 100644 index 000000000..0904ac047 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/settings.md 
@@ -0,0 +1,53 @@ +--- +sidebar_position: 3 +id: settings +title: Einstellungen in macOS +description: Einstellungen in OpenCloud Desktop für macOS +draft: false +--- + +# Einstellungen in OpenCloud Desktop ändern + +Sie können die Einstellungen des OpenCloud Desktop mit den folgenden Schritten anpassen: + +## Einstellungen öffnen + +- Klicken Sie auf "Einstellungen“ in der oberen rechten Ecke von OpenCloud Desktop + +settings overview + +## Übersicht der Einstellungen + +### Allgemeine Einstellungen + +- Aktivieren oder Deaktivieren des automatischen Starts bei der Anmeldung +- Legen Sie Ihre bevorzugte Sprache fest + + settings-general + +### Erweiterte Einstellungen + +- Versteckte Dateien synchronisieren +- Entscheiden Sie, ob gelöschte Dateien in den lokalen Papierkorb verschoben werden sollen +- Bearbeiten Sie die Liste der ignorierten Dateien +- Aktivieren Sie eine Debug-Protokolldatei für die Fehlersuche + + settings advanced + +### Netzwerkeinstellungen + +- Wählen Sie aus, wie der Client mit Proxy-Einstellungen umgehen soll: + - Kein Proxy + - Systemproxy verwenden (Standard) + - Manuelles Eingeben eines Proxys + + settings network + + ### Download- und Upload-Bandbreite + +- Legen Sie Bandbreitenlimits fest: + - Kein Limit (Standard) + - Automatische Anpassung des Limits + - Ein bestimmtes Limit manuell einstellen + + settings bandwith diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/sync-settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/sync-settings.md new file mode 100644 index 000000000..50e028599 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/macos/sync-settings.md 
@@ -0,0 +1,57 @@ +--- +sidebar_position: 3 +id: sync-settings-mac +title: Synchronisationseinstellungen unter macOS +description: Synchronisationseinstellungen unter macOS +draft: false +--- + +# macOS: Synchronisationseinstellungen + +Auf macOS werden die Dateien auf Ihr System heruntergeladen. Über den OpenCloud Desktop Client können Sie festlegen, was synchronisiert werden soll und wie oft. + +## Zugriff auf die Synchronisationseinstellungen + +1. Öffnen Sie den OpenCloud Desktop Client. +2. Gehen Sie zur Account-Ansicht. +3. Klicken Sie auf das Drei-Punkte-Menü neben dem Space, den Sie konfigurieren möchten. + +Account-Spaces-Menü + +## Synchronisationsoptionen + +Synchronisationsoptionen-Menü + +### In Finder anzeigen + +- Öffnet den Space im Finder. + +### Im Webbrowser anzeigen + +- Öffnet den Space in Ihrem Webbrowser. +- Eine Anmeldung kann erforderlich sein, falls Sie noch nicht eingeloggt sind. + +### Jetzt synchronisieren + +- Löst eine sofortige manuelle Synchronisation aus. + +### Synchronisation pausieren + +- Stoppt die Synchronisation vorübergehend. +- Kann jederzeit über Synchronisation fortsetzen wieder aktiviert werden. + +### Synchronisationsverbindung entfernen + +- Beendet die Synchronisation des Spaces, löscht jedoch nicht die lokalen Dateien. +- Der Space bleibt auf dem Server erhalten. + +### Auswahl der zu synchronisierenden Dateien + +- Wählen Sie bestimmte Ordner aus, die lokal synchronisiert werden sollen. +- Spart Speicherplatz, indem nur die benötigten Dateien synchronisiert werden. + +Zu synchronisierende Dateien auswählen + +:::note +Dateien und Ordner, die nicht zur Synchronisation ausgewählt wurden, sind lokal nicht verfügbar. +::: diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/settings.md new file mode 100644 index 000000000..de491308f --- /dev/null 
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/settings.md @@ -0,0 +1,58 @@ +--- +sidebar_position: 3 +id: settings +title: Einstellungen +description: Ändern der Einstellungen in OpenCloud Desktop +draft: false +--- + +# Einstellungen in OpenCloud Desktop ändern + +Sie können die Einstellungen des OpenCloud Desktop mit den folgenden Schritten anpassen: + +## Einstellungen öffnen + +- Klicken Sie auf "Einstellungen“ in der oberen rechten Ecke von OpenCloud Desktop + +settings overview + +## Übersicht der Einstellungen + +### Allgemeine Einstellungen + +- Aktivieren oder Deaktivieren des automatischen Starts bei der Anmeldung +- Wählen Sie, ob Desktop-Benachrichtigungen angezeigt werden sollen +- Legen Sie Ihre bevorzugte Sprache fest + + settings-general + +### Erweiterte Einstellungen + +- Versteckte Dateien synchronisieren +- Entscheiden Sie, ob gelöschte Dateien in den lokalen Papierkorb verschoben werden sollen +- Bearbeiten Sie die Liste der ignorierten Dateien +- Aktivieren Sie eine Debug-Protokolldatei für die Fehlersuche + + settings advanced + +### Netzwerkeinstellungen + +- Wählen Sie aus, wie der Client mit Proxy-Einstellungen umgehen soll: + - Kein Proxy + - Systemproxy verwenden (Standard) + - Manuelles Eingeben eines Proxys + + settings network + + ### Download- und Upload-Bandbreite + +- Legen Sie Bandbreitenlimits fest: + - Kein Limit (Standard) + - Automatische Anpassung des Limits + - Ein bestimmtes Limit manuell einstellen + + settings bandwith + +:::note +Indem Sie diese Einstellungen anpassen, können Sie OpenCloud Desktop nach Ihren Bedürfnissen optimieren! +::: diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/installation.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/installation.md new file mode 100644 index 000000000..151074b9c --- /dev/null 
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/installation.md 
@@ -0,0 +1,57 @@ +--- +sidebar_position: 1 +id: installation +title: Installation +description: Installiere den OpenCloud Client +draft: false +--- + +# Installation unter Windows + +Der OpenCloud Desktop Client für Windows ist über den Microsoft Store verfügbar. +Die Installation über den Store sorgt für einen einfachen Installationsprozess, automatische Updates und eine nahtlose Integration in Windows. + +## Microsoft Store öffnen + +Öffne den Microsoft Store auf deinem Windows-Gerät und suche nach OpenCloud Desktop, +oder klicke auf den untenstehenden Button, um direkt zur App-Seite zu gelangen: + + + Download from Microsoft Store + + +## „Installieren“ klicken + +Klicke auf der App-Seite auf Installieren, um den OpenCloud Desktop Client herunterzuladen und zu installieren. + +Der Microsoft Store übernimmt die Installation automatisch und legt die Anwendung an der richtigen Stelle im System ab. + +## Anwendung starten + +Nach Abschluss der Installation kannst du den Client über das Startmenü öffnen, indem du nach OpenCloud Desktop suchst. +Die Anwendung führt dich durch die erste Einrichtung, einschließlich der Anmeldung mit deinem Konto. + +## Automatische Updates + +Der Microsoft Store hält den OpenCloud Desktop Client automatisch auf dem neuesten Stand. +Updates werden im Hintergrund installiert und erfordern keine manuellen Schritte. + +Dies stellt sicher, dass: + +- immer die neuesten Funktionen verfügbar sind +- Sicherheitsverbesserungen zeitnah angewendet werden +- volle Kompatibilität mit aktuellen Windows-Versionen gewährleistet ist + +:::note +Die Installation über den Microsoft Store sorgt für automatische Updates, eine bessere Systemintegration und reduziert den Bedarf an manueller Wartung. +::: + +## Deinstallation (optional) + +Falls du den Client deinstallieren möchtest: + +1. Öffne das Startmenü. +2. Suche nach OpenCloud Desktop. +3. Klicke mit der rechten Maustaste auf die Anwendung und wähle Deinstallieren. 
+ +Windows entfernt den Client und dessen Komponenten sauber über diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/set-up.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/set-up.md new file mode 100644 index 000000000..dd44b11d3 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/set-up.md 
@@ -0,0 +1,55 @@ +--- +sidebar_position: 2 +id: set-up +title: OpenCloud Desktop einrichten +description: Einrichtung Ihres OpenCloud Desktop +draft: false +--- + +# OpenCloud Desktop einrichten + +Folgen Sie diesen einfachen Schritten, um Ihren OpenCloud Desktop zu installieren und zu konfigurieren und Ihre Dateien mühelos zu synchronisieren. + +## Server-URL eingeben + +- Öffnen Sie Ihren OpenCloud Desktop +- Geben Sie die URL Ihrer OpenCloud-Instanz ein +- Klicken Sie auf „Weiter“ + + URL eingeben + +## Anmeldung über den Webbrowser + +- Klicken Sie auf „Webbrowser öffnen“, um sich automatisch anzumelden +- Alternativ können Sie die angezeigte URL kopieren und manuell in Ihren Browser einfügen + + Browser öffnen zur Anmeldung + +## Zugangsdaten eingeben + +- Geben Sie Ihren Benutzernamen und Ihr Passwort ein +- Klicken Sie auf „Login“ + + Zugangsdaten eingeben + +## Zugriff gewähren + +- Bestätigen Sie die Zugriffsanfrage, um Ihr Konto mit dem OpenCloud Desktop zu verknüpfen. + + Zugriff gewähren + +## Einrichtung abschließen + +## Optionale erweiterte Konfiguration + +- Wählen Sie aus, ob alle vorhandenen Spaces synchronisiert werden sollen oder ob die Synchronisation manuell eingerichtet werden soll. +- Ändern Sie den lokalen Download-Ordner, in dem Ihre Dateien gespeichert werden. + + Erweiterte Konfiguration + +Wenn alles bereit ist, klicken Sie auf „Fertig“, um die Einrichtung abzuschließen. + +Einrichtung abgeschlossen + +Der OpenCloud Desktop wurde erfolgreich eingerichtet. +Sie können nun direkt damit beginnen, Ihre Dateien nahtlos zwischen Ihrem Gerät und dem OpenCloud-Server zu synchronisieren! diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/settings.md new file mode 100644 index 000000000..0b6cc6252 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/settings.md 
@@ -0,0 +1,52 @@ +--- +sidebar_position: 3 +id: settings +title: Einstellungen in Windows +description: Einstellungen in OpenCloud Desktop für Windows +draft: false +--- + +# Einstellungen in OpenCloud Desktop ändern + +Sie können die Einstellungen des OpenCloud Desktop mit den folgenden Schritten anpassen: + +## Einstellungen öffnen + +- Klicken Sie auf "Einstellungen“ in der oberen rechten Ecke von OpenCloud Desktop + +settings overview + +## Übersicht der Einstellungen + +### Allgemeine Einstellungen + +- Legen Sie Ihre bevorzugte Sprache fest + + settings-general + +### Erweiterte Einstellungen + +- Versteckte Dateien synchronisieren +- Entscheiden Sie, ob gelöschte Dateien in den lokalen Papierkorb verschoben werden sollen +- Bearbeiten Sie die Liste der ignorierten Dateien +- Aktivieren Sie eine Debug-Protokolldatei für die Fehlersuche + + settings advanced + +### Netzwerkeinstellungen + +- Wählen Sie aus, wie der Client mit Proxy-Einstellungen umgehen soll: + - Kein Proxy + - Systemproxy verwenden (Standard) + - Manuelles Eingeben eines Proxys + + settings network + + ### Download- und Upload-Bandbreite + +- Legen Sie Bandbreitenlimits fest: + - Kein Limit (Standard) + - Automatische Anpassung des Limits + - Ein bestimmtes Limit manuell einstellen + + settings bandwith diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/sync-settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/sync-settings.md new file mode 100644 index 000000000..4dff2e36e --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/desktop-client/windows/sync-settings.md 
@@ -0,0 +1,65 @@
+---
+sidebar_position: 4
+id: sync-settings-win
+title: Synchronisationseinstellungen unter Windows
+description: Synchronisationseinstellungen unter Windows
+draft: false
+---
+
+# Windows: Synchronisationseinstellungen
+
+Der OpenCloud Desktop Client nutzt das Windows Virtual File System (VFS), um Ihre Cloud-Daten direkt in den Windows-Dateiexplorer zu integrieren.
+Dateien und Ordner werden angezeigt, ohne dass sie vollständig heruntergeladen werden müssen – das spart lokalen Speicherplatz.
+
+## Status der Datei
+
+Dateien und Ordner können verschiedene Stati haben, je nachdem, ob sie lokal gespeichert oder nur online verfügbar sind.
+
+### Immer auf diesem Gerät verfügbar (full pinned)
+
+- Lokal gespeichert und jederzeit offline zugänglich.
+- Windows entfernt diese Datei nicht automatisch.
+
+Symbol vollständig angeheftet
+
+### Auf diesem Gerät verfügbar (full)
+
+- Heruntergeladen und offline verfügbar.
+- Kann von Windows entfernt werden, wenn Speicherplatz benötigt wird.
+- Neu erstellte oder hinzugefügte Dateien erhalten automatisch diesen Status.
+
+Symbol vollständig
+
+### Online verfügbar (placeholder)
+
+- Wird im Datei-Explorer angezeigt, befindet sich jedoch nur in der Cloud.
+- Wird beim Öffnen automatisch heruntergeladen; Internetverbindung erforderlich.
+
+Symbol Platzhalter
+
+## Elemente offline verfügbar machen
+
+Um eine Datei, einen Ordner oder einen Space lokal zu speichern:
+
+1. Klicken Sie im Datei-Explorer mit der rechten Maustaste auf das Element.
+2. Wählen Sie „Immer auf diesem Gerät beibehalten“.
+
+Auswahl: Immer auf diesem Gerät behalten
+
+## Speicherplatz freigeben
+
+Um lokale Kopien zu entfernen, während die Elemente weiterhin im Datei-Explorer sichtbar bleiben:
+
+1. Klicken Sie mit der rechten Maustaste auf das Element.
+2. Wählen Sie „Speicherplatz freigeben“.
+
+Auswahl: Speicherplatz freigeben
+
+## Zugriff auf Dateien
+
+- Online-only Dateien werden automatisch heruntergeladen, sobald Sie sie öffnen.
+- Änderungen werden zurück zu OpenCloud synchronisiert.
+
+:::note
+Für Dateien, die nur online verfügbar sind, ist eine Internetverbindung erforderlich.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/_category_.json
new file mode 100644
index 000000000..5ff00c3b9
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Dateien und Ordner verwalten",
+ "position": 3,
+ "link": {
+ "type": "doc",
+ "id": "files-and-folders-overview"
+ }
+}
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/activity.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/activity.md
new file mode 100644
index 000000000..4adcd4fa0
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/activity.md
@@ -0,0 +1,31 @@
+---
+sidebar_position: 8
+id: activities
+title: Aktivitäten
+description: Aktivitäten einer Datei oder eines Ordners in OpenCloud anzeigen
+draft: false
+---
+
+# Aktivitäten einer Datei oder eines Ordners anzeigen
+
+Um herauszufinden, wer eine Datei oder einen Ordner bearbeitet hat und welche Aktionen ausgeführt wurden, gehen Sie wie folgt vor:
+
+## Aktivitäten anzeigen
+
+- Details öffnen
+ - Klicken Sie mit der rechten Maustaste auf die Datei oder den Ordner oder klicken Sie auf die drei Punkte in der entsprechenden Zeile.
+ - Wählen Sie im Kontextmenü "Details“ aus.
+
+ Details auswählen im Kontextmenü
+
+- Wählen Sie Aktivitäten
+ - In der rechten Seitenleiste öffnet sich ein Fenster. Wählen Sie dort "Aktivitäten“ aus.
+ Aktivitäten auswählen
+
+- Aktivitäten anzeigen
+ - Alle Aktivitäten, die mit dieser Datei oder diesem Ordner durchgeführt wurden, werden jetzt angezeigt.
+ Aktivitäten anzeigen
+
+:::info
+So können Sie alle Änderungen und Aktionen nachverfolgen.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/create-rename-move.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/create-rename-move.md
new file mode 100644
index 000000000..91fed2d24
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/create-rename-move.md
@@ -0,0 +1,68 @@ +--- +sidebar_position: 1 +id: create-rename-move +title: Erstellen - Umbenennen - Verschieben +description: Erstellen - Umbenennen - Verschieben +draft: false +--- + +# Erstellen - Umbenennen - Verschieben + +In OpenCloud können Sie ganz einfach neue Text-, Tabellen- und Präsentationsdateien in der Weboberfläche erstellen. Sie können Dateien und Ordner außerdem umbenennen oder an einen anderen Speicherort verschieben. + +## Dateien und Ordner erstellen + +- Öffnen Sie das Menü „+ Neu“ in der linken Seitenleiste. + Neue Schaltfläche +- Wählen Sie entweder „Ordner“ oder den gewünschten Dateityp aus. + Dateityp oder Ordner auswählen +- Geben Sie im angezeigten Fenster einen Namen für die Datei oder den Ordner ein. +- Klicken Sie auf „Erstellen“. + + Auf Erstellen klicken + +Fertig. Die Datei oder der Ordner wurde erstellt. Wenn es sich um eine Datei handelt, wird sie automatisch im Bearbeitungsmodus geöffnet. + +## Dateien oder Ordner umbenennen + +- Öffnen Sie das Kontextmenü auf eine der folgenden Arten: + - Klicken Sie mit der rechten Maustaste auf die Datei oder den Ordner + - Oder klicken Sie auf die drei Punkte rechts in der entsprechenden Zeile +- Wählen Sie die Option „Umbenennen“. + + Umbenennen auswählen + +- Geben Sie den neuen Namen für die Datei oder den Ordner in das angezeigte Fenster ein. +- Bestätigen Sie mit „Umbenennen“. + + Neuen Namen eingeben + +Fertig. Der neue Name wurde übernommen. + +## Dateien oder Ordner verschieben + +- Treffen Sie zuerst eine Auswahl: + - Wählen Sie die Datei(en) oder Ordner aus, die Sie verschieben möchten. + + Dateien oder Ordner auswählen + + - Öffnen Sie das Kontextmenü: + - Klicken Sie mit der rechten Maustaste auf die Datei oder den Ordner + - Oder klicken Sie auf die drei Punkte in der entsprechenden Zeile + - Wählen Sie die Option „Ausschneiden“ aus dem Menü. + + Ausschneiden per Rechtsklick + + Alternativ können Sie die Funktion „Ausschneiden“ in der Aktionsleiste oben verwenden. 
+ + Ausschneiden in der Aktionsleiste + +- Wählen Sie das Ziel aus: + - Navigieren Sie zu dem Ordner oder Speicherort, an den die Datei oder der Ordner verschoben werden soll. + - Klicken Sie in der Aktionsleiste auf „Hier einfügen“. + + Hier einfügen + + Eingefügte Datei + +Die Datei oder der Ordner befindet sich jetzt am neuen Speicherort und nicht mehr am ursprünglichen Speicherort. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/delete-restore.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/delete-restore.md new file mode 100644 index 000000000..2d322348a --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/delete-restore.md 
@@ -0,0 +1,51 @@
+---
+sidebar_position: 3
+id: delete-restore
+title: Löschen - Wiederherstellen
+description: Löschen - Wiederherstellen
+draft: false
+---
+
+# Löschen - Wiederherstellen
+
+## Dateien und Ordner löschen
+
+- Wählen Sie die Datei(en) oder Ordner aus, die Sie löschen möchten.
+
+ Dateien oder Ordner auswählen
+
+- Öffnen Sie das Kontextmenü und wählen Sie "Löschen“.
+
+ Löschen auswählen
+
+:::info
+Alternativ können Sie auch auf "Löschen“ in der Aktionsleiste klicken.
+:::
+
+- Die Dateien oder Ordner werden in den Bereich "Gelöschte Dateien“ verschoben. Sie können bei Bedarf von dort wiederhergestellt werden.
+
+ Dateien und Ordner in den gelöschten Dateien
+
+## Dateien und Ordner wiederherstellen
+
+- Klicken Sie in der linken Seitenleiste auf „Gelöschte Dateien“.
+- Dateien aus Ihrem persönlichen Bereich finden Sie unter "Persönlich“.
+- Dateien aus anderen Spaces, zum Beispiel "Platform Team“, finden Sie in den jeweiligen Spaces.
+
+ Struktur in den gelöschten Dateien
+
+- Klicken Sie auf die Datei(en) oder Ordner, die Sie wiederherstellen möchten.
+
+ Dateien oder Ordner zum Wiederherstellen auswählen
+
+- Klicken Sie mit der rechten Maustaste auf die Auswahl oder klicken Sie auf die drei Punkte daneben und wählen sie "Wiederherstellen"
+
+ Drei-Punkte-Menü in den gelöschten Dateien
+
+:::info
+Alternativ können Sie auch auf "Wiederherstellen“ in der Aktionsleiste klicken.
+:::
+
+:::note
+Die Dateien oder Ordner werden an ihren ursprünglichen Speicherort wiederhergestellt.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/favorites.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/favorites.md
new file mode 100644
index 000000000..0e772594b
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/favorites.md
@@ -0,0 +1,41 @@
+---
+sidebar_position: 7
+id: favorites
+title: Favoriten
+description: Häufig verwendete Dateien für den schnellen Zugriff markieren
+draft: false
+---
+
+# Favoriten
+
+Mit OpenCloud 6.0.0 können Sie häufig verwendete Dateien und Ordner als Favoriten markieren, damit Sie schneller darauf zugreifen können. Die Funktion ist im Web-Client verfügbar.
+
+Favoriten werden serverseitig gespeichert, auf einer eigenen Favoriten-Seite angezeigt und sind auch in Suchergebnissen und Dateilisten sichtbar. Die Funktion funktioniert in persönlichen und Projekt-Spaces, einschließlich Unterordnern.
+
+## Ein Element als Favorit markieren
+
+- Öffnen Sie das Kontextmenü für eine Datei oder einen Ordner.
+ Kontextmenü mit Favoriten-Aktion
+
+- Wählen Sie im Kontextmenü oder in den Batch-Aktionen „Zu Favoriten hinzufügen“.
+
+- Das Element wird sofort zu Ihren Favoriten hinzugefügt.
+
+## Favoriten öffnen
+
+- Öffnen Sie „Favoriten“ in der linken Seitenleiste des Web-Clients.
+ Favoriten-Seite mit mehreren persönlichen Dateien
+
+- Die Favoriten-Seite zeigt die Elemente aus dem persönlichen Bereich zusammen an.
+
+## Einen Favoriten entfernen
+
+- Öffnen Sie das Kontextmenü erneut.
+ Kontextmenü mit Entfernen-aus-Favoriten-Aktion
+
+- Wählen Sie im Kontextmenü oder in den Batch-Aktionen „Aus Favoriten entfernen“.
+- Das Element wird aus Ihren Favoriten entfernt.
+
+:::note
+Spaces selbst können derzeit noch nicht als Favoriten markiert werden.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/aktivitaeten-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/aktivitaeten-button.png
new file mode 100644
index 000000000..963faec95
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/aktivitaeten-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/aktivitaeten.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/aktivitaeten.png
new file mode 100644
index 000000000..d7f78d22f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/aktivitaeten.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/details-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/details-button.png
new file mode 100644
index 000000000..331c7876f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/details-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/drei-punkte-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/drei-punkte-menue.png
new file mode 100644
index 000000000..867104fe3
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/activity/drei-punkte-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/actionbar-ausschneiden.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/actionbar-ausschneiden.png
new file mode 100644
index 000000000..cf210a34b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/actionbar-ausschneiden.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/eingefuegte-datei.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/eingefuegte-datei.png
new file mode 100644
index 000000000..8d21ac203
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/eingefuegte-datei.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/erstellen-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/erstellen-button.png
new file mode 100644
index 000000000..b525e3bd0
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/erstellen-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/hier-einfuegen-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/hier-einfuegen-button.png
new file mode 100644
index 000000000..5fdde93d2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/hier-einfuegen-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/neu-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/neu-button.png
new file mode 100644
index 000000000..2e1fa7464
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/neu-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/neu-optionen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/neu-optionen.png
new file mode 100644
index 000000000..4702233ab
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/neu-optionen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/ordner-auswaehlen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/ordner-auswaehlen.png
new file mode 100644
index 000000000..1072342ab
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/ordner-auswaehlen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/rechts-klick-ausschneiden.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/rechts-klick-ausschneiden.png
new file mode 100644
index 000000000..a8cf05270
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/rechts-klick-ausschneiden.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/umbenennen-option.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/umbenennen-option.png
new file mode 100644
index 000000000..3bce327d9
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/umbenennen-option.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/umbenennen-popup.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/umbenennen-popup.png
new file mode 100644
index 000000000..6c529d4eb
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/create-rename-move/umbenennen-popup.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/drei-punkte-menue-in-geloeschte-dateien.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/drei-punkte-menue-in-geloeschte-dateien.png
new file mode 100644
index 000000000..b4ee5d8d4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/drei-punkte-menue-in-geloeschte-dateien.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/drei-punkte-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/drei-punkte-menue.png
new file mode 100644
index 000000000..e790981fd
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/drei-punkte-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/geloeschte-dateien.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/geloeschte-dateien.png
new file mode 100644
index 000000000..d796c32b1
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/geloeschte-dateien.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/loeschen-optionen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/loeschen-optionen.png
new file mode 100644
index 000000000..c904c5a7c
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/loeschen-optionen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/markierter-ordner-in-geloeschte-dateien.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/markierter-ordner-in-geloeschte-dateien.png
new file mode 100644
index 000000000..893677f8b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/markierter-ordner-in-geloeschte-dateien.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/markierter-ordner.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/markierter-ordner.png
new file mode 100644
index 000000000..5f024a625
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/markierter-ordner.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/ordner-in-geloeschte-dateien.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/ordner-in-geloeschte-dateien.png
new file mode 100644
index 000000000..9a3560467
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/ordner-in-geloeschte-dateien.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/struktur-in-geloeschte-dateien.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/struktur-in-geloeschte-dateien.png
new file mode 100644
index 000000000..26522a0e3
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/struktur-in-geloeschte-dateien.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/wiederherstellungs-optionen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/wiederherstellungs-optionen.png
new file mode 100644
index 000000000..3c4cc8a89
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/delete-restore/wiederherstellungs-optionen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/add-to-favorites-menu.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/add-to-favorites-menu.png
new file mode 100644
index 000000000..7fb473278
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/add-to-favorites-menu.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/favorites-personal.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/favorites-personal.png
new file mode 100644
index 000000000..8059aee30
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/favorites-personal.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/remove-from-favorites-menu.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/remove-from-favorites-menu.png
new file mode 100644
index 000000000..87bda93f9
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/favorites/remove-from-favorites-menu.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/create-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/create-button.png
new file mode 100644
index 000000000..4ef3b0b1e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/create-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/pop-up-window.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/pop-up-window.png
new file mode 100644
index 000000000..319dbacd4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/pop-up-window.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut-button.png
new file mode 100644
index 000000000..fcfbadb0e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut-right-click.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut-right-click.png
new file mode 100644
index 000000000..b790ae44a
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut-right-click.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut.png
new file mode 100644
index 000000000..773d20ffd
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/shortcut.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/url-and-title.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/url-and-title.png
new file mode 100644
index 000000000..a8209fe45
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/link/url-and-title.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/markdown-editor/editor-open.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/markdown-editor/editor-open.png
new file mode 100644
index 000000000..925736fb4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/markdown-editor/editor-open.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/markdown-editor/slash-menu.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/markdown-editor/slash-menu.png
new file mode 100644
index 000000000..22b8a91e4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/markdown-editor/slash-menu.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/photos-and-videos/photo-roll-screenshot.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/photos-and-videos/photo-roll-screenshot.png
new file mode 100644
index 000000000..c4e8e8695
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/photos-and-videos/photo-roll-screenshot.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/photos-and-videos/video-screenshot.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/photos-and-videos/video-screenshot.png
new file mode 100644
index 000000000..34b60afd2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/photos-and-videos/video-screenshot.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/readme-files/readme-list-view.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/readme-files/readme-list-view.png
new file mode 100644
index 000000000..e4dd4ba21
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/readme-files/readme-list-view.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/readme-files/readme-removed.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/readme-files/readme-removed.png
new file mode 100644
index 000000000..a5f478de0
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/readme-files/readme-removed.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/drop-down-menu-searchbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/drop-down-menu-searchbar.png
new file mode 100644
index 000000000..06b37eb5e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/drop-down-menu-searchbar.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/search-example.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/search-example.png
new file mode 100644
index 000000000..3ecf5e159
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/search-example.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/searchbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/searchbar.png
new file mode 100644
index 000000000..cda5394e3
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/search/searchbar.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/delete-a-tag.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/delete-a-tag.png
new file mode 100644
index 000000000..aabb50509
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/delete-a-tag.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/details-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/details-button.png
new file mode 100644
index 000000000..823eb92ba
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/details-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/tags-line.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/tags-line.png
new file mode 100644
index 000000000..6a3254e11
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/tags-line.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/type-or-choose-a-tag.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/type-or-choose-a-tag.png
new file mode 100644
index 000000000..065ad5379
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/tags/type-or-choose-a-tag.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/entpacken-optionen-fullpage.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/entpacken-optionen-fullpage.png
new file mode 100644
index 000000000..975232bef
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/entpacken-optionen-fullpage.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/herunterladen-optionen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/herunterladen-optionen.png
new file mode 100644
index 000000000..231df1206
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/herunterladen-optionen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-button.png
new file mode 100644
index 000000000..4f057360f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-fenster.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-fenster.png
new file mode 100644
index 000000000..c571c13f1
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-fenster.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-optionen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-optionen.png
new file mode 100644
index 000000000..d65c704f8
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/hochladen-optionen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/markierte-datei.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/markierte-datei.png
new file mode 100644
index 000000000..ae056e31d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/upload-download-unzip/markierte-datei.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/details-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/details-button.png
new file mode 100644
index 000000000..7df9105fc
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/details-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/versionen-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/versionen-button.png
new file mode 100644
index 000000000..45bcf8db2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/versionen-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/versionen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/versionen.png
new file mode 100644
index 000000000..4b1fc1db4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/img/versions/versionen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/index.md
new file mode 100644
index 000000000..13a3de5d5
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/index.md
@@ -0,0 +1,54 @@
+---
+sidebar_position: 0
+id: files-and-folders-overview
+title: Dateien und Ordner verwalten
+---
+
+# Dateien und Ordner verwalten
+
+Lernen Sie, wie Sie Dateien und Ordner in OpenCloud organisieren, verwalten und prüfen.
+Dieser Abschnitt behandelt typische Aufgaben wie Inhalte erstellen und verschieben, Dateien hochladen, gelöschte Elemente wiederherstellen und den Dateiverlauf prüfen.
+
+## In diesem Abschnitt
+
+### Inhalte organisieren und verwalten
+
+- [Dateien und Ordner erstellen, umbenennen und verschieben](./create-rename-move.md)
+ Erstellen Sie neue Inhalte, ordnen Sie bestehende Dateien und Ordner neu und verschieben Sie Elemente an einen anderen Ort.
+
+- [Inhalte hochladen, herunterladen und entpacken](./upload-download-unzip.md)
+ Laden Sie Dateien in OpenCloud hoch, speichern Sie sie auf Ihrem Gerät oder entpacken Sie ZIP-Archive.
+
+- [Elemente löschen und aus dem Papierkorb wiederherstellen](./delete-restore.md)
+ Entfernen Sie Dateien und Ordner und stellen Sie sie bei Bedarf später wieder her.
+
+- [Markdown-Dateien bearbeiten](./markdown-editor.md)
+ Bearbeiten Sie `README.md` und andere Markdown-Dateien direkt in OpenCloud mit Formatierungshilfen.
+
+- [README-Dateien in Ordnern](./readme-files.md)
+ Fügen Sie einem Ordner eine `README.md`-Datei hinzu, damit OpenCloud sie oberhalb der Dateiliste rendert.
+
+### Inhalte finden und klassifizieren
+
+- [Fotos und Videos](./photos-and-videos.md)
+ Zeigen Sie Fotos in der Vorschau an, blättern Sie durch einen Photo-Roll und spielen Sie Videos direkt im Web an.
+
+- [Nach Dateien und Inhalten suchen](./search.md)
+ Finden Sie Dateien anhand des Namens oder durchsuchen Sie Inhalte innerhalb von Dateien.
+
+- [Favoriten](./favorites.md)
+ Markieren Sie häufig verwendete Dateien für den schnellen Zugriff und sammeln Sie sie auf einer eigenen Favoriten-Seite.
+
+- [Tags hinzufügen und entfernen](./tags.md)
+ Verwenden Sie Tags, um Dateien und Ordner zu organisieren und leichter wiederzufinden.
+
+- [Verknüpfungen zu Dateien oder Weblinks erstellen](./shortcut.md)
+ Fügen Sie Verknüpfungen zu häufig verwendeten Dateien oder externen Webseiten für einen schnelleren Zugriff hinzu.
+
+### Dateiverlauf und Aktivität prüfen
+
+- [Dateiversionen und Aktivitätshistorie ansehen](./versions.md)
+ Prüfen Sie frühere Dateiversionen und verfolgen Sie, wie sich eine Datei im Laufe der Zeit verändert hat.
+
+- [Dateiaktivität prüfen](./activity.md)
+ Sehen Sie, welche Aktionen an einer Datei oder einem Ordner durchgeführt wurden und von wem die Änderungen stammen.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/markdown-editor.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/markdown-editor.md
new file mode 100644
index 000000000..48b5df0fe
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/markdown-editor.md
@@ -0,0 +1,61 @@
+---
+id: markdown-editor
+sidebar_position: 3.6
+title: Markdown-Dateien bearbeiten
+description: Erfahren Sie, wie Sie Markdown-Dateien mit dem OpenCloud Tiptap-Editor bearbeiten.
+---
+
+# Markdown-Dateien bearbeiten
+
+OpenCloud verwendet einen Tiptap-basierten Markdown-Editor für Dateien wie `README.md` und andere `.md`-Dateien. Der Editor hilft Ihnen dabei, Inhalte zu schreiben und zu formatieren, auch wenn Sie die Markdown-Syntax nicht gut kennen.
+
+## So funktioniert der Editor
+
+Wenn Sie eine Markdown-Datei öffnen, zeigt OpenCloud sie im Editor an, sodass Sie die Datei direkt im Browser bearbeiten können.
+
+Markdown-Editor mit einer README-Datei geöffnet
+
+Sie können Überschriften, Listen, Links, Zitate, Code und andere häufige Formatierungen hinzufügen, ohne die Dateiansicht zu verlassen.
+
+Während Sie bearbeiten, zeigt OpenCloud den Markdown-Inhalt direkt gerendert an, sodass Sie sofort sehen können, wie die Datei aussehen wird.
+
+Der Editor unterstützt außerdem das Einfügen von Bildern und das Erstellen von Tabellen, sodass Sie reichhaltigere Markdown-Dateien direkt in OpenCloud einfacher erstellen können.
+
+## Slash-Kürzel verwenden
+
+Geben Sie `/` in einer neuen Zeile ein, um das Formatierungsmenü zu öffnen.
+
+Das Menü gibt Ihnen einen schnellen Überblick über die verfügbaren Formatierungsoptionen und erlaubt es Ihnen, diese zu nutzen, ohne sich jede Tastenkombination merken zu müssen.
+
+Slash-Menü im Markdown-Editor
+
+Das ist besonders hilfreich, wenn Sie schnell formatieren möchten und dabei die Hände auf der Tastatur lassen wollen.
+
+## Formatierungsleiste verwenden
+
+Verwenden Sie die Formatierungsleiste oberhalb des Editors, um häufige Markdown-Elemente einzufügen.
+
+Klicken Sie auf die Schaltfläche `Heading`, um eine Überschriftenebene auszuwählen, oder verwenden Sie die anderen Schaltflächen für Fett, Kursiv, Listen, Code, Bilder und Tabellen.
+
+Das ist besonders hilfreich, wenn Sie Inhalte schnell formatieren möchten, ohne sich jede Markdown-Tastenkombination merken zu müssen.
+
+## Unterstützte Formatierung
+
+Der Markdown-Editor unterstützt gängige Formatierungsoptionen für alle Markdown-Dateien. Sie können die Formatierungsleiste oder das Slash-Menü verwenden, um Folgendes einzufügen:
+
+- Überschriften
+- Fett und kursiven Text
+- Aufzählungs- und nummerierte Listen
+- Zitate
+- Inline-Code und Codeblöcke
+- Links
+- Bilder
+- Tabellen
+
+## Gut zu wissen
+
+- Der Editor funktioniert für Markdown-Dateien wie `README.md`.
+- Sie können das Formatierungsmenü verwenden, um strukturierte Inhalte Schritt für Schritt zu erstellen.
+- Die Datei bleibt eine normale Markdown-Datei und kann daher auch außerhalb von OpenCloud verwendet werden.
+
+Wenn die Datei gespeichert wird, wird der Markdown-Inhalt in derselben `.md`-Datei gespeichert und kann überall dort gerendert werden, wo Markdown unterstützt wird.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/photos-and-videos.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/photos-and-videos.md
new file mode 100644
index 000000000..3024dff2f
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/photos-and-videos.md
@@ -0,0 +1,32 @@
+---
+sidebar_position: 3.6
+title: Fotos und Videos
+description: Erfahren Sie, wie OpenCloud Fotos in der Vorschau anzeigt und Videos direkt im Web abspielt.
+---
+
+# Fotos und Videos
+
+OpenCloud kann Fotos in der Vorschau anzeigen und Videos direkt in der Weboberfläche abspielen.
+Dadurch können Sie Medien einfacher prüfen, ohne die Dateien zuerst herunterladen zu müssen.
+
+## Fotovorschau
+
+Öffnen Sie ein Foto in der Vorschauansicht, um durch den Photo-Roll zu blättern.
+
+Photo-Roll-Ansicht in OpenCloud
+
+Der Fotobetrachter unterstützt eine Navigation im Photo-Roll-Stil, sodass Sie durch eine Bilderserie blättern können, ohne die Vorschau zu verlassen.
+
+## Videowiedergabe
+
+Videos öffnen sich im gleichen Vorschaubereich und können direkt im Browser abgespielt werden.
+
+Videovorschau in OpenCloud
+
+Die Videowiedergabe funktioniert direkt in OpenCloud, sodass Sie Clips prüfen können, ohne sie zuerst herunterzuladen.
+
+## Hinweise
+
+- Das Verhalten hängt vom Dateityp und von den Browserfunktionen ab.
+- Sehr große Mediendateien können trotzdem einen Moment zum Laden benötigen.
+- Diese Funktion ist für die schnelle Ansicht gedacht, nicht für eine erweiterte Medienbearbeitung.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/readme-files.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/readme-files.md
new file mode 100644
index 000000000..62c78fbeb
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/readme-files.md
@@ -0,0 +1,52 @@ +--- +sidebar_position: 3.5 +title: README-Dateien in Ordnern +description: Erfahren Sie, wie README.md-Dateien in Ordnern in OpenCloud gerendert werden. +--- + +# README-Dateien in Ordnern + +Wenn ein Ordner eine Datei mit dem Namen `README.md` enthält, rendert OpenCloud deren Markdown-Inhalt oberhalb der Dateiliste. + +README in der Listenansicht gerendert, während die Datei noch sichtbar ist + +## README-Datei erstellen + +1. Öffnen Sie den Ordner, in dem Sie das README hinzufügen möchten. +2. Erstellen oder laden Sie eine Datei mit dem Namen `README.md` hoch. +3. Fügen Sie Ihren Markdown-Inhalt hinzu und speichern Sie die Datei. + +OpenCloud rendert den Inhalt, wenn der Ordner geöffnet oder aktualisiert wird. + +## Unterstützter Dateiname + +Der Dateiname muss genau so lauten: + +```text +README.md +``` + +## Beispiel + +Eine `README.md`-Datei kann zum Beispiel folgenden Markdown-Inhalt enthalten: + +```markdown +# Fotos + +Dieser Ordner enthält visuelle Beispiele für Vorschauen und Doku-Screenshots. + +Die Bilder werden verwendet, um das Verhalten der Listenansicht, der Kachelansicht und der Bildvorschau in OpenCloud zu zeigen. + +## Dateien + +- moon-surface-public-domain.jpg +- rotated-chessboard-photo.jpg +- vintage-computer-terminal.jpg +- Space-Nebula.jpg +``` + +## README-Bereich entfernen + +Löschen oder benennen Sie `README.md` um, um den gerenderten Bereich zu entfernen. + +Ordner ohne den gerenderten README-Bereich diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/search.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/search.md new file mode 100644 index 000000000..473ead71f --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/search.md 
@@ -0,0 +1,25 @@
+---
+sidebar_position: 4
+id: search
+title: Suche
+description: Nutzen der Suche in OpenCloud
+draft: false
+---
+
+# Die Suche in OpenCloud verwenden
+
+Sie können die Suchleiste in der oberen Leiste verwenden, um Dateien und Inhalte schnell zu finden.
+
+## So funktioniert die Suche
+
+- Die Suchleiste befindet sich oben in der Web-Oberfläche.
+ Suchleiste
+- Kurzbefehle: Drücken Sie `/` oder geben Sie `s` ein, um die Suchleiste zu fokussieren.
+
+- Klicken Sie auf das Dropdown-Menü neben der Suchleiste.
+- Wählen Sie, ob Sie in allen Dateien oder nur im aktuellen Ordner suchen möchten.
+ Auswahl, wo gesucht werden soll
+- Die Suchfunktion sucht sowohl nach Dateinamen als auch nach dem Inhalt der Dateien, um relevante Ergebnisse anzuzeigen.
+ Suchbeispiel
+
+Mit diesen Schritten finden Sie Ihre Dateien und Ordner schnell und effizient!
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/shortcut.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/shortcut.md
new file mode 100644
index 000000000..6bce8f24a
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/shortcut.md
@@ -0,0 +1,36 @@ +--- +sidebar_position: 5 +id: shortcut +title: Verknüpfung +description: Verknüpfung in OpenCloud erstellen +draft: false +--- + +# Verknüpfung + +Mit OpenCloud können Sie Verknüpfungen zu Websites oder Dateien erstellen. + +## Verknüpfung erstellen + +- Öffnen Sie das Menü "+ Neu“ und wählen Sie "Verknüpfung“. + + Verknüpfung auswählen + +- Geben Sie eine URL oder einen Dateinamen ein. + - Sie können auch eine Datei aus der Liste auswählen, nachdem Sie ein paar Buchstaben eingegeben haben. + + Link oder Datei im Popup-Fenster eingeben + +- Geben Sie einen Namen für die Verknüpfung ein. + + Namen für die Verknüpfung eingeben + +- Erstellen Sie die Verknüpfung, indem Sie auf "Erstellen“ klicken. + + Auf Erstellen klicken + +## Verknüpfung verwenden + +- Öffnen Sie das Kontextmenü, klicken Sie auf "Öffnen mit“ und wählen Sie "Verknüpfung öffnen“. + + Rechtsklick auf die Verknüpfung diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/tags.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/tags.md new file mode 100644 index 000000000..5bcf96715 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/tags.md 
@@ -0,0 +1,35 @@
+---
+sidebar_position: 6
+id: tags
+title: Tags
+description: Tags mit OpenCloud hinzufügen und verwalten
+draft: false
+---
+
+# Tags mit OpenCloud hinzufügen und verwalten
+
+Mit OpenCloud können Sie Dateien und Ordner mit Tags versehen, damit Sie diese leichter suchen oder gruppieren können.
+
+## Tag hinzufügen
+
+- Öffnen Sie das Kontextmenü für die Datei oder den Ordner.
+- Wählen Sie die Option „Details“.
+ Details im Kontextmenü auswählen
+
+## Tag hinzufügen
+
+- Klicken Sie in das Eingabefeld neben „Tags“.
+ Eingabefeld neben Tags
+- Wählen Sie einen vorhandenen Tag aus oder geben Sie einen neuen Begriff ein, um einen neuen Tag zu erstellen.
+ Tag-Namen eingeben
+
+ Der Tag wird hinzugefügt und ist jetzt mit der Datei oder dem Ordner verknüpft.
+
+## Tag entfernen
+
+- Öffnen Sie die „Details“ der Datei oder des Ordners erneut.
+- Suchen Sie den Tag, den Sie entfernen möchten.
+- Klicken Sie auf das „x“ neben dem Tag, um ihn zu löschen.
+ Auf das x neben dem Tag klicken
+
+ Die Datei oder der Ordner ist nun nicht mehr mit diesem Tag verknüpft.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/upload-download-unzip.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/upload-download-unzip.md
new file mode 100644
index 000000000..7d8009415
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/upload-download-unzip.md
@@ -0,0 +1,59 @@ +--- +sidebar_position: 2 +id: upload-download-unzip +title: Hochladen - Herunterladen - Entpacken +description: Hochladen - Herunterladen - Entpacken +draft: false +--- + +# Hochladen - Herunterladen - Entpacken + +## Dateien oder Ordner hochladen + +- Öffnen Sie das Menü „+ Neu“ in der linken Seitenleiste. + + Hochladen-Schaltfläche + +- Wählen Sie aus, ob Sie Dateien oder Ordner hochladen möchten. + + Datei oder Ordner auswählen + +- Dateien oder Ordner auswählen: + - Wählen Sie im sich öffnenden Fenster die gewünschten Dateien oder Ordner aus. + - Mehrere Dateien oder Ordner können gleichzeitig ausgewählt werden. +- Upload bestätigen: + - Klicken Sie auf „Öffnen“, um den Upload zu starten. + + Upload bestätigen + + - Nach Abschluss des Uploads erscheint eine Meldung in der unteren rechten Ecke. + +- Alternativ: + - Ziehen Sie die Dateien oder Ordner direkt aus Ihrem Explorer-Fenster in den Browser, um sie hochzuladen. + +## Dateien oder Ordner herunterladen + +- Wählen Sie die Datei(en) aus, die Sie herunterladen möchten. + + Dateien für den Download auswählen + +- Öffnen Sie das Kontextmenü, indem Sie mit der rechten Maustaste klicken oder auf die drei Punkte neben der Datei klicken. + + Download-Optionen + +- Wählen Sie „Herunterladen“ aus dem Menü oder in der oberen Leiste. + +- Wenn Sie mehrere Dateien oder Ordner herunterladen, werden diese als ZIP-Datei gespeichert. +- Entpacken Sie die ZIP-Datei nach dem Herunterladen auf Ihrem Gerät. + +## Entpacken + +Wenn die Funktion aktiviert ist, können Sie gepackte Dateien in der Cloud entpacken. + +- Wählen Sie die ZIP-Datei in der Dateiliste aus und öffnen Sie das Kontextmenü mit einem Rechtsklick auf die Datei oder über die drei Punkte daneben. +- Wählen Sie „Entpacken“. + + Entpacken-Optionen im Vollbild + +- Die Inhalte werden direkt in der Cloud entpackt und erscheinen im aktuellen Ordner. +- Sobald der Vorgang abgeschlossen ist, erscheint eine Benachrichtigung. 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/versions.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/versions.md new file mode 100644 index 000000000..25cdd94b6 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/files-and-folders/versions.md @@ -0,0 +1,29 @@ +--- +sidebar_position: 7 +id: versions +title: Versionen +description: Verwalten der Versionen von Dateien OpenCloud +draft: false +--- + +# Verwalten von Dateiversionen in OpenCloud + +OpenCloud speichert verschiedene Versionen von Dateien. So können Sie frühere Versionen wiederherstellen oder herunterladen: + +## Versionen anzeigen und wiederherstellen + +- Details öffnen + - Klicken Sie mit der rechten Maustaste auf die Datei oder klicken Sie auf die drei Punkte in der entsprechenden Dateizeile. + - Wählen Sie „Details“ aus dem Kontextmenü aus. + Details auswählen + +- Versionen auswählen + - Wählen Sie in der rechten Seitenleiste den Punkt „Versionen“ aus. + Versionen auswählen + +- Versionen anzeigen + - Alle Versionen der Datei werden angezeigt. + - Sie können nun die gewünschte Version wiederherstellen oder herunterladen. + Alle Versionen anzeigen + +Mit diesen Schritten können Sie jederzeit auf ältere Versionen Ihrer Dateien zugreifen. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/_category_.json new file mode 100644 index 000000000..ee32c9a10 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/_category_.json @@ -0,0 +1,4 @@ +{ + "label": "Benutzeroberfläche und Navigation", + "position": 2 +} diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/account-settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/account-settings.md new file mode 100644 index 000000000..ca6131805 --- /dev/null 
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/account-settings.md 
@@ -0,0 +1,83 @@ +--- +sidebar_position: 2 +id: settings +title: Kontoeinstellungen +description: Einstellungen für das Benutzerkonto in OpenCloud +draft: false +--- + +# Einstellungen für Ihr Benutzerkonto in OpenCloud + +In OpenCloud haben Sie die Möglichkeit, verschiedene Einstellungen für Ihr Benutzerkonto vorzunehmen und es an Ihre Bedürfnisse anzupassen. + +## Auf die Einstellungen zugreifen + +- Klicken Sie oben rechts auf Ihren Avatar. +- Wählen Sie den Punkt „Einstellungen“. + Einstellungen öffnen + +## Kontoinformationen + +In den Einstellungen können Sie zwischen verschiedenen Abschnitten wählen: + +### Profil + +- Profilbild +- Benutzername / Login-Name +- Vor- und Nachname +- E-Mail-Adresse +- Persönlicher Speicherplatz +- Gruppenmitgliedschaften + +Kontoinformationen + +### Avatar + +Im Bereich Profilbild können Sie Ihr Avatar-Bild ändern: + +- Klicken Sie auf „Hochladen“ unter Ihrem Avatar-Symbol. + Avatar-Menü +- Wählen Sie Ihr Avatar-Bild aus und klicken Sie auf „Hochladen“. + Avatar hochladen +- Es öffnet sich nun ein Fenster, in dem Sie Ihr Bild anpassen können. Klicken Sie anschließend auf „Set“. + Avatar-Einstellungen +- Danach wird Ihr Avatar in Ihrem Konto angezeigt. + Sichtbarer Avatar + +## Einstellungen + +Je nach Grundkonfiguration können Sie die folgenden Optionen ändern: + +- Sprache: + Wählen Sie die gewünschte Sprache für Ihre Benutzeroberfläche. +- Passwort: + Ändern Sie Ihr Passwort für den Zugriff auf Ihr Benutzerkonto. +- Design (Theme): + Passen Sie das Erscheinungsbild der Benutzeroberfläche nach Ihren Vorlieben an. +- E-Mail-Benachrichtigungen: + Legen Sie fest, welche E-Mail-Benachrichtigungen Sie von OpenCloud erhalten möchten. +- Anzeigeoptionen: + Mit den WebDAV-Einstellungen legen Sie fest, ob auf Dateien und Ordner extern zugegriffen werden kann. + Einstellungen + +## Erweiterungen + +Unter „Erweiterungen“ können Sie installierte Erweiterungen konfigurieren, wie z. B. die Fortschrittsanzeige, sofern verfügbar. 
+Erweiterungen + +## Kalender + +Unter „Kalender“ können Sie auf Ihren persönlichen Kalender zugreifen und ihn, sofern konfiguriert, mit Drittanbieter-Apps wie Thunderbird, Apple Kalender und anderen integrieren. + +Kalender + +## DSGVO + +Unter „DSGVO“ können Sie bei Bedarf einen Export Ihrer personenbezogenen Daten anfordern. +DSGVO + +## App-Tokens + +Mit „App-Tokens“ können Sie externe Apps und Dienste (wie WebDAV-Clients) sicher verbinden, ohne Ihr Hauptpasswort zu verwenden. + +App-Tokens diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/file-list-adjustments.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/file-list-adjustments.md new file mode 100644 index 000000000..dc09c5fc8 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/file-list-adjustments.md 
@@ -0,0 +1,31 @@ +--- +sidebar_position: 3 +id: customization-file-list +title: Anpassungen der Datei-Liste +description: Anpassungen der Datei-Liste in OpenCloud +draft: false +--- + +# Anpassungen der Datei-Liste in OpenCloud + +Wenn Sie auf das Einstellungssymbol auf der rechten Seite der Benutzeroberfläche klicken, gelangen Sie zu den Optionen für die Anpassung der Ansicht. Hier können Sie die Anzeige anpassen + +## Verfügbare Optionen + +Settings icon + +- Versteckte Dateien anzeigen + - Aktivieren oder deaktivieren Sie die Anzeige von versteckten Dateien. + - Bei versteckten Dateien handelt es sich oft um System- oder Konfigurationsdateien. + +- Dateierweiterungen anzeigen + - Legen Sie fest, ob die Dateierweiterungen (z. B. `.docx`, `.jpg`) hinter den Dateinamen angezeigt werden sollen. Dies erleichtert die Identifizierung von Dateitypen. + +- Dateien pro Seite + - Geben Sie an, wie viele Dateien pro Seite in einem Ordner angezeigt werden sollen. + - Nützlich für das Navigieren in Ordnern mit vielen Dateien. + +- Kachelgröße + - Passen Sie die Größe der Symbole und Schaltflächen an: + - Kleine Kacheln für eine kompaktere Ansicht. + - Große Kacheln für eine übersichtlichere Ansicht. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/access.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/access.png new file mode 100644 index 000000000..29a09b03a Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/access.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/account-information.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/account-information.png
new file mode 100644
index 000000000..711cb7013
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/account-information.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/app-tokens.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/app-tokens.png
new file mode 100644
index 000000000..7a7b1f65c
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/app-tokens.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-menu.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-menu.png
new file mode 100644
index 000000000..1035f544d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-menu.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-settings.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-settings.png
new file mode 100644
index 000000000..901d273de
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-settings.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-upload.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-upload.png
new file mode 100644
index 000000000..7504ac258
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/avatar-upload.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/calendar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/calendar.png
new file mode 100644
index 000000000..94523b529
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/calendar.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/extensions.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/extensions.png
new file mode 100644
index 000000000..025c8589b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/extensions.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/gdpr.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/gdpr.png
new file mode 100644
index 000000000..8867ce89e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/gdpr.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/preferences.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/preferences.png
new file mode 100644
index 000000000..0b0c7064b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/preferences.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/visible-avatar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/visible-avatar.png new file mode 100644 index 000000000..bd12c1503 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/account-settings/visible-avatar.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/files-list-adjustment/einstellungs-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/files-list-adjustment/einstellungs-button.png new file mode 100644 index 000000000..db448b93c Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/files-list-adjustment/einstellungs-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/files-list-adjustment/settings-icon.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/files-list-adjustment/settings-icon.png new file mode 100644 index 000000000..ba901dd78 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/files-list-adjustment/settings-icon.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/overview/marker.svg b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/overview/marker.svg new file mode 100644 index 000000000..c0d261367 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/overview/marker.svg @@ -0,0 +1,60 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +1 +2 +3 +4 +5 +6 +7 +8 +9 +10 +11 +12 +13 +14 +15 +16 +17 +18 + \ No newline at end of file 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/overview/ueberblick.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/overview/ueberblick.png
new file mode 100644
index 000000000..9f191daeb
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/overview/ueberblick.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/kachel.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/kachel.png
new file mode 100644
index 000000000..bdee75c17
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/kachel.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/klassisch.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/klassisch.png
new file mode 100644
index 000000000..3cbbf8d8c
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/klassisch.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/verdichtet.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/verdichtet.png
new file mode 100644
index 000000000..01f5a355b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/img/view-modes/verdichtet.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/index.md
new file mode 100644
index 000000000..6aea7de46
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/index.md
@@ -0,0 +1,27 @@ +--- +title: Web Benutzeroberfläche und Navigation +--- + +# Web Benutzeroberfläche und Navigation + +Der Web Client ist die zentrale Oberfläche von OpenCloud und bietet vollen Zugriff im Browser, ohne dass zusätzliche +Software installiert werden muss. + +Dieser Abschnitt erklärt die wichtigsten Bereiche der Oberfläche und zeigt, wie Sie den Web Client nutzen, die +Dateiliste anpassen und Ihre Kontoeinstellungen personalisieren. + +## In diesem Abschnitt + +- [Überblick](./overview.md) + Machen Sie sich mit den wichtigsten Bereichen des Web Clients vertraut, darunter Seitenleiste, obere Leiste, + Dateiliste und Aktionsbereiche. + +- [Kontoeinstellungen](./account-settings.md) + Verwalten Sie Ihr Profil, Ihre Einstellungen, Ihr Avatarbild, den Kalenderzugriff, den DSGVO-Export und App-Tokens. + +- [Dateiliste anpassen](./file-list-adjustments.md) + Passen Sie an, wie Dateien angezeigt werden, einschließlich versteckter Dateien, Dateiendungen, Seitennummerierung und + Kachelgröße. + +- [Ansichtsmodi](./view-modes.md) + Wechseln Sie zwischen Tabellen-, Kompakt- und Kachelansicht, um die Dateiliste anders darzustellen. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/overview.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/overview.md new file mode 100644 index 000000000..9c49dc704 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/overview.md @@ -0,0 +1,109 @@ +--- +sidebar_position: 1 +id: overview +title: Übersicht +description: Überblick über die Web-Benutzeroberfläche +draft: false +--- + +import OverviewMarker from "./img/overview/marker.svg"; + +# Überblick der Web-Benutzeroberfläche + +Die OpenCloud Web-Benutzeroberfläche besteht aus mehreren Bereichen, die Ihnen helfen, effizient mit Dateien und Einstellungen zu arbeiten. + +
+ Übersicht +
+ +## 1. Linke Seitenleiste + +Die Seitenleiste enthält Navigationselemente wie Spaces, Dateien, Freigaben und Einstellungen. + +## 2. App-Switcher + +Das Menü in der rechten oberen Ecke ermöglicht es Ihnen, zwischen verschiedenen Apps und Modulen zu wechseln. + +## 3. Obere Leiste + +Die obere Leiste enthält wichtige Funktionen wie die Suchleiste, Benutzeraktionen und globale Einstellungen. + +## 4. Suchleiste + +Ermöglicht Ihnen das schnelle Auffinden von Dateien, Ordnern oder Spaces. + +## 5. Dateiliste + +Zeigt alle Dateien und Ordner in der ausgewählten Ansicht an. + +## 6. Breadcrumbs-Menü + +Zeigt den aktuellen Pfad Ihrer Navigation an und ermöglicht es Ihnen, schnell zu vorherigen Verzeichnissen zurückzuspringen. + +## 7. Batch-Aktionen + +Ermöglicht Ihnen das Bearbeiten, Verschieben oder Löschen mehrerer ausgewählter Dateien zur gleichen Zeit. + +## 8. Ansichtsmodi + +Bietet verschiedene Anzeigeoptionen für die Dateiliste: + +- Listenansicht +- Kachelansicht +- Komprimierte Ansicht + +## 9. Ansichtseinstellungen + +Hier können Sie zusätzliche Anzeigeoptionen wie Sortierung oder Spaltenauswahl anpassen. + +## 10. Benutzermenü + +Klicken Sie auf Ihr Profilbild in der oberen rechten Ecke, um auf Einstellungen, Abmeldung und Kontooptionen zuzugreifen. + +## 11. Rechte Seitenleiste + +Zeigt zusätzliche Informationen und Bereiche für Freigaben, Aktivitäten oder Dateidetails. + +## 12. Aktionen + +Hier finden Sie Aktionen wie Herunterladen, Teilen, Löschen oder Bearbeiten für ausgewählte Dateien. + +## 13. Drei-Punkte-Menü + +Bietet weitere Optionen für Dateien, Ordner oder Spaces. + +## 14. Aktionen-Panel + +Zeigt mögliche Aktionen für die ausgewählte Datei, z. B. Umbenennen oder Verschieben. + +## 15. Freigabe-Panel + +Hier können Sie Dateien und Ordner intern oder extern freigeben und Berechtigungen verwalten. + +## 16. Versionen + +Zeigt eine Übersicht der Versionen einer ausgewählten Datei oder eines ausgewählten Ordners. + +## 17. 
Aktivitätsleiste + +Zeigt eine Übersicht über Änderungen und Aktivitäten innerhalb eines Spaces oder einer Datei. + +## 18. Kontextmenü + +Ein Rechtsklick auf eine Datei oder einen Ordner öffnet das Kontextmenü mit spezifischen Optionen. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/view-modes.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/view-modes.md new file mode 100644 index 000000000..fd1d46d50 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/general/view-modes.md @@ -0,0 +1,31 @@ +--- +sidebar_position: 4 +id: view-modes +title: Ansichtsmodi +description: Ansichtsmodi für die Dateiliste in OpenCloud +draft: false +--- + +# Ansichtsmodi der Dateiliste in OpenCloud + +In OpenCloud können Sie zwischen verschiedenen Ansichtsmodi für Dateien und Ordner wählen, um die Anzeige nach Ihren Wünschen anzupassen. + +## Verfügbare Ansichtsmodi + +### Kachelansicht + +Dies ist die Standardansicht. Dateien und Ordner werden als Kacheln angezeigt und eignen sich gut für die visuelle Navigation. + +Kachelansicht der Dateiliste + +### Verdichtete Tabellenansicht + +Eine kompaktere Tabellenansicht, in der Informationen dichter zusammengefasst werden, um Platz zu sparen. + +Verdichtete Tabellenansicht der Dateiliste + +### Standard-Tabellenansicht + +Die klassische Listenansicht, in der Dateien und Ordner in einer detaillierten Tabelle angezeigt werden. + +Standard-Tabellenansicht der Dateiliste diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/img/common-issues/desktop-excluded.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/img/common-issues/desktop-excluded.png new file mode 100644 index 000000000..fc0b13394 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/img/common-issues/desktop-excluded.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/index.md
new file mode 100644
index 000000000..3e28abfdb
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/index.md
@@ -0,0 +1,94 @@ +--- +sidebar_position: 1 +title: Willkommen +description: Willkommen +--- + + + +import OcLogoPetrol from '/static/img/oc-logo-petrol.svg'; +import OcLogoLilac from '/static/img/oc-logo-lilac.svg'; + + + +# Willkommen + + + + +## Willkommen zur OpenCloud-Wissensdatenbank + +Diese Dokumentation hilft Ihnen beim Einstieg in OpenCloud, beim Verständnis der wichtigsten Funktionen und bei der Suche nach Hilfen für den Alltag, die Administration und die Fehlersuche. + +## Was ist OpenCloud? + +OpenCloud ist eine File-Sharing- und Kollaborationsplattform der [Heinlein Group](https://www.heinlein.group/). Sie hilft Teams dabei, Dateien geräteübergreifend zu speichern, zu organisieren, zu teilen und gemeinsam zu bearbeiten. + +Je nach Arbeitsweise können Sie OpenCloud auf unterschiedliche Weise nutzen: + +- Der [Web Client](./general/) bietet direkten Zugriff auf alle OpenCloud-Funktionen im Browser, einschließlich Dateiverwaltung, Kollaborationsfunktionen und Verwaltungsoptionen, soweit Ihre Berechtigungen dies zulassen. +- Der [Desktop Client](./desktop-client/) synchronisiert Dateien zwischen OpenCloud und Ihrem lokalen Computer für die Offline-Arbeit und automatische Aktualisierungen. +- Die [iOS App](./ios-app/) bietet bequemen Zugriff auf Dateien und wichtige Aktionen unterwegs. +- Die [Android App](./android-app/) bietet bequemen Zugriff auf Dateien und wichtige Aktionen unterwegs. +- Die [Collabora Online-Integration](./collabora) ermöglicht das Bearbeiten von Office-Dokumenten direkt im Browser und die Zusammenarbeit in Echtzeit. + +Jeder Client und jede Integration ist für einen bestimmten Anwendungsfall ausgelegt: der Web Client für den umfangreichen Zugriff im Browser, der Desktop Client für die lokale Synchronisierung, die mobilen Apps für den Zugriff unterwegs und Collabora für die Dokumentbearbeitung im Browser. 
+ +## Administration und Bereitstellung + +Wenn Sie Ihre eigene OpenCloud-Umgebung installieren, einrichten oder verwalten möchten, finden Sie Hilfe in der [Admin-Dokumentation](../admin/) und im Abschnitt [Erste Schritte](../admin/getting-started/). + +## Dokumentationsversionen + +Diese Dokumentation ist versioniert, damit Sie die Informationen passend zu Ihrer OpenCloud-Version finden. + +- **Rolling-Version** + Entspricht dem aktuellen Entwicklungsstand. Änderungen werden fortlaufend eingepflegt, einzelne Funktionen sind möglicherweise noch nicht vollständig dokumentiert. + +- **Stable-Release-Versionen** + Dokumentation zu offiziell veröffentlichten Versionen. Diese Versionen werden geprüft und bleiben nach der Veröffentlichung unverändert. + +Über das Versionsmenü oben rechts können Sie zwischen der Rolling-Version und bestimmten Release-Versionen wechseln. + +## Dokumentation entdecken + +### Apps + +- [OpenCloud Desktop Client](./desktop-client/) + Hier erfahren Sie, wie Sie den Desktop Client installieren, einrichten und verwenden. + +- [OpenCloud iOS App](./ios-app/) + Hier finden Sie Hinweise zur Nutzung von OpenCloud auf iPhone und iPad. + +- [OpenCloud Android App](./android-app/) + Hier finden Sie Hinweise zur Nutzung von OpenCloud auf Android-Geräten. + +### Web und Bearbeitung + +- [Benutzeroberfläche und Navigation](./general/) + Hier lernen Sie den Web Client kennen, passen Kontoeinstellungen an und verändern die Darstellung. + +- [Collabora Online](./collabora) + Hier erfahren Sie, wie Sie Dokumente direkt im Browser bearbeiten. + +- [Dateien und Ordner verwalten](./files-and-folders/) + Hier finden Sie Hinweise zum Erstellen, Organisieren, Verschieben, Löschen und Wiederherstellen von Dateien und Ordnern. + +- [Dateien und Ordner teilen](./sharing/) + Hier erfahren Sie, wie Sie Inhalte intern teilen, öffentliche Links erstellen und File Drop verwenden. 
+ +- [Im Team mit Spaces arbeiten](./spaces/) + Hier erfahren Sie, wie Sie Spaces für die Zusammenarbeit in Teams nutzen. + +### Administration + +- [Rollen](./roles/) + Hier erfahren Sie mehr über Benutzerrollen, Space-Rollen und Freigaberechte in OpenCloud. + +- [Administration von OpenCloud](./admin/) + Hier finden Sie Informationen zu Einstellungen, App-Tokens und WebDAV-Zugriff. + +### Hilfe + +- [Häufige Probleme und Hilfe](./common-issues) + Hier finden Sie Lösungen für häufige Probleme und Antworten auf häufig gestellte Fragen. diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/_category_.json new file mode 100644 index 000000000..39441f177 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/_category_.json @@ -0,0 +1,8 @@ +{ + "label": "OpenCloud iOS App", + "position": 7, + "link": { + "type": "doc", + "id": "ios-app-overview" + } +} diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/files-and-folders/create-rename-move.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/files-and-folders/create-rename-move.md new file mode 100644 index 000000000..e3830f370 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/files-and-folders/create-rename-move.md 
@@ -0,0 +1,119 @@
+---
+sidebar_position: 1
+id: create-rename-move
+title: Erstellen - Umbenennen - Verschieben
+description: Erstellen - Umbenennen - Verschieben
+draft: false
+---
+
+# Erstellen, Umbenennen und Verschieben von Dateien und Ordnern
+
+Mit der OpenCloud iOS-App verwalten Sie Ihre Inhalte ganz einfach. Erstellen Sie neue Ordner und Dateien, benennen Sie Elemente um und verschieben Sie sie an andere Speicherorte – alles direkt von Ihrem iPhone oder iPad aus.
+
+## Erstellen von Dateien und Ordnern
+
+- Tippen Sie oben rechts auf die Schaltfläche "+".
+
+Neu erstellen
+
+Wählen Sie aus dem Menü aus, was Sie erstellen möchten:
+
+### Erstellen Sie einen Ordner
+
+– Tippen Sie auf "Ordner erstellen"
+– Geben Sie einen Namen für Ihren Ordner ein
+– Tippen Sie auf "Done"
+
+Ordner erstellen
+
+### Erstellen Sie ein Dokument (erfordert Collabora)
+
+Wenn Collabora Online in Ihrer OpenCloud-Instanz aktiviert ist:
+
+– Tippen Sie auf "Neues Dokument"
+– Wählen Sie den Dokumenttyp (Text, Tabelle, Präsentation)
+– Geben Sie einen Dateinamen ein und bestätigen Sie.
+
+Wählen Sie den Dateityp
+
+Das Dokument wird zur Bearbeitung in einer integrierten Webansicht mit Collabora geöffnet.
+
+In Collabora öffnen
+In Collabora bearbeiten
+
+### Machen Sie ein Foto oder Video
+
+- Wählen Sie "Foto oder Video aufnehmen" aus dem Menü
+
+wählen Sie Foto oder Video aufnehmen aus
+
+– Die Kamera Ihres Geräts wird geöffnet.
+– Nehmen Sie ein Foto oder Video auf.
+
+Machen Sie ein Foto
+
+- Die Medien werden direkt in Ihrem OpenCloud-Konto gespeichert
+
+Foto gespeichert
+
+### Dokument scannen
+
+Scannen Sie Papierdokumente mit Ihrem iOS-Gerät:
+
+- Wählen Sie "Dokument scannen"
+- Richten Sie die Kamera auf Ihr Dokument.
+- OpenCloud erkennt die Ränder automatisch und scannt das Dokument.
+
+Sie können dann:
+
+– Den Scan zuschneiden oder drehen
+– Den Farbmodus wechseln (Farbe, Graustufen, Schwarzweiß)
+– Ein Dateiformat wählen (PDF, JPEG, PNG)
+– Als einseitige oder mehrseitige Datei speichern
+
+Das gescannte Dokument wird in Ihrem OpenCloud-Konto gespeichert.
+
+## Dateien oder Ordner umbenennen
+
+So benennen Sie eine Datei oder einen Ordner in der OpenCloud iOS-App um:
+
+- Tippen Sie auf die drei Punkte (⋯) neben dem Element, das Sie umbenennen möchten.
+
+Klicken Sie auf das Drei-Punkte-Menü
+
+- Wählen Sie "Umbenennen" aus dem Menü
+
+Wählen Sie umbenennen
+
+- Geben Sie den neuen Namen für die Datei oder den Ordner ein
+
+Geben Sie den neuen Namen ein
+
+- Tippen Sie auf "Done", um die Änderungen zu übernehmen
+
+Tippen Sie auf fertig
+Neuer angewendeter Name
+
+Der neue Name wird sofort gespeichert.
+
+## Dateien oder Ordner verschieben
+
+So verschieben Sie eine Datei oder einen Ordner in der OpenCloud iOS-App:
+
+- Tippen Sie auf die drei Punkte (⋯) neben der Datei oder dem Ordner, die/den Sie verschieben möchten.
+
+Wählen Sie das Drei-Punkte-Menü
+
+- Wählen Sie "Ausschneiden" oder "Kopieren" aus dem Menü
+
+Wählen Sie Ausschneiden oder Kopieren
+
+- Navigieren Sie zum Zielordner.
+- Tippen Sie auf die drei Punkte (⋯) im Zielordner und wählen Sie Einfügen.
+
+Wählen Sie einfügen
+Datei ist verschoben
+
+Die Datei oder der Ordner wird jetzt am neuen Speicherort angezeigt.
+
+---
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/files-and-folders/upload-make-available-offline.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/files-and-folders/upload-make-available-offline.md
new file mode 100644
index 000000000..29a930fce
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/files-and-folders/upload-make-available-offline.md
@@ -0,0 +1,59 @@
+---
+sidebar_position: 2
+id: upload-make-available-offline
+title: Hochladen - Offline verfügbar machen
+description: Hochladen - Offline verfügbar machen
+draft: false
+---
+
+# Dateien hochladen
+
+Mit der OpenCloud iOS-App können Sie ganz einfach Dateien hochladen und offline verfügbar machen.
+
+## Gewünschten Ordner öffnen
+
+Navigieren Sie zu dem Ordner, in den Sie eine Datei hochladen möchten.
+
+## Tippen Sie oben rechts auf das "+"-Symbol
+
+Plus Symbol
+
+## Upload-Option auswählen
+
+Im Menü können Sie Folgendes auswählen:
+
+– "Datei hochladen" – Laden Sie eine Datei aus der Dateien-App Ihres Geräts hoch.
+– "Aus Ihrer Fotobibliothek hochladen" – Laden Sie ein vorhandenes Foto oder Video aus Ihrer Medienbibliothek hoch.
+
+Upload-Optionen
+
+## Auswahl bestätigen
+
+Wählen Sie die hochzuladende Datei oder das Medium aus. Der Upload startet automatisch.
+
+## Dateien offline verfügbar machen
+
+Sie können Dateien auch offline verfügbar machen, sodass sie auch ohne Internetverbindung zugänglich sind.
+
+- Tippen Sie auf die drei Punkte (⋯) neben der Datei
+
+Offline verfügbar machen
+
+- Wählen Sie "Offline verfügbar machen" aus
+
+Die Datei wird heruntergeladen und lokal auf Ihrem Gerät gespeichert.
+
+Offline verfügbar machen
+
+- Offlinedateien sind mit einem Wolkensymbol mit Häkchen gekennzeichnet.
+
+Offline verfügbar machen
+
+## Offline-Verfügbarkeit entfernen
+
+So geben Sie Speicherplatz frei:
+
+- Tippen Sie erneut auf die drei Punkte (⋯) einer Offline-Datei.
+- Wählen Sie "Offline-Zugriff entfernen".
+
+Mit diesen Funktionen sind Sie immer vorbereitet – auch wenn Sie offline sind!
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/installation.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/installation.md
new file mode 100644
index 000000000..eaca3ce50
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/installation.md
@@ -0,0 +1,35 @@
+---
+sidebar_position: 1
+id: installation
+title: Installieren der iOS App
+description: Installieren der iOS App
+draft: false
+---
+
+# 📱 Installieren der iOS-App
+
+## App Store
+
+Öffnen Sie den App Store auf Ihrem iPhone oder iPad
+
+## OpenCloud
+
+Suchen Sie nach "OpenCloud" oder klicken Sie direkt auf den folgenden Link:
+
+[OpenCloud im App Store](https://apps.apple.com/de/app/opencloud-your-data-anywhere/id6743121005)
+
+iOS Installation
+
+## Installieren
+
+Tippen Sie auf "Laden", um die App zu installieren
+
+## App Icon
+
+Nach der Installation finden Sie die OpenCloud App auf Ihrem Home-Bildschirm
+
+icon
+
+## Einrichten
+
+Öffnen Sie die App und folgen Sie den Anweisungen zur Einrichtung
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/overview/account-fileslist.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/overview/account-fileslist.md
new file mode 100644
index 000000000..a30ed2e0b
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/overview/account-fileslist.md
@@ -0,0 +1,53 @@
+---
+sidebar_position: 2
+id: account-fileslist
+title: Dateilisten-Menü
+description: Dateilisten-Menü
+draft: false
+---
+
+# Überblick über die Benutzeroberfläche
+
+In diesem Abschnitt werden die zentralen Elemente der Benutzeroberfläche der OpenCloud iOS-App und deren Funktionen erklärt.
+
+Dateiliste-Übersicht
+
+## 1. Konto-Menü
+
+Bietet Zugriff auf die Kontoeinstellungen.
+
+## 2. Navigationsverlauf
+
+Ermöglicht das Zurück- und Vorwärtsnavigieren durch zuvor besuchte Ansichten oder Ordner.
+
+## 3. Suche
+
+Ermöglicht die Suche nach Dateien, Ordnern oder geteilten Inhalten innerhalb der App.
+
+## 4. Hinzufügen-Schaltfläche
+
+Öffnet Optionen zum Hochladen von Dateien, Erstellen von Ordnern oder Hinzufügen neuer Inhalte.
+
+## 5. Drei-Punkte-Menü
+
+Zeigt zusätzliche Aktionen oder Einstellungen zur aktuellen Ansicht oder zum aktuellen Element an.
+
+## 6. Sortierung
+
+Ermöglicht das Sortieren von Dateien nach Name, Datum, Größe oder anderen Kriterien.
+
+## 7. Ansichtsmodus
+
+Ermöglicht das Umschalten zwischen verschiedenen Ansichtsmodi.
+
+## 8. Auswahlmodus
+
+Aktiviert den Mehrfachauswahlmodus, um mehrere Dateien oder Ordner gleichzeitig auszuwählen.
+
+## 9. Dateiliste
+
+Zeigt den Inhalt des aktuellen Ordners als Liste von Dateien und Ordnern an.
+
+## 10. Breadcrumb-Menü
+
+Zeigt den aktuellen Ordnerpfad an und ermöglicht die schnelle Navigation zu übergeordneten Ordnern.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/overview/account-overview.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/overview/account-overview.md
new file mode 100644
index 000000000..9745f2443
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/overview/account-overview.md
@@ -0,0 +1,56 @@
+---
+sidebar_position: 1
+id: account-overview
+title: Account-Menü
+draft: false
+---
+
+# Kontomenü
+
+In der iOS-App bietet das Kontomenü Zugriff auf verschiedene persönliche und freigabebezogene Funktionen.
+
+Dateiübersicht
+
+## 1. Kontomenüeintrag
+
+Öffnet die Hauptoptionen und Einstellungen des Kontos.
+
+## 2. Aktives Konto
+
+Zeigt an, welches Benutzerkonto derzeit aktiv ist.
+
+## 3. Persönlicher Bereich
+
+Bietet Zugriff auf die persönlichen Dateien und Ordner der nutzenden Person.
+
+## 4. Freigaben
+
+Zeigt Dateien und Ordner, die mit anderen geteilt wurden oder empfangen wurden.
+
+## 5. Spaces
+
+Öffnet eine Liste kollaborativer Bereiche oder Teamordner.
+
+## 6. Suche
+
+Ermöglicht die Suche nach Dateien, Ordnern und Inhalten.
+
+## 7. Zuletzt verwendet
+
+Zeigt eine Liste der zuletzt geöffneten oder bearbeiteten Dateien.
+
+## 8. Offline verfügbar
+
+Zeigt Dateien an, die für den Offline-Zugriff markiert wurden.
+
+## 9. Status
+
+Zeigt den aktuellen Synchronisations- oder Verbindungsstatus an.
+
+## 10. Konto hinzufügen
+
+Ermöglicht das Hinzufügen eines neuen Kontos zur App.
+
+## 11. Einstellungen
+
+Öffnet die allgemeinen Einstellungen und Konfigurationsoptionen.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/set-up.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/set-up.md
new file mode 100644
index 000000000..ed0655a9e
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/set-up.md
@@ -0,0 +1,50 @@
+---
+sidebar_position: 2
+id: set-up
+title: Einrichten der OpenCloud iOS App
+description: Einrichten deines OpenCloud Accounts
+draft: false
+---
+
+# 🔐 Einrichten deines OpenCloud Accounts
+
+Nachdem du die App installiert hast, kannst du deinen OpenCloud Account einrichten.
+
+## S tarte die Einrichtung
+
+- Tippe auf „Start setup“, um zu beginnen.
+- Wenn du bereits einen Account eingerichtet hast und einen weiteren hinzufügen möchtest, tippe auf das „+“-Symbol unten links auf dem Bildschirm.
+
+Einrichtung starten
+Zusätzlichen Account hinzufügen
+
+## Server-URL eingeben
+
+- Gib die URL deines OpenCloud Servers ein (z. B. `https://cloud.beispiel.de`)
+- Tippe auf „Proceed“, um fortzufahren.
+
+Server-URL eingeben
+
+## Login Seite öffnen
+
+- Tippe auf „Open login page“
+- Tippe anschließend auf „Fortfahren“, um die Anmeldeseite im Browser zu starten
+
+Login-Seite öffnen
+Anmeldung fortsetzen
+
+## Anmelden und Zugriff erlauben
+
+- Melde dich mit deinen OpenCloud Zugangsdaten an
+- Erlaube der App den Zugriff auf deine Benutzerinformationen und die kontinuierliche Anmeldung
+
+Zugangsdaten eingeben
+Zugriff gewähren
+
+## Einrichtung abschließen
+
+- Nach erfolgreicher Anmeldung wird dein Account in der App hinzugefügt
+- Optional kannst du deinem Account einen benutzerdefinierten Anzeigenamen geben
+ (Standardmäßig erscheint er als `BENUTZERNAME@DEINE.DOMAIN`)
+
+Benutzerdefinierter Name
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/settings.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/settings.md
new file mode 100644
index 000000000..76d9d0465
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/general/settings.md
@@ -0,0 +1,103 @@
+---
+sidebar_position: 4
+id: settings
+title: Einstellungen
+description: Einstellungen der iOS App
+draft: false
+---
+
+# Einstellungen
+
+In den iOS-App Einstellungen können Änderungen vorgenommen werden wie z.B
+
+ - Benutzeroberfläche
+ - Datennutzung
+ - erweiterte Einstellungen
+ - Mediadateien
+ und mehr
+
+Einstellungen
+
+## Userinterface
+
+### 1. Theme
+
+Hier kann ausgewählt werden, ob man die App im "Light-" oder "Darkmode" betreiben möchte.
+
+### 2. Sucheinstellungen
+
+Hier kann man einstellen, wo die Suchfunktion agieren soll:
+
+- Ordner
+- Baum
+- Space
+- Account
+- Server
+
+### 3. Logging
+
+Hier kann die Loggingfunktion aktiviert und deaktiviert werden, sowie der Speicherort des Logfiles angegeben werden.
+
+## Data Usage
+
+### 4. Mobile Datennutzung
+
+Hier kann eingestellt werden, ob die App mit mobilen Daten genutzt werden kann oder nicht.
+
+### 5. Löschen von nicht verwendeten lokalen Kopien
+
+Hier kann eingestellt werden, wann nicht genutzte lokale Kopien gelöscht werden sollen.
+
+## Advanced Settings
+
+### 6. Anzeigen von versteckten Dateien und Ordnern
+
+Hier kann das Anzeigen von verstecken Dateien und Ordnern aktiviert und deaktiviert werden.
+
+### 7. Zeige Ordner oben
+
+Hier kann man einstellen, ob die Ordner in der Listenansicht vor den Dateien angezeigt werden sollen.
+
+### 8. Gesten deaktivieren
+
+Hier kann die Gestensteuerung deaktiviert werden, um Mehfachauswahl und das Ziehen von Dateien und Ordnern zu verhindern.
+
+### 9. Diagnose aktivieren
+
+Hier kann ausgewählt werden, ob die App im Hintergrund Diagnosen ausführen darf.
+
+## Media Files
+
+### 10. Herunterladen anstelle von streamen
+
+Hier kann eingestellt werden, ob eine Datei direkt heruntergeladen oder gestreamt werden soll.
+
+### 11. Medien hochladen
+
+Hier kann man einstellen, ob z.B. bestimmte Dateien beim hochladen konvertiert werden sollen, wie HEIC zu JPEG.
+
+## More
+
+### 12. Hilfe und Kontakt
+
+Hier findet man Links zu unserer Dokumentaionsseite und Hilfelinks.
+
+### 13. Einem Freund empfehlen
+
+Hier kann man einen Link zum Download der iOS-App weiterleiten.
+
+### 14. Datenschutzrichtlinie
+
+Hier findet man einen vollständigen Eintrag zu unseren Datenschutzrichtlinien.
+
+### 15. Nutzungsbedingungen
+
+Hier findet man einen vollständigen Eintrag zu unseren Nutzungsbedingen.
+
+### 16. Anerkennungen
+
+Teile der App können urheberrechtlich geschütztes Material verwenden, dessen Verwendung hier anerkannt wird.
+
+### 17. App Version
+
+Hier kann ausgelesen werden, welche App Version verwendet wird.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/choose-file-type.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/choose-file-type.png
new file mode 100644
index 000000000..0e014e283
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/choose-file-type.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/create-folder.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/create-folder.png
new file mode 100644
index 000000000..ba69d2a97
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/create-folder.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/create-new.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/create-new.png
new file mode 100644
index 000000000..c925a437a
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/create-new.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/edit-collabora.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/edit-collabora.png
new file mode 100644
index 000000000..79a870c1d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/edit-collabora.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/enter-rename.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/enter-rename.png
new file mode 100644
index 000000000..6023a359d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/enter-rename.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/file-moved.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/file-moved.png
new file mode 100644
index 000000000..df5c8fe32
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/file-moved.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/new-name-applied.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/new-name-applied.png
new file mode 100644
index 000000000..3c9a42233
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/new-name-applied.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/open-collabora.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/open-collabora.png
new file mode 100644
index 000000000..890e17a71
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/open-collabora.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/photo-saved.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/photo-saved.png
new file mode 100644
index 000000000..651c303f0
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/photo-saved.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-cut-or-copy.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-cut-or-copy.png
new file mode 100644
index 000000000..36e6376b6
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-cut-or-copy.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-paste.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-paste.png
new file mode 100644
index 000000000..55ea34e2d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-paste.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-rename.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-rename.png
new file mode 100644
index 000000000..3555bd608
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-rename.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-take-photo.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-take-photo.png
new file mode 100644
index 000000000..776241fc7
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/select-take-photo.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/take-photo.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/take-photo.png
new file mode 100644
index 000000000..9c82a0645
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/take-photo.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/tap-done.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/tap-done.png
new file mode 100644
index 000000000..cc09b6957
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/tap-done.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/three-dots-move.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/three-dots-move.png
new file mode 100644
index 000000000..5005f980f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/three-dots-move.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/three-dots.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/three-dots.png
new file mode 100644
index 000000000..f26842895
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/create-rename-move/three-dots.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/make-available-offline.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/make-available-offline.png
new file mode 100644
index 000000000..c7f66a588
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/make-available-offline.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/marked-offline.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/marked-offline.png
new file mode 100644
index 000000000..6a414eaae
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/marked-offline.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/three-dots.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/three-dots.png
new file mode 100644
index 000000000..200f2d4f1
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/three-dots.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/upload-options.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/upload-options.png
new file mode 100644
index 000000000..ee3c63a76
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/upload-options.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/upload-plus-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/upload-plus-button.png
new file mode 100644
index 000000000..f2a7ceeff
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/files-and-folders/upoload-make-available-offline/upload-plus-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/installation/icon-on-screen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/installation/icon-on-screen.png
new file mode 100644
index 000000000..a86cb5c3f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/installation/icon-on-screen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/installation/ios-installation.jpg b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/installation/ios-installation.jpg
new file mode 100644
index 000000000..70eaa1864
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/installation/ios-installation.jpg differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/overview/account.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/overview/account.png
new file mode 100644
index 000000000..ffd976234
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/overview/account.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/overview/fileslist.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/overview/fileslist.png
new file mode 100644
index 000000000..cf8773d83
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/overview/fileslist.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/date.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/date.png
new file mode 100644
index 000000000..c4a31e2bc
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/date.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/save-search.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/save-search.png
new file mode 100644
index 000000000..63f439b26
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/save-search.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-location.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-location.png
new file mode 100644
index 000000000..b2084313e
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-location.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-menue.png
new file mode 100644
index 000000000..ec300254b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-result.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-result.png
new file mode 100644
index 000000000..551f4f7b2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-result.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-symbol.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-symbol.png
new file mode 100644
index 000000000..3ecbd4991
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/search-symbol.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/searchbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/searchbar.png
new file mode 100644
index 000000000..755fa9050
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/searchbar.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/size.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/size.png
new file mode 100644
index 000000000..708f96903
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/size.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/type.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/type.png
new file mode 100644
index 000000000..72d249a63
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/search/type.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/add-additional-account.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/add-additional-account.png
new file mode 100644
index 000000000..e3ecc6c06
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/add-additional-account.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/continue-sign-in.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/continue-sign-in.png
new file mode 100644
index 000000000..ebe6f25a4
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/continue-sign-in.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/custom-name.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/custom-name.png
new file mode 100644
index 000000000..056a6225f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/custom-name.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/enter-credentials.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/enter-credentials.png
new file mode 100644
index 000000000..bb31e743b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/enter-credentials.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/enter-server-url.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/enter-server-url.png
new file mode 100644
index 000000000..90af12a67
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/enter-server-url.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/grant-access.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/grant-access.png
new file mode 100644
index 000000000..1f36079e8
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/grant-access.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/open-login-page.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/open-login-page.png
new file mode 100644
index 000000000..195e33502
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/open-login-page.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/start-setup.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/start-setup.png
new file mode 100644
index 000000000..69ab090f6
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/set-up/start-setup.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/settings/einstellungen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/settings/einstellungen.png
new file mode 100644
index 000000000..93fc10aba
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/settings/einstellungen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/choose-invites.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/choose-invites.png
new file mode 100644
index 000000000..0a632fc7d
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/choose-invites.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-button.png new file mode 100644 index 000000000..a4ae9d18f Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-menue.png new file mode 100644 index 000000000..13c5854a7 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-menue.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-option.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-option.png new file mode 100644 index 000000000..d5f398baf Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/invite-option.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/permissions.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/permissions.png new file mode 100644 index 000000000..3848f49ae Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/permissions.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/searchbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/searchbar.png new file mode 100644 index 000000000..f7aa1ecf0 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/searchbar.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/shared-with.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/shared-with.png new file mode 100644 index 000000000..80566d860 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/shared-with.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/sharing-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/sharing-button.png new file mode 100644 index 000000000..cb96657d0 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/sharing-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/three-dot-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/three-dot-menue.png new file mode 100644 index 000000000..fb1ec63ec Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/invite/three-dot-menue.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/create-link-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/create-link-button.png new file mode 100644 index 000000000..9b38d54ae Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/create-link-button.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/create-link-options.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/create-link-options.png new file mode 100644 index 000000000..e126b5de6 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/create-link-options.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/created-link.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/created-link.png new file mode 100644 index 000000000..233aa0124 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/created-link.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/expiration-date.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/expiration-date.png new file mode 100644 index 000000000..33eda696c Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/expiration-date.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/link-name.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/link-name.png new file mode 100644 index 000000000..3f70f6c0b Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/link-name.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/password.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/password.png new file mode 100644 index 000000000..b6814c107 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/password.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/share-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/share-button.png new file mode 100644 index 000000000..ac909edf7 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/share-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/sharing-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/sharing-button.png new file mode 100644 index 000000000..cb96657d0 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/sharing-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/sharing-options.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/sharing-options.png new file mode 100644 index 000000000..05f86cd45 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/sharing-options.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/three-dot-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/three-dot-menue.png new file mode 100644 index 000000000..fb1ec63ec Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shares/links/three-dot-menue.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/choose-file-or-folder.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/choose-file-or-folder.png new file mode 100644 index 000000000..ff7c3266a Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/choose-file-or-folder.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/create-shortcut-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/create-shortcut-button.png new file mode 100644 index 000000000..de479b955 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/create-shortcut-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/create-shortcut.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/create-shortcut.png new file mode 100644 index 000000000..a55ff6ed3 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/create-shortcut.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/created-shortcut.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/created-shortcut.png new file mode 100644 index 000000000..ccf7a2b88 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/created-shortcut.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/pick-file-or-folder.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/pick-file-or-folder.png new file mode 100644 index 000000000..3f2a0899f Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/pick-file-or-folder.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/plus-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/plus-button.png new file mode 100644 index 000000000..d66a0b336 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/plus-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/plus-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/plus-menue.png new file mode 100644 index 000000000..9247ed80c Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/plus-menue.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/select-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/select-button.png new file mode 100644 index 000000000..18ab749bf Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/select-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/shortcut-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/shortcut-menue.png new file mode 100644 index 000000000..f65abb1d0 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/shortcut-menue.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/shortcut-name.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/shortcut-name.png new file mode 100644 index 000000000..7673f7fa5 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/shortcut-name.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/url.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/url.png new file mode 100644 index 000000000..2e455795e Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/shortcuts/url.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/plus-symbol.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/plus-symbol.png new file mode 100644 index 000000000..a8bb6ed5f Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/plus-symbol.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/search-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/search-button.png new file mode 100644 index 000000000..5893e8bae Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/search-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/search-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/search-menue.png new file mode 100644 index 000000000..3aff88663 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/search-menue.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-button.png new file mode 100644 index 000000000..8f44b7e19 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-functions.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-functions.png new file mode 100644 index 000000000..60db08662 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-functions.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-overview.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-overview.png new file mode 100644 index 000000000..0973862ff Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/spaces-overview.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/three-point-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/three-point-menue.png new file mode 100644 index 000000000..e6e214bdc Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/img/spaces/three-point-menue.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/index.md new file mode 100644 index 000000000..35d331407 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/index.md 
@@ -0,0 +1,31 @@
+---
+sidebar_position: 0
+id: ios-app-overview
+title: OpenCloud iOS App
+---
+
+# OpenCloud iOS App
+
+Die OpenCloud iOS App bietet mobilen Zugriff auf Ihre Dateien, Spaces und Freigaben auf iPhone und iPad. Sie ist für
+alltägliche Aufgaben wie Einrichtung, Suche, Teilen und das Offline-Verfügbar-Machen von Dateien ausgelegt.
+
+## In diesem Abschnitt
+
+- [Allgemeines](./general/)
+ Installieren Sie die App, führen Sie die Ersteinrichtung durch und lernen Sie die wichtigsten Bereiche und
+ Einstellungen kennen.
+
+- [Dateien und Ordner](./files-and-folders/)
+ Erstellen und bearbeiten Sie Inhalte, laden Sie Dateien hoch und machen Sie Elemente offline verfügbar.
+
+- [Spaces](./spaces.md)
+ Arbeiten Sie mit Spaces und den verfügbaren Aktionen in der iOS App.
+
+- [Suche](./search.md)
+ Finden Sie Dateien und Ordner direkt in der iOS App.
+
+- [Verknüpfungen](./shortcuts.md)
+ Erstellen Sie Verknüpfungen zu Dateien oder Weblinks.
+
+- [Freigaben](./shares/)
+ Laden Sie Personen ein und erstellen Sie Freigabelinks direkt in der iOS App.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/search.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/search.md
new file mode 100644
index 000000000..ec6a6f201
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/search.md
@@ -0,0 +1,72 @@
+---
+sidebar_position: 4
+id: search
+title: Suche
+description: Suche
+draft: false
+---
+
+# Suchfunktion
+
+Hier erklären wir, wie du die Suchfunktion in der OpenCloud iOS-App verwendest.
+
+## Suchsymbol
+
+- Klicke auf das Suchsymbol, um die Suchfunktion zu öffnen
+
+ Magnifying glass icon
+
+## Suchfunktion
+
+- Die Suchfunktion bietet verschiedene Optionen, mit denen du deine Suche eingrenzen kannst
+
+## Suchleiste
+
+- In der Suchleiste kannst du nach Datei- oder Ordnernamen suchen.
+
+ Search bar
+
+## Suchort
+
+Durch Klicken auf die Option links neben der Suchleiste kannst du festlegen, wo gesucht werden soll.
+
+- Ordner:
+ Sucht nur im aktuellen Ordner.
+- Baum:
+ Sucht im aktuellen Ordner und allen darin enthaltenen Unterordnern.
+- Space:
+ Sucht im aktuellen Space, einschließlich aller darin enthaltenen Ordner und Unterordner.
+- Konto:
+ Sucht im gesamten angemeldeten Konto, einschließlich aller Spaces, Ordner und Unterordner.
+- Server:
+ Sucht auf dem gesamten Server.
+
+ Search location
+
+## Typ
+
+- Durch Klicken auf die Option „Typ“ kannst du festlegen, nach welchem Dateityp gesucht werden soll
+
+ File type
+
+## Datum
+
+- Durch Klicken auf die Option „Datum“ kannst du den Zeitraum festlegen, in dem gesucht werden soll
+
+ Date
+
+## Größe
+
+- Durch Klicken auf die Option „Größe“ kannst du die gesuchte Dateigröße eingrenzen
+
+## Suche speichern
+
+- Durch Klicken auf das „Kreissymbol“ mit den drei Punkten kannst du die aktuelle Suche speichern
+
+ Save search
+
+## Suchergebnis
+
+- In diesem Bereich werden die Suchergebnisse angezeigt
+
+ Search results
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shares/invite.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shares/invite.md
new file mode 100644
index 000000000..14cf488c3
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shares/invite.md
@@ -0,0 +1,62 @@
+---
+sidebar_position: 1
+id: invite
+title: Einladen zum Teilen
+description: Einladen zum Teilen
+draft: false
+---
+
+# Dateien und Ordner mit Personen und Gruppen per Einladung teilen
+
+Hier erklären wir, wie man in der OpenCloud iOS-App, Dateien und Ordner per Einladung mit anderen Personen und Gruppen innerhalb der eigenen OpenCloud teilt
+
+## Drei-Punkte-Menü
+
+- Klicken Sie auf das "Drei-Punkte-Menü" neben der Datei oder Ordner
+
+Drei-Punkte-Menü
+
+## Teilen
+
+- Wählen Sie nun den Menüpunkt "Sharing" aus
+
+Teilen
+
+## Teilen mit
+
+- In der folgenden Auswahl klicken Sie auf "invite"
+
+Teilen mit
+
+## Teilen Menü
+
+- Es öffnet sich das Teilen Menü, in dem Sie über die Suchleiste nach Personen oder Gruppen suchen können, die Sie einladen möchten
+
+Teilen mit Menü
+Suchleiste
+Auswahl Personen und/oder Gruppen
+
+## Berechtigungen
+
+- Hier können Sie auswählen welche Berechtiigungen Personen und Gruppen haben sollen:
+
+Berechtigungen
+
+ - Viever:
+ Personen können die Inhalte nur anzeigen und herunterladen, jedoch nicht bearbeiten, erstellen oder hochladen.
+ - Editor:
+ Personen können die Inhalte anzeigen, herunterladen, Dateien hochladen, bearbeiten und erstellen.
+ - Custom:
+ Hier können die Berechtigungen individuell gewählt werden.
+
+## Einladen
+
+- Um den Link nun zu erstellen müssen Sie auf "Invite" klicken
+
+Einladen
+
+## Link erstellt
+
+- Wenn die Einladung erstellt ist, sehen Sie diese in der Datei- oder Ordnerübersicht
+
+geteilt mit
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shares/links.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shares/links.md
new file mode 100644
index 000000000..8b90ab8bf
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shares/links.md
@@ -0,0 +1,81 @@
+---
+sidebar_position: 2
+id: links
+title: Per Link teilen
+description: Per Link teilen
+draft: false
+---
+
+# Dateien und Ordner per Link teilen
+
+Hier erklären wir, wie man in der OpenCloud iOS-App Dateien und Ordner per Link mit anderen teilen kann.
+
+## Drei-Punkte-Menü
+
+- Tippe auf das Drei-Punkte-Menü neben der Datei oder dem Ordner
+
+ Drei-Punkte-Menü
+
+## Teilen
+
+- Wähle nun den Menüpunkt „Share“ aus
+
+ Teilen
+
+## Link erstellen
+
+- Klicke in der folgenden Auswahl auf „Create Link“
+
+ Link erstellen
+
+## Optionen
+
+- Hier kannst du mehrere Optionen für den zu erstellenden Link auswählen und festlegen
+
+ Übersicht Link-Menü
+
+## Linkname
+
+- Gib hier einen Namen für deinen Link ein
+
+ Linkname
+
+## Linkfunktionen
+
+- Hier kannst du auswählen, welche Funktion dein Link haben soll:
+
+ Freigabeoptionen
+ - Personen einladen:
+ Nur eingeladene Personen haben Zugriff auf den Link und dessen Inhalt.
+ - Kann anzeigen:
+ Personen können den Inhalt des Links nur ansehen und herunterladen, aber nicht bearbeiten, erstellen oder hochladen.
+ - Kann hochladen:
+ Personen können den Inhalt des Links ansehen und Dateien hochladen, aber nicht bearbeiten oder erstellen.
+ - Kann verwalten:
+ Personen können Dateien ansehen, herunterladen und hochladen, aber nicht bearbeiten oder erstellen.
+ - Kann bearbeiten:
+ Personen können den Inhalt des Links ansehen, herunterladen, hochladen, bearbeiten und erstellen.
+
+## Passwort
+
+- Hier musst du ein Passwort eingeben. Du kannst eines selbst wählen oder automatisch generieren lassen
+
+ Passwort
+
+## Verfügbarkeitszeitraum
+
+- Hier kannst du einen Zeitraum festlegen, für den der Link verfügbar sein soll
+
+ Ablaufdatum des Links
+
+## Erstellen
+
+- Um den Link zu erstellen, musst du nun auf „Share“ klicken
+
+ Teilen
+
+## Erstellt Link
+
+- Sobald der Link erstellt wurde, wird er mit dem vergebenen Namen in der Datei- oder Ordnerübersicht angezeigt
+
+ Erstellter Link
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shortcuts.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shortcuts.md
new file mode 100644
index 000000000..410a17b53
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/shortcuts.md
@@ -0,0 +1,67 @@
+---
+sidebar_position: 5
+id: shortcuts
+title: Verlinkungen in der OpenCloud iOS App
+description: Verlinkungen in der OpenCloud iOS App
+draft: false
+---
+
+# Shortcut in der OpenCloud iOS-App
+
+Hier zeigen wir dir, wie du Shortcuts in der iOS-App erstellst.
+
+## „+“-Symbol
+
+- Tippe auf das „+“-Symbol
+
+ Plus symbol
+
+## Drop-down-Menü
+
+- Es öffnet sich ein Drop-down-Menü
+
+ Drop-down menu
+
+## Shortcut erstellen
+
+- Wähle „Shortcut erstellen“ aus
+
+ Select create shortcut
+
+## Shortcut-Optionen
+
+- Es öffnet sich ein Menü mit Optionen für Shortcuts
+
+ Shortcut menu
+
+## URL
+
+- Um einen Shortcut zu einer Website zu erstellen, gib unter „URL“ die Adresse der Website ein
+
+ URL
+
+## Dateien und Ordner auswählen
+
+- Um einen Shortcut zu einer Datei oder einem Ordner in OpenCloud zu erstellen, tippe auf die Option „Datei oder Ordner auswählen“
+
+ Select file or folder option
+ Select file or folder
+ Select
+
+## Shortcut-Name
+
+- Gib hier einen Namen für den Shortcut ein, unter dem er angezeigt werden soll
+
+ Name of the shortcut
+
+## Erstellen-Button
+
+- Tippe auf „Shortcut erstellen“, um den Shortcut zu erstellen
+
+ Create shortcut
+
+## Erstellter Shortcut
+
+- Dein erstellter Shortcut wird nun angezeigt und kann verwendet werden
+
+ Shortcut
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/spaces.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/spaces.md
new file mode 100644
index 000000000..ca5aa5960
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/ios-app/spaces.md
@@ -0,0 +1,75 @@
+---
+sidebar_position: 6
+id: spaces
+title: Spaces
+description: Spaces in OpenCloud iOS app
+draft: false
+---
+
+# Der Bereich „Spaces“ in der OpenCloud iOS-App
+
+Der Bereich „Spaces“ bietet einen zentralen Ort für die Zusammenarbeit in Gruppen oder Teams. In einem Space können mehrere Personen gemeinsam auf Dateien und Ordner zugreifen, Inhalte organisieren und Änderungen nachverfolgen.
+
+## Spaces-Übersicht
+
+Um die Spaces-Übersicht zu öffnen, tippe im Kontomenü auf die Schaltfläche „Spaces“.
+
+Spaces Button
+
+Anschließend erscheint die Spaces-Übersicht, in der alle Spaces aufgelistet sind, in denen du Mitglied bist oder die du selbst erstellt hast.
+
+Spaces Overview
+
+## Suchfunktion
+
+Durch Tippen auf das Suchsymbol öffnet sich das Suchmenü für Spaces.
+
+Search Function
+
+Search Menu
+
+## Funktionen innerhalb eines Spaces
+
+Durch Tippen auf das Plus-Symbol erscheinen die verfügbaren Funktionen innerhalb eines Spaces.
+
+Plus Icon
+
+Functions in Spaces
+
+## Hinzufügen-Menü
+
+Das Hinzufügen-Menü in der iOS-App ermöglicht es Nutzer\*innen, Inhalte direkt in einem Space zu erstellen oder hochzuladen.
+
+### 1. Ordner erstellen
+
+Neue Ordner erstellen, um Inhalte übersichtlich zu strukturieren.
+
+### 2. Neues Dokument
+
+Ein neues Dokument direkt im Space erstellen, ohne eine separate App zu nutzen.
+
+### 3. Dateien hochladen
+
+Dateien vom eigenen Gerät auswählen und in den Space hochladen.
+
+### 4. Aus Mediathek hochladen
+
+Auf die iOS-Fotomediathek zugreifen und Bilder oder Videos direkt in den Space laden.
+
+### 5. Foto oder Video aufnehmen
+
+Die iOS-Kamera nutzen, um Fotos oder Videos aufzunehmen und direkt in den Space hochzuladen.
+
+### 6. Shortcut erstellen
+
+Einen Shortcut zu einer Datei oder einem Ordner im Space erstellen, um schneller darauf zugreifen zu können.
+
+### 7. Dokument scannen
+
+Die Gerätekamera verwenden, um physische Dokumente zu scannen und sie direkt als PDF im Space zu speichern.
+
+## Drei-Punkte-Menü
+
+Durch Tippen auf das Drei-Punkte-Menü öffnet sich ein Pop-up-Menü, in dem du den Space offline verfügbar machen kannst.
+
+Three-Dot Menu
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/_category_.json
new file mode 100644
index 000000000..6f27be626
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Rollen",
+ "position": 9,
+ "link": {
+ "type": "doc",
+ "id": "roles-overview"
+ }
+}
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/index.md
new file mode 100644
index 000000000..e735f65fd
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/index.md
@@ -0,0 +1,21 @@
+---
+sidebar_position: 0
+id: roles-overview
+title: Rollen
+---
+
+# Rollen
+
+Dieser Abschnitt erklärt die Rollenmodelle in OpenCloud. Er behandelt allgemeine Benutzerrollen, die Berechtigungen
+innerhalb von Spaces und die Zugriffsebenen, die beim Teilen von Dateien und Ordnern vergeben werden können.
+
+## In diesem Abschnitt
+
+- [Benutzerrollen](./user-roles.md)
+ Erfahren Sie mehr über die verfügbaren Benutzerrollen in OpenCloud, darunter Admin, Space Admin, User und User Light.
+
+- [Space-Rollen](./space-roles.md)
+ Verstehen Sie die Berechtigungen innerhalb eines Space, darunter Kann ansehen, Kann bearbeiten und Kann verwalten.
+
+- [Freigaberollen](./share-roles.md)
+ Prüfen Sie die Zugriffsebenen, die beim Teilen von Dateien und Ordnern verfügbar sind.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/share-roles.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/share-roles.md
new file mode 100644
index 000000000..3307c6f6b
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/share-roles.md
@@ -0,0 +1,42 @@
+---
+sidebar_position: 3
+id: share-roles
+title: Rollen beim Teilen
+description: Rollen beim Teilen in OpenCloud
+draft: false
+---
+
+# Rollen beim teilen in OpenCloud
+
+| Rolle | anzeigen | herunterladen | hochladen | bearbeiten | erstellen | löschen | nur doc, img, pdf mit Wasserzeichen anzeigen |
+| :--------------------- | :------: | :-----------: | :-------: | :--------: | :-------: | :-----: | :------------------------------------------: |
+| kann anzeigen (geheim) | - | - | - | - | - | - | x |
+| kann anzeigen | x | x | - | - | - | - | - |
+| kann hochladen | x | x | x | - | - | - | - |
+| kann bearbeiten | x | x | x | x | x | x | - |
+
+## Space-Mitglieder-Rollen und -Rechte
+
+In einem Space können Mitglieder verschiedene Rollen haben, die bestimmen, was sie mit gemeinsamen Dateien und Ordnern tun können.
+
+### Kann ansehen (sicher)
+
+- Sie können nur Dokumente, Bilder und PDFs anzeigen.
+- Die Dateien werden mit einem Wasserzeichen versehen.
+- Das Herunterladen ist nicht erlaubt.
+
+### Kann anzeigen
+
+- Sie können Dateien und Ordner anzeigen und herunterladen.
+- Keine Einschränkungen beim Herunterladen.
+
+### Kann hochladen
+
+- Sie können Dateien und Ordner anzeigen, herunterladen und hochladen.
+
+### Kann bearbeiten
+
+- Sie können Dateien und Ordner bearbeiten, hinzufügen und löschen.
+- Voller Zugriff auf die Änderung gemeinsamer Inhalte.
+
+Jede Rolle gibt eine andere Zugriffsstufe, so dass jeder Benutzer die richtigen Berechtigungen erhält!
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/space-roles.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/space-roles.md
new file mode 100644
index 000000000..443e494d3
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/space-roles.md
@@ -0,0 +1,42 @@
+---
+sidebar_position: 2
+id: space-roles
+title: Rollen für Spaces
+---
+
+# Rollen für Spaces in OpenCloud
+
+| Role | anzeigen | herunterladen | hochladen | bearbeiten | erstellen | löschen | Mitglieder verwalten | deaktivieren / aktivieren Space | Quota bearbeiten | Space löschen |
+| :-------------- | :------: | :-----------: | :-------: | :--------: | :-------: | :-----: | :------------------: | :-----------------------------: | :--------------: | :-----------: |
+| Kann anzeigen | x | x | - | - | - | - | - | - | - | - |
+| Kann bearbeiten | x | x | x | x | x | x | - | - | - | - |
+| Kann verwalten | x | x | x | x | x | x | x | x | x | x |
+
+## Space Rollen und Berechtigungen
+
+In einem Space können Mitglieder verschiedene Rollen haben, die ihnen unterschiedliche Zugriffsebenen geben.
+
+### Kann anzeigen
+
+Mit dieser Rolle kann das Mitglied Dateien im Space ansehen und herunterladen, aber keine Änderungen vornehmen, keine Dateien und Ordner hochladen oder neue erstellen.
+
+### Kann bearbeiten
+
+Mit dieser Rolle kann das Mitglied alles tun, was ein „Can View“-Mitglied tun kann, plus:
+
+- Dateien in den Space hochladen
+- Hinzufügen von neuen Dateien und Ordnern
+- Löschen von Dateien und Ordnern, einschließlich ihrer Historie
+- Gelöschte Dateien wiederherstellen
+
+### Kann verwalten
+
+Diese Rolle verleiht dem Mitglied alle Fähigkeiten von „Kann bearbeiten“, plus:
+
+- Hinzufügen oder Entfernen von Mitgliedern aus dem Space
+- Ändern der Rollen anderer Mitglieder im Space
+- Aktivieren und Deaktivieren des Spaces
+- Bearbeiten der Quote des Spaces
+- Löschen des Spaces
+
+Jede Rolle bestimmt, was ein Mitglied innerhalb des Spaces tun kann!
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/user-roles.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/user-roles.md
new file mode 100644
index 000000000..11289190b
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/roles/user-roles.md 
@@ -0,0 +1,73 @@
+---
+sidebar_position: 1
+id: user-roles
+title: Rollen für Nutzer
+---
+
+# Nutzerrollen in OpenCloud
+
+| Rolle | Persönlicher Space | Spaces erstellen | Spaces verwalten | Nutzer und Gruppen verwalten |
+| :---------------- | :----------------: | :--------------: | :--------------: | :--------------------------: |
+| Administrator | x | x | x | x |
+| Space Manager/-in | x | x | x | - |
+| Person | x | - | x | - |
+| User Light | - | - | x | - |
+
+## Administrator
+
+Die Administrator-Rolle in OpenCloud hat die gleichen Fähigkeiten wie ein Space-Administrator, verfügt aber zusätzlich über spezielle Berechtigungen zur Verwaltung von Benutzern, Gruppen und Systemeinstellungen.
+Allerdings haben Administratoren keinen direkten Zugriff auf Space-Daten oder die Möglichkeit, Benutzer zu Spaces hinzuzufügen, für die sie nicht die Rolle „kann verwalten“ haben. Nachfolgend sind die wichtigsten Aktionen aufgeführt, die ein Administrator durchführen kann:
+
+- Lokale Benutzer und Gruppen erstellen und löschen
+
+ Administratoren können neue lokale Benutzer hinzufügen und bestehende lokale Benutzer aus dem System entfernen.
+ Sie können auch lokale Gruppen erstellen und löschen, um Benutzer effizient zu organisieren.
+
+- Benutzer und Gruppen bearbeiten
+
+ Benutzerdetails wie Namen, E-Mail-Adressen und Rollen können geändert werden.
+ Gruppen können durch Hinzufügen oder Entfernen von Mitgliedern nach Bedarf aktualisiert werden.
+
+- Anmeldung verhindern
+
+ Falls erforderlich, können Administratoren Benutzerkonten deaktivieren und so verhindern, dass sie sich anmelden können.
+ Dies ist nützlich aus Sicherheitsgründen oder wenn ein Konto nicht mehr benötigt wird.
+
+- Spaces verwalten (ohne Zugriff auf Space-Daten)
+
+ Administratoren können Spaces verwalten, z. B. aktivieren, deaktivieren oder löschen, umbenennen oder die Quote anpassen, auch wenn sie nicht die Rolle „kann verwalten“ haben.
+ Sie können jedoch nicht auf die Dateien innerhalb eines Spaces zugreifen oder ihm Mitglieder hinzufügen.
+
+- Das Logo ändern
+
+ Das Systemlogo kann aktualisiert werden, um das Firmenbranding widerzuspiegeln.
+ Dies kann in den Admin-Einstellungen unter dem Abschnitt „Allgemein“ vorgenommen werden.
+
+## Space Manager/-in
+
+Ein Space-Administrator hat die höchste Ebene der Kontrolle über Spaces. Er kann:
+
+- Spaces erstellen und verwalten
+- in Spaces, die er nicht erstellt hat, die Rolle „Kann bearbeiten“ zugewiesen bekommen
+- Einen persönlichen Space haben, in dem er Dateien und Ordner erstellen und Daten hochladen kann
+
+## Person
+
+Ein normaler Benutzer hat Zugang zu seinem eigenen Space und kann Teil anderer Spaces sein. Er kann:
+
+- Dateien und Ordner in seinem persönlichen Space erstellen
+- Eigene Daten hochladen und verwalten
+- Als Mitglied zu einem Space hinzugefügt werden
+- Kann die Rolle „Kann bearbeiten“ in einem Space haben
+
+## User Light
+
+Ein User Light hat einen eingeschränkten Zugang und verfügt nicht über einen eigenen Space. Er kann:
+
+- Als Mitglied zu einem Space hinzugefügt werden
+- Kann die Rolle „Kann bearbeiten“ in einem Space haben
+- Er kann keine Dateien und Ordner erstellen oder Daten in einen persönlichen Space hochladen.
+
+:::note
+Wenn ein Nutzer zuvor die Rolle Person oder höher hatte und später wieder auf User Light gesetzt wird, behält er seinen persönlichen Space.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/_category_.json
new file mode 100644
index 000000000..1773e73a2
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Dateien und Ordner teilen",
+ "position": 4,
+ "link": {
+ "type": "doc",
+ "id": "sharing-overview"
+ }
+}
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/external.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/external.md
new file mode 100644
index 000000000..3c7d4e365
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/external.md
@@ -0,0 +1,51 @@
+---
+sidebar_position: 2
+id: external
+title: Extern
+description: Externes Teilen von Dateien und Ordnern in OpenCloud
+draft: false
+---
+
+# Öffentliche Links - Externes Teilen von Dateien und Ordnern in OpenCloud
+
+Öffentliche Links ermöglichen es Ihnen, Dateien und Ordner mit Personen außerhalb Ihrer Organisation zu teilen.
+
+## Schritte zum Erstellen eines öffentlichen Links
+
+- Klicken Sie mit der rechten Maustaste auf die Datei oder den Ordner oder klicken Sie auf das Drei-Punkte-Menü neben dem Namen, um das Kontextmenü zu öffnen.
+- Wählen Sie im Kontextmenü die Option „Teilen“ aus.
+
+ Teilen auswählen
+
+- Auf der rechten Seite des Bildschirms wird eine Seitenleiste geöffnet.
+ Seitenleistenfenster
+
+- Klicken Sie auf „Link hinzufügen“, um das Fenster zur Link-Konfiguration zu öffnen.
+
+ Popup-Fenster
+
+- Klicken Sie auf „Optionen“, um den Link zu konfigurieren.
+- Wählen Sie die gewünschten Zugriffsrechte für die Empfänger aus:
+ - „Kann anzeigen“:
+ Empfänger können die Datei ansehen und herunterladen, aber nicht bearbeiten oder Dateien hochladen.
+ - „Kann bearbeiten“:
+ Empfänger können die Datei ansehen, herunterladen, bearbeiten und löschen sowie Dateien in den Ordner hochladen.
+ - „Datei ablegen (geheim)“:
+ Empfänger können nur Dateien hochladen. Sie können den Inhalt weder anzeigen noch bearbeiten.
+
+ Zugriffsrechte
+
+- Geben Sie ein Passwort in das Feld unter „Passwort“ ein. Ein Passwort ist erforderlich, sofern ein Administrator die Einstellung nicht geändert hat.
+- Optional können Sie ein Ablaufdatum festlegen.
+- Nachdem Sie die Link-Optionen konfiguriert haben, klicken Sie auf „Link kopieren“, um den öffentlichen Link zu erstellen und zu kopieren.
+ Um das Passwort mit einzuschließen, öffnen Sie das Menü neben „Link kopieren“ und wählen Sie „Link und Passwort kopieren“.
+ Passwortbereich
+
+- Der Link ist jetzt erstellt und kann mit den Empfängern geteilt werden.
+ Link kopieren
+
+- Sie können den Link später bearbeiten, indem Sie auf das Drei-Punkte-Menü rechts neben dem Link klicken.
+ Dort können Sie den Link umbenennen, das Ablaufdatum ändern, das Passwort aktualisieren, das Passwort entfernen oder den Link löschen.
+ Link-Aktionen-Menü
+
+Jetzt wissen Sie, wie Sie Dateien und Ordner sicher mit externen Nutzern teilen können.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/file-drop.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/file-drop.md
new file mode 100644
index 000000000..1cde54e0d
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/file-drop.md
@@ -0,0 +1,46 @@
+---
+sidebar_position: 3
+id: file-drop
+title: File Drop
+description: File Drop (geheim)
+draft: false
+---
+
+# File Drop (geheim) - So funktioniert es
+
+File Drop ermöglicht es Personen, die einen bestimmten Link erhalten, Dateien in einen freigegebenen Ordner hochzuladen.
+Die Linkempfänger können die Dateien, die sich bereits im Ordner befinden, nicht sehen.
+
+## Einen File Drop erstellen
+
+- Klicken Sie mit der rechten Maustaste auf die Datei oder den Ordner oder klicken Sie auf das Drei-Punkte-Menü neben dem Namen, um das Kontextmenü zu öffnen.
+- Wählen Sie im Kontextmenü „Teilen“ aus.
+ Dropdown-Menü
+- Auf der rechten Seite des Bildschirms wird eine Seitenleiste geöffnet.
+ Seitenleiste
+- Suchen Sie in der Seitenleiste den Bereich „Öffentliche Links“ und klicken Sie auf „Link hinzufügen“.
+ Link hinzufügen
+- Klicken Sie auf „Optionen“, um die Linkeinstellungen zu öffnen.
+- Öffnen Sie das Dropdown-Menü für die Zugriffsrechte und wählen Sie „File Drop (geheim)“.
+ File Drop auswählen
+
+- Geben Sie ein Passwort ein und klicken Sie auf „Link kopieren“, um zu bestätigen.
+- Sie können auch ein „Ablaufdatum“ festlegen, wenn der Link ablaufen soll.
+ Passwort eingeben und Link kopieren
+- Teilen Sie den Link und das Passwort mit dem Empfänger.
+
+## Was der Empfänger macht
+
+- Der Empfänger öffnet den erhaltenen Link in einem Browser und gibt das Passwort ein. Anschließend klickt er auf „Weiter“.
+ Passwort eingeben und weiter
+- Dateien hochladen:
+ - Der File-Drop-Ordner wird geöffnet. Der Empfänger kann Dateien hochladen, ohne den vorhandenen Inhalt des Ordners zu sehen.
+ File-Drop-Bereich
+ - Unten rechts erscheint ein Pop-up-Fenster, das bestätigt, dass der Upload erfolgreich war.
+ Upload-Bestätigung
+
+:::important
+Empfänger haben keinen Zugriff auf vorhandene Dateien. Sie können nur neue Dateien hinzufügen.
+:::
+
+Jetzt wissen Sie, wie Sie einen File-Drop-Link freigeben.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/drei-punkte-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/drei-punkte-menue.png
new file mode 100644
index 000000000..2e9a0b240
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/drei-punkte-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/link-kopieren-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/link-kopieren-button.png
new file mode 100644
index 000000000..f21c219e6
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/link-kopieren-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/oeffentliche-links-popup.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/oeffentliche-links-popup.png
new file mode 100644
index 000000000..7db8c011b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/oeffentliche-links-popup.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/passwort-auswahl.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/passwort-auswahl.png
new file mode 100644
index 000000000..a8f4d358b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/passwort-auswahl.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/rechte.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/rechte.png
new file mode 100644
index 000000000..f40e52367
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/rechte.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/sidebar-fenster.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/sidebar-fenster.png
new file mode 100644
index 000000000..58aa4cda9
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/sidebar-fenster.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/teilen-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/teilen-menue.png
new file mode 100644
index 000000000..7ec536bf0
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/extern/teilen-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/drei-punkte-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/drei-punkte-menue.png
new file mode 100644
index 000000000..ee3d5d38f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/drei-punkte-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-bildschirm.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-bildschirm.png
new file mode 100644
index 000000000..d1aa6661f
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-bildschirm.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-button.png
new file mode 100644
index 000000000..54a64ff4b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-website.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-website.png
new file mode 100644
index 000000000..3be8f0f28
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/file-drop-website.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/hochladen-bestaedigung.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/hochladen-bestaedigung.png
new file mode 100644
index 000000000..3011035c3
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/hochladen-bestaedigung.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/link-hinzufuegen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/link-hinzufuegen.png
new file mode 100644
index 000000000..d3655c719
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/link-hinzufuegen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/oeffentliche-links-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/oeffentliche-links-button.png
new file mode 100644
index 000000000..69a412201
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/oeffentliche-links-button.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/passwort-popup.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/passwort-popup.png
new file mode 100644
index 000000000..ad732d48a
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/passwort-popup.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/passwort-und-link-kopieren.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/passwort-und-link-kopieren.png
new file mode 100644
index 000000000..40c747340
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/passwort-und-link-kopieren.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/sidebar-fenster.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/sidebar-fenster.png
new file mode 100644
index 000000000..d3655c719
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/sidebar-fenster.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/teilen-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/teilen-menue.png
new file mode 100644
index 000000000..0534bd1f9
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/file-drop/teilen-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/freigabe-entfernen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/freigabe-entfernen.png
new file mode 100644
index 000000000..c5be9c1fa
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/freigabe-entfernen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/mit-personen-teilen-auswahl.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/mit-personen-teilen-auswahl.png
new file mode 100644
index 000000000..847abbeee
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/mit-personen-teilen-auswahl.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/rechte-optionen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/rechte-optionen.png
new file mode 100644
index 000000000..bac87f27b
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/rechte-optionen.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/shared-with-alan.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/shared-with-alan.png
new file mode 100644
index 000000000..35c2d5dc9
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/shared-with-alan.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/sidebar-fenster.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/sidebar-fenster.png
new file mode 100644
index 000000000..86934f065
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/sidebar-fenster.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/suchleiste.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/suchleiste.png
new file mode 100644
index 000000000..a2f50b7a2
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/suchleiste.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/teilen-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/teilen-menue.png
new file mode 100644
index 000000000..28ac95130
Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/img/intern/teilen-menue.png differ
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/index.md
new file mode 100644
index 000000000..03b9f0798
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/index.md
@@ -0,0 +1,21 @@
+---
+sidebar_position: 0
+id: sharing-overview
+title: Dateien und Ordner teilen
+---
+
+# Dateien und Ordner teilen
+
+Dieser Abschnitt erklärt, wie das Teilen in OpenCloud funktioniert. Er behandelt internes Teilen mit Mitgliedern und
+Gruppen, öffentliche Links für externen Zugriff und File Drop zum Empfangen von Uploads.
+
+## In diesem Abschnitt
+
+- [Internes Teilen](./internal.md)
+ Teilen Sie Dateien und Ordner mit Mitgliedern oder Gruppen innerhalb Ihrer Organisation.
+
+- [Externes Teilen](./external.md)
+ Erstellen Sie öffentliche Links und verwalten Sie Optionen wie Berechtigungen, Passwörter und Ablaufdaten.
+
+- [File Drop](./file-drop.md)
+ Erlauben Sie externen Benutzern das Hochladen von Dateien, ohne ihnen Zugriff auf bestehende Inhalte zu geben.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/internal.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/internal.md
new file mode 100644
index 000000000..59d666be6
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/sharing/internal.md
@@ -0,0 +1,63 @@
+---
+sidebar_position: 1
+id: internal
+title: Intern
+description: Organisationsinterne Freigabe von Dateien und Ordnern in OpenCloud
+draft: false
+---
+
+# Organisationsinterne Freigabe von Dateien und Ordnern in OpenCloud
+
+Dateien und Ordner können innerhalb der Organisation mit einzelnen Mitgliedern oder Gruppen geteilt werden. Dabei können unterschiedliche Zugriffsrechte vergeben werden.
+
+## Interne Freigabe erstellen
+
+- Öffnen Sie das Drei-Punkte-Menü neben der Datei oder dem Ordner, den Sie freigeben möchten.
+
+- Wählen Sie im Kontextmenü die Option „Teilen“ aus.
+
+ Teilen auswählen
+
+- Die Seitenleiste wird auf der rechten Seite des Bildschirms geöffnet.
+
+ Seitenleiste anzeigen
+
+- Wählen Sie in der Seitenleiste den Bereich „Interne Freigabe“ aus.
+
+ Interne Freigabe auswählen
+
+- Geben Sie mindestens drei Zeichen in das Suchfeld ein, um nach Mitgliedern oder Gruppen zu suchen.
+
+ Nach Personen oder Gruppen suchen
+
+- Wählen Sie die gewünschte Person oder Gruppe aus der Vorschlagsliste aus.
+
+- Legen Sie die Zugriffsrechte fest:
+ - „Kann anzeigen“:
+ Mitglieder können die Datei oder den Ordner anzeigen und herunterladen. Sie können keine Inhalte bearbeiten oder in freigegebene Ordner hochladen.
+
+ - „Kann hochladen“:
+ Mitglieder können Inhalte anzeigen und herunterladen. Bei Ordnern können sie zusätzlich eigene Dateien hochladen.
+
+ - „Kann bearbeiten“:
+ Mitglieder können Inhalte anzeigen, herunterladen, hochladen, erstellen, bearbeiten und löschen.
+
+ Rechte auswählen
+
+- Klicken Sie auf „Teilen“, um die interne Freigabe zu erstellen.
+
+Die freigegebenen Mitglieder oder Gruppen werden anschließend im Bereich „Freigegeben mit“ angezeigt.
+
+Freigegebene Mitglieder anzeigen
+
+## Interne Freigabe entfernen
+
+Eine bestehende interne Freigabe kann jederzeit entfernt werden.
+
+- Öffnen Sie im Bereich „Freigegeben mit“ das Drei-Punkte-Menü neben der Person oder Gruppe.
+
+- Wählen Sie die Option „Freigabe entfernen“ aus.
+
+Freigabe entfernen
+
+Der Zugriff wird sofort entfernt. Die betroffene Person oder Gruppe kann danach nicht mehr über diese Freigabe auf die Datei oder den Ordner zugreifen.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/_category_.json b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/_category_.json
new file mode 100644
index 000000000..eac5ba4c7
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Im Team mit Spaces arbeiten",
+ "position": 5,
+ "link": {
+ "type": "doc",
+ "id": "spaces-overview"
+ }
+}
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/add-user.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/add-user.md
new file mode 100644
index 000000000..1a7b43997
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/add-user.md
@@ -0,0 +1,46 @@
+---
+sidebar_position: 3
+id: add-members
+title: Mitglieder hinzufügen
+description: Neue Mitglieder zu Ihrem Space in OpenCloud hinzufügen
+draft: false
+---
+
+# Neues Mitglied zu Ihrem Space in OpenCloud hinzufügen
+
+Sie können ganz einfach neue Mitglieder einladen, um in Ihrem Space zusammenzuarbeiten, indem Sie die folgenden Schritte ausführen.
+
+- Gehen Sie zu Ihrem Space und öffnen Sie das Mitglieder-Menü.
+ Mitglieder-Menü
+
+- Im Mitglieder-Menü können Sie nach dem Benutzer aus Ihrer Organisation suchen, den Sie hinzufügen möchten.
+
+ Benutzer suchen
+
+- Wählen Sie die gewünschten Rechte für das Mitglied aus, z. B. ob die Person nur lesen oder auch bearbeiten darf.
+
+ Rechte auswählen
+
+- Klicken Sie auf „Hinzufügen“, um das Mitglied in den Space einzuladen.
+
+ Mitglied hinzugefügt
+
+- Um die Rechte eines Mitglieds zu ändern, öffnen Sie das Mitglieder-Menü, klicken Sie auf den entsprechenden Benutzer und wählen Sie die gewünschten neuen Rechte aus.
+
+ Rechte ändern
+
+- Öffnen Sie das Mitglieder-Menü, klicken Sie auf das Drei-Punkte-Menü neben dem Mitglied und verwenden Sie nach Bedarf „Zugriffsdetails“, „Ablaufdatum festlegen“ oder „Mitglied entfernen“.
+
+ Mitglied entfernen
+
+:::note
+Das entfernte Mitglied verliert sofort den Zugriff auf den Space.
+:::
+
+:::important
+
+- Das hinzugefügte Mitglied hat sofortigen Zugriff auf den Space.
+- Achtung: Jeder Benutzer mit dem Recht „Kann verwalten“ hat die Berechtigung, den Space zu deaktivieren und zu löschen.
+- Ein gelöschter Space kann nicht wiederhergestellt werden, also seien Sie vorsichtig, wem Sie diese Rechte gewähren.
+
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/create.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/create.md
new file mode 100644
index 000000000..9aa160ea9
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/create.md
@@ -0,0 +1,39 @@
+---
+sidebar_position: 2
+id: create
+title: Space erstellen
+description: Spaces erstellen und Daten in OpenCloud teilen
+draft: false
+---
+
+# Spaces erstellen und Daten in OpenCloud teilen
+
+Mit Spaces können Sie Daten mit bestimmten Personen innerhalb Ihrer Organisation teilen. Alle Mitglieder eines Spaces haben den festgelegten Zugriff auf die Daten, und Sie können die Bearbeitungsrechte für jedes Mitglied individuell anpassen.
+
+## Einen neuen Space erstellen
+
+- Gehen Sie auf den Menüpunkt „Spaces“ in der linken Seitenleiste.
+
+ Space in linker Seitenleiste
+
+- Klicken Sie auf „+ Neuer Space“.
+
+ Neuer Space
+
+- Geben Sie den gewünschten Namen für den Space ein.
+
+ Space-Namen eingeben
+
+- Klicken Sie auf „Erstellen“.
+
+## Ihr neuer Space
+
+Ihr neuer Space erscheint nun unter „Spaces“ und ist bereit zur Nutzung.
+
+Erstellter Space
+
+Jetzt wissen Sie, wie Sie schnell und einfach einen Space erstellen und mit dem Teilen von Daten beginnen können.
+
+:::important
+Spaces können nur dauerhaft innerhalb Ihrer eigenen Organisation geteilt werden.
+:::
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/customize.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/customize.md
new file mode 100644
index 000000000..9e43109de
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/customize.md
@@ -0,0 +1,45 @@
+---
+sidebar_position: 8
+id: customize
+title: Spaces anpassen
+description: Einen Space in OpenCloud anpassen
+draft: false
+---
+
+# Spaces anpassen in OpenCloud
+
+Sie können einen Space entweder in der Space-Übersicht oder direkt im Space selbst anpassen.
+
+## Beschreibung bearbeiten
+
+Klicken Sie auf „Beschreibung bearbeiten“. Geben Sie Ihre Beschreibung in den sich öffnenden Texteditor ein, speichern Sie sie und schließen Sie ihn anschließend.
+
+Beschreibung erstellen
+Beschreibung Editor
+
+Die Beschreibung kann auch direkt im Space bearbeitet werden, indem Sie auf den Stift daneben klicken.
+
+## Untertitel bearbeiten
+
+Klicken Sie auf „Untertitel bearbeiten“. Geben Sie den gewünschten Untertitel in den Texteditor ein und speichern Sie ihn.
+
+Untertitel ändern
+Untertitel bearbeiten und speichern
+
+## Bild festlegen
+
+Klicken Sie auf „Bild bearbeiten“ und dann auf „Bild festlegen“. Wählen Sie im sich öffnenden Fenster das gewünschte Bild für Ihren Space aus und bestätigen Sie. Wählen Sie dann den gewünschten Ausschnitt aus und bestätigen Sie.
+
+Spacebild bearbeiten
+Spacebild zuschneiden
+Spacebild
+
+## Symbol festlegen
+
+Klicken Sie auf „Bild bearbeiten“ und dann auf „Symbol festlegen“. Wählen Sie im sich öffnenden Fenster das gewünschte Symbol für Ihren Space aus.
+
+Symbol als Spacebild Option
+Symbol Auswahl
+Symbol als Spacebild
+
+Jetzt wissen Sie, wie Sie einen Space anpassen können.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/delete.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/delete.md
new file mode 100644
index 000000000..4448e3a48
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/delete.md
@@ -0,0 +1,35 @@
+---
+sidebar_position: 6
+id: delete
+title: Einen Space löschen
+description: Einen Space in OpenCloud löschen
+draft: false
+---
+
+# Einen Space in OpenCloud löschen
+
+Bevor Sie einen Space löschen, muss er zuerst deaktiviert werden.
+
+## Space deaktivieren
+
+- Folgen Sie der Anleitung unter [Einen Space deaktivieren](./enable-disable.md), um den Space vor dem Löschen zu deaktivieren.
+
+- Wenn der Space nach der Deaktivierung nicht mehr sichtbar ist, stellen Sie sicher, dass der Filter für deaktivierte Spaces aktiviert ist, damit der Space wieder angezeigt wird.
+
+ Deaktivierte Spaces anzeigen
+
+## Space löschen
+
+- Wählen Sie den Space aus, den Sie löschen möchten, oder öffnen Sie das Kontextmenü und klicken Sie auf „Löschen“.
+
+ Space löschen in der oberen Leiste und im Kontextmenü
+
+- Bestätigen Sie, dass Sie den Space löschen möchten.
+
+ Bestätigen
+
+:::caution
+Ein gelöschter Space kann nicht wiederhergestellt werden. Stellen Sie sicher, dass vor dem Löschen keine wichtigen Daten verloren gehen.
+:::
+
+Jetzt wissen Sie, wie Sie einen Space löschen können.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/enable-disable.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/enable-disable.md
new file mode 100644
index 000000000..92d8bcfb5
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/enable-disable.md
@@ -0,0 +1,56 @@
+---
+sidebar_position: 5
+id: disable-enable
+title: Deaktivieren und Aktivieren eines Spaces
+description: Einen Space in OpenCloud deaktivieren und aktivieren
+draft: false
+---
+
+# Einen Space in OpenCloud deaktivieren und aktivieren
+
+Sie können einen Space auf verschiedene Arten deaktivieren und später wieder aktivieren. Nur ein Space-Admin oder ein Administrator kann dies tun.
+
+## Space deaktivieren
+
+- Wählen Sie den gewünschten Space aus.
+- Klicken Sie in der oberen Aktionsleiste auf „Deaktivieren“ oder öffnen Sie das Kontextmenü.
+
+ Space in der Übersicht deaktivieren
+
+- Bestätigen Sie die Deaktivierung.
+
+ Deaktivierung bestätigen
+
+- Der Space ist jetzt deaktiviert.
+
+ Deaktivierter Space
+ :::note
+ Es werden keine Daten gelöscht. Nur der Space-Admin oder der Administrator kann den Space wieder aktivieren.
+ :::
+
+## Space aktivieren
+
+- Nachdem der Space deaktiviert wurde, ersetzt die Option „Aktivieren“ nun „Deaktivieren“.
+
+ Admin general
+
+- Klicken Sie darauf, um den Space wieder zu aktivieren.
+
+- Wenn der Space nicht sichtbar ist, kann der Filter „Deaktivierte Spaces anzeigen“ aktiviert sein.
+
+ Deaktivierte Spaces anzeigen
+
+- Aktivieren Sie den Filter, damit der Space angezeigt wird und wieder aktiviert werden kann.
+
+ Space wieder verfügbar
+
+## Aktivieren durch den Administrator
+
+Ein Administrator kann einen Space auch über [Admin-Einstellungen](../admin/settings.md#spaces) aktivieren oder deaktivieren.
+
+- Öffnen Sie in den Admin-Einstellungen den Bereich „Spaces“.
+- Suchen Sie den Space, der aktiviert oder deaktiviert werden soll.
+- Öffnen Sie das Drei-Punkte-Menü und wählen Sie „Aktivieren“ oder „Deaktivieren“.
+- Bestätigen Sie die Aktion.
+
+Der Space wird dann in der Space-Übersicht im entsprechenden Zustand angezeigt.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglied-entfernen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglied-entfernen.png new file mode 100644 index 000000000..869ccc10d Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglied-entfernen.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-hinzufuegen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-hinzufuegen.png new file mode 100644 index 000000000..408c87241 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-hinzufuegen.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-menue.png new file mode 100644 index 000000000..b432745df Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-menue.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-suche.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-suche.png new file mode 100644 index 000000000..408c87241 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/mitglieder-suche.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/rechte-aendern.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/rechte-aendern.png new file mode 100644 index 000000000..74f6565fe Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/rechte-aendern.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/rechte.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/rechte.png new file mode 100644 index 000000000..408c87241 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/add-user/rechte.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/benennen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/benennen.png new file mode 100644 index 000000000..18c1deeed Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/benennen.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/linke-seitenleiste.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/linke-seitenleiste.png new file mode 100644 index 000000000..85d4e10d0 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/linke-seitenleiste.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/neuer-space.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/neuer-space.png new file mode 100644 index 000000000..b86af4acb Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/neuer-space.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/space-erstellen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/space-erstellen.png new file mode 100644 index 000000000..3d3d83cf6 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/create/space-erstellen.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/beschreibung-editor.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/beschreibung-editor.png new file mode 100644 index 000000000..93ea80876 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/beschreibung-editor.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/beschreibung-erstellen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/beschreibung-erstellen.png new file mode 100644 index 000000000..7c9428617 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/beschreibung-erstellen.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild-bearbeiten.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild-bearbeiten.png new file mode 100644 index 000000000..f4255b9c2 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild-bearbeiten.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild-zuschneiden.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild-zuschneiden.png new file mode 100644 index 000000000..10f9b2ba9 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild-zuschneiden.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild.png new file mode 100644 index 000000000..eedfc7b12 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/spacebild.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-als-spacebild-option.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-als-spacebild-option.png new file mode 100644 index 000000000..e10a2697c Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-als-spacebild-option.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-als-spacebild.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-als-spacebild.png new file mode 100644 index 000000000..4beac082e Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-als-spacebild.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-auswahl.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-auswahl.png new file mode 100644 index 000000000..cc18e010e Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/symbol-auswahl.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/untertitel-aendern.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/untertitel-aendern.png new file mode 100644 index 000000000..40029133d Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/untertitel-aendern.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/untertitel-bearbeiten.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/untertitel-bearbeiten.png new file mode 100644 index 000000000..275e2e089 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/customize/untertitel-bearbeiten.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/confirm.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/confirm.png new file mode 100644 index 000000000..57e702482 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/confirm.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/deactivate-filter.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/deactivate-filter.png new file mode 100644 index 000000000..64e7de42b Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/deactivate-filter.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/deaktivieren-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/deaktivieren-button.png new file mode 100644 index 000000000..bd6bd181a Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/deaktivieren-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/delete-top-bar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/delete-top-bar.png new file mode 100644 index 000000000..de6186c3e Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/delete-top-bar.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/einblenden.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/einblenden.png new file mode 100644 index 000000000..cb796647e Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/einblenden.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-bestaetigen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-bestaetigen.png new file mode 100644 index 000000000..0f7a062bf Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-bestaetigen.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-kontext-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-kontext-menue.png new file mode 100644 index 000000000..104e7ad9a Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-kontext-menue.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-top-bar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-top-bar.png new file mode 100644 index 000000000..3ca278ad6 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/delete/loeschen-top-bar.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/aktivieren-bestaetigen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/aktivieren-bestaetigen.png new file mode 100644 index 000000000..445799510 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/aktivieren-bestaetigen.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/aktivieren-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/aktivieren-button.png new file mode 100644 index 000000000..147fdc40c Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/aktivieren-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivieren-bestaetigen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivieren-bestaetigen.png new file mode 100644 index 000000000..de17fe0fa Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivieren-bestaetigen.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivieren-spaceuebersicht.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivieren-spaceuebersicht.png new file mode 100644 index 000000000..9bd8dff4b Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivieren-spaceuebersicht.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivierte-spaces-einblenden.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivierte-spaces-einblenden.png new file mode 100644 index 000000000..356745cd3 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/deaktivierte-spaces-einblenden.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/space-nicht-sichtbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/space-nicht-sichtbar.png new file mode 100644 index 000000000..f0932c86b Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/space-nicht-sichtbar.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/wieder-verfuegbar.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/wieder-verfuegbar.png new file mode 100644 index 000000000..4e05122e4 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/enable-disable/wieder-verfuegbar.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/hinzufuegen-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/hinzufuegen-button.png new file mode 100644 index 000000000..8adbf3496 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/hinzufuegen-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/mitglieder-rechte.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/mitglieder-rechte.png new file mode 100644 index 000000000..fe488db81 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/mitglieder-rechte.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/mitglieder-suchleiste.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/mitglieder-suchleiste.png new file mode 100644 index 000000000..a5f26e72f Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/mitglieder-suchleiste.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/space-mitglieder-menue.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/space-mitglieder-menue.png new file mode 100644 index 000000000..59ab8fdfa Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/invite-user/space-mitglieder-menue.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/bestaetigen-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/bestaetigen-button.png new file mode 100644 index 000000000..a02de7362 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/bestaetigen-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/individuelle-quota.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/individuelle-quota.png new file mode 100644 index 000000000..1cc6e8ba6 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/individuelle-quota.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/quota-aendern-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/quota-aendern-button.png new file mode 100644 index 000000000..6e6948584 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/quota-aendern-button.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/standard-quota.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/standard-quota.png new file mode 100644 index 000000000..963f509f6 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/quota/standard-quota.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/space-mit-neuem-namen.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/space-mit-neuem-namen.png new file mode 100644 index 000000000..6a844c2e3 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/space-mit-neuem-namen.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/umbenennen-button.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/umbenennen-button.png new file mode 100644 index 000000000..3cb4ad739 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/umbenennen-button.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/umbenennen-popup.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/umbenennen-popup.png new file mode 100644 index 000000000..3a701d216 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/rename/umbenennen-popup.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/alan-left.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/alan-left.png new file mode 100644 index 000000000..01e2c4179 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/alan-left.png differ 
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaces.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaces.png new file mode 100644 index 000000000..95ee417f8 Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaces.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaghetti-alan-left.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaghetti-alan-left.png new file mode 100644 index 000000000..a1ebee16c Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaghetti-alan-left.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaghetti.png b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaghetti.png new file mode 100644 index 000000000..7ba9019cc Binary files /dev/null and b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/img/why-spaces/spaghetti.png differ diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/index.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/index.md new file mode 100644 index 000000000..39c6be1f0 --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/index.md 
@@ -0,0 +1,39 @@
+---
+sidebar_position: 0
+id: spaces-overview
+title: Im Team mit Spaces arbeiten
+---
+
+# Im Team mit Spaces arbeiten
+
+Spaces sind gemeinsam genutzte Arbeitsbereiche in OpenCloud. Sie helfen Teams dabei, Inhalte zu organisieren, den
+Zugriff zu verwalten und Projekt- oder Teamdateien von persönlichen Daten zu trennen.
+
+## In diesem Abschnitt
+
+- [Warum Spaces?](./why-spaces.md)
+ Erfahren Sie, warum Spaces sich besser für Teamarbeit eignen als klassische Freigaben.
+
+- [Space erstellen](./create.md)
+ Legen Sie einen neuen Space für ein Team, ein Projekt oder eine Abteilung an.
+
+- [Mitglieder hinzufügen](./add-user.md)
+ Laden Sie Personen in einen Space ein und vergeben Sie die passenden Berechtigungen.
+
+- [Space-Quota bearbeiten](./quota.md)
+ Passen Sie die für einen Space verfügbare Speicherkapazität an.
+
+- [Space deaktivieren und aktivieren](./enable-disable.md)
+ Deaktivieren Sie einen Space vorübergehend und aktivieren Sie ihn später wieder.
+
+- [Space löschen](./delete.md)
+ Entfernen Sie einen Space endgültig, wenn er nicht mehr benötigt wird.
+
+- [Space umbenennen](./rename.md)
+ Ändern Sie den Namen eines vorhandenen Space.
+
+- [Spaces anpassen](./customize.md)
+ Aktualisieren Sie Beschreibungen, Untertitel, Bilder und Symbole für einen Space.
+
+- [Best Practice](./spaces-best-practices.md)
+ Beachten Sie empfohlene Strukturen und Namenskonventionen für Spaces.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/quota.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/quota.md
new file mode 100644
index 000000000..9d8b0d3b4
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/quota.md
@@ -0,0 +1,30 @@
+---
+sidebar_position: 4
+id: space-quota
+title: Space Quota
+description: Quota eines Spaces bearbeiten
+draft: false
+---
+
+# Quota eines Spaces bearbeiten
+
+Als Space-Administrator können Sie die Speicherkapazität (Quota) eines Spaces anpassen, um den verfügbaren Speicherplatz nach Bedarf zu erhöhen oder zu verringern.
+
+## Schritte zum Bearbeiten der Space-Quota
+
+- Wählen Sie die Option „Quota ändern“ in der Top-Bar oder im Kontextmenü.
+
+ Kontextmenü
+
+- Im sich öffnenden Fenster stehen zwei Optionen zur Verfügung:
+- Wählen Sie eine Standardgröße (z. B. 5 GB) aus dem Dropdown-Menü.
+
+ Quota auswählen
+
+- Geben Sie eine individuelle Speichergröße ein.
+
+ Quota eingeben
+
+- Klicken Sie auf „Bestätigen“, um die Änderung zu übernehmen.
+
+Die Quota des Spaces wird entsprechend der neuen Einstellungen aktualisiert.
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/rename.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/rename.md
new file mode 100644
index 000000000..aa8570f01
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/rename.md
@@ -0,0 +1,22 @@
+---
+sidebar_position: 7
+id: rename
+title: Space umbenennen
+description: Einen Space in OpenCloud umbenennen
+draft: false
+---
+
+# Einen Space in OpenCloud umbenennen
+
+Sie können einen bestehenden Space jederzeit umbenennen, damit er besser zu seinem Zweck oder Inhalt passt.
+
+- Klicken Sie im Space-Überblick auf das Drei-Punkte-Menü oder machen Sie einen Rechtsklick auf den Space und wählen Sie „Umbenennen“.
+
+ Umbenennen
+
+- Geben Sie den neuen Namen für den Space ein und bestätigen Sie.
+
+ Bestätigen
+
+- Jetzt wurde Ihr Space umbenannt.
+ Umbenannter Space
diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/spaces-best-practices.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/spaces-best-practices.md
new file mode 100644
index 000000000..175733238
--- /dev/null
+++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/spaces-best-practices.md
@@ -0,0 +1,135 @@ +--- +sidebar_position: 9 +id: best-practice +title: Best practice +description: Best Practices zur Organisation von Spaces in OpenCloud +--- + +# Best Practices zur Organisation von Spaces in OpenCloud + +Spaces sind kollaborative Bereiche, die von mehreren Nutzern verwendet +werden. Anders als persönlicher Speicher müssen sie so aufgebaut sein, +dass sie Klarheit, Zusammenarbeit und Skalierbarkeit unterstützen. +Dieser Leitfaden hilft dir dabei, Spaces gut organisiert und langfristig +nutzbar einzurichten und zu pflegen. + +## Allgemeine Grundsätze + +- Erst planen -- Behandle Spaces nicht wie spontanen Ablagespeicher. + Denke voraus. +- In Rollen und Teams denken -- Strukturiere anhand der Zusammenarbeit + von Personen. +- Skalierbarkeit beachten -- Wähle eine Struktur, die jetzt _und_ + später mit mehr Nutzern funktioniert. +- Konsistenz anwenden -- Benennung, Zugriffsrechte und Aufbau sollten + gemeinsamen Regeln folgen. + +## Ordnerstruktur: Empfohlene Muster + +### Beispiel: Familie + +```plaintext +📁 Familien-Space + ├── 📂 Dokumente + │ ├── 🧾 Versicherungen + │ └── 📑 Verträge + ├── 📂 Fotos + │ ├── 📸 2024 + │ └── 📸 2023 + └── 📂 Gemeinsame Notizen +``` + +### Schule / Kindergarten + +```plaintext +📁 2024 + ├── 📂 Klasse 3B + │ ├── 📂 Unterrichtsmaterial + │ ├── 📂 Elternkommunikation + │ ├── 📂 Hausaufgaben + │ └── 📂 Veranstaltungen & Fotos + ├── 📂 Klasse 4C + │ ├── 📂 Unterrichtsmaterial + │ ├── 📂 Elternkommunikation + │ ├── 📂 Hausaufgaben + │ └── 📂 Veranstaltungen & Fotos +``` + +### Unternehmen / Team + +```plaintext +📁 Marketing-Team + ├── 📂 Kampagnen + │ ├── 📂 Q1-2025 + │ └── 📂 Q2-2025 + ├── 📂 Vorlagen + ├── 📂 Berichte + └── 📂 Meeting-Notizen +``` + +## Namenskonventionen + +- Klare, beschreibende Namen verwenden -- vermeide „Neuer Ordner" oder + kryptische Titel +- Bevorzuge lowercase-mit-bindestrichen oder Title Case +- Relevante Daten hinzufügen: `bericht-2025-Q2.pdf` oder + `Budget 2024.xlsx` +- Sonderzeichen vermeiden: `& % $ § !` 
können Integrationen stören + +## Richtlinien für Eigentümerschaft & Zugriffe + +- Space Owner festlegen: verantwortlich für Struktur und + Berechtigungen +- Wenn möglich Gruppen für Zugriffskontrolle nutzen (z. B. `staff`, + `students`, `parents`) +- Sensible Inhalte in separate Ordner mit eingeschränktem Zugriff + auslagern +- Bearbeitungs- und Leserechte klar definieren + +## Archivierung & Aufräumen + +- Einen Archiv-Ordner für alte oder ungenutzte Dateien einrichten +- Den Space jährlich überprüfen und veraltete Inhalte entfernen +- Bei Unsicherheit Versionierung nutzen oder vor dem Löschen + exportieren + +## Häufige Stolperfallen + +| ❌ Nicht tun | ✅ Besser so | +| ------------------------------------------ | ------------------------------------------ | +| Alle Dateien im Root-Ordner ablegen | Klare Unterordner verwenden | +| Persönliche und gemeinsame Inhalte mischen | Persönliche Daten in „Persönlich" belassen | +| Allen Nutzern Vollzugriff geben | Least-Privilege-Prinzip anwenden | +| Uneinheitliche Benennungen nutzen | Konventionen definieren & einhalten | + +## Schnellstart-Vorlage zum Teilen + +Du kannst diese Vorlage für neue Spaces verwenden: + +```plaintext +📁 [Team-/Projektname] + ├── 📂 Dokumente + ├── 📂 Planung + ├── 📂 Ressourcen + ├── 📂 Archiv + └── README.md (Zweck, Struktur, Regeln des Spaces) +``` + +## Zusammenfassung + +--- + +Ziel Vorgehen + +--- + +Spaces leicht navigierbar Klare Ordnernamen & Hierarchie nutzen +machen + +Berechtigungschaos vermeiden Eigentümer und Rollen definieren + +Ordnung behalten Regelmäßig prüfen und archivieren + +Zusammenarbeit fördern Gruppenrechte & standardisierte Benennung + +--- diff --git a/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/why-spaces.md b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/why-spaces.md new file mode 100644 index 000000000..105faaead --- /dev/null +++ b/i18n/de/docusaurus-plugin-content-docs/version-7.x/user/spaces/why-spaces.md 
@@ -0,0 +1,42 @@
+---
+sidebar_position: 1
+id: why-spaces
+title: Warum Spaces?
+description: Warum man Spaces nutzen sollte
+draft: false
+---
+
+# Warum du Spaces verwenden solltest – und wie sie sich vom klassischen Teilen unterscheiden
+
+## Das Problem mit klassischem Teilen
+
+### Ein einfaches Beispiel
+
+- Alan erstellt einen Ordner mit dem Namen „Projekt“ und teilt ihn mit mehreren Personen.
+ Mitglieder-Menü
+- Später verlässt Alan die Organisation.
+- Da Alans Account gelöscht wird, verschwinden auch einige geteilte Ordner.
+- Benutzer verlieren den Zugriff auf bestimmte Ordner und deren Inhalte.
+
+ Mitglieder-Menü
+
+### Dieses Szenario zeigt mehrere Risiken auf
+
+- Potenzieller Datenverlust, wenn der ursprüngliche Eigentümer das Unternehmen verlässt
+- Projektdaten werden auf das persönliche Speicherkontingent angerechnet – ungünstig für Teamarbeit
+- Administrativer Aufwand beim Übertragen der Eigentümerschaft
+- Chaos durch „Spaghetti“-Sharing – Benutzer verlieren den Überblick in „Mit mir geteilt“ oder „Von mir geteilt“
+
+## Die Vorteile von Spaces
+
+Spaces wurden entwickelt, um diese Einschränkungen zu überwinden und eine stabilere, teamfreundlichere Lösung zu bieten:
+
+- **Organisationsgebunden:** Spaces gehören der Organisation, nicht einzelnen Personen.
+- **Gemeinsame Verwaltung:** Mehrere Benutzer können einen Space gemeinsam verwalten.
+- **Eigenes Speicherkontingent:** Jeder Space hat ein eigenes Speicherkontingent, unabhängig vom persönlichen Speicherplatz.
+
+ Mitglieder-Menü
+
+:::note
+Spaces machen Zusammenarbeit einfacher, sicherer und skalierbarer – besonders in professionellen Umgebungen.
+:::
diff --git a/versioned_docs/version-7.x/_static/env-vars/activitylog.yaml b/versioned_docs/version-7.x/_static/env-vars/activitylog.yaml
new file mode 100644
index 000000000..62c1ba3c1
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/activitylog.yaml
@@ -0,0 +1,60 @@
+# Autogenerated
+# Filename: activitylog.yaml
+
+loglevel: error
+debug:
+ addr: 127.0.0.1:9197
+ token: ""
+ pprof: false
+ zpages: false
+events:
+ endpoint: 127.0.0.1:9233
+ cluster: opencloud-cluster
+ tls_insecure: false
+ tls_root_ca_certificate: ""
+ enable_tls: false
+ username: ""
+ password: ""
+store:
+ store: nats-js-kv
+ nodes:
+ - 127.0.0.1:9233
+ database: activitylog
+ ttl: 0s
+ username: ""
+ password: ""
+ enable_tls: false
+ tls_insecure: false
+ tls_root_ca_certificate: ""
+reva_gateway: eu.opencloud.api.gateway
+grpc_client_tls: null
+http:
+ addr: 127.0.0.1:9195
+ root: /
+ cors:
+ allow_origins:
+ - '*'
+ allow_methods:
+ - GET
+ allow_headers:
+ - Authorization
+ - Origin
+ - Content-Type
+ - Accept
+ - X-Requested-With
+ - X-Request-Id
+ - Ocs-Apirequest
+ allow_credentials: true
+ tls:
+ enabled: false
+ cert: ""
+ key: ""
+token_manager:
+ jwt_secret: ""
+translation_path: ""
+default_language: en
+service_account:
+ service_account_id: ""
+ service_account_secret: ""
+write_buffer_duration: 10s
+max_activities: 6000
diff --git a/versioned_docs/version-7.x/_static/env-vars/activitylog_configvars.md b/versioned_docs/version-7.x/_static/env-vars/activitylog_configvars.md
new file mode 100644
index 000000000..22d45b0b7
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/activitylog_configvars.md
@@ -0,0 +1,42 @@
+## Environment variables for the **activitylog** service
+
+| Name | Introduction Version | Type | Description | Default Value |
+|---|---|---|---|:---|
+|`OC_LOG_LEVEL`
`ACTIVITYLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`ACTIVITYLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9197`| +|`ACTIVITYLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`ACTIVITYLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`ACTIVITYLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_PERSISTENT_STORE`
`ACTIVITYLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`ACTIVITYLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`ACTIVITYLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`activitylog`| +|`OC_PERSISTENT_STORE_TTL`
`ACTIVITYLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`ACTIVITYLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`ACTIVITYLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_ENABLE_TLS`
`ACTIVITYLOG_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`| +|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`ACTIVITYLOG_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`ACTIVITYLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9195`| +|`ACTIVITYLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`ACTIVITYLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`ACTIVITYLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| +|`OC_CORS_ALLOW_HEADERS`
`ACTIVITYLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`ACTIVITYLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`ACTIVITYLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_TRANSLATION_PATH`
`ACTIVITYLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|`en`| +|`OC_SERVICE_ACCOUNT_ID`
`ACTIVITYLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`ACTIVITYLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`ACTIVITYLOG_WRITE_BUFFER_DURATION`| 4.0.0 |Duration|`The duration to wait before flushing the write buffer. This is used to reduce the number of writes to the store.`|`10s`| +|`ACTIVITYLOG_MAX_ACTIVITIES`| 4.0.0 |int|`The maximum number of activities to keep in the store per resource. If the number of activities exceeds this value, the oldest activities will be removed.`|`6000`| diff --git a/versioned_docs/version-7.x/_static/env-vars/activitylog_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/activitylog_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/activitylog_readme.md b/versioned_docs/version-7.x/_static/env-vars/activitylog_readme.md new file mode 100755 index 000000000..ef0a0cd83 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/activitylog_readme.md 
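Review bot: The `OC_EVENTS_TLS_INSECURE` and `ACTIVITYLOG_STORE_TLS_INSECURE` rows are described as `Whether to verify the server TLS certificates.`, which reads as the opposite of what the variable name and the `false` default suggest. If `true` disables verification, as the name implies, the text should say so, for example `Disables verification of the server's TLS certificate when set to true. Do not set this in production environments.` The `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` row also refers to `NOTIFICATIONS_EVENTS_TLS_INSECURE`, which looks copied from another service; this table's own variable is `OC_EVENTS_TLS_INSECURE`. The same inverted wording appears in the antivirus table at `ANTIVIRUS_EVENTS_TLS_INSECURE`. The CORS rows document `[*]` origins together with `true` for allow-credentials as defaults, so a one-line caveat advising operators to set explicit origins would be worth adding.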
@@ -0,0 +1,54 @@ + + +## Abstract + + +The `activitylog` service is responsible for storing events (activities) per resource. + + +## Table of Contents + +* [The Log Service Ecosystem](#the-log-service-ecosystem) +* [Activitylog Store](#activitylog-store) +* [Translations](#translations) + * [Translation Rules](#translation-rules) +* [Default Language](#default-language) + +## The Log Service Ecosystem + +Log services like the `activitylog`, `userlog`, `clientlog` and `sse` are responsible for composing notifications for a specific audience. + - The `userlog` service translates and adjusts messages to be human readable. + - The `clientlog` service composes machine readable messages, so clients can act without the need to query the server. + - The `sse` service is only responsible for sending these messages. It does not care about their form or language. + - The `activitylog` service stores events per resource. These can be retrieved to show item activities + +## Activitylog Store + +The `activitylog` stores activities for each resource. It works in conjunction with the `eventhistory` service to keep the data it needs to store to a minimum. + +## Translations + +The `activitylog` service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, the `ACTIVITYLOG_TRANSLATION_PATH` environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the activitylog service, a shared storage is recommended. 
Translation files must be of type [.po](https://www.gnu.org/software/gettext/manual/html_node/PO-Files.html#PO-Files) or [.mo](https://www.gnu.org/software/gettext/manual/html_node/Binaries.html). For each language, the filename needs to be `activitylog.po` (or `activitylog.mo`) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be: + +```text +{ACTIVITYLOG_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/activitylog.po +``` + +The language code pattern is composed of `language[_territory]` where `language` is the base language and `_territory` is optional and defines a country. + +For example, for the language `de`, one needs to place the corresponding translation files to `{ACTIVITYLOG_TRANSLATION_PATH}/de_DE/LC_MESSAGES/activitylog.po`. + + + +Important: For the time being, the embedded OpenCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code `language_territory`, the web frontend does not see it as it only requests `language`. In consequence, any translations made must exist in the requested `language` to avoid a fallback to the default. + +### Translation Rules + +* If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code `de_DE` is not available, the service tries to fall back to translations in the `de` folder. +* If the base language `de` is also not available, the service falls back to the system's default English (`en`), +which is the source of the texts provided by the code. + +## Default Language + +The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description. + 
diff --git a/versioned_docs/version-7.x/_static/env-vars/antivirus.yaml b/versioned_docs/version-7.x/_static/env-vars/antivirus.yaml
new file mode 100644
index 000000000..28b354ee1
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/antivirus.yaml
@@ -0,0 +1,31 @@
+# Autogenerated
+# Filename: antivirus.yaml
+
+file: ""
+loglevel: error
+debug:
+ addr: 127.0.0.1:9277
+ token: ""
+ pprof: false
+ zpages: false
+infected-file-handling: delete
+events:
+ endpoint: 127.0.0.1:9233
+ cluster: opencloud-cluster
+ tls_insecure: false
+ tls_root_ca_certificate: ""
+ enable_tls: false
+ username: ""
+ password: ""
+workers: 10
+scanner:
+ type: clamav
+ clamav:
+ socket: /run/clamav/clamd.ctl
+ scan_timeout: 5m0s
+ icap:
+ scan_timeout: 5m0s
+ url: icap://127.0.0.1:1344
+ service: avscan
+max-scan-size: 100MB
+max-scan-size-mode: partial
diff --git a/versioned_docs/version-7.x/_static/env-vars/antivirus_configvars.md b/versioned_docs/version-7.x/_static/env-vars/antivirus_configvars.md
new file mode 100644
index 000000000..7bebe2c2a
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/antivirus_configvars.md
@@ -0,0 +1,27 @@
+## Environment variables for the **antivirus** service
+
+| Name | Introduction Version | Type | Description | Default Value |
+|---|---|---|---|:---|
+|`OC_LOG_LEVEL`
`ANTIVIRUS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`ANTIVIRUS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9277`| +|`ANTIVIRUS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`ANTIVIRUS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`ANTIVIRUS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`ANTIVIRUS_INFECTED_FILE_HANDLING`| 1.0.0 |string|`Defines the behaviour when a virus has been found. Supported options are: 'delete', 'continue' and 'abort '. Delete will delete the file. Continue will mark the file as infected but continues further processing. Abort will keep the file in the uploads folder for further admin inspection and will not move it to its final destination.`|`delete`| +|`OC_EVENTS_ENDPOINT`
`ANTIVIRUS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`ANTIVIRUS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`ANTIVIRUS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`ANTIVIRUS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`ANTIVIRUS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`ANTIVIRUS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`ANTIVIRUS_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|`10`| +|`ANTIVIRUS_SCANNER_TYPE`| 1.0.0 |ScannerType|`The antivirus scanner to use. Supported values are 'clamav' and 'icap'.`|`clamav`| +|`ANTIVIRUS_CLAMAV_SOCKET`| 1.0.0 |string|`The socket clamav is running on. Note the default value is an example which needs adaption according your OS.`|`/run/clamav/clamd.ctl`| +|`ANTIVIRUS_CLAMAV_SCAN_TIMEOUT`| 2.1.0 |Duration|`Scan timeout for the ClamAV client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|`5m0s`| +|`ANTIVIRUS_ICAP_SCAN_TIMEOUT`| 1.0.0 |Duration|`Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.`|`5m0s`| +|`ANTIVIRUS_ICAP_URL`| 1.0.0 |string|`URL of the ICAP server.`|`icap://127.0.0.1:1344`| +|`ANTIVIRUS_ICAP_SERVICE`| 1.0.0 |string|`The name of the ICAP service.`|`avscan`| +|`ANTIVIRUS_MAX_SCAN_SIZE`| 1.0.0 |string|`The maximum scan size the virus scanner can handle.0 means unlimited. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|`100MB`| +|`ANTIVIRUS_MAX_SCAN_SIZE_MODE`| 2.1.0 |MaxScanSizeMode|`Defines the mode of handling files that exceed the maximum scan size. Supported options are: 'skip', which skips files that are bigger than the max scan size, and 'truncate' (default), which only uses the file up to the max size.`|`partial`| +|`ANTIVIRUS_DEBUG_SCAN_OUTCOME`| 1.0.0 |string|`A predefined outcome for virus scanning, FOR DEBUG PURPOSES ONLY! (example values: 'found,infected')`|``| 
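Review bot: The `ANTIVIRUS_MAX_SCAN_SIZE_MODE` row names its modes as `'skip'` and `'truncate' (default)`, but the Default Value column shows `partial`, antivirus.yaml in this commit has `max-scan-size-mode: partial`, and the antivirus readme added alongside lists `partial` and `skip`. An operator who copies `truncate` from the description may configure a value the service does not recognise, so the description should name `'partial' (default)` instead. The row would also benefit from stating that in either mode content beyond `ANTIVIRUS_MAX_SCAN_SIZE` is not scanned. The `ANTIVIRUS_DEBUG_SCAN_OUTCOME` row could say explicitly that the variable must stay empty outside test setups, since it presumably replaces the real scan result. In `ANTIVIRUS_INFECTED_FILE_HANDLING` the option is printed as `'abort '` with a trailing space inside the quotes.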
diff --git a/versioned_docs/version-7.x/_static/env-vars/antivirus_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/antivirus_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/antivirus_readme.md b/versioned_docs/version-7.x/_static/env-vars/antivirus_readme.md new file mode 100755 index 000000000..82dcfb8fb --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/antivirus_readme.md 
@@ -0,0 +1,99 @@ + + +## Abstract + + +The `antivirus` service is responsible for scanning files for viruses. + + +## Table of Contents + +* [Memory Considerations](#memory-considerations) +* [Configuration](#configuration) + * [Antivirus Scanner Type](#antivirus-scanner-type) + * [Maximum Scan Size](#maximum-scan-size) + * [Antivirus Workers](#antivirus-workers) + * [Infected File Handling](#infected-file-handling) + * [Scanner Inaccessibility](#scanner-inaccessibility) +* [Operation Modes](#operation-modes) + * [Postprocessing](#postprocessing) + * [Scaling in Kubernetes](#scaling-in-kubernetes) + +## Memory Considerations + +The antivirus service can consume considerable amounts of memory. +This is relevant to provide or define sufficient memory for the deployment selected. +To avoid out of memory (OOM) situations, the following equation gives a rough overview based on experiences made. +The memory calculation comes without any guarantee, is intended as overview only and subject of change. + +`memory limit` = `max file size` x `workers` x `factor 8 - 14` + +With: +`ANTIVIRUS_WORKERS` == 1 +```plaintext + 50MB file --> factor 14 --> 700MB memory +844MB file --> factor 8,3 --> 7GB memory +``` + +## Configuration + +### Antivirus Scanner Type + +The antivirus service currently supports [ICAP](https://tools.ietf.org/html/rfc3507) and [ClamAV](http://www.clamav.net/index.html) as antivirus scanners. +The `ANTIVIRUS_SCANNER_TYPE` environment variable is used to select the scanner. +The detailed configuration for each scanner heavily depends on the scanner type selected. +See the environment variables for more details. + + - For `icap`, only scanners using the `X-Infection-Found` header are currently supported. + - For `clamav` only local sockets can currently be configured. + +### Maximum Scan Size + +Several factors can make it necessary to limit the maximum filesize the antivirus service uses for scanning. 
+Use the `ANTIVIRUS_MAX_SCAN_SIZE` environment variable to scan only a given number of bytes, +or to skip the whole resource. + +Even if it is recommended to scan the whole file, several factors like scanner type and version, +bandwidth, performance issues, etc. might make a limit necessary. + +In such cases, the antivirus max scan size mode can be handy, the following modes are available: + + - `partial`: The file is scanned up to the given size. The rest of the file is not scanned. This is the default mode `ANTIVIRUS_MAX_SCAN_SIZE_MODE=partial` + - `skip`: The file is skipped and not scanned. `ANTIVIRUS_MAX_SCAN_SIZE_MODE=skip` + +**IMPORTANT** +> Streaming of files to the virus scan service still [needs to be implemented](https://github.com/owncloud/ocis/issues/6803). +> To prevent OOM errors `ANTIVIRUS_MAX_SCAN_SIZE` needs to be set lower than available ram and or the maximum file size that can be scanned by the virus scanner. + +### Antivirus Workers + +The number of concurrent scans can be increased by setting `ANTIVIRUS_WORKERS`. Be aware that this will also increase memory usage. + +### Infected File Handling + +The antivirus service allows three different ways of handling infected files. Those can be set via the `ANTIVIRUS_INFECTED_FILE_HANDLING` environment variable: + + - `delete`: (default): Infected files will be deleted immediately, further postprocessing is cancelled. + - `abort`: (advanced option): Infected files will be kept, further postprocessing is cancelled. Files can be manually retrieved and inspected by an admin. To identify the file for further investigation, the antivirus service logs the abort/infected state including the file ID. The file is located in the `storage/users/uploads` folder of the OpenCloud data directory and persists until it is manually deleted by the admin via the [Manage Unfinished Uploads](https://github.com/opencloud-eu/opencloud/tree/main/services/storage-users#manage-unfinished-uploads) command. 
+ - `continue`: (not recommended): Infected files will be marked via metadata as infected, but postprocessing continues normally. Note: Infected Files are moved to their final destination and therefore not prevented from download, which includes the risk of spreading viruses. + +In all cases, a log entry is added declaring the infection and handling method and a notification via the `userlog` service sent. + +### Scanner Inaccessibility + +In case a scanner is not accessible by the antivirus service like a network outage, service outage or hardware outage, the antivirus service uses the `abort` case for further processing, independent of the actual setting made. In any case, an error is logged noting the inaccessibility of the scanner used. + +## Operation Modes + +The antivirus service can scan files during `postprocessing`. `on demand` scanning is currently not available and might be added in a future release. + +### Postprocessing + +The antivirus service will scan files during postprocessing. It listens for a postprocessing step called `virusscan`. This step can be added in the environment variable `POSTPROCESSING_STEPS`. Read the documentation of the [postprocessing service](https://github.com/opencloud-eu/opencloud/tree/main/services/postprocessing) for more details. + +The number of concurrent scans can be increased by setting `ANTIVIRUS_WORKERS`, but be aware that this will also increase the memory usage. + +### Scaling in Kubernetes + +In kubernetes, `ANTIVIRUS_WORKERS` and `ANTIVIRUS_MAX_SCAN_SIZE` can be used to trigger the horizontal pod autoscaler by requesting a memory size that is below `ANTIVIRUS_MAX_SCAN_SIZE`. Keep in mind that `ANTIVIRUS_MAX_SCAN_SIZE` amount of memory might be held by `ANTIVIRUS_WORKERS` number of go routines. + diff --git a/versioned_docs/version-7.x/_static/env-vars/app-provider.yaml b/versioned_docs/version-7.x/_static/env-vars/app-provider.yaml new file mode 100644 index 000000000..917bf3ac6 --- /dev/null 
+++ b/versioned_docs/version-7.x/_static/env-vars/app-provider.yaml
@@ -0,0 +1,36 @@
+# Autogenerated
+# Filename: app-provider.yaml
+
+loglevel: error
+debug:
+ addr: 127.0.0.1:9165
+ token: ""
+ pprof: false
+ zpages: false
+grpc:
+ addr: 127.0.0.1:9164
+ tls: null
+ protocol: tcp
+token_manager:
+ jwt_secret: ""
+reva:
+ address: eu.opencloud.api.gateway
+ tls:
+ mode: ""
+ cacert: ""
+external_addr: eu.opencloud.api.app-provider
+driver: ""
+drivers:
+ wopi:
+ app_api_key: ""
+ app_desktop_only: false
+ app_icon_uri: ""
+ app_internal_url: ""
+ app_name: ""
+ app_url: ""
+ app_disable_chat: false
+ insecure: false
+ wopi_server_iop_secret: ""
+ wopi_server_external_url: ""
+ wopi_folder_url_base_url: https://localhost:9200/
+ wopi_folder_url_path_template: /f/{{.ResourceID}}
diff --git a/versioned_docs/version-7.x/_static/env-vars/app-provider_configvars.md b/versioned_docs/version-7.x/_static/env-vars/app-provider_configvars.md
new file mode 100644
index 000000000..371118985
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/app-provider_configvars.md
@@ -0,0 +1,30 @@
+## Environment variables for the **app-provider** service
+
+| Name | Introduction Version | Type | Description | Default Value |
+|---|---|---|---|:---|
+|`APP_PROVIDER_SERVICE_NAME`| 1.0.0 |string|`The name of the service. This needs to be changed when using more than one app provider. Each app provider configured needs to be identified by a unique service name. Possible examples are: 'app-provider-collabora', 'app-provider-onlyoffice', 'app-provider-office365'.`|`app-provider`|
+|`OC_LOG_LEVEL`
`APP_PROVIDER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`APP_PROVIDER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9165`| +|`APP_PROVIDER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|``| +|`APP_PROVIDER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|`false`| +|`APP_PROVIDER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| +|`APP_PROVIDER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9164`| +|`OC_GRPC_PROTOCOL`
`APP_PROVIDER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`OC_JWT_SECRET`
`APP_PROVIDER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`APP_PROVIDER_EXTERNAL_ADDR`| 1.0.0 |string|`Address of the app provider, where the GATEWAY service can reach it.`|`eu.opencloud.api.app-provider`| +|`APP_PROVIDER_DRIVER`| 1.0.0 |string|`Driver, the APP PROVIDER services uses. Only 'wopi' is supported as of now.`|``| +|`APP_PROVIDER_WOPI_APP_API_KEY`| 1.0.0 |string|`API key for the wopi app.`|``| +|`APP_PROVIDER_WOPI_APP_DESKTOP_ONLY`| 1.0.0 |bool|`Offer this app only on desktop.`|`false`| +|`APP_PROVIDER_WOPI_APP_ICON_URI`| 1.0.0 |string|`URI to an app icon to be used by clients.`|``| +|`APP_PROVIDER_WOPI_APP_INTERNAL_URL`| 1.0.0 |string|`Internal URL to the app, like in your DMZ.`|``| +|`APP_PROVIDER_WOPI_APP_NAME`| 1.0.0 |string|`Human readable app name.`|``| +|`APP_PROVIDER_WOPI_APP_URL`| 1.0.0 |string|`URL for end users to access the app.`|``| +|`APP_PROVIDER_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable the chat functionality of the office app.`|`false`| +|`APP_PROVIDER_WOPI_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for requests to the WOPI server and the web office application. Do not set this in production environments.`|`false`| +|`APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET`| 1.0.0 |string|`Shared secret of the CS3org WOPI server.`|``| +|`APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL`| 1.0.0 |string|`External url of the CS3org WOPI server.`|``| +|`OC_URL`
`APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL`| 1.0.0 |string|`Base url to navigate back from the app to the containing folder in the file list.`|`https://localhost:9200/`| +|`APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE`| 1.0.0 |string|`Path template to navigate back from the app to the containing folder in the file list. Supported template variables are {{.ResourceInfo.ResourceID}}, {{.ResourceInfo.Mtime.Seconds}}, {{.ResourceInfo.Name}}, {{.ResourceInfo.Path}}, {{.ResourceInfo.Type}}, {{.ResourceInfo.Id.SpaceId}}, {{.ResourceInfo.Id.StorageId}}, {{.ResourceInfo.Id.OpaqueId}}, {{.ResourceInfo.MimeType}}`|`/f/{{.ResourceID}}`| diff --git a/versioned_docs/version-7.x/_static/env-vars/app-provider_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/app-provider_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/app-provider_readme.md b/versioned_docs/version-7.x/_static/env-vars/app-provider_readme.md new file mode 100755 index 000000000..323ba0304 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/app-provider_readme.md 
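Review bot: The `APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE` row lists its supported template variables in the form `{{.ResourceInfo.ResourceID}}`, yet the documented default is `/f/{{.ResourceID}}` (also in app-provider.yaml), which is not one of the listed forms. One of the two is probably wrong, and the row should be reconciled so that an operator customising the template starts from a variable that actually resolves. The `OC_GRPC_PROTOCOL` row spells the service `GPRC`; it should read `GRPC`. The `APP_PROVIDER_WOPI_INSECURE` row already carries the production warning that the other TLS-verification rows in this commit lack, and its wording could be reused there.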
@@ -0,0 +1,31 @@ + + +## Abstract + + +The `app-provider` service provides the CS3 App Provider API for OpenCloud. It is responsible for managing and serving applications that can open files based on their MIME types. + +The service works in conjunction with the `app-registry` service, which maintains the registry of available applications and their supported MIME types. When a client requests to open a file with a specific application, the `app-provider` service handles the request and coordinates with the application to provide the appropriate interface. + + +## Table of Contents + +* [Integration](#integration) +* [Configuration](#configuration) +* [Scalability](#scalability) + +## Integration + +The `app-provider` service integrates with: +- `app-registry` - For discovering which applications are available for specific MIME types +- `frontend` - The frontend service forwards app provider requests (default endpoint `/app`) to this service + +## Configuration + +The service can be configured via environment variables. Key configuration options include: +- `APP_PROVIDER_EXTERNAL_ADDR` - External address where the gateway service can reach the app provider + +## Scalability + +The app-provider service can be scaled horizontally as it primarily acts as a coordinator between applications and the OpenCloud backend services. + diff --git a/versioned_docs/version-7.x/_static/env-vars/app-registry.yaml b/versioned_docs/version-7.x/_static/env-vars/app-registry.yaml new file mode 100644 index 000000000..99935923b --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/app-registry.yaml 
@@ -0,0 +1,106 @@ +# Autogenerated +# Filename: app-registry.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9243 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9242 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +app_registry: + mimetypes: + - mime_type: application/pdf + extension: pdf + name: PDF + description: PDF document + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.oasis.opendocument.text + extension: odt + name: Document + description: OpenDocument text document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.oasis.opendocument.spreadsheet + extension: ods + name: Spreadsheet + description: OpenDocument spreadsheet document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.oasis.opendocument.presentation + extension: odp + name: Presentation + description: OpenDocument presentation document + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document + extension: docx + name: Microsoft Word + description: Microsoft Word document + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.form + extension: docxf + name: Form Document + description: Form Document + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet + extension: xlsx + name: Microsoft Excel + description: Microsoft Excel document + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation + extension: pptx + name: Microsoft PowerPoint + description: Microsoft PowerPoint document + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.jupyter + 
extension: ipynb + name: Jupyter Notebook + description: Jupyter Notebook + icon: "" + default_app: "" + allow_creation: false + - mime_type: text/markdown + extension: md + name: Markdown file + description: Markdown file + icon: "" + default_app: "" + allow_creation: true + - mime_type: application/compressed-markdown + extension: zmd + name: Compressed markdown file + description: Compressed markdown file + icon: "" + default_app: "" + allow_creation: false + - mime_type: application/vnd.geogebra.slides + extension: ggs + name: GeoGebra Slides + description: GeoGebra Slides + icon: "" + default_app: "" + allow_creation: false diff --git a/versioned_docs/version-7.x/_static/env-vars/app-registry_configvars.md b/versioned_docs/version-7.x/_static/env-vars/app-registry_configvars.md new file mode 100644 index 000000000..16f467391 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/app-registry_configvars.md @@ -0,0 +1,15 @@ +## Environment variables for the **app-registry** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`APP_REGISTRY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`APP_REGISTRY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9243`| +|`APP_REGISTRY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`APP_REGISTRY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`APP_REGISTRY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`APP_REGISTRY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9242`| +|`OC_GRPC_PROTOCOL`
`APP_REGISTRY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`APP_REGISTRY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/app-registry_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/app-registry_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/app-registry_readme.md b/versioned_docs/version-7.x/_static/env-vars/app-registry_readme.md new file mode 100755 index 000000000..5a3886a38 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/app-registry_readme.md 
@@ -0,0 +1,463 @@ + + +## Abstract + + +The `app-registry` service is the single point where all apps register themselves and their respective supported mime types. + +Administrators can set default applications on a per MIME type basis and also allow the creation of new files for certain MIME types. This per MIME type configuration also features a description, file extension option and an icon. + + +## Table of Contents + +* [MIME Type Configuration / Creation Allow List](#mime-type-configuration--creation-allow-list) + * [MIME Type Configuration](#mime-type-configuration) +* [Endpoint Access](#endpoint-access) + * [Listing available apps and mime types](#listing-available-apps-and-mime-types) + * [Open a File With OpenCloud Web](#open-a-file-with-opencloud-web) + * [Open a File With the App Provider](#open-a-file-with-the-app-provider) + * [Creating a File With the App Provider](#creating-a-file-with-the-app-provider) + +## MIME Type Configuration / Creation Allow List + +The apps will register their supported MIME types automatically, so that users can open supported files with them. + +Administrators can set default applications for each MIME type and also allow the creation of new files for certain mime types. This, per MIME type configuration, also features a description, file extension option and an icon. + +### MIME Type Configuration + +Modifing the MIME type config can only be achieved via a yaml configuration. Using environment variables is not possible. The following is a brief structure and a field description: + +**Structure** + +```yaml +app_registry: + mimetypes: + - mime_type: application/vnd.oasis.opendocument.spreadsheet + extension: ods + name: OpenSpreadsheet + description: OpenDocument spreadsheet document + icon: https://some-website.test/opendocument-spreadsheet-icon.png + default_app: Collabora + allow_creation: true + - mime_type: ... +``` + +**Fields** + +* `mime_type`\ +The MIME type you want to configure. 
+* `extension`\ +The file extension to be used for new files. +* `name`\ +The name of the file / MIME type. +* `description`\ +The human-readable description of the file / MIME type. +* `icon`\ +The URL to an icon which should be used for that MIME type. +* `default_app`\ +The name of the default app which opens this MIME type if the user doesn’t specify one. +* `allow_creation`\ +Whether a user should be able to create new files of that MIME type (true or false). + +## Endpoint Access + +### Listing available apps and mime types + +Clients, for example OpenCloud Web, need to offer users the available apps to open files and mime types for new file creation. This information can be obtained from this endpoint. + +**Endpoint**: specified in the capabilities in `apps_url`, currently `/app/list` + +**Method**: HTTP GET + +**Authentication**: None + +**Request example**: + +```bash +curl 'https://opencloud.test/app/list' +``` + +**Response example**: + +HTTP status code: 200 + +```json +{ + "mime-types": [ + { + "mime_type": "application/pdf", + "ext": "pdf", + "app_providers": [ + { + "name": "OnlyOffice", + "icon": "https://some-website.test/onlyoffice-pdf-icon.png" + } + ], + "name": "PDF", + "description": "PDF document" + }, + { + "mime_type": "application/vnd.oasis.opendocument.text", + "ext": "odt", + "app_providers": [ + { + "name": "Collabora", + "icon": "https://some-website.test/collabora-odt-icon.png" + }, + { + "name": "OnlyOffice", + "icon": "https://some-website.test/onlyoffice-odt-icon.png" + } + ], + "name": "OpenDocument", + "icon": "https://some-website.test/opendocument-text-icon.png", + "description": "OpenDocument text document", + "allow_creation": true, + "default_application": "Collabora" + }, + { + "mime_type": "text/markdown", + "ext": "md", + "app_providers": [ + { + "name": "CodiMD", + "icon": "https://some-website.test/codimd-md-icon.png" + } + ], + "name": "Markdown file", + "description": "Markdown file", + "allow_creation": true, + 
"default_application": "CodiMD" + }, + { + "mime_type": "application/vnd.ms-word.document.macroenabled.12", + "app_providers": [ + { + "name": "Collabora", + "icon": "https://some-website.test/collabora-word-icon.png" + }, + { + "name": "OnlyOffice", + "icon": "https://some-website.test/onlyoffice-word-icon.png" + } + ] + }, + { + "mime_type": "application/vnd.ms-powerpoint.template.macroenabled.12", + "app_providers": [ + { + "name": "Collabora", + "icon": "https://some-website.test/collabora-powerpoint-icon.png" + } + ] + } + ] +} +``` + +### Open a File With OpenCloud Web + +**Endpoint**: specified in the capabilities in `open_web_url`, currently `/app/open-with-web` + +**Method**: HTTP POST + +**Authentication** (one of them): + +- `Authorization` header with OIDC Bearer token for authenticated users or basic auth credentials (if enabled in OpenCloud) +- `X-Access-Token` header with a REVA token for authenticated users + +**Query parameters**: + +- `file_id` (mandatory): id of the file to be opened +- `app_name` (optional) + - default (not given): default app for mime type + - possible values depend on the app providers for a mimetype from the `/app/open` endpoint + +**Request examples**: + +```bash +curl -X POST 'https://opencloud.test/app/open-with-web?file_id=ZmlsZTppZAo=' + +curl -X POST 'https://opencloud.test/app/open-with-web?file_id=ZmlsZTppZAo=&app_name=Collabora' +``` + +**Response examples**: + +The URI from the response JSON is intended to be opened with a GET request in a browser. If the user has not yet a session in the browser, a login flow is handled by OpenCloud Web. + +HTTP status code: 200 + +```json +{ + "uri": "https://....." 
+} +``` + +**Example responses (error case)**: + +See error cases for [Open a file with the app provider](#open-a-file-with-the-app-provider) + +### Open a File With the App Provider + +**Endpoint**: specified in the capabilities in `open_url`, currently `/app/open` + +**Method**: HTTP POST + +**Authentication** (one of them): + +- `Authorization` header with OIDC Bearer token for authenticated users or basic auth credentials (if enabled in OpenCloud) +- `Public-Token` header with public link token for public links +- `X-Access-Token` header with a REVA token for authenticated users + +**Query parameters**: + +- `file_id` (mandatory): id of the file to be opened +- `app_name` (optional) + - default (not given): default app for mime type + - possible values depend on the app providers for a mimetype from the `/app/open` endpoint +- `view_mode` (optional) + - default (not given): highest possible view mode, depending on the file permissions + - possible values: + - `write`: user can edit and download in the opening app + - `read`: user can view and download from the opening app + - `view`: user can view in the opening app (download is not possible) +- `lang` (optional) + - default (not given): default language of the application (which might maybe use the browser language) + - possible value is any ISO 639-1 language code. Examples: + - de + - en + - es + - ... + +**Request examples**: + +```bash +curl -X POST 'https://opencloud.test/app/open?file_id=ZmlsZTppZAo=' + +curl -X POST 'https://opencloud.test/app/open?file_id=ZmlsZTppZAo=&lang=de' + +curl -X POST 'https://opencloud.test/app/open?file_id=ZmlsZTppZAo=&app_name=Collabora' + +curl -X POST 'https://opencloud.test/app/open?file_id=ZmlsZTppZAo=&view_mode=read' + +curl -X POST 'https://opencloud.test/app/open?file_id=ZmlsZTppZAo=&app_name=Collabora&view_mode=write' +``` + +**Response examples**: + +All apps are expected to be opened in an iframe and the response will give some parameters for that action. 
+ +There are apps, which need to be opened in the iframe with a form post. The form post must include all form parameters included in the response. For these apps the response will look like this: + +HTTP status code: 200 + +```json +{ + "app_url": "https://.....", + "method": "POST", + "form_parameters": { + "access_token": "eyJ0...", + "access_token_ttl": "1634300912000", + "arbitrary_param": "lorem-ipsum" + } +} +``` + +There are apps, which need to be opened in the iframe with a GET request. The GET request must have set all headers included in the response. For these apps the response will look like this: + +HTTP status code: 200 + +```json +{ + "app_url": "https://...", + "method": "GET", + "headers": { + "access_token": "eyJ0e...", + "access_token_ttl": "1634300912000", + "arbitrary_header": "lorem-ipsum" + } +} +``` + +**Example responses (error case)**: + +- missing `file_id` + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "missing file ID" + } + ``` + +- wrong `view_mode` + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "invalid view mode" + } + ``` + +- unknown `app_name` + + HTTP status code: 404 + + ```json + { + "code": "RESOURCE_NOT_FOUND", + "message": "error: not found: app 'Collabora' not found" + } + ``` + +- wrong / invalid file id + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "invalid file ID" + } + ``` + +- file id does not point to a file + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "the given file id does not point to a file" + } + ``` + +- file does not exist / unauthorized to open the file + + HTTP status code: 404 + + ```json + { + "code": "RESOURCE_NOT_FOUND", + "message": "file does not exist" + } + ``` + +- invalid language code + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "lang parameter does not contain a valid ISO 639-1 language code" + } 
+ ``` + +### Creating a File With the App Provider + +**Endpoint**: specified in the capabilities in `new_file_url`, currently `/app/new` + +**Method**: HTTP POST + +**Authentication** (one of them): + +- `Authorization` header with OIDC Bearer token for authenticated users or basic auth credentials (if enabled in OpenCloud) +- `Public-Token` header with public link token for public links +- `X-Access-Token` header with a REVA token for authenticated users + +**Query parameters**: + +- `parent_container_id` (mandatory): ID of the folder in which the file will be created +- `filename` (mandatory): name of the new file +- `template` (optional): not yet implemented + +**Request examples**: + +```bash +curl -X POST 'https://opencloud.test/app/new?parent_container_id=c2lkOmNpZAo=&filename=test.odt' +``` + +**Response example**: + +You will receive a file id of the freshly created file, which you can use to open the file in an editor. + +```json +{ + "file_id": "ZmlsZTppZAo=" +} +``` + +**Example responses (error case)**: + +- missing `parent_container_id` + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "missing parent container ID" + } + ``` + +- missing `filename` + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "missing filename" + } + ``` + +- parent container not found + + HTTP status code: 404 + + ```json + { + "code": "RESOURCE_NOT_FOUND", + "message": "the parent container is not accessible or does not exist" + } + ``` + +- `parent_container_id` does not point to a container + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "the parent container id does not point to a container" + } + ``` + +- `filename` is invalid (e.g. 
includes a path segment) + + HTTP status code: 400 + + ```json + { + "code": "INVALID_PARAMETER", + "message": "the filename must not contain a path segment" + } + ``` + +- file already exists + + HTTP status code: 403 + + ```json + { + "code": "RESOURCE_ALREADY_EXISTS", + "message": "the file already exists" + } + ``` + diff --git a/versioned_docs/version-7.x/_static/env-vars/audit.yaml b/versioned_docs/version-7.x/_static/env-vars/audit.yaml new file mode 100644 index 000000000..1c6720df6 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/audit.yaml @@ -0,0 +1,22 @@ +# Autogenerated +# Filename: audit.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9229 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +auditlog: + log_to_console: true + log_to_file: false + filepath: "" + format: json diff --git a/versioned_docs/version-7.x/_static/env-vars/audit_configvars.md b/versioned_docs/version-7.x/_static/env-vars/audit_configvars.md new file mode 100644 index 000000000..d49795b71 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/audit_configvars.md @@ -0,0 +1,20 @@ +## Environment variables for the **audit** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`AUDIT_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`AUDIT_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9229`| +|`AUDIT_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUDIT_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUDIT_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_EVENTS_ENDPOINT`
`AUDIT_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`AUDIT_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`AUDIT_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`AUDIT_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`AUDIT_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`AUDIT_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`AUDIT_LOG_TO_CONSOLE`| 1.0.0 |bool|`Logs to stdout if set to 'true'. Independent of the LOG_TO_FILE option.`|`true`| +|`AUDIT_LOG_TO_FILE`| 1.0.0 |bool|`Logs to file if set to 'true'. Independent of the LOG_TO_CONSOLE option.`|`false`| +|`AUDIT_FILEPATH`| 1.0.0 |string|`Filepath of the logfile. Mandatory if LOG_TO_FILE is set to 'true'.`|``| +|`AUDIT_FORMAT`| 1.0.0 |string|`Log format. Supported values are '' (empty) and 'json'. Using 'json' is advised, '' (empty) renders the 'minimal' format. See the text description for more details.`|`json`| diff --git a/versioned_docs/version-7.x/_static/env-vars/audit_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/audit_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/audit_readme.md b/versioned_docs/version-7.x/_static/env-vars/audit_readme.md new file mode 100755 index 000000000..1d22d217a --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/audit_readme.md 
@@ -0,0 +1,38 @@
+
+
+## Abstract
+
+
+The audit service logs all events of the system as an audit log. Per default, it will be logged to standard out, but can also be configured to a file output. Supported log formats are json or a minimal human-readable format.
+
+With audit logs, you are able to prove compliance with corporate guidelines as well as to enable reporting and auditing of operations. The audit service takes note of actions conducted by users and administrators.
+
+Example minimal format:
+```
+file_delete)
+ user 'user_id' trashed file 'item_id'
+file_trash_delete)
+ user 'user_id' removed file 'item_id' from trashbin
+```
+
+Example json:
+```
+{"RemoteAddr":"","User":"user_id","URL":"","Method":"","UserAgent":"","Time":"","App":"admin_audit","Message":"user 'user_id' trashed file 'item_id'","Action":"file_delete","CLI":false,"Level":1,"Path":"path","Owner":"user_id","FileID":"item_id"}
+{"RemoteAddr":"","User":"user_id","URL":"","Method":"","UserAgent":"","Time":"","App":"admin_audit","Message":"user 'user_id' removed file 'item_id' from trashbin","Action":"file_trash_delete","CLI":false,"Level":1,"Path":"path","Owner":"user_id","FileID":"item_id"}
+```
+
+The audit service is not started automatically when running as single binary started via `opencloud server` or when running as docker container and must be started and stopped manually on demand.
+
+The audit service logs:
+
+- File system operations
+(create/delete/move; including actions on the trash bin and versioning)
+- User management operations
+(creation/deletion of users)
+- Sharing operations
+(user/group sharing, sharing via link, changing permissions, calls to sharing API from clients)
+
+## Table of Contents
+
+
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-app.yaml b/versioned_docs/version-7.x/_static/env-vars/auth-app.yaml
new file mode 100644
index 000000000..809240439
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/auth-app.yaml
@@ -0,0 +1,60 @@ +# Autogenerated +# Filename: auth-app.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9245 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9246 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9247 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - DELETE + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +machine_auth_api_key: "" +allow_impersonation: false +storage_driver: jsoncs3 +storage_drivers: + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + password_generator: diceware + password_generator_options: + diceware: + number_of_words: 6 + randon: + password_length: 0 diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-app_configvars.md b/versioned_docs/version-7.x/_static/env-vars/auth-app_configvars.md new file mode 100644 index 000000000..96115bf95 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-app_configvars.md @@ -0,0 +1,35 @@ +## Environment variables for the **auth-app** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`AUTH_APP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`AUTH_APP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9245`| +|`AUTH_APP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_APP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_APP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| +|`AUTH_APP_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9246`| +|`OC_GRPC_PROTOCOL`
`AUTH_APP_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`AUTH_APP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9247`| +|`AUTH_APP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`AUTH_APP_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`AUTH_APP_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST DELETE]`| +|`OC_CORS_ALLOW_HEADERS`
`AUTH_APP_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`AUTH_APP_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`AUTH_APP_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| +|`OC_MACHINE_AUTH_API_KEY`
`AUTH_APP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|``| +|`AUTH_APP_ENABLE_IMPERSONATION`| 1.0.0 |bool|`Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments.`|`false`| +|`AUTH_APP_STORAGE_DRIVER`| 4.0.0 |string|`Driver to be used to persist the app tokes . Supported values are 'jsoncs3', 'json'.`|`jsoncs3`| +|`AUTH_APP_JSONCS3_PROVIDER_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`AUTH_APP_JSONCS3_SYSTEM_USER_ID`| 4.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`AUTH_APP_JSONCS3_SYSTEM_USER_IDP`| 4.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`
`AUTH_APP_JSONCS3_SYSTEM_USER_API_KEY`| 4.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`AUTH_APP_JSONCS3_PASSWORD_GENERATOR`| 4.0.0 |string|`The password generator that should be used for generating app tokens. Supported values are: 'diceware' and 'random'.`|`diceware`| +|`AUTH_APP_JSONCS3_DICEWARE_NUMBER_OF_WORDS`| 4.0.0 |int|`The number of words the generated passphrase will have.`|`6`| +|`AUTH_APP_JSONCS3_RANDOM_PASSWORD_LENGTH`| 4.0.0 |int|`The number of charactors the generated passwords will have.`|`0`| diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-app_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/auth-app_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-app_readme.md b/versioned_docs/version-7.x/_static/env-vars/auth-app_readme.md new file mode 100755 index 000000000..6d75f889e --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-app_readme.md 
@@ -0,0 +1,154 @@
+
+
+## Abstract
+
+
+The auth-app service provides authentication for 3rd party apps unable to use
+OpenID Connect. The service is enabled by default and started automatically. It
+is possible to disable the service by setting:
+
+```bash
+OC_EXCLUDE_RUN_SERVICES=auth-app # deployment specific. Removes service from the list of automatically started services, use with single-binary deployments
+PROXY_ENABLE_APP_AUTH=false # mandatory, disables app authentication. In case of a distributed environment, this envvar needs to be set in the proxy service.
+```
+
+
+## Table of Contents
+
+* [App Tokens](#app-tokens)
+* [Important Security Note](#important-security-note)
+* [Managing App Tokens](#managing-app-tokens)
+ * [Via API](#via-api)
+ * [Via Impersonation API](#via-impersonation-api)
+ * [Via CLI (developer only)](#via-cli-developer-only)
+* [Authenticating using App Tokens](#authenticating-using-app-tokens)
+
+## App Tokens
+
+App Tokens are password specifically generated to be used by 3rd party applications
+for authentication when accessing the OpenCloud API endpoints. To
+be able to use an app token, one must first create a token. There are different
+options of creating a token.
+
+## Important Security Note
+
+When using an external IDP for authentication, App Token are NOT invalidated
+when the user is disabled or locked in that external IDP. That means the user
+will still be able to use its existing App Tokens for authentication for as
+long as the App Tokes are valid.
+
+## Managing App Tokens
+
+### Via API
+
+Please note: This API is preliminary. In the future we will provide endpoints
+in the `graph` service for allowing the management of App Tokens.
+
+The `auth-app` service provides an API to create (POST), list (GET) and delete (DELETE) tokens at the `/auth-app/tokens` endpoint.
+
+* **Create a token**\
+ The POST request requires:
+ * A `expiry` key/value pair in the form of `expiry=`\
+ Example: `expiry=72h`
+ ```bash
+ curl --request POST 'https:///auth-app/tokens?expiry={value}' \
+ --header 'accept: application/json'
+ ```
+ Example output:
+ ```
+ {
+ "token": "3s2K7816M4vuSpd5",
+ "expiration_date": "2024-08-08T13:42:42.796888022+02:00",
+ "created_date": "2024-08-07T13:42:42+02:00",
+ "label": "Generated via API"
+ }
+ ```
+
+ Note, that this is the only time the app token will be returned in cleartext. To use the token
+ please copy it from the response.
+
+* **List tokens**\
+ ```bash
+ curl --request GET 'https:///auth-app/tokens' \
+ --header 'accept: application/json'
+ ```
+
+ Note that the `token` value in the response to the "List Tokens` request is not the actual
+ app token, but the UUID of the token. So this value cannot be used for authenticating
+ with the token.
+
+ Example output:
+ ```
+ [
+ {
+ "token": "155f402e-1c5c-411c-92d4-92f3b612cd99"
+ "expiration_date": "2024-08-08T13:44:31.025199075+02:00",
+ "created_date": "2024-08-07T13:44:31+02:00",
+ "label": "Generated via Impersonation API"
+ },
+ {
+ "token": "8c606bdb-e22e-4094-9304-732fd4702bc9"
+ "expiration_date": "2024-08-08T13:46:41.936052281+02:00",
+ "created_date": "2024-08-07T13:46:42+02:00",
+ "label": "Generated via Impersonation API"
+ }
+ ]
+ ```
+
+* **Delete a token**\
+ The DELETE request requires:
+ * A `token` key/value pair in the form of `token=`. The value needs to be the hashed value as returned by the `List Tokens` respone.\
+ Example: `token=8c606bdb-e22e-4094-9304-732fd4702bc9`
+ ```bash
+ curl --request DELETE 'https:///auth-app/tokens?token={value}' \
+ --header 'accept: application/json'
+ ```
+
+### Via Impersonation API
+
+When setting the environment variable `AUTH_APP_ENABLE_IMPERSONATION` to
+`true`, admins will be able to use the `/auth-app/tokens` endpoint to create
+tokens for other users.
This can be important for migration scenarios, but
+should not be considered for regular tasks on a production system for security
+reasons.
+
+To impersonate, the respective requests from the CLI commands above extend with
+the following parameters, where you can use one or the other:
+
+* The `userID` in the form of: `userID={value}`\
+ Example:\
+ `userID=4c510ada- ... -42cdf82c3d51`
+
+* The `userName` in the form of: `userName={value}`\
+ Example:\
+ `userName=alan`
+
+Example:\
+A final create request would then look like:
+```bash
+curl --request POST 'https:///auth-app/tokens?expiry={value}&userName={value}' \
+ --header 'accept: application/json'
+```
+
+### Via CLI (developer only)
+
+As the CLI is using the internal CS3Apis this needs access to the reva gateway
+service. This is mainly of developer (and admin) usage.
+Replace the `user-name` with an existing user. For the `token-expiration`, you
+can use any time abbreviation from the following list: `h, m, s`. Examples:
+`72h` or `1h` or `1m` or `1s.` Default is `72h`.
+
+```bash
+opencloud auth-app create --user-name={user-name} --expiration={token-expiration}
+```
+
+## Authenticating using App Tokens
+
+To autenticate using an App Token simply use the username for which token was generated
+and the token value as returned by the "Create Token" request.
+
+```bash
+curl -u : 'https:///graph/v1.0/me' \
+ --header 'accept: application/json'
+```
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-basic.yaml b/versioned_docs/version-7.x/_static/env-vars/auth-basic.yaml
new file mode 100644
index 000000000..f3d2897ef
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/auth-basic.yaml
@@ -0,0 +1,67 @@ +# Autogenerated +# Filename: auth-basic.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9147 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9146 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +auth_provider: ldap +auth_providers: + ldap: + uri: ldap://localhost:9236 + ca_cert: "" + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + user_scope: sub + group_scope: sub + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + login_attributes: + - uid + idp: https://localhost:9200 + disable_user_mechanism: attribute + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + user_schema: + id: openCloudUUID + tenant_id: "" + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + user_enabled: openCloudUserEnabled + group_schema: + id: openCloudUUID + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-basic_configvars.md b/versioned_docs/version-7.x/_static/env-vars/auth-basic_configvars.md new file mode 100644 index 000000000..09331261e --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-basic_configvars.md @@ -0,0 +1,56 @@ +## Environment variables for the **auth-basic** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`AUTH_BASIC_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`AUTH_BASIC_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9147`| +|`AUTH_BASIC_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_BASIC_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_BASIC_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing traces in-memory.`|`false`| +|`AUTH_BASIC_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9146`| +|`OC_GRPC_PROTOCOL`
`AUTH_BASIC_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`AUTH_BASIC_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| +|`AUTH_BASIC_AUTH_MANAGER`| 1.0.0 |string|`The authentication manager to check if credentials are valid. Supported value is 'ldap'.`|`ldap`| +|`OC_LDAP_URI`
`AUTH_BASIC_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldap://localhost:9236`| +|`OC_LDAP_CACERT`
`AUTH_BASIC_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|``| +|`OC_LDAP_INSECURE`
`AUTH_BASIC_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`AUTH_BASIC_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`AUTH_BASIC_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`AUTH_BASIC_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`AUTH_BASIC_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`AUTH_BASIC_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_SCOPE`
`AUTH_BASIC_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_USER_FILTER`
`AUTH_BASIC_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_GROUP_FILTER`
`AUTH_BASIC_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`AUTH_BASIC_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| +|`OC_LDAP_GROUP_OBJECTCLASS`
`AUTH_BASIC_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| +|`LDAP_LOGIN_ATTRIBUTES`
`AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES`| 1.0.0 |[]string|`A list of user object attributes that can be used for login. See the Environment Variable Types description for more details.`|`[uid]`| +|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BASIC_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`AUTH_BASIC_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|`attribute`| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`AUTH_BASIC_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCHEMA_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`AUTH_BASIC_LDAP_USER_SCHEMA_TENANT_ID`| 4.0.0 |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|``| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs.`|`false`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID).`|`openCloudUUID`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs.`|`false`| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|``| +|`AUTH_BASIC_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| +|`AUTH_BASIC_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| +|`AUTH_BASIC_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`AUTH_BASIC_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| +|`AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|`false`| +|`AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user ID's.`|`false`| diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-basic_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/auth-basic_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-basic_readme.md b/versioned_docs/version-7.x/_static/env-vars/auth-basic_readme.md new file mode 100755 index 000000000..441fc5d48 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-basic_readme.md 
@@ -0,0 +1,46 @@
+
+
+## Abstract
+
+
+The OpenCloud Auth Basic service provides basic authentication for those clients who cannot handle OpenID Connect. This should only be enabled for tests and development.
+
+The `auth-basic` service is responsible for validating authentication of incoming requests. To do so, it will use the configured `auth manager`, see the `Auth Managers` section. Only HTTP basic auth requests to OpenCloud will involve the `auth-basic` service.
+
+To enable `auth-basic`, you first must set `PROXY_ENABLE_BASIC_AUTH` to `true`.
+
+
+## Table of Contents
+
+* [The `auth` Service Family](#the-auth-service-family)
+* [Auth Managers](#auth-managers)
+ * [LDAP Auth Manager](#ldap-auth-manager)
+ * [Other Auth Managers](#other-auth-managers)
+* [Scalability](#scalability)
+
+## The `auth` Service Family
+
+OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
+ - `auth-app` handles authentication of external 3rd party apps
+ - `auth-basic` handles basic authentication
+ - `auth-bearer` handles oidc authentication
+ - `auth-machine` handles interservice authentication when a user is impersonated
+ - `auth-service` handles interservice authentication when using service accounts
+
+## Auth Managers
+
+Since the `auth-basic` service does not do any validation itself, it needs to be configured with an authentication manager. One can use the `AUTH_BASIC_AUTH_MANAGER` environment variable to configure this. Currently only one auth manager is supported: `"ldap"`
+
+### LDAP Auth Manager
+
+Setting `AUTH_BASIC_AUTH_MANAGER` to `"ldap"` will configure the `auth-basic` service to use LDAP as auth manager. This is the recommended option for running in a production and testing environment. More details on how to configure LDAP with OpenCloud can be found in the admin docs.
+ +### Other Auth Managers + +OpenCloud currently supports no other auth manager + +## Scalability + +When using `"ldap"` as auth manager, there is no persistance as requests will just be forwarded to the LDAP server. Therefore, multiple instances of the `auth-basic` service can be started without further configuration. Be aware, that other auth managers might not allow that. + + diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-bearer.yaml b/versioned_docs/version-7.x/_static/env-vars/auth-bearer.yaml new file mode 100644 index 000000000..f7e28e0e9 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-bearer.yaml @@ -0,0 +1,27 @@ +# Autogenerated +# Filename: auth-bearer.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9149 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9148 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +oidc: + issuer: https://localhost:9200 + insecure: false + id_claim: preferred_username + uid_claim: "" + gid_claim: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-bearer_configvars.md b/versioned_docs/version-7.x/_static/env-vars/auth-bearer_configvars.md new file mode 100644 index 000000000..60896410b --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-bearer_configvars.md @@ -0,0 +1,21 @@ +## Environment variables for the **auth-bearer** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`AUTH_BEARER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`AUTH_BEARER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9149`| +|`AUTH_BEARER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_BEARER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_BEARER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`AUTH_BEARER_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9148`| +|`OC_GRPC_PROTOCOL`
`AUTH_BEARER_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`AUTH_BEARER_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| +|`OC_URL`
`OC_OIDC_ISSUER`
`AUTH_BEARER_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| +|`OC_INSECURE`
`AUTH_BEARER_OIDC_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the OIDC issuer.`|`false`| +|`AUTH_BEARER_OIDC_ID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the user identifier.`|`preferred_username`| +|`AUTH_BEARER_OIDC_UID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the UID.`|``| +|`AUTH_BEARER_OIDC_GID_CLAIM`| 1.0.0 |string|`Name of the claim, which holds the GID.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-bearer_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/auth-bearer_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-bearer_readme.md b/versioned_docs/version-7.x/_static/env-vars/auth-bearer_readme.md new file mode 100755 index 000000000..8df3212aa --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-bearer_readme.md 
@@ -0,0 +1,33 @@
+
+
+## Abstract
+
+
+The OpenCloud Auth Bearer service communicates with the configured OpenID Connect identity provider to authenticate requests. OpenID Connect is the default authentication mechanism for all clients: web, desktop and mobile. Basic auth is only used for testing and has to be explicity enabled.
+
+
+## Table of Contents
+
+* [The `auth` Service Family](#the-auth-service-family)
+* [Built in OpenID Connect Identity Provider](#built-in-openid-connect-identity-provider)
+* [Scalability](#scalability)
+
+## The `auth` Service Family
+
+OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
+ - `auth-app` handles authentication of external 3rd party apps
+ - `auth-basic` handles basic authentication
+ - `auth-bearer` handles oidc authentication
+ - `auth-machine` handles interservice authentication when a user is impersonated
+ - `auth-service` handles interservice authentication when using service accounts
+
+## Built in OpenID Connect Identity Provider
+
+A default OpenCloud deployment will start a [built in OpenID Connect identity provider](https://github.com/opencloud-eu/opencloud/tree/main/services/idp) but can be configured to use an external one as well.
+
+## Scalability
+
+There is no persistance or caching. The proxy caches verified auth bearer tokens. Requests will be forwarded to the identity provider. Therefore, multiple instances of the `auth-bearer` service can be started without further configuration. Currently, the auth registry used by the gateway can only use a single instance of the service. To use more than one auth provider per deployment you need to scale the gateway.
+
+This will change when we use the service registry in more places and use micro clients to select an instance of a service.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-machine.yaml b/versioned_docs/version-7.x/_static/env-vars/auth-machine.yaml new file mode 100644 index 000000000..fe0287023 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-machine.yaml @@ -0,0 +1,22 @@ +# Autogenerated +# Filename: auth-machine.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9167 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9166 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +machine_auth_api_key: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-machine_configvars.md b/versioned_docs/version-7.x/_static/env-vars/auth-machine_configvars.md new file mode 100644 index 000000000..d0784ca1d --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-machine_configvars.md @@ -0,0 +1,17 @@ +## Environment variables for the **auth-machine** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`AUTH_MACHINE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`AUTH_MACHINE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9167`| +|`AUTH_MACHINE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_MACHINE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_MACHINE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`AUTH_MACHINE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9166`| +|`OC_GRPC_PROTOCOL`
`AUTH_MACHINE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`AUTH_MACHINE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the encoding of the user's group memberships in the reva access token. This reduces the token size, especially when users are members of a large number of groups.`|`false`| +|`OC_MACHINE_AUTH_API_KEY`
`AUTH_MACHINE_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-machine_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/auth-machine_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-machine_readme.md b/versioned_docs/version-7.x/_static/env-vars/auth-machine_readme.md new file mode 100755 index 000000000..809fe02bb --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-machine_readme.md @@ -0,0 +1,28 @@ + + +## Abstract + + +The OpenCloud Auth Machine is used for interservice communication when using user impersonation. + +OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist: + - `auth-app` handles authentication of external 3rd party apps + - `auth-basic` handles basic authentication + - `auth-bearer` handles oidc authentication + - `auth-machine` handles interservice authentication when a user is impersonated + - `auth-service` handles interservice authentication when using service accounts + + +## Table of Contents + +* [User Impersonation](#user-impersonation) +* [Deprecation](#deprecation) + +## User Impersonation + +When one OpenCloud service is trying to talk to other OpenCloud services, it needs to authenticate itself. To do so, it will impersonate a user using the `auth-machine` service. It will then act on behalf of this user. Any action will show up as action of this specific user, which gets visible when e.g. logged in the audit log. + +## Deprecation + +With the upcoming `auth-service` service, the `auth-machine` service will be used less frequently and is probably a candidate for deprecation. + 
diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-service.yaml b/versioned_docs/version-7.x/_static/env-vars/auth-service.yaml new file mode 100644 index 000000000..e1cd9551b --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-service.yaml @@ -0,0 +1,23 @@ +# Autogenerated +# Filename: auth-service.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9198 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9199 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-service_configvars.md b/versioned_docs/version-7.x/_static/env-vars/auth-service_configvars.md new file mode 100644 index 000000000..f69c58d97 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/auth-service_configvars.md @@ -0,0 +1,17 @@ +## Environment variables for the **auth-service** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`AUTH_SERVICE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`AUTH_SERVICE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9198`| +|`AUTH_SERVICE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`AUTH_SERVICE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`AUTH_SERVICE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`AUTH_SERVICE_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9199`| +|`OC_GRPC_PROTOCOL`
`AUTH_SERVICE_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`AUTH_SERVICE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`AUTH_SERVICE_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`AUTH_SERVICE_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``|
diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-service_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/auth-service_deprecation.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/auth-service_readme.md b/versioned_docs/version-7.x/_static/env-vars/auth-service_readme.md
new file mode 100755
index 000000000..81acd16d8
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/auth-service_readme.md
@@ -0,0 +1,31 @@
+
+
+## Abstract
+
+
+The OpenCloud Auth Service is used to authenticate service accounts. Compared to normal accounts, service accounts are OpenCloud internal only and not available as ordinary users like via LDAP.
+
+
+## Table of Contents
+
+* [The `auth` Service Family](#the-auth-service-family)
+* [Service Accounts](#service-accounts)
+* [Configuring Service Accounts](#configuring-service-accounts)
+
+## The `auth` Service Family
+
+OpenCloud uses serveral authentication services for different use cases. All services that start with `auth-` are part of the authentication service family. Each member authenticates requests with different scopes. As of now, these services exist:
+ - `auth-app` handles authentication of external 3rd party apps
+ - `auth-basic` handles basic authentication
+ - `auth-bearer` handles oidc authentication
+ - `auth-machine` handles interservice authentication when a user is impersonated
+ - `auth-service` handles interservice authentication when using service accounts
+
+## Service Accounts
+
+Service accounts are user accounts that are only used for inter service communication. The users have no personal space, do not show up in user lists and cannot login via the UI. Service accounts can be configured in the settings service. Only the `admin` service user is available for now. Additionally to the actions it can do via its role, all service users can stat all files on all spaces.
+
+## Configuring Service Accounts
+
+By using the envvars `OC_SERVICE_ACCOUNT_ID` and `OC_SERVICE_ACCOUNT_SECRET`, one can configure the ID and the secret of the service user. The secret can be rotated regulary to increase security. For activating a new secret, all services where the envvars are used need to be restarted. The secret is always and only stored in memory and never written into any persistant store. Though you can use any string for the service account, it is recommmended to use a UUIDv4 string.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/clientlog.yaml b/versioned_docs/version-7.x/_static/env-vars/clientlog.yaml new file mode 100644 index 000000000..283a4b237 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/clientlog.yaml @@ -0,0 +1,24 @@ +# Autogenerated +# Filename: clientlog.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9260 + token: "" + pprof: false + zpages: false +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva_gateway: eu.opencloud.api.gateway +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/clientlog_configvars.md b/versioned_docs/version-7.x/_static/env-vars/clientlog_configvars.md new file mode 100644 index 000000000..53cde196e --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/clientlog_configvars.md @@ -0,0 +1,20 @@ +## Environment variables for the **clientlog** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`CLIENTLOG_USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`CLIENTLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9260`| +|`CLIENTLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`CLIENTLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`CLIENTLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_JWT_SECRET`
`CLIENTLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`OC_EVENTS_ENDPOINT`
`CLIENTLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`CLIENTLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`CLIENTLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`CLIENTLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`CLIENTLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`CLIENTLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`CLIENTLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`CLIENTLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``|
diff --git a/versioned_docs/version-7.x/_static/env-vars/clientlog_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/clientlog_deprecation.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/clientlog_readme.md b/versioned_docs/version-7.x/_static/env-vars/clientlog_readme.md
new file mode 100755
index 000000000..50e55db18
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/clientlog_readme.md
@@ -0,0 +1,24 @@
+
+
+## Abstract
+
+
+The `clientlog` service is responsible for composing machine readable notifications for clients. Clients are apps and web interfaces.
+
+
+## Table of Contents
+
+* [The Log Service Ecosystem](#the-log-service-ecosystem)
+* [Clientlog Events](#clientlog-events)
+
+## The Log Service Ecosystem
+
+Log services like the `userlog`, `clientlog` and `sse` are responsible for composing notifications for a certain audience.
+ - The `userlog` service translates and adjusts messages to be human readable.
+ - The `clientlog` service composes machine readable messages, so clients can act without the need to query the server.
+ - The `sse` service is only responsible for sending these messages. It does not care about their form or language.
+
+## Clientlog Events
+
+The messages the `clientlog` service sends are intended for the use by clients, not by users. The client might for example be informed that a file has finished post-processing. With that, the client can make the file available to the user without additional server queries.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/collaboration.yaml b/versioned_docs/version-7.x/_static/env-vars/collaboration.yaml
new file mode 100644
index 000000000..138e4658b
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/collaboration.yaml
@@ -0,0 +1,69 @@ +# Autogenerated +# Filename: collaboration.yaml + +app: + name: Collabora + product: "" + description: Open office documents with Collabora + icon: image-edit + addr: https://127.0.0.1:9980 + insecure: false + proofkeys: + disable: false + duration: 12h + licensecheckenable: false +font: + asset_path: /var/lib/opencloud/collaboration/fonts + preview_text: OpenCloud +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: collaboration + table: "" + ttl: 30m0s + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +token_manager: + jwt_secret: "" +grpc: + addr: 127.0.0.1:9301 + protocol: tcp +http: + addr: 127.0.0.1:9300 + tls: + enabled: false + cert: "" + key: "" +wopi: + wopisrc: https://localhost:9300 + secret: "" + disable_chat: false + proxy_url: "" + proxy_secret: "" + short_tokens: false +cs3api: + gateway: + name: eu.opencloud.api.gateway + datagateway: + insecure: false + grpc_client_tls: null + app_registration_interval: 30s +loglevel: error +debug: + addr: 127.0.0.1:9304 + token: "" + pprof: false + zpages: false +machine_auth_api_key: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/collaboration_configvars.md b/versioned_docs/version-7.x/_static/env-vars/collaboration_configvars.md new file mode 100644 index 000000000..f8adb0c2c --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/collaboration_configvars.md 
@@ -0,0 +1,55 @@ +## Environment variables for the **collaboration** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`COLLABORATION_SERVICE_NAME`| 3.6.0 |string|`The name of the service which is registered. You only need to change this when more than one collaboration service is needed.`|`collaboration`| +|`COLLABORATION_APP_NAME`| 1.0.0 |string|`The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like 'CollaboraOnline'.`|`Collabora`| +|`COLLABORATION_APP_PRODUCT`| 1.0.0 |string|`The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline.`|``| +|`COLLABORATION_APP_DESCRIPTION`| 1.0.0 |string|`App description`|`Open office documents with Collabora`| +|`COLLABORATION_APP_ICON`| 1.0.0 |string|`Icon for the app`|`image-edit`| +|`COLLABORATION_APP_ADDR`| 1.0.0 |string|`The URL where the WOPI app is located, such as \https://127.0.0.1:8080.`|`https://127.0.0.1:9980`| +|`COLLABORATION_APP_INSECURE`| 1.0.0 |bool|`Skip TLS certificate verification when connecting to the WOPI app`|`false`| +|`COLLABORATION_APP_PROOF_DISABLE`| 1.0.0 |bool|`Disable the proof keys verification`|`false`| +|`COLLABORATION_APP_PROOF_DURATION`| 1.0.0 |string|`Duration for the proof keys to be cached in memory, using time.ParseDuration format. If the duration can't be parsed, we'll use the default 12h as duration`|`12h`| +|`COLLABORATION_APP_LICENSE_CHECK_ENABLE`| 1.0.0 |bool|`Enable license checking to edit files. Needs to be enabled when using Microsoft365 with the business flow.`|`false`| +|`COLLABORATION_FONT_ASSET_PATH`| next |string|`Serve fonts from a path on the filesystem instead of the builtin assets. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/collaboration/fonts`|`/var/lib/opencloud/collaboration/fonts`| +|`COLLABORATION_FONT_PREVIEW_TEXT`| next |string|`The text that will be displayed in the font preview.`|`OpenCloud`| +|`OC_PERSISTENT_STORE`
`COLLABORATION_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`COLLABORATION_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`COLLABORATION_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`collaboration`| +|`COLLABORATION_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`COLLABORATION_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details.`|`30m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`COLLABORATION_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`COLLABORATION_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_ENABLE_TLS`
`COLLABORATION_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`| +|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`COLLABORATION_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENDPOINT`
`COLLABORATION_EVENTS_ENDPOINT`| next |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`COLLABORATION_EVENTS_CLUSTER`| next |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`COLLABORATION_EVENTS_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`COLLABORATION_EVENTS_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`COLLABORATION_EVENTS_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`COLLABORATION_EVENTS_AUTH_USERNAME`| next |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`COLLABORATION_EVENTS_AUTH_PASSWORD`| next |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_JWT_SECRET`
`COLLABORATION_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`COLLABORATION_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9301`| +|`OC_GRPC_PROTOCOL`
`COLLABORATION_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`COLLABORATION_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9300`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`COLLABORATION_WOPI_SRC`| 1.0.0 |string|`The WOPI source base URL containing schema, host and port. Set this to the schema and domain where the collaboration service is reachable for the wopi app, such as \https://office.example.test.`|`https://localhost:9300`| +|`COLLABORATION_WOPI_SECRET`| 1.0.0 |string|`Used to mint and verify WOPI JWT tokens and encrypt and decrypt the REVA JWT token embedded in the WOPI JWT token.`|``| +|`COLLABORATION_WOPI_DISABLE_CHAT`
`OC_WOPI_DISABLE_CHAT`| 1.0.0 |bool|`Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft.`|`false`| +|`COLLABORATION_WOPI_PROXY_URL`| 1.0.0 |string|`The URL to the OpenCloud WOPI proxy. Optional. To use this feature, you need an office365 proxy subscription. If you become part of the Microsoft CSP program (\https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), you can use WebOffice without a proxy.`|``| +|`COLLABORATION_WOPI_PROXY_SECRET`| 1.0.0 |string|`Optional, the secret to authenticate against the OpenCloud WOPI proxy. This secret can be obtained from OpenCloud via the office365 proxy subscription.`|``| +|`COLLABORATION_WOPI_SHORTTOKENS`| 1.0.0 |bool|`Use short access tokens for WOPI access. This is useful for office packages, like Microsoft Office Online, which have URL length restrictions. If enabled, a persistent store must be configured.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata.`|`eu.opencloud.api.gateway`| +|`COLLABORATION_CS3API_DATAGATEWAY_INSECURE`| 1.0.0 |bool|`Connect to the CS3API data gateway insecurely.`|`false`| +|`COLLABORATION_CS3API_APP_REGISTRATION_INTERVAL`| 4.0.0 |Duration|`The interval at which the app provider registers itself.`|`30s`| +|`OC_LOG_LEVEL`
`COLLABORATION_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`COLLABORATION_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9304`| +|`COLLABORATION_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`COLLABORATION_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`COLLABORATION_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_MACHINE_AUTH_API_KEY`
`COLLABORATION_MACHINE_AUTH_API_KEY`| next |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|``|
diff --git a/versioned_docs/version-7.x/_static/env-vars/collaboration_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/collaboration_deprecation.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/collaboration_readme.md b/versioned_docs/version-7.x/_static/env-vars/collaboration_readme.md
new file mode 100755
index 000000000..e9a5c2785
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/collaboration_readme.md
@@ -0,0 +1,81 @@
+
+
+## Abstract
+
+
+The collaboration service connects opencloud with document servers such as Collabora, ONLYOFFICE or Microsoft using the WOPI protocol.
+
+Since this service requires an external document server, it won't start by default when using `opencloud server`. You must start it manually with the `opencloud collaboration server` command.
+
+Because the collaboration service needs to be started manually, the following prerequisite applies: On collaboration service startup, particular environment variables are required to be populated. If environment variables have a default like the `MICRO_REGISTRY_ADDRESS`, the default will be used, if not set otherwise. Use for all others the instance values as defined. If these environment variables are not provided or misconfigured, the collaboration service will not start up.
+
+Required environment variables:
+* `OC_URL`
+* `OC_JWT_SECRET`
+* `OC_REVA_GATEWAY`
+* `MICRO_REGISTRY_ADDRESS`
+
+
+## Table of Contents
+
+* [Requirements](#requirements)
+* [WOPI Configuration](#wopi-configuration)
+* [Storing](#storing)
+
+## Requirements
+
+The collaboration service requires the target document server (ONLYOFFICE, Collabora, etc.) to be up and running. Additionally, some OpenCloud services are also required to be running in order to register the GRPC service for the `open in app` action in the webUI. The following internal and external services need to be available:
+
+* External document server.
+* The gateway service.
+* The app-registry service.
+
+If any of the named services above have not been started or are not reachable, the collaboration service won't start. For the binary or the docker release of OpenCloud, check with the `opencloud list` command if they have been started. If not, you must start them manually upfront before starting the collaboration service.
+
+## WOPI Configuration
+
+There are a few variables that you need to set:
+
+* `COLLABORATION_APP_NAME`:\
+ The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like 'CollaboraOnline'.
+
+* `COLLABORATION_APP_PRODUCT`:\
+ The product name of the connected WebOffice app, which can be one of the following:\
+ `Collabora`, `OnlyOffice`, `Microsoft365` or `MicrosoftOfficeOnline`. This is used to internally control the behavior according to the different features of the used products.
+
+* `COLLABORATION_APP_ADDR`:\
+ The URL of the collaborative editing app (onlyoffice, collabora, etc).\
+ For example: `https://office.example.com`.
+
+* `COLLABORATION_APP_INSECURE`:\
+ In case you are using a self signed certificate for the WOPI app you can tell the collaboration service to allow an insecure connection.
+
+* `COLLABORATION_WOPI_SRC`:\
+ The external address of the collaboration service. The target app (onlyoffice, collabora, etc) will use this address to read and write files from OpenCloud.\
+ For example: `https://wopi.example.com`.
+
+* `COLLABORATION_WOPI_SHORTTOKENS`:\
+ Needs to be set if the office application like `Microsoft Office Online` complains about the URL is too long (which contains the access token) and refuses to work. If enabled, a store must be configured.
+
+The application can be customized further by changing the `COLLABORATION_APP_*` options to better describe the application.
+
+## Storing
+
+The `collaboration` service persists information via the configured store in `COLLABORATION_STORE`. Possible stores are:
+ - `memory`: Basic in-memory store. Will not survive a restart. This is not recommended for this service.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store). This is the default value.
+ - `noop`: Stores nothing. Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/eventhistory.yaml b/versioned_docs/version-7.x/_static/env-vars/eventhistory.yaml
new file mode 100644
index 000000000..32797e2f5
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/eventhistory.yaml
@@ -0,0 +1,33 @@ +# Autogenerated +# Filename: eventhistory.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9270 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9274 + tls: null +grpc_client_tls: null +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: eventhistory + table: "" + ttl: 0s + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/eventhistory_configvars.md b/versioned_docs/version-7.x/_static/env-vars/eventhistory_configvars.md new file mode 100644 index 000000000..c34fc641f --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/eventhistory_configvars.md @@ -0,0 +1,27 @@ +## Environment variables for the **eventhistory** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`EVENTHISTORY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`EVENTHISTORY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9270`| +|`EVENTHISTORY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`EVENTHISTORY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`EVENTHISTORY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`EVENTHISTORY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9274`| +|`OC_EVENTS_ENDPOINT`
`EVENTHISTORY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`EVENTHISTORY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`EVENTHISTORY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided.`|``| +|`OC_EVENTS_ENABLE_TLS`
`EVENTHISTORY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`EVENTHISTORY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`EVENTHISTORY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_PERSISTENT_STORE`
`EVENTHISTORY_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`EVENTHISTORY_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`EVENTHISTORY_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`eventhistory`| +|`EVENTHISTORY_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`EVENTHISTORY_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`EVENTHISTORY_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`EVENTHISTORY_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_ENABLE_TLS`
`EVENTHISTORY_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`| +|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`EVENTHISTORY_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/eventhistory_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/eventhistory_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/eventhistory_readme.md b/versioned_docs/version-7.x/_static/env-vars/eventhistory_readme.md new file mode 100755 index 000000000..e1cd04886 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/eventhistory_readme.md 
@@ -0,0 +1,46 @@
+
+
+## Abstract
+
+
+The `eventhistory` consumes all events from the configured event system like NATS, stores them and allows other services to retrieve them via an event ID.
+
+
+## Table of Contents
+
+* [Prerequisites](#prerequisites)
+* [Consuming](#consuming)
+* [Storing](#storing)
+* [Retrieving](#retrieving)
+
+## Prerequisites
+
+Running the eventhistory service without an event system like NATS is not possible.
+
+## Consuming
+
+The `eventhistory` services consumes all events from the configured event system.
+
+## Storing
+
+The `eventhistory` service stores each consumed event via the configured store in `EVENTHISTORY_STORE`. Possible stores are:
+ - `memory`: Basic in-memory store and the default.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `noop`: Stores nothing. Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
+## Retrieving
+
+Other services can call the `eventhistory` service via a gRPC call to retrieve events. The request must contain the event ID that should be retrieved.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/extended_configvars.md b/versioned_docs/version-7.x/_static/env-vars/extended_configvars.md
new file mode 100644
index 000000000..3ff7880da
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/extended_configvars.md
@@ -0,0 +1,17 @@
+# Environment variables with extended scope not included in a service
+
+| Name | Type | Default Value | Description |
+|---|---|---|---|
+`CS3_GATEWAY` | | | Adress of the CS3 backend |
+`CS3_MACHINE_AUTH_API_KEY` | | | Authentication API-Key for CS3 backend |
+`EXPERIMENTAL_REGISTER_INTERVAL` | duration | 25s | The interval at which services will re-register themselves with the registry to prevent expiry. Only change on supervision of openCloud Support. |
+`EXPERIMENTAL_REGISTER_TTL` | duration | 30s | The time-to-live for a service registration in the registry. Services must re-register before this time to prevent expiry. Only change on supervision of openCloud Support. |
+`GRPC_MAX_CONNECTION_AGE` | duration | 9223372036854775807 | Timeout for GRPC connections. After timeout, a new connection will be established automatically. The default value is in ns and is about 2.5 mio h. |
+`MICRO_LOG_LEVEL` | string | Error | Set the log level for the internal go micro framework. Only change on supervision of openCloud Support. |
+`MICRO_REGISTRY` | string | nats-js-kv | The type of registry to use. Only change on supervision of openCloud Support. |
+`MICRO_REGISTRY_ADDRESS` | string | 127.0.0.1:9233 | The bind address of the internal natsjs registry. Only change on supervision of openCloud Support. |
+`MICRO_REGISTRY_AUTH_PASSWORD` | string | | Optional when using nats to authenticate with the nats cluster. |
+`MICRO_REGISTRY_AUTH_USERNAME` | string | | Optional when using nats to authenticate with the nats cluster. |
+`OC_BASE_DATA_PATH` | string | | The base directory location used by several services and for user data. See the General Info section in the documentation for more details on defaults. Services can have, if available, an individual setting with an own environment variable. |
+`OC_CONFIG_DIR` | string | | The default directory location for config files. See the General Info section in the documentation for more details on defaults. |
+`OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE` | integer | 10240000 | Sets the maximum message size in bytes the GRPC client can receive. |
\ No newline at end of file
diff --git a/versioned_docs/version-7.x/_static/env-vars/frontend.yaml b/versioned_docs/version-7.x/_static/env-vars/frontend.yaml
new file mode 100644
index 000000000..a2e0f0017
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/frontend.yaml
@@ -0,0 +1,168 @@ +# Autogenerated +# Filename: frontend.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9141 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9140 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - PATCH + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +transfer_secret: "" +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +machine_auth_api_key: "" +skip_user_groups_in_token: false +max_quota: 0 +upload_max_chunk_size: 10000000 +upload_http_method_override: "" +default_upload_protocol: tus +enable_federated_sharing_incoming: false +enable_federated_sharing_outgoing: false +search_min_length: 3 +disable_sse: false +disable_radicale: false +default_link_permissions: 1 +public_url: https://localhost:9200 +max_concurrency: 1 +app_handler: + insecure: false + secure_view_app_addr: eu.opencloud.api.collaboration +archiver: + max_num_files: 10000 + max_size: 1073741824 + insecure: false +data_gateway: + prefix: data +ocs: + prefix: ocs + share_prefix: /Shares + home_namespace: /users/{{.Id.OpaqueId}} + additional_info_attribute: '{{.Mail}}' + stat_cache_type: memory + stat_cache_nodes: + - 127.0.0.1:9233 + stat_cache_database: cache-stat + stat_cache_table: "" + stat_cache_ttl: 5m0s + stat_cache_disable_persistence: false + stat_cache_auth_username: "" + stat_cache_auth_password: "" + 
stat_cache_enable_tls: false + stat_cache_tls_insecure: false + stat_cache_tls_root_ca_certificate: "" + enable_denials: false + list_ocm_shares: true + include_ocm_sharees: false + public_sharing_share_must_have_password: true + public_sharing_writeableshare_must_have_password: false + show_email_in_results: false +ocdav: + prefix: "" + skip_user_groups_in_token: false + webdav_namespace: /users/{{.Id.OpaqueId}} + files_namespace: /users/{{.Id.OpaqueId}} + shares_namespace: /Shares + ocm_namespace: /public + public_url: https://localhost:9200 + insecure: false + enable_http_tpc: false + gateway_request_timeout: 84300 + machine_auth_api_key: "" + allow_propfind_depth_infinity: false + name_validation: + invalid_chars: + - "\f" + - "\r" + - |2+ + + - \ + max_length: 255 +checksums: + supported_types: + - sha1 + - md5 + - adler32 + preferred_upload_type: sha1 +read_only_user_attributes: [] +ldap_server_write_enabled: true +edit_login_allowed_disabled: false +full_text_search: false +check_for_updates: true +middleware: + auth: + credentials_by_user_agent: {} +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +grpc_client_tls: null +auto_accept_shares: true +service_account: + service_account_id: "" + service_account_secret: "" +password_policy: + min_characters: 8 + min_lowercase_characters: 1 + min_uppercase_characters: 1 + min_digits: 1 + min_special_characters: 1 + banned_passwords_list: "" +configurable_notifications: false +groupware: + enabled: false diff --git a/versioned_docs/version-7.x/_static/env-vars/frontend_configvars.md b/versioned_docs/version-7.x/_static/env-vars/frontend_configvars.md new file mode 100644 index 000000000..d9ded4bb0 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/frontend_configvars.md 
@@ -0,0 +1,126 @@ + +2026-06-19-00-12-13 + +## Deprecation Notice + +| Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement | +|---|---|---|:---| +| The OCS API is deprecated | 1.0.0 | next-prod | | +| The OCS API is deprecated | 1.0.0 | next-prod | | +| The OCS API is deprecated | 1.0.0 | next-prod | | +| The OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated | 1.0.0 | next-prod | | +| The OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated | 1.0.0 | next-prod | | +| The OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_LIST_OCM_SHARES, the OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_INCLUDE_OCM_SHAREES, the OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated | 1.0.0 | next-prod | | +| FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated | 1.0.0 | next-prod | | + +## Environment variables for the **frontend** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`FRONTEND_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`FRONTEND_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9141`| +|`FRONTEND_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`FRONTEND_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`FRONTEND_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`FRONTEND_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9140`| +|`FRONTEND_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`FRONTEND_HTTP_PREFIX`| 1.0.0 |string|`The Path prefix where the frontend can be accessed (defaults to /).`|``| +|`OC_CORS_ALLOW_ORIGINS`
`FRONTEND_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`FRONTEND_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| +|`OC_CORS_ALLOW_HEADERS`
`FRONTEND_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`FRONTEND_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_TRANSFER_SECRET`| 1.0.0 |string|`Transfer secret for signing file up- and download requests.`|``| +|`OC_JWT_SECRET`
`FRONTEND_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_MACHINE_AUTH_API_KEY`
`FRONTEND_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`The machine auth API key used to validate internal requests necessary to access resources from other services.`|``| +|`FRONTEND_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`OC_SPACES_MAX_QUOTA`
`FRONTEND_MAX_QUOTA`| 1.0.0 |uint64|`Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities.`|`0`| +|`FRONTEND_UPLOAD_MAX_CHUNK_SIZE`| 1.0.0 |int|`Sets the max chunk sizes in bytes for uploads via the clients.`|`10000000`| +|`FRONTEND_UPLOAD_HTTP_METHOD_OVERRIDE`| 1.0.0 |string|`Advise TUS to replace PATCH requests by POST requests.`|``| +|`FRONTEND_DEFAULT_UPLOAD_PROTOCOL`| 1.0.0 |string|`The default upload protocol to use in clients. Currently only 'tus' is available. See the developer API documentation for more details about TUS.`|`tus`| +|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed.`|`false`| +|`OC_ENABLE_OCM`
`FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING`| 1.0.0 |bool|`Changing this value is NOT supported. Enables support for outgoing federated sharing for clients. The backend behaviour is not changed.`|`false`| +|`FRONTEND_SEARCH_MIN_LENGTH`| 1.0.0 |int|`Minimum number of characters to enter before a client should start a search for Share receivers. This setting can be used to customize the user experience if e.g too many results are displayed.`|`3`| +|`OC_DISABLE_SSE`
`FRONTEND_DISABLE_SSE`| 1.0.0 |bool|`When set to true, clients are informed that the Server-Sent Events endpoint is not accessible.`|`false`| +|`FRONTEND_DISABLE_RADICALE`| 4.0.0 |bool|`When set to true, clients are informed that the Radicale (CalDAV/CardDAV) is not accessible.`|`false`| +|`FRONTEND_DEFAULT_LINK_PERMISSIONS`| 1.0.0 |int|`Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1.`|`1`| +|`OC_URL`
`FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`| +|`OC_MAX_CONCURRENCY`
`FRONTEND_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| +|`OC_INSECURE`
`FRONTEND_APP_HANDLER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the frontend.`|`false`| +|`FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR`| 1.0.0 |string|`Service name or address of the app provider to use for secure view. Should match the service name or address of the registered CS3 app provider.`|`eu.opencloud.api.collaboration`| +|`FRONTEND_ARCHIVER_MAX_NUM_FILES`| 1.0.0 |int64|`Max number of files that can be packed into an archive.`|`10000`| +|`FRONTEND_ARCHIVER_MAX_SIZE`| 1.0.0 |int64|`Max size in bytes of the zip archive the archiver can create.`|`1073741824`| +|`OC_INSECURE`
`FRONTEND_ARCHIVER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the archiver.`|`false`| +|`FRONTEND_DATA_GATEWAY_PREFIX`| 1.0.0 |string|`Path prefix for the data gateway.`|`data`| +|`FRONTEND_OCS_PREFIX`| 1.0.0 |string|`URL path prefix for the OCS service. Note that the string must not start with '/'.`|`ocs`| +|`FRONTEND_OCS_SHARE_PREFIX`| 1.0.0 |string|`Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'.`|`/Shares`| +|`FRONTEND_OCS_PERSONAL_NAMESPACE`| 1.0.0 |string|`Home namespace identifier.`|`/users/{{.Id.OpaqueId}}`| +|`FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE`| 1.0.0 |string|`Additional information attribute for the user like {{.Mail}}.`|`{{.Mail}}`| +|`OC_CACHE_STORE`
`FRONTEND_OCS_STAT_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`FRONTEND_OCS_STAT_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-stat`| +|`FRONTEND_OCS_STAT_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_CACHE_TTL`
`FRONTEND_OCS_STAT_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when using the 'nats-js-kv' store type.`|``| +|`OC_CACHE_ENABLE_TLS`
`FRONTEND_OCS_STAT_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`FRONTEND_OCS_STAT_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false.`|``| +|`FRONTEND_OCS_ENABLE_DENIALS`| 1.0.0 |bool|`EXPERIMENTAL: enable the feature to deny access on folders.`|`false`| +|`OC_ENABLE_OCM`
`FRONTEND_OCS_LIST_OCM_SHARES`| 1.0.0 |bool|`Include OCM shares when listing shares. See the OCM service documentation for more details.`|`true`| +|`OC_ENABLE_OCM`
`FRONTEND_OCS_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing sharees.`|`false`| +|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|`true`| +|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords for writable shares. Only effective if the setting for 'passwords on all public shares' is set to false.`|`false`| +|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|`false`| +|`OCDAV_HTTP_PREFIX`
`FRONTENT_OCDAV_HTTP_PREFIX`| 1.0.0 |string|`A URL path prefix for the handler.`|``| +|`OCDAV_SKIP_USER_GROUPS_IN_TOKEN`
`FRONTENT_OCDAV_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`OCDAV_WEBDAV_NAMESPACE`
`FRONTENT_OCDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/webdav into this CS3 namespace. Supports template layouting with CS3 User properties.`|`/users/{{.Id.OpaqueId}}`| +|`OCDAV_FILES_NAMESPACE`
`FRONTENT_OCDAV_FILES_NAMESPACE`| 1.0.0 |string|`Jail requests to /dav/files/{username} into this CS3 namespace. Supports template layouting with CS3 User properties.`|`/users/{{.Id.OpaqueId}}`| +|`OCDAV_SHARES_NAMESPACE`
`FRONTENT_OCDAV_SHARES_NAMESPACE`| 1.0.0 |string|`The human readable path for the share jail. Relative to a users personal space root. Upcased intentionally.`|`/Shares`| +|`OCDAV_OCM_NAMESPACE`
`FRONTENT_OCDAV_OCM_NAMESPACE`| 1.0.0 |string|`The human readable path prefix for the ocm shares.`|`/public`| +|`OC_URL`
`OCDAV_PUBLIC_URL`
`FRONTENT_OCDAV_PUBLIC_URL`| 1.0.0 |string|`URL where OpenCloud is reachable for users.`|`https://localhost:9200`| +|`OC_INSECURE`
`OCDAV_INSECURE`
`FRONTENT_OCDAV_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the GATEWAY service.`|`false`| +|`OCDAV_ENABLE_HTTP_TPC`
`FRONTENT_OCDAV_ENABLE_HTTP_TPC`| 6.0.0 |bool|`Enable HTTP / WebDAV Third-Party-Copy support.`|`false`| +|`OCDAV_GATEWAY_REQUEST_TIME`
`FRONTENT_OUTOCDAV_GATEWAY_REQUEST_TIMEOUT`| 1.0.0 |int64|`Request timeout in seconds for requests from the oCDAV service to the GATEWAY service.`|`84300`| +|`OC_MACHINE_AUTH_API_KEY`
`OCDAV_MACHINE_AUTH_API_KEY`
`FRONTENT_OCDAV_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| +|`OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`
`FRONTENT_OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY`| 1.0.0 |bool|`Allow the use of depth infinity in PROPFINDS. When enabled, a propfind will traverse through all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times.`|`false`| +|`OCDAV_NAME_VALIDATION_INVALID_CHARS`
`FRONTENT_OCDAV_NAME_VALIDATION_INVALID_CHARS`| 6.0.0 |[]string|`List of characters that are not allowed in file or folder names.`|``| +|`OCDAV_NAME_VALIDATION_MAX_LENGTH`
`FRONTENT_OCDAV_NAME_VALIDATION_MAX_LENGTH`| 6.0.0 |int|`Max length of file or folder names.`|`255`| +|`FRONTEND_CHECKSUMS_SUPPORTED_TYPES`| 1.0.0 |[]string|`A list of checksum types that indicate to clients which hashes the server can use to verify upload integrity. Supported types are 'sha1', 'md5' and 'adler32'. See the Environment Variable Types description for more details.`|`[sha1 md5 adler32]`| +|`FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE`| 1.0.0 |string|`The supported checksum type for uploads that indicates to clients supporting multiple hash algorithms which one is preferred by the server. Must be one out of the defined list of SUPPORTED_TYPES.`|`sha1`| +|`FRONTEND_READONLY_USER_ATTRIBUTES`| 1.0.0 |[]string|`A list of user attributes to indicate as read-only. Supported values: 'user.onPremisesSamAccountName' (username), 'user.displayName', 'user.mail', 'user.passwordProfile' (password), 'user.appRoleAssignments' (role), 'user.memberOf' (groups), 'user.accountEnabled' (login allowed), 'drive.quota' (quota). See the Environment Variable Types description for more details.`|`[]`| +|`OC_LDAP_SERVER_WRITE_ENABLED`
`FRONTEND_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|`true`| +|`FRONTEND_EDIT_LOGIN_ALLOWED_DISABLED`| 3.4.0 |bool|`Used to set if login is allowed/forbidden for for User.`|`false`| +|`FRONTEND_FULL_TEXT_SEARCH_ENABLED`| 1.0.0 |bool|`Set to true to signal the web client that full-text search is enabled.`|`false`| +|`FRONTEND_CHECK_FOR_UPDATES`| 3.6.0 |bool|`Enable automatic checking for updates. Defaults to true.`|`true`| +|`OC_EVENTS_ENDPOINT`
`FRONTEND_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`FRONTEND_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`FRONTEND_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`FRONTEND_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`FRONTEND_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`FRONTEND_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`FRONTEND_AUTO_ACCEPT_SHARES`| 1.0.0 |bool|`Defines if shares should be auto accepted by default. Users can change this setting individually in their profile.`|`true`| +|`OC_SERVICE_ACCOUNT_ID`
`FRONTEND_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`FRONTEND_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_PASSWORD_POLICY_DISABLED`
`FRONTEND_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|`false`| +|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|`8`| +|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_DIGITS`
`FRONTEND_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|``|
+|`FRONTEND_CONFIGURABLE_NOTIFICATIONS`| 1.0.0 |bool|`Allow configuring notifications via web client.`|`false`|
+|`FRONTEND_GROUPWARE_ENABLED`| 3.7.0 |bool|`Enable groupware features. Defaults to false.`|`false`|
diff --git a/versioned_docs/version-7.x/_static/env-vars/frontend_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/frontend_deprecation.md
new file mode 100644
index 000000000..d7c2fb719
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/frontend_deprecation.md
@@ -0,0 +1,4 @@
+
+:::danger
+frontend has deprecated environment variables. Please refer to the table below for more information.
+:::
\ No newline at end of file
diff --git a/versioned_docs/version-7.x/_static/env-vars/frontend_readme.md b/versioned_docs/version-7.x/_static/env-vars/frontend_readme.md
new file mode 100755
index 000000000..a5a7aee3b
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/frontend_readme.md
@@ -0,0 +1,166 @@
+
+
+## Abstract
+
+
+The frontend service translates various OpenCloud related HTTP APIs to CS3 requests.
+
+
+## Table of Contents
+
+* [Endpoints Overview](#endpoints-overview)
+ * [appprovider](#appprovider)
+ * [archiver](#archiver)
+ * [datagateway](#datagateway)
+ * [ocs](#ocs)
+ * [Event Handler](#event-handler)
+ * [Sharing](#sharing)
+* [Scalability](#scalability)
+* [Define Read-Only Attributes](#define-readonly-attributes)
+* [Caching](#caching)
+ * [Auto-Accept Shares](#autoaccept-shares)
+* [Passwords](#passwords)
+ * [The Password Policy](#the-password-policy)
+ * [The Password Policy Capability](#the-password-policy-capability)
+ * [Password Enforcement for all Public Links](#password-enforcement-for-all-public-links)
+ * [Password Enforcement for Writeable Public Links](#password-enforcement-for-writeable-public-links)
+
+## Endpoints Overview
+
+Currently, the frontend service handles requests for three functionalities, which are `appprovider`, `archiver`, `datagateway` and `ocs`.
+
+### appprovider
+
+The appprovider endpoint, by default `/app`, forwards HTTP requests to the CS3 [App Registry API](https://cs3org.github.io/cs3apis/#cs3.app.registry.v1beta1.RegistryAPI)
+
+### archiver
+
+The archiver endpoint, by default `/archiver`, implements zip and tar download for collections of files. It will internally use the CS3 API to initiate downloads and then stream the individual files as part of a compressed file.
+
+### datagateway
+
+The datagateway endpoint, by default `/data`, forwards file up- and download requests to the correct CS3 data provider. OpenCloud starts a dataprovider as part of the storage-* services. The routing happens based on the JWT that was created by a storage provider in response to an `InitiateFileDownload` or `InitiateFileUpload` request.
+
+### ocs
+
+The ocs endpoint, by default `/ocs`, implements the Open Collaboration Services API by translating it into CS3 API requests.
It can handle users, groups, capabilities and also implements the files sharing functionality on top of CS3. The `/ocs/v[12].php/cloud/user/signing-key` is currently handled by the dedicated [ocs](https://github.com/opencloud-eu/opencloud/tree/main/services/ocs) service.
+
+#### Event Handler
+
+The `frontend` service contains an eventhandler for handling `ocs` related events. As of now, it only listens to the `ShareCreated` event.
+
+### Sharing
+
+Aggregating share information is one of the most time consuming operations in OpenCloud. The service fetches a list of either received or created shares and has to stat every resource individually. While stats are fast, the default behavior scales linearly with the number of shares.
+
+To save network trips the sharing implementation can cache the stat requests with an in memory cache or in Redis. It will shorten the response time by the network round-trip overhead at the cost of the API only eventually being updated.
+
+Setting `FRONTEND_OCS_RESOURCE_INFO_CACHE_TTL=60` (deprecated) would cache the stat info for 60 seconds. Increasing this value makes sense for large deployments with thousands of active users that keep the cache up to date. Low frequency usage scenarios should not expect a noticeable improvement.
+
+## Scalability
+
+While the frontend service does not persist any data, it does cache information about files and filesystem (`Stat()`) responses and user information. Therefore, multiple instances of this service can be spawned in a bigger deployment like when using container orchestration with Kubernetes, when configuring `FRONTEND_OCS_RESOURCE_INFO_CACHE_STORE` (deprecated) and the related config options.
+
+## Define Read-Only Attributes
+
+A lot of user management is made via the standardized libregraph API. Depending on how the system is configured, there might be some user attributes that an OpenCloud instance admin can't change because of properties coming from an external LDAP server, or similar.
This can be the case when the OpenCloud admin is not the LDAP admin. To ease life for admins, there are hints as capabilites telling the frontend which attributes are read-only to enable a different optical representation like being grayed out. To configure these hints, use the environment variable `FRONTEND_READONLY_USER_ATTRIBUTES`, which takes a comma separated list of attributes, see the envvar for supported values.
+
+You can find more details regarding available attributes at the [libre-graph-api openapi-spec](https://github.com/opencloud-eu/libre-graph-api/blob/main/api/openapi-spec/v1.0.yaml) and on [docs.opencloud.eu](https://docs.opencloud.eu/swagger/libre-graph-api/).
+
+## Caching
+
+The `frontend` service can use a configured store via `FRONTEND_OCS_STAT_CACHE_STORE` (deprecated). Possible stores are:
+ - `memory`: Basic in-memory store and the default.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `noop`: Stores nothing. Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
+### Auto-Accept Shares
+
+When setting the `FRONTEND_AUTO_ACCEPT_SHARES` to `true`, all incoming shares will be accepted automatically. Users can overwrite this setting individually in their profile.
+
+## Passwords
+
+### The Password Policy
+
+Note that the password policy currently impacts only **public link password validation**.
+
+In OpenCloud, the password policy is always enabled because the max-length restriction is always applying and should be taken into account by the clients.
+
+With the password policy, mandatory criteria for the password can be defined via the environment variables listed below.
+
+Generally, a password can contain any UTF-8 characters, however some characters are regarded as special since they are not used in ordinary texts. Which characters should be treated as special is defined by "The OWASP® Foundation" [password-special-characters](https://owasp.org/www-community/password-special-characters) (between double quotes): ```" !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~"```
+
+The validation against the banned passwords list can be configured via a text file with words separated by new lines. If a user tries to set a password listed in the banned passwords list, the password can not be used (is invalid) even if the other mandatory criteria are passed. The admin can define the path of the banned passwords list file. If the file doesn't exist in a location, OpenCloud tries to load a file from the `OC_CONFIG_DIR/OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`. An option will be enabled when the file has been loaded successfully.
+
+Following environment variables can be set to define the password policy behaviour:
+
+- `OC_PASSWORD_POLICY_DISABLED`
+Disable the password policy
+- `OC_PASSWORD_POLICY_MIN_CHARACTERS`
+Define the minimum password length.
+- `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
+Define the minimum number of uppercase letters.
+- `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
+Define the minimum number of lowercase letters.
+- `OC_PASSWORD_POLICY_MIN_DIGITS`
+Define the minimum number of digits.
+- `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
+Define the minimum number of special characters.
+- `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
+Path to the 'banned passwords list' file.
+
+These variables are global OpenCloud variables because they are used not only in the frontend service, but also in the sharing service.
+
+Note that a password can have a maximum length of **72 bytes**. Depending on the alphabet used, a character is encoded by 1 to 4 bytes, defining the maximum length of a password indirectly. While US-ASCII will only need one byte, Latin alphabets and also Greek or Cyrillic ones need two bytes. Three bytes are needed for characters in Chinese, Japanese and Korean etc.
+
+### The Password Policy Capability
+
+The capabilities endpoint (e.g. https://cloud.opencloud.test/ocs/v1.php/cloud/capabilities?format=json) gives you following capabilities which are relevant for the password policy:
+
+```json
+{
+ "ocs": {
+ "data": {
+ "capabilities": {
+ "password_policy": {
+ "min_characters": 10,
+ "max_characters": 72,
+ "min_lowercase_characters": 1,
+ "min_uppercase_characters": 2,
+ "min_digits": 1,
+ "min_special_characters": 1
+ }
+ }
+ }
+ }
+}
+```
+
+### Password Enforcement for all Public Links
+
+For public accessible shares, independent if read only or writable, a password is enforced. To change this requirement, set the following environment variable to `false`:
+
+`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
+
+### Password Enforcement for Writeable Public Links
+
+For public accessible writable shares, a password can be enforced.
To change the current setting, set the following environment variable to `true`:
+
+`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
+
+Note that changing this environment variable only makes sense if\
+`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`\
+is set to `false`.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/gateway.yaml b/versioned_docs/version-7.x/_static/env-vars/gateway.yaml
new file mode 100644
index 000000000..3a84ad195
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/gateway.yaml
@@ -0,0 +1,69 @@ +# Autogenerated +# Filename: gateway.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9143 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9142 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +commit_share_to_storage_grant: true +share_folder_name: Shares +disable_home_creation_on_login: true +transfer_secret: "" +transfer_expires: 86400 +cache: + provider_cache_store: noop + provider_cache_nodes: + - 127.0.0.1:9233 + provider_cache_database: cache-providers + provider_cache_ttl: 5m0s + provider_cache_disable_persistence: false + provider_cache_auth_username: "" + provider_cache_auth_password: "" + provider_cache_enable_tls: false + provider_cache_tls_insecure: false + provider_cache_tls_root_ca_certificate: "" + create_home_cache_store: memory + create_home_cache_nodes: + - 127.0.0.1:9233 + create_home_cache_database: cache-createhome + create_home_cache_ttl: 5m0s + create_home_cache_disable_persistence: false + create_home_cache_auth_username: "" + create_home_cache_auth_password: "" + create_home_cache_enable_tls: false + create_home_cache_tls_insecure: false + create_home_cache_tls_root_ca_certificate: "" +frontend_public_url: https://localhost:9200 +users_endpoint: eu.opencloud.api.users +groups_endpoint: eu.opencloud.api.groups +permissions_endpoint: eu.opencloud.api.settings +sharing_endpoint: eu.opencloud.api.sharing +auth_app_endpoint: eu.opencloud.api.auth-app +auth_basic_endpoint: eu.opencloud.api.auth-basic +auth_bearer_endpoint: "" +auth_machine_endpoint: eu.opencloud.api.auth-machine +auth_service_endpoint: eu.opencloud.api.auth-service +storage_public_link_endpoint: eu.opencloud.api.storage-publiclink +storage_users_endpoint: eu.opencloud.api.storage-users +storage_shares_endpoint: eu.opencloud.api.storage-shares +app_registry_endpoint: eu.opencloud.api.app-registry +ocm_endpoint: 
eu.opencloud.api.ocm +storage_registry: + driver: spaces + rules: [] + json: "" + storage_users_mount_id: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/gateway_configvars.md b/versioned_docs/version-7.x/_static/env-vars/gateway_configvars.md new file mode 100644 index 000000000..1f2ba988b --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/gateway_configvars.md @@ -0,0 +1,60 @@ +## Environment variables for the **gateway** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`GATEWAY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`GATEWAY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9143`| +|`GATEWAY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`GATEWAY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`GATEWAY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_GATEWAY_GRPC_ADDR`
`GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9142`| +|`OC_GRPC_PROTOCOL`
`GATEWAY_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`GATEWAY_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`GATEWAY_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`GATEWAY_COMMIT_SHARE_TO_STORAGE_GRANT`| 1.0.0 |bool|`Commit shares to storage grants. This grants access to shared resources for the share receiver directly on the storage.`|`true`| +|`GATEWAY_SHARE_FOLDER_NAME`| 1.0.0 |string|`Name of the share folder in users' home space.`|`Shares`| +|`GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN`| 1.0.0 |bool|`Disable creation of the home space on login.`|`true`| +|`OC_TRANSFER_SECRET`| 1.0.0 |string|`The storage transfer secret.`|``| +|`GATEWAY_TRANSFER_EXPIRES`| 1.0.0 |int|`Expiry for the gateway tokens.`|`86400`| +|`OC_CACHE_STORE`
`GATEWAY_PROVIDER_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`noop`| +|`OC_CACHE_STORE_NODES`
`GATEWAY_PROVIDER_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-providers`| +|`OC_CACHE_TTL`
`GATEWAY_PROVIDER_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`GATEWAY_PROVIDER_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`GATEWAY_PROVIDER_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false.`|``| +|`OC_CACHE_STORE`
`GATEWAY_CREATE_HOME_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`GATEWAY_CREATE_HOME_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-createhome`| +|`OC_CACHE_TTL`
`GATEWAY_CREATE_HOME_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`5m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false.`|``| +|`OC_URL`
`GATEWAY_FRONTEND_PUBLIC_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud frontend.`|`https://localhost:9200`| +|`GATEWAY_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.users`| +|`GATEWAY_GROUPS_ENDPOINT`| 1.0.0 |string|`The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.groups`| +|`GATEWAY_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`The endpoint of the permissions service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.settings`| +|`GATEWAY_SHARING_ENDPOINT`| 1.0.0 |string|`The endpoint of the shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.sharing`| +|`GATEWAY_AUTH_APP_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-app service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-app`| +|`GATEWAY_AUTH_BASIC_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-basic service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-basic`| +|`GATEWAY_AUTH_BEARER_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-bearer service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|``| +|`GATEWAY_AUTH_MACHINE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-machine service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-machine`| +|`GATEWAY_AUTH_SERVICE_ENDPOINT`| 1.0.0 |string|`The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.auth-service`| +|`GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-publiclink service. 
Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-publiclink`|
+|`GATEWAY_STORAGE_USERS_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-users`|
+|`GATEWAY_STORAGE_SHARES_ENDPOINT`| 1.0.0 |string|`The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.storage-shares`|
+|`GATEWAY_APP_REGISTRY_ENDPOINT`| 1.0.0 |string|`The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.app-registry`|
+|`GATEWAY_OCM_ENDPOINT`| 1.0.0 |string|`The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol.`|`eu.opencloud.api.ocm`|
+|`GATEWAY_STORAGE_REGISTRY_DRIVER`| 1.0.0 |string|`The driver name of the storage registry to use.`|`spaces`|
+|`GATEWAY_STORAGE_REGISTRY_RULES`| 1.0.0 |[]string|`The rules for the storage registry. See the Environment Variable Types description for more details.`|`[]`|
+|`GATEWAY_STORAGE_REGISTRY_CONFIG_JSON`| 1.0.0 |string|`Additional configuration for the storage registry in json format.`|``|
+|`GATEWAY_STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``|
diff --git a/versioned_docs/version-7.x/_static/env-vars/gateway_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/gateway_deprecation.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/gateway_readme.md b/versioned_docs/version-7.x/_static/env-vars/gateway_readme.md
new file mode 100755
index 000000000..47b4707c5
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/gateway_readme.md
@@ -0,0 +1,186 @@
+
+
+## Abstract
+
+
+The gateway service is responsible for passing requests to the storage providers. Other services never talk to the storage providers directly but will always send their requests via the `gateway` service.
+
+
+## Table of Contents
+
+* [Caching](#caching)
+* [Service Endpoints](#service-endpoints)
+* [Storage Registry](#storage-registry)
+
+## Caching
+
+The gateway service is using caching as it is highly frequented with the same requests. As of now it uses two different caches:
+ - the `provider cache` is caching requests to list or get storage providers.
+ - the `create home cache` is caching requests to create personal spaces (as they only need to be executed once).
+
+Both caches can be configured via the `OC_CACHE_*` envvars (or `GATEWAY_PROVIDER_CACHE_*` and `GATEWAY_CREATE_HOME_CACHE_*` respectively).
+
+Use `OC_CACHE_STORE` (`GATEWAY_PROVIDER_CACHE_STORE`, `GATEWAY_CREATE_HOME_CACHE_STORE`) to define the type of cache to use:
+ - `memory`: Basic in-memory store and the default.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `noop`: Stores nothing. Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
+## Service Endpoints
+
+**IMPORTANT**\
+This functionality is currently highly experimental and intended for testing only! There are known bugs that need to be sorted out like not removing sockets when a service ends.
+
+The gateway acts as a proxy for other CS3 services. As such it has to forward requests to a lot of services and needs to establish connections by looking up the IP address using the service registry. Instead of using the service registry each endpoint can also be configured to use the grpc `dns://` or `kubernetes://` URLs, which might be useful when running in kubernetes.
+
+For a local single node deployment you might want to use `unix:` sockets as shown below. Using unix sockets will reduce the amount of service lookups and omit the TCP stack. For now, this is experimental and the services do not delete the socket on shutdown. PRs welcome.
+
+The scheme for this setup is the following. Note that there is, except storage, always a service and a gateway envvar triple:
+
+| **envvar** | **default** | **alternative** |
+|------|------|------|
+| OC_GRPC_PROTOCOL or
``_GRPC_PROTOCOL | tcp | unix |
+| ``_GRPC_ADDR | 127.0.0.1:`` | /var/run/opencloud/``.sock |
+| GATEWAY_``_ENDPOINT | eu.opencloud.api.`` | unix:/var/run/opencloud/``.sock
dns: ...
kubernetes: ... |
+
+```console
+USERS_GRPC_PROTOCOL=unix"
+USERS_GRPC_ADDR=/var/run/opencloud/users.sock"
+GATEWAY_USERS_ENDPOINT=unix:/var/run/opencloud/users.sock"
+
+GROUPS_GRPC_PROTOCOL=unix"
+GROUPS_GRPC_ADDR=/var/run/opencloud/groups.sock"
+GATEWAY_GROUPS_ENDPOINT=unix:/var/run/opencloud/groups.sock"
+
+AUTH_APP_GRPC_PROTOCOL=unix"
+AUTH_APP_GRPC_ADDR=/var/run/opencloud/auth-app.sock"
+GATEWAY_AUTH_APP_ENDPOINT=unix:/var/run/opencloud/auth-app.sock"
+
+AUTH_BASIC_GRPC_PROTOCOL=unix"
+AUTH_BASIC_GRPC_ADDR=/var/run/opencloud/auth-basic.sock"
+GATEWAY_AUTH_BASIC_ENDPOINT=unix:/var/run/opencloud/auth-basic.sock"
+
+AUTH_MACHINE_GRPC_PROTOCOL=unix"
+AUTH_MACHINE_GRPC_ADDR=/var/run/opencloud/auth-machine.sock"
+GATEWAY_AUTH_MACHINE_ENDPOINT=unix:/var/run/opencloud/auth-machine.sock"
+
+AUTH_SERVICE_GRPC_PROTOCOL=unix"
+AUTH_SERVICE_GRPC_ADDR=/var/run/opencloud/auth-service.sock"
+GATEWAY_AUTH_SERVICE_ENDPOINT=unix:/var/run/opencloud/auth-service.sock"
+
+STORAGE_PUBLIC_LINK_GRPC_PROTOCOL=unix"
+STORAGE_PUBLIC_LINK_GRPC_ADDR=/var/run/opencloud/storage-public-link.sock"
+GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT=unix:/var/run/opencloud/storage-public-link.sock"
+
+STORAGE_USERS_GRPC_PROTOCOL=unix"
+STORAGE_USERS_GRPC_ADDR=/var/run/opencloud/storage-users.sock"
+GATEWAY_STORAGE_USERS_ENDPOINT=unix:/var/run/opencloud/storage-users.sock"
+// graph sometimes bypasses the gateway so we need to configure the socket here as wel
+GRAPH_SPACES_STORAGE_USERS_ADDRESS=unix:/var/run/opencloud/storage-users.sock"
+
+STORAGE_SHARES_GRPC_PROTOCOL=unix"
+STORAGE_SHARES_GRPC_ADDR=/var/run/opencloud/storage-shares.sock"
+GATEWAY_STORAGE_SHARES_ENDPOINT=unix:/var/run/opencloud/storage-shares.sock"
+
+APP_REGISTRY_GRPC_PROTOCOL=unix"
+APP_REGISTRY_GRPC_ADDR=/var/run/opencloud/app-registry.sock"
+GATEWAY_APP_REGISTRY_ENDPOINT=unix:/var/run/opencloud/app-registry.sock"
+
+OCM_GRPC_PROTOCOL=unix"
+OCM_GRPC_ADDR=/var/run/opencloud/ocm.sock"
+GATEWAY_OCM_ENDPOINT=unix:/var/run/opencloud/ocm.sock"
+
+// storage related
+SETTINGS_STORAGE_GATEWAY_GRPC_ADDR="unix:/var/run/opencloud/storage-system.sock"
+SETTINGS_STORAGE_GRPC_ADDR="unix:/var/run/opencloud/storage-system.sock"
+STORAGE_SYSTEM_GRPC_PROTOCOL="unix"
+STORAGE_SYSTEM_GRPC_ADDR="/var/run/opencloud/storage-system.sock"
+SHARING_USER_CS3_PROVIDER_ADDR="unix:/var/run/opencloud/storage-system.sock"
+SHARING_USER_JSONCS3_PROVIDER_ADDR="unix:/var/run/opencloud/storage-system.sock"
+SHARING_PUBLIC_CS3_PROVIDER_ADDR="unix:/var/run/opencloud/storage-system.sock"
+SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR="unix:/var/run/opencloud/storage-system.sock"
+```
+
+## Storage Registry
+
+In order to add another storage provider the CS3 storage registry that is running as part of the CS3 gateway has to be made aware of it. The easiest and cleanest way to do it is to set `GATEWAY_STORAGE_REGISTRY_CONFIG_JSON=/path/to/storages.json` and list all storage providers like this:
+
+```json
+{
+ "eu.opencloud.api.storage-users": {
+ "providerid": "{storage-users-mount-uuid}",
+ "spaces": {
+ "personal": {
+ "mount_point": "/users",
+ "path_template": "/users/{{.Space.Owner.Id.OpaqueId}}"
+ },
+ "project": {
+ "mount_point": "/projects",
+ "path_template": "/projects/{{.Space.Name}}"
+ }
+ }
+ },
+ "eu.opencloud.api.storage-shares": {
+ "providerid": "a0ca6a90-a365-4782-871e-d44447bbc668",
+ "spaces": {
+ "virtual": {
+ "mount_point": "/users/{{.CurrentUser.Id.OpaqueId}}/Shares"
+ },
+ "grant": {
+ "mount_point": "."
+ },
+ "mountpoint": {
+ "mount_point": "/users/{{.CurrentUser.Id.OpaqueId}}/Shares",
+ "path_template": "/users/{{.CurrentUser.Id.OpaqueId}}/Shares/{{.Space.Name}}"
+ }
+ }
+ },
+ "eu.opencloud.api.storage-publiclink": {
+ "providerid": "7993447f-687f-490d-875c-ac95e89a62a4",
+ "spaces": {
+ "grant": {
+ "mount_point": "."
+ },
+ "mountpoint": {
+ "mount_point": "/public",
+ "path_template": "/public/{{.Space.Root.OpaqueId}}"
+ }
+ }
+ },
+ "eu.opencloud.api.ocm": {
+ "providerid": "89f37a33-858b-45fa-8890-a1f2b27d90e1",
+ "spaces": {
+ "grant": {
+ "mount_point": "."
+ },
+ "mountpoint": {
+ "mount_point": "/ocm",
+ "path_template": "/ocm/{{.Space.Root.OpaqueId}}"
+ }
+ }
+ },
+ "eu.opencloud.api.storage-hello": {
+ "providerid": "hello-storage-id",
+ "spaces": {
+ "project": {
+ "mount_point": "/hello",
+ "path_template": "/hello/{{.Space.Name}}"
+ }
+ }
+ }
+}
+```
+
+In the above replace `{storage-users-mount-uuid}` with the mount UUID that was generated for the storage-users service. You can find it in the `config.yaml` generated on by `opencloud init`. The last entry `eu.opencloud.api.storage-hello` and its `providerid` `"hello-storage-id"` are an example for an additional storage provider, in this case running `hellofs`, an example minimal storage driver.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/global_configvars.md b/versioned_docs/version-7.x/_static/env-vars/global_configvars.md
new file mode 100644
index 000000000..24c2ef591
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/global_configvars.md
@@ -0,0 +1,120 @@ +# Environment variables with global scope available in multiple services + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|---| +| `IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | The default role assignments the demo users should be setup. | false | +| `OC_ADMIN_USER_ID` | 1.0.0 | string | ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. | | +| `OC_ASYNC_UPLOADS` | 1.0.0 | bool | Enable asynchronous file uploads. | true | +| `OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to use for authentication. Only applies when using the 'nats-js-kv' store type. | | +| `OC_CACHE_AUTH_USERNAME` | 1.0.0 | string | The username to use for authentication. Only applies when using the 'nats-js-kv' store type. | | +| `OC_CACHE_DATABASE` | 1.0.0 | string | The database name the configured store should use. | cache-stat | +| `OC_CACHE_DISABLE_PERSISTENCE` | 1.0.0 | bool | Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false. | false | +| `OC_CACHE_ENABLE_TLS` | next | bool | Enable TLS for the connection to file metadata cache. | false | +| `OC_CACHE_STORE` | 1.0.0 | string | The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details. | memory | +| `OC_CACHE_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] | +| `OC_CACHE_TLS_INSECURE` | next | bool | Whether to verify the server TLS certificates. 
| false | +| `OC_CACHE_TLS_ROOT_CA_CERTIFICATE` | next | string | The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false. | | +| `OC_CACHE_TTL` | 1.0.0 | Duration | Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details. | 5m0s | +| `OC_CORS_ALLOW_CREDENTIALS` | 1.0.0 | bool | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | false | +| `OC_CORS_ALLOW_HEADERS` | 1.0.0 | []string | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details. | [Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control] | +| `OC_CORS_ALLOW_METHODS` | 1.0.0 | []string | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details. | [OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] | +| `OC_CORS_ALLOW_ORIGINS` | 1.0.0 | []string | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. 
See the Environment Variable Types description for more details. | [https://localhost:9200] | +| `OC_DECOMPOSEDFS_PROPAGATOR` | 1.0.0 | string | The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option. | sync | +| `OC_DEFAULT_LANGUAGE` | 1.0.0 | string | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. | | +| `OC_DISABLE_VERSIONING` | 1.0.0 | bool | Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version. | false | +| `OC_ENABLE_OCM` | 1.0.0 | bool | Changing this value is NOT supported. Enables support for incoming federated sharing for clients. The backend behaviour is not changed. | false | +| `OC_EVENTS_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | | +| `OC_EVENTS_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | | +| `OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. | opencloud-cluster | +| `OC_EVENTS_ENABLE_TLS` | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false | +| `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. 
| 127.0.0.1:9233 | +| `OC_EVENTS_TLS_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false | +| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. | | +| `OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the GRPC service. | 127.0.0.1:9142 | +| `OC_GRPC_CLIENT_TLS_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. | | +| `OC_GRPC_CLIENT_TLS_MODE` | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. | | +| `OC_GRPC_PROTOCOL` | 1.0.0 | string | The transport protocol of the GRPC service. | tcp | +| `OC_HTTP_TLS_CERTIFICATE` | 1.0.0 | string | Path/File name of the TLS server certificate (in PEM format) for the http services. | | +| `OC_HTTP_TLS_ENABLED` | 1.0.0 | bool | Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. | false | +| `OC_HTTP_TLS_KEY` | 1.0.0 | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. | | +| `OC_INSECURE` | 1.0.0 | bool | Allow insecure connections to the frontend. | false | +| `OC_JWT_SECRET` | 1.0.0 | string | The secret to mint and validate jwt tokens. 
| | +| `OC_KEYCLOAK_BASE_PATH` | 1.0.0 | string | The URL to access keycloak. | | +| `OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client ID to authenticate with keycloak. | | +| `OC_KEYCLOAK_CLIENT_REALM` | 1.0.0 | string | The realm the client is defined in. | | +| `OC_KEYCLOAK_CLIENT_SECRET` | 1.0.0 | string | The client secret to use in authentication. | | +| `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` | 1.0.0 | bool | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. | false | +| `OC_KEYCLOAK_USER_REALM` | 1.0.0 | string | The realm users are defined. | | +| `OC_LDAP_BIND_DN` | 1.0.0 | string | LDAP DN to use for simple bind authentication with the target LDAP server. | uid=idp,ou=sysusers,o=libregraph-idm | +| `OC_LDAP_BIND_PASSWORD` | 1.0.0 | string | Password to use for authenticating the 'bind_dn'. | | +| `OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. | | +| `OC_LDAP_DISABLED_USERS_GROUP_DN` | 1.0.0 | string | The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. | cn=DisabledUsersGroup,ou=groups,o=libregraph-idm | +| `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. | attribute | +| `OC_LDAP_GROUP_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP groups. | ou=groups,o=libregraph-idm | +| `OC_LDAP_GROUP_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for group searches. 
| | +| `OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter ('groupOfNames'). | groupOfNames | +| `OC_LDAP_GROUP_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). | cn | +| `OC_LDAP_GROUP_SCHEMA_GROUPNAME` | 1.0.0 | string | LDAP Attribute to use for the name of groups. | cn | +| `OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). | openCloudUUID | +| `OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. | false | +| `OC_LDAP_GROUP_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of groups (can be empty). | mail | +| `OC_LDAP_GROUP_SCHEMA_MEMBER` | 1.0.0 | string | LDAP Attribute that is used for group members. | member | +| `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. | sub | +| `OC_LDAP_INSECURE` | 1.0.0 | bool | Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. | false | +| `OC_LDAP_SERVER_WRITE_ENABLED` | 1.0.0 | bool | Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables). | true | +| `OC_LDAP_URI` | 1.0.0 | string | Url of the LDAP service to use as IDP. | ldap://localhost:9236 | +| `OC_LDAP_USER_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP users. 
| ou=users,o=libregraph-idm | +| `OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP Attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled | +| `OC_LDAP_USER_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'. | | +| `OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | LDAP User ObjectClass like 'inetOrgPerson'. | inetOrgPerson | +| `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of users. | displayname | +| `OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP User UUID attribute like 'uid'. | openCloudUUID | +| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. | false | +| `OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP User email attribute like 'mail'. | mail | +| `OC_LDAP_USER_SCHEMA_TENANT_ID` | 4.0.0 | string | LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment. | | +| `OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP User name attribute like 'displayName'. | displayName | +| `OC_LDAP_USER_SCHEMA_USER_TYPE` | 1.0.0 | string | LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'. | openCloudUserType | +| `OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. | sub | +| `OC_LOG_LEVEL` | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | error | +| `OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | The machine auth API key used to validate internal requests necessary to access resources from other services. 
| | +| `OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 | +| `OC_OIDC_CLIENT_ID` | 1.0.0 | string | The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP. | web | +| `OC_OIDC_CLIENT_SCOPES` | 6.0.0 | []string | The OIDC client scopes the Android app should request. | [openid profile email offline_access] | +| `OC_OIDC_ISSUER` | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 | +| `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | 1.0.0 | string | Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details. | | +| `OC_PASSWORD_POLICY_DISABLED` | 1.0.0 | bool | Disable the password policy. Defaults to false if not set. | false | +| `OC_PASSWORD_POLICY_MIN_CHARACTERS` | 1.0.0 | int | Define the minimum password length. Defaults to 8 if not set. | 8 | +| `OC_PASSWORD_POLICY_MIN_DIGITS` | 1.0.0 | int | Define the minimum number of digits. Defaults to 1 if not set. | 1 | +| `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of uppercase letters. Defaults to 1 if not set. | 1 | +| `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` | 1.0.0 | int | Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set. | 1 | +| `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of lowercase letters. Defaults to 1 if not set. | 1 | +| `OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. 
| memory | +| `OC_PERSISTENT_STORE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | +| `OC_PERSISTENT_STORE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | +| `OC_PERSISTENT_STORE_ENABLE_TLS` | next | bool | Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured. | false | +| `OC_PERSISTENT_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [] | +| `OC_PERSISTENT_STORE_TLS_INSECURE` | next | bool | Whether to verify the server TLS certificates. | false | +| `OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE` | next | string | The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false. | | +| `OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. | 336h0m0s | +| `OC_REVA_GATEWAY` | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway | +| `OC_SERVICE_ACCOUNT_ID` | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. | | +| `OC_SERVICE_ACCOUNT_SECRET` | 1.0.0 | string | The service account secret. | | +| `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords on all public shares. | true | +| `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords for writable shares. 
Only effective if the setting for 'passwords on all public shares' is set to false. | false | +| `OC_SHOW_USER_EMAIL_IN_RESULTS` | 1.0.0 | bool | Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. | false | +| `OC_SPACES_MAX_QUOTA` | 1.0.0 | uint64 | Set the global max quota value in bytes. A value of 0 equals unlimited. The value is provided via capabilities. | 0 | +| `OC_SYSTEM_USER_API_KEY` | 1.0.0 | string | API key for the STORAGE-SYSTEM system user. | | +| `OC_SYSTEM_USER_ID` | 1.0.0 | string | ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. | | +| `OC_SYSTEM_USER_IDP` | 1.0.0 | string | IDP of the OpenCloud STORAGE-SYSTEM system user. | internal | +| `OC_TRANSFER_SECRET` | 1.0.0 | string | Transfer secret for signing file up- and download requests. | | +| `OC_TRANSLATION_PATH` | 1.0.0 | string | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. | | +| `OC_URL` | 1.0.0 | string | The public facing URL of the OpenCloud frontend. | https://localhost:9200 | +| `OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable the chat functionality of the office app. | false | +| `SEARCH_EVENTS_ACK_WAIT` | 4.0.0 | Duration | The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes. | 1m0s | +| `SEARCH_EVENTS_MAX_ACK_PENDING` | 4.0.0 | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. 
| 10000 | +| `STORAGE_GATEWAY_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system | +| `STORAGE_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system | +| `STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY` | 1.0.0 | Duration | The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details. | 0s | +| `STORAGE_USERS_PERMISSION_ENDPOINT` | 1.0.0 | string | Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'. | eu.opencloud.api.settings | +| `WEB_OIDC_CLIENT_ID` | 1.0.0 | string | The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP. | web | +| `WEB_OIDC_SCOPE` | 1.0.0 | string | OIDC scopes to request during authentication to authorize access to user details. Defaults to 'openid profile email'. Values are separated by blank. More example values but not limited to are 'address' or 'phone' etc. | openid profile email | diff --git a/versioned_docs/version-7.x/_static/env-vars/graph.yaml b/versioned_docs/version-7.x/_static/env-vars/graph.yaml new file mode 100644 index 000000000..845691247 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/graph.yaml 
@@ -0,0 +1,166 @@ +# Autogenerated +# Filename: graph.yaml + +loglevel: error +cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: cache-roles + table: "" + ttl: 24h0m0s + disable_persistence: false + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +debug: + addr: 127.0.0.1:9124 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9120 + root: /graph + tls: + enabled: false + cert: "" + key: "" + apitoken: "" + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Purge + - Restore + allow_credentials: true +api: + group_members_patch_limit: 20 + graph_username_match: default + graph_assign_default_user_role: true + graph_identity_search_min_length: 3 + show_email_in_results: false +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +token_manager: + jwt_secret: "" +grpc_client_tls: null +application: + id: "" + displayname: OpenCloud +spaces: + webdav_base: https://localhost:9200 + webdav_path: /dav/spaces/ + default_quota: "1000000000" + extended_space_properties_cache_ttl: 60000000000 + users_cache_ttl: 60000000000 + groups_cache_ttl: 60000000000 + storage_users_address: eu.opencloud.api.storage-users + default_language: "" + translation_path: "" +identity: + backend: ldap + ldap: + uri: ldap://localhost:9236 + cacert: "" + insecure: false + bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm + bind_password: "" + use_server_uuid: false + use_password_modify_exop: true + write_enabled: true + refint_enabled: false + user_base_dn: ou=users,o=libregraph-idm + user_search_scope: sub + user_filter: "" + user_objectclass: inetOrgPerson + user_mail_attribute: mail + user_displayname_attribute: displayName + user_name_attribute: uid + user_id_attribute: openCloudUUID + user_id_is_octet_string: false + 
user_type_attribute: openCloudUserType + user_enabled_attribute: openCloudUserEnabled + disable_user_mechanism: attribute + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + group_create_base_dn: ou=groups,o=libregraph-idm + group_search_scope: sub + group_filter: "" + group_objectclass: groupOfNames + group_name_attribute: cn + group_member_attribute: member + group_id_attribute: openCloudUUID + group_id_is_octet_string: false + education_resources_enabled: false + educationconfig: + school_base_dn: "" + school_search_scope: "" + school_filter: "" + school_objectclass: "" + school_name_attribute: "" + school_number_attribute: "" + school_id_attribute: "" + school_termination_min_grace_days: 0 +include_ocm_sharees: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +unified_roles: + available_roles: + - b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 + - a8d5fe5e-96e3-418d-825b-534dbdf22b99 + - fb6c3e19-e378-47e5-b277-9732f9de6e21 + - 58c63c02-1d89-4572-916a-870abc5a1b7d + - 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a + - 1c996275-f1c9-4e71-abdf-a42f6495e960 + - 312c0871-5ef7-4b3a-85b6-0e4074c64049 +max_concurrency: 20 +keycloak: + base_path: "" + client_id: "" + client_secret: "" + client_realm: "" + user_realm: "" + insecure_skip_verify: false +service_account: + service_account_id: "" + service_account_secret: "" +metadata_config: + gateway_addr: eu.opencloud.api.storage-system + storage_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" +user_soft_delete_retention_time: 0s +store: + nodes: + - 127.0.0.1:9233 + database: graph + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" 
diff --git a/versioned_docs/version-7.x/_static/env-vars/graph_configvars.md b/versioned_docs/version-7.x/_static/env-vars/graph_configvars.md new file mode 100644 index 000000000..b3228de03 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/graph_configvars.md @@ -0,0 +1,122 @@ +## Environment variables for the **graph** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`GRAPH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`OC_CACHE_STORE`
`GRAPH_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`GRAPH_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`GRAPH_CACHE_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-roles`| +|`GRAPH_CACHE_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_CACHE_TTL`
`GRAPH_CACHE_TTL`| 1.0.0 |Duration|`Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`24h0m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`GRAPH_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`GRAPH_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`GRAPH_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`GRAPH_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`GRAPH_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false.`|``| +|`GRAPH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9124`| +|`GRAPH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`GRAPH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`GRAPH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`GRAPH_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9120`| +|`GRAPH_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/graph`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`GRAPH_HTTP_API_TOKEN`| 1.0.0 |string|`An optional API bearer token`|``| +|`OC_CORS_ALLOW_ORIGINS`
`GRAPH_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`GRAPH_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`GRAPH_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Purge Restore]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`GRAPH_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`GRAPH_GROUP_MEMBERS_PATCH_LIMIT`| 1.0.0 |int|`The amount of group members allowed to be added with a single patch request.`|`20`| +|`GRAPH_USERNAME_MATCH`| 1.0.0 |string|`Apply restrictions to usernames. Supported values are 'default' and 'none'. When set to 'default', user names must not start with a number and are restricted to ASCII characters. When set to 'none', no restrictions are applied. The default value is 'default'.`|`default`| +|`GRAPH_ASSIGN_DEFAULT_USER_ROLE`| 1.0.0 |bool|`Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user.`|`true`| +|`GRAPH_IDENTITY_SEARCH_MIN_LENGTH`| 1.0.0 |int|`The minimum length the search term needs to have for unprivileged users when searching for users or groups.`|`3`| +|`OC_SHOW_USER_EMAIL_IN_RESULTS`| 1.0.0 |bool|`Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_JWT_SECRET`
`GRAPH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`GRAPH_APPLICATION_ID`| 1.0.0 |string|`The OpenCloud application ID shown in the graph. All app roles are tied to this ID.`|``| +|`GRAPH_APPLICATION_DISPLAYNAME`| 1.0.0 |string|`The OpenCloud application name.`|`OpenCloud`| +|`OC_URL`
`GRAPH_SPACES_WEBDAV_BASE`| 1.0.0 |string|`The public facing URL of WebDAV.`|`https://localhost:9200`| +|`GRAPH_SPACES_WEBDAV_PATH`| 1.0.0 |string|`The WebDAV sub-path for spaces.`|`/dav/spaces/`| +|`GRAPH_SPACES_DEFAULT_QUOTA`| 1.0.0 |string|`The default quota in bytes.`|`1000000000`| +|`GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces property cache.`|`60000000000`| +|`GRAPH_SPACES_USERS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces users cache.`|`60000000000`| +|`GRAPH_SPACES_GROUPS_CACHE_TTL`| 1.0.0 |int|`Max TTL in seconds for the spaces groups cache.`|`60000000000`| +|`GRAPH_SPACES_STORAGE_USERS_ADDRESS`| 1.0.0 |string|`The address of the storage-users service.`|`eu.opencloud.api.storage-users`| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_TRANSLATION_PATH`
`GRAPH_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`GRAPH_IDENTITY_BACKEND`| 1.0.0 |string|`The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.`|`ldap`| +|`OC_LDAP_URI`
`GRAPH_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldap://localhost:9236`| +|`OC_LDAP_CACERT`
`GRAPH_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|``| +|`OC_LDAP_INSECURE`
`GRAPH_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`GRAPH_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=libregraph,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`GRAPH_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`GRAPH_LDAP_SERVER_UUID`| 1.0.0 |bool|`If set to true, rely on the LDAP Server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute.`|`false`| +|`GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP`| 1.0.0 |bool|`Use the 'Password Modify Extended Operation' for updating user passwords.`|`true`| +|`OC_LDAP_SERVER_WRITE_ENABLED`
`GRAPH_LDAP_SERVER_WRITE_ENABLED`| 1.0.0 |bool|`Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables).`|`true`| +|`GRAPH_LDAP_REFINT_ENABLED`| 1.0.0 |bool|`Signals that the server has the refint plugin enabled, which makes some actions not needed.`|`false`| +|`OC_LDAP_USER_BASE_DN`
`GRAPH_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`GRAPH_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_USER_FILTER`
`GRAPH_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`GRAPH_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`GRAPH_LDAP_USER_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the display name of users.`|`displayName`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`GRAPH_LDAP_USER_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_USER_SCHEMA_ID`
`GRAPH_LDAP_USER_UID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| +|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`GRAPH_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|`openCloudUserType`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`GRAPH_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`GRAPH_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'.`|`attribute`| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`GRAPH_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`GRAPH_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`GRAPH_LDAP_GROUP_CREATE_BASE_DN`| 1.0.0 |string|`Parent DN under which new groups are created. This DN needs to be subordinate to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups outside of this subtree are treated as readonly groups and cannot be updated.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_GROUP_SCOPE`
`GRAPH_LDAP_GROUP_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_FILTER`
`GRAPH_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_GROUP_OBJECTCLASS`
`GRAPH_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GRAPH_LDAP_GROUP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`GRAPH_LDAP_GROUP_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for groups is of the 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| +|`GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED`| 1.0.0 |bool|`Enable LDAP support for managing education related resources.`|`false`| +|`GRAPH_LDAP_SCHOOL_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP schools.`|``| +|`GRAPH_LDAP_SCHOOL_SEARCH_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'.`|``| +|`GRAPH_LDAP_SCHOOL_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for school searches.`|``| +|`GRAPH_LDAP_SCHOOL_OBJECTCLASS`| 1.0.0 |string|`The object class to use for schools in the default school search filter.`|``| +|`GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the name of a school.`|``| +|`GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use for the number of a school.`|``| +|`GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as the unique id for schools. This should be a stable globally unique ID like a UUID.`|``| +|`GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS`| 1.0.0 |int|`When setting a 'terminationDate' for a school, require the date to be at least this number of days in the future.`|`0`| +|`OC_ENABLE_OCM`
`GRAPH_INCLUDE_OCM_SHAREES`| 1.0.0 |bool|`Include OCM sharees when listing users.`|`false`| +|`OC_EVENTS_ENDPOINT`
`GRAPH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`GRAPH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`GRAPH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`GRAPH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`GRAPH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`GRAPH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`GRAPH_AVAILABLE_ROLES`| 1.0.0 |[]string|`A comma separated list of roles that are available for assignment.`|`[b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049]`| +|`OC_MAX_CONCURRENCY`
`GRAPH_MAX_CONCURRENCY`| 1.0.0 |int|`The maximum number of concurrent requests the service will handle.`|`20`| +|`OC_KEYCLOAK_BASE_PATH`
`GRAPH_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_ID`
`GRAPH_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client id to authenticate with keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_SECRET`
`GRAPH_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|``| +|`OC_KEYCLOAK_CLIENT_REALM`
`GRAPH_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|``| +|`OC_KEYCLOAK_USER_REALM`
`GRAPH_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|``| +|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|`false`| +|`OC_SERVICE_ACCOUNT_ID`
`GRAPH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`GRAPH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`GRAPH_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`GRAPH_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 4.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`GRAPH_SYSTEM_USER_ID`| 4.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`GRAPH_SYSTEM_USER_IDP`| 4.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`| 4.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`GRAPH_USER_SOFT_DELETE_RETENTION_TIME`| 4.0.0 |Duration|`The time after which a soft-deleted user is permanently deleted. If set to 0 (default), there is no soft delete retention time and users are deleted immediately after being soft-deleted. If set to a positive value, the user will be kept in the system for that duration before being permanently deleted.`|`0s`| +|`OC_PERSISTENT_STORE_NODES`
`GRAPH_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`GRAPH_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`graph`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`GRAPH_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`GRAPH_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_ENABLE_TLS`
`GRAPH_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`| +|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`GRAPH_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/graph_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/graph_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/graph_readme.md b/versioned_docs/version-7.x/_static/env-vars/graph_readme.md new file mode 100755 index 000000000..9b48eb186 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/graph_readme.md 
@@ -0,0 +1,207 @@ + + +## Abstract + + +The graph service provides the Graph API which is a RESTful web API used to access OpenCloud +resources. It is inspired by the [Microsoft Graph API](https://learn.microsoft.com/en-us/graph/use-the-api) +and can be used by clients or other services or extensions. Visit the [Libre Graph API](https://docs.opencloud.eu/swagger/libre-graph-api/) +for a detailed specification of the API implemented by the graph service. + + +## Table of Contents + +* [Sequence Diagram](#sequence-diagram) +* [Users and Groups API](#users-and-groups-api) + * [LDAP Configuration](#ldap-configuration) + * [Read-Only Access to Existing LDAP Servers](#readonly-access-to-existing-ldap-servers) + * [Using a Write Enabled LDAP Server](#using-a-write-enabled-ldap-server) +* [Query Filters Provided by the Graph API](#query-filters-provided-by-the-graph-api) +* [Caching](#caching) +* [Keycloak Configuration For The Personal Data Export](#keycloak-configuration-for-the-personal-data-export) + * [Keycloak Client Configuration](#keycloak-client-configuration) +* [Translations](#translations) + * [Translation Rules](#translation-rules) +* [Default Language](#default-language) +* [Unified Role Management](#unified-role-management) + +## Sequence Diagram + +The following image gives an overview of the scenario when a client requests to list available spaces the user has access to. To do so, the client is directed with his request automatically via the proxy service to the graph service. + + + +## Users and Groups API + +The graph service provides endpoints for querying users and groups. It features two different backend implementations: + * `ldap`: This is currently the default backend. It queries user and group information from an + LDAP server. Depending on the configuration, it can also be used to manage (create, update, + delete) users and groups provided by an LDAP server. 
+ * `cs3`: This backend queries users and groups using the CS3 identity APIs as implemented by the + `users` and `groups` service. This backend is currently still experimental and only implements a + subset of the Libre Graph API. It should not be used in production. + +### LDAP Configuration + +The LDAP backend is configured using a set of environment variables. A detailed list of all the +available configuration options can be found in the [documentation](https://docs.opencloud.eu/docs/dev/server/services/graph/environment-variables). +The LDAP related options are prefixed with `OC_LDAP_` (or `GRAPH_LDAP_` for settings specific to graph service). + +#### Read-Only Access to Existing LDAP Servers + +To connect the graph service to an existing LDAP server, set `OC_LDAP_SERVER_WRITE_ENABLED` to +`false` to prevent the graph service from sending write operations to the LDAP server. Also set the +various `OC_LDAP_*` environment variables to match the configuration of the LDAP server you are connecting +to. A more detailed explanation can be found [here](https://docs.opencloud.eu/docs/admin/configuration/authentication-and-user-management/. + +#### Using a Write Enabled LDAP Server + +To use the graph service for managing (create, update, delete) users and groups, a write enabled LDAP +server is required. In the default configuration, the graph service will use the simple LDAP server +that is bundled with OpenCloud in the `idm` service which provides all the required features. +It is also possible to setup up an external LDAP server with write access for use with OpenCloud. It is +recommend to use OpenLDAP for this. The LDAP server needs to fulfill a couple of requirements with +respect to the available schema: + * The LDAP server must provide the `inetOrgPerson` object class for users and the `groupOfNames` + object class for groups. + * The graph service maintains a few additional attributes for users and groups that are not + available in the standard LDAP schema. 
An schema file, ready to use with OpenLDAP, defining those + additional attributes is available [here](https://github.com/opencloud-eu/opencloud-compose/blob/main/config/ldap/schemas/10_opencloud_schema.ldif) + +## Query Filters Provided by the Graph API + +Some API endpoints provided by the graph service allow to specify query filters. The filter syntax +is based on the [OData Specification](https://docs.oasis-open.org/odata/odata/v4.01/odata-v4.01-part1-protocol.html#sec_SystemQueryOptionfilter). +See the [Libre Graph API](https://docs.opencloud.eu/swagger/libre-graph-api/#/users/ListUsers) for examples +on the filters supported when querying users. + +## Caching + +The `graph` service can use a configured store via `GRAPH_CACHE_STORE`. Possible stores are: + - `memory`: Basic in-memory store and the default. + - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster. + - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store) + - `noop`: Stores nothing. Useful for testing. Not recommended in production environments. + +Other store types may work but are not supported currently. + +Store specific notes: + - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. + - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus. + - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc. + +## Keycloak Configuration For The Personal Data Export + +If Keycloak is used for authentication, GDPR regulations require to add all personal identifiable information that Keycloak has about the user to the personal data export. 
To do this, the following environment variables must be set: + +* `OC_KEYCLOAK_BASE_PATH` - The URL to the keycloak instance. +* `OC_KEYCLOAK_CLIENT_ID` - The client ID of the client that is used to authenticate with keycloak, this client has to be able to list users and get the credential data. +* `OC_KEYCLOAK_CLIENT_SECRET` - The client secret of the client that is used to authenticate with keycloak. +* `OC_KEYCLOAK_CLIENT_REALM` - The realm the client is defined in. +* `OC_KEYCLOAK_USER_REALM` - The realm the OpenCloud users are defined in. +* `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` - If set to true, the TLS certificate of the keycloak instance is not verified. + +### Keycloak Client Configuration + +The client that is used to authenticate with keycloak has to be able to list users and get the credential data. To do this, the following roles have to be assigned to the client and they have to be about the realm that contains the OpenCloud users: + +* `view-users` +* `view-identity-providers` +* `view-realm` +* `view-clients` +* `view-events` +* `view-authorization` + +:::note +These roles are only available to assign if the client is in the `master` realm. +::: + +## Translations + +The `graph` service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, the `GRAPH_TRANSLATION_PATH` environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the graph service, a shared storage is recommended. 
Translation files must be of type [.po](https://www.gnu.org/software/gettext/manual/html_node/PO-Files.html#PO-Files) or [.mo](https://www.gnu.org/software/gettext/manual/html_node/Binaries.html). For each language, the filename needs to be `graph.po` (or `graph.mo`) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be: + +```text +{GRAPH_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/graph.po +``` + +The language code pattern is composed of `language[_territory]` where `language` is the base language and `_territory` is optional and defines a country. + +For example, for the language `de`, one needs to place the corresponding translation files to `{GRAPH_TRANSLATION_PATH}/de_DE/LC_MESSAGES/graph.po`. + + + +:::warning +For the time being, the embedded OpenCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code `language_territory`, the web frontend does not see it as it only requests `language`. In consequence, any translations made must exist in the requested `language` to avoid a fallback to the default. +::: + +### Translation Rules + +* If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code `de_DE` is not available, the service tries to fall back to translations in the `de` folder. +* If the base language `de` is also not available, the service falls back to the system's default English (`en`), +which is the source of the texts provided by the code. + +## Default Language + +The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description. + +## Unified Role Management + +Unified Roles are roles granted a user for sharing and can be enabled or disabled. 
A CLI command is provided to list existing roles and their state among other data. + +:::info +Note that a disabled role does not lose previously assigned permissions. It only means that the role is not available for new assignments. +::: + +The following roles are **enabled** by default: + +- `UnifiedRoleViewerID` +- `UnifiedRoleSpaceViewer` +- `UnifiedRoleEditor` +- `UnifiedRoleSpaceEditor` +- `UnifiedRoleFileEditor` +- `UnifiedRoleEditorLite` +- `UnifiedRoleManager` + +The following role is **disabled** by default: + +- `UnifiedRoleSecureViewer` + +To enable disabled roles like the `UnifiedRoleSecureViewer`, you must provide the UID(s) by one of the following methods: + +- Using the `GRAPH_AVAILABLE_ROLES` environment variable. +- Setting the `available_roles` configuration value. + +The following CLI command simplifies the process of finding out which UID belongs to which role: + +```bash +opencloud graph list-unified-roles +``` + +The output of this command includes the following information for each role: + +* `UID`\ + The unique identifier of the role. +* `Enabled`\ + Whether the role is enabled or not. +* `Description`\ + A short description of the role. +* `Condition` +* `Allowed resource actions` + +**Example output (shortned)** + +```bash ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +| UID | ENABLED | DESCRIPTION | CONDITION | ALLOWED RESOURCE ACTIONS | ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +| a8d5fe5e-96e3-418d-825b-534dbdf22b99 | enabled | View and download. 
| exists @Resource.Root | libre.graph/driveItem/path/read | +| | | | | libre.graph/driveItem/quota/read | +| | | | | libre.graph/driveItem/content/read | +| | | | | libre.graph/driveItem/permissions/read | +| | | | | libre.graph/driveItem/children/read | +| | | | | libre.graph/driveItem/deleted/read | +| | | | | libre.graph/driveItem/basic/read | ++--------------------------------------+----------+--------------------------------+--------------------------------+------------------------------------------+ +``` + + diff --git a/versioned_docs/version-7.x/_static/env-vars/groups.yaml b/versioned_docs/version-7.x/_static/env-vars/groups.yaml new file mode 100644 index 000000000..8b631cff3 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/groups.yaml 
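Review bot: In the "Keycloak Configuration For The Personal Data Export" section of graph_readme.md, `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` appears in the list introduced by "the following environment variables must be set", which reads as if turning off certificate verification were required for the export. The graph environment variable table in this same commit gives that setting a default of `false` and the warning "Do not set this in production environments", and the readme bullet should say the same, for example `OC_KEYCLOAK_INSECURE_SKIP_VERIFY - optional, default false. If set to true, the TLS certificate of the keycloak instance is not verified. Do not set this in production environments.` This matters because the connection carries the client secret and the users' personal data, so the service should be able to authenticate the Keycloak endpoint. Separately, the link at the end of "Read-Only Access to Existing LDAP Servers" is missing its closing parenthesis (`.../authentication-and-user-management/.`), so it will not render as a link.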
@@ -0,0 +1,63 @@ +# Autogenerated +# Filename: groups.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9161 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9160 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +driver: ldap +drivers: + ldap: + uri: ldap://localhost:9236 + ca_cert: "" + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + user_scope: sub + group_scope: sub + group_substring_filter_type: any + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + idp: https://localhost:9200 + user_schema: + id: openCloudUUID + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + group_schema: + id: openCloudUUID + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false + enable_medial_search: false diff --git a/versioned_docs/version-7.x/_static/env-vars/groups_configvars.md b/versioned_docs/version-7.x/_static/env-vars/groups_configvars.md new file mode 100644 index 000000000..4528aa7bf --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/groups_configvars.md @@ -0,0 +1,53 @@ +## Environment variables for the **groups** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`GROUPS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`GROUPS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9161`| +|`GROUPS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`GROUPS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`GROUPS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`GROUPS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9160`| +|`OC_GRPC_PROTOCOL`
`GROUPS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`GROUPS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`GROUPS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`GROUPS_DRIVER`| 1.0.0 |string|`The driver which should be used by the groups service. Supported values are 'ldap' and 'owncloudsql'.`|`ldap`| +|`OC_LDAP_URI`
`GROUPS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldap://localhost:9236`| +|`OC_LDAP_CACERT`
`GROUPS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|``| +|`OC_LDAP_INSECURE`
`GROUPS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`GROUPS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`GROUPS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`GROUPS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`GROUPS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`GROUPS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_SCOPE`
`GROUPS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`LDAP_GROUP_SUBSTRING_FILTER_TYPE`
`GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for groups. Supported values are 'initial', 'final' and 'any'. The value 'initial' is used for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|`any`| +|`OC_LDAP_USER_FILTER`
`GROUPS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_GROUP_FILTER`
`GROUPS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`GROUPS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter ('inetOrgPerson').`|`inetOrgPerson`| +|`OC_LDAP_GROUP_OBJECTCLASS`
`GROUPS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter ('groupOfNames').`|`groupOfNames`| +|`OC_URL`
`OC_OIDC_ISSUER`
`GROUPS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider.`|`https://localhost:9200`| +|`OC_LDAP_USER_SCHEMA_ID`
`GROUPS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID.`|`openCloudUUID`| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`GROUPS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`GROUPS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`GROUPS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID.`|`openCloudUUID`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`GROUPS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`GROUPS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`GROUPS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| +|`GROUPS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|``| +|`GROUPS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| +|`GROUPS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| +|`GROUPS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| +|`GROUPS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`GROUPS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| +|`GROUPS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames.`|`false`| +|`GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|`false`| +|`GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|`false`| diff --git a/versioned_docs/version-7.x/_static/env-vars/groups_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/groups_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/groups_readme.md b/versioned_docs/version-7.x/_static/env-vars/groups_readme.md new file mode 100755 index 000000000..25426780e --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/groups_readme.md 
@@ -0,0 +1,41 @@
+
+
+## Abstract
+
+
+The `groups` service provides the CS3 Groups API for OpenCloud. It is responsible for managing group information and memberships within the OpenCloud instance.
+
+This service implements the CS3 identity group provider interface, allowing other services to query and manage groups. It works as a backend provider for the `graph` service when using the CS3 backend mode.
+
+
+## Table of Contents
+
+* [Backend Integration](#backend-integration)
+* [API](#api)
+* [Usage](#usage)
+* [Scalability](#scalability)
+
+## Backend Integration
+
+The groups service can work with different storage backends:
+- LDAP integration through the graph service
+- Direct CS3 API implementation
+
+When using the `graph` service with the CS3 backend (`GRAPH_IDENTITY_BACKEND=cs3`), the graph service queries group information through this service.
+
+## API
+
+The service provides CS3 gRPC APIs for:
+- Listing groups
+- Getting group information
+- Finding groups by name or ID
+- Managing group memberships
+
+## Usage
+
+The groups service is only used internally by other OpenCloud services and not being accessed directly by clients. The `frontend` and `ocs` services translate HTTP API requests into CS3 API calls to this service.
+
+## Scalability
+
+Since the groups service queries backend systems (like LDAP through the configured identity backend), it can be scaled horizontally without additional configuration when using stateless backends.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/idm.yaml b/versioned_docs/version-7.x/_static/env-vars/idm.yaml
new file mode 100644
index 000000000..b18d35d50
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/idm.yaml
@@ -0,0 +1,23 @@ +# Autogenerated +# Filename: idm.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9239 + token: "" + pprof: false + zpages: false +idm: + ldaps_addr: "" + ldapaddr: 127.0.0.1:9236 + cert: "" + key: "" + database: /var/lib/opencloud/idm/idm.boltdb +create_demo_users: false +demo_users_issuer_url: https://localhost:9200 +service_user_passwords: + admin_password: "" + idm_password: "" + reva_password: "" + idp_password: "" +admin_user_id: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/idm_configvars.md b/versioned_docs/version-7.x/_static/env-vars/idm_configvars.md new file mode 100644 index 000000000..916708bef --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/idm_configvars.md @@ -0,0 +1,20 @@ +## Environment variables for the **idm** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`IDM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`IDM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9239`| +|`IDM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`IDM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`IDM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`IDM_LDAPS_ADDR`| 1.0.0 |string|`Listen address for the LDAPS listener (ip-addr:port).`|``| +|`IDM_LDAPS_CERT`| 1.0.0 |string|`File name of the TLS server certificate for the LDAPS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|``| +|`IDM_LDAPS_KEY`| 1.0.0 |string|`File name for the TLS certificate key for the server certificate. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|``| +|`IDM_DATABASE_PATH`| 1.0.0 |string|`Full path to the IDM backend database. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|`/var/lib/opencloud/idm/idm.boltdb`| +|`IDM_CREATE_DEMO_USERS`| 1.0.0 |bool|`Flag to enable or disable the creation of the demo users.`|`false`| +|`OC_URL`
`OC_OIDC_ISSUER`| 1.0.0 |string|`The OIDC issuer URL to assign to the demo users.`|`https://localhost:9200`| +|`IDM_ADMIN_PASSWORD`| 1.0.0 |string|`Password to set for the OpenCloud 'admin' user. Either cleartext or an argon2id hash.`|``| +|`IDM_SVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idm' service user. Either cleartext or an argon2id hash.`|``| +|`IDM_REVASVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'reva' service user. Either cleartext or an argon2id hash.`|``| +|`IDM_IDPSVC_PASSWORD`| 1.0.0 |string|`Password to set for the 'idp' service user. Either cleartext or an argon2id hash.`|``| +|`OC_ADMIN_USER_ID`
`IDM_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/idm_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/idm_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/idm_readme.md b/versioned_docs/version-7.x/_static/env-vars/idm_readme.md new file mode 100755 index 000000000..a504c9188 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/idm_readme.md 
@@ -0,0 +1,29 @@ + + +## Abstract + + +The IDM service provides a minimal LDAP Service, based on [Libregraph idm](https://github.com/libregraph/idm), for OpenCloud. It is started as part of the default configuration and serves as a central place for storing user and group information. + +It is mainly targeted at small OpenCloud installations. For larger setups it is recommended to replace IDM with a “real” LDAP server or to switch to an external identity management solution. + +IDM listens on port 9235 by default. In the default configuration it only accepts TLS-protected connections (LDAPS). The BaseDN of the LDAP tree is `o=libregraph-idm`. IDM gives LDAP write permissions to a single user (DN: `uid=libregraph,ou=sysusers,o=libregraph-idm`). Any other authenticated user has read-only access. IDM stores its data in a boltdb file `idm/idm.boltdb` inside the OpenCloud base data directory. + +The internal LDAP certificate and key are stored as `ldap.crt` and `ldap.key` in the IDM data directory. By default, these certificates expire after 12 months. When the certificate has expired, IDM can no longer establish valid TLS connections and requests that depend on LDAP may fail with `500 Internal Server Error`. + +To renew the internal LDAP certificate, stop or restart the OpenCloud container after deleting the expired certificate and key: + +```bash +cd .opencloud/idm +rm ldap.crt ldap.key +docker compose restart +``` + +The certificate and key are automatically regenerated when the container starts again. For more details, see [Internal LibreIDM cert expires](https://docs.opencloud.eu/docs/admin/resources/common-issues/#internal-libreidm-cert-expires). + +Note: IDM is limited in its functionality. It only supports a subset of the LDAP operations (namely `BIND`, `SEARCH`, `ADD`, `MODIFY`, `DELETE`). Also, IDM currently does not do any schema verification (like. structural vs. auxiliary object classes, require and option attributes, syntax checks, …). 
Therefore it is not meant as a general purpose LDAP server. + +## Table of Contents + + + diff --git a/versioned_docs/version-7.x/_static/env-vars/idp.yaml b/versioned_docs/version-7.x/_static/env-vars/idp.yaml new file mode 100644 index 000000000..4f2ead2c3 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/idp.yaml 
@@ -0,0 +1,113 @@ +# Autogenerated +# Filename: idp.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9134 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9130 + root: / + tls_cert: /var/lib/opencloud/idp/server.crt + tls_key: /var/lib/opencloud/idp/server.key + tls: false +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +machine_auth_api_key: "" +asset: + asset: "" + login-background-url: "" +idp: + iss: https://localhost:9200 + identity_manager: ldap + uri_base_path: "" + sign_in_uri: "" + signed_out_uri: "" + authorization_endpoint_uri: "" + ldap_insecure: false + trusted_proxy: [] + allow_scope: [] + allow_client_guests: false + allow_dynamic_client_registration: false + encrypt_secret_file: /var/lib/opencloud/idp/encryption.key + listen: "" + identifierdefaultbannerlogo: "" + default_sign_in_page_text: "" + default_logo_target_uri: https://opencloud.eu + identifierdefaultusernamehinttext: "" + identifieruilocales: [] + signing_kid: private-key + signing_method: PS256 + signing_private_key_files: + - /var/lib/opencloud/idp/private-key.pem + validation_keys_path: "" + cookiebackenduri: "" + cookienames: [] + cookiesamesite: 3 + access_token_duration_seconds: 300 + id_token_duration_seconds: 300 + refresh_token_duration_seconds: 2592000 + dynamic_client_secret_duration_seconds: 0 +clients: +- id: web + name: OpenCloud Web App + trusted: true + secret: "" + redirect_uris: + - '{{OC_URL}}/' + - '{{OC_URL}}/oidc-callback.html' + - '{{OC_URL}}/oidc-silent-redirect.html' + post_logout_redirect_uris: [] + origins: + - '{{OC_URL}}' + application_type: "" +- id: OpenCloudDesktop + name: OpenCloud Desktop Client + trusted: false + secret: "" + redirect_uris: + - http://127.0.0.1 + - http://localhost + post_logout_redirect_uris: [] + origins: [] + application_type: native +- id: OpenCloudAndroid + name: OpenCloud Android App + trusted: false + secret: "" + redirect_uris: + - oc://android.opencloud.eu + post_logout_redirect_uris: 
+ - oc://android.opencloud.eu + origins: [] + application_type: native +- id: OpenCloudIOS + name: OpenCloud iOS App + trusted: false + secret: "" + redirect_uris: + - oc://ios.opencloud.eu + post_logout_redirect_uris: + - oc://ios.opencloud.eu + origins: [] + application_type: native +ldap: + uri: ldap://localhost:9236 + cacert: "" + bind_dn: uid=idp,ou=sysusers,o=libregraph-idm + bind_password: "" + base_dn: ou=users,o=libregraph-idm + scope: sub + login_attribute: uid + email_attribute: mail + name_attribute: displayName + uuid_attribute: openCloudUUID + uuid_attribute_type: text + user_enabled_attribute: openCloudUserEnabled + filter: "" + objectclass: inetOrgPerson diff --git a/versioned_docs/version-7.x/_static/env-vars/idp_configvars.md b/versioned_docs/version-7.x/_static/env-vars/idp_configvars.md new file mode 100644 index 000000000..546a615e0 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/idp_configvars.md @@ -0,0 +1,55 @@ +## Environment variables for the **idp** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`IDP_PASSWORD_RESET_URI`| 1.0.0 |string|`The URI where a user can reset their password.`|``| +|`OC_LOG_LEVEL`
`IDP_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`IDP_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9134`| +|`IDP_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`IDP_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`IDP_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`IDP_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9130`| +|`IDP_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`IDP_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/var/lib/opencloud/idp/server.crt`| +|`IDP_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/var/lib/opencloud/idp/server.key`| +|`IDP_TLS`| 1.0.0 |bool|`Disable or Enable HTTPS for the communication between the Proxy service and the IDP service. If set to 'true', the key and cert files need to be configured and present.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_MACHINE_AUTH_API_KEY`
`IDP_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| +|`IDP_ASSET_PATH`| 1.0.0 |string|`Serve IDP assets from a path on the filesystem instead of the builtin assets.`|``| +|`IDP_LOGIN_BACKGROUND_URL`| 1.0.0 |string|`Configure an alternative URL to the background image for the login page.`|``| +|`OC_URL`
`OC_OIDC_ISSUER`
`IDP_ISS`| 1.0.0 |string|`The OIDC issuer URL to use.`|`https://localhost:9200`| +|`IDP_IDENTITY_MANAGER`| 1.0.0 |string|`The identity manager implementation to use. Supported identity managers are 'ldap', 'cs3', 'libregraph' and 'guest'.`|`ldap`| +|`IDP_URI_BASE_PATH`| 1.0.0 |string|`IDP uri base path (defaults to '').`|``| +|`IDP_SIGN_IN_URI`| 1.0.0 |string|`IDP sign-in url.`|``| +|`IDP_SIGN_OUT_URI`| 1.0.0 |string|`IDP sign-out url.`|``| +|`IDP_ENDPOINT_URI`| 1.0.0 |string|`URL of the IDP endpoint.`|``| +|`OC_LDAP_INSECURE`
`IDP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`IDP_ALLOW_CLIENT_GUESTS`| 1.0.0 |bool|`Allow guest clients to access OpenCloud.`|`false`| +|`IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION`| 1.0.0 |bool|`Allow dynamic client registration.`|`false`| +|`IDP_ENCRYPTION_SECRET_FILE`| 1.0.0 |string|`Path to the encryption secret file, if unset, a new certificate will be autogenerated upon each restart, thus invalidating all existing sessions. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|`/var/lib/opencloud/idp/encryption.key`| +|`IDP_DEFAULT_SIGNIN_PAGE_TEXT`| 2.0.0 |string|``|``| +|`IDP_DEFAULT_LOGO_TARGET_URI`| 4.0.0 |string|`Default logo target URI.`|`https://opencloud.eu`| +|`IDP_SIGNING_KID`| 1.0.0 |string|`Value of the KID (Key ID) field which is used in created tokens to uniquely identify the signing-private-key.`|`private-key`| +|`IDP_SIGNING_METHOD`| 1.0.0 |string|`Signing method of IDP requests like 'PS256'`|`PS256`| +|`IDP_SIGNING_PRIVATE_KEY_FILES`| 1.0.0 |[]string|`A list of private key files for signing IDP requests. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. See the Environment Variable Types description for more details.`|`[/var/lib/opencloud/idp/private-key.pem]`| +|`IDP_VALIDATION_KEYS_PATH`| 1.0.0 |string|`Path to validation keys for IDP requests.`|``| +|`IDP_ACCESS_TOKEN_EXPIRATION`| 1.0.0 |uint64|`'Access token lifespan in seconds (time before an access token is expired).'`|`300`| +|`IDP_ID_TOKEN_EXPIRATION`| 1.0.0 |uint64|`ID token lifespan in seconds (time before an ID token is expired).`|`300`| +|`IDP_REFRESH_TOKEN_EXPIRATION`| 1.0.0 |uint64|`Refresh token lifespan in seconds (time before an refresh token is expired). 
This also limits the duration of an idle offline session.`|`2592000`| +|`IDP_DYNAMIC_CLIENT_SECRET_DURATION`| 1.0.0 |uint64|`Lifespan in seconds of a dynamically registered OIDC client.`|`0`| +|`OC_LDAP_URI`
`IDP_LDAP_URI`| 1.0.0 |string|`Url of the LDAP service to use as IDP.`|`ldap://localhost:9236`| +|`OC_LDAP_CACERT`
`IDP_LDAP_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp.`|``| +|`OC_LDAP_BIND_DN`
`IDP_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=idp,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`IDP_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`IDP_LDAP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_USER_SCOPE`
`IDP_LDAP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.`|`sub`| +|`IDP_LDAP_LOGIN_ATTRIBUTE`| 1.0.0 |string|`LDAP User attribute to use for login like 'uid'.`|`uid`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`IDP_LDAP_EMAIL_ATTRIBUTE`| 1.0.0 |string|`LDAP User email attribute like 'mail'.`|`mail`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`IDP_LDAP_NAME_ATTRIBUTE`| 1.0.0 |string|`LDAP User name attribute like 'displayName'.`|`displayName`| +|`OC_LDAP_USER_SCHEMA_ID`
`IDP_LDAP_UUID_ATTRIBUTE`| 1.0.0 |string|`LDAP User UUID attribute like 'uid'.`|`openCloudUUID`| +|`IDP_LDAP_UUID_ATTRIBUTE_TYPE`| 1.0.0 |string|`LDAP User uuid attribute type like 'text'.`|`text`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`IDP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to use as a flag telling if the user is enabled or disabled.`|`openCloudUserEnabled`| +|`OC_LDAP_USER_FILTER`
`IDP_LDAP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`IDP_LDAP_OBJECTCLASS`| 1.0.0 |string|`LDAP User ObjectClass like 'inetOrgPerson'.`|`inetOrgPerson`| diff --git a/versioned_docs/version-7.x/_static/env-vars/idp_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/idp_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/idp_readme.md b/versioned_docs/version-7.x/_static/env-vars/idp_readme.md new file mode 100755 index 000000000..c2d9fd6b6 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/idp_readme.md 
@@ -0,0 +1,92 @@ + + +## Abstract + + +This service provides a builtin minimal OpenID Connect provider based on [LibreGraph Connect (lico)](https://github.com/libregraph/lico) for OpenCloud. + +It is mainly targeted at smaller installations. For larger setups it is recommended to replace IDP with an external OpenID Connect Provider. + +By default, it is configured to use the OpenCloud IDM service as its LDAP backend for looking up and authenticating users. Other backends like an external LDAP server can be configured via a set of [enviroment variables](https://docs.opencloud.eu/docs/dev/server/services/idp/environment-variables). + +Note that translations provided by the IDP service are not maintained via OpenCloud but part of the embedded [LibreGraph Connect Identifier](https://github.com/libregraph/lico/tree/master/identifier) package. + + +## Table of Contents + +* [Configuration](#configuration) + * [Custom Clients](#custom-clients) + +## Configuration + +### Custom Clients + +By default the `idp` service generates a OIDC client configuration suitable for +using OpenCloud with the standard client applications (Web, Desktop, iOS and +Android). If you need to configure additional client it is possible to inject a +custom configuration via `yaml`. This can be done by adding a section `clients` +to the `idp` section of the main configuration file (`opencloud.yaml`). This section +needs to contain configuration for all clients (including the standard clients). + +For example if you want to add a (public) client for use with the oidc-agent you would +need to add this snippet to the `idp` section in `opencloud.yaml`. 
+ +```yaml +clients: +- id: web + name: OpenCloud Web App + trusted: true + secret: "" + redirect_uris: + - https://opencloud.k8s:9200/ + - https://opencloud.k8s:9200/oidc-callback.html + - https://opencloud.k8s:9200/oidc-silent-redirect.html + post_logout_redirect_uris: [] + origins: + - https://opencloud.k8s:9200 + application_type: "" +- id: OpenCloudDesktop + name: OpenCloud Desktop Client + trusted: false + secret: "" + redirect_uris: + - http://127.0.0.1 + - http://localhost + post_logout_redirect_uris: [] + origins: [] + application_type: native +- id: OpenCloudAndroid + name: OpenCloud Android App + trusted: false + secret: "" + redirect_uris: + - oc://android.opencloud.eu + post_logout_redirect_uris: + - oc://android.opencloud.eu + origins: [] + application_type: native +- id: OpenCloudIOS + name: OpenCloud iOS App + trusted: false + secret: "" + redirect_uris: + - oc://ios.opencloud.eu + post_logout_redirect_uris: + - oc://ios.opencloud.eu + origins: [] + application_type: native +- id: oidc-agent + name: OIDC Agent + trusted: false + secret: "" + redirect_uris: + - http://127.0.0.1 + - http://localhost + post_logout_redirect_uris: [] + origins: [] + application_type: native +``` + + + + diff --git a/versioned_docs/version-7.x/_static/env-vars/invitations.yaml b/versioned_docs/version-7.x/_static/env-vars/invitations.yaml new file mode 100644 index 000000000..5b61607dd --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/invitations.yaml 
@@ -0,0 +1,31 @@ +# Autogenerated +# Filename: invitations.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9269 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9265 + root: /graph/v1.0 + cors: + allow_origins: + - https://localhost:9200 + allow_methods: [] + allow_headers: [] + allow_credentials: false + tls: + enabled: false + cert: "" + key: "" +keycloak: + base_path: "" + client_id: "" + client_secret: "" + client_realm: "" + user_realm: "" + insecure_skip_verify: false +token_manager: + jwt_secret: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/invitations_configvars.md b/versioned_docs/version-7.x/_static/env-vars/invitations_configvars.md new file mode 100644 index 000000000..62db49b8c --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/invitations_configvars.md @@ -0,0 +1,25 @@ +## Environment variables for the **invitations** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`INVITATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`INVITATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9269`| +|`INVITATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`INVITATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`INVITATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`INVITATIONS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9265`| +|`INVITATIONS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/graph/v1.0`| +|`OC_CORS_ALLOW_ORIGINS`
`INVITATIONS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`INVITATIONS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_HEADERS`
`INVITATIONS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`INVITATIONS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_KEYCLOAK_BASE_PATH`
`INVITATIONS_KEYCLOAK_BASE_PATH`| 1.0.0 |string|`The URL to access keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_ID`
`INVITATIONS_KEYCLOAK_CLIENT_ID`| 1.0.0 |string|`The client ID to authenticate with keycloak.`|``| +|`OC_KEYCLOAK_CLIENT_SECRET`
`INVITATIONS_KEYCLOAK_CLIENT_SECRET`| 1.0.0 |string|`The client secret to use in authentication.`|``| +|`OC_KEYCLOAK_CLIENT_REALM`
`INVITATIONS_KEYCLOAK_CLIENT_REALM`| 1.0.0 |string|`The realm the client is defined in.`|``| +|`OC_KEYCLOAK_USER_REALM`
`INVITATIONS_KEYCLOAK_USER_REALM`| 1.0.0 |string|`The realm users are defined.`|``| +|`OC_KEYCLOAK_INSECURE_SKIP_VERIFY`
`INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY`| 1.0.0 |bool|`Disable TLS certificate validation for Keycloak connections. Do not set this in production environments.`|`false`| +|`OC_JWT_SECRET`
`INVITATIONS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/invitations_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/invitations_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/invitations_readme.md b/versioned_docs/version-7.x/_static/env-vars/invitations_readme.md new file mode 100755 index 000000000..92cb10047 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/invitations_readme.md 
@@ -0,0 +1,58 @@
+
+
+## Abstract
+
+
+The invitations service provides an [Invitation Manager](https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http) that can be used to invite external users, aka guests, to an organization.
+
+* Users invited via the Invitation Manager (via the libre graph API) will have the `userType="Guest"`.
+* Users belonging to the organization have the `userType="Member"`.
+
+The corresponding CS3 API [user types](https://cs3org.github.io/cs3apis/#cs3.identity.user.v1beta1.UserType) used to reperesent this are: `USER_TYPE_GUEST` and `USER_TYPE_PRIMARY`.
+
+
+## Table of Contents
+
+* [Provisioning Backends](#provisioning-backends)
+ * [Keycloak](#keycloak)
+ * [Keycloak Realm Configuration](#keycloak-realm-configuration)
+* [Backend Configuration](#backend-configuration)
+* [Bridging Provisioning Delay](#bridging-provisioning-delay)
+
+## Provisioning Backends
+
+When OpenCloud is used via the IDM service for the user management, users are created using the `/graph/v1.0/users` endpoint via the libre graph API. For larger deployments, the Keycloak admin API can be used to provision users. In a future step, the endpoint, credentials and body might be made configurable using templates.
+
+### Keycloak
+
+The default and currently only available backend used to handle invitations is [Keycloak](https://www.keycloak.org/). Keycloak is an open source identity and access management (IAM) system which is also integrated by other OpenCloud services as an authentication and authorization backend.
+
+#### Keycloak Realm Configuration
+
+
+
+See the [example configuration json file](https://github.com/opencloud-eu/opencloud/blob/main/services/invitations/md-sources/example-realm.json) of a Keycloak realm the backend will work with. This file includes the `invitations` client, which is relevant for this service.
+
+To use the example json, set the `INVITATIONS_KEYCLOAK_CLIENT_ID` setting to `invitations`, though any other client ID can be configured.
+
+Importing this example into Keycloak will give you a realm that federates with an LDAP server, has the right
+clients configured and all mappers correctly set. Be sure to set all the credentials after the import,
+as they will be disabled.
+
+The most relevant bits are the mappers for the `OPENCLOUD_ID` and `OPENCLOUD_USER_TYPE` user properties.
+
+## Backend Configuration
+
+After Keycloak has been configured, the invitation service needs to be configured with the following environment variables:
+
+* `INVITATIONS_KEYCLOAK_BASE_PATH`: The URL to access Keycloak.
+* `INVITATIONS_KEYCLOAK_CLIENT_ID`: The client ID of the client to use. In the above example, `invitations` is used.
+* `INVITATIONS_KEYCLOAK_CLIENT_SECRET`: The client secret used to authenticate. This can be found in the Keycloak UI.
+* `INVITATIONS_KEYCLOAK_CLIENT_REALM`: The realm where the client was added. In the example above, `opencloud` is used.
+* `INVITATIONS_KEYCLOAK_USER_REALM`: The realm where to add the users. In the example above, `opencloud` is used.
+* `INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY`: If set to true, the verification of the Keycloak HTTPS certificate is skipped. This is not recommended in production environments.
+
+## Bridging Provisioning Delay
+
+Consider that when a guest account has to be provisioned in an external user management, there might be a delay between creating the user and the user being available in the local OpenCloud system.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/nats.yaml b/versioned_docs/version-7.x/_static/env-vars/nats.yaml
new file mode 100644
index 000000000..919f81a74
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/nats.yaml
@@ -0,0 +1,18 @@ +# Autogenerated +# Filename: nats.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9234 + token: "" + pprof: false + zpages: false +nats: + host: 127.0.0.1 + port: 9233 + clusterid: opencloud-cluster + store_dir: /var/lib/opencloud/nats + tls_cert: /var/lib/opencloud/nats/tls.crt + tls_key: /var/lib/opencloud/nats/tls.key + tls_skip_verify_client_cert: false + enable_tls: false diff --git a/versioned_docs/version-7.x/_static/env-vars/nats_configvars.md b/versioned_docs/version-7.x/_static/env-vars/nats_configvars.md new file mode 100644 index 000000000..e8deae91f --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/nats_configvars.md @@ -0,0 +1,17 @@ +## Environment variables for the **nats** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`NATS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`NATS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9234`| +|`NATS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`NATS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`NATS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`NATS_NATS_HOST`| 1.0.0 |string|`Bind address.`|`127.0.0.1`| +|`NATS_NATS_PORT`| 1.0.0 |int|`Bind port.`|`9233`| +|`NATS_NATS_CLUSTER_ID`| 1.0.0 |string|`ID of the NATS cluster.`|`opencloud-cluster`| +|`NATS_NATS_STORE_DIR`| 1.0.0 |string|`The directory where the filesystem storage will store NATS JetStream data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/var/lib/opencloud/nats`| +|`NATS_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/var/lib/opencloud/nats/tls.crt`| +|`NATS_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats.`|`/var/lib/opencloud/nats/tls.key`| +|`OC_INSECURE`
`NATS_TLS_SKIP_VERIFY_CLIENT_CERT`| 1.0.0 |bool|`Whether the NATS server should skip the client certificate verification during the TLS handshake.`|`false`| +|`OC_EVENTS_ENABLE_TLS`
`NATS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| diff --git a/versioned_docs/version-7.x/_static/env-vars/nats_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/nats_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/nats_readme.md b/versioned_docs/version-7.x/_static/env-vars/nats_readme.md new file mode 100755 index 000000000..9f232cea0 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/nats_readme.md 
@@ -0,0 +1,37 @@
+
+
+## Abstract
+
+
+The nats service is the event broker of the system. It distributes events among all other services and enables other services to communicate asynchronous.
+
+Services can `Publish` events to the nats service and nats will store these events on disk and distribute these events to other services eventually. Services can `Consume` events from the nats service by registering to a `ConsumerGroup`. Each `ConsumerGroup` is guaranteed to get each event exactly once. In most cases, each service will register its own `ConsumerGroup`. When there are multiple instances of a service, those instances will usually use that `ConsumerGroup` as common resource.
+
+
+## Table of Contents
+
+* [Underlying Technology](#underlying-technology)
+* [Default Registry](#default-registry)
+* [Persistance](#persistance)
+* [TLS Encryption](#tls-encryption)
+
+## Underlying Technology
+
+As the service name suggests, this service is based on [NATS](https://nats.io/) specifically on [NATS Jetstream](https://docs.nats.io/nats-concepts/jetstream) to enable persistence.
+
+## Default Registry
+
+By default, `nats-js-kv` is configured as embedded default registry via the `MICRO_REGISTRY` environment variable. If you do not want using the build-in nats registry, set `MICRO_REGISTRY_ADDRESS` to the address of the nats-js cluster, which is the same value as `OC_EVENTS_ENDPOINT`. Optionally use `MICRO_REGISTRY_AUTH_USERNAME` and `MICRO_REGISTRY_AUTH_PASSWORD` to authenticate with the external nats cluster.
+
+## Persistance
+
+To be able to deliver events even after a system or service restart, nats will store events in a folder on the local filesystem. This folder can be specified by setting the `NATS_NATS_STORE_DIR` enviroment variable. If not set, the service will fall back to `$OC_BASE_DATA_PATH/nats`.
+ +## TLS Encryption + +Connections to the nats service (`Publisher`/`Consumer` see above) can be TLS encrypted by setting the corresponding env vars `NATS_TLS_CERT`, `NATS_TLS_KEY` to the cert and key files and `ENABLE_TLS` to true. Checking the certificate of incoming request can be disabled with the `NATS_EVENTS_ENABLE_TLS` environment variable. + +Certificate files can also be set via global variables starting with `OC_`, for details see the environment variable list. + +Note that using TLS is highly recommended for productive environments, especially when using container orchestration with Kubernetes. + diff --git a/versioned_docs/version-7.x/_static/env-vars/notifications.yaml b/versioned_docs/version-7.x/_static/env-vars/notifications.yaml new file mode 100644 index 000000000..0c49b9ae4 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/notifications.yaml @@ -0,0 +1,51 @@ +# Autogenerated +# Filename: notifications.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9174 + token: "" + pprof: false + zpages: false +opencloud_url: https://localhost:9200 +notifications: + SMTP: + smtp_host: "" + smtp_port: 0 + smtp_sender: "" + smtp_username: "" + smtp_password: "" + insecure: false + smtp_authentication: "" + smtp_encryption: none + events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + email_template_path: "" + translation_path: "" + default_language: "" + reva_gateway: eu.opencloud.api.gateway + grpc_client_tls: null +grpc_client_tls: + mode: "" + cacert: "" +service_account: + service_account_id: "" + service_account_secret: "" +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: notifications + table: "" + ttl: 336h0m0s + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" 
diff --git a/versioned_docs/version-7.x/_static/env-vars/notifications_configvars.md b/versioned_docs/version-7.x/_static/env-vars/notifications_configvars.md new file mode 100644 index 000000000..3e8a1c13c --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/notifications_configvars.md @@ -0,0 +1,43 @@ +## Environment variables for the **notifications** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`NOTIFICATIONS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`NOTIFICATIONS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9174`| +|`NOTIFICATIONS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`NOTIFICATIONS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`NOTIFICATIONS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_URL`
`NOTIFICATIONS_WEB_UI_URL`| 1.0.0 |string|`The public facing URL of the OpenCloud Web UI, used e.g. when sending notification eMails`|`https://localhost:9200`| +|`NOTIFICATIONS_SMTP_HOST`| 1.0.0 |string|`SMTP host to connect to.`|``| +|`NOTIFICATIONS_SMTP_PORT`| 1.0.0 |int|`Port of the SMTP host to connect to.`|`0`| +|`NOTIFICATIONS_SMTP_SENDER`| 1.0.0 |string|`Sender address of emails that will be sent (e.g. 'OpenCloud '.`|``| +|`NOTIFICATIONS_SMTP_USERNAME`| 1.0.0 |string|`Username for the SMTP host to connect to.`|``| +|`NOTIFICATIONS_SMTP_PASSWORD`| 1.0.0 |string|`Password for the SMTP host to connect to.`|``| +|`NOTIFICATIONS_SMTP_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the SMTP server.`|`false`| +|`NOTIFICATIONS_SMTP_AUTHENTICATION`| 1.0.0 |string|`Authentication method for the SMTP communication. Possible values are 'login', 'plain', 'crammd5', 'none' or 'auto'. If set to 'auto' or unset, the authentication method is automatically negotiated with the server.`|``| +|`NOTIFICATIONS_SMTP_ENCRYPTION`| 1.0.0 |string|`Encryption method for the SMTP communication. Possible values are 'starttls', 'ssltls' and 'none'.`|`none`| +|`OC_EVENTS_ENDPOINT`
`NOTIFICATIONS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`NOTIFICATIONS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`NOTIFICATIONS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`NOTIFICATIONS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`NOTIFICATIONS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`NOTIFICATIONS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EMAIL_TEMPLATE_PATH`
`NOTIFICATIONS_EMAIL_TEMPLATE_PATH`| 1.0.0 |string|`Path to Email notification templates overriding embedded ones.`|``| +|`OC_TRANSLATION_PATH`
`NOTIFICATIONS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`NOTIFICATIONS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`NOTIFICATIONS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_PERSISTENT_STORE`
`NOTIFICATIONS_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`NOTIFICATIONS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`NOTIFICATIONS_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`notifications`| +|`NOTIFICATIONS_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`NOTIFICATIONS_STORE_TTL`| 1.0.0 |Duration|`Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`NOTIFICATIONS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`NOTIFICATIONS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_ENABLE_TLS`
`NOTIFICATIONS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`| +|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`NOTIFICATIONS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/notifications_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/notifications_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/notifications_readme.md b/versioned_docs/version-7.x/_static/env-vars/notifications_readme.md new file mode 100755 index 000000000..ab986e6de --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/notifications_readme.md 
@@ -0,0 +1,120 @@ + + +## Abstract + + +The notification service is responsible for sending emails to users informing them about events that happened. To do this, it hooks into the event system and listens for certain events that the users need to be informed about. + + +## Table of Contents + +* [Email Notification Templates](#email-notification-templates) + * [Templates subfolder hierarchy](#templates-subfolder-hierarchy) +* [Sending Grouped Emails](#sending-grouped-emails) + * [Storing](#storing) +* [Translations](#translations) + * [Translation Rules](#translation-rules) +* [Default Language](#default-language) + +## Email Notification Templates + +The `notifications` service has embedded email text and html body templates. + +Email templates can use the placeholders `{{ .Greeting }}`, `{{ .MessageBody }}` and `{{ .CallToAction }}` which are replaced with translations when sent, see the [Translations](#translations) section for more details. Though the email subject is also part of translations, it has no placeholder as it is a mandatory email component. + +Depending on the email purpose, placeholders will contain different strings. An individual translatable string is available for each purpose, finally resolved by the placeholder. The embedded templates are available for all deployment scenarios. + +```text +template + placeholders + translated strings <-- source strings <-- purpose +final output +``` + +In addition, the notifications service supports custom templates. Custom email templates take precedence over the embedded ones. If a custom email template exists, the embedded templates are not used. To configure custom email templates, the `NOTIFICATIONS_EMAIL_TEMPLATE_PATH` environment variable needs to point to a base folder that will contain the email templates and follow the [templates subfolder hierarchy](#templates-subfolder-hierarchy).This path must be available from all instances of the notifications service, a shared storage is recommended. 
+```text +{NOTIFICATIONS_EMAIL_TEMPLATE_PATH}/templates/text/email.text.tmpl +{NOTIFICATIONS_EMAIL_TEMPLATE_PATH}/templates/html/email.html.tmpl +{NOTIFICATIONS_EMAIL_TEMPLATE_PATH}/templates/html/img/ +``` +The source templates provided by OpenCloud you can derive from are located in the following base folder [https://github.com/opencloud-eu/opencloud/tree/main/services/notifications/pkg/email/templates](https://github.com/opencloud-eu/opencloud/tree/main/services/notifications/pkg/email/templates) with subfolders `templates/text` and `templates/html`. + +- [text/email.text.tmpl](https://github.com/opencloud-eu/opencloud/blob/main/services/notifications/pkg/email/templates/text/email.text.tmpl) +- [html/email.html.tmpl](https://github.com/opencloud-eu/opencloud/blob/main/services/notifications/pkg/email/templates/html/email.html.tmpl) + +### Templates subfolder hierarchy +```text +templates +│ +└───html +│ │ email.html.tmpl +│ │ +│ └───img +│ │ logo-mail.gif +│ +└───text + │ email.text.tmpl +``` + +Custom email templates referenced via `NOTIFICATIONS_EMAIL_TEMPLATE_PATH` must also be located in subfolder `templates/text` and `templates/html` and must have the same names as the embedded templates. It is important that the names of these files and folders match the embedded ones. +The `templates/html` subfolder contains a default HTML template provided by OpenCloud. When using a custom HTML template, hosted images can either be linked with standard HTML code like ```logo-mail``` or embedded as a CID source ```logo-mail```. In the latter case, image files must be located in the `templates/html/img` subfolder. Supported embedded image types are png, jpeg, and gif. +Consider that embedding images via a CID resource may not be fully supported in all email web clients. + +## Sending Grouped Emails + +The `notification` service can initiate sending emails based on events stored in the configured store that are grouped into a `daily` or `weekly` bucket. 
These groups contain events that get populated e.g. when the user configures `daily` or `weekly` email notifications in his personal settings in the web UI. If a user does not define any of the named groups for notification events, no event is stored. + +Grouped events are stored for the TTL defined in `OC_PERSISTENT_STORE_TTL`. This TTL can either be configured globally or individually for the notification service via the `NOTIFICATIONS_STORE_TTL` envvar. + +Grouped events that have passed the TTL are removed automatically without further notice or sending! + +To initiate sending grouped emails like via a cron job, use the `opencloud notifications send-email` command. Note that the command mandatory requires at least one option which is `--daily` or `--weekly`. Note that both options can be used together. + +### Storing + +The `notifications` service persists information via the configured store in `NOTIFICATIONS_STORE`. Possible stores are: +- `memory`: Basic in-memory store. Will not survive a restart. This is not recommended for this service. +- `redis-sentinel`: Stores data in a configured Redis Sentinel cluster. +- `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store). This is the default value. +- `noop`: Stores nothing. Useful for testing. Not recommended in production environments. + +Other store types may work but are not supported currently. + +Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances! + +Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version. + +Store specific notes: +- When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. 
+- When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus. +- When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc. + +## Translations + +The `notifications` service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. + +In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, +the `NOTIFICATIONS_TRANSLATION_PATH` environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the notifications service, a shared storage is recommended. Translation files must be of type [.po](https://www.gnu.org/software/gettext/manual/html_node/PO-Files.html#PO-Files) or [.mo](https://www.gnu.org/software/gettext/manual/html_node/Binaries.html). For each language, the filename needs to be `notifications.po` (or `notifications.mo`) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be: + +```text +{NOTIFICATIONS_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/notifications.po +``` + +The language code pattern is composed of `language[_territory]` where `language` is the base language and `_territory` is optional and defines a country. + +For example, for the language `de`, one needs to place the corresponding translation files to `{NOTIFICATIONS_TRANSLATION_PATH}/de/LC_MESSAGES/notifications.po`. 
+ + + +Important: For the time being, the embedded OpenCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code `language_territory`, the web frontend does not see it as it only requests `language`. In consequence, any translations made must exist in the requested `language` to avoid a fallback to the default. + +### Translation Rules + +* If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code `de_DE` is not available, the service tries to fall back to translations in the `de` folder. +* If the base language `de` is also not available, the service falls back to the system's default English (`en`), +which is the source of the texts provided by the code. + +## Default Language + +The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description. + diff --git a/versioned_docs/version-7.x/_static/env-vars/ocm.yaml b/versioned_docs/version-7.x/_static/env-vars/ocm.yaml new file mode 100644 index 000000000..89b9d4b89 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/ocm.yaml 
@@ -0,0 +1,110 @@ +# Autogenerated +# Filename: ocm.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9281 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9280 + protocol: tcp + prefix: "" + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + - Cache-Control + allow_credentials: false +middleware: + auth: + credentials_by_user_agent: {} +grpc: + addr: 127.0.0.1:9282 + tls: null + protocol: "" +grpc_client_tls: null +service_account: + service_account_id: "" + service_account_secret: "" +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +ocmd: + prefix: ocm + expose_recipient_display_name: false +sciencemesh: + prefix: sciencemesh + science_mesh_directory_url: "" + directory_service_urls: "" + invite_accept_dialog: /open-cloud-mesh/accept-invite + ocm_client_insecure: false +ocm_invite_manager: + driver: json + drivers: + json: + file: /var/lib/opencloud/storage/ocm/ocminvites.json + token_expiration: 24h0m0s + timeout: 30s + insecure: false +ocm_provider_authorizer_driver: json +ocm_provider_authorizer_drivers: + json: + providers: /etc/opencloud/ocmproviders.json +ocm_share_provider: + driver: json + drivers: + json: + file: /var/lib/opencloud/storage/ocm/ocmshares.json + insecure: false + webapp_template: "" +ocm_core: + driver: json + drivers: + json: + file: /var/lib/opencloud/storage/ocm/ocmshares.json +ocm_storage_provider: + 
insecure: false + storage_root: /var/lib/opencloud/storage/ocm + data_server_url: http://localhost:9280/data diff --git a/versioned_docs/version-7.x/_static/env-vars/ocm_configvars.md b/versioned_docs/version-7.x/_static/env-vars/ocm_configvars.md new file mode 100644 index 000000000..700dceaa6 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/ocm_configvars.md @@ -0,0 +1,54 @@ +## Environment variables for the **ocm** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`OCM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`OCM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9281`| +|`OCM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`OCM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`OCM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OCM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9280`| +|`OCM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`OCM_HTTP_PREFIX`| 1.0.0 |string|`The path prefix where OCM can be accessed (defaults to /).`|``| +|`OC_CORS_ALLOW_ORIGINS`
`OCM_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`OCM_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| +|`OC_CORS_ALLOW_HEADERS`
`OCM_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCM_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OCM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9282`| +|`OC_GRPC_PROTOCOL`
`OCM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`OCM_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`OCM_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_EVENTS_ENDPOINT`
`OCM_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`OCM_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`OCM_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`OCM_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided OCM_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`OCM_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`OCM_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`OCM_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_JWT_SECRET`
`OCM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OCM_OCMD_PREFIX`| 1.0.0 |string|`URL path prefix for the OCMD service. Note that the string must not start with '/'.`|`ocm`| +|`OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME`| 1.0.0 |bool|`Expose the display name of OCM share recipients.`|`false`| +|`OCM_SCIENCEMESH_PREFIX`| 1.0.0 |string|`URL path prefix for the ScienceMesh service. Note that the string must not start with '/'.`|`sciencemesh`| +|`OCM_MESH_DIRECTORY_URL`| 1.0.0 |string|`URL of the mesh directory service.`|``| +|`OCM_DIRECTORY_SERVICE_URLS`| 3.5.0 |string|`Space delimited URLs of the directory services.`|``| +|`OCM_INVITE_ACCEPT_DIALOG`| 3.5.0 |string|`/open-cloud-mesh/accept-invite;The frontend URL where to land when receiving an invitation`|`/open-cloud-mesh/accept-invite`| +|`OC_INSECURE`
`OCM_CLIENT_INSECURE`| 6.0.0 |bool|`Dev-only. Disable TLS verification for the OCM discovery client (directory fetch and provider discovery). Does not affect OCM invite manager, storage provider, or share provider. Do not set in production.`|`false`| +|`OCM_OCM_INVITE_MANAGER_DRIVER`| 1.0.0 |string|`Driver to be used to persist OCM invites. Supported value is only 'json'.`|`json`| +|`OCM_OCM_INVITE_MANAGER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM invite data will be stored. This file is maintained by the instance and must not be changed manually. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/ocm.`|`/var/lib/opencloud/storage/ocm/ocminvites.json`| +|`OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION`| 1.0.0 |Duration|`Expiry duration for invite tokens.`|`24h0m0s`| +|`OCM_OCM_INVITE_MANAGER_TIMEOUT`| 1.0.0 |Duration|`Timeout specifies a time limit for requests made to OCM endpoints.`|`30s`| +|`OCM_OCM_INVITE_MANAGER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|`false`| +|`SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER`| 1.0.0 |string|`Driver to be used to persist ocm invites. Supported value is only 'json'.`|`json`| +|`OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE`| 1.0.0 |string|`Path to the JSON file where ocm invite data will be stored. Defaults to $OC_CONFIG_DIR/ocmproviders.json.`|`/etc/opencloud/ocmproviders.json`| +|`OCM_OCM_SHARE_PROVIDER_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM share provider. Supported value is only 'json'.`|`json`| +|`OCM_OCM_SHAREPROVIDER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/ocm/ocmshares.json`| +|`OCM_OCM_SHARE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. 
Do not set this in production environments.`|`false`| +|`OCM_WEBAPP_TEMPLATE`| 1.0.0 |string|`Template for the webapp url.`|``| +|`OCM_OCM_CORE_DRIVER`| 1.0.0 |string|`Driver to be used for the OCM core. Supported value is only 'json'.`|`json`| +|`OCM_OCM_CORE_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/ocm/ocmshares.json`| +|`OCM_OCM_STORAGE_PROVIDER_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the OCM connections. Do not set this in production environments.`|`false`| +|`OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT`| 1.0.0 |string|`Directory where the ocm storage provider persists its data like tus upload info files.`|`/var/lib/opencloud/storage/ocm`| +|`OCM_OCM_STORAGE_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|`http://localhost:9280/data`| diff --git a/versioned_docs/version-7.x/_static/env-vars/ocm_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/ocm_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/ocm_readme.md b/versioned_docs/version-7.x/_static/env-vars/ocm_readme.md new file mode 100755 index 000000000..f98eb9bd8 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/ocm_readme.md 
@@ -0,0 +1,144 @@
+
+
+## Abstract
+
+
+The `ocm` service provides federated sharing functionality based on the [sciencemesh](https://sciencemesh.io/) and [ocm](https://github.com/cs3org/OCM-API) HTTP APIs. Internally the `ocm` service consists of the following services and endpoints:
+
+External HTTP APIs:
+* sciencemesh: serves the API for the invitation workflow
+* ocmd: serves the API for managing federated shares
+
+Internal GRPC APIs:
+* ocmproviderauthorizer: manages the list of trusted providers and verifies requests
+* ocminvitemanager: manages the list and state of invite tokens
+* ocmshareprovider: manages ocm shares on the sharer
+* ocmcore: used for creating federated shares on the receiver side
+* authprovider: authenticates webdav requests using the ocm share tokens
+
+
+## Table of Contents
+
+* [Enable OCM](#enable-ocm)
+* [Trust Between Instances](#trust-between-instances)
+* [Invitation Workflow](#invitation-workflow)
+* [Creating Shares](#creating-shares)
+
+## Enable OCM
+
+To enable OpenCloudMesh, you have to set the following environment variable.
+
+```console
+OC_ENABLE_OCM=true
+```
+
+## Trust Between Instances
+
+The `ocm` services implements an invitation workflow which needs to be followed before creating federated shares. Invitations are limited to trusted instances, however.
+
+The list of trusted instances is managed by the `ocmproviderauthorizer` service. The only supported backend currently is `json` which stores the list in a json file on disk. Note that the `ocmproviders.json` file, which holds that configuration, is expected to be located in the root of the OpenCloud config directory if not otherwise defined. See the `OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE` envvar for more details.
+
+When all instances of a federation should trust each other, an `ocmproviders.json` file like this can be used for all instances:
+```json
+[
+ {
+ "name": "OpenCloud Test 1",
+ "full_name": "OpenCloud Test provider 1",
+ "organization": "OpenCloud One",
+ "domain": "cloud1.opencloud.test",
+ "homepage": "https://cloud1.opencloud.test",
+ "description": "First OpenCloud Example cloud storage",
+ "services": [
+ {
+ "endpoint": {
+ "type": {
+ "name": "OCM",
+ "description": "cloud1.opencloud.test Open Cloud Mesh API"
+ },
+ "name": "cloud1.opencloud.test - OCM API",
+ "path": "https://cloud1.opencloud.test/ocm/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "http://cloud1.opencloud.test"
+ },
+ {
+ "endpoint": {
+ "type": {
+ "name": "Webdav",
+ "description": "cloud1.opencloud.test Webdav API"
+ },
+ "name": "cloud1.opencloud.test Example - Webdav API",
+ "path": "https://cloud1.opencloud.test/dav/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "https://cloud1.opencloud.test/"
+ }
+ ]
+ },
+ {
+ "name": "OpenCloud Test 2",
+ "full_name": "OpenCloud Test provider 2",
+ "organization": "OpenCloud Two",
+ "domain": "cloud2.opencloud.test",
+ "homepage": "https://cloud2.opencloud.test",
+ "description": "Second OpenCloud Example cloud storage",
+ "services": [
+ {
+ "endpoint": {
+ "type": {
+ "name": "OCM",
+ "description": "cloud2.opencloud.test Open Cloud Mesh API"
+ },
+ "name": "cloud2.opencloud.test - OCM API",
+ "path": "https://cloud2.opencloud.test/ocm/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "http://cloud2.opencloud.test"
+ },
+ {
+ "endpoint": {
+ "type": {
+ "name": "Webdav",
+ "description": "cloud2.opencloud.test Webdav API"
+ },
+ "name": "cloud2.opencloud.test Example - Webdav API",
+ "path": "https://cloud2.opencloud.test/dav/",
+ "is_monitored": true
+ },
+ "api_version": "0.0.1",
+ "host": "https://cloud2.opencloud.test/"
+ }
+ ]
+ }
+]
+```
+
+:::info
+Note: the `domain` must not
contain the protocol as it has to match the [GOCDB site object domain](https://developer.sciencemesh.io/docs/technical-documentation/central-database/#site-object).
+:::
+
+The above federation consists of two instances: `cloud1.opencloud.test` and `cloud2.opencloud.test` that can use the Invitation workflow described below to generate, send and accept invitations.
+
+## Invitation Workflow
+
+Before sharing a resource with a remote user this user has to be invited by the sharer.
+
+In order to do so a POST request is sent to the `generate-invite` endpoint of the sciencemesh API. The generated token is passed on to the receiver, who will then use the `accept-invite` endpoint to accept the invitation. As a result remote users will be added to the `ocminvitemanager` on both sides. See [invitation flow](invitation-flow) for the according sequence diagram.
+
+The data backend of the `ocminvitemanager` is configurable. The only supported backend currently is `json` which stores the data in a json file on disk.
+
+## Creating Shares
+
+:::info
+The below info is outdated as we allow creating federated shares using the graph API. Clients can now discover the available sharing roles and invite federated users using the graph API.
+:::
+
+OCM Shares are currently created using the ocs API, just like regular shares. The difference is the share type, which is 6 (ShareTypeFederatedCloudShare) in this case, and a few additional parameters required for identifying the remote user.
+
+See [Create share flow](create-share-flow) for the according sequence diagram.
+
+The data backends of the `ocmshareprovider` and `ocmcore` services are configurable. The only supported backend currently is `json` which stores the data in a json file on disk.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/ocs.yaml b/versioned_docs/version-7.x/_static/env-vars/ocs.yaml
new file mode 100644
index 000000000..7bcc86906
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/ocs.yaml
@@ -0,0 +1,48 @@ +# Autogenerated +# Filename: ocs.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9114 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9110 + root: /ocs + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +signing_keys: + store: nats-js-kv + addresses: + - 127.0.0.1:9233 + ttl: 24h0m0s + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +token_manager: + jwt_secret: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/ocs_configvars.md b/versioned_docs/version-7.x/_static/env-vars/ocs_configvars.md new file mode 100644 index 000000000..b7f82885a --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/ocs_configvars.md @@ -0,0 +1,27 @@ +## Environment variables for the **ocs** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`OCS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`OCS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9114`| +|`OCS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`OCS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`OCS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OCS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9110`| +|`OCS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/ocs`| +|`OC_CORS_ALLOW_ORIGINS`
`OCS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`OCS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`OCS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`OCS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_CACHE_STORE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details.`|`nats-js-kv`| +|`OC_CACHE_STORE_NODES`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_TTL`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`24h0m0s`| +|`OC_CACHE_AUTH_USERNAME`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false.`|``| +|`OC_JWT_SECRET`
`OCS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/ocs_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/ocs_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/ocs_readme.md b/versioned_docs/version-7.x/_static/env-vars/ocs_readme.md new file mode 100755 index 000000000..48a0f02ce --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/ocs_readme.md 
@@ -0,0 +1,34 @@
+
+
+## Abstract
+
+
+The `ocs` service (open collaboration services) serves one purpose: it has an endpoint for signing keys which the web frontend accesses when uploading data.
+
+
+## Table of Contents
+
+* [Signing-Keys Endpoint](#signingkeys-endpoint)
+* [Signing-Keys Store](#signingkeys-store)
+
+## Signing-Keys Endpoint
+
+The `ocs` service contains an endpoint `/cloud/user/signing-key` on which a user can GET a signing key. Note, this functionality might be deprecated or moved in the future.
+
+## Signing-Keys Store
+
+To authenticate presigned URLs the proxy service needs to read the signing keys from a store that is populated by the ocs service.
+Possible stores that can be configured via `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE` are:
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `opencloudstoreservice`: Stores data in the legacy OpenCloud store service. Requires setting `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to `eu.opencloud.api.store`.
+
+The `memory` store cannot be used as it does not share the memory from the ocs service signing key memory store, even in a single process.
+
+Make sure to configure the same store in the proxy service.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to the same value as `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`. That way the proxy uses the same nats instance as the ocs service.
+ - When using `opencloudstoreservice` the `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` must be set to the service name `eu.opencloud.api.store`.
It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started. + diff --git a/versioned_docs/version-7.x/_static/env-vars/policies.yaml b/versioned_docs/version-7.x/_static/env-vars/policies.yaml new file mode 100644 index 000000000..3f29546c6 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/policies.yaml @@ -0,0 +1,27 @@ +# Autogenerated +# Filename: policies.yaml + +grpc: + addr: 127.0.0.1:9125 + tls: null +debug: + addr: 127.0.0.1:9129 + token: "" + pprof: false + zpages: false +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +grpc_client_tls: null +loglevel: error +engine: + timeout: 10s + policies: [] + mimes: "" +postprocessing: + query: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/policies_configvars.md b/versioned_docs/version-7.x/_static/env-vars/policies_configvars.md new file mode 100644 index 000000000..07fa62d8b --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/policies_configvars.md @@ -0,0 +1,20 @@ +## Environment variables for the **policies** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`POLICIES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9125`| +|`POLICIES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9129`| +|`POLICIES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`POLICIES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`POLICIES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_EVENTS_ENDPOINT`
`POLICIES_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`POLICIES_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`POLICIES_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the server should skip the client certificate verification during the TLS handshake.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`POLICIES_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`POLICIES_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`POLICIES_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_LOG_LEVEL`
`POLICIES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`POLICIES_ENGINE_TIMEOUT`| 1.0.0 |Duration|`Sets the timeout the rego expression evaluation can take. Rules default to deny if the timeout was reached. See the Environment Variable Types description for more details.`|`10s`| +|`POLICIES_ENGINE_MIMES`| 1.0.0 |string|`Sets the mimes file path which maps mimetypes to associated file extensions. See the text description for details.`|``| +|`POLICIES_POSTPROCESSING_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Defaults to deny if the variable was not found.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/policies_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/policies_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/policies_readme.md b/versioned_docs/version-7.x/_static/env-vars/policies_readme.md new file mode 100755 index 000000000..65da04385 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/policies_readme.md 
@@ -0,0 +1,187 @@ + + +## Abstract + + +The policies service provides a new gRPC API which can be used to check whether a requested operation is allowed or not. To do so, Open Policy Agent (OPA) is used to define the set of rules of what is permitted and what is not. + +Policies are written in the [rego query language](https://www.openpolicyagent.org/docs/latest/policy-language/). The location of the rego files can be configured via yaml, a configuration via environment variables is not possible. + + +## Table of Contents + +* [General Information](#general-information) +* [Modules](#modules) + * [gRPC API](#grpc-api) + * [Proxy Middleware](#proxy-middleware) + * [Event Service (Postprocessing)](#event-service-postprocessing) +* [Defining Policies to Evaluate](#defining-policies-to-evaluate) +* [Setting the Query Configuration](#setting-the-query-configuration) + * [Proxy](#proxy) + * [Postprocessing](#postprocessing) +* [Rego Key Match](#rego-key-match) +* [Extend Mimetype File Extension Mapping](#extend-mimetype-file-extension-mapping) +* [Example Policies](#example-policies) + +## General Information + +The policies service consists of the following modules: + +* Proxy authorization (middleware) +* Event authorization (async post-processing) +* gRPC API (can be used by other services) + +To configure the policies service, three environment variables need to be defined: + +* `POLICIES_ENGINE_TIMEOUT` +* `POLICIES_POSTPROCESSING_QUERY` +* `PROXY_POLICIES_QUERY` + +Note that each query setting defines the [Complete Rules](https://www.openpolicyagent.org/docs/latest/#complete-rules) variable defined in the rego rule set the corresponding step uses for the evaluation. If the variable is mistyped or not found, the evaluation defaults to deny. Individual query definitions can be defined for each module. + +To activate the policies service for a module, it must be started with a yaml configuration that points to one or more rego files. 
Note that if the service is scaled horizontally, each instance should have access to the same rego files to avoid unpredictable results. If a file path has been configured but the file is not present or accessible, the evaluation defaults to deny. + +When using async post-processing which is done via the postprocessing service, the value `policies` must be added to the `POSTPROCESSING_STEPS` configuration in postprocessing service in the order where the evaluation should take place. + +variable defined in the Rego rule set the corresponding step uses for the evaluation. If the variable is mistyped or not found, the evaluation defaults to deny. Individual query definitions can be defined for each module. + +To activate the policies service for a module, it must be started with a yaml configuration that points to at least one Rego file that contains the complete rule variable to be queried. Note that if the service is scaled horizontally, each instance should have access to the same Rego files to avoid unpredictable results. If a file path has been configured but the file it is not present or accessible, the evaluation defaults to deny. + +When using async post-processing via the postprocessing service, the value `policies` must be added to the `POSTPROCESSING_STEPS` configuration in the order in which the evaluation should take place. Example: First check if a file contains questionable content via policies. If it looks okay, continue to check for viruses. + +For configuration examples, the [Example Policies](#example-policies) from below are used. + +## Modules + +### gRPC API + +The gRPC API can be used by any other internal service. It can also be used for example by third parties to find out if an action is allowed or not. This layer is already used by the proxy middleware. There is no configuration necessary, because the query setting (complete rule variable) must be part of the request. 
+ +### Proxy Middleware + +The proxy service already includes a middleware which uses the internal [gRPC API](#grpc-api) to evaluate the policies. Since the proxy is in heavy use and every HTTP request is processed here, only simple and quick decisions should be evaluated. More complex queries such as file content evaluation are _strongly_ discouraged. + +If the evaluation in the proxy results in a "denied" outcome, the response will return a `403 Permission Denied` with the following response body + +```json +{ + "error": + { + "code": "deniedByPolicy", + "message": "Operation denied due to security policies", + "innererror": + { + "date": "2023-09-19T13:22:20Z", + "filename": "File", + "method": "POST", + "path": "/dav/spaces/some-space-id/Folder/", + "request-id": "9CFCE925-F9D9-4F26-AB3B-2C1C40A9CD0C" + } + } +} +``` + +### Event Service (Postprocessing) + +This layer is event-based and part of the postprocessing service. Since processing at this point is asynchronous, the operations can also take longer and be more expensive, like evaluating the contents of a file. + +## Defining Policies to Evaluate + +Each module can have as many policy files as needed for evaluation. Files can also include other files if necessary. To use policies, they have to be saved to a location that is accessible to the policies service. As a good starting point, take the config directory and use a subdirectory collecting all the `.rego` files, though any other directory can be defined. The config directory is already accessible by all services and usually is included in a xref:maintenance/b-r/backup.adoc[backup] plan. + +If this is done, it's required to configure the policies service to use these files: + +NOTE: It is important that *all* necessary files are added to the list of files the policies service uses. 
+ +```yaml +policies: + engine: + policies: + - your_path_to_policies/proxy.rego + - your_path_to_policies/postprocessing.rego + - your_path_to_policies/util.rego +``` + +Once the references to policy files are configured correctly, the `_QUERY` configuration needs to be defined for the proxy middleware and for the events service. + +## Setting the Query Configuration + +To define a value for the query evaluation, the following scheme is necessary: + +`data..` + +* The keyword `data` is mandatory and must be present. +* The `package-name` is defined in one .rego file like `package postprocessing`. It is not related to the filename. For more details, see the [packages](https://www.openpolicyagent.org/docs/latest/policy-language/#packages) documentation. +* The `complete-rule-variable-name` is the variable providing the result of the evaluation. +* Exact one of the defined files, which is responsible for returning the evaluation result, must contain the combination of `` and ``. + +### Proxy + +Note that this setting has to be part of the proxy configuration. + +```yaml +proxy: + policies_middleware: + query: data.proxy.granted +``` + +The same can be achieved by setting the following environment variable: + +```shell +export PROXY_POLICIES_QUERY=data.proxy.granted +``` + +### Postprocessing + +```yaml +policies: + postprocessing: + query: data.postprocessing.granted +``` + +The same can be achieved by setting the following environment variable: + +```shell +export POLICIES_POSTPROCESSING_QUERY=data.postprocessing.granted +``` + +As soon as that query is configured, the postprocessing service must be informed to use the policies step by setting the environment variable: + +```shell +export POSTPROCESSING_STEPS=policies +``` + +Note that additional steps can be configured and their position in the list defines the order of processing. For details see the postprocessing service documentation. 
+ +## Rego Key Match + +To identify available keys for OPA, you need to look at [engine.go](https://github.com/opencloud-eu/opencloud/blob/main/services/policies/pkg/engine/engine.go) and the [policies.swagger.json](https://github.com/opencloud-eu/opencloud/blob/master/protogen/gen/opencloud/services/policies/v0/policies.swagger.json) file. Note that which keys are available depends on from which module it is used. + +## Extend Mimetype File Extension Mapping + +In the extended set of the rego query language, it is possible to get a list of associated file extensions based on a mimetype, for example `opencloud.mimetype.extensions("application/pdf")`. + +The list of mappings is restricted by default and is provided by the host system OpenCloud is installed on. + +In order to extend this list, OpenCloud must be provided with the path to a custom `mime.types` file that maps mimetypes to extensions. +The location for the file must be accessible by all instances of the policy service. As a rule of thumb, use the directory where the OpenCloud configuration files are stored. +Note that existing mappings from the host are extended by the definitions from the mime types file, but not replaced. + +The path to that file can be provided via a yaml configuration or an environment variable. Note to replace the `OC_CONFIG_DIR` string by an existing path. + +```shell +export POLICIES_ENGINE_MIMES=OC_CONFIG_DIR/mime.types +``` + +```yaml +policies: + engine: + mimes: OC_CONFIG_DIR/mime.types +``` + +A good example of how such a file should be formatted can be found in the [Apache svn repository](https://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types). + +## Example Policies + +The policies service contains a set of preconfigured example policies. See the [devtools policie](https://github.com/opencloud-eu/opencloud/tree/main/devtools/deployments/service_policies/policies/) directory for details. 
The contained policies disallow OpenCloud to create certain file types, both via the proxy middleware and the events service via postprocessing. + diff --git a/versioned_docs/version-7.x/_static/env-vars/postprocessing.yaml b/versioned_docs/version-7.x/_static/env-vars/postprocessing.yaml new file mode 100644 index 000000000..74de6abe3 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/postprocessing.yaml @@ -0,0 +1,37 @@ +# Autogenerated +# Filename: postprocessing.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9255 + token: "" + pprof: false + zpages: false +store: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: postprocessing + table: "" + ttl: 168h0m0s + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +postprocessing: + events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + max_ack_pending: 10000 + ack_wait: 1m0s + workers: 3 + steps: [] + delayprocessing: 0s + retry_backoff_duration: 5s + max_retries: 14 diff --git a/versioned_docs/version-7.x/_static/env-vars/postprocessing_configvars.md b/versioned_docs/version-7.x/_static/env-vars/postprocessing_configvars.md new file mode 100644 index 000000000..0a30165ff --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/postprocessing_configvars.md @@ -0,0 +1,33 @@ +## Environment variables for the **postprocessing** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`POSTPROCESSING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`POSTPROCESSING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9255`| +|`POSTPROCESSING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`POSTPROCESSING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`POSTPROCESSING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`OC_PERSISTENT_STORE`
`POSTPROCESSING_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_PERSISTENT_STORE_NODES`
`POSTPROCESSING_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`POSTPROCESSING_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`postprocessing`| +|`POSTPROCESSING_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_PERSISTENT_STORE_TTL`
`POSTPROCESSING_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. See the Environment Variable Types description for more details.`|`168h0m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`POSTPROCESSING_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`POSTPROCESSING_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_ENABLE_TLS`
`POSTPROCESSING_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`| +|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`POSTPROCESSING_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`POSTPROCESSING_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_STORE_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENDPOINT`
`POSTPROCESSING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`POSTPROCESSING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`POSTPROCESSING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether the OpenCloud server should skip the client certificate verification during the TLS handshake.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`POSTPROCESSING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`POSTPROCESSING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`POSTPROCESSING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`SEARCH_EVENTS_MAX_ACK_PENDING`| 4.0.0 |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|`10000`| +|`SEARCH_EVENTS_ACK_WAIT`| 4.0.0 |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|`1m0s`| +|`POSTPROCESSING_WORKERS`| 1.0.0 |int|`The number of concurrent go routines that fetch events from the event queue.`|`3`| +|`POSTPROCESSING_STEPS`| 1.0.0 |[]string|`A list of postprocessing steps processed in order of their appearance. Currently supported values by the system are: 'virusscan', 'policies' and 'delay'. Custom steps are allowed. See the documentation for instructions. See the Environment Variable Types description for more details.`|`[]`| +|`POSTPROCESSING_DELAY`| 1.0.0 |Duration|`After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. If a duration is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', the delay step will be processed as last step. In such a case, a log entry will be written on service startup to remind the admin about that situation. See the Environment Variable Types description for more details.`|`0s`| +|`POSTPROCESSING_RETRY_BACKOFF_DURATION`| 1.0.0 |Duration|`The base for the exponential backoff duration before retrying a failed postprocessing step. See the Environment Variable Types description for more details.`|`5s`| +|`POSTPROCESSING_MAX_RETRIES`| 1.0.0 |int|`The maximum number of retries for a failed postprocessing step.`|`14`| 
diff --git a/versioned_docs/version-7.x/_static/env-vars/postprocessing_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/postprocessing_deprecation.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/postprocessing_readme.md b/versioned_docs/version-7.x/_static/env-vars/postprocessing_readme.md
new file mode 100755
index 000000000..7ef4047a4
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/postprocessing_readme.md
@@ -0,0 +1,156 @@ + + +## Abstract + + +The `postprocessing` service handles the coordination of asynchronous postprocessing steps. + + +## Table of Contents + +* [General Prerequisites](#general-prerequisites) +* [Postprocessing Functionality](#postprocessing-functionality) +* [Storing Postprocessing Data](#storing-postprocessing-data) +* [Additional Prerequisites for the Postprocessing Service](#additional-prerequisites-for-the-postprocessing-service) +* [Postprocessing Steps](#postprocessing-steps) + * [Virus Scanning](#virus-scanning) + * [Delay](#delay) + * [Custom Postprocessing Steps](#custom-postprocessing-steps) + * [Prerequisites](#prerequisites) + * [Workflow](#workflow) +* [CLI Commands](#cli-commands) + * [Resume Postprocessing](#resume-postprocessing) +* [Metrics](#metrics) + +## General Prerequisites + +To use the postprocessing service, an event system needs to be configured for all services. By default, `OpenCloud` ships with a preconfigured `nats` service. + +## Postprocessing Functionality + +The storageprovider service (`storage-users`) can be configured to initiate asynchronous postprocessing by setting the `OC_ASYNC_UPLOADS` environment variable to `true`. If this is the case, postprocessing will get initiated *after* uploading a file and all bytes have been received. + +The `postprocessing` service will then coordinate configured postprocessing steps like scanning the file for viruses. During postprocessing, the file will be in a `processing state` where only a limited set of actions are available. Note that this processing state excludes file accessibility by users. + +When all postprocessing steps have completed successfully, the file will be made accessible for users. + +## Storing Postprocessing Data + +The `postprocessing` service needs to store some metadata about uploads to be able to orchestrate post-processing. When running in single binary mode, the default in-memory implementation will be just fine. 
In distributed deployments it is recommended to use a persistent store, see below for more details. + +The `postprocessing` service stores its metadata via the configured store in `POSTPROCESSING_STORE`. Possible stores are: + - `memory`: Basic in-memory store and the default. + - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster. + - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store) + - `noop`: Stores nothing. Useful for testing. Not recommended in production environments. + +Other store types may work but are not supported currently. + +Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances! + +Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version. + +Store specific notes: + - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. + - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus. + - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc. + +## Additional Prerequisites for the Postprocessing Service + +When postprocessing has been enabled, configuring any postprocessing step will require the requested services to be enabled and pre-configured. For example, to use the `virusscan` step, one needs to have an enabled and configured `antivirus` service. + +## Postprocessing Steps + +The postporcessing service is individually configurable. 
This is achieved by allowing a list of postprocessing steps that are processed in order of their appearance in the `POSTPROCESSING_STEPS` envvar. This envvar expects a comma separated list of steps that will be executed. Currently known steps to the system are `virusscan` and `delay`. Custom steps can be added but need an existing target for processing. + +### Virus Scanning + +To enable virus scanning as a postprocessing step after uploading a file, the environment variable `POSTPROCESSING_STEPS` needs to contain the word `virusscan` at one location in the list of steps. As a result, each uploaded file gets virus scanned as part of the postprocessing steps. Note that the `antivirus` service is required to be enabled and configured for this to work. + +### Delay + +Though this is for development purposes only and NOT RECOMMENDED on production systems, setting the environment variable `POSTPROCESSING_DELAY` to a duration not equal to zero will add a delay step with the configured amount of time. OpenCloud will continue postprocessing the file after the configured delay. Use the environment variable `POSTPROCESSING_STEPS` and the keyword `delay` if you have multiple postprocessing steps and want to define their order. If `POSTPROCESSING_DELAY` is set but the keyword `delay` is not contained in `POSTPROCESSING_STEPS`, it will be processed as last postprocessing step without being listed there. In this case, a log entry will be written on service startup to notify the admin about that situation. That log entry can be avoided by adding the keyword `delay` to `POSTPROCESSING_STEPS`. + +### Custom Postprocessing Steps +By using the envvar `POSTPROCESSING_STEPS`, custom postprocessing steps can be added. Any word can be used as step name but be careful not to conflict with exising keywords like `virusscan` and `delay`. 
In addition, if a keyword is misspelled or the corresponding service does either not exist or does not follow the necessary event communication, the postprocessing service will wait forever getting the required response to proceed and does not continue any other processing. + +#### Prerequisites +For using custom postprocessing steps you need a custom service listening to the configured event system (see `General Prerequisites`) + +#### Workflow +When defining a custom postprocessing step (eg. `"customstep"`), the postprocessing service will eventually send an event during postprocessing. The event will be of type `StartPostprocessingStep` with its field `StepToStart` set to `"customstep"`. When the service defined as custom step receives this event, it can safely execute its actions. The postprocessing service will wait until it has finished its work. The event contains further information (filename, executing user, size, ...) and also requires tokens and URLs to download the file in case byte inspection is necessary. + +Once the service defined as custom step has finished its work, it should send an event of type `PostprocessingFinished` via the configured events system back to the postprocessing service. This event needs to contain a `FinishedStep` field set to `"customstep"`. It also must contain the outcome of the step, which can be one of the following: + +- `delete`: Abort postprocessing, delete the file. +- `abort`: Abort postprocessing, keep the file. +- `retry`: There was a problem that was most likely temporary and may be solved by trying again after some backoff duration. Retry runs automatically and is defined by the backoff behavior as described below. +- `continue`: Continue postprocessing, this is the success case. + +The backoff behavior as mentioned in the `retry` outcome can be configured using the `POSTPROCESSING_RETRY_BACKOFF_DURATION` and `POSTPROCESSING_MAX_RETRIES` environment variables. 
The backoff duration is calculated using the following formula after each failure: `backoff_duration = POSTPROCESSING_RETRY_BACKOFF_DURATION * 2^(number of failures - 1)`. This means that the time between the next round grows exponentially limited by the number of retries. Steps that still don't succeed after the maximum number of retries will be automatically moved to the `abort` state. + +See the [cs3 org](https://github.com/cs3org/reva/blob/edge/pkg/events/postprocessing.go) for up-to-date information of reserved step names and event definitions. + +## CLI Commands + +### Resume Postprocessing + +**IMPORTANT** +> If not noted otherwise, commands with the `restart` option can also use the `resume` option. This changes behaviour slightly. +> +> * `restart`\ +> When restarting an upload, all steps for open items will be restarted, except if otherwise defined. +> * `resume`\ +> When resuming an upload, processing will continue unfinished items from their last completed step. + +If post-processing fails in one step due to an unforeseen error, current uploads will not be resumed automatically. A system administrator can instead run CLI commands to resume the failed upload manually which is at minimum a two step process. + +For details on the `storage-users` command see the **Manage Unfinished Uploads** documentation in the `storage-users` service documentation. + +Depending if you want to restart/resume all or defined failed uploads, different commands are used. + +- First, list ongoing upload sessions to identify possibly failed ones.\ + Note that there never can be a clear identification of a failed upload session due to various reasons causing them. You need to apply more critera like free space on disk, a failed service like antivirus etc. to declare an upload as failed. + + ```bash + opencloud storage-users uploads sessions + ``` + +- **All failed uploads**\ + If you want to restart/resume all failed uploads, just rerun the command with the relevant flag. 
Note that this is the preferred command to handle failed processing steps: + ```bash + opencloud storage-users uploads sessions --resume + ``` + +- **Particular failed uploads**\ + Use the `postprocessing` command to resume defined failed uploads. For postprocessing steps, the default is to resume . Note that at the moment, `resume` is an alias for `restart` to keep old functionality. `restart` is subject of change and will most likely be removed in a later version. + + - **Defined by ID**\ + If you want to resume only a specific upload, use the postprocessing resume command with the ID selected: + ```bash + opencloud postprocessing resume -u + ``` + + - **Defined by step**\ + Alternatively, instead of restarting one specific upload, a system admin can also resume all uploads that are currently in a specific step.\ + Examples:\ + ```bash + opencloud postprocessing resume # Resumes all uploads where postprocessing is finished, but upload is not finished + opencloud postprocessing resume -s "finished" # Equivalent to the above + opencloud postprocessing resume -s "virusscan" # Resume all uploads currently in virusscan step + ``` + +## Metrics + +The postprocessing service exposes the following prometheus metrics at `/metrics` (as configured using the `POSTPROCESSING_DEBUG_ADDR` env var): + +| Metric Name | Type | Description | Labels | +| --- | --- | --- | --- | +| `opencloud_postprocessing_build_info` | Gauge | Build information | `version` | +| `opencloud_postprocessing_events_outstanding_acks` | Gauge | Number of outstanding acks for events | | +| `opencloud_postprocessing_events_unprocessed` | Gauge | Number of unprocessed events | | +| `opencloud_postprocessing_events_redelivered` | Gauge | Number of redelivered events | | +| `opencloud_postprocessing_in_progress` | Gauge | Number of postprocessing events in progress | | +| `opencloud_postprocessing_finished` | Counter | Number of finished postprocessing events | `status` | +| 
`opencloud_postprocessing_duration_seconds` | Histogram | Duration of postprocessing operations in seconds | `status` |
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/proxy.yaml b/versioned_docs/version-7.x/_static/env-vars/proxy.yaml
new file mode 100644
index 000000000..afcf227b8
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/proxy.yaml
@@ -0,0 +1,258 @@ +# Autogenerated +# Filename: proxy.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9205 + token: "" + pprof: false + zpages: false +http: + addr: 0.0.0.0:9200 + root: / + tls_cert: /var/lib/opencloud/proxy/server.crt + tls_key: /var/lib/opencloud/proxy/server.key + tls: true +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +grpc_client_tls: null +role_quotas: {} +policies: +- name: default + routes: + - endpoint: / + service: eu.opencloud.web.web + unprotected: true + skip_x_access_token: false + - endpoint: /.well-known/ocm + service: eu.opencloud.web.ocm + unprotected: true + skip_x_access_token: false + - endpoint: /.well-known/webfinger + service: eu.opencloud.web.webfinger + unprotected: true + skip_x_access_token: false + - endpoint: /.well-known/openid-configuration + service: eu.opencloud.web.idp + unprotected: true + skip_x_access_token: false + - endpoint: /branding/logo + service: eu.opencloud.web.web + skip_x_access_token: false + - endpoint: /konnect/ + service: eu.opencloud.web.idp + unprotected: true + skip_x_access_token: false + - endpoint: /signin/ + service: eu.opencloud.web.idp + unprotected: true + skip_x_access_token: false + - endpoint: /archiver + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications/sse + service: eu.opencloud.sse.sse + skip_x_access_token: false + - endpoint: /ocs/v2.php/apps/notifications/api/v1/notifications + service: eu.opencloud.web.userlog + skip_x_access_token: false + - type: regex + endpoint: /ocs/v[12].php/cloud/user/signing-key + service: eu.opencloud.web.ocs + skip_x_access_token: false + - type: regex + endpoint: /ocs/v[12].php/config + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /sciencemesh/federations + service: eu.opencloud.web.ocm + unprotected: true + skip_x_access_token: false + - endpoint: /sciencemesh/discover + service: 
eu.opencloud.web.ocm + unprotected: true + skip_x_access_token: false + - endpoint: /sciencemesh/ + service: eu.opencloud.web.ocm + skip_x_access_token: false + - endpoint: /ocm/ + service: eu.opencloud.web.ocm + skip_x_access_token: false + - endpoint: /ocs/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - type: query + endpoint: /remote.php/?preview=1 + service: eu.opencloud.web.webdav + skip_x_access_token: false + - type: regex + method: REPORT + endpoint: (/remote.php)?/(web)?dav + service: eu.opencloud.web.webdav + skip_x_access_token: false + - type: query + endpoint: /dav/?preview=1 + service: eu.opencloud.web.webdav + skip_x_access_token: false + - type: query + endpoint: /webdav/?preview=1 + service: eu.opencloud.web.webdav + skip_x_access_token: false + - endpoint: /remote.php/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /dav/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /webdav/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /status + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /status.php + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /index.php/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /apps/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /data + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /app/list + service: eu.opencloud.web.frontend + unprotected: true + skip_x_access_token: false + - endpoint: /app/ + service: eu.opencloud.web.frontend + skip_x_access_token: false + - endpoint: /graph/v1beta1/extensions/org.libregraph/activities + service: eu.opencloud.web.activitylog + skip_x_access_token: false + - endpoint: /graph/v1.0/invitations + service: eu.opencloud.web.invitations + skip_x_access_token: 
false + - endpoint: /graph/ + service: eu.opencloud.web.graph + skip_x_access_token: false + - endpoint: /api/v0/settings + service: eu.opencloud.web.settings + skip_x_access_token: false + - endpoint: /auth-app/tokens + service: eu.opencloud.web.auth-app + skip_x_access_token: false + - endpoint: /wopi + service: eu.opencloud.web.collaboration + unprotected: true + skip_x_access_token: true + - endpoint: /collaboration/fonts/manage + service: eu.opencloud.web.collaboration + skip_x_access_token: false + - endpoint: /collaboration/notify + service: eu.opencloud.web.collaboration + skip_x_access_token: false + - endpoint: /collaboration + service: eu.opencloud.web.collaboration + unprotected: true + skip_x_access_token: false +additional_policies: [] +oidc: + issuer: https://localhost:9200 + insecure: false + access_token_verify_method: jwt + skip_user_info: false + user_info_cache: + store: memory + addresses: + - 127.0.0.1:9233 + database: cache-userinfo + table: "" + ttl: 10s + disable_persistence: false + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" + jwks: + refresh_interval: 60 + refresh_timeout: 10 + refresh_limit: 60 + refresh_unknown_kid: true + rewrite_well_known: false +service_account: + service_account_id: "" + service_account_secret: "" +role_assignment: + driver: default + oidc_role_mapper: + role_claim: roles + role_mapping: + - role_name: admin + claim_value: opencloudAdmin + - role_name: spaceadmin + claim_value: opencloudSpaceAdmin + - role_name: user + claim_value: opencloudUser + - role_name: user-light + claim_value: opencloudGuest +policy_selector: + static: + policy: default + claims: null + regex: null +pre_signed_url: + allowed_http_methods: + - GET + enabled: true + signing_keys: + store: nats-js-kv + addresses: + - 127.0.0.1:9233 + ttl: 12h0m0s + disable_persistence: true + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" 
+account_backend: cs3 +user_oidc_claim: preferred_username +user_cs3_claim: username +tenant_oidc_claim: "" +tenant_id_mapping_enabled: false +machine_auth_api_key: "" +auto_provision_accounts: false +auto_provision_claims: + username: preferred_username + email: email + display_name: name + groups: groups +enable_basic_auth: false +insecure_backends: false +backend_https_cacert: "" +auth_middleware: + credentials_by_user_agent: {} + allow_app_auth: true +policies_middleware: + query: "" +csp_config_file_location: "" +csp_config_file_override_location: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/proxy_configvars.md b/versioned_docs/version-7.x/_static/env-vars/proxy_configvars.md new file mode 100644 index 000000000..91ab670d1 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/proxy_configvars.md @@ -0,0 +1,76 @@ +## Environment variables for the **proxy** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`PROXY_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`PROXY_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9205`| +|`PROXY_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`PROXY_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`PROXY_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`PROXY_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`0.0.0.0:9200`| +|`PROXY_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`PROXY_TRANSPORT_TLS_CERT`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|`/var/lib/opencloud/proxy/server.crt`| +|`PROXY_TRANSPORT_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy.`|`/var/lib/opencloud/proxy/server.key`| +|`PROXY_TLS`| 1.0.0 |bool|`Enable/Disable HTTPS for external HTTP services. Must be set to 'true' if the built-in IDP service and no reverse proxy is used. See the text description for details.`|`true`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 
'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_URL`
`OC_OIDC_ISSUER`
`PROXY_OIDC_ISSUER`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| +|`OC_INSECURE`
`PROXY_OIDC_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments.`|`false`| +|`PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD`| 1.0.0 |string|`Sets how OIDC access tokens should be verified. Possible values are 'none' and 'jwt'. When using 'none', no special validation apart from using it for accessing the IDP's userinfo endpoint will be done. When using 'jwt', it tries to parse the access token as a jwt token and verifies the signature using the keys published on the IDP's 'jwks_uri'.`|`jwt`| +|`PROXY_OIDC_SKIP_USER_INFO`| 1.0.0 |bool|`Do not look up user claims at the userinfo endpoint and directly read them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'.`|`false`| +|`OC_CACHE_STORE`
`PROXY_OIDC_USERINFO_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`PROXY_OIDC_USERINFO_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`cache-userinfo`| +|`PROXY_OIDC_USERINFO_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use.`|``| +|`OC_CACHE_TTL`
`PROXY_OIDC_USERINFO_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false.`|``| +|`PROXY_OIDC_JWKS_REFRESH_INTERVAL`| 1.0.0 |uint64|`The interval for refreshing the JWKS (JSON Web Key Set) in minutes in the background via a new HTTP request to the IDP.`|`60`| +|`PROXY_OIDC_JWKS_REFRESH_TIMEOUT`| 1.0.0 |uint64|`The timeout in seconds for an outgoing JWKS request.`|`10`| +|`PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT`| 1.0.0 |uint64|`Limits the rate in seconds at which refresh requests are performed for unknown keys. This is used to prevent malicious clients from imposing high network load on the IDP via OpenCloud.`|`60`| +|`PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID`| 1.0.0 |bool|`If set to 'true', the JWKS refresh request will occur every time an unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this.`|`true`| +|`PROXY_OIDC_REWRITE_WELLKNOWN`| 1.0.0 |bool|`Enables rewriting the /.well-known/openid-configuration to the configured OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover the OIDC provider.`|`false`| +|`OC_SERVICE_ACCOUNT_ID`
`PROXY_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`PROXY_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`PROXY_ROLE_ASSIGNMENT_DRIVER`| 1.0.0 |string|`The mechanism that should be used to assign roles to user upon login. Supported values: 'default' or 'oidc'. 'default' will assign the role 'user' to users which don't have a role assigned at the time they login. 'oidc' will assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) from the users OIDC claims.`|`default`| +|`PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`| 1.0.0 |string|`The OIDC claim used to create the users role assignment.`|`roles`| +|`PROXY_ENABLE_PRESIGNEDURLS`| 1.0.0 |bool|`Allow OCS to get a signing key to sign requests.`|`true`| +|`OC_CACHE_STORE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE`| 1.0.0 |string|`The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details.`|`nats-js-kv`| +|`OC_CACHE_STORE_NODES`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_TTL`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL`| 1.0.0 |Duration|`Default time to live for signing keys. See the Environment Variable Types description for more details.`|`12h0m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true.`|`true`| +|`OC_CACHE_AUTH_USERNAME`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false.`|``| +|`PROXY_ACCOUNT_BACKEND_TYPE`| 1.0.0 |string|`Account backend the PROXY service should use. Currently only 'cs3' is possible here.`|`cs3`| +|`PROXY_USER_OIDC_CLAIM`| 1.0.0 |string|`The name of an OpenID Connect claim that is used for resolving users with the account backend. The value of the claim must hold a per user unique, stable and non re-assignable identifier. The availability of claims depends on your Identity Provider. There are common claims available for most Identity providers like 'email' or 'preferred_username' but you can also add your own claim.`|`preferred_username`| +|`PROXY_USER_CS3_CLAIM`| 1.0.0 |string|`The name of a CS3 user attribute (claim) that should be mapped to the 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'.`|`username`| +|`PROXY_TENANT_OIDC_CLAIM`| 6.1.0 |string|`JMESPath expression to extract the tenant ID from the OIDC token claims. When set, the extracted value is verified against the tenant ID returned by the user backend, rejecting requests where they do not match. Only relevant when multi-tenancy is enabled.`|``| +|`PROXY_TENANT_ID_MAPPING_ENABLED`| 6.1.0 |bool|`When set to 'true', the proxy will resolve the internal tenant ID from the external tenant ID provided in the OIDC claims by calling the TenantAPI before verifying the tenant. Use this when the external tenant ID in the OIDC token differs from the internal tenant ID stored on the user. Requires 'tenant_oidc_claim' to be set. Only relevant when multi-tenancy is enabled.`|`false`| +|`OC_MACHINE_AUTH_API_KEY`
`PROXY_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary to access resources from other services.`|``| +|`PROXY_AUTOPROVISION_ACCOUNTS`| 1.0.0 |bool|`Set this to 'true' to automatically provision users that do not yet exist in the users service on-demand upon first sign-in. To use this a write-enabled libregraph user backend needs to be setup an running.`|`false`| +|`PROXY_AUTOPROVISION_CLAIM_USERNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the username.`|`preferred_username`| +|`PROXY_AUTOPROVISION_CLAIM_EMAIL`| 1.0.0 |string|`The name of the OIDC claim that holds the email.`|`email`| +|`PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`| 1.0.0 |string|`The name of the OIDC claim that holds the display name.`|`name`| +|`PROXY_AUTOPROVISION_CLAIM_GROUPS`| 1.0.0 |string|`The name of the OIDC claim that holds the groups.`|`groups`| +|`PROXY_ENABLE_BASIC_AUTH`| 1.0.0 |bool|`Set this to true to enable 'basic authentication' (username/password).`|`false`| +|`PROXY_INSECURE_BACKENDS`| 1.0.0 |bool|`Disable TLS certificate validation for all HTTP backend connections.`|`false`| +|`PROXY_HTTPS_CACERT`| 1.0.0 |string|`Path/File for the root CA certificate used to validate the server’s TLS certificate for https enabled backend services.`|``| +|`PROXY_ENABLE_APP_AUTH`| 1.0.0 |bool|`Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work.`|`true`| +|`PROXY_POLICIES_QUERY`| 1.0.0 |string|`Defines the 'Complete Rules' variable defined in the rego rule set this step uses for its evaluation. Rules default to deny if the variable was not found.`|``| +|`PROXY_CSP_CONFIG_FILE_LOCATION`| 1.0.0 |string|`The location of the CSP configuration file.`|``| +|`PROXY_CSP_CONFIG_FILE_OVERRIDE_LOCATION`| 4.0.0 |string|`The location of the CSP configuration file override.`|``| +|`OC_EVENTS_ENDPOINT`
`PROXY_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`PROXY_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`PROXY_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`PROXY_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`PROXY_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`PROXY_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/proxy_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/proxy_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/proxy_readme.md b/versioned_docs/version-7.x/_static/env-vars/proxy_readme.md new file mode 100755 index 000000000..8673b8ea0 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/proxy_readme.md 
@@ -0,0 +1,348 @@ + + +## Abstract + + +The proxy service is an API-Gateway for the OpenCloud microservices. Every HTTP request goes through this service. Authentication, logging and other preprocessing of requests also happens here. Mechanisms like request rate limiting or intrusion prevention are **not** included in the proxy service and must be setup in front like with an external reverse proxy. + +The proxy service is the only service communicating to the outside and needs therefore usual protections against DDOS, Slow Loris or other attack vectors. All other services are not exposed to the outside, but also need protective measures when it comes to distributed setups like when using container orchestration over various physical servers. + + +## Table of Contents + +* [Authentication](#authentication) +* [Configuring Routes](#configuring-routes) +* [Automatic User and Group Provisioning](#automatic-user-and-group-provisioning) + * [Prequisites](#prequisites) + * [Configuration](#configuration) + * [How it Works](#how-it-works) + * [Claim Updates](#claim-updates) + * [Impacts](#impacts) +* [Automatic Quota Assignments](#automatic-quota-assignments) +* [Automatic Role Assignments](#automatic-role-assignments) +* [Recommendations for Production Deployments](#recommendations-for-production-deployments) + * [Content Security Policy](#content-security-policy) +* [Caching](#caching) +* [Presigned Urls](#presigned-urls) +* [Special Settings](#special-settings) +* [Metrics](#metrics) + * [1) Single Process Mode](#1-single-process-mode) + * [2) Standalone Mode](#2-standalone-mode) + * [Available Metrics](#available-metrics) + * [Prometheus Configuration](#prometheus-configuration) + +## Authentication + +The following request authentication schemes are implemented: + +- Basic Auth (Only use in development, **never in production** setups!) 
+- OpenID Connect +- Signed URL +- Public Share Token + +## Configuring Routes + +The proxy handles routing to all endpoints that OpenCloud offers. The currently availabe default routes can be found [in the code](https://github.com/opencloud-eu/opencloud/blob/main/services/proxy/pkg/config/defaults/defaultconfig.go). Changing or adding routes can be necessary when writing own OpenCloud extensions. + +Due to the complexity when defining routes, these can only be defined in the yaml file but not via environment variables. + +For _overwriting_ default routes, use the following yaml example: + +```yaml +policies: + - name: opencloud + routes: + - endpoint: / + service: eu.opencloud.web.web + - endpoint: /dav/ + service: eu.opencloud.web.frontend +``` + +For adding _additional_ routes to the default routes use: + +```yaml +additional_policies: + - name: opencloud + routes: + - endpoint: /custom/endpoint + service: eu.opencloud.custom.custom +``` + +A route has the following configurable parameters: + +```yaml +endpoint: "" # the url that should be routed +service: "" # the service the url should be routed to +unprotected: false # with false (default), calling the endpoint requires authorization. + # with true, anyone can call the endpoint without authorisation. +``` + +## Automatic User and Group Provisioning + +When using an external OpenID Connect IDP, the proxy can be configured to automatically provision +users upon their first login. + +### Prequisites + +A number of prerequisites must be met for automatic user provisioning to work: + +* OpenCloud must be configured to use an external OpenID Connect IDP +* The `graph` service must be configured to allow updating users and groups + (`GRAPH_LDAP_SERVER_WRITE_ENABLED`). +* One of the claim values returned by the IDP as part of the userinfo response + or the access token must be unique and stable for the user. I.e. the value + must not change for the whole lifetime of the user. 
This claim is configured + via the `PROXY_USER_OIDC_CLAIM` environment variable (see below). A natural + choice would e.g. be the `sub` claim which is guaranteed to be unique and + stable per IDP. If a claim like `email` or `preferred_username` is used, you + have to ensure that the user's email address or username never changes. + +### Configuration + +To enable automatic user provisioning, the following environment variables must +be set for the proxy service: + +* `PROXY_AUTOPROVISION_ACCOUNTS`\ +Set to `true` to enable automatic user provisioning. +* `PROXY_AUTOPROVISION_CLAIM_USERNAME`\ +The name of an OIDC claim whose value should be used as the username for the +autoprovsioned user in OpenCloud. Defaults to `preferred_username`. +Can also be set to e.g. `sub` to guarantee a unique and stable username. +* `PROXY_AUTOPROVISION_CLAIM_EMAIL`\ +The name of an OIDC claim whose value should be used for the `mail` attribute +of the autoprovisioned user in OpenCloud. Defaults to `email`. +* `PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`\ +The name of an OIDC claim whose value should be used for the `displayname` +attribute of the autoprovisioned user in OpenCloud. Defaults to `name`. +* `PROXY_AUTOPROVISION_CLAIM_GROUPS`\ +The name of an OIDC claim whose value should be used to maintain a user's group +membership. The claim value should contain a list of group names the user should +be a member of. Defaults to `groups`. +* `PROXY_USER_OIDC_CLAIM`\ +When resolving and authenticated OIDC user, the value of this claims is used to +lookup the user in the users service. For auto provisioning setups this usually is the +same claims as set via `PROXY_AUTOPROVISION_CLAIM_USERNAME`. +* `PROXY_USER_CS3_CLAIM`\ +This is the name of the user attribute in OpenCloud that is used to lookup the user by the +value of the `PROXY_USER_OIDC_CLAIM`. For auto provisioning setups this usually +needs to be set to `username`. 
+ +### How it Works + +When a user logs into OpenCloud for the first time, the proxy +checks if that user already exists. This is done by querying the `users` service for users, +where the attribute set in `PROXY_USER_CS3_CLAIM` matches the value of the OIDC +claim configured in `PROXY_USER_OIDC_CLAIM`. + +If the users does not exist, the proxy will create a new user via the `graph` +service using the claim values configured in +`PROXY_AUTOPROVISION_CLAIM_USERNAME`, `PROXY_AUTOPROVISION_CLAIM_EMAIL` and +`PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME`. + +If the user does already exist, the proxy checks if the displayname has changed +and updates that accordingly via `graph` service. + +Unless the claim configured via `PROXY_AUTOPROVISION_CLAIM_EMAIL` is the same +as the one set via `PROXY_USER_OIDC_CLAIM` the proxy will also check if the +email address has changed and update that as well. + +Next, the proxy will check if the user is a member of the groups configured in +`PROXY_AUTOPROVISION_CLAIM_GROUPS`. It will add the user to the groups listed +via the OIDC claim that holds the groups defined in the envvar and removes it from +all other groups that he is currently a member of. +Groups that do not exist in the external IDP yet will be created. Note: This can be a +somewhat costly operation, especially if the user is a member of a large number of +groups. If the group memberships of a user are changed in the IDP after the +first login, it can take up to 5 minutes until the changes are reflected in OpenCloud. + +### Claim Updates + +OpenID Connect (OIDC) scopes are used by an application during authentication to authorize access to a user's detail, like name, email or picture information. A scope can also contain among other things groups, roles, and permissions data. Each scope returns a set of attributes, which are called claims. The scopes an application requests, depends on which attributes the application needs. 
Once the user authorizes the requested scopes, the claims are returned in a token. + +These issued JWT tokens are immutable and integrity-protected. Which means, any change in the source requires issuing a new token containing updated claims. On the other hand side, there is no active synchronisation process between the identity provider (IDP) who issues the token and OpenCloud. The earliest possible time that OpenCloud will notice changes is, when the current access token has expired and a new access token is issued by the IDP, or the user logs out and relogs in. + +**NOTES** + +* For resource optimisation, OpenCloud skips any checks and updates on groupmemberships, if the last update happened less than 5min ago. + +* OpenCloud can't differentiate between a group being renamed in the IDP and users being reassigned to a different group. + +* OpenCloud does not get aware when a group is being deleted in the IDP, a new claim will not hold any information from the deleted group. OpenCloud does not track a claim history to compare. + +#### Impacts + +For shares or space memberships based on groups, a renamed or deleted group will impact accessing the resource: + +* There is no user notification about the inability accessing the resource. +* The user will only experience rejected access. +* This also applies for connected apps like the Desktop, iOS or Android app! + +To give access for rejected users on a resource, one with rights to share must update the group information. + +## Automatic Quota Assignments + +It is possible to automatically assign a specific quota to new users depending on their role. +To do this, you need to configure a mapping between roles defined by their ID and the quota in bytes. +The assignment can only be done via a `yaml` configuration and not via environment variables. +See the following `proxy.yaml` config snippet for a configuration example. 
+ +```yaml +role_quotas: + : + : +``` + +## Automatic Role Assignments + +When users login, they do automatically get a role assigned. The automatic role assignment can be +configured in different ways. The `PROXY_ROLE_ASSIGNMENT_DRIVER` environment variable (or the `driver` +setting in the `role_assignment` section of the configuration file select which mechanism to use for +the automatic role assignment. + +When set to `default`, all users which do not have a role assigned at the time for the first login will +get the role 'user' assigned. (This is also the default behavior if `PROXY_ROLE_ASSIGNMENT_DRIVER` +is unset. + +When `PROXY_ROLE_ASSIGNMENT_DRIVER` is set to `oidc` the role assignment for a user will happen +based on the values of an OpenID Connect Claim of that user. The name of the OpenID Connect Claim to +be used for the role assignment can be configured via the `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM` +environment variable. It is also possible to define a mapping of claim values to role names defined +in OpenCloud via a `yaml` configuration. See the following `proxy.yaml` snippet for an example. + +```yaml +role_assignment: + driver: oidc + oidc_role_mapper: + role_claim: opencloudRoles + role_mapping: + - role_name: admin + claim_value: myAdminRole + - role_name: spaceadmin + claim_value: mySpaceAdminRole + - role_name: user + claim_value: myUserRole + - role_name: user-light + claim_value: myGuestRole +``` + +This would assign the role `admin` to users with the value `myAdminRole` in the claim `opencloudRoles`. +The role `user` to users with the values `myUserRole` in the claims `opencloudRoles` and so on. + +Claim values that are not mapped to a specific OpenCloud role will be ignored. + +Note: An OpenCloud user can only have a single role assigned. If the configured +`role_mapping` and a user's claim values result in multiple possible roles for a user, the order in +which the role mappings are defined in the configuration is important. 
The first role in the
+`role_mappings` where the `claim_value` matches a value from the user's roles claim will be assigned
+to the user. So if e.g. a user's `opencloudRoles` claim has the values `myUserRole` and
+`mySpaceAdminRole` that user will get the OpenCloud role `spaceadmin` assigned (because `spaceadmin`
+appears before `user` in the above sample configuration).
+
+If a user's claim values don't match any of the configured role mappings an error will be logged and
+the user will not be able to login.
+
+The default `role_claim` (or `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`) is `roles`. The default `role_mapping` is:
+
+```yaml
+- role_name: admin
+ claim_value: opencloudAdmin
+- role_name: spaceadmin
+ claim_value: opencloudSpaceAdmin
+- role_name: user
+ claim_value: opencloudUser
+- role_name: user-light
+ claim_value: opencloudcloudGuest
+```
+
+## Recommendations for Production Deployments
+
+In a production deployment, you want to have basic authentication (`PROXY_ENABLE_BASIC_AUTH`) disabled which is the default state. You also want to setup a firewall to only allow requests to the proxy service or the reverse proxy if you have one. Requests to the other services should be blocked by the firewall.
+
+### Content Security Policy
+
+For OpenCloud, external resources like an IDP (e.g. Keycloak) or when using web office documents or web apps, require defining a CSP. If not defined, the referenced services will not work.
+
+To create a Content Security Policy (CSP), you need to create a yaml file containing the CSP definitions. To activate the settings, reference the file as value in the `PROXY_CSP_CONFIG_FILE_LOCATION` environment variable. For each change, a restart of the OpenCloud deployment or the proxy service is required.
+
+A working example for a CSP can be found in a sub path of the `config` directory of the [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose/tree/main/config) deployment example.
+
+See the [Content Security Policy (CSP) Quick Reference Guide](https://content-security-policy.com) for a description of directives.
+
+## Caching
+
+The `proxy` service can use a configured store via `PROXY_OIDC_USERINFO_CACHE_STORE`. Possible stores are:
+ - `memory`: Basic in-memory store and the default.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `noop`: Stores nothing. Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
+
+## Presigned Urls
+
+To authenticate presigned URLs the proxy service needs to read signing keys from a store that is populated by the ocs service. Possible stores are:
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `opencloudstoreservice`: Stores data in the legacy OpenCloud store service.
Requires setting `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to `eu.opencloud.api.store`.
+
+The `memory` store cannot be used as it does not share the memory from the ocs service signing key memory store, even in a single process.
+
+Make sure to configure the same store in the ocs service.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` to the same value as `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES`. That way the ocs uses the same nats instance as the proxy service.
+ - When using the `nats-js-kv` store, it is possible to set `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE` to instruct nats to not persist signing key data on disc.
+ - When using `opencloudstoreservice` the `PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` must be set to the service name `eu.opencloud.api.store`. It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started.
+
+
+## Special Settings
+
+When using the OpenCloud IDP service instead of an external IDP:
+
+- Use the environment variable `OC_URL` to define how OpenCloud can be accessed, mandatory use `https` as protocol for the URL.
+- If no reverse proxy is set up, the `PROXY_TLS` environment variable **must** be set to `true` because the embedded `libreConnect` shipped with the IDP service has a hard check if the connection is on TLS and uses the HTTPS protocol. If this mismatches, an error will be logged and no connection from the client can be established.
+- `PROXY_TLS` **can** be set to `false` if a reverse proxy is used and the https connection is terminated at the reverse proxy. When setting to `false`, the communication between the reverse proxy and OpenCloud is not secured. If set to `true`, you must provide certificates.
+
+## Metrics
+
+The proxy service in OpenCloud has the ability to expose metrics in the prometheus format. The metrics are exposed on the `/metrics` endpoint. There are two ways to run the OpenCloud proxy service which has an impact on the number of metrics exposed.
+
+### 1) Single Process Mode
+In the single process mode, all OpenCloud services are running inside a single process. This is the default mode when using the `opencloud server` command to start the services. In this mode, the proxy service exposes metrics about the proxy service itself and about the OpenCloud services it is proxying. This is due to the nature of the prometheus registry which is a singleton. The metrics exposed by the proxy service itself are prefixed with `opencloud_proxy_` and the metrics exposed by other opencloud services are prefixed with `opencloud__`.
+
+### 2) Standalone Mode
+In this mode, the proxy service only exposes its own metrics. The metrics of the other OpenCloud services are exposed on their own metrics endpoints.
+
+### Available Metrics
+The following metrics are exposed by the proxy service:
+
+| Metric Name | Description | Labels |
+|----------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------|
+| `opencloud_proxy_requests_total` | [Counter](https://prometheus.io/docs/tutorials/understanding_metric_types/#counter) metric which reports the total number of HTTP requests. | `method`: HTTP method of the request |
+| `opencloud_proxy_errors_total` | [Counter](https://prometheus.io/docs/tutorials/understanding_metric_types/#counter) metric which reports the total number of HTTP requests which have failed.
That counts all response codes >= 500 | `method`: HTTP method of the request |
+| `opencloud_proxy_duration_seconds` | [Histogram](https://prometheus.io/docs/tutorials/understanding_metric_types/#histogram) of the time (in seconds) each request took. A histogram metric uses buckets to count the number of events that fall into each bucket. | `method`: HTTP method of the request |
+| `opencloud_proxy_build_info{version}` | A metric with a constant `1` value labeled by version, exposing the version of the OpenCloud proxy service. | `version`: Build version of the proxy |
+
+### Prometheus Configuration
+The following is an example prometheus configuration for the single process mode. It assumes that the proxy debug address is configured to bind on all interfaces `PROXY_DEBUG_ADDR=0.0.0.0:9205` and that the proxy is available via the `opencloud` service name (typically in docker-compose). The prometheus service detects the `/metrics` endpoint automatically and scrapes it every 15 seconds.
+
+```yaml
+global:
+ scrape_interval: 15s
+scrape_configs:
+ - job_name: opencloud_proxy
+ static_configs:
+ - targets: ["opencloud:9205"]
+```
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/search.yaml b/versioned_docs/version-7.x/_static/env-vars/search.yaml new file mode 100644
index 000000000..8e6e5ab97
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/search.yaml
@@ -0,0 +1,69 @@ +# Autogenerated +# Filename: search.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9224 + token: "" + pprof: false + zpages: false +grpc: + disabled: false + addr: 127.0.0.1:9220 + tls: null +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +grpc_client_tls: null +events: + disabled: false + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + async_uploads: true + num_consumers: 1 + debounce_duration: 1000 + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" + max_ack_pending: 1000 + ack_wait: 1m0s +engine: + type: bleve + bleve: + data_path: /var/lib/opencloud/search + open_search: + client: + addresses: [] + username: "" + password: "" + header: {} + ca_cert: "" + retry_on_status: [] + disable_retry: false + enable_retry_on_timeout: false + max_retries: 0 + compress_request_body: false + discover_nodes_on_start: false + discover_nodes_interval: 0s + enable_metrics: false + enable_debug_logger: false + insecure: false + resource_index: + name: opencloud-resource +extractor: + type: basic + cs3_allow_insecure: false + tika: + tika_url: http://127.0.0.1:9998 + clean_stop_words: false +content_extraction_size_limit: 20971520 +batch_size: 50 +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/search_configvars.md b/versioned_docs/version-7.x/_static/env-vars/search_configvars.md new file mode 100644 index 000000000..a26d53da5 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/search_configvars.md @@ -0,0 +1,54 @@ +## Environment variables for the **search** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`SEARCH_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`SEARCH_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9224`| +|`SEARCH_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`SEARCH_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`SEARCH_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`SEARCH_GRPC_DISABLED`| 4.0.0 |bool|`Disables the GRPC service. Set this to true if the service should only handle events.`|`false`| +|`SEARCH_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9220`| +|`OC_JWT_SECRET`
`SEARCH_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`SEARCH_EVENTS_DISABLED`| 4.0.0 |bool|`Disables listening for events. Set this to true if the service should only handle GRPC requests.`|`false`| +|`OC_EVENTS_ENDPOINT`
`SEARCH_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`SEARCH_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_ASYNC_UPLOADS`
`SEARCH_EVENTS_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| +|`SEARCH_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for searching files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands.`|`1`| +|`SEARCH_EVENTS_REINDEX_DEBOUNCE_DURATION`| 1.0.0 |int|`The duration in milliseconds the reindex debouncer waits before triggering a reindex of a space that was modified.`|`1000`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`SEARCH_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`SEARCH_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`SEARCH_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`SEARCH_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`SEARCH_EVENTS_MAX_ACK_PENDING`| 4.0.0 |int|`The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time.`|`1000`| +|`SEARCH_EVENTS_ACK_WAIT`| 4.0.0 |Duration|`The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes.`|`1m0s`| +|`SEARCH_ENGINE_TYPE`| 1.0.0 |string|`Defines which search engine to use. Defaults to 'bleve'. Supported values are: 'bleve'.`|`bleve`| +|`SEARCH_ENGINE_BLEVE_DATA_PATH`| 1.0.0 |string|`The directory where the filesystem will store search data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/search.`|`/var/lib/opencloud/search`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ADDRESSES`| 4.0.0 |[]string|`The addresses of the OpenSearch nodes..`|`[]`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_USERNAME`| 4.0.0 |string|`Username for HTTP Basic Authentication.`|``| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_PASSWORD`| 4.0.0 |string|`Password for HTTP Basic Authentication.`|``| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_HEADER`| 4.0.0 |Header|`HTTP headers to include in requests.`|`map[]`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT`| 4.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the opensearch server.`|``| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_RETRY_ON_STATUS`| 4.0.0 |[]int|`HTTP status codes that trigger a retry.`|`[]`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISABLE_RETRY`| 4.0.0 |bool|`Disable retries on errors.`|`false`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_RETRY_ON_TIMEOUT`| 4.0.0 |bool|`Enable retries on timeout.`|`false`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_MAX_RETRIES`| 4.0.0 |int|`Maximum number of retries for requests.`|`0`| 
+|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_COMPRESS_REQUEST_BODY`| 4.0.0 |bool|`Compress request bodies.`|`false`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_ON_START`| 4.0.0 |bool|`Discover nodes on service start.`|`false`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_INTERVAL`| 4.0.0 |Duration|`Interval for discovering nodes.`|`0s`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_METRICS`| 4.0.0 |bool|`Enable metrics collection.`|`false`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_DEBUG_LOGGER`| 4.0.0 |bool|`Enable debug logging.`|`false`| +|`SEARCH_ENGINE_OPEN_SEARCH_CLIENT_INSECURE`| 4.0.0 |bool|`Skip TLS certificate verification.`|`false`| +|`SEARCH_ENGINE_OPEN_SEARCH_RESOURCE_INDEX_NAME`| 4.0.0 |string|`The name of the OpenSearch index for resources.`|`opencloud-resource`| +|`SEARCH_EXTRACTOR_TYPE`| 1.0.0 |string|`Defines the content extraction engine. Defaults to 'basic'. Supported values are: 'basic' and 'tika'.`|`basic`| +|`OC_INSECURE`
`SEARCH_EXTRACTOR_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|`false`| +|`SEARCH_EXTRACTOR_TIKA_TIKA_URL`| 1.0.0 |string|`URL of the tika server.`|`http://127.0.0.1:9998`| +|`SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS`| 1.0.0 |bool|`Defines if stop words should be cleaned or not. See the documentation for more details.`|`false`| +|`SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT`| 1.0.0 |uint64|`Maximum file size in bytes that is allowed for content extraction.`|`20971520`| +|`SEARCH_BATCH_SIZE`| 1.0.0 |int|`The number of documents to process in a single batch. Defaults to 500.`|`50`| +|`OC_SERVICE_ACCOUNT_ID`
`SEARCH_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`SEARCH_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``|
diff --git a/versioned_docs/version-7.x/_static/env-vars/search_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/search_deprecation.md new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/search_readme.md b/versioned_docs/version-7.x/_static/env-vars/search_readme.md new file mode 100755
index 000000000..20231c7da
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/search_readme.md
@@ -0,0 +1,156 @@
+
+
+## Abstract
+
+
+The search service is responsible for metadata and content extraction,
+the retrieved data is indexed and made searchable.
+
+The search service runs out of the box with the shipped default `basic` configuration.
+No further configuration is needed.
+
+Note that as of now, the search service cannot be scaled.
+Consider using dedicated hardware for this service in case more resources are needed.
+
+
+## Table of Contents
+
+* [Search backends](#search-backends)
+ * [Bleve](#bleve)
+ * [OpenSearch](#opensearch)
+* [Query language](#query-language)
+* [Content analysis / Extraction](#content-analysis--extraction)
+ * [Basic](#basic)
+ * [Tika](#tika)
+* [Manually Trigger Re-Indexing a Space](#manually-trigger-reindexing-a-space)
+* [Metrics](#metrics)
+
+## Search backends
+
+To store and query the indexed data, a search backend is needed.
+
+As of now, the search service supports the following backends:
+
+- [bleve](https://github.com/blevesearch/bleve) (default)
+- [opensearch](https://opensearch.org/)
+
+### Bleve
+
+Bleve is a lightweight, embedded full-text search engine written in Go and is the default search backend.
+It is straightforward to set up and requires no additional services to run.
+
+The following optional settings can be set:
+
+* `SEARCH_ENGINE_BLEVE_DATA_PATH=/path/to/bleve/index` (default: `$OC_BASE_DATA_PATH/search`): Path to store the bleve index.
+
+### OpenSearch
+
+OpenSearch is a distributed, RESTful search and analytics engine capable of addressing a growing number of use cases.
+Additionally, it provides advanced features like clustering, replication, and sharding.
+
+To enable OpenSearch as a backend, the following settings must be set:
+
+* `SEARCH_ENGINE_TYPE=open-search`
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ADDRESSES=http://YOUR-OPENSEARCH.URL:9200` (comma-separated list of OpenSearch addresses)
+
+Additionally, the following optional settings can be set:
+
+* `SEARCH_ENGINE_OPEN_SEARCH_RESOURCE_INDEX_NAME=val` (default: `opencloud-resource`): Name of the OpenSearch index
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_USERNAME=val`: Username for HTTP Basic Authentication.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_PASSWORD=val`: Password for HTTP Basic Authentication.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_HEADER=val`: HTTP headers to include in requests.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_CA_CERT=val` CA certificate for TLS connections.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_RETRY_ON_STATUS=val` HTTP status codes that trigger a retry.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISABLE_RETRY=val` Disable retries on errors.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_RETRY_ON_TIMEOUT=val`: Enable retries on timeout.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_MAX_RETRIES=val`: Maximum number of retries for requests.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_COMPRESS_REQUEST_BODY=val`: Compress request bodies.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_ON_START=val`: Discover nodes on service start.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_DISCOVER_NODES_INTERVAL=val`: Interval for discovering nodes.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_METRICS=val`: Enable metrics collection.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_ENABLE_DEBUG_LOGGER=val`: Enable debug logging.
+* `SEARCH_ENGINE_OPEN_SEARCH_CLIENT_INSECURE=val`: Skip TLS certificate verification.
+
+## Query language
+
+By default, [KQL](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference) is used as the query language.
+For an overview of how to write kql queries, please read the [microsoft documentation](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference).
+
+Not all parts are supported, the following list gives an overview of parts that are not implemented yet:
+
+* Synonym operators
+* Inclusion and exclusion operators
+* Dynamic ranking operator
+* ONEAR operator
+* NEAR operator
+* Date intervals
+
+In [this ADR](https://github.com/owncloud/ocis/blob/docs/ocis/adr/0020-file-search-query-language.md) you can read why KQL was chosen.
+
+## Content analysis / Extraction
+
+The search service supports the following content extraction methods:
+
+* `Basic`: enabled by default, only provides metadata extraction.
+* `Tika`: needs to be installed and configured separately, provides content extraction for many file types.
+
+Note that the file content has to be transferred to the search service internally for content extraction,
+which is resource-intensive and can lead to delays with larger documents.
+
+### Basic
+
+This extractor is the simplest one and just uses the resource information provided by OpenCloud.
+It does not do any further content analysis.
+
+### Tika
+
+The main difference is that this extractor is able to analyze and extract data from more advanced file types like PDF, DOCX, PPTX, etc.
+However, [Apache Tika](https://tika.apache.org/) is required for this task.
+Read the [Getting Started with Apache Tika](https://tika.apache.org/2.6.0/gettingstarted.html) guide on how to install and run Tika or use a ready to run [Tika container](https://hub.docker.com/r/apache/tika).
+See the [Tika container usage document](https://github.com/apache/tika-docker#usage) for a quickstart.
+
+As soon as Tika is installed and configured, the search service needs to be told to use it.
+
+The following settings must be set:
+
+* `SEARCH_EXTRACTOR_TYPE=tika`
+* `SEARCH_EXTRACTOR_TIKA_TIKA_URL=http://YOUR-TIKA.URL`
+
+Additionally, the following optional settings can be set:
+
+* `SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS=true` (default: `true`): ignore stop words like `I`, `you`, `the` during content extraction.
+
+## Manually Trigger Re-Indexing a Space
+
+The service includes a command-line interface to trigger re-indexing a space:
+
+```shell
+opencloud search index --space $SPACE_ID
+```
+
+It can also be used to re-index all spaces:
+
+```shell
+opencloud search index --all-spaces
+```
+
+Please note that a reindex only picks up new or changed files. Files that have already been indexed are not scanned again, even if the configuration or the whole extractor has been changed. To force a full rescan (re-running the extractor on every file) you need to use the `force-rescan` flag:
+
+
+```shell
+opencloud search index --all-spaces --force-rescan
+```
+
+## Metrics
+
+The search service exposes the following prometheus metrics at `/metrics` (as configured using the `SEARCH_DEBUG_ADDR` env var):
+
+| Metric Name | Type | Description | Labels |
+| --- | --- | --- | --- |
+| `opencloud_search_build_info` | Gauge | Build information | `version` |
+| `opencloud_search_events_outstanding_acks` | Gauge | Number of outstanding acks for events | |
+| `opencloud_search_events_unprocessed` | Gauge | Number of unprocessed events | |
+| `opencloud_search_events_redelivered` | Gauge | Number of redelivered events | |
+| `opencloud_search_search_duration_seconds` | Histogram | Duration of search operations in seconds | `status` |
+| `opencloud_search_index_duration_seconds` | Histogram | Duration of indexing operations in seconds | `status` |
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/settings.yaml b/versioned_docs/version-7.x/_static/env-vars/settings.yaml new file mode 100644
index 000000000..e53233d2d
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/settings.yaml @@ -0,0 +1,67 @@ +# Autogenerated +# Filename: settings.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9194 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9190 + tls: + enabled: false + cert: "" + key: "" + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + allow_credentials: true +grpc: + addr: 127.0.0.1:9191 + tls: null +grpc_client_tls: null +metadata_config: + gateway_addr: eu.opencloud.api.storage-system + storage_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cache: + store: memory + addresses: + - 127.0.0.1:9233 + database: settings-cache + files_table: settings_files + directories_table: settings_dirs + ttl: 10m0s + disable_persistence: false + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +bundles_path: "" +admin_user_id: "" +token_manager: + jwt_secret: "" +set_default_assignments: false +service_account_ids: +- service-user-id +default_language: "" +translation_path: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/settings_configvars.md b/versioned_docs/version-7.x/_static/env-vars/settings_configvars.md new file mode 100644 index 000000000..b252dcb33 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/settings_configvars.md @@ -0,0 +1,43 @@ +## Environment variables for the **settings** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`SETTINGS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`SETTINGS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9194`| +|`SETTINGS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`SETTINGS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`SETTINGS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`SETTINGS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9190`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`SETTINGS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`SETTINGS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`SETTINGS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`SETTINGS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`SETTINGS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`SETTINGS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9191`| +|`SETTINGS_STORAGE_GATEWAY_GRPC_ADDR`
`STORAGE_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`SETTINGS_STORAGE_GRPC_ADDR`
`STORAGE_GRPC_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`SETTINGS_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`SETTINGS_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`OC_CACHE_STORE`
`SETTINGS_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`SETTINGS_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`settings-cache`| +|`SETTINGS_FILE_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the file cache.`|`settings_files`| +|`SETTINGS_DIRECTORY_CACHE_TABLE`| 1.0.0 |string|`The database table the store should use for the directory cache.`|`settings_dirs`| +|`OC_CACHE_TTL`
`SETTINGS_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`10m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`SETTINGS_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`SETTINGS_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`SETTINGS_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`SETTINGS_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`SETTINGS_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`SETTINGS_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false.`|``| +|`SETTINGS_BUNDLES_PATH`| 1.0.0 |string|`The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.`|``| +|`OC_ADMIN_USER_ID`
`SETTINGS_ADMIN_USER_ID`| 1.0.0 |string|`ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| +|`OC_JWT_SECRET`
`SETTINGS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`IDM_CREATE_DEMO_USERS`
`SETTINGS_SETUP_DEFAULT_ASSIGNMENTS`| 1.0.0 |bool|`The default role assignments the demo users should be setup.`|`false`| +|`SETTINGS_SERVICE_ACCOUNT_IDS`
`OC_SERVICE_ACCOUNT_ID`| 1.0.0 |[]string|`The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OC_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. See the 'auth-service' service description for more details about service accounts.`|`[service-user-id]`| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_TRANSLATION_PATH`
`SETTINGS_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``|
diff --git a/versioned_docs/version-7.x/_static/env-vars/settings_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/settings_deprecation.md new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/settings_readme.md b/versioned_docs/version-7.x/_static/env-vars/settings_readme.md new file mode 100755
index 000000000..e48f9bc13
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/settings_readme.md
@@ -0,0 +1,468 @@ + + +## Abstract + + +The `settings` service provides functionality for other services to register new settings as well as storing and retrieving the respective settings' values. + + +## Table of Contents + +* [Settings Managed](#settings-managed) +* [Caching](#caching) +* [Settings Management](#settings-management) +* [Settings Usage](#settings-usage) +* [Service Accounts](#service-accounts) +* [Translations](#translations) + * [Translation Rules](#translation-rules) +* [Default Language](#default-language) +* [Custom Roles](#custom-roles) + +## Settings Managed + +The settings service is currently used for managing the: + +* users' `profile` settings like the language and the email notification settings, +* possible user roles and their respective permissions, +* assignment of roles to users. + +As an example, user profile settings that can be changed in the Web UI must be persistent. + +The settings service persists the settings data via the `storage-system` service. + + + +## Caching + +The `settings` service caches the results of queries against the storage backend to provide faster responses. The content of this cache is independent of the cache used in the `storage-system` service as it caches directory listing and settings content stored in files. + +The store used for the cache can be configured using the `SETTINGS_CACHE_STORE` environment variable. Possible stores are: + - `memory`: Basic in-memory store and the default. + - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster. + - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store) + - `noop`: Stores nothing. Useful for testing. Not recommended in production environments. + +Other store types may work but are not supported currently. + +Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances! 
+ + +Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version. + +Store specific notes: + - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`. + - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus. + - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc. + +## Settings Management + +OpenCloud services can register *settings bundles* with the settings service. + +## Settings Usage + +Services can set or query OpenCloud *setting values* of a user from settings bundles. + +## Service Accounts + +The settings service needs to know the IDs of service accounts but it doesn't need their secrets. They can be configured using the `SETTINGS_SERVICE_ACCOUNTS_IDS` envvar. When only using one service account `OC_SERVICE_ACCOUNT_ID` can also be used. All configured service accounts will get a hidden 'service-account' role. This role contains all permissions the service account needs but will not appear calls to the list roles endpoint. It is not possible to assign the 'service-account' role to a normal user. + +## Translations + +The `settings` service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. 
To configure custom translations, the `SETTINGS_TRANSLATION_PATH` environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the userlog service, a shared storage is recommended. Translation files must be of type [.po](https://www.gnu.org/software/gettext/manual/html_node/PO-Files.html#PO-Files) or [.mo](https://www.gnu.org/software/gettext/manual/html_node/Binaries.html). For each language, the filename needs to be `settings.po` (or `settings.mo`) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be: + +```text +{SETTINGS_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/settings.po +``` + +The language code pattern is composed of `language[_territory]` where `language` is the base language and `_territory` is optional and defines a country. + +For example, for the language `de`, one needs to place the corresponding translation files to `{SETTINGS_TRANSLATION_PATH}/de_DE/LC_MESSAGES/settings.po`. + + + +Important: For the time being, the embedded OpenCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code `language_territory`, the web frontend does not see it as it only requests `language`. In consequence, any translations made must exist in the requested `language` to avoid a fallback to the default. + +### Translation Rules + +* If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code `de_DE` is not available, the service tries to fall back to translations in the `de` folder. +* If the base language `de` is also not available, the service falls back to the system's default English (`en`), +which is the source of the texts provided by the code. 
+ +## Default Language + +The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. If this variable is not defined, English will be used as default. The value has the ISO 639-1 format ("de", "en", etc.) and is limited by the list supported languages. This setting can be used to set the default language for notification and invitation emails. + +Important developer note: the list of supported languages is at the moment not easy defineable, as it is the minimum intersection of languages shown in the WebUI and languages defined in the OpenCloud code for the use of notifications and userlog. Even more, not all languages where there are translations available on transifex, are available in the WebUI respectively for OpenCloud notifications, and the translation rate for existing languages is partially not that high. You will see therefore quite often English default strings though a supported language may exist and was selected. + +The `OC_DEFAULT_LANGUAGE` setting impacts the `notification` and `userlog` services and the WebUI. Note that translations must exist for all named components to be presented correctly. + +* If `OC_DEFAULT_LANGUAGE` **is not set**, the expected behavior is: + * The `notification` and `userlog` services and the WebUI use English by default until a user sets another language in the WebUI via _Account -> Language_. + * If a user sets another language in the WebUI in _Account -> Language_, then the `notification` and `userlog` services and WebUI use the language defined by the user. If no translation is found, it falls back to English. + +* If `OC_DEFAULT_LANGUAGE` **is set**, the expected behavior is: + * The `notification` and `userlog` services and the WebUI use `OC_DEFAULT_LANGUAGE` by default until a user sets another language in the WebUI via _Account -> Language_. 
+ * If a user sets another language in the WebUI in _Account -> Language_, the `notification` and `userlog` services and WebUI use the language defined by the user. If no translation is found, it falls back to `OC_DEFAULT_LANGUAGE` and then to English. + +## Custom Roles + +It is possible to replace the default OpenCloud roles (`admin`, `user`) with custom roles that contain custom permissions. One can set `SETTINGS_BUNDLES_PATH` to the path of a `json` file containing the new roles. + +Role Example: +```json +[ + { + "id": "38071a68-456a-4553-846a-fa67bf5596cc", // ID of the role. Recommendation is to use a random uuidv4. But any unique string will do. + "name": "user-light", // Internal name of the role. This is used by the system to identify the role. Any string will do here, but it should be unique among the other roles. + "type": "TYPE_ROLE", // Always use `TYPE_ROLE` + "extension": "opencloud-roles", // Always use `opencloud-roles` + "displayName": "User Light", // DisplayName of the role used in webui + "settings": [ + ], // Permissions attached to the role. See Details below. + "resource": { + "type": "TYPE_SYSTEM" // Always use `TYPE_SYSTEM` + } + } +] +``` + +To create custom roles: +* Copy the role example to a `json` file. +* Change `id`, `name`, and `displayName` to your liking. +* Copy the desired permissions from the `user-all-permissions` example below to the `settings` array of the role. 
+* Set the `SETTINGS_BUNDLE_PATH` envvar to the path of the json file and start OpenCloud + +Example File: +```json +[ + { + "id": "38071a68-456a-4553-846a-fa67bf5596cc", + "name": "user-1-permission", + "type": "TYPE_ROLE", + "extension": "opencloud-roles", + "displayName": "User with one permission only", + "settings": [ + { + "id": "7d81f103-0488-4853-bce5-98dcce36d649", + "name": "Language.ReadWrite", + "displayName": "Permission to read and set the language", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_OWN" + }, + "resource": { + "type": "TYPE_SETTING", + "id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f" + } + } + ], + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "71881883-1768-46bd-a24d-a356a2afdf7f", + "name": "user-all-permissions", + "type": "TYPE_ROLE", + "extension": "opencloud-roles", + "displayName": "User with all available permissions", + "settings": [ + { + "id": "8e587774-d929-4215-910b-a317b1e80f73", + "name": "Accounts.ReadWrite", + "displayName": "Account Management", + "description": "This permission gives full access to everything that is related to account management.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_USER", + "id": "all" + } + }, + { + "id": "4e41363c-a058-40a5-aec8-958897511209", + "name": "AutoAcceptShares.ReadWriteDisabled", + "displayName": "enable/disable auto accept shares", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_OWN" + }, + "resource": { + "type": "TYPE_SETTING", + "id": "ec3ed4a3-3946-4efc-8f9f-76d38b12d3a9" + } + }, + { + "id": "ed83fc10-1f54-4a9e-b5a7-fb517f5f3e01", + "name": "Logo.Write", + "displayName": "Change logo", + "description": "This permission permits to change the system logo.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + 
}, + { + "id": "11516bbd-7157-49e1-b6ac-d00c820f980b", + "name": "PublicLink.Write", + "displayName": "Write publiclink", + "description": "This permission allows creating public links.", + "permissionValue": { + "operation": "OPERATION_WRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SHARE" + } + }, + { + "id": "069c08b1-e31f-4799-9ed6-194b310e7244", + "name": "Shares.Write", + "displayName": "Write share", + "description": "This permission allows creating shares.", + "permissionValue": { + "operation": "OPERATION_WRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SHARE" + } + }, + { + "id": "79e13b30-3e22-11eb-bc51-0b9f0bad9a58", + "name": "Drives.Create", + "displayName": "Create Space", + "description": "This permission allows creating new spaces.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "5de9fe0a-4bc5-4a47-b758-28f370caf169", + "name": "Drives.DeletePersonal", + "displayName": "Delete All Home Spaces", + "description": "This permission allows deleting home spaces.", + "permissionValue": { + "operation": "OPERATION_DELETE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "fb60b004-c1fa-4f09-bf87-55ce7d46ac61", + "name": "Drives.DeleteProject", + "displayName": "Delete AllSpaces", + "description": "This permission allows deleting all spaces.", + "permissionValue": { + "operation": "OPERATION_DELETE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "e9a697c5-c67b-40fc-982b-bcf628e9916d", + "name": "ReadOnlyPublicLinkPassword.Delete", + "displayName": "Delete Read-Only Public link password", + "description": "This permission permits to opt out of a public link password enforcement.", + "permissionValue": { + "operation": "OPERATION_WRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": 
{ + "type": "TYPE_SHARE" + } + }, + { + "id": "ad5bb5e5-dc13-4cd3-9304-09a424564ea8", + "name": "EmailNotifications.ReadWriteDisabled", + "displayName": "Disable Email Notifications", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_OWN" + }, + "resource": { + "type": "TYPE_SETTING", + "id": "33ffb5d6-cd07-4dc0-afb0-84f7559ae438" + } + }, + { + "id": "522adfbe-5908-45b4-b135-41979de73245", + "name": "Groups.ReadWrite", + "displayName": "Group Management", + "description": "This permission gives full access to everything that is related to group management.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_GROUP", + "id": "all" + } + }, + { + "id": "7d81f103-0488-4853-bce5-98dcce36d649", + "name": "Language.ReadWrite", + "displayName": "Permission to read and set the language", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SETTING", + "id": "aa8cfbe5-95d4-4f7e-a032-c3c01f5f062f" + } + }, + { + "id": "4ebaa725-bfaa-43c5-9817-78bc9994bde4", + "name": "Favorites.List", + "displayName": "List Favorites", + "description": "This permission allows listing favorites.", + "permissionValue": { + "operation": "OPERATION_READ", + "constraint": "CONSTRAINT_OWN" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "016f6ddd-9501-4a0a-8ebe-64a20ee8ec82", + "name": "Drives.List", + "displayName": "List All Spaces", + "description": "This permission allows listing all spaces.", + "permissionValue": { + "operation": "OPERATION_READ", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "b44b4054-31a2-42b8-bb71-968b15cfbd4f", + "name": "Drives.ReadWrite", + "displayName": "Manage space properties", + "description": "This permission allows managing space properties such as name and description.", + "permissionValue": { + 
"operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "a53e601e-571f-4f86-8fec-d4576ef49c62", + "name": "Roles.ReadWrite", + "displayName": "Role Management", + "description": "This permission gives full access to everything that is related to role management.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_USER", + "id": "all" + } + }, + { + "id": "4e6f9709-f9e7-44f1-95d4-b762d27b7896", + "name": "Drives.ReadWritePersonalQuota", + "displayName": "Set Personal Space Quota", + "description": "This permission allows managing personal space quotas.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "977f0ae6-0da2-4856-93f3-22e0a8482489", + "name": "Drives.ReadWriteProjectQuota", + "displayName": "Set Project Space Quota", + "description": "This permission allows managing project space quotas.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": "3d58f441-4a05-42f8-9411-ef5874528ae1", + "name": "Settings.ReadWrite", + "displayName": "Settings Management", + "description": "This permission gives full access to everything that is related to settings management.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_USER", + "id": "all" + } + }, + { + "id": "cf3faa8c-50d9-4f84-9650-ff9faf21aa9d", + "name": "Drives.ReadWriteEnabled", + "displayName": "Space ability", + "description": "This permission allows enabling and disabling spaces.", + "permissionValue": { + "operation": "OPERATION_READWRITE", + "constraint": "CONSTRAINT_ALL" + }, + "resource": { + "type": "TYPE_SYSTEM" + } + }, + { + "id": 
"a54778fd-1c45-47f0-892d-655caf5236f2", + "name": "Favorites.Write", + "displayName": "Write Favorites", + "description": "This permission allows marking files as favorites.", + "permissionValue": { + "operation": "OPERATION_WRITE", + "constraint": "CONSTRAINT_OWN" + }, + "resource": { + "type": "TYPE_FILE" + } + } + ], + "resource": { + "type": "TYPE_SYSTEM" + } + } +] +``` + diff --git a/versioned_docs/version-7.x/_static/env-vars/sharing.yaml b/versioned_docs/version-7.x/_static/env-vars/sharing.yaml new file mode 100644 index 000000000..5c99825aa --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/sharing.yaml 
@@ -0,0 +1,79 @@ +# Autogenerated +# Filename: sharing.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9151 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9150 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_cert_path: "" + enable_tls: false + auth_username: "" + auth_password: "" +service_account: + service_account_id: "" + service_account_secret: "" +skip_user_groups_in_token: false +user_sharing_driver: jsoncs3 +user_sharing_drivers: + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cache_ttl: 0 + max_concurrency: 1 + json: + file: /var/lib/opencloud/storage/shares.json + cs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + owncloudsql: + db_username: owncloud + db_password: "" + db_host: mysql + db_port: 3306 + db_name: owncloud + user_storage_mount_id: "" +public_sharing_driver: jsoncs3 +public_sharing_drivers: + json: + file: /var/lib/opencloud/storage/publicshares.json + jsoncs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" + cs3: + provider_addr: eu.opencloud.api.storage-system + system_user_id: "" + system_user_idp: internal + system_user_api_key: "" +public_sharing_writeableshare_must_have_password: false +public_sharing_share_must_have_password: true +enable_expired_shares_cleanup: true +password_policy: + min_characters: 8 + min_lowercase_characters: 1 + min_uppercase_characters: 1 + min_digits: 1 + min_special_characters: 1 + banned_passwords_list: "" 
diff --git a/versioned_docs/version-7.x/_static/env-vars/sharing_configvars.md b/versioned_docs/version-7.x/_static/env-vars/sharing_configvars.md new file mode 100644 index 000000000..5b778c65b --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/sharing_configvars.md @@ -0,0 +1,62 @@ +## Environment variables for the **sharing** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`SHARING_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`SHARING_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9151`| +|`SHARING_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`SHARING_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`SHARING_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`SHARING_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9150`| +|`OC_GRPC_PROTOCOL`
`SHARING_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`SHARING_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_EVENTS_ENDPOINT`
`SHARING_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`SHARING_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`SHARING_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`SHARING_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`SHARING_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`Username for the events broker.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`SHARING_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`Password for the events broker.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`SHARING_SERVICE_ACCOUNT`| 7.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`SHARING_SERVICE_ACCOUNT_SECRET`| 7.0.0 |string|`The service account secret.`|``| +|`SHARING_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`SHARING_USER_DRIVER`| 1.0.0 |string|`Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' (deprecated) and 'owncloudsql'.`|`jsoncs3`| +|`SHARING_USER_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`SHARING_USER_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`SHARING_USER_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`SHARING_USER_JSONCS3_CACHE_TTL`| 1.0.0 |int|`TTL for the internal caches in seconds.`|`0`| +|`OC_MAX_CONCURRENCY`
`SHARING_USER_JSONCS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| +|`SHARING_USER_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where shares will be persisted. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/shares.json`| +|`SHARING_USER_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`SHARING_USER_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`SHARING_USER_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_USER_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`SHARING_USER_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|`owncloud`| +|`SHARING_USER_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|``| +|`SHARING_USER_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|`mysql`| +|`SHARING_USER_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|`3306`| +|`SHARING_USER_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|`owncloud`| +|`SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID`| 1.0.0 |string|`Mount ID of the ownCloudSQL users storage for mapping ownCloud 10 shares.`|``| +|`SHARING_PUBLIC_DRIVER`| 1.0.0 |string|`Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3' (deprecated).`|`jsoncs3`| +|`SHARING_PUBLIC_JSON_FILE`| 1.0.0 |string|`Path to the JSON file where public share meta-data will be stored. This JSON file contains the information about public shares that have been created. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/publicshares.json`| +|`SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`SHARING_PUBLIC_CS3_PROVIDER_ADDR`| 1.0.0 |string|`GRPC address of the STORAGE-SYSTEM service.`|`eu.opencloud.api.storage-system`| +|`OC_SYSTEM_USER_ID`
`SHARING_PUBLIC_CS3_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_IDP`
`SHARING_PUBLIC_CS3_SYSTEM_USER_IDP`| 1.0.0 |string|`IDP of the OpenCloud STORAGE-SYSTEM system user.`|`internal`| +|`OC_SYSTEM_USER_API_KEY`
`SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`
`SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service.`|`false`| +|`OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`
`SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD`| 1.0.0 |bool|`Set this to true if you want to enforce passwords on all public shares.`|`true`| +|`OC_PASSWORD_POLICY_DISABLED`
`SHARING_PASSWORD_POLICY_DISABLED`| 1.0.0 |bool|`Disable the password policy. Defaults to false if not set.`|`false`| +|`OC_PASSWORD_POLICY_MIN_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_CHARACTERS`| 1.0.0 |int|`Define the minimum password length. Defaults to 8 if not set.`|`8`| +|`OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of uppercase letters. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS`| 1.0.0 |int|`Define the minimum number of lowercase letters. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_DIGITS`
`SHARING_PASSWORD_POLICY_MIN_DIGITS`| 1.0.0 |int|`Define the minimum number of digits. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`
`SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS`| 1.0.0 |int|`Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.`|`1`| +|`OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`
`SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST`| 1.0.0 |string|`Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/sharing_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/sharing_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/sharing_readme.md b/versioned_docs/version-7.x/_static/env-vars/sharing_readme.md new file mode 100755 index 000000000..d9409b5f6 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/sharing_readme.md 
@@ -0,0 +1,55 @@
+
+
+## Abstract
+
+
+The `sharing` service provides the CS3 Sharing API for OpenCloud. It manages user shares and public link shares, implementing the core sharing functionality.
+
+
+## Table of Contents
+
+* [Overview](#overview)
+* [Integration](#integration)
+* [Share Types](#share-types)
+* [Configuration](#configuration)
+* [Scalability](#scalability)
+
+## Overview
+
+The sharing service handles:
+- User-to-user shares (share a file or folder with another user)
+- Public link shares (share via a public URL)
+- Share permissions and roles
+- Share lifecycle management (create, update, delete)
+
+This service works in conjunction with the storage providers (`storage-shares` and `storage-publiclink`) to persist and manage share information.
+
+## Integration
+
+The sharing service integrates with:
+- `frontend` and `ocs` - Provide HTTP APIs that translate to CS3 sharing calls
+- `storage-shares` - Stores and manages received shares
+- `storage-publiclink` - Manages public link shares
+- `graph` - Provides LibreGraph API for sharing with roles
+
+## Share Types
+
+The service supports different types of shares:
+- **User shares** - Share resources with specific users
+- **Group shares** - Share resources with groups
+- **Public link shares** - Create public URLs for sharing
+- **Federated shares** - Share with users on other OpenCloud instances (via `ocm` service)
+
+## Configuration
+
+Share behavior can be configured via environment variables:
+- Password enforcement for public shares
+- Auto-acceptance of shares
+- Share permissions and restrictions
+
+See the `frontend` service README for more details on share-related configuration options.
+
+## Scalability
+
+The sharing service depends on the configured storage backends for share metadata. Scalability characteristics depend on the chosen storage backend configuration.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/sse.yaml b/versioned_docs/version-7.x/_static/env-vars/sse.yaml new file mode 100644 index 000000000..e2767c3a9 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/sse.yaml @@ -0,0 +1,41 @@ +# Autogenerated +# Filename: sse.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9139 + token: "" + pprof: false + zpages: false +keepalive_interval: 0s +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +http: + addr: 127.0.0.1:9135 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +token_manager: + jwt_secret: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/sse_configvars.md b/versioned_docs/version-7.x/_static/env-vars/sse_configvars.md new file mode 100644 index 000000000..520e50300 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/sse_configvars.md @@ -0,0 +1,27 @@ +## Environment variables for the **sse** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`SSE_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`SSE_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9139`| +|`SSE_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`SSE_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`SSE_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`SSE_KEEPALIVE_INTERVAL`| 1.0.0 |Duration|`To prevent intermediate proxies from closing the SSE connection, send periodic SSE comments to keep it open.`|`0s`| +|`OC_EVENTS_ENDPOINT`
`SSE_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`SSE_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`SSE_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided SSE_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`SSE_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`SSE_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`SSE_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`SSE_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9135`| +|`SSE_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`SSE_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`SSE_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| +|`OC_CORS_ALLOW_HEADERS`
`SSE_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`SSE_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`SSE_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/sse_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/sse_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/sse_readme.md b/versioned_docs/version-7.x/_static/env-vars/sse_readme.md new file mode 100755 index 000000000..2034844fb --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/sse_readme.md 
@@ -0,0 +1,30 @@
+
+
+## Abstract
+
+
+The `sse` service is responsible for sending sse (Server-Sent Events) to a user. See [What is Server-Sent Events](https://medium.com/yemeksepeti-teknoloji/what-is-server-sent-events-sse-and-how-to-implement-it-904938bffd73) for a simple introduction and examples of server sent events.
+
+
+## Table of Contents
+
+* [The Log Service Ecosystem](#the-log-service-ecosystem)
+* [Subscribing](#subscribing)
+* [Keep SSE Connections Alive](#keep-sse-connections-alive)
+
+## The Log Service Ecosystem
+
+Log services like the `userlog`, `clientlog` and `sse` are responsible for composing notifications for a certain audience.
+ - The `userlog` service translates and adjusts messages to be human readable.
+ - The `clientlog` service composes machine readable messages, so clients can act without the need to query the server.
+ - The `sse` service is only responsible for sending these messages. It does not care about their form or language.
+
+## Subscribing
+
+Clients can subscribe to the `/sse` endpoint to be informed by the server when an event happens. The `sse` endpoint will respect language changes of the user without needing to reconnect. Note that SSE has a limitation of six open connections per browser which can be reached if one has opened various tabs of the Web UI pointing to the same OpenCloud instance.
+
+## Keep SSE Connections Alive
+
+Some intermediate proxies drop connections after an idle time with no activity. If this is the case, configure the `SSE_KEEPALIVE_INTERVAL` envvar. This will send periodic SSE comments to keep connections open.
+
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-publiclink.yaml b/versioned_docs/version-7.x/_static/env-vars/storage-publiclink.yaml
new file mode 100644
index 000000000..66f3b842a
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/storage-publiclink.yaml
@@ -0,0 +1,23 @@ +# Autogenerated +# Filename: storage-publiclink.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9179 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9178 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +storage_provider: + mount_id: 7993447f-687f-490d-875c-ac95e89a62a4 diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_configvars.md b/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_configvars.md new file mode 100644 index 000000000..f4eef664a --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_configvars.md @@ -0,0 +1,17 @@ +## Environment variables for the **storage-publiclink** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`STORAGE_PUBLICLINK_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`STORAGE_PUBLICLINK_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9179`| +|`STORAGE_PUBLICLINK_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`STORAGE_PUBLICLINK_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`STORAGE_PUBLICLINK_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_PUBLICLINK_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9178`| +|`OC_GRPC_PROTOCOL`
`STORAGE_PUBLICLINK_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`STORAGE_PUBLICLINK_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`STORAGE_PUBLICLINK_STORAGE_PROVIDER_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|`7993447f-687f-490d-875c-ac95e89a62a4`| diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_readme.md b/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_readme.md new file mode 100755 index 000000000..911f710f0 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-publiclink_readme.md 
@@ -0,0 +1,50 @@
+
+
+## Abstract
+
+
+The `storage-publiclink` service provides storage backend functionality for public link shares in OpenCloud. It implements the CS3 storage provider interface specifically for working with public link shared resources.
+
+
+## Table of Contents
+
+* [Overview](#overview)
+* [Integration](#integration)
+* [Storage Registry](#storage-registry)
+* [Access Control](#access-control)
+* [Scalability](#scalability)
+
+## Overview
+
+This service is part of the storage services family and is responsible for:
+- Providing access to publicly shared resources
+- Handling anonymous access to shared content
+
+## Integration
+
+The storage-publiclink service integrates with:
+- `sharing` service - Manages and persists public link shares
+- `frontend` service - Provides HTTP/WebDAV access to public links
+- Storage drivers - Accesses the actual file content
+
+## Storage Registry
+
+The service is registered in the gateway's storage registry with:
+- Provider ID: `7993447f-687f-490d-875c-ac95e89a62a4`
+- Mount point: `/public`
+- Space types: `grant` and `mountpoint`
+
+See the `gateway` README for more details on storage registry configuration.
+
+## Access Control
+
+Public link shares can be configured with:
+- Password protection
+- Expiration dates
+- Read-only or read-write permissions
+- Download limits
+
+## Scalability
+
+The storage-publiclink service can be scaled horizontally.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-shares.yaml b/versioned_docs/version-7.x/_static/env-vars/storage-shares.yaml
new file mode 100644
index 000000000..4f1502c23
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/storage-shares.yaml
@@ -0,0 +1,24 @@ +# Autogenerated +# Filename: storage-shares.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9156 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9154 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +mount_id: 7639e57c-4433-4a12-8201-722fd0009154 +readonly: false +user_share_provider_endpoint: eu.opencloud.api.sharing diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-shares_configvars.md b/versioned_docs/version-7.x/_static/env-vars/storage-shares_configvars.md new file mode 100644 index 000000000..dc878fa31 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-shares_configvars.md @@ -0,0 +1,19 @@ +## Environment variables for the **storage-shares** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`STORAGE_SHARES_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`STORAGE_SHARES_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9156`| +|`STORAGE_SHARES_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`STORAGE_SHARES_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`STORAGE_SHARES_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_SHARES_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9154`| +|`OC_GRPC_PROTOCOL`
`STORAGE_SHARES_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GRPC service.`|`tcp`| +|`OC_JWT_SECRET`
`STORAGE_SHARES_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`STORAGE_SHARES_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage. Admins can set the ID for the storage in this config option manually which is then used to reference the storage. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|`7639e57c-4433-4a12-8201-722fd0009154`| +|`STORAGE_SHARES_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`| +|`STORAGE_SHARES_USER_SHARE_PROVIDER_ENDPOINT`| 1.0.0 |string|`GRPC endpoint of the SHARING service.`|`eu.opencloud.api.sharing`| diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-shares_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/storage-shares_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-shares_readme.md b/versioned_docs/version-7.x/_static/env-vars/storage-shares_readme.md new file mode 100755 index 000000000..3651f0017 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-shares_readme.md 
@@ -0,0 +1,46 @@
+
+
+## Abstract
+
+
+The `storage-shares` service provides storage backend functionality for user and group shares in OpenCloud. It implements the CS3 storage provider interface specifically for working with shared resources.
+
+
+## Table of Contents
+
+* [Overview](#overview)
+* [Integration](#integration)
+* [Virtual Shares Folder](#virtual-shares-folder)
+* [Storage Registry](#storage-registry)
+* [Scalability](#scalability)
+
+## Overview
+
+This service is part of the storage services family and is responsible for:
+- Providing a virtual view of received shares
+- Handling access to resources shared by other users
+
+## Integration
+
+The storage-shares service integrates with:
+- `sharing` service - Manages and persists shares
+- `storage-users` service - Accesses the underlying file content
+- `frontend` service - Provides HTTP/WebDAV access to shares
+
+## Virtual Shares Folder
+
+The service provides a virtual "Shares" folder for each user where all received shares are mounted. This allows users to access all files and folders that have been shared with them in a centralized location.
+
+## Storage Registry
+
+The service is registered in the gateway's storage registry with:
+- Provider ID: `a0ca6a90-a365-4782-871e-d44447bbc668`
+- Mount point: `/users/{{.CurrentUser.Id.OpaqueId}}/Shares`
+- Space types: `virtual`, `grant`, and `mountpoint`
+
+See the `gateway` README for more details on storage registry configuration.
+
+## Scalability
+
+The storage-shares service can be scaled horizontally.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-system.yaml b/versioned_docs/version-7.x/_static/env-vars/storage-system.yaml
new file mode 100644
index 000000000..850524914
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/storage-system.yaml
@@ -0,0 +1,45 @@ +# Autogenerated +# Filename: storage-system.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9217 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9215 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9216 + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +system_user_id: "" +system_user_api_key: "" +skip_user_groups_in_token: false +cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: storage-system + ttl: 24h0m0s + disable_persistence: false + auth_username: "" + auth_password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +driver: decomposed +drivers: + decomposed: + root: /var/lib/opencloud/storage/metadata + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 +data_server_url: http://localhost:9216/data diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-system_configvars.md b/versioned_docs/version-7.x/_static/env-vars/storage-system_configvars.md new file mode 100644 index 000000000..8ad08ebb3 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-system_configvars.md @@ -0,0 +1,35 @@ +## Environment variables for the **storage-system** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`STORAGE_SYSTEM_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`STORAGE_SYSTEM_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9217`| +|`STORAGE_SYSTEM_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint`|``| +|`STORAGE_SYSTEM_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling`|`false`| +|`STORAGE_SYSTEM_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_SYSTEM_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9215`| +|`OC_GRPC_PROTOCOL`
`STORAGE_SYSTEM_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`STORAGE_SYSTEM_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9216`| +|`STORAGE_SYSTEM_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`OC_JWT_SECRET`
`STORAGE_SYSTEM_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`OC_SYSTEM_USER_ID`| 1.0.0 |string|`ID of the OpenCloud storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.`|``| +|`OC_SYSTEM_USER_API_KEY`| 1.0.0 |string|`API key for the STORAGE-SYSTEM system user.`|``| +|`STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`OC_CACHE_STORE`
`STORAGE_SYSTEM_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`STORAGE_SYSTEM_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-system`| +|`OC_CACHE_TTL`
`STORAGE_SYSTEM_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24h0m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`| 1.0.0 |string|`Username for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`Password for the configured store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`STORAGE_SYSTEM_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`STORAGE_SYSTEM_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_SYSTEM_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_SYSTEM_CACHE_TLS_INSECURE will be seen as false.`|``| +|`STORAGE_SYSTEM_DRIVER`| 1.0.0 |string|`The driver which should be used by the service. The only supported driver is 'decomposed'. For backwards compatibility reasons it's also possible to use the 'ocis' driver and configure it using the 'decomposed' options. `|`decomposed`| +|`STORAGE_SYSTEM_OC_ROOT`| 1.0.0 |string|`Path for the directory where the STORAGE-SYSTEM service stores it's persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage.`|`/var/lib/opencloud/storage/metadata`| +|`STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`| +|`STORAGE_SYSTEM_OC_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|`30`| +|`STORAGE_SYSTEM_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by other services using this service.`|`http://localhost:9216/data`| diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-system_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/storage-system_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-system_readme.md b/versioned_docs/version-7.x/_static/env-vars/storage-system_readme.md new file mode 100755 index 000000000..9a7901e39 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-system_readme.md 
@@ -0,0 +1,31 @@
+
+
+## Abstract
+
+
+The OpenCloud Storage-System service persists and caches user related data that is defined via OpenCloud. This can be among other data role assignments, user settings and users shares.
+
+
+## Table of Contents
+
+* [Caching](#caching)
+
+## Caching
+
+The `storage-system` service caches file metadata via the configured store in `STORAGE_SYSTEM_CACHE_STORE`. Possible stores are:
+ - `memory`: Basic in-memory store and the default.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `noop`: Stores nothing. Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-users.yaml b/versioned_docs/version-7.x/_static/env-vars/storage-users.yaml
new file mode 100644
index 000000000..b17172a67
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/storage-users.yaml
@@ -0,0 +1,202 @@ +# Autogenerated +# Filename: storage-users.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9159 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9157 + tls: null + protocol: tcp +http: + addr: 127.0.0.1:9158 + protocol: tcp + prefix: data + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - POST + - HEAD + - PATCH + - OPTIONS + - GET + - DELETE + allow_headers: + - Authorization + - Origin + - X-Requested-With + - X-Request-Id + - X-HTTP-Method-Override + - Content-Type + - Upload-Length + - Upload-Offset + - Tus-Resumable + - Upload-Metadata + - Upload-Defer-Length + - Upload-Concat + - Upload-Incomplete + - Upload-Draft-Interop-Version + allow_credentials: false + expose_headers: + - Upload-Offset + - Location + - Upload-Length + - Tus-Version + - Tus-Resumable + - Tus-Max-Size + - Tus-Extension + - Upload-Metadata + - Upload-Defer-Length + - Upload-Concat + - Upload-Incomplete + - Upload-Draft-Interop-Version + max_age: 86400 +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +graceful_shutdown_timeout: 30 +driver: posix +drivers: + decomposed: + propagator: sync + async_propagator_options: + propagation_delay: 0s + root: /var/lib/opencloud/storage/users + user_layout: '{{.Id.OpaqueId}}' + permissions_endpoint: eu.opencloud.api.settings + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: "" + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: "" + share_folder: /Shares + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 + max_concurrency: 5 + async_uploads: true + max_quota: 0 + disable_versioning: false + decomposeds3: + propagator: sync + async_propagator_options: + propagation_delay: 0s + root: /var/lib/opencloud/storage/users + user_layout: '{{.Id.OpaqueId}}' + permissions_endpoint: 
eu.opencloud.api.settings + region: default + access_key: "" + secret_key: "" + endpoint: "" + bucket: "" + put_object_disable_content_sha254: false + put_object_disable_multipart: false + put_object_send_content_md5: true + put_object_concurrent_stream_parts: false + put_object_num_threads: 4 + put_object_part_size: 0 + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: "" + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: "" + share_folder: /Shares + max_acquire_lock_cycles: 20 + lock_cycle_duration_factor: 30 + max_concurrency: 5 + async_uploads: true + disable_versioning: false + owncloudsql: + root: /var/lib/opencloud/storage/owncloud + share_folder: /Shares + user_layout: '{{.Username}}' + upload_info_dir: /var/lib/opencloud/storage/uploadinfo + db_username: owncloud + db_password: owncloud + db_host: "" + db_port: 3306 + db_name: owncloud + users_provider_endpoint: eu.opencloud.api.users + posix: + root: /var/lib/opencloud/storage/users + propagator: "" + async_propagator_options: + propagation_delay: 0s + personalspacealias_template: '{{.SpaceType}}/{{.User.Username | lower}}' + personalspacepath_template: users/{{.User.Id.OpaqueId}} + generalspacealias_template: '{{.SpaceType}}/{{.SpaceName | replace " " "-" | lower}}' + generalspacepath_template: projects/{{.SpaceId}} + permissions_endpoint: eu.opencloud.api.settings + async_uploads: true + scan_debounce_delay: 1s + max_quota: 0 + max_acquire_lock_cycles: 0 + lock_cycle_duration_factor: 0 + max_concurrency: 0 + disable_versioning: false + use_space_groups: false + enable_fs_revisions: false + scan_fs: true + watch_fs: false + watch_type: "" + watch_path: "" + watch_notification_brokers: "" + watch_root: "" + inotify_stats_frequency: 5m0s +data_server_url: http://localhost:9158/data +data_gateway_url: http://localhost:9140/data +transfer_expires: 86400 +events: + endpoint: 127.0.0.1:9233 + 
cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_cert_path: "" + enable_tls: false + num_consumers: 0 + username: "" + password: "" +filemetadata_cache: + store: memory + nodes: + - 127.0.0.1:9233 + database: storage-users + ttl: 24h0m0s + disable_persistence: false + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +id_cache: + store: nats-js-kv + nodes: + - 127.0.0.1:9233 + database: ids-storage-users + ttl: 0s + disable_persistence: false + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +mount_id: "" +expose_data_server: false +readonly: false +upload_expiration: 86400 +tasks: + purge_trash_bin: + user_id: "" + personal_delete_before: 720h0m0s + project_delete_before: 720h0m0s +service_account: + service_account_id: "" + service_account_secret: "" +gateway_addr: 127.0.0.1:9142 +machine_auth_api_key: "" +max_attempts_rename_file: 0 diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-users_configvars.md b/versioned_docs/version-7.x/_static/env-vars/storage-users_configvars.md new file mode 100644 index 000000000..78031f1a4 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-users_configvars.md 
@@ -0,0 +1,155 @@ + +2026-06-19-00-12-13 + +## Deprecation Notice + +| Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement | +|---|---|---|:---| +| STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS is deprecated and will be removed in a future version. Please use STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS instead. | 4.0.0 | | | + +## Environment variables for the **storage-users** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`STORAGE_USERS_SERVICE_NAME`| 1.0.0 |string|`Service name to use. Change this when starting an additional storage provider with a custom configuration to prevent it from colliding with the default 'storage-users' service.`|`storage-users`| +|`OC_LOG_LEVEL`
`STORAGE_USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`STORAGE_USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9159`| +|`STORAGE_USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`STORAGE_USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`STORAGE_USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`STORAGE_USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9157`| +|`OC_GRPC_PROTOCOL`
`STORAGE_USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`STORAGE_USERS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9158`| +|`STORAGE_USERS_HTTP_PROTOCOL`| 1.0.0 |string|`The transport protocol of the HTTP service.`|`tcp`| +|`OC_CORS_ALLOW_ORIGINS`
`STORAGE_USERS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`STORAGE_USERS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[POST HEAD PATCH OPTIONS GET DELETE]`| +|`OC_CORS_ALLOW_HEADERS`
`STORAGE_USERS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`STORAGE_USERS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_CORS_EXPOSE_HEADERS`
`STORAGE_USERS_CORS_EXPOSE_HEADERS`| 1.0.0 |[]string|`A list of exposed CORS headers. See following chapter for more details: *Access-Control-Expose-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers. See the Environment Variable Types description for more details.`|`[Upload-Offset Location Upload-Length Tus-Version Tus-Resumable Tus-Max-Size Tus-Extension Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]`| +|`OC_CORS_MAX_AGE`
`STORAGE_USERS_CORS_MAX_AGE`| 1.0.0 |uint|`The max cache duration of preflight headers. See following chapter for more details: *Access-Control-Max-Age* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age. See the Environment Variable Types description for more details.`|`86400`| +|`OC_JWT_SECRET`
`STORAGE_USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT`| 1.0.0 |int|`The number of seconds to wait for the 'storage-users' service to shutdown cleanly before exiting with an error that gets logged. Note: This setting is only applicable when running the 'storage-users' service as a standalone service. See the text description for more details.`|`30`| +|`STORAGE_USERS_DRIVER`| 1.0.0 |string|`The storage driver which should be used by the service. Defaults to 'posix'. Supported values are: 'posix', 'decomposed', 'decomposeds3' and 'owncloudsql'. For backwards compatibility reasons it's also possible to use the 'ocis' and 's3ng' driver and configure them using the 'decomposed'/'decomposeds3' options. The 'posix' driver stores data directly on a POSIX-compliant filesystem. The 'decomposed' driver stores all data (blob and meta data) in a POSIX compliant volume. The 'decomposeds3' driver stores metadata in a POSIX compliant volume and uploads blobs to the s3 bucket.`|`posix`| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSED_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|`sync`| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| +|`STORAGE_USERS_DECOMPOSED_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store blobs and metadata. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/var/lib/opencloud/storage/users`| +|`STORAGE_USERS_DECOMPOSED_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|`{{.Id.OpaqueId}}`| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSED_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|`eu.opencloud.api.settings`| +|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| +|`STORAGE_USERS_DECOMPOSED_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|``| +|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| +|`STORAGE_USERS_DECOMPOSED_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|``| +|`STORAGE_USERS_DECOMPOSED_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| +|`STORAGE_USERS_DECOMPOSED_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|`20`| +|`STORAGE_USERS_DECOMPOSED_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|`30`| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSED_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`5`| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| +|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_DECOMPOSED_MAX_QUOTA`| 1.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|`0`| +|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_DECOMPOSEDS3_PROPAGATOR`| 1.0.0 |string|`The propagator used for decomposedfs. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|`sync`| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| +|`STORAGE_USERS_DECOMPOSEDS3_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store metadata for blobs. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/var/lib/opencloud/storage/users`| +|`STORAGE_USERS_DECOMPOSEDS3_USER_LAYOUT`| 1.0.0 |string|`Template string for the user storage layout in the user directory.`|`{{.Id.OpaqueId}}`| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_DECOMPOSEDS3_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'.`|`eu.opencloud.api.settings`| +|`STORAGE_USERS_DECOMPOSEDS3_REGION`| 1.0.0 |string|`Region of the S3 bucket.`|`default`| +|`STORAGE_USERS_DECOMPOSEDS3_ACCESS_KEY`| 1.0.0 |string|`Access key for the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_SECRET_KEY`| 1.0.0 |string|`Secret key for the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_ENDPOINT`| 1.0.0 |string|`Endpoint for the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_BUCKET`| 1.0.0 |string|`Name of the S3 bucket.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_CONTENT_SHA256`| 1.0.0 |bool|`Disable sending content sha256 when copying objects to S3.`|`false`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_DISABLE_MULTIPART`| 1.0.0 |bool|`Disable multipart uploads when copying objects to S3.`|`false`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_SEND_CONTENT_MD5`| 1.0.0 |bool|`Send a Content-MD5 header when copying objects to S3.`|`true`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_CONCURRENT_STREAM_PARTS`| 1.0.0 |bool|`Always precreate parts when copying objects to S3. This is not recommended. It uses a memory buffer. If true, PartSize needs to be set.`|`false`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_NUM_THREADS`| 1.0.0 |uint|`Number of concurrent uploads to use when copying objects to S3.`|`4`| +|`STORAGE_USERS_DECOMPOSEDS3_PUT_OBJECT_PART_SIZE`| 1.0.0 |uint64|`Part size for concurrent uploads to S3. If no value or 0 is set, the library automatically calculates the part size according to the total size of the file to be uploaded. 
The value range is min 5MB and max 5GB.`|`0`| +|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| +|`STORAGE_USERS_DECOMPOSEDS3_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| +|`STORAGE_USERS_DECOMPOSEDS3_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|``| +|`STORAGE_USERS_DECOMPOSEDS3_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| +|`STORAGE_USERS_DECOMPOSEDS3_MAX_ACQUIRE_LOCK_CYCLES`| 1.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value of 20 will be used.`|`20`| +|`STORAGE_USERS_DECOMPOSEDS3_LOCK_CYCLE_DURATION_FACTOR`| 1.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value of 30 will be used.`|`30`| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_DECOMPOSEDS3_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value of 100 will be used.`|`5`| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| +|`OC_DISABLE_VERSIONING`| 1.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| +|`STORAGE_USERS_OWNCLOUDSQL_DATADIR`| 1.0.0 |string|`The directory where the filesystem storage will store SQL migration data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/owncloud.`|`/var/lib/opencloud/storage/owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER`| 1.0.0 |string|`Name of the folder jailing all shares.`|`/Shares`| +|`STORAGE_USERS_OWNCLOUDSQL_LAYOUT`| 1.0.0 |string|`Path layout to use to navigate into a users folder in an owncloud data directory`|`{{.Username}}`| +|`STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR`| 1.0.0 |string|`The directory where the filesystem will store uploads temporarily. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/uploadinfo.`|`/var/lib/opencloud/storage/uploadinfo`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Username for the database.`|`owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database.`|`owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname or IP of the database server.`|``| +|`STORAGE_USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Port that the database server is listening on.`|`3306`| +|`STORAGE_USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the database to be used.`|`owncloud`| +|`STORAGE_USERS_OWNCLOUDSQL_USERS_PROVIDER_ENDPOINT`| 1.0.0 |string|`Endpoint of the users provider.`|`eu.opencloud.api.users`| +|`STORAGE_USERS_POSIX_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.`|`/var/lib/opencloud/storage/users`| +|`OC_DECOMPOSEDFS_PROPAGATOR`
`STORAGE_USERS_POSIX_PROPAGATOR`| 2.0.0 |string|`The propagator used for the posix driver. At the moment, only 'sync' is fully supported, 'async' is available as an experimental option.`|``| +|`STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY`| 1.0.0 |Duration|`The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details.`|`0s`| +|`STORAGE_USERS_POSIX_PERSONAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct personal space aliases.`|`{{.SpaceType}}/{{.User.Username \| lower}}`| +|`STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the personal space roots.`|`users/{{.User.Id.OpaqueId}}`| +|`STORAGE_USERS_POSIX_GENERAL_SPACE_ALIAS_TEMPLATE`| 1.0.0 |string|`Template string to construct general space aliases.`|`{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| lower}}`| +|`STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE`| 1.0.0 |string|`Template string to construct the paths of the projects space roots.`|`projects/{{.SpaceId}}`| +|`STORAGE_USERS_PERMISSION_ENDPOINT`
`STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT`| 1.0.0 |string|`Endpoint of the permissions service. The endpoints can differ for 'decomposed', 'posix' and 'decomposeds3'.`|`eu.opencloud.api.settings`| +|`OC_ASYNC_UPLOADS`| 1.0.0 |bool|`Enable asynchronous file uploads.`|`true`| +|`STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY`| 1.0.0 |Duration|`The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected.`|`1s`| +|`OC_SPACES_MAX_QUOTA`
`STORAGE_USERS_POSIX_MAX_QUOTA`| 2.0.0 |uint64|`Set a global max quota for spaces in bytes. A value of 0 equals unlimited. If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA in the frontend service.`|`0`| +|`STORAGE_USERS_POSIX_MAX_ACQUIRE_LOCK_CYCLES`| 2.0.0 |int|`When trying to lock files, OpenCloud will try this amount of times to acquire the lock before failing. After each try it will wait for an increasing amount of time. Values of 0 or below will be ignored and the default value will be used.`|`0`| +|`STORAGE_USERS_POSIX_LOCK_CYCLE_DURATION_FACTOR`| 2.0.0 |int|`When trying to lock files, OpenCloud will multiply the cycle with this factor and use it as a millisecond timeout. Values of 0 or below will be ignored and the default value will be used.`|`0`| +|`OC_MAX_CONCURRENCY`
`STORAGE_USERS_POSIX_MAX_CONCURRENCY`| 2.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`0`| +|`OC_DISABLE_VERSIONING`| 2.0.0 |bool|`Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version.`|`false`| +|`STORAGE_USERS_POSIX_USE_SPACE_GROUPS`| 1.0.0 |bool|`Use space groups to manage permissions on spaces.`|`false`| +|`STORAGE_USERS_POSIX_ENABLE_FS_REVISIONS`| 1.0.0 |bool|`Allow for generating revisions from changes done to the local storage. Note: This doubles the number of bytes stored on disk because a copy of the current revision is stored to be turned into a revision later.`|`false`| +|`STORAGE_USERS_POSIX_SCAN_FS`| 6.2.0 |bool|`Scan the filesystem at startup for changes and update the metadata accordingly.`|`true`| +|`STORAGE_USERS_POSIX_WATCH_FS`| 2.0.0 |bool|`Enable the filesystem watcher to detect changes to the filesystem. This is used to detect changes to the filesystem and update the metadata accordingly.`|`false`| +|`STORAGE_USERS_POSIX_WATCH_TYPE`| 1.0.0 |string|`Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'cephfs', 'gpfswatchfolder' and 'gpfsfileauditlogging'.`|``| +|`STORAGE_USERS_POSIX_WATCH_PATH`| 1.0.0 |string|`Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch.`|``| +|`STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS,STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS`| 1.0.0 |string|`Comma-separated list of kafka brokers to read the watchfolder events from.`|``| +|`STORAGE_USERS_POSIX_WATCH_ROOT`| 4.0.0 |string|`Path to the watch root directory. 
Event paths will be considered relative to this path. Only applies to the 'gpswatchfolder' and 'cephfs' watchers.`|``| +|`STORAGE_USERS_POSIX_INOTIFY_STATS_FREQUENCY`| 4.0.0 |Duration|`Frequency to log inotify stats.`|`5m0s`| +|`STORAGE_USERS_DATA_SERVER_URL`| 1.0.0 |string|`URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed.`|`http://localhost:9158/data`| +|`STORAGE_USERS_DATA_GATEWAY_URL`| 1.0.0 |string|`URL of the data gateway server`|`http://localhost:9140/data`| +|`STORAGE_USERS_TRANSFER_EXPIRES`| 1.0.0 |int64|`The time after which the token for upload postprocessing expires`|`86400`| +|`OC_EVENTS_ENDPOINT`
`STORAGE_USERS_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`STORAGE_USERS_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`STORAGE_USERS_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`STORAGE_USERS_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`STORAGE_USERS_EVENTS_NUM_CONSUMERS`| 1.0.0 |int|`The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1.`|`0`| +|`OC_EVENTS_AUTH_USERNAME`
`STORAGE_USERS_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`STORAGE_USERS_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_CACHE_STORE`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`memory`| +|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`
`STORAGE_USERS_FILEMETADATA_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`storage-users`| +|`OC_CACHE_TTL`
`STORAGE_USERS_FILEMETADATA_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.`|`24h0m0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`STORAGE_USERS_FILEMETADATA_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_FILEMETADATA_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE will be seen as false.`|``| +|`OC_CACHE_STORE`
`STORAGE_USERS_ID_CACHE_STORE`| 1.0.0 |string|`The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.`|`nats-js-kv`| +|`OC_CACHE_STORE_NODES`
`STORAGE_USERS_ID_CACHE_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[127.0.0.1:9233]`| +|`OC_CACHE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`ids-storage-users`| +|`OC_CACHE_TTL`
`STORAGE_USERS_ID_CACHE_TTL`| 1.0.0 |Duration|`Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details.`|`0s`| +|`OC_CACHE_DISABLE_PERSISTENCE`
`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`| 1.0.0 |bool|`Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.`|`false`| +|`OC_CACHE_AUTH_USERNAME`
`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_AUTH_PASSWORD`
`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_CACHE_ENABLE_TLS`
`STORAGE_USERS_ID_CACHE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to file metadata cache.`|`false`| +|`OC_INSECURE`
`OC_CACHE_TLS_INSECURE`
`STORAGE_USERS_ID_CACHE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_CACHE_TLS_ROOT_CA_CERTIFICATE`
`STORAGE_USERS_ID_CACHE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_ID_CACHE_TLS_INSECURE will be seen as false.`|``| +|`STORAGE_USERS_MOUNT_ID`| 1.0.0 |string|`Mount ID of this storage.`|``| +|`STORAGE_USERS_EXPOSE_DATA_SERVER`| 1.0.0 |bool|`Exposes the data server directly to users and bypasses the data gateway. Ensure that the data server address is reachable by users.`|`false`| +|`STORAGE_USERS_READ_ONLY`| 1.0.0 |bool|`Set this storage to be read-only.`|`false`| +|`STORAGE_USERS_UPLOAD_EXPIRATION`| 1.0.0 |int64|`Duration in seconds after which uploads will expire. Note that when setting this to a low number, uploads could be cancelled before they are finished and return a 403 to the user.`|`86400`| +|`OC_ADMIN_USER_ID`
`STORAGE_USERS_PURGE_TRASH_BIN_USER_ID`| 1.0.0 |string|`ID of the user who collects all necessary information for deletion. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.`|``| +|`STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the personal trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|`720h0m0s`| +|`STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE`| 1.0.0 |Duration|`Specifies the period of time in which items that have been in the project trash-bin for longer than this value should be deleted. A value of 0 means no automatic deletion. See the Environment Variable Types description for more details.`|`720h0m0s`| +|`OC_SERVICE_ACCOUNT_ID`
`STORAGE_USERS_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`STORAGE_USERS_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| +|`OC_GATEWAY_GRPC_ADDR`
`STORAGE_USERS_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the gateway GRPC address.`|`127.0.0.1:9142`| +|`OC_MACHINE_AUTH_API_KEY`
`STORAGE_USERS_MACHINE_AUTH_API_KEY`| 1.0.0 |string|`Machine auth API key used to validate internal requests necessary for the access to resources from other services.`|``| +|`STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE`| 1.0.0 |int|`The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100.`|`0`| diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-users_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/storage-users_deprecation.md new file mode 100644 index 000000000..c59cea0de --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-users_deprecation.md @@ -0,0 +1,4 @@ + +:::danger +storage-users has deprecated environment variables. Please refer to the table below for more information. +::: \ No newline at end of file diff --git a/versioned_docs/version-7.x/_static/env-vars/storage-users_readme.md b/versioned_docs/version-7.x/_static/env-vars/storage-users_readme.md new file mode 100755 index 000000000..767ef7558 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/storage-users_readme.md 
@@ -0,0 +1,246 @@
+
+
+## Abstract
+
+
+Purpose and description to be added
+
+
+## Table of Contents
+
+* [Graceful Shutdown](#graceful-shutdown)
+* [CLI Commands](#cli-commands)
+ * [Manage Unfinished Uploads](#manage-unfinished-uploads)
+ * [Sessions command](#sessions-command)
+ * [Command Examples](#command-examples)
+ * [Manage Trash-Bin Items](#manage-trashbin-items)
+ * [Purge Expired](#purge-expired)
+ * [List and Restore Trash-Bins Items](#list-and-restore-trashbins-items)
+* [Caching](#caching)
+
+## Graceful Shutdown
+
+You can define a graceful shutdown period for the `storage-users` service.
+
+IMPORTANT: The graceful shutdown period is only applicable if the `storage-users` service runs as standalone service. It does not apply if the `storage-users` service runs as part of the single binary or as single Docker environment. To build an environment where the `storage-users` service runs as a standalone service, you must start two instances, one _without_ the `storage-users` service and one _only with_ the the `storage-users` service. Note that both instances must be able to communicate on the same network.
+
+When hard-stopping OpenCloud, for example with the `kill ` command (SIGKILL), it is possible and likely that not all data from the decomposedfs (metadata) has been written to the storage which may result in an inconsistent decomposedfs. When gracefully shutting down OpenCloud, using a command like SIGTERM, the process will no longer accept any write requests from _other_ services and will try to write the internal open requests which can take an undefined duration based on many factors. To mitigate that situation, the following things have been implemented:
+
+* With the value of the environment variable `STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT`, the `storage-users` service will delay its shutdown giving it time to finalize writing necessary data.
This delay can be necessary if there is a lot of data to be saved and/or if storage access/thruput is slow. In such a case you would receive an error log entry informing you that not all data could be saved in time. To prevent such occurrences, you must increase the default value.
+
+* If a shutdown error has been logged, the command-line maintenance tool to inspect and manipulate node metadata can help to fix the issue. Please contact support for details.
+
+## CLI Commands
+
+For any command listed, use `--help` to get more details and possible options and arguments.
+
+To authenticate CLI commands use:
+
+* `OC_SERVICE_ACCOUNT_SECRET=` and
+* `OC_SERVICE_ACCOUNT_ID=`.
+
+The `storage-users` CLI tool uses the default address to establish the connection to the `gateway` service. If the connection fails, check your custom `gateway` service `GATEWAY_GRPC_ADDR` configuration and set the same address in `storage-users` `OC_GATEWAY_GRPC_ADDR` or `STORAGE_USERS_GATEWAY_GRPC_ADDR`.
+
+### Manage Unfinished Uploads
+
+
+
+When using OpenCloud as user storage, a directory named `storage/users/uploads` can be found in the OpenCloud data folder. This is an intermediate directory based on [TUS](https://tus.io) which is an open protocol for resumable uploads. Each upload consists of a _blob_ and a _blob.info_ file. Note that the term _blob_ is just a placeholder.
+
+* **If an upload succeeds**, the _blob_ file will be moved to the target and the _blob.info_ file will be deleted.
+
+* **In case of incomplete uploads**, the _blob_ and _blob.info_ files will continue to receive data until either the upload succeeds in time or the upload expires based on the `STORAGE_USERS_UPLOAD_EXPIRATION` variable, see the table below for details.
+
+* **In case of expired uploads**, the _blob_ and _blob.info_ files will _not_ be removed automatically. Thus a lot of data can pile up over time wasting storage space.
+
+* **In the rare case of a failure**, after the upload succeeded but the file was not moved to its target location, which can happen when postprocessing fails, the situation is the same as with expired uploads.
+
+Example cases for expired uploads:
+
+* When a user uploads a big file but the file exceeds the user-quota, the upload can't be moved to the target after it has finished. The file stays at the upload location until it is manually cleared.
+
+* If the bandwidth is limited and the file to transfer can't be transferred completely before the upload expiration time is reached, the file expires and can't be processed.
+
+* If the upload was technically successful, but the postprocessing step failed due to an internal error, it will not get further processed. See the procedure **Resume Post-Processing** in the `postprocessing` service documentation for details how to solve this.
+
+The following commands are available to manage unfinished uploads:
+
+```bash
+opencloud storage-users uploads
+```
+
+```plaintext
+COMMANDS:
+ sessions Print a list of upload sessions
+```
+
+#### Sessions command
+
+The `sessions` command is the entry point for listing, restarting and cleaning unfinished uploads.
+
+**IMPORTANT**
+> If not noted otherwise, commands with the `restart` option can also use the `resume` option. This changes behaviour slightly.
+>
+> * `restart`\
+> When restarting an upload, all steps for open items will be restarted, except if otherwise defined.
+> * `resume`\
+> When resuming an upload, processing will continue unfinished items from their last completed step.
+
+```bash
+opencloud storage-users uploads sessions
+```
+
+```
+NAME:
+ opencloud storage-users uploads sessions - Print a list of upload sessions
+
+USAGE:
+ opencloud storage-users uploads sessions [command options]
+
+OPTIONS:
+ --id value filter sessions by upload session id (default: unset)
+ --processing filter sessions by processing status (default: unset)
+ --expired filter sessions by expired status (default: unset)
+ --has-virus filter sessions by virus scan result (default: unset)
+ --json output as json (default: false)
+ --restart send restart event for all listed sessions (default: false)
+ --resume send resume event for all listed sessions (default: false)
+ --clean remove uploads (default: false)
+ --help, -h show help
+```
+
+This will always output a list of uploads that match the criteria. See Command Examples section.
+
+Some additional information on returned information:
+ - `Offset` is the amount of bytes the server has already received. If `Offset` == `Size` the server has reveived all bytes of the upload.
+ - `Processing` indicates if the uploaded file is currently going through postprocessing.
+ - `Scan Date` and `Scan Result` indicate the scanning status. If `Scan Date` is set and `Scan Result` is empty the file is not virus infected.
+
+#### Command Examples
+
+Command to list ongoing upload sessions
+
+```bash
+opencloud storage-users uploads sessions --expired=false --processing=false
+```
+
+```plaintext
+Not expired sessions:
++--------------------------------------+--------------------------------------+---------+--------+------+--------------------------------------+--------------------------------------+---------------------------+------------+---------------------------+-----------------------+
+| Space | Upload Id | Name | Offset | Size | Executant | Owner | Expires | Processing | Scan Date | Scan Result |
++--------------------------------------+--------------------------------------+---------+--------+------+--------------------------------------+--------------------------------------+---------------------------+------------+---------------------------+-----------------------+
+| f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c | 5e387954-7313-4223-a904-bf996da6ec0b | foo.txt | 0 | 1234 | f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c | f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c | 2024-01-26T13:04:31+01:00 | false | 2024-04-24T11:24:14+02:00 | infected: virus A |
+| f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c | f066244d-97b2-48e7-a30d-b40fcb60cec6 | bar.txt | 0 | 4321 | f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c | f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c | 2024-01-26T13:18:47+01:00 | false | 2024-04-24T14:38:29+02:00 | |
++--------------------------------------+--------------------------------------+---------+--------+------+--------------------------------------+--------------------------------------+---------------------------+------------+---------------------------+-----------------------+
+```
+
+The sessions command can also output json
+
+```bash
+opencloud storage-users uploads sessions --expired=false --processing=false --json
+```
+
+```json
+{"id":"5e387954-7313-4223-a904-bf996da6ec0b","space":"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c","filename":"foo.txt","offset":0,"size":1234,"executant":{"idp":"https://cloud.opencloud.test","opaque_id":"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c"},"spaceowner":{"opaque_id":"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c"},"expires":"2024-01-26T13:04:31+01:00","processing":false, "scanDate": "2024-04-24T11:24:14+02:00", "scanResult": "infected: virus A"}
+{"id":"f066244d-97b2-48e7-a30d-b40fcb60cec6","space":"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c","filename":"bar.txt","offset":0,"size":4321,"executant":{"idp":"https://cloud.opencloud.test","opaque_id":"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c"},"spaceowner":{"opaque_id":"f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c"},"expires":"2024-01-26T13:18:47+01:00","processing":false, "scanDate": "2024-04-24T14:38:29+02:00", "scanResult": ""}
+```
+
+The sessions command can also clear and restart/resume uploads. The output is the same as if run without `--clean` or `--restart` flag.
+Note: It is recommended to run to command first without the `--clean` (`--processing`) flag to double check which uploads get cleaned (restarted/resumed).
+
+```bash
+# cleans all expired uploads regardless of processing and virus state.
+opencloud storage-users uploads sessions --expired=true --clean
+
+# resumes all uploads that are processing and are not virus infected
+opencloud storage-users uploads sessions --processing=false --has-virus=false --resume
+```
+
+### Manage Trash-Bin Items
+
+This command set provides commands to get an overview of trash-bin items, restore items and purge old items of `personal` spaces and `project` spaces (spaces that have been created manually). `trash-bin` commands require a `spaceID` as parameter.
+
+```bash
+opencloud storage-users trash-bin
+```
+
+```plaintext
+COMMANDS:
+ purge-expired Purge expired trash-bin items
+ list Print a list of all trash-bin items of a space.
+ restore-all Restore all trash-bin items for a space.
+ restore Restore a trash-bin item by ID.
+```
+
+#### Purge Expired
+
+* Purge all expired items from the trash-bin.
+ ```bash
+ opencloud storage-users trash-bin purge-expired
+ ```
+
+The behaviour of the `purge-expired` command can be configured by using the following environment variables.
+
+* `STORAGE_USERS_PURGE_TRASH_BIN_USER_ID`\
+Used to obtain space trash-bin information and takes the system admin user as the default which is the `OC_ADMIN_USER_ID` but can be set individually. It should be noted, that the `OC_ADMIN_USER_ID` is only assigned automatically when using the single binary deployment and must be manually assigned in all other deployments. The command only considers spaces to which the assigned user has access and delete permission.
+
+* `STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE`\
+Has a default value of `720h` which equals `30 days`. This means, the command will delete all files older than `30 days`. The value is human-readable. A value of `0` is equivalent to disable and prevents the deletion of `personal space` trash-bin files.
+
+* `STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE`\
+Has a default value of `720h` which equals `30 days`. This means, the command will delete all files older than `30 days`. The value is human-readable. A value of `0` is equivalent to disable and prevents the deletion of `project space` trash-bin files.
+
+#### List and Restore Trash-Bins Items
+
+Restoring is possible only to the original location. The personal or project `spaceID` is required for the items to be restored. To authenticate the CLI tool use:
+
+```bash
+OC_SERVICE_ACCOUNT_SECRET=
+OC_SERVICE_ACCOUNT_ID=
+```
+
+The `storage-users` CLI tool uses the default address to establish the connection to the `gateway` service.
If the connection fails, check the `GATEWAY_GRPC_ADDR` configuration from your `gateway` service and set the same address to the `storage-users` variable `STORAGE_USERS_GATEWAY_GRPC_ADDR` or globally with `OC_GATEWAY_GRPC_ADDR`.
+
+* Export the gateway address if your configuration differs from the default
+ ```bash
+ export STORAGE_USERS_GATEWAY_GRPC_ADDR=127.0.0.1:9142
+ ```
+
+* Print a list of all trash-bin items of a space
+ ```bash
+ opencloud storage-users trash-bin list [command options] ['spaceID' required]
+ ```
+
+The restore option defines the behavior for an item to be restored, when the item name already exists in the target space. Supported options are: `skip`, `replace` and `keep-both`. The default value is `skip`.
+
+When the CLI tool restores the item with the `replace` option, the existing item will be moved to a trash-bin. When the CLI tool restores the item with the `keep-both` option and the designated item already exists, the name of the restored item will be changed by adding a numeric suffix in parentheses. The variable `STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE` defines a maximum number of attempts to rename an item.
+
+* Restore all trash-bin items for a space
+ ```bash
+ opencloud storage-users trash-bin restore-all [command options] ['spaceID' required]
+ ```
+
+* Restore a trash-bin item by ID
+ ```bash
+ opencloud storage-users trash-bin restore [command options] ['spaceID' required] ['itemID' required]
+ ```
+
+## Caching
+
+The `storage-users` service caches stat, metadata and uuids of files and folders via the configured store in `STORAGE_USERS_FILEMETADATA_CACHE_STORE` and `STORAGE_USERS_ID_CACHE_STORE`. Possible stores are:
+ - `memory`: Basic in-memory store and the default.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `noop`: Stores nothing.
Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/thumbnails.yaml b/versioned_docs/version-7.x/_static/env-vars/thumbnails.yaml
new file mode 100644
index 000000000..c9da4da23
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/thumbnails.yaml
@@ -0,0 +1,63 @@ +# Autogenerated +# Filename: thumbnails.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9189 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9185 + tls: null + max_concurrent_requests: 0 +http: + addr: 127.0.0.1:9186 + tls: + enabled: false + cert: "" + key: "" + root: /thumbnails + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true +grpc_client_tls: null +thumbnail: + resolutions: + - 16x16 + - 32x32 + - 64x64 + - 128x128 + - 1080x1920 + - 1920x1080 + - 2160x3840 + - 3840x2160 + - 4320x7680 + - 7680x4320 + filesystem_storage: + root_directory: /var/lib/opencloud/thumbnails + webdav_allow_insecure: false + cs3_allow_insecure: false + reva_gateway: eu.opencloud.api.gateway + font_map_file: "" + transfer_secret: "" + data_endpoint: http://127.0.0.1:9186/thumbnails/data + max_input_width: 7680 + max_input_height: 7680 + max_input_image_file_size: 50MB diff --git a/versioned_docs/version-7.x/_static/env-vars/thumbnails_configvars.md b/versioned_docs/version-7.x/_static/env-vars/thumbnails_configvars.md new file mode 100644 index 000000000..fbcc65fec --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/thumbnails_configvars.md @@ -0,0 +1,31 @@ +## Environment variables for the **thumbnails** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`THUMBNAILS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`THUMBNAILS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9189`| +|`THUMBNAILS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`THUMBNAILS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`THUMBNAILS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`THUMBNAILS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9185`| +|`THUMBNAILS_MAX_CONCURRENT_REQUESTS`| 1.0.0 |int|`Number of maximum concurrent thumbnail requests. Default is 0 which is unlimited.`|`0`| +|`THUMBNAILS_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9186`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`THUMBNAILS_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/thumbnails`| +|`OC_CORS_ALLOW_ORIGINS`
`THUMBNAILS_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`THUMBNAILS_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`THUMBNAILS_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`THUMBNAILS_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`THUMBNAILS_RESOLUTIONS`| 1.0.0 |[]string|`The supported list of target resolutions in the format WidthxHeight like 32x32. You can define any resolution as required. See the Environment Variable Types description for more details.`|`[16x16 32x32 64x64 128x128 1080x1920 1920x1080 2160x3840 3840x2160 4320x7680 7680x4320]`| +|`THUMBNAILS_FILESYSTEMSTORAGE_ROOT`| 1.0.0 |string|`The directory where the filesystem storage will store the thumbnails. If not defined, the root directory derives from $OC_BASE_DATA_PATH/thumbnails.`|`/var/lib/opencloud/thumbnails`| +|`OC_INSECURE`
`THUMBNAILS_WEBDAVSOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the webdav source.`|`false`| +|`OC_INSECURE`
`THUMBNAILS_CS3SOURCE_INSECURE`| 1.0.0 |bool|`Ignore untrusted SSL certificates when connecting to the CS3 source.`|`false`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`THUMBNAILS_TXT_FONTMAP_FILE`| 1.0.0 |string|`The path to a font file for txt thumbnails.`|``| +|`THUMBNAILS_TRANSFER_TOKEN`| 1.0.0 |string|`The secret to sign JWT to download the actual thumbnail file.`|``| +|`THUMBNAILS_DATA_ENDPOINT`| 1.0.0 |string|`The HTTP endpoint where the actual thumbnail file can be downloaded.`|`http://127.0.0.1:9186/thumbnails/data`| +|`THUMBNAILS_MAX_INPUT_WIDTH`| 1.0.0 |int|`The maximum width of an input image which is being processed.`|`7680`| +|`THUMBNAILS_MAX_INPUT_HEIGHT`| 1.0.0 |int|`The maximum height of an input image which is being processed.`|`7680`| +|`THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE`| 1.0.0 |string|`The maximum file size of an input image which is being processed. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.`|`50MB`| diff --git a/versioned_docs/version-7.x/_static/env-vars/thumbnails_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/thumbnails_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/thumbnails_readme.md b/versioned_docs/version-7.x/_static/env-vars/thumbnails_readme.md new file mode 100755 index 000000000..43500cb73 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/thumbnails_readme.md 
@@ -0,0 +1,142 @@
+
+
+## Abstract
+
+
+The thumbnails service provides methods to generate thumbnails for various files and resolutions based on requests. It retrieves the sources at the location where the user files are stored and saves the thumbnails where system files are stored. Those locations have defaults but can be manually defined via environment variables.
+
+
+## Table of Contents
+
+* [File Locations Overview](#file-locations-overview)
+* [Thumbnail Location](#thumbnail-location)
+* [Thumbnail Source File Types](#thumbnail-source-file-types)
+* [Thumbnail Target File Types](#thumbnail-target-file-types)
+* [Thumbnail Query String Parameters](#thumbnail-query-string-parameters)
+* [Thumbnail Resolution](#thumbnail-resolution)
+* [Thumbnail Processors](#thumbnail-processors)
+* [Deleting Thumbnails](#deleting-thumbnails)
+* [Memory Considerations](#memory-considerations)
+* [Thumbnails and SecureView](#thumbnails-and-secureview)
+* [Using libvips for Thumbnail Generation](#using-libvips-for-thumbnail-generation)
+
+## File Locations Overview
+
+The relevant environment variables defining file locations are:
+
+- (1) `OC_BASE_DATA_PATH`
+- (2) `STORAGE_USERS_DECOMPOSED_ROOT`
+- (3) `THUMBNAILS_FILESYSTEMSTORAGE_ROOT`
+
+(1) ... Having a default set by the OpenCloud code, but if defined, used as base path for other services.
+(2) ... Source files, defaults to (1) plus path component, but can be freely defined if required.
+(3) ... Target files, defaults to (1) plus path component, but can be freely defined if required.
+
+For details and defaults for these environment variables see the OpenCloud admin documentation.
+
+## Thumbnail Location
+
+It may be beneficial to define the location of the thumbnails to be other than the default (with system files). This is due the fact that storing thumbnails can consume a lot of space over time which not necessarily needs to reside on the same partition or mount or expensive drives.
+
+## Thumbnail Source File Types
+
+Thumbnails can be generated from the following source file types:
+
+- png
+- jpg
+- gif
+- tiff
+- bmp
+- txt
+
+The thumbnail service retrieves source files using the information provided by the backend. The Linux backend identifies source files usually based on the extension.
+
+If a file type was not properly assigned or the type identification failed, thumbnail generation will fail and an error will be logged.
+
+## Thumbnail Target File Types
+
+Thumbnails can either be generated as `png`, `jpg` or `gif` files. These types are hardcoded and no other types can be requested. A requestor, like another service or a client, can request one of the available types to be generated. If more than one type is required, each type must be requested individually.
+
+## Thumbnail Query String Parameters
+
+Clients can request thumbnail previews for files by adding `?preview=1` to the file URL. Requests for files with no thumbnail available respond with HTTP status `404`.
+
+The following query parameters are supported:
+
+| Parameter | Required | Default Value | Description |
+|-----------|----------|------------------------------------------------------|---------------------------------------------------------------------------------|
+| preview | YES | 1 | generates preview |
+| x | YES | first x-value configured in `THUMBNAILS_RESOLUTIONS` | horizontal target size |
+| y | YES | first y-value configured in `THUMBNAILS_RESOLUTIONS` | vertical target size |
+| scalingup | NO | 0 | prevents up-scaling of small images |
+| a | NO | 1 | aspect ratio |
+| c | NO | Caching string | Clients should send the etag, so they get a fresh thumbnail after a file change |
+| processor | NO | `resize` for gifs and `thumbnail` for all others | preferred thumbnail processor |
+
+## Thumbnail Resolution
+
+Various resolutions can be defined via `THUMBNAILS_RESOLUTIONS`.
A requestor can request any arbitrary resolution and the thumbnail service will use the one closest to the requested resolution. If more than one resolution is required, each resolution must be requested individually.
+
+Example:
+
+Requested: 18x12\
+Available: 30x20, 15x10, 9x6\
+Returned: 15x10
+
+## Thumbnail Processors
+
+Normally, an image might get cropped when creating a preview, depending on the aspect ratio of the original image. This can have negative
+impacts on previews as only a part of the image will be shown. When using an _optional_ processor in the request, cropping can be avoided by defining on how the preview image generation will be done. The following processors are available:
+
+* `resize` resizes the image to the specified width and height and returns the transformed image. If one of width or height is 0, the image aspect ratio is preserved.
+* `fit` scales down the image to fit the specified maximum width and height and returns the transformed image.
+* `fill`: creates an image with the specified dimensions and fills it with the scaled source image. To achieve the correct aspect ratio without stretching, the source image will be cropped.
+* `thumbnail` scales the image up or down, crops it to the specified width and height and returns the transformed image.
+
+To apply one of those, a query parameter has to be added to the request, like `?processor=fit`. If no query parameter or processor is added, the default behaviour applies which is `resize` for gifs and `thumbnail` for all others.
+
+## Deleting Thumbnails
+
+As of now, there is no automated thumbnail deletion. This is especially true when a source file gets deleted or moved. This situation will be solved at a later stage. For the time being, if you run short on physical thumbnails space, you have to manually delete the thumbnail store to free space. Thumbnails will then be recreated on request.
+
+## Memory Considerations
+
+Since source files need to be loaded into memory when generating thumbnails, large source files could potentially crash this service if there is insufficient memory available. For bigger instances when using container orchestration deployment methods, this service can be dedicated to its own server(s) with more memory.
+To have more control over memory (and CPU) consumption the maximum number of concurrent requests can be limited by setting the environment variable `THUMBNAILS_MAX_CONCURRENT_REQUESTS`. The default value is 0 which does not apply any restrictions to the number of concurrent requests. As soon as the number of concurrent requests is reached any further request will be responded with `429/Too Many Requests` and the client can retry at a later point in time.
+
+## Thumbnails and SecureView
+
+If a resource is shared using SecureView, the share reciever will get a 403 (forbidden) response when requesting a thumbnail. The requesting client needs to decide what to show and usually a placeholder thumbnail is used.
+
+## Using libvips for Thumbnail Generation
+
+To improve performance and to support a wider range of images formats, the thumbnails service is able to utilize the [libvips library](https://www.libvips.org/) for thumbnail generation. Support for libvips needs to be
+enabled at buildtime and has a couple of implications:
+
+* With libvips support enabled, it is not possible to create a statically linked OpenCloud binary.
+* Therefore, the libvips shared libraries need to be available at runtime in the same release that was used to build the OpenCloud binary.
+* When using the OpenCloud docker images, the libvips shared libraries are included in the image and are correctly embedded.
+
+Support of libvips is disabled by default. To enable it, make sure libvips and its buildtime dependencies are installed in your build environment.
For macOS users, add the build time dependencies via:
+
+```shell
+brew install vips pkg-config
+export PKG_CONFIG_PATH="/usr/local/opt/libffi/lib/pkgconfig"
+```
+
+Then you just need to set the `ENABLE_VIPS` variable on the `make` command:
+
+```shell
+make -C opencloud build ENABLE_VIPS=1
+```
+
+Or include the `enable_vips` build tag in the `go build` command:
+
+```shell
+go build -tags enable_vips -o opencloud -o bin/opencloud ./cmd/opencloud
+```
+
+When building a docker image using the Dockerfile in the top-level directory of OpenCloud, libvips support is enabled and the libvips shared libraries are included
+in the resulting docker image.
+
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/userlog.yaml b/versioned_docs/version-7.x/_static/env-vars/userlog.yaml
new file mode 100644
index 000000000..756fa70d8
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/userlog.yaml
@@ -0,0 +1,61 @@ +# Autogenerated +# Filename: userlog.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9214 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9210 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Ocs-Apirequest + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +grpc_client_tls: null +token_manager: + jwt_secret: "" +reva_gateway: eu.opencloud.api.gateway +translation_path: "" +default_language: "" +events: + endpoint: 127.0.0.1:9233 + cluster: opencloud-cluster + tls_insecure: false + tls_root_ca_certificate: "" + enable_tls: false + username: "" + password: "" +max_concurrency: 1 +persistence: + store: memory + nodes: [] + database: userlog + table: events + ttl: 336h0m0s + username: "" + password: "" + enable_tls: false + tls_insecure: false + tls_root_ca_certificate: "" +disable_sse: false +global_notifications_secret: "" +service_account: + service_account_id: "" + service_account_secret: "" diff --git a/versioned_docs/version-7.x/_static/env-vars/userlog_configvars.md b/versioned_docs/version-7.x/_static/env-vars/userlog_configvars.md new file mode 100644 index 000000000..34ae372c4 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/userlog_configvars.md @@ -0,0 +1,44 @@ +## Environment variables for the **userlog** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`USERLOG_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`USERLOG_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9214`| +|`USERLOG_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`USERLOG_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`USERLOG_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`USERLOG_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9210`| +|`USERLOG_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`USERLOG_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`USERLOG_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET]`| +|`OC_CORS_ALLOW_HEADERS`
`USERLOG_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`USERLOG_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_JWT_SECRET`
`USERLOG_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| +|`OC_TRANSLATION_PATH`
`USERLOG_TRANSLATION_PATH`| 1.0.0 |string|`(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.`|``| +|`OC_DEFAULT_LANGUAGE`| 1.0.0 |string|`The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.`|``| +|`OC_EVENTS_ENDPOINT`
`USERLOG_EVENTS_ENDPOINT`| 1.0.0 |string|`The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.`|`127.0.0.1:9233`| +|`OC_EVENTS_CLUSTER`
`USERLOG_EVENTS_CLUSTER`| 1.0.0 |string|`The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.`|`opencloud-cluster`| +|`OC_INSECURE`
`OC_EVENTS_TLS_INSECURE`
`USERLOG_EVENTS_TLS_INSECURE`| 1.0.0 |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_EVENTS_TLS_ROOT_CA_CERTIFICATE`
`USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`| 1.0.0 |string|`The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.`|``| +|`OC_EVENTS_ENABLE_TLS`
`USERLOG_EVENTS_ENABLE_TLS`| 1.0.0 |bool|`Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|`false`| +|`OC_EVENTS_AUTH_USERNAME`
`USERLOG_EVENTS_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_EVENTS_AUTH_PASSWORD`
`USERLOG_EVENTS_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services.`|``| +|`OC_MAX_CONCURRENCY`
`USERLOG_MAX_CONCURRENCY`| 1.0.0 |int|`Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.`|`1`| +|`OC_PERSISTENT_STORE`
`USERLOG_STORE`| 1.0.0 |string|`The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.`|`memory`| +|`OC_PERSISTENT_STORE_NODES`
`USERLOG_STORE_NODES`| 1.0.0 |[]string|`A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.`|`[]`| +|`USERLOG_STORE_DATABASE`| 1.0.0 |string|`The database name the configured store should use.`|`userlog`| +|`USERLOG_STORE_TABLE`| 1.0.0 |string|`The database table the store should use.`|`events`| +|`OC_PERSISTENT_STORE_TTL`
`USERLOG_STORE_TTL`| 1.0.0 |Duration|`Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.`|`336h0m0s`| +|`OC_PERSISTENT_STORE_AUTH_USERNAME`
`USERLOG_STORE_AUTH_USERNAME`| 1.0.0 |string|`The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_AUTH_PASSWORD`
`USERLOG_STORE_AUTH_PASSWORD`| 1.0.0 |string|`The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.`|``| +|`OC_PERSISTENT_STORE_ENABLE_TLS`
`USERLOG_STORE_ENABLE_TLS`| next |bool|`Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured.`|`false`| +|`OC_INSECURE`
`OC_PERSISTENT_STORE_TLS_INSECURE`
`USERLOG_STORE_TLS_INSECURE`| next |bool|`Whether to verify the server TLS certificates.`|`false`| +|`OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE`
`USERLOG_STORE_TLS_ROOT_CA_CERTIFICATE`| next |string|`The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false.`|``| +|`OC_DISABLE_SSE,USERLOG_DISABLE_SSE`| 1.0.0 |bool|`Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.`|`false`| +|`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`| 1.0.0 |string|`The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.`|``| +|`OC_SERVICE_ACCOUNT_ID`
`USERLOG_SERVICE_ACCOUNT_ID`| 1.0.0 |string|`The ID of the service account the service should use. See the 'auth-service' service description for more details.`|``| +|`OC_SERVICE_ACCOUNT_SECRET`
`USERLOG_SERVICE_ACCOUNT_SECRET`| 1.0.0 |string|`The service account secret.`|``| diff --git a/versioned_docs/version-7.x/_static/env-vars/userlog_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/userlog_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/userlog_readme.md b/versioned_docs/version-7.x/_static/env-vars/userlog_readme.md new file mode 100755 index 000000000..1feed61fa --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/userlog_readme.md 
@@ -0,0 +1,105 @@
+
+
+## Abstract
+
+
+The `userlog` service is a mediator between the `eventhistory` service and clients who want to be informed about user related events. It provides an API to retrieve those.
+
+
+## Table of Contents
+
+* [The Log Service Ecosystem](#the-log-service-ecosystem)
+* [Prerequisites](#prerequisites)
+* [Storing](#storing)
+* [Configuring](#configuring)
+* [Retrieving](#retrieving)
+* [Posting](#posting)
+ * [Authentication](#authentication)
+ * [Deprovisioning](#deprovisioning)
+* [Deleting](#deleting)
+* [Translations](#translations)
+ * [Translation Rules](#translation-rules)
+* [Default Language](#default-language)
+
+## The Log Service Ecosystem
+
+Log services like the `userlog`, `clientlog` and `sse` are responsible for composing notifications for a certain audience.
+ - The `userlog` service translates and adjusts messages to be human readable.
+ - The `clientlog` service composes machine readable messages, so clients can act without the need to query the server.
+ - The `sse` service is only responsible for sending these messages. It does not care about their form or language.
+
+## Prerequisites
+
+Running the `userlog` service without running the `eventhistory` service is not possible.
+
+## Storing
+
+The `userlog` service persists information via the configured store in `USERLOG_STORE`. Possible stores are:
+ - `memory`: Basic in-memory store and the default.
+ - `redis-sentinel`: Stores data in a configured Redis Sentinel cluster.
+ - `nats-js-kv`: Stores data using key-value-store feature of [nats jetstream](https://docs.nats.io/nats-concepts/jetstream/key-value-store)
+ - `noop`: Stores nothing. Useful for testing. Not recommended in production environments.
+
+Other store types may work but are not supported currently.
+
+Note: The service can only be scaled if not using `memory` store and the stores are configured identically over all instances!
+
+Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
+
+Store specific notes:
+ - When using `redis-sentinel`, the Redis master to use is configured via e.g. `OC_CACHE_STORE_NODES` in the form of `:/` like `10.10.0.200:26379/mymaster`.
+ - When using `nats-js-kv` it is recommended to set `OC_CACHE_STORE_NODES` to the same value as `OC_EVENTS_ENDPOINT`. That way the cache uses the same nats instance as the event bus.
+ - When using the `nats-js-kv` store, it is possible to set `OC_CACHE_DISABLE_PERSISTENCE` to instruct nats to not persist cache data on disc.
+
+## Configuring
+
+For the time being, the configuration which user related events are of interest is hardcoded and cannot be changed.
+
+## Retrieving
+
+The `userlog` service provides an API to retrieve configured events. For now, this API is mostly following the [oc10 notification GET API](https://doc.owncloud.com/server/next/developer_manual/core/apis/ocs-notification-endpoint-v1.html#get-user-notifications).
+
+## Posting
+
+The userlog service is able to store global messages that will be displayed in the Web UI to all users. If a user deletes the message in the Web UI, it reappears on reload. Global messages use the endpoint `/ocs/v2.php/apps/notifications/api/v1/notifications/global` and are activated by sending a `POST` request. Note that sending another `POST` request of the same type overwrites the previous one. For the time being, only the type `deprovision` is supported.
+
+### Authentication
+
+`POST` and `DELETE` endpoints provide notifications to all users. Therefore only certain users can configure them. Two authentication methods for this endpoint are provided. Users with the `admin` role can always access these endpoints.
Additionally, a static secret via the `USERLOG_GLOBAL_NOTIFICATIONS_SECRET` can be defined to enable access for users knowing this secret, which has to be sent with the header containing the request.
+
+### Deprovisioning
+
+Deprovision messages announce a deprovision text including a deprovision date of the instance to all users. With this message, users get informed that the instance will be shut down and deprovisioned and no further access to their data is possible past the given date. This implies that users must download their data before the given date. The text shown to users refers to this information. Note that the task to deprovision the instance does not depend on the message. The text of the message can be translated according to the translation settings, see section [Translations](#translations). The endpoint only expects a `deprovision_date` parameter in the `POST` request body as the final text is assembled automatically. The string hast to be in `RFC3339` format, however, this format can be changed by using `deprovision_date_format`. See the [go time formating](https://pkg.go.dev/time#pkg-constants) for more details.
+
+## Deleting
+
+To delete events for an user, use a `DELETE` request to `ocs/v2.php/apps/notifications/api/v1/notifications` containing the IDs to delete.
+
+Sending a `DELETE` request to the `ocs/v2.php/apps/notifications/api/v1/notifications/global` endpoint to remove a global message is a restricted action, see the [Authentication](#authentication) section for more details.)
+
+## Translations
+
+The `userlog` service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used.
To configure custom translations, the `USERLOG_TRANSLATION_PATH` environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the userlog service, a shared storage is recommended. Translation files must be of type [.po](https://www.gnu.org/software/gettext/manual/html_node/PO-Files.html#PO-Files) or [.mo](https://www.gnu.org/software/gettext/manual/html_node/Binaries.html). For each language, the filename needs to be `userlog.po` (or `userlog.mo`) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be:
+
+```text
+{USERLOG_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/userlog.po
+```
+
+The language code pattern is composed of `language[_territory]` where `language` is the base language and `_territory` is optional and defines a country.
+
+For example, for the language `de`, one needs to place the corresponding translation files to `{USERLOG_TRANSLATION_PATH}/de_DE/LC_MESSAGES/userlog.po`.
+
+
+
+Important: For the time being, the embedded OpenCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code `language_territory`, the web frontend does not see it as it only requests `language`. In consequence, any translations made must exist in the requested `language` to avoid a fallback to the default.
+
+### Translation Rules
+
+* If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code `de_DE` is not available, the service tries to fall back to translations in the `de` folder.
+* If the base language `de` is also not available, the service falls back to the system's default English (`en`),
+which is the source of the texts provided by the code.
+
+## Default Language
+
+The default language can be defined via the `OC_DEFAULT_LANGUAGE` environment variable. See the `settings` service for a detailed description.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/users.yaml b/versioned_docs/version-7.x/_static/env-vars/users.yaml
new file mode 100644
index 000000000..d5a285577
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/users.yaml
@@ -0,0 +1,76 @@ +# Autogenerated +# Filename: users.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9145 + token: "" + pprof: false + zpages: false +grpc: + addr: 127.0.0.1:9144 + tls: null + protocol: tcp +token_manager: + jwt_secret: "" +reva: + address: eu.opencloud.api.gateway + tls: + mode: "" + cacert: "" +skip_user_groups_in_token: false +driver: ldap +drivers: + ldap: + uri: ldap://localhost:9236 + ca_cert: "" + insecure: false + bind_dn: uid=reva,ou=sysusers,o=libregraph-idm + bind_password: "" + user_base_dn: ou=users,o=libregraph-idm + group_base_dn: ou=groups,o=libregraph-idm + tenant_base_dn: "" + tenant_scope: sub + tenant_filter: "" + tenant_object_class: "" + tenant_schema: + id: "" + external_id: "" + name: "" + user_scope: sub + group_scope: sub + user_substring_filter_type: any + user_filter: "" + group_filter: "" + user_object_class: inetOrgPerson + group_object_class: groupOfNames + idp: https://localhost:9200 + disable_user_mechanism: attribute + user_type_attribute: openCloudUserType + ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm + user_schema: + id: openclouduuid + tenant_id: "" + id_is_octet_string: false + mail: mail + display_name: displayname + user_name: uid + user_enabled: openclouduserenabled + group_schema: + id: openclouduuid + id_is_octet_string: false + mail: mail + display_name: cn + group_name: cn + member: member + owncloudsql: + db_username: owncloud + db_password: secret + db_host: mysql + db_port: 3306 + db_name: owncloud + idp: https://localhost:9200 + nobody: 90 + join_username: false + join_owncloud_uuid: false + enable_medial_search: false diff --git a/versioned_docs/version-7.x/_static/env-vars/users_configvars.md b/versioned_docs/version-7.x/_static/env-vars/users_configvars.md new file mode 100644 index 000000000..b60482f61 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/users_configvars.md 
@@ -0,0 +1,65 @@ +## Environment variables for the **users** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`USERS_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`USERS_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9145`| +|`USERS_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`USERS_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`USERS_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`USERS_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`127.0.0.1:9144`| +|`OC_GRPC_PROTOCOL`
`USERS_GRPC_PROTOCOL`| 1.0.0 |string|`The transport protocol of the GPRC service.`|`tcp`| +|`OC_JWT_SECRET`
`USERS_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`The CS3 gateway endpoint.`|`eu.opencloud.api.gateway`| +|`OC_GRPC_CLIENT_TLS_MODE`| 1.0.0 |string|`TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.`|``| +|`OC_GRPC_CLIENT_TLS_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.`|``| +|`USERS_SKIP_USER_GROUPS_IN_TOKEN`| 1.0.0 |bool|`Disables the loading of user's group memberships from the reva access token.`|`false`| +|`USERS_DRIVER`| 1.0.0 |string|`The driver which should be used by the users service. Supported values are 'ldap' and 'owncloudsql'.`|`ldap`| +|`OC_LDAP_URI`
`USERS_LDAP_URI`| 1.0.0 |string|`URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'`|`ldap://localhost:9236`| +|`OC_LDAP_CACERT`
`USERS_LDAP_CACERT`| 1.0.0 |string|`Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm.`|``| +|`OC_LDAP_INSECURE`
`USERS_LDAP_INSECURE`| 1.0.0 |bool|`Disable TLS certificate validation for the LDAP connections. Do not set this in production environments.`|`false`| +|`OC_LDAP_BIND_DN`
`USERS_LDAP_BIND_DN`| 1.0.0 |string|`LDAP DN to use for simple bind authentication with the target LDAP server.`|`uid=reva,ou=sysusers,o=libregraph-idm`| +|`OC_LDAP_BIND_PASSWORD`
`USERS_LDAP_BIND_PASSWORD`| 1.0.0 |string|`Password to use for authenticating the 'bind_dn'.`|``| +|`OC_LDAP_USER_BASE_DN`
`USERS_LDAP_USER_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP users.`|`ou=users,o=libregraph-idm`| +|`OC_LDAP_GROUP_BASE_DN`
`USERS_LDAP_GROUP_BASE_DN`| 1.0.0 |string|`Search base DN for looking up LDAP groups.`|`ou=groups,o=libregraph-idm`| +|`OC_LDAP_TENANT_BASE_DN`
`USERS_LDAP_TENANT_BASE_DN`| 6.1.0 |string|`Search base DN for looking up LDAP tenants. Only relevant in multi-tenant setups.`|``| +|`OC_LDAP_TENANT_SCOPE`
`USERS_LDAP_TENANT_SCOPE`| 6.1.0 |string|`LDAP search scope to use when looking up tenants. Supported values are 'base', 'one' and 'sub'. Only relevant in multi-tenant setups.`|`sub`| +|`OC_LDAP_TENANT_FILTER`
`USERS_LDAP_TENANT_FILTER`| 6.1.0 |string|`LDAP filter to add to the default filters for tenant searches. Only relevant in multi-tenant setups.`|``| +|`OC_LDAP_TENANT_OBJECTCLASS`
`USERS_LDAP_TENANT_OBJECTCLASS`| 6.1.0 |string|`The object class to use for tenants in the default tenant search filter. Only relevant in multi-tenant setups.`|``| +|`OC_LDAP_TENANT_SCHEMA_ID`
`USERS_LDAP_TENANT_SCHEMA_ID`| 6.1.0 |string|`LDAP Attribute to use as the unique internal ID for tenants. Only relevant in multi-tenant setups.`|``| +|`OC_LDAP_TENANT_SCHEMA_EXTERNAL_ID`
`USERS_LDAP_TENANT_SCHEMA_EXTERNAL_ID`| 6.1.0 |string|`LDAP Attribute that holds the external tenant ID as it appears in OIDC claims. Only relevant in multi-tenant setups.`|``| +|`OC_LDAP_TENANT_SCHEMA_NAME`
`USERS_LDAP_TENANT_SCHEMA_NAME`| 6.1.0 |string|`LDAP Attribute to use for the human-readable name of a tenant. Only relevant in multi-tenant setups.`|``| +|`OC_LDAP_USER_SCOPE`
`USERS_LDAP_USER_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`OC_LDAP_GROUP_SCOPE`
`USERS_LDAP_GROUP_SCOPE`| 1.0.0 |string|`LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'.`|`sub`| +|`LDAP_USER_SUBSTRING_FILTER_TYPE`
`USERS_LDAP_USER_SUBSTRING_FILTER_TYPE`| 1.0.0 |string|`Type of substring search filter to use for substring searches for users. Possible values: 'initial' for doing prefix only searches, 'final' for doing suffix only searches or 'any' for doing full substring searches`|`any`| +|`OC_LDAP_USER_FILTER`
`USERS_LDAP_USER_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'.`|``| +|`OC_LDAP_GROUP_FILTER`
`USERS_LDAP_GROUP_FILTER`| 1.0.0 |string|`LDAP filter to add to the default filters for group searches.`|``| +|`OC_LDAP_USER_OBJECTCLASS`
`USERS_LDAP_USER_OBJECTCLASS`| 1.0.0 |string|`The object class to use for users in the default user search filter like 'inetOrgPerson'.`|`inetOrgPerson`| +|`OC_LDAP_GROUP_OBJECTCLASS`
`USERS_LDAP_GROUP_OBJECTCLASS`| 1.0.0 |string|`The object class to use for groups in the default group search filter like 'groupOfNames'.`|`groupOfNames`| +|`OC_URL`
`OC_OIDC_ISSUER`
`USERS_IDP_URL`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`OC_LDAP_DISABLE_USER_MECHANISM`
`USERS_LDAP_DISABLE_USER_MECHANISM`| 1.0.0 |string|`An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed.`|`attribute`| +|`OC_LDAP_USER_SCHEMA_USER_TYPE`
`USERS_LDAP_USER_TYPE_ATTRIBUTE`| 1.0.0 |string|`LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'.`|`openCloudUserType`| +|`OC_LDAP_DISABLED_USERS_GROUP_DN`
`USERS_LDAP_DISABLED_USERS_GROUP_DN`| 1.0.0 |string|`The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'.`|`cn=DisabledUsersGroup,ou=groups,o=libregraph-idm`| +|`OC_LDAP_USER_SCHEMA_ID`
`USERS_LDAP_USER_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID.`|`openclouduuid`| +|`OC_LDAP_USER_SCHEMA_TENANT_ID`
`USERS_LDAP_USER_SCHEMA_TENANT_ID`| 4.0.0 |string|`LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment.`|``| +|`OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.`|`false`| +|`OC_LDAP_USER_SCHEMA_MAIL`
`USERS_LDAP_USER_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of users.`|`mail`| +|`OC_LDAP_USER_SCHEMA_DISPLAYNAME`
`USERS_LDAP_USER_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of users.`|`displayname`| +|`OC_LDAP_USER_SCHEMA_USERNAME`
`USERS_LDAP_USER_SCHEMA_USERNAME`| 1.0.0 |string|`LDAP Attribute to use for username of users.`|`uid`| +|`OC_LDAP_USER_ENABLED_ATTRIBUTE`
`USERS_LDAP_USER_ENABLED_ATTRIBUTE`| 1.0.0 |string|`LDAP attribute to use as a flag telling if the user is enabled or disabled.`|`openclouduserenabled`| +|`OC_LDAP_GROUP_SCHEMA_ID`
`USERS_LDAP_GROUP_SCHEMA_ID`| 1.0.0 |string|`LDAP Attribute to use as the unique ID for groups. This should be a stable globally unique ID like a UUID.`|`openclouduuid`| +|`OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`
`USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING`| 1.0.0 |bool|`Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's.`|`false`| +|`OC_LDAP_GROUP_SCHEMA_MAIL`
`USERS_LDAP_GROUP_SCHEMA_MAIL`| 1.0.0 |string|`LDAP Attribute to use for the email address of groups (can be empty).`|`mail`| +|`OC_LDAP_GROUP_SCHEMA_DISPLAYNAME`
`USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME`| 1.0.0 |string|`LDAP Attribute to use for the displayname of groups (often the same as groupname attribute).`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_GROUPNAME`
`USERS_LDAP_GROUP_SCHEMA_GROUPNAME`| 1.0.0 |string|`LDAP Attribute to use for the name of groups.`|`cn`| +|`OC_LDAP_GROUP_SCHEMA_MEMBER`
`USERS_LDAP_GROUP_SCHEMA_MEMBER`| 1.0.0 |string|`LDAP Attribute that is used for group members.`|`member`| +|`USERS_OWNCLOUDSQL_DB_USERNAME`| 1.0.0 |string|`Database user to use for authenticating with the owncloud database.`|`owncloud`| +|`USERS_OWNCLOUDSQL_DB_PASSWORD`| 1.0.0 |string|`Password for the database user.`|`secret`| +|`USERS_OWNCLOUDSQL_DB_HOST`| 1.0.0 |string|`Hostname of the database server.`|`mysql`| +|`USERS_OWNCLOUDSQL_DB_PORT`| 1.0.0 |int|`Network port to use for the database connection.`|`3306`| +|`USERS_OWNCLOUDSQL_DB_NAME`| 1.0.0 |string|`Name of the owncloud database.`|`owncloud`| +|`USERS_OWNCLOUDSQL_IDP`| 1.0.0 |string|`The identity provider value to set in the userids of the CS3 user objects for users returned by this user provider.`|`https://localhost:9200`| +|`USERS_OWNCLOUDSQL_NOBODY`| 1.0.0 |int64|`Fallback number if no numeric UID and GID properties are provided.`|`90`| +|`USERS_OWNCLOUDSQL_JOIN_USERNAME`| 1.0.0 |bool|`Join the user properties table to read usernames`|`false`| +|`USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID`| 1.0.0 |bool|`Join the user properties table to read user IDs.`|`false`| +|`USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH`| 1.0.0 |bool|`Allow 'medial search' when searching for users instead of just doing a prefix search. This allows finding 'Alice' when searching for 'lic'.`|`false`| diff --git a/versioned_docs/version-7.x/_static/env-vars/users_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/users_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/users_readme.md b/versioned_docs/version-7.x/_static/env-vars/users_readme.md new file mode 100755 index 000000000..26a1b4af1 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/users_readme.md 
@@ -0,0 +1,40 @@
+
+
+## Abstract
+
+
+The `users` service provides the CS3 Users API for OpenCloud. It is responsible for managing user information and authentication within the OpenCloud instance.
+
+This service implements the CS3 identity user provider interface, allowing other services to query and manage user accounts. It works as a backend provider for the `graph` service when using the CS3 backend mode.
+
+
+## Table of Contents
+
+* [Backend Integration](#backend-integration)
+* [API](#api)
+* [Usage](#usage)
+* [Scalability](#scalability)
+
+## Backend Integration
+
+The users service can work with different storage backends:
+- LDAP integration through the graph service
+- Direct CS3 API implementation
+
+When using the `graph` service with the CS3 backend (`GRAPH_IDENTITY_BACKEND=cs3`), the graph service queries user information through this service.
+
+## API
+
+The service provides CS3 gRPC APIs for:
+- Listing users
+- Getting user information
+- Finding users by username, email, or ID
+
+## Usage
+
+The users service is only used internally by other OpenCloud services and not being accessed directly by clients. The `frontend`, `ocs`, and `graph` services translate HTTP API requests into CS3 API calls to this service.
+
+## Scalability
+
+Since the users service queries backend systems (like LDAP through the configured identity backend), it can be scaled horizontally without additional configuration when using stateless backends.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/web.yaml b/versioned_docs/version-7.x/_static/env-vars/web.yaml
new file mode 100644
index 000000000..716cfa412
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/web.yaml
@@ -0,0 +1,126 @@ +# Autogenerated +# Filename: web.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9104 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9100 + tls: + enabled: false + cert: "" + key: "" + root: / + cache_ttl: 604800 + cors: + allow_origins: + - https://localhost:9200 + allow_methods: + - OPTIONS + - HEAD + - GET + - PUT + - PATCH + - POST + - DELETE + - MKCOL + - PROPFIND + - PROPPATCH + - MOVE + - COPY + - REPORT + - SEARCH + allow_headers: + - Origin + - Accept + - Content-Type + - Depth + - Authorization + - Ocs-Apirequest + - If-None-Match + - If-Match + - Destination + - Overwrite + - X-Request-Id + - X-Requested-With + - Tus-Resumable + - Tus-Checksum-Algorithm + - Upload-Concat + - Upload-Length + - Upload-Metadata + - Upload-Defer-Length + - Upload-Expires + - Upload-Checksum + - Upload-Offset + - X-HTTP-Method-Override + allow_credentials: false +asset: + core_path: /var/lib/opencloud/web/assets/core + themes_path: /var/lib/opencloud/web/assets/themes + apps_path: /var/lib/opencloud/web/assets/apps +file: "" +web: + theme_server: https://localhost:9200 + theme_path: /themes/opencloud/theme.json + config: + server: https://localhost:9200 + oidc: + metadata_url: https://localhost:9200/.well-known/openid-configuration + authority: https://localhost:9200 + client_id: web + response_type: code + scope: openid profile email + post_logout_redirect_uri: "" + apps: + - files + - search + - text-editor + - pdf-viewer + - external + - admin-settings + - epub-reader + - preview + - app-store + applications: [] + external_apps: [] + options: + accountEditLink: null + disableFeedbackLink: false + feedbackLink: null + runningOnEos: false + cernFeatures: false + openFilesInNewTab: false + upload: null + editor: null + contextHelpersReadMore: true + logoutUrl: "" + loginUrl: "" + tokenStorageLocal: true + disabledExtensions: [] + embed: + enabled: "" + target: "" + messagesOrigin: "" + delegateAuthentication: false + 
delegateAuthenticationOrigin: "" + userListRequiresFilter: false + concurrentRequests: + resourceBatchActions: 0 + sse: 0 + shares: + create: 0 + list: 0 + defaultAppId: "" + oxAppSuite: + enabled: false + apiUrl: "" + styles: [] + scripts: [] + custom_translations: [] +apps: {} +token_manager: + jwt_secret: "" +gateway_addr: eu.opencloud.api.gateway diff --git a/versioned_docs/version-7.x/_static/env-vars/web_configvars.md b/versioned_docs/version-7.x/_static/env-vars/web_configvars.md new file mode 100644 index 000000000..fa88fbbef --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/web_configvars.md @@ -0,0 +1,65 @@ + +2026-06-19-00-12-13 + +## Deprecation Notice + +| Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement | +|---|---|---|:---| +| WEB_OPTION_RUNNING_ON_EOS is deprecated and will be removed in a future release. | 6.2.0 | next-prod | | + +## Environment variables for the **web** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`WEB_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`WEB_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9104`| +|`WEB_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`WEB_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`WEB_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`WEB_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9100`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`WEB_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`WEB_CACHE_TTL`| 1.0.0 |int|`Cache policy in seconds for OpenCloud Web assets.`|`604800`| +|`OC_CORS_ALLOW_ORIGINS`
`WEB_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`WEB_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[OPTIONS HEAD GET PUT PATCH POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH]`| +|`OC_CORS_ALLOW_HEADERS`
`WEB_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEB_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS. See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`WEB_ASSET_CORE_PATH`| 1.0.0 |string|`Serve OpenCloud Web assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/core`|`/var/lib/opencloud/web/assets/core`| +|`OC_ASSET_THEMES_PATH`
`WEB_ASSET_THEMES_PATH`| 1.0.0 |string|`Serve OpenCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes`|`/var/lib/opencloud/web/assets/themes`| +|`WEB_ASSET_APPS_PATH`| 1.0.0 |string|`Serve OpenCloud Web apps assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/apps`|`/var/lib/opencloud/web/assets/apps`| +|`WEB_UI_CONFIG_FILE`| 1.0.0 |string|`Read the OpenCloud Web json based configuration from this path/file. The config file takes precedence over WEB_OPTION_xxx environment variables. See the text description for more details.`|``| +|`OC_URL`
`WEB_UI_THEME_SERVER`| 1.0.0 |string|`Base URL to load themes from. Will be prepended to the theme path.`|`https://localhost:9200`| +|`WEB_UI_THEME_PATH`| 1.0.0 |string|`Path to the theme json file. Will be appended to the URL of the theme server.`|`/themes/opencloud/theme.json`| +|`OC_URL`
`WEB_UI_CONFIG_SERVER`| 1.0.0 |string|`URL, where the OpenCloud APIs are reachable for OpenCloud Web.`|`https://localhost:9200`| +|`WEB_OIDC_METADATA_URL`| 1.0.0 |string|`URL for the OIDC well-known configuration endpoint. Defaults to the OpenCloud API URL + '/.well-known/openid-configuration'.`|`https://localhost:9200/.well-known/openid-configuration`| +|`OC_URL`
`OC_OIDC_ISSUER`
`WEB_OIDC_AUTHORITY`| 1.0.0 |string|`URL of the OIDC issuer. It defaults to URL of the builtin IDP.`|`https://localhost:9200`| +|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`| 1.0.0 |string|`The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP.`|`web`| +|`WEB_OIDC_RESPONSE_TYPE`| 1.0.0 |string|`The OIDC response type to use for authentication.`|`code`| +|`WEB_OIDC_SCOPE`| 1.0.0 |string|`OIDC scopes to request during authentication to authorize access to user details. Defaults to 'openid profile email'. Values are separated by blank. More example values but not limited to are 'address' or 'phone' etc.`|`openid profile email`| +|`WEB_OIDC_POST_LOGOUT_REDIRECT_URI`| 1.0.0 |string|`This value needs to point to a valid and reachable web page. The web client will trigger a redirect to that page directly after the logout action. The default value is empty and redirects to the login page.`|``| +|`WEB_UI_CORE_APPS`| next |[]string|`Allows to override the default list of core apps in OpenCloud Web.`|`[files search text-editor pdf-viewer external admin-settings epub-reader preview app-store]`| +|`WEB_OPTION_DISABLE_FEEDBACK_LINK`| 1.0.0 |bool|`Set this option to 'true' to disable the feedback link in the top bar. Keeping it enabled by setting the value to 'false' or with the absence of the option, allows OpenCloud to get feedback from your user base through a dedicated survey website.`|`false`| +|`WEB_OPTION_RUNNING_ON_EOS`| 1.0.0 |bool|`Set this option to 'true' if running on an EOS storage backend (\https://eos-web.web.cern.ch/eos-web/) to enable its specific features. Defaults to 'false'.`|`false`| +|`WEB_OPTION_OPEN_FILES_IN_NEW_TAB`| 5.3.0 |bool|`Set this option to 'true' to open files in a new browser tab instead of navigating in the same tab. 
Defaults to 'false'.`|`false`| +|`WEB_OPTION_CONTEXTHELPERS_READ_MORE`| 1.0.0 |bool|`Specifies whether the 'Read more' link should be displayed or not.`|`true`| +|`WEB_OPTION_LOGOUT_URL`| 1.0.0 |string|`Adds a link to the user's profile page to point him to an external page, where he can manage his session and devices. This is helpful when an external IdP is used. This option is disabled by default.`|``| +|`WEB_OPTION_LOGIN_URL`| 1.0.0 |string|`Specifies the target URL to the login page. This is helpful when an external IdP is used. This option is disabled by default. Example URL like: \https://www.myidp.com/login.`|``| +|`WEB_OPTION_TOKEN_STORAGE_LOCAL`| 1.0.0 |bool|`Specifies whether the access token will be stored in the local storage when set to 'true' or in the session storage when set to 'false'. If stored in the local storage, login state will be persisted across multiple browser tabs, means no additional logins are required.`|`true`| +|`WEB_OPTION_DISABLED_EXTENSIONS`| 1.0.0 |[]string|`A list to disable specific Web extensions identified by their ID. The ID can e.g. be taken from the 'index.ts' file of the web extension. Example: 'com.github.opencloud-eu.web.files.search,com.github.opencloud-eu.web.files.print'. See the Environment Variable Types description for more details.`|`[]`| +|`WEB_OPTION_EMBED_ENABLED`| 1.0.0 |string|`Defines whether Web should be running in 'embed' mode. Setting this to 'true' will enable a stripped down version of Web with reduced functionality used to integrate Web into other applications like via iFrame. Setting it to 'false' or not setting it (default) will run Web as usual with all functionality enabled. See the text description for more details.`|``| +|`WEB_OPTION_EMBED_TARGET`| 1.0.0 |string|`Defines how Web is being integrated when running in 'embed' mode. Currently, the only supported options are '' (empty) and 'location'. With '' which is the default, Web will run regular as defined via the 'embed.enabled' config option. 
With 'location', Web will run embedded as location picker. Resource selection will be disabled and the selected resources array always includes the current folder as the only item. See the text description for more details.`|``| +|`WEB_OPTION_EMBED_MESSAGES_ORIGIN`| 1.0.0 |string|`Defines a URL under which Web can be integrated via iFrame in 'embed' mode. Note that setting this is mandatory when running Web in 'embed' mode. Use '*' as value to allow running the iFrame under any URL, although this is not recommended for security reasons. See the text description for more details.`|``| +|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION`| 1.0.0 |bool|`Defines whether Web should require authentication to be done by the parent application when running in 'embed' mode. If set to 'true' Web will not try to authenticate the user on its own but will require an access token coming from the parent application. Defaults to being unset.`|`false`| +|`WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN`| 1.0.0 |string|`Defines the host to validate the message event origin against when running Web in 'embed' mode with delegated authentication. Defaults to event message origin validation being omitted, which is only recommended for development setups.`|``| +|`WEB_OPTION_USER_LIST_REQUIRES_FILTER`| 1.0.0 |bool|`Defines whether one or more filters must be set in order to list users in the Web admin settings. Set this option to 'true' if running in an environment with a lot of users and listing all users could slow down performance. Defaults to 'false'.`|`false`| +|`WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS`| 1.0.0 |int|`Defines the maximum number of concurrent requests per file/folder/space batch action. Defaults to 4.`|`0`| +|`WEB_OPTION_CONCURRENT_REQUESTS_SSE`| 1.0.0 |int|`Defines the maximum number of concurrent requests in SSE event handlers. 
Defaults to 4.`|`0`| +|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE`| 1.0.0 |int|`Defines the maximum number of concurrent requests per sharing invite batch. Defaults to 4.`|`0`| +|`WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST`| 1.0.0 |int|`Defines the maximum number of concurrent requests when loading individual share information inside listings. Defaults to 2.`|`0`| +|`WEB_OPTION_DEFAULT_APP_ID`| 4.0.0 |string|`Defines the entrypoint for the web ui.`|``| +|`WEB_OPTION_OX_APP_SUITE_ENABLED`| next |bool|`Enables the OX App Suite. Defaults to false.`|`false`| +|`WEB_OPTION_OX_APP_SUITE_API_URL`| next |string|`The API URL for the OX App Suite. Defaults to an empty string.`|``| +|`OC_JWT_SECRET`
`WEB_JWT_SECRET`| 1.0.0 |string|`The secret to mint and validate jwt tokens.`|``| +|`WEB_GATEWAY_GRPC_ADDR`| 1.0.0 |string|`The bind address of the GRPC service.`|`eu.opencloud.api.gateway`| diff --git a/versioned_docs/version-7.x/_static/env-vars/web_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/web_deprecation.md new file mode 100644 index 000000000..48f99f261 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/web_deprecation.md @@ -0,0 +1,4 @@ + +:::danger +web has deprecated environment variables. Please refer to the table below for more information. +::: \ No newline at end of file diff --git a/versioned_docs/version-7.x/_static/env-vars/web_readme.md b/versioned_docs/version-7.x/_static/env-vars/web_readme.md new file mode 100755 index 000000000..d06ee4a6f --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/web_readme.md 
@@ -0,0 +1,196 @@
+
+
+## Abstract
+
+
+The web service embeds and serves the static files for the [OpenCloud Web Client](https://github.com/opencloud-eu/web).
+Note that clients will respond with a connection error if the web service is not available.
+
+The web service also provides a minimal API for branding functionality like changing the logo shown.
+
+
+## Table of Contents
+
+* [Custom Compiled Web Assets](#custom-compiled-web-assets)
+* [Web UI Configuration](#web-ui-configuration)
+ * [Web UI Options](#web-ui-options)
+ * [Web UI Config File](#web-ui-config-file)
+ * [Embedding Web](#embedding-web)
+* [Web Apps](#web-apps)
+ * [Loading Themes](#loading-themes)
+ * [Loading Applications](#loading-applications)
+ * [Application Structure](#application-structure)
+ * [Application Configuration](#application-configuration)
+ * [Using Custom Assets](#using-custom-assets)
+* [Miscellaneous](#miscellaneous)
+
+## Custom Compiled Web Assets
+
+If you want to use your custom compiled web client assets instead of the embedded ones,
+then you can do that by setting the `WEB_ASSET_CORE_PATH` variable to point to your compiled files.
+See [OpenCloud Web / Getting Started](https://docs.opencloud.eu/clients/web/getting-started/) for more details.
+
+## Web UI Configuration
+
+* Single configuration settings of the embedded web UI can be defined via `WEB_OPTION_xxx` environment variables.
+* A json based configuration file can be used via the `WEB_UI_CONFIG_FILE` environment variable.
+* If a json based configuration file is used, these configurations take precedence over single options set.
+
+### Web UI Options
+
+Besides theming, the behavior of the web UI can be configured via options. See the environment variables `WEB_OPTION_xxx`
+for more details.
+
+### Web UI Config File
+
+When defined via the `WEB_UI_CONFIG_FILE` environment variable, the configuration of the web UI can be made
+with a [json based](https://github.com/opencloud-eu/web/tree/master/config) file.
+
+### Embedding Web
+
+Web can be consumed by another application in a stripped down version called “Embed mode”.
+This mode is supposed to be used in the context of selecting or sharing resources.
+
+For more details see the developer documentation [OpenCloud Web / Embed Mode](https://docs.opencloud.eu/docs/dev/web/embed-mode).
+See the environment variables: `WEB_OPTION_MODE` and `WEB_OPTION_EMBED_TARGET` to configure the embedded mode.
+
+## Web Apps
+
+The administrator of the environment is capable of providing custom web applications to the users.
+This feature is useful for organizations that want to provide third party or custom apps to their users.
+
+It's important to note that the feature at the moment is only capable of providing static (js, mjs, e.g.) web applications
+and does not support injection of dynamic web applications (custom dynamic backends).
+
+### Loading Themes
+
+Web themes are loaded, if added in the OpenCloud source code, at build-time from
+`/services/web/assets/themes`.
+This cannot be manipulated at runtime.
+
+Additionally, the administrator can provide custom themes by storing it in the path defined by the environment
+variable `WEB_ASSET_THEMES_PATH`.
+
+With the theme root directory defined, the system needs to know which theme to use.
+This can be done by setting the `WEB_UI_THEME_PATH` environment variable.
+
+The final theme is composed of the built-in and the custom theme provided by the
+administrator via `WEB_ASSET_THEMES_PATH` and `WEB_UI_THEME_PATH`.
+
+For example, OpenCloud by default contains a built-in OpenCloud theme.
+If the administrator provides a custom theme via the `WEB_ASSET_THEMES_PATH` directory like,
+`WEB_ASSET_THEMES_PATH/opencloud/themes.json`, this one will be used instead of the built-in one.
+
+Some theme keys are mandatory, like the `common.shareRoles` settings.
+Such mandatory keys are injected automatically at runtime if not provided.
+
+### Loading Applications
+
+Web applications are loaded, if added in the OpenCloud source code, at build-time from
+`/services/web/assets/apps`. This cannot be manipulated at runtime.
+
+Additionally, the administrator can provide custom applications by storing them in the path defined by the environment
+variable `WEB_ASSET_APPS_PATH`.
+
+This environment variable defaults to the OpenCloud base data directory `$OC_BASE_DATA_PATH/web/assets/apps`,
+but can be redefined with any path set manually.
+
+The final list of available applications is composed of the built-in and the custom applications provided by the
+administrator via `WEB_ASSET_APPS_PATH`.
+
+For example, if OpenCloud contains a built-in extension named `image-viewer-dfx` and the administrator provides a custom application named `image-viewer-obj` via the `WEB_ASSET_APPS_PATH` directory, the user will be able to access both
+applications from the WebUI.
+
+### Application Structure
+
+* Applications always have to follow a strict structure.\
+Everything else is skipped and not considered as an application.
+ * Each application must be in its own directory accessed via `WEB_ASSET_APPS_PATH`.
+ * Each application directory must contain a `manifest.json` file.
+ * Each application directory can contain a `config.json` file.
+
+* The `manifest.json` file contains the following fields:
+ * `entrypoint` - required\
+ The entrypoint of the application like `index.js`, the path is relative to the parent directory.
+ * `config` - optional\
+ A list of key-value pairs that are passed to the global web application configuration `apps.yaml`.
+
+### Application Configuration
+
+If a custom configuration is needed, the administrator must provide the required configuration inside the `$OC_BASE_DATA_PATH/config/apps.yaml` file.
+
+NOTE: An application manifest should _never_ be changed manually, see [Using Custom Assets](#using-custom-assets) for customisation.
+
+The `apps.yaml` file must contain a list of key-value pairs which gets merged with the `config` field. For example, if the `image-viewer-obj` application contains the following configuration:
+
+```json
+{
+ "entrypoint": "index.js",
+ "config": {
+ "maxWidth": 1280,
+ "maxHeight": 1280
+ }
+}
+```
+
+The `apps.yaml` file contains the following configuration:
+
+```yaml
+image-viewer-obj:
+ config:
+ maxHeight: 640
+ maxSize: 512
+```
+
+optional each application can have its own configuration file, which will be loaded by the WEB service.
+
+```json
+{
+ "config": {
+ "maxWidth": 320
+ }
+}
+```
+
+The Merge order is as follows: local.config overwrites > global.config overwrites > manifest.config.
+The result will be:
+
+```json
+{
+ "external_apps": [
+ {
+ "id": "image-viewer-obj",
+ "path": "index.js",
+ "config": {
+ "maxWidth": 320,
+ "maxHeight": 640,
+ "maxSize": 512
+ }
+ }
+ ]
+}
+```
+
+Besides the configuration from the `manifest.json` file,
+the `apps.yaml` or the `config.json` file can also contain the following fields:
+
+* `disabled` - optional\
+ Defaults to `false`. If set to `true`, the application will not be loaded.
+
+### Using Custom Assets
+
+Besides the configuration and application registration, in the process of loading the application assets, the system uses a mechanism to load custom assets.
+
+This is useful for cases where just a single asset should be overwritten, like a logo or similar.
+
+Consider the following: OpenCloud is shipped with a default web app named `image-viewer-dfx` which contains a logo,
+but the administrator wants to provide a custom logo for that application.
+
+This can be achieved using the path defined via `WEB_ASSET_APPS_PATH` and adding a custom structure like `WEB_ASSET_APPS_PATH/image-viewer-dfx/`. Here you can add all custom assets to load like `logo.png`. On loading the web app, custom assets defined overwrite default ones.
+ +This also applies for the `manifest.json` file, if the administrator wants to provide a custom one. + +## Miscellaneous + +Please note that OpenCloud, in particular the web service, needs a restart to load new applications or changes to the `apps.yaml` file. + diff --git a/versioned_docs/version-7.x/_static/env-vars/webdav.yaml b/versioned_docs/version-7.x/_static/env-vars/webdav.yaml new file mode 100644 index 000000000..1da16a7c4 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/webdav.yaml @@ -0,0 +1,40 @@ +# Autogenerated +# Filename: webdav.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9119 + token: "" + pprof: false + zpages: false +grpc_client_tls: null +http: + addr: 127.0.0.1:9115 + root: / + cors: + allow_origins: + - '*' + allow_methods: + - GET + - POST + - PUT + - PATCH + - DELETE + - OPTIONS + allow_headers: + - Authorization + - Origin + - Content-Type + - Accept + - X-Requested-With + - X-Request-Id + - Cache-Control + allow_credentials: true + tls: + enabled: false + cert: "" + key: "" +disablePreviews: false +opencloud_public_url: https://localhost:9200 +webdav_namespace: /users/{{.Id.OpaqueId}} +reva_gateway: eu.opencloud.api.gateway diff --git a/versioned_docs/version-7.x/_static/env-vars/webdav_configvars.md b/versioned_docs/version-7.x/_static/env-vars/webdav_configvars.md new file mode 100644 index 000000000..7e938636e --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/webdav_configvars.md @@ -0,0 +1,22 @@ +## Environment variables for the **webdav** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`WEBDAV_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`WEBDAV_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9119`| +|`WEBDAV_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`WEBDAV_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`WEBDAV_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`WEBDAV_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9115`| +|`WEBDAV_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`WEBDAV_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[*]`| +|`OC_CORS_ALLOW_METHODS`
`WEBDAV_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[GET POST PUT PATCH DELETE OPTIONS]`| +|`OC_CORS_ALLOW_HEADERS`
`WEBDAV_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Cache-Control]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEBDAV_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`true`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`OC_DISABLE_PREVIEWS`
`WEBDAV_DISABLE_PREVIEWS`| 1.0.0 |bool|`Set this option to 'true' to disable rendering of thumbnails triggered via webdav access. Note that when disabled, all access to preview related webdav paths will return a 404.`|`false`| +|`OC_URL`
`OC_PUBLIC_URL`| 1.0.0 |string|`URL, where OpenCloud is reachable for users.`|`https://localhost:9200`| +|`WEBDAV_WEBDAV_NAMESPACE`| 1.0.0 |string|`CS3 path layout to use when forwarding /webdav requests`|`/users/{{.Id.OpaqueId}}`| +|`OC_REVA_GATEWAY`| 1.0.0 |string|`CS3 gateway used to look up user metadata`|`eu.opencloud.api.gateway`| diff --git a/versioned_docs/version-7.x/_static/env-vars/webdav_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/webdav_deprecation.md new file mode 100644 index 000000000..e69de29bb diff --git a/versioned_docs/version-7.x/_static/env-vars/webdav_readme.md b/versioned_docs/version-7.x/_static/env-vars/webdav_readme.md new file mode 100755 index 000000000..58bd0d4d3 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/webdav_readme.md 
@@ -0,0 +1,35 @@
+
+
+## Abstract
+
+
+The webdav service, like the [frontend](../frontend) service, provides a HTTP API following the webdav protocol. It receives HTTP calls from requestors like clients and issues gRPC calls to other services executing these requests. After the called service has finished the request, the webdav service will render their responses in `xml` and sends them back to the requestor.
+
+
+## Table of Contents
+
+* [Endpoints Overview](#endpoints-overview)
+ * [Thumbnails](#thumbnails)
+ * [Search](#search)
+* [Scalability](#scalability)
+
+## Endpoints Overview
+
+Currently, the webdav service handles request for two functionalities, which are `Thumbnails` and `Search`.
+
+### Thumbnails
+
+The webdav service provides various `GET` endpoints to get the thumbnails of a file in authenticated and unauthenticated contexts. It also provides thumbnails for spaces on different endpoints.
+
+See the [thumbnail](https://github.com/opencloud-eu/opencloud/tree/main/services/thumbnails) service for more information about thumbnails.
+
+### Search
+
+The webdav service provides access to the search functionality. It offers multiple `REPORT` endpoints for getting search results.
+
+See the [search](https://github.com/opencloud-eu/opencloud/tree/main/services/search) service for more details about search functionality.
+
+## Scalability
+
+The webdav service does not persist any data and does not cache any information. Therefore multiple instances of this service can be spawned in a bigger deployment like when using container orchestration with Kubernetes, without any extra configuration.
+
diff --git a/versioned_docs/version-7.x/_static/env-vars/webfinger.yaml b/versioned_docs/version-7.x/_static/env-vars/webfinger.yaml
new file mode 100644
index 000000000..afe7108c4
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/webfinger.yaml
@@ -0,0 +1,58 @@ +# Autogenerated +# Filename: webfinger.yaml + +loglevel: error +debug: + addr: 127.0.0.1:9279 + token: "" + pprof: false + zpages: false +http: + addr: 127.0.0.1:9275 + root: / + cors: + allow_origins: + - https://localhost:9200 + allow_methods: [] + allow_headers: [] + allow_credentials: false + tls: + enabled: false + cert: "" + key: "" +instances: +- claim: sub + regex: .+ + href: '{{.OC_URL}}' + titles: + en: OpenCloud Instance + break: false +relations: +- http://openid.net/specs/connect/1.0/issuer +- http://webfinger.opencloud/rel/server-instance +idp: https://localhost:9200 +android_client_id: OpenCloudAndroid +android_client_scopes: +- openid +- profile +- email +- offline_access +desktop_client_id: OpenCloudDesktop +desktop_client_scopes: +- openid +- profile +- email +- offline_access +ios_client_id: OpenCloudIOS +ios_client_scopes: +- openid +- profile +- email +- offline_access +web_client_id: web +web_client_scopes: +- openid +- profile +- email +opencloud_url: https://localhost:9200 +insecure: false diff --git a/versioned_docs/version-7.x/_static/env-vars/webfinger_configvars.md b/versioned_docs/version-7.x/_static/env-vars/webfinger_configvars.md new file mode 100644 index 000000000..3f51e38e0 --- /dev/null +++ b/versioned_docs/version-7.x/_static/env-vars/webfinger_configvars.md @@ -0,0 +1,30 @@ +## Environment variables for the **webfinger** service + +| Name | Introduction Version | Type | Description | Default Value | +|---|---|---|---|:---| +|`OC_LOG_LEVEL`
`WEBFINGER_LOG_LEVEL`| 1.0.0 |string|`The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.`|`error`| +|`WEBFINGER_DEBUG_ADDR`| 1.0.0 |string|`Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.`|`127.0.0.1:9279`| +|`WEBFINGER_DEBUG_TOKEN`| 1.0.0 |string|`Token to secure the metrics endpoint.`|``| +|`WEBFINGER_DEBUG_PPROF`| 1.0.0 |bool|`Enables pprof, which can be used for profiling.`|`false`| +|`WEBFINGER_DEBUG_ZPAGES`| 1.0.0 |bool|`Enables zpages, which can be used for collecting and viewing in-memory traces.`|`false`| +|`WEBFINGER_HTTP_ADDR`| 1.0.0 |string|`The bind address of the HTTP service.`|`127.0.0.1:9275`| +|`WEBFINGER_HTTP_ROOT`| 1.0.0 |string|`Subdirectory that serves as the root for this HTTP service.`|`/`| +|`OC_CORS_ALLOW_ORIGINS`
`WEBFINGER_CORS_ALLOW_ORIGINS`| 1.0.0 |[]string|`A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.`|`[https://localhost:9200]`| +|`OC_CORS_ALLOW_METHODS`
`WEBFINGER_CORS_ALLOW_METHODS`| 1.0.0 |[]string|`A list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_HEADERS`
`WEBFINGER_CORS_ALLOW_HEADERS`| 1.0.0 |[]string|`A list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.`|`[]`| +|`OC_CORS_ALLOW_CREDENTIALS`
`WEBFINGER_CORS_ALLOW_CREDENTIALS`| 1.0.0 |bool|`Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.`|`false`| +|`OC_HTTP_TLS_ENABLED`| 1.0.0 |bool|`Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.`|`false`| +|`OC_HTTP_TLS_CERTIFICATE`| 1.0.0 |string|`Path/File name of the TLS server certificate (in PEM format) for the http services.`|``| +|`OC_HTTP_TLS_KEY`| 1.0.0 |string|`Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.`|``| +|`WEBFINGER_RELATIONS`| 1.0.0 |[]string|`A list of relation URIs or registered relation types to add to webfinger responses. See the Environment Variable Types description for more details.`|`[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]`| +|`OC_URL`
`OC_OIDC_ISSUER`
`WEBFINGER_OIDC_ISSUER`| 1.0.0 |string|`The identity provider href for the openid-discovery relation.`|`https://localhost:9200`| +|`OC_OIDC_CLIENT_ID`
`WEBFINGER_ANDROID_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for Android app.`|`OpenCloudAndroid`| +|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_ANDROID_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the Android app should request.`|`[openid profile email offline_access]`| +|`OC_OIDC_CLIENT_ID`
`WEBFINGER_DESKTOP_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud desktop application.`|`OpenCloudDesktop`| +|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_DESKTOP_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud desktop application should request.`|`[openid profile email offline_access]`| +|`OC_OIDC_CLIENT_ID`
`WEBFINGER_IOS_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the IOS app.`|`OpenCloudIOS`| +|`OC_OIDC_CLIENT_SCOPES`
`WEBFINGER_IOS_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the IOS app should request.`|`[openid profile email offline_access]`| +|`OC_OIDC_CLIENT_ID`
`WEB_OIDC_CLIENT_ID`
`WEBFINGER_WEB_OIDC_CLIENT_ID`| 6.0.0 |string|`The OIDC client ID for the OpenCloud web client. The 'WEB_OIDC_CLIENT_ID' setting is only here for backwards compatibility and will be removed in a future release.`|`web`| +|`OC_OIDC_CLIENT_SCOPES`
`WEB_OIDC_SCOPE`
`WEBFINGER_WEB_OIDC_CLIENT_SCOPES`| 6.0.0 |[]string|`The OIDC client scopes the OpenCloud web client should request. The 'WEB_OIDC_SCOPE' setting is only here for backwards compatibility and will be removed in a future release.`|`[openid profile email]`| +|`OC_URL`
`WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL`| 1.0.0 |string|`The URL for the legacy OpenCloud server instance relation (not to be confused with the product OpenCloud Server). It defaults to the OC_URL but can be overridden to support some reverse proxy corner cases. To shard the deployment, multiple instances can be configured in the configuration file.`|`https://localhost:9200`| +|`OC_INSECURE`
`WEBFINGER_INSECURE`| 1.0.0 |bool|`Allow insecure connections to the WEBFINGER service.`|`false`|
diff --git a/versioned_docs/version-7.x/_static/env-vars/webfinger_deprecation.md b/versioned_docs/version-7.x/_static/env-vars/webfinger_deprecation.md
new file mode 100644
index 000000000..e69de29bb
diff --git a/versioned_docs/version-7.x/_static/env-vars/webfinger_readme.md b/versioned_docs/version-7.x/_static/env-vars/webfinger_readme.md
new file mode 100755
index 000000000..424ec264b
--- /dev/null
+++ b/versioned_docs/version-7.x/_static/env-vars/webfinger_readme.md
@@ -0,0 +1,139 @@
+
+
+## Abstract
+
+
+The webfinger service provides an RFC7033 WebFinger lookup of OpenCloud resources, relevant for a given user account at the /.well-known/webfinger enpoint.
+
+1. An [OpenID Connect Discovery](#openid-connect-discovery) for the IdP, based on the OpenCloud URL.
+2. An [Authenticated Instance Discovery](#authenticated-instance-discovery), based on the user account.
+
+These two request are only needed for discovery.
+
+
+## Table of Contents
+
+* [OpenID Connect Discovery](#openid-connect-discovery)
+* [Authenticated Instance Discovery](#authenticated-instance-discovery)
+* [Configure Different Instances Based on OpenidConnect UserInfo Claims](#configure-different-instances-based-on-openidconnect-userinfo-claims)
+
+## OpenID Connect Discovery
+
+Clients can make an unauthenticated `GET https://drive.opencloud.test/.well-known/webfinger?resource=https%3A%2F%2Fdrive.opencloud.test` request to discover the OpenID Connect Issuer in the `http://openid.net/specs/connect/1.0/issuer` relation:
+
+```json
+{
+ "subject": "https://drive.opencloud.test",
+ "links": [
+ {
+ "rel": "http://openid.net/specs/connect/1.0/issuer",
+ "href": "https://sso.example.org/cas/oidc/"
+ }
+ ]
+}
+```
+
+Here, the `resource` takes the instance domain URI, but an `acct:` URI works as well.
+
+## Authenticated Instance Discovery
+
+When using OpenID connect to authenticate requests, clients can look up the opencloud instances a user has access to.
+
+* Authentication is necessary to prevent leaking information about existing users.
+* Basic auth is not supported.
+
+The default configuration will simply return the `OC_URL` and direct clients to that domain:
+
+```json
+{
+ "subject": "acct:alan@drive.opencloud.test",
+ "links": [
+ {
+ "rel": "http://openid.net/specs/connect/1.0/issuer",
+ "href": "https://sso.example.org/cas/oidc/"
+ },
+ {
+ "rel": "http://webfinger.opencloud/rel/server-instance",
+ "href": "https://abc.drive.example.org",
+ "titles": {
+ "en": "OpenCloud Instance"
+ }
+ }
+ ]
+}
+```
+
+## Configure Different Instances Based on OpenidConnect UserInfo Claims
+
+A more complex example for configuring different instances could look like this:
+
+```yaml
+webfinger:
+ instances:
+ - claim: email
+ regex: alan@example\.org
+ href: "https://{{.preferred_username}}.cloud.opencloud.test"
+ title:
+ "en": "OpenCloud Instance for Alan"
+ "de": "OpenCloud Instanz für Alan"
+ break: true
+ - claim: "email"
+ regex: mary@example\.org
+ href: "https://{{.preferred_username}}.cloud.opencloud.test"
+ title:
+ "en": "OpenCloud Instance for Mary"
+ "de": "OpenCloud Instanz für Mary"
+ break: false
+ - claim: "email"
+ regex: .+@example\.org
+ href: "https://example-org.cloud.opencloud.test"
+ title:
+ "en": "OpenCloud Instance for example.org"
+ "de": "OpenCloud Instanz für example.org"
+ break: true
+ - claim: "email"
+ regex: .+@example\.com
+ href: "https://example-com.cloud.opencloud.test"
+ title:
+ "en": "OpenCloud Instance for example.com"
+ "de": "OpenCloud Instanz für example.com"
+ break: true
+ - claim: "email"
+ regex: .+@.+\..+
+ href: "https://cloud.opencloud.test"
+ title:
+ "en": "OpenCloud Instance"
+ "de": "OpenCloud Instanz"
+ break: true
+```
+
+Now, an authenticated webfinger request for `acct:me@example.org` (when logged in as mary) would return two instances, based on her `email` claim, the regex matches and break flags:
+
+```json
+{
+ "subject": "acct:mary@example.org",
+ "links": [
+ {
+ "rel": "http://openid.net/specs/connect/1.0/issuer",
+ "href": "https://sso.example.org/cas/oidc/"
+ },
+ {
+ "rel": "http://webfinger.opencloud/rel/server-instance",
+ "href": "https://mary.cloud.opencloud.test",
+ "titles": {
+ "en": "OpenCloud Instance for Mary",
+ "de": "OpenCloud Instanz für Mary"
+ }
+ },
+ {
+ "rel": "http://webfinger.opencloud/rel/server-instance",
+ "href": "https://xyz.drive.example.org",
+ "titles": {
+ "en": "OpenCloud Instance for example.org",
+ "de": "OpenCloud Instanz für example.org"
+ }
+ }
+ ]
+}
+```
+
diff --git a/versioned_docs/version-7.x/admin/configuration/_category_.json b/versioned_docs/version-7.x/admin/configuration/_category_.json
new file mode 100644
index 000000000..1369e1162
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Configuration",
+ "position": 5
+}
diff --git a/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/_category_.json b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/_category_.json
new file mode 100644
index 000000000..ea73b4218
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Authentication and Identity Management",
+ "position": 10
+}
diff --git a/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/external-idp.md b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/external-idp.md
new file mode 100644
index 000000000..b167652b6
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/external-idp.md
@@ -0,0 +1,197 @@
+---
+sidebar_position: 1
+id: external-idp
+title: External OpenID Connect Identity Provider
+description: Integrating external OpenID Connect Identity Providers
+draft: false
+---
+
+# Integrating external OpenID Connect Identity Providers
+
+## Requirements
+
+OpenCloud is able to integrate with external OpenID Connect Identity Providers
+(IDP). However the implementation is currently somewhat opinionated and has
+certain requirements on the IDP. The project is working on loosening some
+of the requirements in order to allow OpenCloud to work with a broader range of
+identity providers.
+
+This is the list of minimal requirements that an IDP needs to fulfill in order
+to work with OpenCloud:
+
+- All clients provided by OpenCloud ([Web](https://github.com/opencloud-eu/web/),
+ [Desktop](https://github.com/opencloud-eu/desktop/), [Android](https://github.com/opencloud-eu/android/)
+ and [iOS](https://github.com/opencloud-eu/ios/)), are implemented as public clients using the
+ authorization code flow with PKCE. Therefore the IDP needs to support this flow.
+- All clients, except the Web client, use predefined client IDs. Therefore the IDP needs to
+ be able to create clients with predefined IDs.
+- All clients, except the Web client, use a hardcoded list of scopes they request from the IDP.
+ As certain features of OpenCloud (especially the automatic role assignment) rely on specific claims
+ being present in the access token or the UserInfo response, the IDP needs to be able to provide
+ additional claims in the Tokens even if the client does not explicitly request them via scopes.
+
+## OpenCloud Configuration
+
+The following environment variables are relevant when connecting OpenCloud to
+an external IDP. An example configuration for Keycloak is provided the
+[Keycloak integration](./keycloak.md) documentation.
+
+- `OC_OIDC_ISSUER`: Set this to the issuer URL of the external Identity Provider
+- `OC_EXCLUDE_RUN_SERVICES`: When using and external IDP the built-in Identity Provider
+ does not need to run. So add `idp` here to prevent the internal `idp` service from
+ starting.
+- `PROXY_OIDC_REWRITE_WELLKNOWN`: Set this to `true` to expose the Identity
+ Provider's `.well-known/openid-configuration` endpoint via the OpenCloud base
+ urls. This helps the oidc clients, that do not yet support discovery via
+ webfinger to locate the Identity Provider's configuration.
+- `PROXY_USER_OIDC_CLAIM` and `PROXY_USER_CS3_CLAIM`: These two variables
+ configure how the users mapped between the Identity Provider and OpenCloud.
+ `PROXY_USER_OIDC_CLAIM` defines the OIDC claim that OpenCloud uses to
+ uniquely identify a user. It is matched against the OpenCloud user attribute
+ defined in `PROXY_USER_CS3_CLAIM`. E.g. if `PROXY_USER_OIDC_CLAIM` is set to
+ `preferred_username` and `PROXY_USER_CS3_CLAIM` is set to `username` then an
+ OpenID Connect user, that has the `preferred_username` set to `alan` will map
+ to the OpenCloud user with username `alan`.
+- `PROXY_AUTOPROVISION_ACCOUNTS` and `GRAPH_USERNAME_MATCH`: When
+ `PROXY_AUTOPROVISION_ACCOUNTS` is set to `true`, OpenCloud will create a new
+ user account in the LDAP Database for every user who logs in via OpenID
+ Connect for the first time. Enabling this requires access to a writable LDAP
+ server. For smaller setups this can be the built-in LDAP server provided by
+ the `idm` service. If set to `false` all users logging in must already be
+ existing in the LDAP server. (The mapping between the OIDC and LDAP users
+ happens based on the aforementioned `PROXY_USER_OIDC_CLAIM` and
+ `PROXY_USER_CS3_CLAIM` settings. Set `GRAPH_USERNAME_MATCH` to `none` when
+ `PROXY_AUTOPROVISION_ACCOUNTS` is set to `true` to disable OpenCloud's
+ default restrictions on allowed characters in usernames.
+- `PROXY_ROLE_ASSIGNMENT_DRIVER` and `GRAPH_ASSIGN_DEFAULT_USER_ROLE`: For
+ details see below
+
+### Automatic Role Assignments
+
+:::note
+As the OpenCloud clients currently only request a hardcoded list of `scopes`,
+the automatic role-assignment currently requires the IDP to be able to provide
+additional claims in the Access Token and the UserInfo endpoint independent of
+the requested `scopes`. If your IDP does not support this, automatic role
+assignment will not work.
+:::
+
+When users login into OpenCloud, they get a user role assigned
+automatically. The automatic role assignment can be configured in different
+ways. The `PROXY_ROLE_ASSIGNMENT_DRIVER` environment variable (or the `driver`
+setting in the `role_assignment` section of the configuration file) select which
+mechanism to use for the automatic role assignment.
+
+When set to `default`, all users which do not have a role assigned at the time
+of first login will get the role 'user' assigned. This is also the
+default behavior if `PROXY_ROLE_ASSIGNMENT_DRIVER` is unset.
+
+When `PROXY_ROLE_ASSIGNMENT_DRIVER` is set to `oidc` the role assignment for a
+user will happen based on the values of an OpenID Connect Claim of that user.
+The name of the OpenID Connect Claim to be used for the role assignment can be
+configured via the `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM` environment variable. It
+is also possible to define a mapping of claim values to role names defined in
+OpenCloud via a `yaml` configuration. See the following `proxy.yaml` snippet
+for an example.
+
+```yaml
+role_assignment:
+ driver: oidc
+ oidc_role_mapper:
+ role_claim: opencloudRoles
+ role_mapping:
+ - role_name: admin
+ claim_value: myAdminRole
+ - role_name: spaceadmin
+ claim_value: mySpaceAdminRole
+ - role_name: user
+ claim_value: myUserRole
+ - role_name: user-light
+ claim_value: myGuestRole
+```
+
+This would assign the role `admin` to users with the value `myAdminRole` in the claim `opencloudRoles`.
+The role `user` to users with the values `myUserRole` in the claims `opencloudRoles` and so on.
+
+Claim values that are not mapped to a specific OpenCloud role will be ignored.
+
+Note: An OpenCloud user can only have a single role assigned. If the configured
+`role_mapping` and a user's claim values result in multiple possible roles for a user, the order in
+which the role mappings are defined in the configuration is important. The first role in the
+`role_mappings` where the `claim_value` matches a value from the user's roles claim will be assigned
+to the user. So if e.g. a user's `opencloudRoles` claim has the values `myUserRole` and
+`mySpaceAdminRole` that user will get the OpenCloud role `spaceadmin` assigned (because `spaceadmin`
+appears before `user` in the above sample configuration).
+
+If a user's claim values don't match any of the configured role mappings an error will be logged and
+the user will not be able to login.
+
+The default `role_claim` (or `PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM`) is `roles`. The default `role_mapping` is:
+
+```yaml
+- role_name: admin
+ claim_value: opencloudAdmin
+- role_name: spaceadmin
+ claim_value: opencloudSpaceAdmin
+- role_name: user
+ claim_value: opencloudUser
+- role_name: user-light
+ claim_value: opencloudGuest
+```
+
+:::note
+When `PROXY_ROLE_ASSIGNMENT_DRIVER` is set to `oidc` it is recommended to set `GRAPH_ASSIGN_DEFAULT_USER_ROLE` to `false`.
+:::
+
+## Client Configuration
+
+OpenCloud requires several OIDC clients to be configured in the Identity Provider.
+
+### Web Client
+
+The web client is used for browser-based access to OpenCloud:
+
+- Client ID: `web`
+- Client Type: Public client
+- Redirect URIs:
+ - `https://your-domain.example.com/`
+ - `https://your-domain.example.com/oidc-callback.html`
+ - `https://your-domain.example.com/oidc-silent-redirect.html`
+- Post Logout Redirect URIs:
+ - `https://your-domain.example.com/`
+
+### Desktop Client
+
+The desktop client is used for the OpenCloud desktop application:
+
+- Client ID: `OpenCloudDesktop`
+- Client Type: Public client
+- Redirect URIs:
+ - `http://127.0.0.1`
+ - `http://localhost`
+
+### Mobile App Clients
+
+#### Android App
+
+- Client ID: `OpenCloudAndroid`
+- Client Type: Public client
+- Redirect URIs: `oc://android.opencloud.eu`
+- Post Logout Redirect URIs: `oc://android.opencloud.eu`
+
+#### iOS App
+
+- Client ID: `OpenCloudIOS`
+- Client Type: Public client
+- Redirect URIs: `oc://ios.opencloud.eu`
+- Post Logout Redirect URIs: `oc://ios.opencloud.eu`
+
+### Additional Clients
+
+#### Cyberduck File Transfer Client
+
+- Client ID: `Cyberduck`
+- Client Type: Public client
+- Redirect URIs:
+ - `x-cyberduck-action:oauth`
+ - `x-mountainduck-action:oauth`
diff --git a/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/index.md b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/index.md
new file mode 100644
index 000000000..b60a155d1
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/index.md
@@ -0,0 +1,64 @@
+---
+title: 'Internal and External IDP'
+---
+
+# Internal and External IDP
+
+OpenCloud offers two ways to handle user authentication and identity management:
+
+1. **Internal IDP**:
+ - Built into OpenCloud
+ - Targeted at smaller installations (up to 500 users)
+ - Designed for standalone or small deployments
+
+2. **External IDP**:
+ - Keycloak as the recommended OIDC provider for larger installations
+ - Support for Azure AD, EntraID, ADFS through Keycloak
+ - Enterprise-focused solution
+
+## Your Use Cases
+
+### Choose the internal IDP if you need
+
+- A simple, lightweight and minimal OpenID Connect Provider
+- Small to medium deployments
+- Minimal resource footprint
+- Quick setup with basic features
+- Ideal for development environment
+- No Multifactor Authentication (MFA) and no migration path to other IDPs
+
+### Choose Keycloak if you need
+
+- Enterprise-grade IAM solution
+- Complex authorization requirements
+- Multifactor Authentication
+- Advanced user federation
+- Fine-grained permissions
+- Multiple authentication methods
+- Large-scale deployments
+- Commercial support options
+
+### Bottom Line
+
+Keycloak is a comprehensive, enterprise-ready IAM platform with extensive features including SSO, user federation, and support for multiple protocols like OpenID Connect, OAuth 2.0, and SAML. It offers more features but requires more resources and expertise, which makes it a better fit for larger or more complex environments.
+
+## Authentication with Keycloak
+
+For production environments, we recommend using Keycloak with LDAP integration. This setup provides a robust authentication system that can scale to enterprise needs.
+
+OpenCloud now supports two authentication modes when using Keycloak with LDAP:
+
+### Shared User Directory Mode
+
+In this mode, LDAP serves as a central user directory for both Keycloak and OpenCloud.
+This setup is suitable for scenarios where the LDAP server is not under the control of the OpenCloud admin and can be connected to KeyCloak and OpenCloud using standard attributes and a read-only bind user.
+
+For detailed configuration and setup instructions, see the [Keycloak Shared User Directory](./keycloak#shared-user-directory-mode) guide.
+
+### Autoprovisioning Mode
+
+In this mode, Keycloak is holding all users and OpenCloud autoprovisions new users during first login.
+This mode is suitable in scenarios where the OpenIDConnect provider is external and not under control of the OpenCloud admin. To mitigate that lack of control, OpenCloud will use an LDAP server which is fully under the control of the OpenCloud admin to store the users and groups and additional attributes.
+OpenCloud can disable users for login to actively prevent unwanted access to the system when the workflow with the external Identity Provider is slow or indirect. In this case, the LDAP server needs an OpenCloud Schema and write access for the LDAP bind user.
+
+For detailed configuration and setup instructions, see the [Keycloak with Autoprovisioning](./keycloak#autoprovisioning-mode) guide.
diff --git a/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/keycloak-user.md b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/keycloak-user.md
new file mode 100644
index 000000000..1e265dba6
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/keycloak-user.md
@@ -0,0 +1,106 @@
+---
+sidebar_position: 4
+id: keycloak-user
+title: Adding user with Keycloak
+description: Adding user with Keycloak
+draft: false
+---
+
+# Creating New Users in Keycloak for OpenCloud
+
+This guide explains how to create new users in Keycloak for OpenCloud, including "User Light" without personal spaces. While OpenCloud currently does not have a built-in "invite external user" feature, this functionality can be replicated using Keycloak.
+
+## Background
+
+One of the most frequently requested features by administrators has been support for guest or external users. Previously, this was discussed as adding external users during the sharing process. These users were provisioned on the fly and received an invite link.
+
+Although OpenCloud does not natively support this method, similar functionality can be achieved using Keycloak for user management.
+
+## Assign Admin Permissions in Keycloak
+
+To manage users and groups for OpenCloud, you need a user with administrative privileges in the Keycloak realm.
+
+- Log in to Keycloak as an admin.
+- Navigate to the OpenCloud realm
+- Assign appropriate roles (such as `manage-user` and `view-users`) to the user you want to promote.
+
+Example: A user named `dennis` is assigned as a Realm Admin.
+
+Add admin roles to user
+
+Once assigned, the user can log in as a Realm Administrator and access user and group management.
+
+## Add New User with standard rights (no Space)
+
+With admin permissions, you can now create users and groups:
+
+- Login in Keycloak OpenCloud Realm with the user who has admin rights under `https://keycloak.YOUR.DOMAIN/admin/openCloud/console/#/openCloud`
+
+- Navigate to the "Users" section in the Keycloak Admin Console
+
+- Click Add User
+ Add user
+
+- Fill in the required user details (e.g., username, email)
+ Fill out user information
+
+- Optionally assign the user to one or more groups.
+
+- Click on "Create"
+
+- Set an inital password
+
+Set initial user password
+
+:::note
+In the opencloud-compose setup, the default user role is `OpenCloudGuest`.
+This means new users will not receive a personal space by default.
+You can change the default role in "Realm Settings" under "User Registration" in the Keycloak admin console.
+
+## First Login Experience for the "User Light"
+
+When a "User Light" logs in for the first time, they will:
+
+- Be prompted to change their password
+- Update their profile (name, email, etc.)
+- Verify their email address
+
+if this was set before.
+
+After successful login, they will not receive a personal space — fulfilling the guest user requirement.
+
+Guest login
+
+## Optional: Enable Self Registration
+
+You can allow users to register themselves without manual creation.
+
+To enable self-registration:
+
+- Log in to Keycloak as an admin.
+- Go to the Login settings in the OpenCloud realm.
+- Enable the User Registration option.
+
+Enable self registration
+
+### Self Registration Flow
+
+- Users see a Register option on the login screen.
+
+Register Button
+
+- They complete the registration form.
+
+Fill out the registration form
+
+After loggin in, the user has now the "User Light" Role with no personal Space.
+
+## Summary
+
+By leveraging Keycloak:
+
+- You can create and manage guest users for OpenCloud.
+- Guest users can log in without receiving a personal space.
+- You can streamline the process with self-registration.
+
+This setup provides a flexible and scalable way to manage external and lightweight users in OpenCloud through Keycloak.
diff --git a/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/keycloak.md b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/keycloak.md
new file mode 100644
index 000000000..a56b2ebcb
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/authentication-and-user-management/keycloak.md
@@ -0,0 +1,338 @@ +--- +sidebar_position: 3 +id: keycloak +title: Keycloak Integration +description: Keycloak Integration +draft: false +--- + +# Keycloak Integration + +OpenCloud supports using Keycloak as an external identity provider, providing enterprise-grade identity management capabilities. This guide explains how to set up and configure Keycloak with OpenCloud. +This guide is divided into three main sections: + +- [Keycloak Integration Overview](#opencloud-configuration-for-keycloak-general): A brief overview of the integration process. +- [Shared User Directory Mode](#configuration-for-shared-directory-mode): Keycloak and OpenCloud share a common LDAP directory for user management. +- [Autoprovisioning Mode](#configuration-for-autoprovisioning-mode): OpenCloud autoprovisions users in a separate LDAP directory managed by OpenCloud. + +## OpenCloud Configuration for Keycloak (General) + +When using Keycloak as the identity provider, you need to understand the general configuration settings if you want to configure your custom integration. + +You can also use one of our predefined Docker Compose setups, which are located in the `opencloud-compose` repository. These setups include all necessary configurations for Keycloak and OpenLDAP. 
+ +### Server Configuration + +```env +PROXY_AUTOPROVISION_ACCOUNTS=true|false # that depends on your setup +PROXY_ROLE_ASSIGNMENT_DRIVER=oidc +OC_OIDC_ISSUER=https://your-domain.example.com/realms/openCloud +WEB_OPTION_ACCOUNT_EDIT_LINK_HREF=https://your-domain.example.com/realms/openCloud/account +PROXY_OIDC_REWRITE_WELLKNOWN=true +PROXY_USER_OIDC_CLAIM=preferred_username|sub|uuid # this depends on your setup +# admin and demo accounts must be created in Keycloak +OC_ADMIN_USER_ID: "" +SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: "false" +GRAPH_ASSIGN_DEFAULT_USER_ROLE: "false" +GRAPH_USERNAME_MATCH=none +OC_EXCLUDE_RUN_SERVICES=idp,idm # it is not supported to run keycloak with the built-in idm +``` + +Look [OpenCloud external IDP configuration](./external-idp#opencloud-configuration) for some more details about these settings. + +### Client Configuration + +The [OIDC clients](./external-idp#client-configuration) required by OpenCloud are pre-configured in the Docker Compose setup and match the clients used by the built-in IdP. + +### Manual Client Configuration + +If you need to manually configure the clients in Keycloak: + +1. Log in to the Keycloak admin console +2. Select the OpenCloud realm +3. Navigate to Clients and click Create +4. Configure each client according to the specifications above +5. Ensure all clients have the appropriate scopes: + - web-origins + - profile + - roles + - groups + - basic + - email + +### Advanced Configuration + +#### Backchannel Logout + +OpenCloud supports Keycloak's backchannel logout feature, which allows Keycloak to notify OpenCloud when a user logs out. This ensures that all sessions are properly terminated: + +- Backchannel Logout URL: `https://your-domain.example.com/backchannel_logout` +- Backchannel Logout Session Required: `true` + +## Shared User Directory Mode + +```mermaid +graph TD + subgraph opencloud["OpenCloud Deployment"] + OpenCloud["OpenCloud Server"] + Keycloak("Keycloak
(OIDC Provider)") + end + subgraph existing["Existing Infrastructure"] + LDAP[("LDAP Server
(Shared User Directory)")] + end + + OpenCloud -->|"User and Groups are looked up for sharing"| LDAP + OpenCloud -->|"Reads Roles from claims"| Keycloak + Keycloak -->|"Verify credentials"| LDAP + LDAP -->|"Import Users and Groups"| Keycloak + + classDef service fill:#3498db,stroke:#2c3e50,stroke-width:2px,rx:10px,ry:10px; + classDef storage fill:#2ecc71,stroke:#27ae60,stroke-width:2px,rx:10px,ry:10px; + classDef readonly fill:#87CEFA,stroke:#4682B4,stroke-width:3px,rx:10px,ry:10px; + classDef general stroke-width:2px,rx:10px,ry:10px; + + class OpenCloud,Keycloak service; + class LDAP storage; + class existing,directory readonly; + class opencloud general; +``` + +In this mode, a readable LDAP Directory with existing users serves as a central user directory for both Keycloak and OpenCloud. + +Key characteristics: + +- LDAP is the source of truth for user information +- The LDAP server uses standard attributes (uid, cn, sn, givenName, mail) +- A common unique identifier (e.g. `entryUUID` or `objectGUID`) guarantees stable user mapping even if users are changing +- Both Keycloak and OpenCloud read user data directly from LDAP +- User accounts must exist in LDAP before they can log in or receive shares +- LDAP is configured as read-only for OpenCloud +- OpenCloud can create custom groups only if a subtree of the read-only LDAP can be writable + +### LDAP Assumptions for Shared Directory Mode + +OpenCloud can work with any LDAP schema containing standard attributes: + +- User attributes: `uid`, `cn`, `sn`, `givenName`, `mail` +- Groups are stored in a dedicated organizational unit +- Default configuration sets LDAP as read-only + +Example LDAP Structure: + +```bash +dc=example,dc=org # Base DN +├── ou=users # User organizational unit +│ ├── uid=user1 # User entries +│ └── uid=user2 +└── ou=groups # Group organizational unit + ├── cn=admins # Group entries + ├── cn=users + └── ou=custom (optional) # Optional custom groups tree, writable by OpenCloud + ├── cn=teamA # 
Custom Group entries + └── cn=teamB +``` + +:::tip + +It is possible to use a writable subtree of the LDAP server for custom groups. This is useful if you want to create groups in OpenCloud that are not managed by Keycloak. + +This feature is optional and can be disabled by setting `GRAPH_LDAP_GROUP_CREATE_BASE_DN` to an empty string. + +::: + +### Configuration for Shared Directory Mode + +Keycloak and OpenCloud can be configured using environment variables: + +```bash +# Basic Keycloak configuration +KEYCLOAK_DOMAIN=keycloak.example.org +KEYCLOAK_REALM=openCloud + +# OpenCloud OIDC configuration +OC_OIDC_ISSUER=https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud} +WEB_OPTION_ACCOUNT_EDIT_LINK_HREF=https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}/account +PROXY_OIDC_REWRITE_WELLKNOWN=true +PROXY_USER_OIDC_CLAIM=uuid # this claim needs to be configured in the keycloak realm to use the keycloak user id +PROXY_USER_CS3_CLAIM=userid +# admin and demo accounts must be created in Keycloak +OC_ADMIN_USER_ID="" +SETTINGS_SETUP_DEFAULT_ASSIGNMENTS=false +GRAPH_ASSIGN_DEFAULT_USER_ROLE=false +GRAPH_USERNAME_MATCH=none + +# OpenCloud LDAP configuration +OC_LDAP_URI=ldaps://ldap-server:1636 +OC_LDAP_SERVER_WRITE_ENABLED=false # assuming the external ldap main tree is not writable +# Disable non writable attributes in the OpenCloud Admin UI +FRONTEND_READONLY_USER_ATTRIBUTES="user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.accountEnabled,user.appRoleAssignments" +OC_LDAP_INSECURE=true +OC_LDAP_BIND_DN=cn=admin,dc=opencloud,dc=eu +OC_LDAP_BIND_PASSWORD=admin-password +OC_LDAP_USER_BASE_DN=ou=users,dc=opencloud,dc=eu +OC_LDAP_USER_SCHEMA_ID=entryUUID +OC_LDAP_DISABLE_USER_MECHANISM=none +OC_LDAP_GROUP_BASE_DN=ou=groups,dc=opencloud,dc=eu +OC_LDAP_GROUP_SCHEMA_ID=entryUUID +# Custom groups feature when a writable subtree is available 
+GRAPH_LDAP_GROUP_CREATE_BASE_DN=ou=custom,ou=groups,dc=opencloud,dc=eu +GRAPH_LDAP_SERVER_UUID=true + +``` + +### Example Docker Compose Configuration - Shared Directory Mode + +OpenCloud provides complete example deployments using Docker Compose: + +1. Navigate to the `opencloud-compose` repository +2. Edit the `.env` file to enable the Shared Directory Mode: + +For Shared Directory Mode: + +```bash +# Enable services +COMPOSE_FILE=docker-compose.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/ldap-keycloak.yml +# Your public keycloak domain without protocol +KEYCLOAK_DOMAIN=your-keycloak-domain.example.com +# Admin user login name. Defaults to "kcadmin". +KEYCLOAK_ADMIN= +# Admin user login password. Defaults to "admin". +KEYCLOAK_ADMIN_PASSWORD= +``` + +The Docker Compose file `idm/ldap-keycloak.yml` contains the complete configuration for each component. + +Keycloak is configured during startup by importing the `keycloak-realm.dist.json` file. This file contains the configuration for the OpenCloud realm, including client settings, roles, and user federation. This file is located in the `config/keycloak` directory of the `opencloud-compose` repository. + +:::warning + +Keycloak can import the realm configuration file only once during the first startup. If you need to change the configuration, you must delete the Keycloak container and volume and restart it. This will reset Keycloak to its initial state. + +::: + +## Autoprovisioning Mode + +In this mode, Keycloak is holding all users and OpenCloud autoprovisions new users during first login. +This mode is suitable in scenarios where the OpenIDConnect provider is external and not under control of the OpenCloud admin. To mitigate that lack of control, OpenCloud will use an LDAP server which is fully under the control of the OpenCloud admin to store the users and groups and additional attributes. 
+ +```mermaid +graph TD + subgraph opencloud["OpenCloud Deployment"] + LDAP[("`LDAP Server + - managed by opencloud + - custom schema`")] + OpenCloud["`OpenCloud Server`"] + Stop((("Block
disabled
Users"))) + end + subgraph existing["Existing Infrastructure"] + Keycloak("`Keycloak
(OIDC Provider)`") + UserDirectory[("`Federated Identity Provider + - Microsoft + - Google + - and others`")] + end + + OpenCloud -->|"User and Groups are created during first user login"| LDAP + OpenCloud <-->|"User and Groups are looked up for sharing"| LDAP + OpenCloud -- "Reads Users, Attributes, Group memberships and Roles from OIDC claims" --> Stop --> Keycloak + UserDirectory -->|"Import Users and Groups"| Keycloak + + classDef service fill:#3498db,stroke:#2c3e50,stroke-width:2px,rx:10px,ry:10px; + classDef storage fill:#2ecc71,stroke:#27ae60,stroke-width:2px,rx:10px,ry:10px; + classDef readonly fill:#87CEFA,stroke:#4682B4,stroke-width:3px,rx:10px,ry:10px; + classDef general stroke-width:2px,rx:10px,ry:10px; + + class OpenCloud,Keycloak service; + class LDAP storage; + class existing,directory readonly; + class opencloud general; +``` + +- Keycloak manages the users, groups, and roles +- The OpenCloud Clients and Sessions are configured in Keycloak +- Simplified user management with "just-in-time" provisioning +- Federation with external identity providers is supported (e.g., Google, GitHub, Facebook, Microsoft) +- In this case, we need to provide an LDAP server which is fully controlled by OpenCloud and needs a custom [LDAP Schema](https://github.com/opencloud-eu/opencloud-compose/blob/main/config/ldap/schemas/10_opencloud_schema.ldif). 
+ +### Configuration for Autoprovisioning Mode + +Keycloak, OpenCloud and OpenLDAP can be configured using environment variables: + +```bash +# Basic Keycloak configuration +KEYCLOAK_DOMAIN=keycloak.example.org +KEYCLOAK_REALM=openCloud + +# OpenCloud OIDC configuration +OC_OIDC_ISSUER=https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud} +WEB_OPTION_ACCOUNT_EDIT_LINK_HREF=https://${KEYCLOAK_DOMAIN:-keycloak.opencloud.test}/realms/${KEYCLOAK_REALM:-openCloud}/account +PROXY_OIDC_REWRITE_WELLKNOWN=true +PROXY_USER_OIDC_CLAIM=sub +PROXY_AUTOPROVISION_CLAIM_USERNAME=sub +PROXY_USER_CS3_CLAIM=username +# admin and demo accounts must be created in Keycloak +OC_ADMIN_USER_ID="" +SETTINGS_SETUP_DEFAULT_ASSIGNMENTS=false +GRAPH_ASSIGN_DEFAULT_USER_ROLE=false +GRAPH_USERNAME_MATCH=none + +# OpenCloud LDAP configuration +OC_LDAP_URI=ldaps://ldap-server:1636 +OC_LDAP_SERVER_WRITE_ENABLED=true +# Disable non writable attributes in the OpenCloud Admin UI +FRONTEND_READONLY_USER_ATTRIBUTES="user.onPremisesSamAccountName,user.displayName,user.mail,user.passwordProfile,user.memberOf" +OC_LDAP_INSECURE=true +OC_LDAP_BIND_DN=cn=admin,dc=opencloud,dc=eu +OC_LDAP_BIND_PASSWORD=admin-password +OC_LDAP_USER_BASE_DN=ou=users,dc=opencloud,dc=eu +OC_LDAP_DISABLE_USER_MECHANISM=none +OC_LDAP_GROUP_BASE_DN=ou=groups,dc=opencloud,dc=eu +``` + +### Example Docker Compose Configuration - Autoprovisioning Mode + +OpenCloud provides complete example deployments using Docker Compose: + +1. Navigate to the `opencloud-compose` repository +2. 
Edit the `.env` file to enable the Autoprovisioning Mode: + +For Autoprovisioning Mode: + +```bash +# Enable services +COMPOSE_FILE=docker-compose.yml:idm/external-idp.yml:traefik/opencloud.yml +# Your public keycloak domain without protocol +IDP_DOMAIN=your-idp-domain.example.com +# The openCloud users need to be able to edit their account in the external IdP +IDP_ACCOUNT_URL=https://your-idp-domain.example.com/realms/openCloud/account +``` + +The Docker Compose file `idm/external-idp.yml` contains the complete configuration for each OpenCloud component. The file `10_opencloud_ldap_schema.ldif` contains the OpenCloud LDAP schema and is loaded during the startup of the OpenLdap container. In this mode, your IdP setup is not part of the OpenCloud Deployment. + +:::warning + +Your external IdP configuration must match the settings described in the [Client Configuration](#client-configuration) section above. + +Your external IdP must provide the required claims for user provisioning and role assignment. + +Claims: + +- `sub`: Unique identifier for the user (used as username in OpenCloud) +- `roles`: List of roles assigned to the user (used for role assignment in OpenCloud) +- `name`: User's full name (optional, used for display purposes) +- `preferred_username`: User's preferred username (optional, more intuitive during login) +- `email`: User's email address (optional, used for notifications) +- `groups`: List of groups the user belongs to (optional, used for group assignments in OpenCloud) + +::: + +## Troubleshooting + +Common issues and solutions: + +- User cannot log in: + - Check LDAP connectivity and user existence + - Check if each user has an OpenCloud Role assigned + - Verify that the client IDs and redirect URIs match exactly +- Groups not synchronized: Verify group mappings in Keycloak +- User creation fails (autoprovisioning mode): Ensure LDAP has write permissions in Autoprovisioning Mode 
diff --git a/versioned_docs/version-7.x/admin/configuration/collabora/_category_.json b/versioned_docs/version-7.x/admin/configuration/collabora/_category_.json
new file mode 100644
index 000000000..d3a23ec15
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/collabora/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Collabora",
+ "position": 30,
+ "link": {
+ "type": "doc",
+ "id": "collabora"
+ }
+}
diff --git a/versioned_docs/version-7.x/admin/configuration/collabora/collabora-fonts.md b/versioned_docs/version-7.x/admin/configuration/collabora/collabora-fonts.md
new file mode 100644
index 000000000..c175632df
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/collabora/collabora-fonts.md
@@ -0,0 +1,44 @@
+---
+sidebar_position: 10
+id: collabora-fonts
+title: Collabora additional fonts
+description: How to add additional fonts to Collabora
+draft: false
+---
+
+# Installing Additional Fonts for Collabora
+
+By default, Collabora Online provides only a limited set of fonts.
+To ensure proper document rendering — especially for Microsoft Office documents — you may want to install additional font packages such as `ttf-mscorefonts` or other TrueType/OpenType fonts on your server.
+
+## 1. Access the Server and Update System Packages
+
+Before installing new fonts, make sure your system packages are up to date:
+
+```bash
+apt update
+```
+
+## 2. Install Microsoft Core Fonts
+
+Install the Microsoft Core Fonts package to add common fonts such as Arial or Comic Sans MS:
+
+```bash
+apt install ttf-mscorefonts-installer
+```
+
+During the installation, you will be prompted to accept the EULA (End User License Agreement).
+
+Accept EULA
+
+## 3. Restart Collabora
+
+After the installation is complete, restart your docker-compose setup to apply the changes:
+
+```bash
+docker compose restart
+```
+
+Once restarted, Collabora will recognize the newly installed fonts, and they will be available when editing documents.
+
+New Fonts added
diff --git a/versioned_docs/version-7.x/admin/configuration/collabora/collabora-ms-office-formats.md b/versioned_docs/version-7.x/admin/configuration/collabora/collabora-ms-office-formats.md
new file mode 100644
index 000000000..5f2ce7243
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/collabora/collabora-ms-office-formats.md
@@ -0,0 +1,110 @@
+---
+sidebar_position: 20
+id: collabora-ms-office-formats
+title: Enable MS-Office formats
+description: How to enable MS-Office formats
+draft: false
+---
+
+## Enable Microsoft file formats in the New menu
+
+:::note
+Starting with version 5.2.0, OpenCloud no longer enables Microsoft file formats as default creation options in the New menu. To make them available again, you must define them explicitly in `app-registry.yaml`.
+:::
+
+### Create the configuration file
+
+Create an `app-registry.yaml` file in your OpenCloud configuration directory.
+
+This change cannot be applied in setups that use internal Docker volumes only, because the config directory is not available directly on the host.
+
+For production deployments, bind-mounted volumes are recommended, as they provide a predictable host path for configuration, persistence, and backups.
+
+If your deployment uses a bind mount for the OpenCloud config directory, place the file in the mapped config directory on the host system. The exact path depends on your Docker Compose setup and may differ from `config/opencloud`.
+
+Example:
+
+````bash
+/path/to/your/opencloud/config/app-registry.yaml
+
+Insert following content:
+
+```yaml
+app_registry:
+ mimetypes:
+ - mime_type: application/pdf
+ extension: pdf
+ name: PDF
+ description: PDF document
+ icon: ''
+ default_app: ''
+ allow_creation: false
+ - mime_type: application/vnd.oasis.opendocument.text
+ extension: odt
+ name: Document
+ description: OpenDocument text document
+ icon: ''
+ default_app: Collabora
+ allow_creation: true
+ - mime_type: application/vnd.oasis.opendocument.spreadsheet
+ extension: ods
+ name: Spreadsheet
+ description: OpenDocument spreadsheet document
+ icon: ''
+ default_app: Collabora
+ allow_creation: true
+ - mime_type: application/vnd.oasis.opendocument.presentation
+ extension: odp
+ name: Presentation
+ description: OpenDocument presentation document
+ icon: ''
+ default_app: Collabora
+ allow_creation: true
+ - mime_type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
+ extension: docx
+ name: Microsoft Word
+ description: Microsoft Word document
+ icon: ''
+ default_app: Collabora
+ allow_creation: true
+ - mime_type: application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+ extension: xlsx
+ name: Microsoft Excel
+ description: Microsoft Excel document
+ icon: ''
+ default_app: Collabora
+ allow_creation: true
+ - mime_type: application/vnd.openxmlformats-officedocument.presentationml.presentation
+ extension: pptx
+ name: Microsoft PowerPoint
+ description: Microsoft PowerPoint document
+ icon: ''
+ default_app: Collabora
+ allow_creation: true
+````
+
+### Verify ownership and permissions
+
+:::important UID/GID and volume permissions
+Make sure that `app-registry.yaml` can be read by the user running the OpenCloud container. Incorrect ownership or permissions on mounted files can prevent OpenCloud from using the configuration.
+:::
+
+By default, OpenCloud uses:
+
+```bash
+UID=1000
+GID=1000
+```
+
+Adjust the file ownership and permissions if your container runs with different values.
+
+### Restart OpenCloud
+
+Restart your deployment after creating the file:
+
+```bash
+docker compose down
+docker compose up -d
+```
+
+After the restart, Microsoft formats such as Word, Excel, and PowerPoint are available again in the New menu.
diff --git a/versioned_docs/version-7.x/admin/configuration/collabora/index.md b/versioned_docs/version-7.x/admin/configuration/collabora/index.md
new file mode 100644
index 000000000..0674bb3bd
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/collabora/index.md
@@ -0,0 +1,22 @@
+---
+sidebar_position: 1
+id: collabora
+title: Collabora
+description: Configuration guides for Collabora integration in OpenCloud
+draft: false
+---
+
+# Collabora
+
+This section collects the most common Collabora configuration topics for OpenCloud.
+It is meant as a quick entry point for administrators who want to improve document compatibility and editing experience.
+
+## What you will find here
+
+- Add additional fonts so documents render more reliably across systems.
+- Enable Microsoft Office formats in the New menu when you want to create `.docx`, `.xlsx`, or `.pptx` files directly.
+
+## Guides
+
+- [Install additional fonts](./collabora-fonts)
+- [Enable MS-Office formats](./collabora-ms-office-formats)
diff --git a/versioned_docs/version-7.x/admin/configuration/default-language.md b/versioned_docs/version-7.x/admin/configuration/default-language.md
new file mode 100644
index 000000000..dceb9b419
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/default-language.md
@@ -0,0 +1,43 @@
+---
+sidebar_position: 100
+id: default-language
+title: Default Language
+description: Set the default language
+draft: false
+---
+
+# Set the default language
+
+By default, OpenCloud uses English (en) as its interface language, unless a different language is explicitly configured.
+OpenCloud relies on ISO 639-1 language codes for language selection.
+You can find the complete list of supported languages here: [Supported languages](../resources/faq#miscellaneous)
+
+## Edit the `.env` File
+
+Open the environment configuration file located in your `opencloud-compose` directory:
+
+```bash
+nano opencloud-compose/.env
+```
+
+Configure the default language using the following environment variable:
+
+```env
+# The default language used by services and the WebUI.
+# Uses ISO 639-1 language codes (e.g. "en", "de", "fr").
+# Defaults to English if not set.
+DEFAULT_LANGUAGE="language code"
+```
+
+## Restart Docker Services
+
+After saving the file, shut down and restart the Docker containers to apply the changes:
+
+```bash
+docker compose down
+docker compose up -d
+```
+
+## Result
+
+OpenCloud is now fully displayed in the language configured in the .env file.
diff --git a/versioned_docs/version-7.x/admin/configuration/frontend-update-check.md b/versioned_docs/version-7.x/admin/configuration/frontend-update-check.md
new file mode 100644
index 000000000..950e109cf
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/frontend-update-check.md
@@ -0,0 +1,49 @@
+---
+sidebar_position: 35
+id: frontend-check-updates
+title: Frontend Update check
+description: How to disable the frontend check for updates in OpenCloud.
+draft: false
+---
+
+# Disable frontend update check
+
+By default, OpenCloud performs a frontend check to verify if you are running the latest version.
+
+:::note
+
+When the frontend update check detects a security-critical upgrade, administrators may see a warning in the lower-left corner of the web interface. This warning indicates that the available upgrade should be reviewed and applied with priority.
+
+:::
+
+check is true
+critical check is true
+
+## Edit the `.env` File
+
+Open the environment configuration file located in your `opencloud-compose` directory:
+
+```bash
+nano opencloud-compose/.env
+```
+
+Set the `FRONTEND_CHECK_FOR_UPDATES` environment variable to `false` to disable the frontend check for updates:
+
+```env
+FRONTEND_CHECK_FOR_UPDATES=false
+```
+
+## Restart Docker Services
+
+After saving the file, shut down and restart the Docker containers to apply the changes:
+
+```bash
+docker compose down
+docker compose up -d
+```
+
+## Result
+
+The frontend will no longer display a message about newer versions being available.
+
+check is false
diff --git a/versioned_docs/version-7.x/admin/configuration/img/app-store.png b/versioned_docs/version-7.x/admin/configuration/img/app-store.png
new file mode 100644
index 000000000..51b8c9de6
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/app-store.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/collabora/accept-eula.png b/versioned_docs/version-7.x/admin/configuration/img/collabora/accept-eula.png
new file mode 100644
index 000000000..772aa08b3
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/collabora/accept-eula.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/collabora/new-fonts.png b/versioned_docs/version-7.x/admin/configuration/img/collabora/new-fonts.png
new file mode 100644
index 000000000..3ababdbc6
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/collabora/new-fonts.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/decomposeds3-with-minio.png b/versioned_docs/version-7.x/admin/configuration/img/decomposeds3-with-minio.png
new file mode 100644
index 000000000..d53e7ff04
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/decomposeds3-with-minio.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-false.png b/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-false.png
new file mode 100644
index 000000000..daa2f160c
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-false.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-true-critical.png b/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-true-critical.png
new file mode 100644
index 000000000..9752ff5b9
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-true-critical.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-true.png b/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-true.png
new file mode 100644
index 000000000..4be5cf580
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/frontend-update-check/check-true.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/add-user.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/add-user.png
new file mode 100644
index 000000000..26d97b3c9
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/add-user.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/enable-self-registration.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/enable-self-registration.png
new file mode 100644
index 000000000..850919055
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/enable-self-registration.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/fill-out-registration-form.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/fill-out-registration-form.png
new file mode 100644
index 000000000..7b6a4b8d5
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/fill-out-registration-form.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/fill-out-userinfo.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/fill-out-userinfo.png
new file mode 100644
index 000000000..1cf5f03ff
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/fill-out-userinfo.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/guest-login.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/guest-login.png
new file mode 100644
index 000000000..1916c7a29
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/guest-login.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/register-button.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/register-button.png
new file mode 100644
index 000000000..a5056e759
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/register-button.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/set-admin-roles.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/set-admin-roles.png
new file mode 100644
index 000000000..9135e76d3
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/set-admin-roles.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/set-password.png b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/set-password.png
new file mode 100644
index 000000000..026944e24
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/keycloak/add-user/set-password.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/img/login-page.png b/versioned_docs/version-7.x/admin/configuration/img/login-page.png
new file mode 100644
index 000000000..0a8306f29
Binary files /dev/null and b/versioned_docs/version-7.x/admin/configuration/img/login-page.png differ
diff --git a/versioned_docs/version-7.x/admin/configuration/index.md b/versioned_docs/version-7.x/admin/configuration/index.md
new file mode 100644
index 000000000..06a6f016f
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/index.md
@@ -0,0 +1,24 @@
+---
+sidebar_position: 0
+id: admin-configuration
+title: Configuration
+description: Overview of OpenCloud administration configuration topics
+---
+
+# Configuration
+
+Use these guides to tune OpenCloud behavior, integrations, and default settings.
+
+## In this section
+
+- [Authentication and Identity Management](./authentication-and-user-management/) - Internal and external IDP setup
+- [Storage](./storage/) - Storage drivers and backend setup
+- [Collabora](./collabora/) - Collabora integration and document compatibility
+- [Default Language](./default-language.md)
+- [Frontend Update Check](./frontend-update-check.md)
+- [Link Password Policy](./link-password-policy.md)
+- [Logging](./logging.md)
+- [Mail Notifications](./mail-notifications.md)
+- [Radicale Integration](./radicale-integration.md)
+- [Set Default Quota](./set-default-quota.md)
+- [Web Applications](./web-applications.md)
diff --git a/versioned_docs/version-7.x/admin/configuration/link-password-policy.md b/versioned_docs/version-7.x/admin/configuration/link-password-policy.md
new file mode 100644
index 000000000..3b7212037
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/link-password-policy.md
@@ -0,0 +1,107 @@
+---
+sidebar_position: 90
+id: link-password-policy
+title: Public Links - Password Enforcement and Configuration
+description: Remove the password enforcement and configure the passwords requirements for public links
+draft: false
+---
+
+# Public Links: Password Enforcement and Policy
+
+OpenCloud provides two related controls for passwords on public links:
+
+1. Password enforcement for public links (whether a password is required at all).
+2. Password policy (how strong a password must be, if a password is used/required).
+
+This guide shows how to configure both via `opencloud-compose/.env`.
+
+## Configure Password Enforcement for Public Links
+
+By default, OpenCloud requires a password for public shares. You can disable that requirement globally and (optionally) still require passwords for writable public links.
+
+### Disable the password requirement for all public links
+
+```env
+OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
+```
+
+Require a password for writable public links only
+
+```env
+OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD=true
+```
+
+This setting only applies when `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` is set to false.
+
+## Configure Password Policy for Public Link Passwords
+
+OpenCloud can enforce strong(er) passwords by requiring occurrences of characters across different classes. You can individually configure the minimum number of:
+
+- lower-case characters
+
+- upper-case characters
+
+- digits
+
+- special characters
+
+that must appear in a valid password (and also set a minimum length).
+
+Add or adjust these variables in your .env file:
+
+### Enable/disable password policy checks
+
+- true = policy disabled (no complexity requirements enforced)
+- false = policy enabled (requirements below are enforced)
+
+```env
+OC_PASSWORD_POLICY_DISABLED=false
+```
+
+### Minimum password length
+
+```env
+OC_PASSWORD_POLICY_MIN_CHARACTERS=8
+```
+
+### Minimum character-class requirements
+
+```env
+OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS=1
+OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS=1
+OC_PASSWORD_POLICY_MIN_DIGITS=1
+OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS=1
+```
+
+### Optional: Path to a 'banned passwords list' file
+
+```env
+OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST=""
+```
+
+The password policy only applies when a password is set/required for a public link.
+
+More information is available in the [developer documentation on password policy](../../dev/server/services/frontend/information#passwords).
+
+## Edit the .env File
+
+Open the environment configuration file located in your opencloud-compose directory:
+
+```bash
+nano opencloud-compose/.env
+```
+
+Add or modify the variables from the sections above as needed, then save the file.
+
+## Restart Docker Services
+
+After saving the file, shut down and restart the Docker containers to apply the changes:
+
+```bash
+docker compose down
+docker compose up -d
+```
+
+:::note
+This change applies globally to all public shares created after the restart.
+:::
diff --git a/versioned_docs/version-7.x/admin/configuration/logging.md b/versioned_docs/version-7.x/admin/configuration/logging.md
new file mode 100644
index 000000000..5d389bd99
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/logging.md
@@ -0,0 +1,51 @@
+---
+sidebar_position: 100
+id: logging
+title: Logging
+description: Logging in OpenCloud
+draft: false
+---
+
+# Logging in OpenCloud
+
+Logging helps monitor OpenCloud’s health and diagnose issues. Log output varies by level, from minimal to detailed. By default, logs are written to `stderr`. In Docker deployments, logs are accessible via `docker logs`.
+
+## Log Levels
+
+Set the global log level in your `.env` file using `LOG_LEVEL`, which maps to `OC_LOG_LEVEL`. The default is `error`.
+
+If you want to change the log level for individual services, define the corresponding service-specific variables in the `environment:` section of the relevant service in `docker-compose.yaml`, for example `PROXY_LOG_LEVEL=info` or `SHARING_LOG_LEVEL=info`.
+
+## The log levels are
+
+### FATAL
+
+Critical issues that cause the application to shut down — such as config errors or missing dependencies.
+
+### ERROR
+
+Severe problems that block proper operation and require admin attention.
+
+### WARN
+
+Unexpected conditions that don’t stop the app but may need investigation.
+
+### INFO
+
+Routine events that confirm expected behavior and operation.
+
+### DEBUG
+
+Highly detailed messages for diagnosing problems. Use cautiously in production due to verbosity.
+
+## Request Correlation
+
+### X-Request-ID
+
+OpenCloud supports tracing using the `X-Request-ID` header. Clients send a UUID v4 with each request, which is included in backend logs for correlation.
+
+To manually test with `curl`, add:
+
+```bash
+--header "X-Request-ID: "
+```
diff --git a/versioned_docs/version-7.x/admin/configuration/mail-notifications.md b/versioned_docs/version-7.x/admin/configuration/mail-notifications.md
new file mode 100644
index 000000000..ecaa62673
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/mail-notifications.md
@@ -0,0 +1,66 @@
+---
+sidebar_position: 40
+id: mail-notifications
+title: Mail Notifications
+description: How to activate mail notifications in OpenCloud
+draft: false
+---
+
+# Mail notifications in OpenCloud
+
+This guide shows how to configure your OpenCloud instance to send notification E-Mails by modifying the `.env` file in your OpenCloud setup
+
+## Open the .env File
+
+Edit the file with your preferred text editor:
+
+```bash
+nano .env
+```
+
+Or use vim, code, or gedit as you prefer.
+
+## Add or modify these Environment Variables
+
+Adjust the following lines in your `.env` file according to your SMTP provider and requirements.
+Note: `SMTP_TRANSPORT_ENCRYPTION` and `SMTP_INSECURE` may vary depending on your setup.
+
+SMTP Settings:
+
+```env
+SMTP_HOST=YOUR_SMTP_HOST
+SMTP_PORT=1025
+SMTP_SENDER=noreply@your.text
+SMTP_USERNAME=YOUR_USERNAME
+SMTP_PASSWORD=YOUR_PASSWORD
+SMTP_TRANSPORT_ENCRYPTION=none
+SMTP_INSECURE=true
+SMTP_AUTHENTICATION=auto
+```
+
+See section [Environment Variables](../../dev/server/services/notifications/env-vars.mdx) in the developers documentation for possible values for these variables. Note, that the environment variables are prefixed with `NOTIFICATIONS_`, so `NOTIFICATIONS_SMTP_AUTHENTICATION` shows possible values for `SMTP_AUTHENTICATION` in the `.env` file.
+
+Per default the `notifications` service is disabled. To send out notifications, the service must be enabled via:
+
+```env
+START_ADDITIONAL_SERVICES="notifications"
+```
+
+:::warning
+In the .env file, values should be written without quotation marks. Do not use 'single quotes' or "double quotes" — just enter the plain value.
+:::
+
+## Save and exit
+
+For nano, press Ctrl + O to save and Ctrl + X to exit.
+
+## Restart OpenCloud
+
+Apply the changes by restarting the OpenCloud services:
+
+```bash
+docker compose down
+docker compose up -d
+```
+
+OpenCloud is now successfully configured to deliver notification emails, including those triggered by actions such as file sharing.
diff --git a/versioned_docs/version-7.x/admin/configuration/radicale-integration.md b/versioned_docs/version-7.x/admin/configuration/radicale-integration.md
new file mode 100644
index 000000000..b0f8877a0
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/radicale-integration.md
@@ -0,0 +1,73 @@
+---
+sidebar_position: 50
+id: radicale-integration
+title: Calendar and Contacts Integration with Radicale
+description: How to enable Calendar and Contacts integration via Radicale in OpenCloud
+draft: false
+---
+
+# Integration with Radicale
+
+OpenCloud is able to act as an authenticating reverse proxy for the open-source
+CalDAV and CardDAV Server [Radicale](https://radicale.org). With that, users
+get a calender- and contacts server out of the box with OpenCloud that can be
+used with a wide selection of desktop- and mobile clients without hassle.
+
+The `opencloud-compose` deployment example already contains all the required pieces to
+setup the integration. This guide explains the required steps to achieve that.
+
+:::note
+The calendar and contacts feature is - until further notice - intended for
+non-customers, i.e. please note that it is not covered under our enterprise
+license, and we do not provide professional support for it. This means that
+this feature is maintained and supported on best effort without warranty.
+:::
+
+## Setting up Calendar and Contacts Integration with Radicale
+
+To use this feature you need at least OpenCloud Version 2.3.0. Earlier releases lack
+some of the required features. This guide assumes that you already have a running
+deployment based on the `opencloud-compose` deployment example.
+
+### Configure the `.env` file to deploy Radicale
+
+In the root directory of the `opencloud-compose` deployment example,
+add the radicale component to the `COMPOSE_FILE` variable in your `.env` file or add it directly to the startup command:
+
+```bash
+COMPOSE_FILE=docker-compose.yml:traefik/opencloud.yml:radicale/radicale.yml
+```
+
+or `docker compose -f docker-compose.yml -f traefik/opencloud.yml -f radicale/radicale.yml up`
+
+### Update the deployment
+
+```bash
+docker compose up -d
+```
+
+This will launch an additional container (called `radicale`) using the
+`opencloudeu/radicale` container image and reconfigure the OpenCloud instance
+to automatically forward all authenticated traffic on
+`https:///caldav` and
+`https:///carddav` to the radicale container adding
+information about the authenticated users.
+
+Radicale is configured to automatically create default calendar and address book for every authenticated user.
+
+## Accessing the Calendar and Address Book
+
+Users should now be able to access their address book and calendar with any
+capable CalDAV/CardDAV software (OpenCloud does currently not provide any UI
+to access them).
+
+As very few clients currently support authentication via OpenID Connect you can use
+the "App Token" feature in the user's settings page to generate an application specific
+password that can be used for authentication in most existing CalDAV/CardDAV clients.
+
+As OpenCloud implements support for the `.well-known/carddav` and `.well-known/caldav`
+endpoint. Many clients are able to automatically discover existing calendars and
+address books. So the only thing that is needed for those clients to work is
+to set `https://` as the target URL for calendars and
+address books together with the OpenCloud username as the username and the
+generated app token as the password for authentication.
diff --git a/versioned_docs/version-7.x/admin/configuration/set-default-quota.md b/versioned_docs/version-7.x/admin/configuration/set-default-quota.md
new file mode 100644
index 000000000..a73a86027
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/set-default-quota.md
@@ -0,0 +1,77 @@
+---
+sidebar_position: 30
+id: default-user-quota
+title: Set default user quota
+description: How to set default user quota
+draft: false
+---
+
+# Set Default Quota per User Role
+
+You can define default storage quotas for specific user roles in OpenCloud by configuring the proxy service. This ensures that any newly created user with a given role automatically receives the specified quota.
+
+## Define Role-Based Quotas in `proxy.yaml`
+
+To configure quotas, edit the `opencloud.proxy.yaml` file and add the `role_quotas` section with role IDs and the desired quota in bytes:
+
+```bash
+nano opencloud-compose/config/opencloud/proxy.yaml
+```
+
+Example configuration:
+
+```yaml
+role_quotas:
+ 'd7beeea8-8ff4-406b-8fb6-ab2dd81e6b11': 1073741824
+```
+
+This assigns a 1 GiB quota to all new users with the "User" role.
+
+## Role IDs
+
+Use the following role IDs to configure different quotas:
+
+- User:
+ `d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11`
+
+- SpaceAdmin:
+ `2aadd357-682c-406b-8874-293091995fdd`
+
+- Admin:
+ `71881883-1768-46bd-a24d-a356a2afdf7f`
+
+:::note
+Quota values are defined in bytes.
+:::
+
+## Mount the Configuration in Docker
+
+To apply the configuration, mount the updated `proxy.yaml` into your Docker container.
+
+1. Open the `docker-compose.yaml` file:
+
+```bash
+nano opencloud-compose/docker-compose.yaml
+```
+
+2. Add the following line under the `volumes` section for the proxy container:
+
+```yaml
+- ./config/opencloud/proxy.yaml:/etc/opencloud/proxy.yaml
+```
+
+## Apply the Changes
+
+Restart the OpenCloud container to apply the new configuration:
+
+```bash
+docker compose up -d
+```
+
+## Result
+
+All newly created users who receive a role defined in the `role_quotas` section will automatically have the specified quota assigned.
+
+:::info
+This configuration does **not** affect existing users. Only new users will receive the default quota.
+:::
diff --git a/versioned_docs/version-7.x/admin/configuration/storage/_category_.json b/versioned_docs/version-7.x/admin/configuration/storage/_category_.json
new file mode 100644
index 000000000..5475fd5c5
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/storage/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Storage",
+ "position": 20,
+ "link": {
+ "type": "doc",
+ "id": "storage"
+ }
+}
diff --git a/versioned_docs/version-7.x/admin/configuration/storage/cephfs.md b/versioned_docs/version-7.x/admin/configuration/storage/cephfs.md
new file mode 100644
index 000000000..097069e0c
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/storage/cephfs.md
@@ -0,0 +1,7 @@
+---
+sidebar_position: 2
+id: storage-cephfs
+title: 'CephsFS'
+description: CephsFS
+draft: true
+---
diff --git a/versioned_docs/version-7.x/admin/configuration/storage/decomposeds3.md b/versioned_docs/version-7.x/admin/configuration/storage/decomposeds3.md
new file mode 100644
index 000000000..cbe7e83e2
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/storage/decomposeds3.md
@@ -0,0 +1,90 @@ +--- +sidebar_position: 3 +id: storage-decomposeds3 +title: 'Decomposeds3' +description: Decomposeds3 Storage Driver +draft: false +--- + +# Decomposeds3 Storage Driver + +Decomposeds3 is a storage driver for OpenCloud that uses MinIO — an S3-compatible object storage — to store files efficiently. This setup combines the scalability of S3 with seamless integration into OpenCloud. + +:::warning + +This setup includes **No Migration Path** from existing storage solutions. If you are already using another storage backend, you will need to migrate your data manually. + +::: + +## Configure an S3 Bucket + +1. **Access your S3 Service**: Log in to your S3-compatible service (e.g., Hetzner S3, MinIO, AWS S3). +2. **Create a Bucket**: Create a new bucket named `opencloud` (or any name you prefer). +3. **Set Permissions**: Ensure the bucket has the necessary permissions for read and write operations +4. **Note the Endpoint and Credentials**: Make a note of the endpoint URL, access key, and secret key for your S3 service. +5. **CORS Configuration**: If your S3 service requires CORS configuration, ensure that it allows requests from your OpenCloud domain. +6. **Region**: Note the region where your bucket is created, as it may be required for configuration. + +## Setup OpenCloud + +Navigate to the folder containing the Docker Compose configuration: + +```bash +cd opencloud-compose +``` + +Open the `.env` file and fill the required configuration variables: + +```bash +nano .env +``` + +Now we need all the information about the S3 bucket we created earlier. Modify the following lines in your `.env` file: + +:::tip + +The `DECOMPOSEDS3_*` variables used below are specific to [opencloud's docker-compose deployment method](https://github.com/opencloud-eu/opencloud-compose). If deploying outside of the recommended docker-compose configuration, the proper environment variables variables are `STORAGE_USERS_DECOMPOSEDS3_*`. 
See the [storage-users](../../../dev/server/services/storage-users) documentation for more details. + +::: + +```yaml +# Configure the S3 storage endpoint. Defaults to "http://minio:9000" for testing purposes. +DECOMPOSEDS3_ENDPOINT=https//your-s3-endpoint.example.com +# S3 region. Defaults to "default". +DECOMPOSEDS3_REGION=eu-central-1 +# S3 access key. Defaults to "opencloud" +DECOMPOSEDS3_ACCESS_KEY= +# S3 secret. Defaults to "opencloud-secret-key" +DECOMPOSEDS3_SECRET_KEY= +# S3 bucket. Defaults to "opencloud" +DECOMPOSEDS3_BUCKET=opencloud +``` + +Add `storage/decomposeds3.yml` to the `COMPOSE_FILE` variable +or include it directly in the startup command: + +```bash +docker compose -f docker-compose.yml -f storage/decomposeds3.yml up +``` + +Start all containers in the background: + +```bash +docker compose up -d +``` + +## Login + +Open your browser and log in. + +After logging in, you should see the OpenCloud interface: + +Login Page + +OpenCloud with decomposeds3 and MinIO + +## Troubleshooting + +If you run into any issues or errors, check the following resource: + +- [Common Issues & Help](../../resources/common-issues) diff --git a/versioned_docs/version-7.x/admin/configuration/storage/index.md b/versioned_docs/version-7.x/admin/configuration/storage/index.md new file mode 100644 index 000000000..5e06f6faa --- /dev/null +++ b/versioned_docs/version-7.x/admin/configuration/storage/index.md @@ -0,0 +1,16 @@ +--- +sidebar_position: 0 +id: storage +title: Storage +description: Overview of OpenCloud storage configuration options +draft: false +--- + +# Storage + +Use these guides to configure the storage backend for your OpenCloud deployment. + +## In this section + +- [PosixFS](./posixfs.md) - Use a regular filesystem as the OpenCloud storage backend +- [DecomposedS3](./decomposeds3.md) - Use S3-compatible object storage with MinIO 
diff --git a/versioned_docs/version-7.x/admin/configuration/storage/posixfs.md b/versioned_docs/version-7.x/admin/configuration/storage/posixfs.md
new file mode 100644
index 000000000..6651acef1
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/storage/posixfs.md
@@ -0,0 +1,118 @@
+---
+sidebar_position: 1
+id: storage-posix
+title: 'PosixFS'
+description: PosixFX Storage Driver
+draft: false
+---
+
+# PosixFS Storage Driver
+
+PosixFS is a storage driver that saves OpenClouds files and folders in a folder structure how the user sees that in the web interface or other clients. That is a difference to the previously used driver DecomposedFS, which stores files in a technical folder structure that has limited meaning for admins.
+
+PosixFS Driver supports two different modes:
+
+- The _non collaborative mode_ where the filesystem tree in use is exclusively granted to OpenCloud
+- The _collaborative mode_ where modifications of the underlying file tree are permitted by other processes than OpenCloud
+
+## General Notes
+
+The following general notes apply to both modes of the driver.
+
+### Metadata
+
+To enable OpenCloud to operate without a database, additional metadata is stored using the extended file attributes of each file. If the total size of this metadata exceeds the limitations imposed by the underlying file system, it is automatically moved to a separate metadata file. In such cases, only a reference to this metadata file remains in the extended attributes. This entire process is handled transparently by OpenCloud.
+
+### Access Model
+
+To ensure reliable operation in _non-collaborative mode_, the underlying file system used by the PosixFS driver must not be modified while OpenCloud is running. The assigned file system tree must be exclusively reserved for access by OpenCloud.
+All files and directories must be owned by the same user and group under which the OpenCloud process is running. File and directory permissions must allow OpenCloud to read, write, and traverse the entire tree.
+
+These conditions are automatically fulfilled as long as the root directory of the assigned tree is writable.
+
+#### Assimilation
+
+When OpenCloud starts up, it scans the assigned file system tree for newly added or modified files and directories. During this process, metadata is updated and internal caches are built accordingly. This is referred to as the _assimilation_ of new resources.
+
+It is important to note that assimilation does not trigger post-upload checks, such as virus scanning. Since the files are already in their final location within the file system, such checks would be ineffective at this stage and are therefore skipped.
+
+However, indexing for the search service does take place for assimilated resources.
+
+### Startup
+
+When OpenCloud with PosixFS starts up, it is running over the entire file system to warm up the caches. This might take some time.
+
+### Backup
+
+With PosixFS backup and restore is easy. The entire OpenCloud filesystem tree can be snapshotted regularly and restored as needed. It depends on the filesystem type how that has to be done in detail.
+
+### Migration
+
+PosixFS in this so called _non collaborative mode_ is the default for new installations of OpenCloud. There is currently no way to migrate OpenCloud installations with DecomposedFS backend to PosixFS.
+
+If that is needed, data needs to be copied into a new installation of OpenCloud.
+
+## PosixFS Non Collaborative Mode
+
+This describes special aspects of the non collaborative mode.
+
+### External Access
+
+When OpenCloud is shut down, limited manipulation of the underlying file system tree is possible for certain administration tasks such as
+
+- adding files and folders
+- removing files and folders
+- renaming files and folders
+
+:::warning
+
+Whenever files are manipulated externally to OpenCloud, it is important to remember to
+
+- shut down OpenCloud before starting
+- do not lose the extended file attributes of individual files
+- set the file- and folder permissions correctly
+
+:::
+
+### Configuration
+
+The PosixFS storage driver is part of the default OpenCloud bundle.
+
+Involved configuration settings (environment variables) to enable PosixFS are:
+
+- `STORAGE_USERS_DRIVER` defaults to `posix` from version `2.0.0`, in older versions it needs to be explicitly set
+- `STORAGE_USERS_ID_CACHE_STORE` needs to be set to `nats-js-kv`
+- `STORAGE_USERS_POSIX_ROOT` can be omitted for default, or set the storage root directory
+
+## PosixFS Collaborative Mode
+
+This section describes the collaborative mode of the PosixFS driver, which allows the file system to be modified while OpenCloud is running. Changes made in this mode are reflected in real time in OpenCloud clients.
+
+### Usage
+
+Collaborative mode should always be used with caution. It is intended only for well-defined use cases that are carefully planned, configured, and tested. Operation must take place in a controlled environment.
+
+Compared to non-collaborative mode, collaborative mode requires significantly more system resources to monitor the file system. Server hardware must be appropriately sized to handle this increased load.
+
+### External Access
+
+External access to files is permitted under specific conditions. File changes are detected and assimilated in real time.
+
+The following guidelines are critical for smooth and reliable operation:
+
+- Creating new files and folders is the preferred method of external modification.
+- Do not use symbolic links.
+- Moving files across OpenCloud spaces is not supported and will not be detected as such.
+- Editing or deleting large numbers of files may cause errors in tree size calculation.
+- Continuously monitor server system resources to identify potential bottlenecks.
+- Carefully configure components such as Apache Tika to optimize indexing performance.
+
+It is essential to maintain correct file ownership and permissions when modifying the file system externally. Files must be created with the correct user and permissions from the outset. Retroactive changes are discouraged, as assimilation may already be in progress.
+
+### Configuration
+
+In addition to the configuration required for non-collaborative mode, the following setting must be enabled for local file systems such as XFS, ext4, and others:
+
+```env
+STORAGE_USERS_POSIX_WATCH_FS=true
+```
diff --git a/versioned_docs/version-7.x/admin/configuration/web-applications.md b/versioned_docs/version-7.x/admin/configuration/web-applications.md
new file mode 100644
index 000000000..d3d6783e4
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/configuration/web-applications.md
@@ -0,0 +1,66 @@
+---
+sidebar_position: 60
+id: web-applications
+title: Web Apps
+description: How to enable web applications in OpenCloud
+draft: false
+---
+
+# Web Applications
+
+Administrators have the ability to provide additional web applications to their users. This feature is especially useful for organizations that want to integrate third-party tools or provide internally developed apps within the OpenCloud environment.
+
+## Installing a Web Application
+
+You can install a web application in just a few steps:
+
+### Open the App Store
+
+Use the Application Switcher in the top navigation bar of OpenCloud and navigate to the App Store.
+
+App Store
+
+### Download the Application
+
+Find and download the application you want to install.
+
+### Extract and copy
+
+Unzip the downloaded archive and copy the extracted folder into the web application directory.
+By default, this path is:
+
+```bash
+opencloud-compose/config/opencloud/apps
+```
+
+:::note
+If you are adding an app to an already running system, verify whether the `/web/assets/apps` directory exists inside your `$OC_DATA_DIR`.
+If it does not exist, create it manually.
+:::
+
+### Restart OpenCloud
+
+Restart the OpenCloud stack using the following command:
+
+```bash
+docker compose restart
+```
+
+### Access in OpenCloud
+
+Once the app is copied to the correct location, it will automatically appear in the OpenCloud interface.
+
+## Configure a Web Application
+
+Some OpenCloud apps require additional configuration — for example, the External Sites app.
+
+This particular app can be configured by creating the file config.json in the web apps directory:
+
+```bash
+/web/assets/apps/external-sites/config.json
+```
+
+:::note
+Configuration details vary between apps.
+For specific setup instructions, please refer to the [official documentation](https://github.com/opencloud-eu/web-extensions/tree/main) of the respective app.
+:::
diff --git a/versioned_docs/version-7.x/admin/datasheet.md b/versioned_docs/version-7.x/admin/datasheet.md new file mode 100644 index 000000000..192fbfeb1 --- /dev/null +++ b/versioned_docs/version-7.x/admin/datasheet.md @@ -0,0 +1,72 @@ +--- +sidebar_position: 3 +id: datasheet +title: Datasheet +description: Datasheet +draft: false +--- + +## Deployment Options + +| Category | Details | +| :------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Types |
  • On-Premises
  • Managed Service: Available through partners
  • SaaS: Available through partners
| +| Container (recommended) |
  • Docker Compose or Podman
  • Kubernetes Helm Charts (available with a [enterprise subscription](https://opencloud.eu/en/product/service-and-support) )
| +| Bare-Metal (not officially supported) |
  • OpenCloud can run as a single binary. However, integrating additional services like Collabora, Apache Tika for search, or antivirus is not documented. Bare-metal deployments are not officially supported by OpenCloud. They are great for quick evaluation but are undocumented and have a minimalist feature set.
| + +## Backup + +| Category | Details | +| :-------------- | :------------------------------------------------------------------------------------------------------------------------------------------- | +| Backup strategy |
  • Snapshots: Backups can be easily done solely through storage snapshots, eliminating the need for complex database backups.
| + +## Security + +| Category | Details | +| :------------------- | :-------------------------------------------------------------------------------------------------------------------------------------- | +| Encryption |
  • Transport Encryption: TLS
  • Server-Side Encryption: S3 SSE
| +| Access management |
  • RBAC (Role-Based Access Control)
  • 2FA / MFA
  • SSO (LDAP, SAML, OAuth)
| +| Auditing & Logging |
  • Detailed logs, audit trails, monitoring APIs
| +| File Firewall |
  • Prevent upload of restricted filetypes based on a allow- or denylist.
| +| Antivirus |
  • ClamAV (default)
  • ICAP: Integrate 3rd party anti-virus scanner via Internet Content Adaptation Protocol (ICAP)
| +| Data Loss Prevention |
  • Collabora Secure View
| + +## Identity Management + +| Category | Details | +| :--------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Integrated |
  • Integrated user and group management (LibreIDM) for up to 500 users. Designed for standalone or small-sized deployments that do not rely on third-party identity services, usually for friends and family.
| +| External |
  • OpenID Connect (OIDC): Integration of external identity providers via Keycloak.
  • Integration of Azure AD, EntraID, ADFS
| + +## Compliance + +| Regulation | Details | +| :------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| EU-GDPR |
  • Compliant
| +| WCAG 2.1 / BITV 2.0 Web Accessibility |
  • Compliant. To prevent accessibility regressions, we treat any accessibility violation as a bug and continuously fix these issues as part of our daily software development lifecycle.
| + +## High Availability + +| Category | Details | +| :-------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Redundancy & Failover |
  • Supported in clustered environments to ensure high availability and system reliability.
  • Automatic failover mechanisms help minimize downtime in case of hardware or software failures.
| + +## Integrations + +| Category | Details | +| :---------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------ | +| Plugins & Extensibility |
  • Web: Extension system for adding custom functionality.
  • Server: Microservices architecture for modular and scalable server-side extensions
| + +## APIs + +| API | Description | +| :------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| WebDAV |
  • Standard file API for remote file transfer over HTTP/HTTPS using TUS for resumable, interruption-tolerant transfers.
| +| GraphAPI |
  • Microsoft Graph API for managing cloud storage and collaboration spaces.
| +| gRPC |
  • High-performance RPC framework for microservice communication.
| +| OCS |
  • API for programmatic file/folder sharing and management.
| +| OCM |
  • Open Cloud Mesh API for federated file and folder sharing between different file cloud platforms like Cernbox, ownCloud, Nextcloud or Seafile .
| +| SSE |
  • Server-sent event stream for real-time client notifications.
| +| WOPI |
  • Microsoft API for integrating Office apps with third-party storage, e.g., Collabora.
| +| KQL |
  • Keyword Query Language (KQL) is a search language to perform advanced searches by filtering and querying structured data, metadata, and documents efficiently.
| +| ICAP |
  • Network protocol for offloading content scanning (e.g., antivirus).
| diff --git a/versioned_docs/version-7.x/admin/features.md b/versioned_docs/version-7.x/admin/features.md new file mode 100644 index 000000000..1872ea1e6 --- /dev/null +++ b/versioned_docs/version-7.x/admin/features.md 
@@ -0,0 +1,435 @@
+---
+sidebar_position: 2
+id: features
+title: Features
+description: Features
+draft: false
+---
+
+## Key Features at a Glance
+
+- Seamless File Synchronization: Access your files across all devices.
+- Secure & Flexible File Sharing: Share files with granular roles, expiration dates, and password protection.
+- Spaces - Collaborative Team Folders: Ensure continuity even if team members leave.
+- Real-Time Collaboration: Work on documents simultaneously with Collabora Web Office.
+- Advanced Search & Organization: Use full-text search, tags, and filters for quick access.
+- Unlimited Storage & Uploads: No file size restrictions.
+- Privacy-First Design: Zero-Knowledge principle ensures admins can't access user content.
+- Cross-Client Availability: Works on Windows, Mac, Linux, Android, iOS, and Web.
+
+## File Management
+
+**Functions for storage, access and organization of files.**
+
+Full control over storage and access. Seamless operation across all devices.
+
+### Access from Anywhere
+
+Files and folders can be opened, synchronized, and shared from any location and device—via browser, desktop client (Windows, macOS, Linux), or mobile apps (iOS, Android).
+
+### Synchronization Across Devices
+
+Changes are synchronized automatically across all connected devices, in real time via the respective OpenCloud client.
+
+### Offline Access
+
+Users can mark files or folders for offline use to open and edit them without an internet connection. Changes are automatically synced once connectivity is restored.
+
+### Files On-Demand
+
+Files can be viewed directly in the device’s File Explorer and are stored efficiently, as they are only downloaded when needed. Large folder structures are immediately accessible without full synchronization, reducing network load and sync overhead. Available on Windows desktop operating systems and mobile clients.
+
+### Advanced Search
+
+Files can be found quickly—by title or full text. The search provides live suggestions and supports filtering by file type, modification date, tag, or storage location.
+
+### Favorites
+
+Mark frequently used files and folders for quick access. Favorites are stored server-side, collected on a dedicated Favorites page, and visible in file lists and search results.
+
+### Versioning and Recovery
+
+Every change is automatically saved as a version and can be restored at any time. Administrators can define how many versions to keep and the rules for deleting older versions.
+
+### No Limit on File Size, Count, or Type
+
+OpenCloud supports storing any number of files in any format and size.
+
+### Folders and Tags
+
+Files can be organized in hierarchical folder structures or with tags. Tags serve as a cross-project taxonomy, while folders typically represent team or project structures.
+
+### Open Files with Native Applications
+
+Files in OpenCloud can be opened directly with local programs, edited, and saved back—without manual exporting or importing. Files remain in their original OpenCloud location and keep their permissions, version history, etc.
+
+### Resuming Interrupted Uploads
+
+Uploads interrupted by connection issues are automatically resumed. Transfers use the TUS protocol (Resumable Uploads), ensuring even very large files can be uploaded without data loss.
+
+### Automatic Upload
+
+New or changed files are automatically uploaded as soon as a connection is available. Users and administrators can define which folders sync automatically, exclude certain file types, and configure parallel uploads. Transfers run in the background and adapt to connection quality and system resources.
+
+### Integration as a Network Drive
+
+OpenCloud can be integrated as a network drive in standard operating systems and behaves like a local drive. This uses WebDAV or the native desktop client.
+
+### Document Scanning via Camera
+
+Using the mobile app, documents can be captured with the camera, automatically cropped, and saved as PDFs in OpenCloud.
+
+### Unlimited Storage Space
+
+There are no system-side limits on the number or size of stored files. Available capacity depends on the deployed server or storage infrastructure.
+
+### Integrated Preview
+
+Documents, images, videos, and audio files can be viewed directly in the browser, desktop client, and mobile apps. Common formats are supported. On mobile devices, previews use native viewers or Collabora integration.
+
+### Personal Storage
+
+Each user has a private storage area visible only to them by default. Files can be organized, shared, or moved to Spaces from here—ensuring clear separation between personal and shared work areas.
+
+### Customizable Storage Limits (Quotas)
+
+Administrators can assign storage limits per user or Space to allocate storage efficiently.
+
+## Usability & User Experience
+
+**Simple and blazing fast to use for all user groups.**
+
+Intuitive usage without training. Accessibility for all users. Consistent, brand-compliant user experience.
+
+### Fast User Interface
+
+The application remains responsive even in folders with many files and avoids unnecessary page reloads. Asynchronous updates keep lists and detail views usable without interruptions.
+
+### Drag & Drop, Multi-Selection, Copy/Paste
+
+Files can be moved via drag & drop, multiple files can be selected at once, and actions like copy/paste can be performed using keyboard shortcuts—just like in a desktop file manager. Everyday file operations thus become faster and feel familiar.
+
+### Accessible User Interface
+
+The OpenCloud web interface is optimized according to the European Accessibility Act (EAA) and WCAG 2.1/BITV 2.0 guidelines for users with visual, motor, or cognitive impairments. It provides clear keyboard navigation, understandable labels, sufficient color contrast, and full screen-reader and focus support—helping organizations meet legal and procurement requirements.
+
+### Email Notifications
+
+Users receive email notifications about events such as new shares or membership changes in a Space.
+
+### Customizable View Modes
+
+Files can be displayed in list, tile, or compact views. Columns, visible elements, and items per page can be configured to keep large directories tidy.
+
+### Color Scheme Selection
+
+Users can switch between light and dark modes to improve readability under different lighting conditions and reduce eye strain.
+
+### Responsive Design
+
+The interface adjusts automatically to screen sizes from smartphones to 8K monitors. Navigation and file views remain fully usable without separate desktop or mobile apps.
+
+### Consistent Look & Feel
+
+Web, desktop, and mobile apps follow a unified interaction concept. Consistent navigation patterns and icons reduce onboarding time and user errors.
+
+### Individual Branding
+
+Administrators can create or customize design themes, including color palettes, logos, backgrounds, and UI elements. A fully accessible theme can be automatically generated from a single corporate color or defined manually. This allows OpenCloud to seamlessly match an organization’s corporate design.
+
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+## Collaboration & Productivity
+
+**Collaborative work in real time and structured team organization:** Real-time collaboration without additional software. Structured workflows and a unified work environment.
+
+### Workspaces for Teams and Projects (“Spaces”)
+
+Spaces are independent work areas that go beyond simple folders. They bundle files, permissions, and responsibilities for projects or departments and can be managed separately—with dedicated owners, rules, and storage limits. This creates a clear separation between personal storage, team/project files, and organization-wide content.
+
+### Delegated Space Administration
+
+Project or team leads can manage individual Spaces without requiring global admin rights. Member and permission management can thus be decentralized.
+
+### Internal Sharing
+
+Files and folders can be shared with users or groups within the organization. Access rights such as read, edit, or upload can be precisely controlled to ensure secure collaboration.
+
+### External Sharing
+
+Content can be shared securely with customers, service providers, suppliers, or authorities via password-protected links or guest accounts (soon).
+
+### Federation – Sharing Across Sites or Organizations
+
+Enables secure collaboration between multiple OpenCloud instances, e.g., across branches or subsidiaries. Files are shared directly across servers without creating duplicates. Authentication and access rights are centrally managed.
+
+### Web Office
+
+Through Collabora Online integration, office documents can be opened and collaboratively edited directly within the web interface—without local installation. Users can comment, co-edit in real time, and rely on full compatibility with Microsoft Office and OpenDocument formats.
+
+### Real-Time Editing
+
+Multiple users can work on the same files simultaneously. Changes sync immediately, and automatic locking mechanisms prevent version conflicts—ensuring smooth co-editing.
+
+### Calendar and Contacts
+
+Integration with CalDAV and CardDAV enables teams to manage shared calendars and contact lists directly in OpenCloud. Appointments and deadlines can be linked to files, and shared contacts can be centrally maintained. Compatible with Apple Calendar, Outlook, Thunderbird, Evolution, and others. Note that this feature is not Supported in the enterprise licence.
+
+## Compliance & Data Protection
+
+**Protects data and fulfills all legal requirements.**
+
+Maximum data security and transparent processing. Trusted for regulated industries.
+
+### Zero-Knowledge Principle
+
+Administrators can manage Spaces (e.g., cleanup, quota changes) but cannot access its content. This ensures full confidentiality: even admins cannot view user data.
+
+### Compliance with Data Protection and Security Policies
+
+OpenCloud meets key international standards such as GDPR, ISO 27001, CCPA, HIPAA, FERPA, SOC 2, and CRA through features like encryption, audit logs, and access controls. Actual certifiability depends on the operational model: self-hosted deployments fall under the operator’s responsibility, while the enterprise Licence follows auditable, policy-compliant processes. OpenCloud integrates with existing compliance or GRC systems and provides exportable audit data.
+
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### §20 GDPR Personal Data Export
+
+Includes features that support GDPR compliance (e.g., personal data export according to §20 GDPR.).
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### S3 Server-Side Encryption
+
+Files can be encrypted automatically on S3 storage. The key resides on the server and protects against physical access or unauthorized access to drives or backups. Combined with TLS in transit, this provides consistent security but does not prevent admin-level access inside the application (unlike end-to-end encryption).
+
+### Metadata Encryption
+
+Sensitive metadata such as file names or tags can also be stored encrypted, preventing third parties from inferring content based on file structure or names.
+
+### Ransomware Protection
+
+Files encrypted by an infected user can be restored to their pre-attack state, keeping data safe and available.
+
+### Audit Logs and Change Tracking
+
+All security-relevant actions—uploads, shares, deletions, login attempts—are logged. File and metadata changes can be traced down to user level for full transparency.
+
+### Virus Protection
+
+Incoming and synchronized files are scanned automatically for malware. OpenCloud uses ICAP interfaces (e.g., for ClamAV, Sophos, Kaspersky) and integrates with existing security gateways.
+
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### File Firewall
+
+Prevents unsafe file uploads by blocking defined file types (e.g., executables, macros). Admins centrally manage allow/deny lists and apply them to users and Spaces.
+
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Protected Preview with Watermarks
+
+Documents can be displayed with dynamic watermarks to deter screenshots or unauthorized sharing. Watermarks may include username, timestamp, or organization ID for traceability. Based on “Secure View” using Collabora or OnlyOffice.
+
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+## Identity and Access Management (IAM)
+
+**Central, secure management of users, roles, and permissions.**
+
+Centralized user and group management. Secure access across organizational boundaries. Integration with existing identity systems.
+
+### Password Policies and Generator
+
+Enforces strong passwords with rules for complexity and expiration. A “Banned Password List” blocks weak patterns (e.g., “Password123”). An integrated generator creates compliant passwords.
+
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Two-Factor Authentication (2FA/MFA)
+
+Adds a second authentication factor beyond the password. Enforced via the connected identity provider (e.g., Keycloak). Supports TOTP, push notifications, and FIDO2/U2F tokens.
+
+### Role-Based Access Control (RBAC)
+
+User rights are assigned centrally via roles reflecting the organizational structure. RBAC simplifies management in complex environments and enables fine-grained control (e.g., link creation rules, password enforcement, preset expiration dates).
+
+### Biometric Unlock (Touch & Face ID)
+
+The mobile app can be unlocked using fingerprint or facial recognition, improving security.
+
+### Multiple Accounts per Client
+
+Users can use multiple accounts in parallel on desktop and mobile clients, making it easy to switch between work, tenant, and private contexts.
+
+### LDAP
+
+OpenCloud supports LDAP systems such as OpenLDAP, FreeIPA, or Univention Directory via secure bindings with filter support.
+
+### Active Directory
+
+The enterprise Licence supports integration with Microsoft Active Directory and Azure Entra ID, including optional managed connectivity for paying customers.
+
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Single Sign-On (SSO)
+
+Users log in with their central company account. Supported protocols include OpenID Connect, LDAP, SAML 2.0, and OAuth 2.0.
+
+### External Identity Providers (IdP)
+
+OpenCloud integrates with leading IdPs such as Keycloak, Azure AD, EntraID, or ADFS—ideal for environments with existing directory infrastructures.
+
+### Share Links
+
+Content can be shared externally via link, optionally protected with a password and expiration date. Links are quick and simple but offer limited traceability compared to guest accounts.
+
+### Guest Accounts (soon)
+
+External users receive personal, password-protected accounts. Their access is fully attributable and auditable, with policies for expiration, 2FA/MFA, and individual revocation—ideal for compliance-sensitive use cases.
+
+### Session Management
+
+Administrators can monitor, terminate, or limit user sessions to prevent unauthorized access, especially on shared or remote devices.
+
+## Operation & Deployment
+
+**Reliable, scalable, and professional operation.**
+
+High stability, minimal downtime, secure deployment, and scalable architecture.
+
+### Snapshots and Backups
+
+Automated snapshots enable restoring whole instances or individual user areas. Backups can be scheduled and stored locally or externally. Because metadata is stored directly with the files, elements such as versions and tags remain intact during restores or migrations—without dependency on database states.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Security Advisories
+
+Enterprise Licence customers receive early security notifications about new vulnerabilities, including risk assessments and scheduled patch plans.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Kubernetes Deployment
+
+OpenCloud can be deployed as containerized microservices in Kubernetes clusters using Helm charts for installation, scaling, and upgrades. Automated orchestration enables load balancing, self-healing, zero-downtime deployments, and dynamic scaling.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Scalable Enterprise Storage Systems
+
+Integrates storage systems like CephFS, GPFS (IBM Spectrum Scale), or S3-compatible backends to support petabyte-scale volumes with high performance and redundancy.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Performance and Load Optimization
+
+Optimized for scalability and speed through parallel transfers and distributed I/O. Monitoring with Prometheus and Grafana enables continuous analysis and scaling.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Multi-Tenancy
+
+Multiple organizational units can be hosted on the same instance—ideal for corporations, public authorities, or service providers.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Metadata Stored in Files
+
+All metadata, including tags and version information, is stored securely within the system and remains consistent across storage environments.
+
+### High Availability and Failover
+
+Redundant nodes can take over operations automatically in case of component failure, preventing downtime.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Long-Term Support (LTS)
+
+Enterprise customers receive long-term supported versions with security updates and bug fixes—suitable for critical and compliance-sensitive environments.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Installation and Security Check
+
+Before deployment or upgrades, OpenCloud runs configuration and security checks and provides an assessment with recommendations.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Mass Rollouts
+
+Clients can be preconfigured with a server address for simplified mass deployment, reducing helpdesk requests.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Guaranteed Upgrade Support
+
+Supports smooth upgrades across major and minor versions with migration paths for data and accounts. The enterprise Licence provides validated scripts, compatibility checks, and rollback options.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Service Level Agreements (SLA)
+
+The Enterprise Licence includes SLAs with defined response and resolution times, priority support, escalation management, and security notifications—ensuring professional operation.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### On-Demand Support
+
+During planned changes or upgrades, an OpenCloud engineer is available live for immediate troubleshooting and guidance.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Air-Gapped Operation
+
+OpenCloud can run in isolated networks without internet access. Installation, updates, and extensions occur via internal repositories or offline media. External integrations (e.g., Web Office) can also be hosted on-premises to keep all data within the isolated environment.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+## Integrations & Interfaces
+
+**Open APIs and extensions for seamless integration and automation.**
+
+Third-party extensibility and custom development. Open architecture for automation and data exchange.
+
+### Plugin Architecture
+
+OpenCloud’s functionality can be extended or customized. The documented developer interface offers hooks, events, and a modular framework for server-side extensions.
+
+### Client SDKs
+
+SDKs for Desktop, Mobile, and Web encapsulate OpenCloud’s server interfaces, allowing developers to build client-side applications or integrations without implementing API calls manually. Supported languages include Objective-C, TypeScript, PHP, Go, and C++.
+
+### Headless and Microservices Architecture
+
+OpenCloud uses a modern headless architecture that separates UI from backend services. Individual services can be operated, scaled, or developed independently.
+
+### File and Collaboration APIs
+
+OpenCloud supports WebDAV for file access and sync, WOPI for office integration, OCS for user and app communication, and OCM for federated sharing across compatible systems.
+
+### Native REST API
+
+Provides automation-friendly access to nearly all OpenCloud features—user and rights management, file operations, integration into external systems, and more.
+
+### Federation API
+
+Allows connecting multiple OpenCloud or compatible platforms (e.g., Nextcloud, ownCloud).
+
+### GraphAPI
+
+Used for communication between clients and the server, inspired by Microsoft Graph.
+
+### Security, Compliance, and Monitoring APIs
+
+The Enterprise Licence includes extended APIs for security checks, compliance monitoring, and real-time reporting. ICAP enables external antivirus/DLP integration, KQL supports compliance data analysis, and SSE provides live notifications and monitoring.
+:::info supported within the [enterprise licence](https://opencloud.eu/en/product/service-and-support)
+:::
+
+### Custom File Types
+
+Admins and developers can define custom file types and metadata structures to adapt OpenCloud to industry-specific needs (e.g., medical, legal, industrial). Managed via the plugin system and REST APIs.
diff --git a/versioned_docs/version-7.x/admin/getting-started/_category_.json b/versioned_docs/version-7.x/admin/getting-started/_category_.json
new file mode 100644
index 000000000..4bd4025bc
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Getting Started",
+ "position": 4
+}
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/_category_.json b/versioned_docs/version-7.x/admin/getting-started/container/_category_.json
new file mode 100644
index 000000000..df36e478c
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Container",
+ "position": 2,
+ "link": {
+ "type": "doc",
+ "id": "admin-getting-started-container"
+ }
+}
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/_category_.json b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/_category_.json
new file mode 100644
index 000000000..1f12f757c
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/_category_.json
@@ -0,0 +1,9 @@
+{
+ "label": "Docker Compose",
+ "position": 1,
+ "description": "Deploy OpenCloud using Docker Compose with Traefik or an external reverse proxy",
+ "link": {
+ "type": "doc",
+ "id": "docker-compose-overview"
+ }
+}
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/docker-compose-base.md b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/docker-compose-base.md
new file mode 100644
index 000000000..027b3c115
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/docker-compose-base.md
@@ -0,0 +1,288 @@
+---
+sidebar_position: 1
+id: docker-compose-base
+title: Default Setup with Traefik
+description: Full-blown featureset including web office.
+draft: false
+---
+
+# OpenCloud with Docker Compose + Integrated Traefik
+
+Install an internet-facing OpenCloud instance with automatic SSL certificates using Docker Compose's integrated Traefik reverse proxy.
+
+This is the recommended deployment path for most new OpenCloud installations. Traefik automatically manages Let's Encrypt SSL certificates, eliminating the need to manage a separate reverse proxy.
+
+This installation guide is written for Ubuntu and Debian systems. The software can also be installed on other Linux distributions, but commands and package managers may differ.
+
+:::note Not using Traefik?
+If you already have an external reverse proxy (Nginx, HAProxy, etc.) or prefer to manage it separately, see [Deploy Behind External Proxy](./docker-external-proxy.md) instead.
+:::
+
+## Prerequisites
+
+- Four domains pointing to your server:
+ - `cloud.YOUR.DOMAIN` → OpenCloud frontend
+ - `collabora.YOUR.DOMAIN` → Collabora Online Server
+ - `wopiserver.YOUR.DOMAIN` → WOPI server for document editing
+ - `traefik.YOUR.DOMAIN` → Traefik dashboard
+
+ Alternatively, you can use a wildcard domain (`*.YOUR.DOMAIN`)
+
+- A hosted server (e.g., Hetzner, AWS, or your own VPS) with Linux and SSH access
+
+## Connect to Your Server
+
+Log into your server via SSH:
+
+```bash
+ssh root@YOUR.SERVER.IP
+```
+
+## Install Docker
+
+Update your system and install Docker.
+
+First, perform an update and upgrade:
+
+```bash
+apt update && apt upgrade -y
+```
+
+Install Docker following the [official Docker guide](https://docs.docker.com/engine/install/ubuntu/#install-using-the-repository)
+
+Once Docker is installed, enable and start the service:
+
+```bash
+systemctl enable docker && systemctl start docker
+```
+
+## Clone the OpenCloud Repository
+
+Download the necessary configuration files:
+
+```bash
+git clone https://github.com/opencloud-eu/opencloud-compose.git
+```
+
+## Configure the .env File for Staging Certificates
+
+Before requesting real SSL certificates, it is recommended to test the setup using Let's Encrypt's staging environment.
+
+### Navigate to the OpenCloud configuration folder
+
+```bash
+cd opencloud-compose
+```
+
+### Create environment file
+
+```bash
+cp .env.example .env
+```
+
+:::note
+The repository includes .env.example as a template with default settings and documentation. Your actual .env file is excluded from version control (via .gitignore) to prevent accidentally committing sensitive information like passwords and domain-specific settings.
+:::
+
+## Modify these settings
+
+### Edit the `.env` file with the editor of your choice
+
+In our example we use nano
+
+```bash
+nano .env
+```
+
+### Disable insecure mode
+
+```bash
+# INSECURE=true
+```
+
+### Set your domain names
+
+```bash
+TRAEFIK_DOMAIN=traefik.YOUR.DOMAIN
+OC_DOMAIN=cloud.YOUR.DOMAIN
+COLLABORA_DOMAIN=collabora.YOUR.DOMAIN
+WOPISERVER_DOMAIN=wopiserver.YOUR.DOMAIN
+```
+
+### Set your admin password
+
+```bash
+INITIAL_ADMIN_PASSWORD=YourSecurePassword
+```
+
+### Set your email for SSL certification
+
+```bash
+TRAEFIK_ACME_MAIL=your@email.com
+```
+
+### Use Let's Encrypt staging certificates (for testing)
+
+```bash
+TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory
+```
+
+### Set the deployment option
+
+Set the `COMPOSE_FILE` variable based on the components you want to deploy.
+
+For an OpenCloud deployment without Collabora, use:
+
+```bash
+COMPOSE_FILE=docker-compose.yml:traefik/opencloud.yml
+```
+
+To deploy OpenCloud with Collabora, use:
+
+```bash
+COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:traefik/opencloud.yml:traefik/collabora.yml:radicale/radicale.yml
+```
+
+Save the file and exit the editor.
+
+## Start OpenCloud
+
+Launch OpenCloud using Docker Compose:
+
+```bash
+docker compose up -d
+```
+
+This will start all required services in the background.
+
+## Verify TLS Certificates
+
+After starting OpenCloud, verify that SSL certificates were issued correctly and switch from staging to production certificates when ready.
+
+### Verify Staging Certificates
+
+By default, the setup uses Let's Encrypt staging certificates for testing. These are not trusted by browsers but prove that the DNS and certificate generation workflow is correct.
+
+Open the following URL:
+
+```bash
+https://cloud.YOUR.DOMAIN
+```
+
+Because the setup currently uses Let's Encrypt staging certificates, your browser will show a security warning. This is expected and normal for the staging environment.
+
+The same warning may appear for the other configured domains.
+
+### Example in Chrome
+
+Click on the lock icon to view certificate details:
+
+Certificate Details
+
+Expand the certificate information to confirm it was issued by "Let's Encrypt Staging":
+
+Certificate Details
+
+Certificate Details Subordinate CA
+
+:::success Staging Certificate Success
+If you see "Let's Encrypt Staging" as the issuer, the certificate generation is working correctly. You can now safely switch to production certificates.
+:::
+
+## Switch to Production Certificates
+
+Once the staging certificate works correctly, you can switch to production SSL certificates from Let's Encrypt.
+
+### Stop Docker Compose
+
+```bash
+docker compose down
+```
+
+### Remove old staging certificates
+
+Delete the previously generated staging certificates:
+
+```bash
+rm -r certs
+```
+
+:::warning
+If you changed volume names or paths in your `.env` file, adjust this command to match your certificate directory.
+:::
+
+### Disable staging mode in `.env`
+
+Open the environment file:
+
+```bash
+nano .env
+```
+
+Comment out or remove the staging server line:
+
+```bash
+# TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory
+```
+
+Save the file.
+
+### Restart OpenCloud with production certificates
+
+Start the containers again:
+
+```bash
+docker compose up -d
+```
+
+Traefik will now request trusted production certificates from Let's Encrypt.
+
+### Wait for certificate generation
+
+Certificate generation may take a few moments. Check the logs:
+
+```bash
+docker compose logs traefik
+```
+
+Look for messages indicating successful certificate generation.
+
+### Verify production certificates
+
+After a short moment, visiting your domain should show a secure HTTPS connection:
+
+Secure Connection
+
+The lock icon should show "Secure" (green lock) with "Let's Encrypt Authority X3" or similar as the issuer.
+
+## Log into OpenCloud
+
+Once certificates are verified:
+
+1. Open your domain in a browser:
+
+```bash
+https://cloud.YOUR.DOMAIN
+```
+
+2. Log in with your admin credentials:
+ - Username: `admin`
+ - Password: (the password you configured in the `.env` file)
+
+OpenCloud Login
+
+## Further Configuration
+
+- [Volume Permissions](./volume-permissions.md) – Ownership, UID/GID mapping, and bind-mount permissions
+- [Production Setup Considerations](./production-considerations.md) – Persistent storage, backups, and production best practices
+- [Configure Keycloak](./keycloak-deployment.md) (optional) – Add Keycloak for enterprise identity management
+- [Configure Authentication](../../../configuration/authentication-and-user-management/) – User management and identity provider integration
+
+## Troubleshooting
+
+If you encounter issues:
+
+1. Check Docker logs: `docker compose logs`
+2. Verify domain DNS records point to your server
+3. Ensure firewall allows HTTP (80) and HTTPS (443)
+4. See [Common Issues & Help](../../../resources/common-issues.md)
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/docker-external-proxy.md b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/docker-external-proxy.md
new file mode 100644
index 000000000..9bf05a23f
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/docker-external-proxy.md
@@ -0,0 +1,293 @@
+---
+sidebar_position: 3
+id: external-proxy
+title: Behind External Proxy
+description: How to run OpenCloud behind an external Nginx proxy with Certbot (manual setup).
+draft: false
+---
+
+# Running OpenCloud Behind an External Proxy (Nginx + Certbot Setup)
+
+This guide walks you through setting up OpenCloud behind an external Nginx reverse proxy with Let's Encrypt certificates using `certbot certonly --webroot`.
+
+:::note Using Traefik Instead?
+If you don't have an existing reverse proxy or prefer to let Traefik manage certificates automatically, see [Docker Compose with Integrated Traefik](./docker-compose-base.md) instead.
+:::
+
+## Requirements
+
+- A public server with a static IP
+- Proper DNS records for your domain:
+ - `cloud.YOUR.DOMAIN`
+ - `collabora.YOUR.DOMAIN`
+ - `wopiserver.YOUR.DOMAIN`
+- Installed software:
+ - [Docker & Docker Compose](https://docs.docker.com/engine/install/)
+ - `nginx`
+ - `certbot`
+
+## Connect to Your Server
+
+Log into your server via SSH:
+
+```bash
+ssh root@YOUR.SERVER.IP
+```
+
+## Install Docker
+
+Update your system and install Docker.
+
+## Install Nginx & Certbot
+
+Now install Nginx & Certbot
+
+## Create a Webroot Directory for Certbot
+
+```bash
+sudo mkdir -p /var/www/certbot
+sudo chown -R www-data:www-data /var/www/certbot
+```
+
+## Temporary Nginx Config for HTTP Challenge
+
+Create a temporary config to allow HTTP validation:
+
+```bash
+sudo nano /etc/nginx/sites-available/certbot-challenge
+```
+
+Paste the following config and adjust the URLs:
+
+```nginx
+server {
+ listen 80;
+ server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN;
+
+ root /var/www/certbot;
+
+ location /.well-known/acme-challenge/ {
+ allow all;
+ try_files $uri =404;
+ }
+}
+```
+
+Enable and reload Nginx:
+
+```bash
+sudo ln -s /etc/nginx/sites-available/certbot-challenge /etc/nginx/sites-enabled/
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+## Obtain SSL Certificates
+
+Use `certbot` to get your TLS certificates with adjusted URLs:
+
+```bash
+sudo certbot certonly --webroot \
+ -w /var/www/certbot \
+ -d cloud.YOUR.DOMAIN \
+ -d collabora.YOUR.DOMAIN \
+ -d wopiserver.YOUR.DOMAIN \
+ --email your@email.com \
+ --agree-tos \
+ --no-eff-email
+```
+
+Your certificates will be saved under:
+
+- `/etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem`
+- `/etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem`
+
+## Configure and start OpenCloud
+
+Clone the OpenCloud Compose repo and set your environment:
+
+```bash
+git clone https://github.com/opencloud-eu/opencloud-compose.git
+cd opencloud-compose
+cp .env.example .env
+nano .env
+```
+
+Set the following environment variables:
+
+```env
+# INSECURE=true
+
+COMPOSE_FILE=docker-compose.yml:weboffice/collabora.yml:external-proxy/opencloud.yml:external-proxy/collabora.yml
+
+OC_DOMAIN=cloud.YOUR.DOMAIN
+
+INITIAL_ADMIN_PASSWORD=YOUR.SECRET.PASSWORD
+
+COLLABORA_DOMAIN=collabora.YOUR.DOMAIN
+
+WOPISERVER_DOMAIN=wopiserver.YOUR.DOMAIN
+```
+
+The initial Admin password is mandatory for security reasons.
+
+Start the docker compose setup
+
+```bash
+docker compose up -d
+```
+
+## Further Configuration
+
+For production deployments, review [Production Considerations](./production-considerations.md) for:
+
+- Persistent volumes and data recovery
+- Using the appropriate stable branch
+- Permission and ownership best practices
+
+## Set Up the Final Nginx Reverse Proxy
+
+### Remove the temporary certbot config
+
+```bash
+sudo rm /etc/nginx/sites-enabled/certbot-challenge
+```
+
+### Create a new proxy config
+
+```bash
+sudo nano /etc/nginx/sites-available/opencloud
+```
+
+Paste the following configuration and adjust the URLs:
+
+```nginx
+# Redirect HTTP to HTTPS
+server {
+ listen 80;
+ server_name cloud.YOUR.DOMAIN collabora.YOUR.DOMAIN wopiserver.YOUR.DOMAIN;
+
+ location /.well-known/acme-challenge/ {
+ root /var/www/certbot;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
+
+# OpenCloud
+server {
+ listen 443 ssl http2;
+ server_name cloud.YOUR.DOMAIN;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ # Increase max upload size (required for Tus — without this, uploads over 1 MB fail)
+ client_max_body_size 10M;
+
+ # Disable buffering - essential for SSE
+ proxy_buffering off;
+ proxy_request_buffering off;
+
+ # Extend timeouts for long connections
+ proxy_read_timeout 3600s;
+ proxy_send_timeout 3600s;
+ keepalive_requests 100000;
+ keepalive_timeout 5m;
+ http2_max_concurrent_streams 512;
+
+ # Prevent nginx from trying other upstreams
+ proxy_next_upstream off;
+
+ location / {
+ proxy_pass http://127.0.0.1:9200;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+
+# Collabora
+server {
+ listen 443 ssl 
http2;
+ server_name collabora.YOUR.DOMAIN;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ # Increase max upload size to collabora editor
+ client_max_body_size 10M;
+
+ location / {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ location ~ ^/cool/(.*)/ws$ {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ }
+
+}
+
+# WOPI Server
+server {
+ listen 443 ssl http2;
+ server_name wopiserver.YOUR.DOMAIN;
+
+ ssl_certificate /etc/letsencrypt/live/cloud.YOUR.DOMAIN/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/cloud.YOUR.DOMAIN/privkey.pem;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+
+ location / {
+ proxy_pass http://127.0.0.1:9300;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+}
+```
+
+:::info Version Differences
+Starting from nginx 1.25.0, the `http2` directive syntax changed from: `listen 443 ssl http2;` to `listen 443 ssl; http2 on;`
+:::
+
+:::note
+We enabled HTTP/2 and increased keep-alive limits to prevent large syncs from failing and ensure stable client connections, since nginx closes connections after ~1,000 requests by default.
+:::
+
+Thanks to [mitexleo](https://github.com/mitexleo) for the Ngnix example configuration on GitHub and [zerox80](https://github.com/zerox80) for the adjustments
+
+Enable and reload Nginx:
+
+```bash
+sudo ln -s /etc/nginx/sites-available/opencloud /etc/nginx/sites-enabled/
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+## Test Certificate Renewal
+
+```bash
+sudo certbot renew --dry-run
+```
+
+Your OpenCloud instance is now running securely behind a fully configured external Nginx reverse proxy with HTTPS.
+
+## Timeout Considerations
+
+When using a reverse proxy other than the documented Nginx example, make sure that request and response timeouts are configured for long-running uploads.
+
+Slow uploads or large file uploads can take longer than the default timeout of some reverse proxies. If the timeout is too low, uploads may fail with `502 Bad Gateway` after about 60 seconds.
+
+For custom reverse proxy setups, configure the equivalent of the relevant Nginx options, such as:
+
+- `proxy_read_timeout`
+- `proxy_send_timeout`
+- `proxy_request_buffering off`
+- `proxy_buffering off`
+
+The exact option names depend on the reverse proxy in use.
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/index.md b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/index.md
new file mode 100644
index 000000000..ae32f49c0
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/index.md
@@ -0,0 +1,46 @@
+---
+sidebar_position: 1
+id: docker-compose-overview
+title: Docker Compose Overview
+description: Choose your Docker Compose deployment architecture for OpenCloud
+---
+
+# Docker Compose Deployment
+
+This section guides you through deploying OpenCloud using Docker Compose. We support two main deployment architectures, suitable for different infrastructure scenarios.
+
+## Choose Your Deployment Path
+
+### 1. Integrated Traefik (Recommended for most users)
+
+Use the built-in Traefik reverse proxy and automatic Let's Encrypt SSL certificates. This is the standard, recommended path for new deployments.
+
+Best for:
+
+- Standalone servers
+- No existing reverse proxy infrastructure
+- Simple, self-contained setup
+
+[Get Started with Integrated Traefik →](./docker-compose-base.md)
+
+### 2. Behind External Proxy
+
+Use this setup if you want to run OpenCloud behind your own reverse proxy instead of the integrated Traefik setup.
+
+The guide includes the required OpenCloud settings and an example Nginx configuration.
+
+Best for:
+
+- Existing reverse proxy environments
+- Custom TLS handling
+- Separate proxy management
+
+[Deploy Behind External Proxy →](./docker-external-proxy.md)
+
+## Further Configuration
+
+After choosing and completing your deployment:
+
+- [Production Setup Considerations](./production-considerations.md) – Persistent storage, backups, image versions
+- [Verify TLS Certificates](./docker-compose-base.md#verify-tls-certificates) – Validate your SSL setup
+- [Configure Authentication](../../../configuration/authentication-and-user-management/) – Users, authentication, and optional Keycloak integration
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/keycloak-deployment.md b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/keycloak-deployment.md
new file mode 100644
index 000000000..a5af53dc1
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/keycloak-deployment.md 
@@ -0,0 +1,151 @@
+---
+sidebar_position: 6
+id: docker-compose-keycloak-deployment
+title: Keycloak Integration
+description: Add Keycloak identity management to your Docker Compose OpenCloud deployment
+draft: false
+---
+
+# Keycloak Integration with Docker Compose
+
+This guide explains how to enable Keycloak as an identity provider (IdP) for your Docker Compose OpenCloud deployment. This provides enterprise-grade user and access management.
+
+:::note
+This page covers deployment setup only. For detailed Keycloak configuration, user management, and integration patterns, see the [Keycloak Configuration Guide](../../../configuration/authentication-and-user-management/keycloak.md).
+:::
+
+## Prerequisites
+
+- An existing OpenCloud Docker Compose deployment
+- Understanding of [Keycloak as an identity provider](../../../configuration/authentication-and-user-management/keycloak.md)
+
+## Enable Keycloak in `.env`
+
+Edit your environment configuration file:
+
+```bash
+cd opencloud-compose
+nano .env
+```
+
+Add or uncomment the following lines to enable Keycloak with integrated LDAP:
+
+```bash
+# Enable Keycloak + LDAP services
+COMPOSE_FILE=docker-compose.yml:idm/ldap-keycloak.yml:traefik/opencloud.yml:traefik/ldap-keycloak.yml
+
+# Keycloak domain (without https://)
+KEYCLOAK_DOMAIN=keycloak.YOUR.DOMAIN
+
+# Keycloak admin credentials
+KEYCLOAK_ADMIN=admin
+KEYCLOAK_ADMIN_PASSWORD=ChangeMeToASecurePassword
+```
+
+### Available Docker Compose configurations
+
+The `opencloud-compose` repository provides several idm (Identity Management) options:
+
+| Configuration | Use Case |
+| ----------------------- | -------------------------------------------------------------- |
+| `idm/ldap-keycloak.yml` | Keycloak with integrated OpenLDAP (recommended for new setups) |
+| `idm/keycloak.yml` | Keycloak standalone without LDAP |
+| `idm/openldap.yml` | OpenLDAP only (for external IdP integration) |
+
+Choose the configuration that matches your authentication 
infrastructure.
+
+## Start OpenCloud with Keycloak
+
+After updating `.env`, start the deployment:
+
+```bash
+docker compose up -d
+```
+
+Docker will pull and start the Keycloak container along with OpenCloud services.
+
+### Wait for services to initialize
+
+Keycloak may take a minute or two to start. Monitor the logs:
+
+```bash
+docker compose logs keycloak
+```
+
+Look for messages indicating Keycloak is ready to accept connections.
+
+## Access Keycloak
+
+Once running, access the Keycloak admin console:
+
+```bash
+https://keycloak.YOUR.DOMAIN
+```
+
+Log in with the credentials you set in `.env`:
+
+- Username: `admin` (or your `KEYCLOAK_ADMIN` value)
+- Password: Your `KEYCLOAK_ADMIN_PASSWORD`
+
+## Next Steps
+
+### 1. Configure Keycloak for OpenCloud
+
+The Docker Compose setup auto-imports a base configuration for OpenCloud via `keycloak-realm.dist.json`. However, you'll likely need to:
+
+- Create users and assign roles
+- Configure authentication flows
+- Set up LDAP federation (if using `ldap-keycloak.yml`)
+- Configure OIDC client settings
+
+See [Keycloak Configuration & Integration Guide](../../../configuration/authentication-and-user-management/keycloak.md) for detailed instructions.
+
+### 2. Create Users in Keycloak
+
+Follow the guide [Adding Users with Keycloak](../../../configuration/authentication-and-user-management/keycloak-user.md) to:
+
+- Assign admin roles
+- Create users with standard or guest permissions
+- Enable self-registration
+
+### 3. Update OpenCloud Configuration
+
+Configure OpenCloud to use Keycloak as the identity provider. This typically involves setting OIDC-related environment variables. See the [Keycloak Integration documentation](../../../configuration/authentication-and-user-management/keycloak.md) for details.
+
+## Troubleshooting
+
+### Keycloak won't start
+
+Check container logs:
+
+```bash
+docker compose logs keycloak
+```
+
+Common issues:
+
+- Insufficient disk space or memory
+- Port conflicts (Keycloak uses port 8080 internally)
+- Database connection issues
+
+### Can't access Keycloak admin console
+
+Verify:
+
+1. The domain `keycloak.YOUR.DOMAIN` resolves to your server
+2. Traefik has successfully assigned SSL certificates (check via `docker compose logs traefik`)
+3. Keycloak container is running: `docker compose ps keycloak`
+
+### LDAP federation issues
+
+If using `idm/ldap-keycloak.yml`:
+
+1. Verify OpenLDAP is running: `docker compose ps openldap`
+2. Check Keycloak logs for LDAP connection errors
+3. Verify LDAP user federation is configured correctly in Keycloak admin console
+
+## See Also
+
+- [Full Keycloak Integration Guide](../../../configuration/authentication-and-user-management/keycloak.md) – Configuration, modes, and advanced setup
+- [User Management with Keycloak](../../../configuration/authentication-and-user-management/keycloak-user.md) – Creating users and managing roles
+- [Production Considerations](./production-considerations.md) – Backup and production best practices
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/production-considerations.md b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/production-considerations.md
new file mode 100644
index 000000000..efe7f30ad
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/production-considerations.md
@@ -0,0 +1,84 @@
+---
+sidebar_position: 4
+id: docker-compose-production-considerations
+title: Production Considerations
+description: Best practices and recommendations for production OpenCloud deployments with Docker Compose
+---
+
+# Production Setup Considerations
+
+This guide outlines essential best practices and configurations for running OpenCloud in a production environment with Docker Compose.
+
+:::caution Production Setup Recommended
+By default, OpenCloud stores configuration and data inside internal Docker volumes.
+This works fine for local development or quick evaluations — but is not suitable for production environments.
+:::
+
+## Mount Persistent Volumes
+
+For production deployments, you should mount persistent local directories for configuration and data. This ensures:
+
+- Data durability – Configuration and data persist across container restarts
+- Easier backups and recovery – Access files directly from the host
+- Full control over storage location and permissions – Meet organizational compliance requirements
+
+### Update your `.env` file with custom paths
+
+Edit your environment configuration to specify local mount points:
+
+```bash
+nano .env
+```
+
+Add or uncomment these variables:
+
+```bash
+OC_CONFIG_DIR=/your/local/path/opencloud/config
+OC_DATA_DIR=/your/local/path/opencloud/data
+```
+
+Replace `/your/local/path/opencloud` with your desired location (e.g., `/opt/opencloud` or `/mnt/data/opencloud`).
+
+### Ensure proper folder ownership and permissions
+
+Create the directories and set correct ownership for the container user (UID/GID 1000:1000 by default):
+
+```bash
+sudo mkdir -p /your/local/path/opencloud/{config,data}
+sudo chown -R 1000:1000 /your/local/path/opencloud
+sudo chmod -R 0700 /your/local/path/opencloud
+```
+
+If these variables are not set, Docker will use internal volumes. These volumes may be removed when containers are deleted, which means your configuration and data may be lost. 
This setup is therefore not recommended for production use.
+
+:::caution Security Warning
+
+The user with UID 1000 on your host system will have full access to these mounted directories. This means that any local user account with this ID can read, modify, or delete OpenCloud config and data files.
+
+This can pose a security risk in shared or multi-user environments. Make sure to implement proper user and permission management and consider isolating access to these directories.
+
+For more details on volume permissions, see [Volume Permissions and UID/GID Management](./volume-permissions.md).
+
+:::
+
+## Use the appropriate repository branch
+
+By default, the `main` branch of the `opencloud-compose` repository tracks the rolling release.
+
+For production deployments, use the current `stable-*` branch instead, for example:
+
+```bash
+git checkout stable-4.0
+```
+
+Stable branch names change over time as new stable releases become available. Moving from one stable-\* branch to another is an update and should be handled accordingly.
+
+## Backup and Recovery Strategy
+
+With persistent volumes in place, you should implement a backup and recovery strategy for your OpenCloud deployment:
+
+- Regular backups of `OC_CONFIG_DIR` and `OC_DATA_DIR`
+- Off-site or remote storage for disaster recovery
+- Regular verification and testing of restore procedures
+
+For detailed backup guidance, see the [Backup documentation](../../../maintenance/backup.md).
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/volume-permissions.md b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/volume-permissions.md
new file mode 100644
index 000000000..25f240565
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker-compose/volume-permissions.md
@@ -0,0 +1,111 @@
+---
+sidebar_position: 7
+id: docker-compose-volume-permissions
+title: Volume Permissions
+description: Configure filesystem permissions for OpenCloud Docker volumes
+---
+
+# Volume Permissions
+
+OpenCloud runs as a non-root user inside the container and requires read and write access to the mounted configuration and data directories.
+
+When using bind mounts, ensure that the directories referenced by `OC_CONFIG_DIR` and `OC_DATA_DIR` are writable by the container user.
+
+## Recommended permissions
+
+Create the directories on the host and assign them to UID and GID `1000`:
+
+```bash
+sudo mkdir -p /your/local/path/opencloud/{config,data}
+sudo chown -R 1000:1000 /your/local/path/opencloud
+sudo chmod -R 0700 /your/local/path/opencloud
+```
+
+To verify the ownership on the host, run:
+
+```bash
+ls -ln /your/local/path/opencloud/
+```
+
+## Rootless Docker and UID Mapping
+
+When Docker runs in rootless mode, bind-mounted directories do not always use the same ownership mapping you see in a regular Docker setup.
+
+The OpenCloud container still runs as UID and GID `1000` inside the container, but rootless Docker maps that identity into the subordinate UID and GID range configured for your host user. As a result, a host directory owned by `1000:1000` may not be writable inside the container.
+
+### Check subordinate IDs
+
+You can inspect the subordinate UID and GID ranges on the host with:
+
+```bash
+grep "^$(whoami):" /etc/subuid
+grep "^$(whoami):" /etc/subgid
+```
+
+If the output looks like this:
+
+```text
+youruser:100000:65536
+youruser:100000:65536
+```
+
+then container UID `1000` maps to host UID `101000`.
+
+### Adjust ownership
+
+In that case, set the bind-mounted directories to the mapped host UID and GID:
+
+```bash
+sudo chown -R 101000:101000 /your/local/path/opencloud
+sudo chmod -R 0700 /your/local/path/opencloud
+```
+
+### Verify access inside the container
+
+Do not rely only on host-side ownership values in rootless mode. Verify that the OpenCloud container can actually read and write the mounted directories:
+
+```bash
+docker compose exec opencloud sh
+ls -la /etc/opencloud
+ls -la /var/lib/opencloud
+touch /var/lib/opencloud/.write-test
+```
+
+If those commands succeed, the permissions are configured correctly.
+
+### Prefer a simpler setup
+
+If you do not want to manage mapped host UID and GID values manually, consider using Docker named volumes instead of bind mounts for rootless setups.
+
+## Troubleshooting
+
+If OpenCloud reports permission errors, verify the mounted directories from both the host and the container.
+
+### Check on the host
+
+```bash
+ls -ln /your/local/path/opencloud/
+```
+
+### Check inside the container
+
+```bash
+docker compose exec opencloud ls -la /etc/opencloud
+docker compose exec opencloud ls -la /var/lib/opencloud
+```
+
+If needed, re-apply ownership and permissions on the host:
+
+```bash
+sudo chown -R 1000:1000 /your/local/path/opencloud
+sudo chmod -R 0700 /your/local/path/opencloud
+```
+
+## Further reading
+
+For more information about Docker storage, see the official Docker documentation:
+
+- [Volumes](https://docs.docker.com/storage/volumes/)
+- [Bind mounts](https://docs.docker.com/engine/storage/bind-mounts/)
+
+For backup recommendations, see [Backup and recovery](../../../maintenance/backup.md).
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/docker.md b/versioned_docs/version-7.x/admin/getting-started/container/docker.md
new file mode 100644
index 000000000..45da011f8
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/container/docker.md
@@ -0,0 +1,79 @@
+---
+sidebar_position: 1
+id: docker
+title: Docker
+description: Classic docker setup.
+draft: false
+---
+
+# Docker
+
+Spin up a temporary local instance of OpenCloud using Docker
+
+## Prerequisites
+
+- Linux, Mac or Windows Subsystem for Linux [(WSL)](https://learn.microsoft.com/en-us/windows/wsl/install)
+- [Docker](https://docs.docker.com/compose/install/)
+
+## Create Required Directories for Bind Mounts
+
+```bash
+mkdir -p $HOME/opencloud/opencloud-config
+mkdir -p $HOME/opencloud/opencloud-data
+```
+
+## Pull OpenCloud Image
+
+```bash
+docker pull opencloudeu/opencloud-rolling:latest
+```
+
+## Initialize OpenCloud (First-time Setup)
+
+```bash
+docker run --rm -it \
+ -v $HOME/opencloud/opencloud-config:/etc/opencloud \
+ -v $HOME/opencloud/opencloud-data:/var/lib/opencloud \
+ -e IDM_ADMIN_PASSWORD=admin \
+ opencloudeu/opencloud-rolling:latest init
+```
+
+You can set your own password using `IDM_ADMIN_PASSWORD=your_password`. If not set, a password will be auto-generated
+
+Admin general
+
+## Start OpenCloud
+
+```bash
+docker run \
+ --name opencloud \
+ --rm \
+ -d \
+ -p 9200:9200 \
+ -v $HOME/opencloud/opencloud-config:/etc/opencloud \
+ -v $HOME/opencloud/opencloud-data:/var/lib/opencloud \
+ -e OC_INSECURE=true \
+ -e PROXY_HTTP_ADDR=0.0.0.0:9200 \
+ -e OC_URL=https://localhost:9200 \
+ opencloudeu/opencloud-rolling:latest
+```
+
+## Login
+
+Login with your browser:
+
+- [https://localhost:9200](https://localhost:9200)
+- user: admin
+- password: admin
+
+Admin general
+
+## Conclusion
+
+Your OpenCloud server is now running and ready to use 🚀
+
+## Troubleshooting
+
+If you encounter any issues or errors, try finding a solution here:
+
+- [Common Issues & Help](../../resources/common-issues)
diff --git a/versioned_docs/version-7.x/admin/getting-started/container/index.md b/versioned_docs/version-7.x/admin/getting-started/container/index.md
new file mode 100644
index 000000000..80b87af5b
--- /dev/null
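Review bot: In the "Start OpenCloud" command, `-p 9200:9200` publishes the port on every host interface, while the init step fixes the admin password to `admin` and the Login section repeats it, so anyone who can reach the host on 9200 can sign in as admin. For the temporary local instance this page describes, I would bind to loopback with `-p 127.0.0.1:9200:9200 \` and drop `-e IDM_ADMIN_PASSWORD=admin \` from the init example so the auto-generated password the page already mentions is used, or show a placeholder value instead of a literal one. A short remark next to `-e OC_INSECURE=true \` that it is meant for local evaluation would also help; what the flag relaxes is not visible from this hunk.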
+++ b/versioned_docs/version-7.x/admin/getting-started/container/index.md @@ -0,0 +1,15 @@ +--- +sidebar_position: 0 +id: admin-getting-started-container +title: Container +description: Overview of container-based OpenCloud deployment guides +--- + +# Container Deployments + +Use the container guides if you want to run OpenCloud with Docker or Docker Compose. + +## In this section + +- [Docker](./docker.md) - Run OpenCloud with a plain Docker setup +- [Docker Compose](./docker-compose/index.md) - Use Docker Compose with Traefik or an external proxy diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/cd-opencloud-subdirectory.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/cd-opencloud-subdirectory.png new file mode 100755 index 000000000..29c9ba457 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/cd-opencloud-subdirectory.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/cd-opencloud.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/cd-opencloud.png new file mode 100755 index 000000000..b59d16119 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/cd-opencloud.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/corepack-enable.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/corepack-enable.png new file mode 100755 index 000000000..3fd2cea92 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/corepack-enable.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/git-clone.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/git-clone.png new file mode 100755 index 000000000..0eb9aaa0b Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/git-clone.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-corepack.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-corepack.png new file mode 100755 index 000000000..98b728128 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-corepack.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-git.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-git.png new file mode 100755 index 000000000..147d64ddc Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-git.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-golang.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-golang.png new file mode 100755 index 000000000..62d92feea Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-golang.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-npm.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-npm.png new file mode 100755 index 000000000..bd9cf3a2f Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/install-npm.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/localhost-warnung.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/localhost-warnung.png new file mode 100755 index 000000000..ff8a45fb3 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/localhost-warnung.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/login.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/login.png new file mode 100755 index 000000000..326d15d83 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/login.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/opencloud-init.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/opencloud-init.png new file mode 100755 index 000000000..bc5740622 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/opencloud-init.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/opencloud-server.png b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/opencloud-server.png new file mode 100755 index 000000000..5583b427d Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/bare-metal/opencloud-server.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/assign-role.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/assign-role.png new file mode 100644 index 000000000..958157dab Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/assign-role.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/certificate-details.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/certificate-details.png new file mode 100644 index 000000000..43a55d060 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/certificate-details.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/certificate-viewer.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/certificate-viewer.png new file mode 100644 index 000000000..073b90d6c Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/certificate-viewer.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/credentials.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/credentials.png new file mode 100644 index 000000000..bacb58deb Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/credentials.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/fill-in-userdata.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/fill-in-userdata.png new file mode 100644 index 000000000..84ca42637 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/fill-in-userdata.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/filter-by-realm-roles.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/filter-by-realm-roles.png new file mode 100644 index 000000000..385450362 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/filter-by-realm-roles.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/keycloak-dashboard.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/keycloak-dashboard.png new file mode 100644 index 000000000..e57acb112 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/keycloak-dashboard.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/keycloak-login.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/keycloak-login.png new file mode 100644 index 000000000..fa4c020f8 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/keycloak-login.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/login.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/login.png new file mode 100644 index 000000000..0baae2580 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/login.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/realm-roles.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/realm-roles.png new file mode 100644 index 000000000..f6e867be2 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/realm-roles.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/role-mapping.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/role-mapping.png new file mode 100644 index 000000000..018e08d0a Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/role-mapping.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/set-password.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/set-password.png new file mode 100644 index 000000000..382249f54 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/set-password.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/status-secure.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/status-secure.png new file mode 100644 index 000000000..e0625c57c Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/status-secure.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/subordinate-ca's.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/subordinate-ca's.png new file mode 100644 index 000000000..318c99ee7 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/subordinate-ca's.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/top-left-dropdown.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/top-left-dropdown.png new file mode 100644 index 000000000..d8cdbd9a6 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/top-left-dropdown.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/users-section.png b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/users-section.png new file mode 100644 index 000000000..7ee111639 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/docker-compose/users-section.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/collabora-accept-self-signed-cert.png b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/collabora-accept-self-signed-cert.png new file mode 100644 index 000000000..1faad6a7e Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/collabora-accept-self-signed-cert.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/docker-opencloud-init.png b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/docker-opencloud-init.png new file mode 100644 index 000000000..61e5b83ea Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/docker-opencloud-init.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/quick-docker-compose-up.png b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/quick-docker-compose-up.png new file mode 100644 index 000000000..44ba2bb7c Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/quick-docker-compose-up.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/quick-login.png b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/quick-login.png new file mode 100644 index 000000000..0baae2580 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/quick-guide/quick-login.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/change-env-for-storage.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/change-env-for-storage.png new file mode 100644 index 000000000..adf3dc575 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/change-env-for-storage.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/docker-compose-check.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/docker-compose-check.png new file mode 100644 index 000000000..8bb71e91b Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/docker-compose-check.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/docker-user-check.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/docker-user-check.png new file mode 100644 index 000000000..1cca06867 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/docker-user-check.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/error-mounting.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/error-mounting.png new file mode 100644 index 000000000..102f05fb6 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/error-mounting.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/find-external-hd.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/find-external-hd.png new file mode 100644 index 000000000..d98d3d821 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/find-external-hd.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/format-drive.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/format-drive.png new file mode 100644 index 000000000..3fc6190fe Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/format-drive.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/ip-router.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/ip-router.png new file mode 100644 index 000000000..e3f74d769 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/ip-router.png differ 
diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/noip.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/noip.png new file mode 100644 index 000000000..f27367b19 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/noip.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/oc-domain.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/oc-domain.png new file mode 100644 index 000000000..abddfa643 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/oc-domain.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/portforwarding.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/portforwarding.png new file mode 100644 index 000000000..a46f439b0 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/portforwarding.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/reachable-via-URL.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/reachable-via-URL.png new file mode 100644 index 000000000..9fd80f336 Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/reachable-via-URL.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/ssh-activate.png b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/ssh-activate.png new file mode 100644 index 000000000..704ea0e1a Binary files /dev/null and b/versioned_docs/version-7.x/admin/getting-started/img/raspberrypi/ssh-activate.png differ diff --git a/versioned_docs/version-7.x/admin/getting-started/index.md b/versioned_docs/version-7.x/admin/getting-started/index.md new file mode 100644 index 000000000..208537467 --- /dev/null +++ b/versioned_docs/version-7.x/admin/getting-started/index.md 
@@ -0,0 +1,16 @@
+---
+sidebar_position: 0
+id: admin-getting-started
+title: Getting Started
+description: Overview of the OpenCloud getting started guides for administrators
+---
+
+# Getting Started
+
+Use this section to install and deploy OpenCloud in the environment that fits your setup best.
+
+## In this section
+
+- [Requirements](./requirements.md) - Check prerequisites before you install OpenCloud
+- [Container Deployments](./container/index.md) - Run OpenCloud in Docker or Docker Compose
+- [Other Deployment Options](./other/index.md) - Bare metal and Raspberry Pi installations
diff --git a/versioned_docs/version-7.x/admin/getting-started/kubernetes.md b/versioned_docs/version-7.x/admin/getting-started/kubernetes.md
new file mode 100644
index 000000000..27b5b0209
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/kubernetes.md
@@ -0,0 +1,7 @@
+---
+sidebar_position: 8
+id: kubernetes
+title: Kubernetes
+description: Kubernetes
+draft: true
+---
diff --git a/versioned_docs/version-7.x/admin/getting-started/other/_category_.json b/versioned_docs/version-7.x/admin/getting-started/other/_category_.json
new file mode 100644
index 000000000..f82a569ef
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/other/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Other",
+ "position": 3,
+ "link": {
+ "type": "doc",
+ "id": "admin-getting-started-other"
+ }
+}
diff --git a/versioned_docs/version-7.x/admin/getting-started/other/bare-metal.md b/versioned_docs/version-7.x/admin/getting-started/other/bare-metal.md
new file mode 100644
index 000000000..0160169dd
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/other/bare-metal.md
@@ -0,0 +1,131 @@
+---
+sidebar_position: 5
+id: bare-metal
+title: Bare-Metal
+description: Manual, minimalist setup with essential features.
+draft: false
+---
+
+# Bare-Metal
+
+User Guide for Installing OpenCloud Bare-Metal
+
+Follow the steps below to install and configure OpenCloud on your system.
+This example is on Linux Ubuntu 24.04 distribution!
+
+:::danger[Disclaimer]
+Bare-metal deployments are not officially supported by OpenCloud. They are great for quick evaluation but are undocumented and have a minimalist feature set. If you choose this setup, you are on your own. With great power comes great responsibility.
+:::
+
+## Install Git and clone the repository
+
+- Open a terminal.
+
+- Update your package list:
+
+ ```bash
+ sudo apt update && apt upgrade
+ ```
+
+- Install Git using the following command:
+
+ ```bash
+ sudo apt install git
+ ```
+
+ install git
+
+- Clone the OpenCloud repository:
+
+ ```bash
+ git clone https://github.com/opencloud-eu/opencloud.git
+ ```
+
+ git clone
+
+## Install the required packages
+
+- Download and install Go by following the official guide: 🔗[**go.dev/doc/install**](https://go.dev/doc/install)
+
+- Install npm (Node Package Manager):
+
+ ```bash
+ sudo apt install npm -y
+ ```
+
+ install npm
+
+- Install corepack globally:
+
+ ```bash
+ sudo npm install -g corepack
+ ```
+
+ install corepack
+
+- Enable `pnpm` using corepack:
+
+ ```bash
+ corepack enable pnpm
+ ```
+
+ corepack enable
+
+## Build process and OpenCloud initialization
+
+- Navigate to the OpenCloud directory:
+
+ ```bash
+ cd opencloud
+ ```
+
+ cd opencloud
+
+- Run the build generate process:
+
+ ```bash
+ make clean generate
+ make -C opencloud build
+ ```
+
+- Navigate into the opencloud subdirectory that was just built:
+
+ ```bash
+ cd opencloud
+ ```
+
+- Initialize OpenCloud with insecure configuration and set an admin password:
+
+ ```bash
+ ./bin/opencloud init --insecure true --admin-password admin
+ ```
+
+ opencloud init
+
+- Start the OpenCloud server:
+
+ ```bash
+ ./bin/opencloud server
+ ```
+
+ opencloud server
+
+## Login
+
+Login with your browser:
+
+- [https://localhost:9200](https://localhost:9200)
+- user: **admin**
+- password: **admin**
+
+login
+
+## Conclusion
+
+Your OpenCloud server is now running and ready to 
use 🚀
+
+## Troubleshooting
+
+If you encounter any issues or errors, try finding a solution here
+
+- [Common Issues & Help](../../resources/common-issues)
diff --git a/versioned_docs/version-7.x/admin/getting-started/other/index.md b/versioned_docs/version-7.x/admin/getting-started/other/index.md
new file mode 100644
index 000000000..bbe4f07f7
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/other/index.md
@@ -0,0 +1,15 @@
+---
+sidebar_position: 0
+id: admin-getting-started-other
+title: Other
+description: Alternative OpenCloud deployment guides
+---
+
+# Other Deployment Options
+
+These guides cover deployments outside the standard container-based setup.
+
+## In this section
+
+- [Bare Metal](./bare-metal.md) - Install OpenCloud directly on a server (not officially supported)
+- [Raspberry Pi](./raspberry-pi.md) - Run OpenCloud on a Raspberry Pi
diff --git a/versioned_docs/version-7.x/admin/getting-started/other/raspberry-pi.md b/versioned_docs/version-7.x/admin/getting-started/other/raspberry-pi.md
new file mode 100644
index 000000000..615117c56
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/getting-started/other/raspberry-pi.md
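Review bot: In "Install Git and clone the repository" of bare-metal.md, `sudo apt update && apt upgrade` runs the second command without sudo, so for a normal user the upgrade fails after the index refresh; it should read `sudo apt update && sudo apt upgrade`, as the Raspberry Pi page in this commit does. The init step `./bin/opencloud init --insecure true --admin-password admin` hard-codes the same `admin` password that the Login section then prints, so every install copied from this page shares a known credential. I would show a placeholder there, `./bin/opencloud init --insecure true --admin-password <your-password>`, and replace the literal password in the Login list with a reference to the value chosen at init.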
@@ -0,0 +1,282 @@
+---
+sidebar_position: 6
+id: raspberry-pi
+title: Raspberry Pi
+description: OpenCLoud on a Raspberry Pi
+draft: false
+---
+
+# OpenCloud on a Raspberry Pi
+
+:::note
+The installation of OpenCloud on a Raspberry Pi is intended for private or non-production use only.
+It is not recommended for enterprise or critical environments due to the hardware's limited resources and potential performance constraints.
+:::
+
+## Hardware requirements
+
+- Minimum Raspberry Pi 4B with at least 4 GB RAM connected via LAN or WLAN
+- Micro SD card with at least 32 GB storage space
+- External hard disk or USB stick (optional) for additional storage space
+
+## Install operating system
+
+- Install Raspberry Pi OS
+ A very detailed and understandable guide is available at:
+ [Raspberry Pi Getting Started](https://pimylifeup.com/raspberry-pi-getting-started/)
+
+- SSH must be enabled if you want to access the machine remotely.
+
+ This is usually required when your Raspberry Pi is running without a connected keyboard and display.
+
+- If the Raspberry Pi is to be connected to WLAN, the login data for the WLAN must be entered.
+
+## Connecting with SSH
+
+Start the Raspberry Pi with the SD card and connect via SSH.
+The IP for this can be viewed in your router.
+
+find ip from raspberry-pi in router
+
+### Establish connection via SSH
+
+```bash
+ssh pi@YOUR-IP
+```
+
+After the first login, you should change the password for security reasons:
+
+```bash
+passwd
+```
+
+## Installing Docker and Docker Compose
+
+Detailed installation instructions for Docker can be found here:
+[Install Docker on Raspberry Pi](https://pimylifeup.com/raspberry-pi-docker/)
+
+- Perform update and upgrade:
+
+```bash
+sudo apt update && sudo apt upgrade -y
+```
+
+- Install Docker via script:
+
+```bash
+curl -fsSL test.docker.com -o get-docker.sh && sh get-docker.sh
+```
+
+- Add current user to the Docker group:
+
+```bash
+sudo usermod -aG docker ${USER}
+```
+
+- Check if it's working:
+
+```bash
+groups ${USER}
+```
+
+Check docker user
+
+- Reboot the Raspberry Pi:
+
+```bash
+sudo shutdown -r now
+```
+
+## Clone OpenCloud repository
+
+```bash
+git clone https://github.com/opencloud-eu/opencloud-compose.git
+```
+
+## Start the Docker Compose setup
+
+```bash
+cd opencloud-compose
+```
+
+Copy the `.env.example` file:
+
+```bash
+cp .env.example .env
+```
+
+Edit the `.env` file:
+
+```bash
+nano .env
+```
+
+Activate the minimal OpenCloud setup by un-commenting this line:
+
+```bash
+COMPOSE_FILE=docker-compose.yml:traefik/opencloud.yml
+```
+
+Look for the following line and set here your admin password:
+
+```bash
+INITIAL_ADMIN_PASSWORD=YourSecurePassword
+```
+
+Then start Docker:
+
+```bash
+docker compose up
+```
+
+Now OpenCloud is running locally on your Raspberry Pi, and you can adjust it to your needs.
+
+We will describe how to mount an external disk or USB stick and make OpenCloud available outside the local network using No-IP.
+
+## Mount external hard disk or USB stick
+
+### Find your external drive
+
+```bash
+lsblk
+```
+
+find the external hd
+
+### Format the drive to ext4
+
+```bash
+sudo mkfs.ext4 /dev/sda1 -L DATA
+```
+
+format drive
+
+### Add fstab entry for auto-mounting
+
+Open `fstab`:
+
+```bash
+sudo nano /etc/fstab
+```
+
+Add this line:
+
+```bash
+LABEL=DATA /mnt/data ext4 auto,defaults 0 0
+```
+
+### Create the mount point and set permissions
+
+```bash
+sudo mkdir -p /mnt/data
+sudo chown -R 1000:1000 /mnt/data
+```
+
+### Mount the drive
+
+```bash
+sudo mount -a
+```
+
+If an error occurs:
+
+error mounting
+
+Run:
+
+```bash
+systemctl daemon-reload
+```
+
+And try mounting again.
+
+## Mount external storage in Docker
+
+Stop Docker:
+
+```bash
+docker compose down
+```
+
+Open the `.env` file:
+
+```bash
+cd opencloud-compose
+nano .env
+```
+
+Set the `OC_DATA_DIR` variable to your mounted storage path, e.g.:
+
+```env
+OC_DATA_DIR=/mnt/data
+```
+
+change env for storage
+
+Restart Docker:
+
+```bash
+docker compose up
+```
+
+## Make OpenCloud externally available
+
+### Create DynDNS hostname
+
+Register at [No-IP](https://www.noip.com/) and create a hostname, e.g. `opencloud.webhop.me`.
+
+noip hostname input
+
+### Configure DynDNS in your router
+
+Use your router’s web interface to:
+
+- Locate the Dynamic DNS settings
+- Select **No-IP** as provider
+- Enter your No-IP credentials
+- Use the created hostname (e.g. `opencloud.webhop.me`)
+- Save and test the settings
+
+More help: [No-IP Support](https://www.noip.com/support/knowledgebase/how-to-configure-ddns-in-router)
+
+### Configure port forwarding
+
+1. Ensure your Raspberry Pi always has the same IP address:
+ - Either via static IP or DHCP assignment in the router
+
+2. In your router settings, look for **Port Forwarding**, **NAT**, or **Port Sharing**
+
+3. 
Forward the following ports to your Raspberry Pi: + +- TCP Port 80 (HTTP) +- TCP Port 443 (HTTPS) + +portforwarding in router + +### Update OC_DOMAIN + +SSH into your Pi and update the domain: + +```bash +cd opencloud-compose +docker compose down +nano .env +``` + +Edit the `OC_DOMAIN` value: + +```env +OC_DOMAIN=opencloud.webhop.me +``` + +change the OC_DOMAIN variable + +Restart Docker: + +```bash +docker compose up +``` + +Now your OpenCloud should be reachable via your URL. + +reachable-via-URL diff --git a/versioned_docs/version-7.x/admin/getting-started/requirements.md b/versioned_docs/version-7.x/admin/getting-started/requirements.md new file mode 100644 index 000000000..02d5e84ed --- /dev/null +++ b/versioned_docs/version-7.x/admin/getting-started/requirements.md @@ -0,0 +1,14 @@ +--- +sidebar_position: 1 +id: requirements +title: Requirements +description: Runs on anything from a Raspberry Pi to a data center. +draft: false +--- + +| Category | Details | +| :---------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Server Operating System |
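Review bot: The "Install Docker via script" step in raspberry-pi.md, `curl -fsSL test.docker.com -o get-docker.sh && sh get-docker.sh`, gives no URL scheme, so curl's first request goes out over plain HTTP, and `test.docker.com` serves the pre-release channel installer rather than the stable one. I would change it to `curl -fsSL https://get.docker.com -o get-docker.sh` and show `sh get-docker.sh` as a separate step so the downloaded file can be read before it runs. Further down, `systemctl daemon-reload` is missing `sudo`, and the `sudo mkfs.ext4 /dev/sda1 -L DATA` step should tell the reader to substitute the device reported by `lsblk`, because whatever is on the hard-coded `/dev/sda1` is erased. Since the page ends with ports 80 and 443 forwarded from the internet, the `sudo usermod -aG docker ${USER}` step also deserves one sentence noting that docker group membership is equivalent to root on the Pi.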
  • Production: Linux
  • Testing and development: MacOS or Windows WSL
| +| Database |
  • None (OpenCloud stores files exclusively on the storage to minimize complexity and ensure maximum reliability)
| +| Storage |
  • The `posix` and `decomposed` storage drivers require:
    • a fully POSIX compliant filesystem
      • local e.g. ext4, XFS, ZFS
      • network e.g. CephFS, GPFS, NFS v4.2 or later
    • atomic read after write consistency for directory metadata (NFS mount option `noac`)
  • `decomposeds3` additionally requires an S3 bucket
  • `posix` requires extended attributes (offloading metadata >1KB into dedicated files)
| +| Hardware requirements | Minimum (Minimal bare-metal Deployment - Up to 10 Users)
  • eg. Raspberry Pi 3
  • 1 GHz (Single-core)
  • 512 MB Ram
  • Storage: depends on data usage
Medium (Deployment - Up to 1,000 Users)
  • 2 GHz (Dual-core)
  • 8 GB Ram
  • Storage: depends on data usage
General:
  • Disk Performance (IOPS): Input/output operations per second (IOPS) should be unrestricted for maintaining optimal performance.
  • The server requirements vary based on load factors such as requests per second, number of client devices per user, file volume, post-processing tasks, and additional apps like Collabora. Proper sizing depends on these variables and should be adjusted accordingly.
|
diff --git a/versioned_docs/version-7.x/admin/index.md b/versioned_docs/version-7.x/admin/index.md
new file mode 100644
index 000000000..567ac18f7
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/index.md
@@ -0,0 +1,42 @@
+---
+sidebar_position: 1
+title: Welcome
+description: Welcome
+draft: false
+---
+
+# Welcome to OpenCloud Admin Docs
+
+Welcome to OpenCloud, your self-hosted file sharing platform: Secure, simple and reliable. This documentation helps you to get started, configure, and maintain OpenCloud.
+
+## Quick start
+
+```bash
+curl -L https://opencloud.eu/install | /bin/bash
+```
+
+## What’s Inside?
+
+- Getting Started – Set up and deploy OpenCloud
+- Configuration – Customize and integrate with existing systems and storage
+- Maintenance – Learn how to update, backup and migrate
+
+## Explore the Admin Docs
+
+- [Getting Started](./getting-started/index.md) - Install and deploy OpenCloud
+- [Configuration](./configuration/index.md) - Tune OpenCloud behavior and integrations
+- [Maintenance](./maintenance/index.md) - Backups, exports, migration, and uninstall
+- [Resources](./resources/index.md) - Troubleshooting, lifecycle, and FAQ
+
+## Documentation Versions
+
+Our documentation is versioned to ensure you always find the right information for your software version.
+
+- Rolling Version: Reflects the current development state. Changes are continuously added, but the documentation may be incomplete, as new features might not yet be documented. Ideal if you are using a pre-release or development build.
+- Stable Release Versions: Documentation for officially released versions — frozen, reviewed, and unchanged since publication.
+
+You can switch between the Rolling version and specific Release versions using the version menu in the top right corner.
+
+## Need Help?
+
+Check our [GitHub Discussion](https://github.com/orgs/opencloud-eu/discussions), or [Matrix Channel](https://matrix.to/#/#opencloud:matrix.org). Let’s get started!
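Review bot: The "Quick start" block in admin/index.md pipes a remote script straight into a shell, `curl -L https://opencloud.eu/install | /bin/bash`, without `-f`, so an HTTP error page or a truncated download would be handed to bash, and the reader has no chance to see what will run. I would show it as two steps, `curl -fsSL https://opencloud.eu/install -o install.sh` followed by `bash install.sh`. One sentence on what the installer changes on the host would also help, since the hunk does not describe it.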
diff --git a/versioned_docs/version-7.x/admin/maintenance/_category_.json b/versioned_docs/version-7.x/admin/maintenance/_category_.json
new file mode 100644
index 000000000..bdb37be91
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Maintenance",
+ "position": 6
+}
diff --git a/versioned_docs/version-7.x/admin/maintenance/backup.md b/versioned_docs/version-7.x/admin/maintenance/backup.md
new file mode 100644
index 000000000..71bfa6ca0
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/backup.md
@@ -0,0 +1,91 @@
+---
+sidebar_position: 2
+id: backup
+title: Backup
+description: Backup
+draft: false
+---
+
+# Backup
+
+Regular backups are essential to ensure that your OpenCloud instance can be restored in case of issues
+
+## General considerations
+
+### Storage Options
+
+OpenCloud supports two different storage setups:
+
+- Pure POSIX Setup: All data (configuration, blobs, and metadata) is stored on a POSIX-compliant filesystem.
+
+- Distributed Setup: Blobs are stored on an S3-compliant storage, while configuration and metadata remain on a POSIX-compliant filesystem
+
+To determine which filesystems are supported, see: Filesystems and Shared Storage
+
+## Backup strategies
+
+### Consistent Backup Requirement
+
+To create a consistent backup, the OpenCloud instance must be stopped before starting the backup process. After the backup is complete, the instance can be restarted
+
+There are two recommended approaches:
+
+- Snapshot-based backup (recommended)
+ - If your storage system supports snapshots, creating a backup only takes a few seconds
+
+ - Snapshots should be copied to secondary storage or used by backup software for additional security
+
+- Backup software approach
+
+- If snapshots are not available, you can use any backup software of your choice
+- For more details on data locations, refer to the Default Paths documentation
+
+## Required backup components
+
+- Configuration data
+
+- System data (shares the root path with metadata if not defined separately)
+
+- Metadata (varies depending on the storage setup)
+
+- Blobs (stored with metadata on POSIX or separately on S3)
+
+- ⚠️ If the search index is not backed up, it must be recreated after restoration.
+
+- Additionally, consider backing up:
+
+- The OpenCloud binary or container used
+
+- The configuration files
+
+- This ensures compatibility when restoring and prevents issues caused by software version mismatches
+
+## Pure POSIX setup
+
+If all data (configuration, blobs, and metadata) is stored on a POSIX-compliant filesystem
+
+- Stop the OpenCloud instance
+
+- Create a backup of all data sets
+
+- If everything is on one filesystem, this is straightforward
+
+- If separate filesystems are used for configuration and blobs/metadata, back up each one individually
+
+- Restart the OpenCloud instance after the backup is complete
+
+## Distributed setup
+
+If blobs are stored on S3, while configuration and metadata remain on a POSIX-compliant filesystem
+
+- Stop the OpenCloud instance
+
+- Back up the configuration and metadata
+
+- Back up the S3 bucket according to the guidelines of your S3 provider
+
+- Restart the OpenCloud instance after the backup is complete
+
+:::note
+With these backup strategies, you can ensure that your OpenCloud instance remains secure and restorable in case of issues
+:::
diff --git a/versioned_docs/version-7.x/admin/maintenance/dataexport.md b/versioned_docs/version-7.x/admin/maintenance/dataexport.md
new file mode 100644
index 000000000..21081de57
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/dataexport.md
@@ -0,0 +1,29 @@
+---
+sidebar_position: 5
+id: dataexport
+title: Data Export
+description: Information about data export.
+draft: false
+---
+
+# Data Export
+
+## Files
+
+OpenCloud stores files by default in the file system under the path `/var/lib/opencloud/`. Any other path that is local to the server instance running the OpenCloud backend can be configured as alternative path using the environment variable `OC_BASE_DATA_PATH`.
+
+Files and folders are stored in a folder structure underneath that base path in folder `data/storage/users/`.
+
+Files are by default stored in the original format and not encrypted.
+
+## Metadata
+
+File metadata is stored in the file system with every file. It is either in the extended file attributes (user namespace) or in a separate metadata file. That file is in the [MessagePack](https://msgpack.org) format and can be read with the CLI tools for that file type.
+
+## Configuration
+
+Configuration files are written as yaml files by default under `$HOME/.config/OpenCloud`.
+
+## Other
+
+Other, non-file-related metadata such as links is also stored under the general data base path, in JSON format.
diff --git a/versioned_docs/version-7.x/admin/maintenance/img/generate-pass-nc.png b/versioned_docs/version-7.x/admin/maintenance/img/generate-pass-nc.png
new file mode 100644
index 000000000..e9ef59940
Binary files /dev/null and b/versioned_docs/version-7.x/admin/maintenance/img/generate-pass-nc.png differ
diff --git a/versioned_docs/version-7.x/admin/maintenance/img/init-diff.png b/versioned_docs/version-7.x/admin/maintenance/img/init-diff.png
new file mode 100644
index 000000000..94b6f0a05
Binary files /dev/null and b/versioned_docs/version-7.x/admin/maintenance/img/init-diff.png differ
diff --git a/versioned_docs/version-7.x/admin/maintenance/index.md b/versioned_docs/version-7.x/admin/maintenance/index.md
new file mode 100644
index 000000000..368acdd30
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/index.md
@@ -0,0 +1,18 @@
+---
+sidebar_position: 0
+id: admin-maintenance
+title: Maintenance
+description: Overview of OpenCloud maintenance tasks
+---
+
+# Maintenance
+
+Use these guides to keep your OpenCloud installation updated, backed up, and manageable over time.
+
+## In this section
+
+- [Upgrade](./upgrade/index.md)
+- [Backup](./backup.md)
+- [Migrate](./migrate.md)
+- [Uninstall](./uninstall.md)
+- [Data Export](./dataexport.md)
diff --git a/versioned_docs/version-7.x/admin/maintenance/migrate.md b/versioned_docs/version-7.x/admin/maintenance/migrate.md
new file mode 100644
index 000000000..7b9fe2fe3
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/migrate.md
@@ -0,0 +1,229 @@
+---
+sidebar_position: 3
+id: migrate
+title: Migrate
+description: Guide to migrating data using rclone.
+draft: false
+---
+
+import Tabs from '@theme/Tabs'
+import TabItem from '@theme/TabItem'
+
+# Migrate
+
+Migrate Personal Space Data to OpenCloud Using rclone
+
+This guide will help you migrate personal space data from `NextCloud` and `oCIS` to `OpenCloud` using `rclone`. Follow these steps carefully to ensure a smooth migration!
+
+## Generate users token using CLI or API
+
+
+
+
+## Run OpenCloud with the following configuration
+
+Modify `.env` file:
+
+```bash
+START_ADDITIONAL_SERVICES="auth-app"
+```
+
+Enable `auth-app` service:
+
+```bash
+PROXY_ENABLE_APP_AUTH="true"
+```
+
+### Generate user token using CLI
+
+Access the OpenCloud container:
+
+```bash
+docker exec -it opencloud-compose-opencloud-1 sh
+```
+
+Generate an authentication token for a user (e.g., `alan`) with expiration (`h`, `m`, `s`):
+
+```bash
+opencloud auth-app create --user-name=alan --expiration=72h
+```
+
+## Generate user token using API
+
+Requires additional configuration! Start the server with:
+
+```bash
+AUTH_APP_ENABLE_IMPERSONATION=true
+```
+
+Then generate a token via API:
+
+```bash
+curl -vk -XPOST 'https://opencloud_url/auth-app/tokens?expiry=72h&userName=alan' -uadmin:admin
+```
+
+
+
+
+
+### Run oCIS with the following configuration
+
+Modify `.env` file:
+
+```bash
+START_ADDITIONAL_SERVICES="auth-app"
+```
+
+Enable `auth-app` service:
+
+```bash
+PROXY_ENABLE_APP_AUTH="true"
+```
+
+## Generate user token using CLI
+
+Access the oCIS container:
+
+```bash
+docker exec -it ocis_full-ocis-1 sh
+```
+
+Generate an authentication token for a user (e.g., `einstein`) with expiration (`h`, `m`, `s`):
+
+```bash
+ocis auth-app create --user-name=einstein --expiration=72h
+```
+
+## Generate user token using API
+
+Requires additional configuration! Start the server with:
+
+```bash
+AUTH_APP_ENABLE_IMPERSONATION=true
+```
+
+Then generate a token via API:
+
+```bash
+curl -vk -XPOST 'https://ocis_url/auth-app/tokens?expiry=72h&userName=einstein' -uadmin:admin
+```
+
+
+
+
+
+### Go to `Settings` → `Security`
+
+Create a new App Password
+
+![Generate App Password](./img/generate-pass-nc.png)
+
+
+
+
+## Install rclone
+
+Download and install rclone by following the official guide: [rclone.org/install](https://rclone.org/install/)
+
+## Encrypt Authentication Tokens
+
+```bash
+rclone obscure
+```
+
+## Create the rclone Configuration
+
+Edit the rclone configuration file:
+
+```bash
+nano ~/.config/rclone/rclone.conf
+```
+
+- Example Configuration
+
+```bash
+[opencloud-admin]
+type = webdav
+url = https://opencloud_url/remote.php/webdav
+vendor = opencloud
+owncloud_exclude_shares = true
+user = admin
+pass = sQOM4mn2DdR9ihRGkyAMcd50W6mniaSqSfx2qVOdBJs
+description = opencloud-admin
+
+[opencloud-alan]
+type = webdav
+url = https://opencloud_url/remote.php/webdav
+vendor = opencloud
+owncloud_exclude_shares = true
+user = alan
+pass = sQOM4mn2DdR9ihRGkyAMcd50W6mniaSqSfx2qVOdBJs
+description = opencloud-alan
+
+[ocis-admin]
+type = webdav
+url = https://ocis_url/remote.php/webdav
+vendor = ocis
+owncloud_exclude_shares = true
+user = admin
+pass = Sav5354nRTgBHyItQeCZp9tCBidX2BxbuMx_dDLwxqs
+description = ocis-admin
+
+[ocis-einstein]
+type = webdav
+url = https://ocis_url/remote.php/webdav
+vendor = ocis-einstein
+owncloud_exclude_shares = true
+user = einstein
+pass = dcYsf3PNvBxaIi7MMq-bqg74KMWWWS8p3uFT-WD17SA
+description = ocis-einstein
+
+[nc-admin]
+type = webdav
+url = http://nc_url/remote.php/webdav
+vendor = nc
+owncloud_exclude_shares = true
+user = admin
+pass = IBSkhC1wCDdS2Gt9iBV-C9IqlGek
+description = nc-admin
+
+[nc-bob]
+type = webdav
+url = http://localhost:8080/remote.php/webdav
+vendor = nc-bob
+owncloud_exclude_shares = true
+user = bob
+pass = ufOK3zPDjR4meEwwy3cWUVA18Lf8TpubBRyPL5m9KC508PkMiEVAXTxg6olu
+description = nc-bob
+
+```
+
+## Copy Data to OpenCloud
+
+Use `rclone copy` to transfer data from `oCIS` and `Nextcloud` to `OpenCloud`:
+
+```bash
+rclone copy ocis-admin:/ opencloud-admin:/ --no-check-certificate -P # Copy oCIS admin personal space to OpenCloud admin space
+rclone copy ocis-einstein:/ opencloud-alan:/ --no-check-certificate -P # Copy oCIS bob's personal space to OpenCloud admin space
+rclone copy nc-bob:/ opencloud-alan:/ --no-check-certificate -P # Copy Nextcloud admin personal space to OpenCloud admin space
+
+```
+
+## Migration Results and Limitations
+
+Congratulations! You have successfully migrated personal space data to OpenCloud!
+
+- Successfully Migrated
+ - Personal space files
+
+- Not Migrated
+ - Shared files
+ - Public links
+ - Project spaces
+ - Trash-bin contents
+ - File versions
+ - Metadata
+
+## Security Step: Delete Tokens
+
+Once the migration is complete, please delete tokens to prevent unauthorized access!
diff --git a/versioned_docs/version-7.x/admin/maintenance/uninstall.md b/versioned_docs/version-7.x/admin/maintenance/uninstall.md
new file mode 100644
index 000000000..d77503808
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/uninstall.md
@@ -0,0 +1,85 @@
+---
+sidebar_position: 4
+id: uninstall
+title: Uninstall
+description: Guide to uninstall OpenCloud.
+draft: false
+---
+
+# Uninstall OpenCloud with Docker Compose
+
+:::warning
+This guide will completely remove all OpenCloud data. Make sure to back up any important files before proceeding.
+:::
+
+## Stop and Remove Docker Containers
+
+Navigate to your `opencloud-compose` directory (where your `docker-compose.yml` file is located), then run:
+
+```bash
+docker compose down
+```
+
+To also remove unnamed volumes and orphan containers:
+
+```bash
+docker compose down --volumes --remove-orphans
+```
+
+## Remove Docker Volumes
+
+To check your existing volumes:
+
+```bash
+docker volume ls
+```
+
+Typical OpenCloud volumes may include:
+
+`opencloud_compose_opencloud-data`
+
+`opencloud_compose_opencloud-config`
+
+To delete specific volumes:
+
+```bash
+docker volume rm opencloud_compose_opencloud-data opencloud_compose_opencloud-config
+```
+
+Or to clean up all unused volumes (be careful!):
+
+```bash
+docker volume prune
+```
+
+## Delete Mounted Directories (if used)
+
+If your .env referenced local folders such as /mnt/opencloud/data, you should delete those manually:
+
+```bash
+sudo rm -rf /mnt/opencloud/data
+sudo rm -rf /mnt/opencloud/config
+```
+
+Adjust the paths to match your setup.
+
+## Remove the Compose Project Folder (Optional)
+
+If you want to delete the entire project directory:
+
+```bash
+cd ..
+rm -rf opencloud-compose
+```
+
+## Result
+
+After completing these steps, OpenCloud is fully removed, including:
+
+- All Docker containers
+
+- All persistent volumes
+
+- Any local folders and mounts
+
+- Optional project directory
diff --git a/versioned_docs/version-7.x/admin/maintenance/upgrade/_category_.json b/versioned_docs/version-7.x/admin/maintenance/upgrade/_category_.json
new file mode 100644
index 000000000..025a68228
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/upgrade/_category_.json
@@ -0,0 +1,8 @@
+{
+ "label": "Upgrade",
+ "position": 1,
+ "link": {
+ "type": "doc",
+ "id": "upgrade"
+ }
+}
diff --git a/versioned_docs/version-7.x/admin/maintenance/upgrade/index.md b/versioned_docs/version-7.x/admin/maintenance/upgrade/index.md
new file mode 100644
index 000000000..b49c20dad
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/upgrade/index.md
@@ -0,0 +1,18 @@
+---
+sidebar_position: 0
+id: upgrade
+title: Upgrade
+description: Overview of OpenCloud upgrade guides and release notes
+draft: false
+---
+
+# Upgrade
+
+This section collects the guides you need when upgrading OpenCloud.
+
+## Guides
+
+- [Standard Upgrade Guide](./upgrade.md)
+- [Upgrade 7.x.x](./upgrade-7.x.x.md)
+- [Upgrade 4.0.x](./upgrade-4.0.0.md)
+- [Release notes](./release-notes.md)
diff --git a/versioned_docs/version-7.x/admin/maintenance/upgrade/release-notes.md b/versioned_docs/version-7.x/admin/maintenance/upgrade/release-notes.md
new file mode 100644
index 000000000..92293d2e8
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/upgrade/release-notes.md
@@ -0,0 +1,79 @@
+---
+sidebar_position: 40
+id: release-notes
+title: Release Notes
+description: Release Notes
+draft: false
+---
+
+# Release Notes: Migration from v5.x.x to v6.0.0
+
+- Version: 6.0.0
+- Type: Major Release (Breaking Change in Search Index)
+- [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v6.0.0)
+
+## Who Is Affected?
+
+Users who use the **OpenSearch backend** for search functionality.
+
+## Key Changes
+
+The OpenSearch index has been redesigned with the following improvements:
+
+- Fixes for persisting and querying favorite information
+- Fast Vector Highlighter support — significantly faster and without the character limits of the previous default highlighter
+
+:::warning breaking change
+This is an incompatible change. Users of the OpenSearch backend will have to drop their old index and rebuild it using:
+
+```bash
+opencloud search index --all-spaces
+```
+
+:::
+
+# Release Notes: Migration from v4.x.x to v5.0.0
+
+- Version: 5.0.0
+- Type: Major Release (Breaking Change in Service Architecture)
+- [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v5.0.0)
+
+## Who Is Affected?
+
+If you use the official Docker Compose setup, no migration is typically required.
+
+## Key Changes
+
+The OCDAV is no longer initialized as its own service, it was moved from the backend services into the frontend service
+
+:::compatibility note
+Legacy env variable names (OCDAV\_\*) still work. They just need to be set on the frontend service now
+:::
+
+# Release Notes: Migration from v2.x.x to v3.0.0
+
+- Version: 3.0.0
+- Type: Major Release (Breaking Changes in the GraphAPI)
+- [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.0.0)
+
+## Who Is Affected?
+
+This release introduces a breaking change in the GraphAPI.
+If you are using OpenCloud only through official clients (Web, Desktop, or Mobile), no migration is needed.
+
+If you're using any other software that utilizes the GraphAPI, that software might need to be adjusted to follow the new behavior of the GraphAPI.
+
+## Key Changes
+
+The following endpoints of the GraphAPI were changed in a way that is not backwards compatible with the previous releases:
+
+```http
+GET /v1.0/me/drives/
+GET /v1.0/drives/
+GET /v1beta1/drives/
+GET /v1beta1/me/drives/
+```
+
+:::note
+Due to performance optimizations, these endpoints no longer automatically expand all permissions on the drives root items. If needed, the permissions can be explicitly requested via the appropriate $expand query option.
+:::
diff --git a/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade-4.0.0.md b/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade-4.0.0.md
new file mode 100644
index 000000000..c5631cfb6
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade-4.0.0.md
@@ -0,0 +1,242 @@
+---
+sidebar_position: 30
+id: upgrade-4.0.x
+title: Upgrade 4.0.x
+description: Upgrading to 4.0.x
+draft: false
+---
+
+import Tabs from '@theme/Tabs'
+import TabItem from '@theme/TabItem'
+
+# Upgrading to OpenCloud 4.0.x
+
+This guide explains how to upgrade from the previous stable opencloud_full Compose setup to the new
+[opencloud-compose](https://github.com/opencloud-eu/opencloud-compose.git) repository structure.
+It covers both types of persistent storage used in earlier deployments:
+
+- Bind mounts: host directories mapped into containers.
+- Docker named volumes: volumes managed directly by Docker.
+
+Following this guide, you can safely migrate to the stable v4.0.x release of OpenCloud.
+
+## Before You Begin
+
+- Determine Your Deployment Type: This guide covers two common setups:
+ - Bind Mounts: Config and data are stored in directories on the host machine (e.g., `/mnt/opencloud/config`).
+ - Docker Named Volumes: Config and data are managed by Docker. You will need your `COMPOSE_PROJECT_NAME` to access them.
+- Check Paths: If you are using bind mounts, ensure you know the correct paths on your host system. You can find them by inspecting your current container's `docker run` command or `docker-compose.yml` file (look for `volumes:` sections that map to host paths). For a running container, `docker inspect opencloud_full-opencloud-1` also exposes this information in the `Mounts` section.
+
+## Backup Config and Data
+
+:::important
+Important: Always create a backup before upgrading to prevent data loss.
+We strongly recommend following the [backup documentation](../backup.md)
+and creating copies of your configuration and data directories.
+:::
+
+
+If your config and data are stored in host directories (bind mounts), create a direct copy of these folders.
+
+### Example (adjust paths to match your setup)
+
+```bash
+cp -a /mnt/opencloud/config /mnt/opencloud/config-backup
+cp -a /mnt/opencloud/data /mnt/opencloud/data-backup
+```
+
+
+
+
+
+### Create backup directory
+
+```bash
+mkdir -p ~/opencloud-backups
+```
+
+### Backup config and data
+
+```bash
+docker cp opencloud_full-opencloud-1:/var/lib/opencloud ~/opencloud-backups/data-backup
+docker cp opencloud_full-opencloud-1:/etc/opencloud ~/opencloud-backups/config-backup
+```
+
+
+
+
+
+## Stop OpenCloud
+
+First, gracefully stop your currently running OpenCloud instance:
+
+
+
+
+
+```bash
+docker stop opencloud
+```
+
+
+
+
+
+```bash
+docker compose stop
+```
+
+
+
+
+
+## Pull the 4.0.x Production Release Image
+
+```bash
+docker pull opencloudeu/opencloud:4.0.x
+```
+
+## Update Deployment Configuration
+
+
+
+
+
+### Clone the opencloud-compose Repository
+
+Clone the official opencloud-compose repository onto your server:
+
+```bash
+git clone https://github.com/opencloud-eu/opencloud-compose.git
+cd opencloud-compose
+```
+
+### Migrate Environment Variables
+
+Transfer your existing environment variables to the new opencloud-compose structure. Refer to the [Docker Compose configuration documentation](../../getting-started/container/docker-compose/docker-compose-base.md) for detailed instructions.
+
+
+
+
+
+## Verify Configuration Changes
+
+Go inside the container:
+
+If your config is stored in host directories (change `` to your home directory. In our example it is `/mnt` ):
+
+```bash
+docker run --rm -it --entrypoint /bin/sh -v /opencloud/opencloud-config:/etc/opencloud opencloudeu/opencloud:4.0.x
+```
+
+or, if you use Docker Named Volumes (replace ``with your volume name. In our example it is `opencloud_full_opencloud-config`):
+
+```bash
+docker run --rm -it --entrypoint /bin/sh \
+ -v :/etc/opencloud \
+ opencloudeu/opencloud:4.0.x
+```
+
+Check for configuration changes:
+
+```bash
+opencloud init --diff
+```
+
+Example output:
+
+```bash
+opencloud init --diff
+Do you want to configure OpenCloud with certificate checking disabled?
+ This is not recommended for public instances! [yes | no = default] yes
+running in diff mode
+diff -u /etc/opencloud/opencloud.yaml /etc/opencloud/opencloud.yaml.tmp
+--- /etc/opencloud/opencloud.yaml
++++ /etc/opencloud/opencloud.yaml.tmp
+@@ -3,6 +3,7 @@
+ machine_auth_api_key: k55Y7i3Djeeu4aPPNzM67Q39rf3ZHz^9
+ system_user_api_key: GeTXN@Mj7-4n8Yhuwb&#oq8Gb1hF7Q%^
+ transfer_secret: ANy#T5.IvknED9-Ud39+YmlXzN^TdaKi
++url_signing_secret: zB#FtAYid24Z^DkuBoTllnId=igo!tCO
+ system_user_id: 8cc36d34-cd87-4434-b9e2-726e5553609c
+ admin_user_id: 34a73600-a02c-4064-8aec-341cd1865a71
+ graph:
+
+diff written to /etc/opencloud/opencloud.config.patch
+```
+
+Apply any necessary changes to `/etc/opencloud/opencloud.yaml` based on the diff output. In this example, add `url_signing_secret` to your `opencloud.yaml`.
+
+## Start OpenCloud (v4.0.x)
+
+
+
+
+
+```bash
+docker run \
+ --name opencloud \
+ --rm \
+ -d \
+ -p 9200:9200 \
+ -v $HOME/opencloud/opencloud-config:/etc/opencloud \
+ -v $HOME/opencloud/opencloud-data:/var/lib/opencloud \
+ -e OC_INSECURE=true \
+ -e PROXY_HTTP_ADDR=0.0.0.0:9200 \
+ -e OC_URL=https://localhost:9200 \
+ opencloudeu/opencloud:4.0.x
+```
+
+
+
+
+
+## Important Note for Existing Deployments
+
+If you previously deployed OpenCloud using the project name `opencloud_full` (our earlier example) and are now switching to the official [opencloud-compose](https://github.com/opencloud-eu/opencloud-compose) repository, you may need to specify the original project name to ensure:
+
+- Network compatibility - for services like S3 that need to be on the same network
+- Volume persistence - to access existing Docker volumes
+
+Run the command with your original project name:
+
+```bash
+docker compose -p opencloud_full up -d
+```
+
+Alternatively, set the project name permanently in the .env file:
+
+```bash
+COMPOSE_PROJECT_NAME=opencloud_full
+```
+
+Then use the standard command:
+
+```bash
+docker compose up -d
+```
+
+
+
+
+
+## Verification
+
+Your OpenCloud instance should now be running on `v4.0.x`.
+
+### Essential Checks
+
+- User Accounts — Confirm all users can log in successfully
+- Shared Folders — Verify shared folder permissions and access
+- Public Links — Test that public links remain functional
+- Data Integrity — Ensure all files and folders are accessible
+- Service Health — Check logs for any errors or warnings
+
+## Troubleshooting
+
+If you encounter issues during or after the upgrade:
+
+1. Review the logs for error messages
+2. Consult the [troubleshooting guide](../../resources/common-issues)
+3. Restore from backup if necessary
+4. Contact support or open an issue on [GitHub](https://github.com/opencloud-eu/opencloud/issues)
diff --git a/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade-7.x.x.md b/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade-7.x.x.md
new file mode 100644
index 000000000..0e43df85d
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade-7.x.x.md
@@ -0,0 +1,377 @@
+---
+sidebar_position: 20
+id: upgrade-7.x.x
+title: Upgrade 7.x.x
+description: Upgrading to OpenCloud 7.x.x
+draft: false
+---
+
+import Tabs from '@theme/Tabs'
+import TabItem from '@theme/TabItem'
+
+# Upgrading to OpenCloud 7.x.x
+
+This guide describes how to upgrade an existing OpenCloud deployment to OpenCloud 7.x.x.
+
+The guide applies to upgrades from:
+
+- OpenCloud 6.x rolling
+- OpenCloud 4.0.x stable
+
+It covers the required configuration migration, optional OpenSearch index rebuild, and web extension updates introduced with OpenCloud 7.x.x.
+
+## Before You Start
+
+- Make sure your current deployment is running on OpenCloud 6.x (rolling) or OpenCloud 4.0.x (stable).
+- Create a complete backup of your configuration and data.
+- Make sure you have access to your current `opencloud.yaml`.
+- Verify that your current deployment is healthy before upgrading.
+- Review the OpenCloud 7.x.x [release notes](https://github.com/opencloud-eu/opencloud/releases) before starting the upgrade.
+
+## Back Up Configuration and Data
+
+
+
+
+If your configuration and data are stored in directories on the host, create a copy of these directories.
+
+Example:
+
+```bash
+cp -a /mnt/opencloud/config /mnt/opencloud/config-backup
+cp -a /mnt/opencloud/data /mnt/opencloud/data-backup
+```
+
+Replace the paths with the directories used by your deployment.
+
+
+
+
+
+Create a backup directory and copy the configuration and data from the OpenCloud container.
+
+```bash
+mkdir -p ~/opencloud-backups
+docker cp opencloud-compose-opencloud-1:/etc/opencloud ~/opencloud-backups/config-backup
+docker cp opencloud-compose-opencloud-1:/var/lib/opencloud ~/opencloud-backups/data-backup
+```
+
+Replace `opencloud-compose-opencloud-1` with the name of your OpenCloud container if it differs.
+
+
+
+
+## Update the `opencloud-compose` Checkout
+
+If you use the `opencloud-compose` repository, update your local copy of the repository.
+
+```bash
+cd /opencloud-compose
+git pull
+```
+
+Skip this step if you run OpenCloud with plain Docker.
+
+## Stop OpenCloud
+
+Stop the currently running OpenCloud instance.
+
+
+
+
+```bash
+docker compose stop
+```
+
+
+
+
+
+```bash
+docker stop opencloud
+```
+
+
+
+
+## Pull the OpenCloud 7.x.x Image
+
+Pull the OpenCloud 7.x.x image.
+
+Replace `7.x.x` with the exact image tag for the version you want to install. Available tags are listed on [Docker Hub](https://hub.docker.com/u/opencloudeu).
+
+```bash
+docker pull opencloudeu/opencloud:7.x.x
+```
+
+## Apply the Configuration Migration
+
+OpenCloud 7.x.x includes a breaking configuration change that must be applied before starting the upgraded instance.
+
+### Open a Temporary OpenCloud Container
+
+Open a shell in a temporary OpenCloud 7.x.x container and mount your OpenCloud configuration directory or configuration volume to `/etc/opencloud`.
+
+
+
+
+```bash
+docker run --rm -it --entrypoint /bin/sh -v ":/etc/opencloud" opencloudeu/opencloud:7.x.x
+```
+
+Replace `` with the Docker volume or bind mount that contains your OpenCloud configuration.
+
+
+
+
+
+```bash
+docker run --rm -it --entrypoint /bin/sh -v ":/etc/opencloud" opencloudeu/opencloud:7.x.x
+```
+
+Replace `` with the host directory that contains your `opencloud.yaml`.
+
+
+
+### Generate the Configuration Diff
+
+Inside the temporary container, run:
+
+```bash
+opencloud init --diff
+```
+
+Example output:
+
+```diff
+diff -u /etc/opencloud/opencloud.yaml /etc/opencloud/opencloud.yaml.tmp
+--- /etc/opencloud/opencloud.yaml
++++ /etc/opencloud/opencloud.yaml.tmp
+@@ -90,6 +90,9 @@
+ sharing:
+ events:
+ tls_insecure: false
++service_account:
++ service_account_id: 00000000-0000-0000-0000-000000000000
++ service_account_secret: example-service-account-secret
+ storage_users:
+ events:
+ tls_insecure: false
+
+diff written to /etc/opencloud/opencloud.config.patch
+```
+
+The command creates the following patch file:
+
+```bash
+/etc/opencloud/opencloud.config.patch
+```
+
+### Apply the Configuration Patch
+
+Change to the configuration directory:
+
+```bash
+cd /etc/opencloud
+```
+
+Verify that the patch file was created:
+
+```bash
+ls
+```
+
+Example output:
+
+```bash
+banned-password-list.txt
+csp.yaml
+opencloud.config.patch
+opencloud.yaml
+opencloud.yaml.2026-05-19-15-45-44.backup
+```
+
+Test the patch before applying it:
+
+```bash
+patch --dry-run opencloud.yaml < opencloud.config.patch
+```
+
+Expected output:
+
+```bash
+checking file opencloud.yaml
+```
+
+Apply the patch:
+
+```bash
+patch opencloud.yaml < opencloud.config.patch
+```
+
+Expected output:
+
+```bash
+patching file opencloud.yaml
+```
+
+Verify that the following configuration entries exist in `opencloud.yaml`:
+
+```yaml
+service_account:
+ service_account_id: 00000000-0000-0000-0000-000000000000
+ service_account_secret: example-service-account-secret
+```
+
+### Exit the Temporary Container
+
+Exit the temporary container after applying the configuration patch.
+
+```bash
+exit
+```
+
+## Start OpenCloud
+
+Start OpenCloud with the upgraded image.
+
+
+
+```bash
+docker compose up -d
+```
+
+
+
+
+
+```bash
+docker start opencloud
+```
+
+
+
+
+### ⏳ First Startup After Upgrading to OpenCloud 7.x.x
+
+After upgrading to OpenCloud 7.x.x, the first startup may take several minutes before all Spaces become fully available.
+
+During this period, some Space-related functionality is temporarily restricted:
+
+- Space member lists may be incomplete or incorrect.
+- Space memberships cannot be modified.
+- Creating or deleting Spaces is not possible.
+- Share-related operations may be unavailable until the migration has completed.
+
+#### Background
+
+OpenCloud 7.x.x introduced a new backend mechanism for managing Space memberships. When upgrading from an earlier release, the `sharing` service automatically migrates existing memberships to the new format.
+
+Depending on the number of Spaces and members in your installation, this process may take several minutes to complete.
+
+#### Monitoring Migration Progress
+
+To monitor the migration progress, configure the sharing service log level to `info` before starting the upgrade:
+
+```bash
+OC_LOG_LEVEL=info
+```
+
+or
+
+```bash
+SHARING_LOG_LEVEL=info
+```
+
+With the log level set to `info`, the sharing service writes migration progress information to the logs while the migration is running.
+
+#### Migration Completed
+
+Once the migration has finished successfully, the sharing service writes a completion message to the logs indicating that the migration has been completed.
+
+> **Note:** Migration progress and completion messages are only available when the sharing service log level is configured to `info`.
+
+After the completion message appears in the logs, all Space functionality, including member management, sharing operations, and Space creation or deletion, is available again.
+
+#### Required Configuration Changes
+
+The upgrade also requires a configuration change for the `sharing` service.
+
+Please follow the instructions in the Upgrade Guide and apply the required configuration updates before starting the upgraded version of OpenCloud.
+
+## Rebuild the OpenSearch Index
+
+:::note
+
+This step is only required for instances that use OpenSearch.
+
+:::
+
+OpenCloud 7.x.x introduces a new OpenSearch index structure.
+
+Reference: [OpenSearch Index PR](https://github.com/opencloud-eu/opencloud/pull/2514)
+
+After upgrading, rebuild the search index.
+
+
+
+
+```bash
+docker exec -it opencloud opencloud search index --all-spaces
+```
+
+
+
+
+
+```bash
+docker compose exec opencloud opencloud search index --all-spaces
+```
+
+
+
+
+The indexing process can take longer on larger installations.
+
+## Update Web Extensions
+
+OpenCloud 7.x.x introduces breaking changes in the web client architecture.
+
+Older web extension versions are no longer compatible with OpenCloud 7.x.x and must be updated.
+
+New extension versions are available from:
+
+- The App Store inside the OpenCloud web interface
+- [OpenCloud Web Extensions on GitHub](https://github.com/opencloud-eu/web-extensions/releases)
+
+Download the latest extension versions and follow the [web applications installation guide](../../configuration/web-applications.md).
+
+## Verify the Upgrade
+
+After starting OpenCloud, verify that the instance works as expected.
+
+- Users can log in.
+- Existing shares are still available.
+- Public links work as expected.
+- Project spaces show the correct members and permissions.
+- Search returns expected results after rebuilding the OpenSearch index.
+- The container logs do not show upgrade-related errors.
+
+## Troubleshooting
+
+If issues occur during or after the upgrade:
+
+- Review the OpenCloud container logs.
+- Verify the generated changes in `opencloud.yaml`.
+- Re-run the configuration diff if required.
+- Restore the backup if the instance cannot be recovered.
+- Check the troubleshooting documentation.
+- Open an issue on GitHub if the issue persists.
+
+## Useful Resources
+
+- [OpenCloud Troubleshooting Guide](../../resources/common-issues.md)
+- [OpenCloud GitHub Issues](https://github.com/opencloud-eu/opencloud/issues)
+- [OpenCloud Web Extensions Releases](https://github.com/opencloud-eu/web-extensions/releases)
diff --git a/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade.md b/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade.md
new file mode 100644
index 000000000..342481e6b
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/maintenance/upgrade/upgrade.md
@@ -0,0 +1,276 @@ +--- +sidebar_position: 10 +id: upgrade-guide +title: Standard Upgrade Guide +description: Standard guide for upgrading OpenCloud +draft: false +slug: upgrade-guide +--- + +# Standard Upgrade Guide + +import Tabs from '@theme/Tabs' +import TabItem from '@theme/TabItem' + +This guide provides the standard steps to upgrade OpenCloud for both [docker](../../getting-started/container/docker.md) and [docker compose](../../getting-started/container/docker-compose/docker-compose-base.md) + +## Stop OpenCloud + +Stop the currently running OpenCloud instance: + + + + ```Shell + docker stop opencloud + ``` + + + ```Shell + docker compose stop + ``` + + + +## Back Up Configuration and Data + + + + +If your configuration and data are stored in directories on the host, create a copy of these directories. + +Example: + +```bash +cp -a /mnt/opencloud/config /mnt/opencloud/config-backup +cp -a /mnt/opencloud/data /mnt/opencloud/data-backup +``` + +Replace the paths with the directories used by your deployment. + + + + + +Create a backup directory and copy the configuration and data from the OpenCloud container. + +```bash +mkdir -p ~/opencloud-backups +docker cp opencloud-compose-opencloud-1:/etc/opencloud ~/opencloud-backups/config-backup +docker cp opencloud-compose-opencloud-1:/var/lib/opencloud ~/opencloud-backups/data-backup +``` + +Replace `opencloud-compose-opencloud-1` with the name of your OpenCloud container if it differs. + + + + +## Update the `opencloud-compose` Checkout + +If you use the `opencloud-compose` repository, update your local copy of the repository. + +```bash +cd /opencloud-compose +git pull +``` + +Skip this step if you run OpenCloud with plain Docker. + +## Stop OpenCloud + +Stop the currently running OpenCloud instance. 
+ + + + +```bash +docker compose stop +``` + + + + + +```bash +docker stop opencloud +``` + + + + +## Pull the new OpenCloud image + +Pull the image that matches the release channel you use: + +- `opencloudeu/opencloud-rolling:{tag}` for rolling releases +- `opencloudeu/opencloud:{tag}` for stable releases + +Replace `{tag}` with the image tag for the version you want to install. Available tags are listed on [Docker Hub](https://hub.docker.com/u/opencloudeu). + +```bash +docker pull opencloudeu/opencloud-rolling:{tag} +``` + +## Verify Configuration Changes + +If upgrading from an older release, check for required configuration changes: + +### Open a Temporary OpenCloud Container + +Open a shell in a temporary OpenCloud container and mount your OpenCloud configuration directory or configuration volume to `/etc/opencloud`. + + + + +```bash +docker run --rm -it --entrypoint /bin/sh -v ":/etc/opencloud" opencloudeu/opencloud (or opencloud-rolling):"version-tag" +``` + +Replace `` with the Docker volume or bind mount that contains your OpenCloud configuration. + + + + + +```bash +docker run --rm -it --entrypoint /bin/sh -v ":/etc/opencloud" opencloudeu/opencloud (or opencloud-rolling):"version-tag" +``` + +Replace `` with the host directory that contains your `opencloud.yaml`. + + + + +### Generate the Configuration Diff + +Inside the temporary container, run: + +```bash +opencloud init --diff +``` + +If you see `no changes, your config is up to date`, no further action is needed. + +init -diff + +In that case, [exit the temporary container](#exit-the-temporary-container) and start OpenCloud. + +Otherwise, update your `opencloud.yaml` file accordingly and [apply the patch](#apply-the-configuration-patch). 
+ +Example output: + +```diff +diff -u /etc/opencloud/opencloud.yaml /etc/opencloud/opencloud.yaml.tmp +--- /etc/opencloud/opencloud.yaml ++++ /etc/opencloud/opencloud.yaml.tmp +@@ -90,6 +90,9 @@ + sharing: + events: + tls_insecure: false ++service_account: ++ service_account_id: 00000000-0000-0000-0000-000000000000 ++ service_account_secret: example-service-account-secret + storage_users: + events: + tls_insecure: false + +diff written to /etc/opencloud/opencloud.config.patch +``` + +The command creates the following patch file: + +```bash +/etc/opencloud/opencloud.config.patch +``` + +### Apply the Configuration Patch + +Change to the configuration directory: + +```bash +cd /etc/opencloud +``` + +Verify that the patch file was created: + +```bash +ls +``` + +Example output: + +```bash +banned-password-list.txt +csp.yaml +opencloud.config.patch +opencloud.yaml +opencloud.yaml.2026-05-19-15-45-44.backup +``` + +Test the patch before applying it: + +```bash +patch --dry-run opencloud.yaml < opencloud.config.patch +``` + +Expected output: + +```bash +checking file opencloud.yaml +``` + +Apply the patch: + +```bash +patch opencloud.yaml < opencloud.config.patch +``` + +Expected output: + +```bash +patching file opencloud.yaml +``` + +Verify that the following configuration entries exist in `opencloud.yaml`: + +```yaml +service_account: + service_account_id: 00000000-0000-0000-0000-000000000000 + service_account_secret: example-service-account-secret +``` + +### Exit the Temporary Container + +Exit the temporary container after applying the configuration patch. 
+
+```bash
+exit
+```
+
+## Start OpenCloud with updated image
+
+
+
+ ```Shell
+ docker run \
+ --name opencloud \
+ --rm \
+ -it \
+ -p 9200:9200 \
+ -v $HOME/opencloud/opencloud-config:/etc/opencloud \
+ -v $HOME/opencloud/opencloud-data:/var/lib/opencloud \
+ -e OC_INSECURE=true \
+ -e PROXY_HTTP_ADDR=0.0.0.0:9200 \
+ -e OC_URL=https://localhost:9200 \
+ opencloudeu/opencloud-rolling:{tag}
+ ```
+
+
+ ```Shell
+ docker compose up -d
+ ```
+
+
+
+## Conclusion
+
+Make sure that all previously created data, users, shared files, public links exist.
diff --git a/versioned_docs/version-7.x/admin/resources/_category_.json b/versioned_docs/version-7.x/admin/resources/_category_.json
new file mode 100644
index 000000000..ca4df7ca0
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/resources/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Resources",
+ "position": 7
+}
diff --git a/versioned_docs/version-7.x/admin/resources/common-issues.md b/versioned_docs/version-7.x/admin/resources/common-issues.md
new file mode 100644
index 000000000..fab2bd8bc
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/resources/common-issues.md
@@ -0,0 +1,245 @@ +--- +sidebar_position: 4 +id: common-issues +title: Common Issues & Help +description: Common issues & help +draft: false +--- + +# Common Issues & Help + +## Check whether the containers are running + +```bash +docker ps +``` + +Admin general + +Several containers should be listed here, e.g., for opencloud, traefik, etc. + +## Accept Self-Signed Certificates + +As the local environment is self-signed, you must accept the security risk in your browser. + +For Firefox: + +You need to click on Advanced + +Admin general + +Confirm the risk with Accept the risk and Continue + +Admin general + +## Docker Permission Issues + +If your Docker Compose setup fails to start and the logs contain messages such as `permission denied`, it's likely due to incorrect ownership of local directories used by the containers. + +Example log output: + +```bash +opencloud-1 | {"level":"fatal","service":"nats","time":"2025-04-08T09:59:59Z","line":"github.com/opencloud-eu/opencloud/services/nats/pkg/logging/nats.go:33","message":"Can't start JetStream: could not create storage directory - mkdir /var/lib/opencloud/nats: permission denied"} +``` + +This error typically occurs when the mounted directories are owned by the wrong user, such as `root`, instead of the standard Docker user (`UID 1000`). + +Incorrect directory ownership: + +```bash +drwxr-xr-x 3 root root 4096 Apr 8 09:59 opencloud-data +``` + +Correct ownership should be: + +```bash +drwxr-xr-x 9 1000 1000 4096 Apr 7 07:57 opencloud-data +``` + +To resolve this issue, adjust the ownership of the directory using the `chown` command: + +```bash +chown -R 1000:1000 opencloud-data +``` + +:::caution +Security Warning + +The user with UID 1000 on your host system will have full access to these mounted directories. This means that any local user account with this ID can read, modify, or delete OpenCloud config and data files. + +This can pose a security risk in shared or multi-user environments. 
Make sure to implement proper user and permission management and consider isolating access to these directories. + +::: + +Ensure you apply this to all relevant folders that are mounted into your containers. This will grant the Docker container the necessary permissions to access and write to these directories. + +## Change Admin Password Set in `.env` + +If you initially set the OpenCloud admin password using the `.env` file, please note: + +:::caution +You cannot simply change the password again by editing the `.env` file. +Once the container is running, password changes must be made via the Web UI or terminal. +::: + +### Option 1: Change via Web UI + +If the current admin password is known: + +1. Log in to the OpenCloud Web Interface. +2. Navigate to Settings > Security. +3. Enter your current password and choose a new one. + +> If the admin password is forgotten or you prefer command-line tools, use the terminal method below. + +### Option 2: Change via Terminal + +If the admin password is forgotten or needs to be changed via the terminal: + +#### Stop the Docker container + +First, stop your OpenCloud container: + +```bash +docker compose stop opencloud +``` + +#### Run the password reset command + +Use the following command to reset the password: + +```bash +sudo docker run -it --rm -v :/var/lib/opencloud -v :/etc/opencloud opencloudeu/opencloud: idm resetpassword +``` + +#### Replace + +`` – Docker volume for OpenCloud data + +`` – Docker volume for OpenCloud config + +`` – Use latest or your specific version + +🔍 How to find the volume names +You can list your current Docker volumes with: + +```bash +docker volume ls +``` + +Look for volumes like: + +`opencloud-compose_opencloud-data` + +`opencloud-compose_opencloud-config` + +#### Example for standard setup + +```bash +sudo docker run -it --rm -v opencloud-compose_opencloud-data:/var/lib/opencloud -v opencloud-compose_opencloud-config:/etc/opencloud opencloudeu/opencloud:latest idm resetpassword +``` + 
+#### Start the container again + +```bash +docker compose up -d +``` + +## Internal LibreIDM cert expires + +### 🔧 Renewing an expired certificate in internal IDM (OpenCloud) + +When using the internal IDM (LibreIDM), the LDAP certificate may expire over time. +You can see similar errormessages in your logfiles: + +```bash +opencloud-1 | 2026-03-10T14:10:36Z WRN core access token not set host.name=3133c92656c8 pkg=rhttp service=frontend traceid=2da2886cf47f0143876953ee33f814a9 +opencloud-1 | 2026-03-10T14:10:36Z ERR failed to build subject.session error="invalid key format" service=proxy +opencloud-1 | 2026-03-10T14:10:36Z ERR handleConnection ber.ReadPacket error="remote error: tls: bad certificate" service=idm +opencloud-1 | 2026-03-10T14:10:37Z ERR could not get ldap Connection error="LDAP Result Code 200 \"Network Error\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-03-10T14:10:37Z is after 2026-03-04T10:02:39Z" service=graph +opencloud-1 | 2026-03-10T14:10:37Z ERR failed to add user error="LDAP Result Code 200 \"Network Error\": tls: failed to verify certificate: x509: certificate has expired or is not yet valid: current time 2026-03-10T14:10:37Z is after 2026-03-04T10:02:39Z" request-id=3133c92656c8/LlC0SVlYb4-000023 service=graph +opencloud-1 | 2026-03-10T14:10:37Z ERR handleConnection ber.ReadPacket error="remote error: tls: bad certificate" service=idm +opencloud-1 | 2026-03-10T14:10:37Z ERR could not create user: backend error error="generalException: failed to add user" request-id=3133c92656c8/LlC0SVlYb4-000023 service=graph +opencloud-1 | 2026-03-10T14:10:37Z WRN Error Response OData Error="failed to add user" service=proxy +opencloud-1 | 2026-03-10T14:10:37Z ERR Error creating user error="500 Internal Server Error" service=proxy +opencloud-1 | 2026-03-10T14:10:37Z ERR Autoprovisioning user failed error="500 Internal Server Error" service=proxy +``` + +#### 🛠️ Solution + +Navigate to the IDM 
directory + +```bash +cd .opencloud/idm +``` + +Delete the old certificates + +```bash +rm ldap.crt ldap.key + +Directory structure: + +.opencloud/idm +├── idm.boltdb +├── ldap.crt +└── ldap.key +``` + +Restart the OpenCloud container + +```bash +docker compose restart +``` + +➡️ The certificates will be automatically regenerated on restart. + +#### ⚠️ Recommendation + +Admins should avoid using LibreIDM in production and use OpenLDAP instead. + +## Login fails with LDAP Result Code 49 (Invalid Credentials) + +When using the built-in IDM (LibreIDM), login can fail with `Unexpected HTTP response: +500` in the browser, and the logs show the internal directory rejecting a bind: + +```bash +opencloud-1 | {"level":"error","service":"idm","bind_dn":"uid=idp,ou=sysusers,o=libregraph-idm","op":"bind","message":"not found"} +opencloud-1 | {"level":"error","service":"idp","error":"ldap identifier backend logon connect error: LDAP Result Code 49 \"Invalid Credentials\": ","message":"identifier failed to logon with backend"} +``` + +The built-in IDM seeds its service-account passwords once, at first start, into a +bolt-store on the data volume (`idm.boltdb`), matching the values `opencloud init` +writes into `opencloud.yaml` on the config volume. The bind fails when the two volumes +are no longer from the same `init`. The `idm` line reads either `not found` or +`invalid credentials`; both mean the same mismatch. This usually comes from setting an +internal LDAP password in the environment, or from reusing one volume (for example a +restored or carried-over data volume) without the other. + +### Solution + +With the built-in IDM, do not set the internal LDAP or service passwords in `.env` or +the environment. Let `opencloud init` generate them, and keep only +`INITIAL_ADMIN_PASSWORD`. + +Treat `opencloud.yaml` (config volume) and the data volume as one set. When you back +up, restore, or move the instance, keep them together and from the same point in time. 
+ +If you do not need the existing data, remove both volumes so `init` generates a +matching set, then start again: + +```bash +docker compose down +docker volume rm opencloud-compose_opencloud-config opencloud-compose_opencloud-data +docker compose up -d +``` + +:::caution +Deleting `idm.boltdb` alone may not be enough: it is re-seeded from the current config, +but a bind password still set in the environment keeps the two sides out of sync. +::: + +### Recommendation + +The built-in IDM is intended for testing and small installations. For production, use +an external identity provider, for example Keycloak with an external LDAP. diff --git a/versioned_docs/version-7.x/admin/resources/demo-user.md b/versioned_docs/version-7.x/admin/resources/demo-user.md new file mode 100644 index 000000000..957bfe5d9 --- /dev/null +++ b/versioned_docs/version-7.x/admin/resources/demo-user.md 
@@ -0,0 +1,97 @@ +--- +sidebar_position: 5 +id: demo-user +title: Demo User +description: Demo User Overview +draft: false +--- + +# Demo User Overview + +This page introduces the pre-configured demo users available in OpenCloud. These users are designed to help you explore the platform’s features, test different roles, and experience OpenCloud from various perspectives without setting up new accounts. + +Each demo user has specific permissions and access levels, allowing you to simulate real-world scenarios such as admin management, file sharing, and collaboration. + +Below, you’ll find details about each user, including their roles and login credentials. + +| Name | User Name | Password | Role | Group membership | +| :------------------ | :-------: | :------: | :---------: | :----------------------------------------------: | +| Dennis Ritchie | dennis | demo | Admin | basic-haters, programmers, unix-lovers, users | +| Margaret Hamilton | margaret | demo | Space Admin | apollos, programmers, users | +| Alan Turing | alan | demo | User | chess-lovers, machine-lovers, programmers, users | +| Lynn Conway | lynn | demo | User | programmers, users, vlsi-lovers | +| Mary Kenneth Keller | mary | demo | User | bible-readers, users | + +## Dennis Ritchie + +OpenCloud Username: dennis + +Role: Admin + +Co-developer of UNIX & inventor of the C programming language + +Dennis Ritchie + +- Studied physics and applied mathematics at Harvard University +- Worked at Bell Labs from 1967, where he developed the first version of the Unix operating system +- Died in 2011, but his influence on modern software development remains immeasurable + +## Margaret Hamilton + +OpenCloud Username: margaret + +Role: Space Admin + +Software pioneer & NASA developer + +Margaret Hamilton + +- Studied mathematics at Earlham College +- Developed the on-board flight software for NASA as a software engineer at MIT +- Her work was crucial to the success of the Apollo 11 mission in 1969 +- From 1976 to 
1984, she was the Managing Director of Higher Order Software (HOS) + +## Alan Turing + +OpenCloud Username: alan + +Role: User + +Father of modern computer science & codebreaker in the Second World War + +Alan Turing + +- British logician, mathematician, and computer scientist +- Developed the theoretical foundations of modern computer technology +- Made a decisive contribution to the decryption of the German Enigma cipher +- Was discriminated against and persecuted because of his homosexuality + +## Lynn Conway + +OpenCloud Username: lynn + +Role: User + +Computer scientist & microchip design pioneer + +Lynn Conway + +- Studied electrical engineering at Columbia University +- Developed VLSI design methodology, revolutionizing microchip development +- Worked at IBM, but was dismissed after gender transition; later contributed at Xerox PARC +- Professor of electrical engineering and computer science at the University of Michigan +- Advocate for transgender rights and diversity in STEM fields + +## Mary Kenneth Keller + +OpenCloud Username: mary + +Role: User + +First woman with a PhD in computer science + +Mary Kenneth Keller + +- Was a nun and studied mathematics (Bachelor & Master of Science) +- First woman to work at Dartmouth College's Computer Science Center +- Founded and chaired the first computer science department at Clarke University, Iowa, for over 20 years diff --git a/versioned_docs/version-7.x/admin/resources/faq.md b/versioned_docs/version-7.x/admin/resources/faq.md new file mode 100644 index 000000000..35ba2b575 --- /dev/null +++ b/versioned_docs/version-7.x/admin/resources/faq.md @@ -0,0 +1,342 @@ +--- +sidebar_position: 1 +id: faq +title: FAQ +description: Frequently asked questions FAQ +draft: false +--- + +# FAQ + +Welcome to the frequently asked questions (FAQ). Here you will find answers to the most common questions. + +## General Questions + +
+What problem does OpenCloud solve for me? + +### Simplified Administration + +OpenCloud is designed to be straightforward to set up and manage, allowing administrators to handle the system with minimal effort and without unnecessary complexity. + +### Independent File-sharing + +OpenCloud is designed to give you a privacy-focused alternative to mainstream platforms like Microsoft OneDrive or Google Drive, freeing you from reliance on big tech services and their data-collection practices. + +
+ +
+How does OpenCloud differ from other open source file sharing applications? + +OpenCloud is simpler and more reliable than existing PHP-based solutions. OpenCloud stands out by offering a radically simplified architecture compared to other open-source file-sharing solutions. While many alternatives require maintaining complex stacks involving multiple components like PHP, MySQL, Redis, and Apache — creating a web of dependencies and potential security risks—OpenCloud avoids this entirely. It writes data directly to disk instead of relying on a dedicated database, making it much easier to maintain and far more reliable. With OpenCloud, you can focus on your files without worrying about intricate setups or data loss risks. + +
+ +
+Is OpenCloud 100% open source? + +Yes. The source code of OpenCloud is licenced under the Apache 2 licence. + +
+ +## Cost and Licensing + +
+Is OpenCloud free to use? + +Yes, please! + +
+ +
+Can I use it for commercial purposes? + +Absolutely! + +
+ +
+If OpenCloud is free, how are the employees paid? + +We're glad you asked. +We provide a paid support subscription, see [https://opencloud.eu/en/product/service-and-support](https://opencloud.eu/en/product/service-and-support). With a support subscription you’ll be the first to know about security vulnerabilities and receive detailed instructions on how to address them or how to integrate OpenCloud into your existing systems and storage. We also provide Long-Term-Support if you don't want to upgrade your system so frequently. + +
+ +
+Are there educational or non-profit discounts or support plans? + +Please contact sales for such inquiries and we'll find a good solution. + +
+ +## Privacy and Security + +
+Does OpenCloud comply with privacy regulations such as GDPR or HIPAA? + +Yes, of course! + +
+ +## Features and Functionality + +
+What types of files can I store and share with OpenCloud? + +No restrictions. You can store and share any filetype. If necessary, you can restrict the upload of certain filetypes like .exe or documents with macros like xlsm. + +
+ +
+Is there an upload file size limit in OpenCloud? + +Nope. + +
+ +
+Does OpenCloud support real-time collaboration and editing? + +Yes. We use the WOPI standard for realtime collaboration in the web office application Collabora. + +
+ +
+Can I create and manage user accounts and permissions? + +Yes, you can either use the built-in user management system or integrate OpenCloud with your existing identity management. + +
+ +
+Are there mobile apps, and do they offer the same features as the desktop version? + +We provide apps for Windows, MacOS, Linux, iOS and Android. Please refer to the roadmap to see when the apps will be available: [https://opencloud.eu/roadmap](https://opencloud.eu/roadmap) + +
+ +
+Does OpenCloud support versioning? + +Yes. In case you made a mistake, you can always jump back to older versions of a file. We got your back! + +
+ +## Deployment and Installation + +
+Can I self-host OpenCloud on my own server? + +Yes and we encourage you to do so! (We do not provide a SaaS service that stores your files on our servers, like Google Drive or Microsoft OneDrive do.) + +
+ +
+What are the system requirements for hosting OpenCloud? + +The system requirements for hosting OpenCloud depend heavily on the number of concurrent users and the workload they generate, such as the frequency of their requests. OpenCloud is versatile—it can run on anything from a Raspberry Pi to a large data center setup. + +For example, a Raspberry Pi 4 can support hundreds of registered users, but the key factor is the number of users actively using the system at the same time. Concurrent users, especially those using desktop or mobile clients (which frequently check for updates), require more resources. Additional features like the web office integration Collabora or antivirus scanning also impact performance. + +For a minimal setup, OpenCloud can comfortably support 20 concurrent users browsing files via the web interface. As your user base or workload increases, scaling the hardware accordingly will ensure smooth performance. A factor to scale performance is just to add storage, as OpenCloud needs storage IOPS for performance. + +Key Factors for Optimal Performance: + +- Storage IOPS: The performance of OpenCloud highly relies on the amount of IOPS of your storage - the more, the better. +- Network throughput: Another factor for enhancing the performance of OpenCloud is network throughput in distributed storage. + +
+ +
+How difficult is it to set up, and is technical expertise required? + +One of our goals is to make the deployment of OpenCloud as simple as possible. Depending on your experience, it's possible to set up a basic OpenCloud instance in less than 1 minute. See [the Quick Start](https://docs.opencloud.eu/docs/admin) + +
+ +
+Can it be deployed in a Docker or Kubernetes environment? + +Yes. + +- Docker Compose: The docker compose files are maintained and tested by us. +- Community HELM charts: Feel free to contribute! + +
+ +## Customization and Extensibility + +
+Can I add modifications like add-ons or extensions? + +Yes, OpenCloud allows you customizations: + +- Wordings: You can replace specific terms, such as changing the word “Spaces” to “Datarooms” to better fit your terminology. +- Extensions: The web UI also supports custom web extensions. Check out our developer documentation [here] to learn how to get started with creating and adding your own extensions and find existing extensions [here]. + +
+ +## Collaboration and Sharing + +
+How does file sharing work within OpenCloud? + +OpenCloud offers three main ways to share files, making it easy to collaborate and manage access: + +### Personal Share + +Share files with registered users within your organization. You can assign permissions such as view, edit, or download, providing flexible control over file access. + +### Share via Link + +Share files with anyone, even outside your organization, by generating a link. No account is required for accessing the file. + +### Spaces + +Spaces are user-independent datarooms that belong to the organization rather than an individual. This ensures files remain within the organization, even if users leave. Examples of Spaces include school classes, collaborative projects, or organizational units like Marketing, Sales, or Finance. Spaces are easier for admins to manage, as they can be self-managed by designated users. + +### Special Feature: Secret File Drop + +The Secret File Drop allows anonymous users to securely upload files (e.g., homework, photos or even whistleblower material) without needing an account. + +
+ +
+Can I share files with external users? + +Yes. You can share files with anyone, even outside your organization, by generating a link. No account is required for accessing the file. Link sharing can be disabled if needed. + +
+ +
+Does it support federated sharing between different instances? + +Yes, federated sharing is possible via Open Cloud Mesh (OCM). This feature allows you to securely share files and collaborate across different instances, even if they are hosted by different organizations. + +For example, a company with multiple branches in different regions could use OCM to share files between instances, enabling collaboration across teams while maintaining control over local data. + +
+ +
+Are there limits on the number of users or size of files shared? + +No. + +
+ +## Data Management + +
+Where is my data stored, and can I choose the storage location? + +OpenCloud is a fully self-hosted (on-premise) solution, meaning you have complete control over where your data is stored. You can choose the server and country where OpenCloud will be installed. Unlike SaaS services like Google Drive or Microsoft OneDrive, which store your files on their servers, OpenCloud gives you full control over your data, ensuring privacy and security on your terms. + +
+ +
+Does it support integration with third-party storage solutions like S3 Storage? + +Yes, the following storage can be used: + +- Posix Storage +- S3ng +- Ceph + +
+ +## Support and Community + +
+How often is OpenCloud updated, and how are updates delivered? + +Download updates on download.opencloud.eu or via docker hub. + +OpenCloud is released in three different release types: Production, Rolling and Daily. Each of them is targeted to a specific use case and audience group. + +
+ +## Migration + +
+Can I migrate from ownCloud or Nextcloud? + +Yes, there will be a migration available in 2025. + +
+ +## Compliance and Legal + +
+Is OpenCloud compliant with GDPR (DSGVO) or HIPAA? + +Yes, of course! + +
+ +
+Is the OpenCloud Web UI accessible according to EN 301 549 / WCAG / BITV 2.0? + +Yes, the OpenCloud Web UI is accessible according to EN 301 549, WCAG, and BITV 2.0. We believe that accessibility is important for everyone, not just for individuals with disabilities, as it benefits all users at some point in their lives. + +As we release new features every 3 weeks, we ensure that accessibility is integrated into the feature development lifecycle. While we strive to maintain high accessibility standards, we’re only human and occasional mistakes may happen. If a new feature unintentionally impacts accessibility, we treat it as a bug and address it in the next release. + +If you encounter any accessibility violations, please let us know so we can promptly resolve the issue. + +
+ +
+Can access controls and permissions be configured to meet regulatory requirements? + +Yes, OpenCloud offers robust access control and permission settings that can be fully configured to meet various regulatory requirements. You can define user roles, assign specific permissions, and set up granular access controls to ensure compliance with industry standards and regulations such as GDPR, HIPAA, and others. With OpenCloud, you have the flexibility to control who accesses your data, what actions they can perform, and how data is shared, ensuring that your system remains secure and compliant with the required regulations. + +
+ +
+How does it handle requests for data access or deletion under GDPR? + +OpenCloud provides users with the ability to trigger a GDPR Export in a self-service manner. This export generates a detailed report of all personal data stored in the context of OpenCloud, excluding the user’s own files. The report includes relevant data related to the user’s account and activity within the system, ensuring transparency and compliance with GDPR requirements. For the deletion of personal files, users have full control to manage and remove their own data as needed. + +
+ +## Miscellaneous + +
+Does OpenCloud offer multi-language support? + +Yes, OpenCloud fully maintains both English and German languages. Additionally, the web UI offers support for other languages, which are listed below. Please note that these languages are not 100% translated and are maintained by the community on a best-effort basis. We appreciate the contributions from our community to help improve the language support over time. + +Community maintained languages: + +- Albanian +- Afrikaans +- Arabic +- Bosnian +- Bulgarian +- Chinese +- Croatian +- Czech +- Estonian +- French +- Galician +- Georgian +- Greek +- Hebrew +- Indonesian +- Italian +- Japanese +- Korean +- Dutch +- Polish +- Portuguese +- Romanian +- Russian +- Serbian +- Sinhala +- Slovak +- Spanish +- Swedish +- Turkish +- Ukrainian + +
diff --git a/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-accept-security-risk.png b/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-accept-security-risk.png
new file mode 100644
index 000000000..696068732
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-accept-security-risk.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-advanced.png b/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-advanced.png
new file mode 100644
index 000000000..ce4ef77f2
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-advanced.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-docker-running.png b/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-docker-running.png
new file mode 100644
index 000000000..5e0cde78b
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/common-issues/quick-docker-running.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/demo-user/admin.png b/versioned_docs/version-7.x/admin/resources/img/demo-user/admin.png
new file mode 100644
index 000000000..6c6a319d5
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/demo-user/admin.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/demo-user/alan-turing.png b/versioned_docs/version-7.x/admin/resources/img/demo-user/alan-turing.png
new file mode 100644
index 000000000..7adc97d2d
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/demo-user/alan-turing.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/demo-user/dennis-ritchie.png b/versioned_docs/version-7.x/admin/resources/img/demo-user/dennis-ritchie.png
new file mode 100644
index 000000000..baa33575b
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/demo-user/dennis-ritchie.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/demo-user/lynn-conway.png b/versioned_docs/version-7.x/admin/resources/img/demo-user/lynn-conway.png
new file mode 100644
index 000000000..dc0892b14
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/demo-user/lynn-conway.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/demo-user/margaret-hamilton.png b/versioned_docs/version-7.x/admin/resources/img/demo-user/margaret-hamilton.png
new file mode 100644
index 000000000..023748be3
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/demo-user/margaret-hamilton.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/demo-user/mary-kenneth-keller.png b/versioned_docs/version-7.x/admin/resources/img/demo-user/mary-kenneth-keller.png
new file mode 100644
index 000000000..699ac4962
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/demo-user/mary-kenneth-keller.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/lifecycle/Release Cycle OpenCloud.png b/versioned_docs/version-7.x/admin/resources/img/lifecycle/Release Cycle OpenCloud.png
new file mode 100644
index 000000000..9b950d111
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/lifecycle/Release Cycle OpenCloud.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/img/lifecycle/semver.png b/versioned_docs/version-7.x/admin/resources/img/lifecycle/semver.png
new file mode 100644
index 000000000..c8181a00d
Binary files /dev/null and b/versioned_docs/version-7.x/admin/resources/img/lifecycle/semver.png differ
diff --git a/versioned_docs/version-7.x/admin/resources/index.md b/versioned_docs/version-7.x/admin/resources/index.md
new file mode 100644
index 000000000..7f0ac6336
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/resources/index.md
@@ -0,0 +1,18 @@
+---
+sidebar_position: 0
+id: admin-resources
+title: Resources
+description: Helpful resources for OpenCloud administrators
+---
+
+# Resources
+
+Use this section for troubleshooting, lifecycle information, and general admin help.
+
+## In this section
+
+- [FAQ](./faq.md)
+- [What's New](./whats-new.md)
+- [Release Lifecycle](./lifecycle.md)
+- [Common Issues & Help](./common-issues.md)
+- [Demo User](./demo-user.md)
diff --git a/versioned_docs/version-7.x/admin/resources/lifecycle.md b/versioned_docs/version-7.x/admin/resources/lifecycle.md
new file mode 100644
index 000000000..6e3b91f58
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/resources/lifecycle.md
@@ -0,0 +1,88 @@
+---
+sidebar_position: 2
+id: lifecycle
+title: Release Lifecycle
+description: Release Lifecycle
+draft: false
+---
+
+import Tabs from '@theme/Tabs';
+import TabItem from '@theme/TabItem';
+
+## Release Types
+
+OpenCloud offers three release types to suit different needs: Rolling, Production, and LTS. For most users, Rolling is ideal, providing the latest features every few weeks. Production focuses on stability. LTS (Long-Term Support Release) is designed specifically for businesses that need longevity and extended backports.
+
+Release types
+
+### Advantage of the LTS Releases
+
+With LTS, businesses can continue using an older production release without needing to upgrade to the latest version, while still receiving critical security patches and critical stability fixes. This makes LTS the perfect choice for organizations seeking a stable long-term solution. LTS is available exclusively to customers with a service and support entitlement through a enterprise license.
+
+| Rolling | Production | LTS |
+| :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|
  • For enthusiasts
  • Contains latest features
  • Every 3 weeks
  • Automated quality assurance
  • Community supported
  • Documentation on best effort
|
  • For production
  • Focus on stability
  • About every 6 months
  • Full quality assurance
  • Professional support
  • Documented
|
  • For production
  • Focus on longevity
  • Backports for 2 years
  • Full quality assurance
  • Professional support
  • Documented
|
+
+## Release Dates
+
+
+
+ | Version | Release Date | Release Notes & Download|
+ |:--------|:-------------|:--------------|
+ | v7.1.0 | 2026 June 2 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v7.1.0) |
+ | v7.0.0 | 2026 May 21 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v7.0.0) |
+ | v6.2.0 | 2026 May 11 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v6.2.0) |
+ | v6.1.0 | 2026 April 20 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v6.1.0) |
+ | v6.0.0 | 2026 March 30 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v6.0.0) |
+ | v5.2.0 | 2026 March 9 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v5.2.0) |
+ | v5.1.0 | 2026 February 16 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v5.1.0) |
+ | v5.0.2 | 2026 February 5 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v5.0.2) |
+ | v5.0.1 | 2026 January 28 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v5.0.1) |
+ | v5.0.0 | 2026 January 26 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v5.0.0) |
+ | v4.1.0 | 2025 December 15 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.1.0) |
+ | v3.7.0 | 2025 November 3 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.7.0) |
+ | v3.6.0 | 2025 October 27 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.6.0) |
+ | v3.5.0 | 2025 September 22 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.5.0) |
+ | v3.4.0 | 2025 September 2 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.4.0) |
+ | v3.3.0 | 2025 August 11 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.3.0) |
+ | v3.2.0 | 2025 July 21 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.2.0) |
+ | v3.1.0 | 2025 June 30 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.1.0) |
+ | v3.0.0 | 2025 June 10 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v3.0.0) |
+ | v2.3.0 | 2025 May 19 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.3.0) |
+ | v2.2.0 | 2025 April 28 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.2.0) |
+ | v2.1.0 | 2025 April 07 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.1.0) |
+ | v2.0.0 | 2025 March 26 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.0) |
+ | v1.1.0 | 2025 March 18 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v1.1.0) |
+ | v1.0.0 | 2025 February 24 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v1.0.0) |
+
+
+
+ | Version | Release Date | Release Notes & Download |
+ |:--------|:-------------|:--------------|
+ | - | 2026 October 26 | Production Release |
+ | - | 2026 June 22 | Production Release |
+ | v4.0.7 | 2026 May 18 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.7) |
+ | v4.0.6 | 2026 April 29 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.6) |
+ | v4.0.5 | 2026 April 8 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.5) |
+ | v4.0.4 | 2026 March 30 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.4) |
+ | v4.0.3 | 2026 February 5 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.3) |
+ | v4.0.2 | 2026 February 5 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.2) |
+ | v4.0.1 | 2025 December 15 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.1) |
+ | v4.0.0 | 2025 December 1 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v4.0.0) |
+ | v2.0.5 | 2025 October 29 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.5) |
+ | v2.0.4 | 2025 July 16 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.4) |
+ | v2.0.3 | 2025 June 10 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.3) |
+ | v2.0.2 | 2025 May 2 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.2) |
+ | v2.0.1 | 2025 April 28 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.1) |
+ | v2.0.0 | 2025 March 26 | [Details · Download](https://github.com/opencloud-eu/opencloud/releases/tag/v2.0.0) |
+
+
+ LTS Releases will be availabile as the second Production Releases will be published. Until then a LTS release makes no sense.
+
+
+
+## Versioning Scheme: Semantic Versioning
+
+OpenCloud follows [Semantic Versioning](https://semver.org/), also known as SemVer. Version numbers are structured as MAJOR.MINOR.PATCH. Breaking changes increase the MAJOR version, new backward-compatible features increase the MINOR version, and backward-compatible bug fixes increment the PATCH version.
+
+Semantic Versioning
diff --git a/versioned_docs/version-7.x/admin/resources/whats-new.md b/versioned_docs/version-7.x/admin/resources/whats-new.md
new file mode 100644
index 000000000..a8e6f7343
--- /dev/null
+++ b/versioned_docs/version-7.x/admin/resources/whats-new.md
@@ -0,0 +1,11 @@
+---
+sidebar_position: 1
+id: whats-new
+title: What's New
+description: Release notes
+draft: false
+---
+
+# Release notes
+
+Please find the [Release notes on Github](https://github.com/opencloud-eu/opencloud/releases/latest).
diff --git a/versioned_docs/version-7.x/dev/cdperf.md b/versioned_docs/version-7.x/dev/cdperf.md
new file mode 100644
index 000000000..a13c70c32
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/cdperf.md
@@ -0,0 +1,7 @@
+---
+id: cdperf
+title: cdPerf
+custom_edit_url: https://github.com/opencloud-eu/opencloud/edit/main/docs/cdperf.md
+---
+
+The cdPerf documentation can be found here.
diff --git a/versioned_docs/version-7.x/dev/index.md b/versioned_docs/version-7.x/dev/index.md
new file mode 100644
index 000000000..42e8fff52
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/index.md
@@ -0,0 +1,15 @@
+---
+sidebar_position: 1
+title: Welcome
+custom_edit_url: https://github.com/opencloud-eu/opencloud/edit/main/docs/intro.md
+---
+
+# Welcome
+
+Welcome to the OpenCloud Developer Documentation.
+
+Please be patient, we are working on the content.
+
+If you want to contribute to the dev docs, please visit [OpenCloud on Github](https://github.com/opencloud-eu/).
+
+Contents will be transferred during the build process.
diff --git a/versioned_docs/version-7.x/dev/server/_category_.json b/versioned_docs/version-7.x/dev/server/_category_.json
new file mode 100644
index 000000000..2d1556d73
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Server",
+ "position": 2
+}
diff --git a/versioned_docs/version-7.x/dev/server/apis/_category_.json b/versioned_docs/version-7.x/dev/server/apis/_category_.json
new file mode 100644
index 000000000..c345e05a4
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Apis",
+ "position": 1
+}
\ No newline at end of file
diff --git a/versioned_docs/version-7.x/dev/server/apis/grpc_apis/index.md b/versioned_docs/version-7.x/dev/server/apis/grpc_apis/index.md
new file mode 100644
index 000000000..5b6aa07e8
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/grpc_apis/index.md
@@ -0,0 +1,52 @@
+---
+title: gRPC
+sidebar_position: 2
+---
+
+## **R**emote   **P**rocedure   **C**alls
+
+[gRPC](https://grpc.io) is a modern open source high performance Remote Procedure Call (RPC) framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed computing to connect devices, mobile applications and browsers to backend services.
+
+## Advantages of gRPC
+
+### 🚀 Performance
+
+gRPC uses http/2 by default and is faster than REST. When using protocol buffers for encoding, the information comes on and off the wire much faster than JSON. Latency is an important factor in distributed systems. JSON encoding creates a noticeable factor of latency. For distributed systems and high data loads, gRPC can actually make an important difference. Other than that, gRPC supports multiple calls via the same channel and the connections are bidirectional. A single connection can transmit requests and responses at the same time. gRPC keeps connections open to reuse the same connection again which prevents latency and saves bandwidth.
+
+### 🛡️ Robustness
+
+gRPC empowers better relationships between clients and servers. The rules of communication are strictly enforced. That is not the case in REST calls, where the client and the server can send and receive anything they like and hopefully the other end understands what to do with it. In gRPC, to make changes to the communication, both client and server need to change accordingly. This prevents mistakes specially in microservice architectures.
+
+### 🔍 Debuggability
+
+gRPC requests are re-using the same context and can be tracked or traced across multiple service boundaries.
+This helps to identify slow calls and see what is causing delays. It is possible to cancel requests which cancels
+them on all involved services.
+
+### 📦 Microservices
+
+gRPC has been evolving and has become the best option for communication between microservices because of its unmatched
+performance and its polyglot nature. One of the biggest strengths of microservices is the freedom of programming
+languages and technologies. By using gRPC we can leverage all the advantages of strictly enforced communication
+standards combined with freedom of choice between different programming languages - whichever would fit best.
+
+:::info gRPC Advantages
+
+- http/2
+- protocol buffers
+- reusable connections
+- multi language support
+
+:::
+
+## CS3 APIs
+
+![CS3 Organization](/img/cs3org.png)
+
+The [CS3 APIs](https://github.com/cs3org/cs3apis) connect storages and application providers.
+
+The CS3 APIs follow Google and Uber API design guidelines, specially on error handling and naming convention. You can read more about these
+guidelines at [Google Api Design](https://cloud.google.com/apis/design) and [Uber Protocol](https://github.com/uber/prototool/blob/dev/style/README.md).
+
+The CS3 APIs use [Protocol Buffers version 3 (proto3)](https://github.com/protocolbuffers/protobuf) as their
+Interface Definition Language (IDL) to define the API interface and the structure of the payload messages.
diff --git a/versioned_docs/version-7.x/dev/server/apis/http/authorization.md b/versioned_docs/version-7.x/dev/server/apis/http/authorization.md
new file mode 100644
index 000000000..d215dadf0
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/http/authorization.md
@@ -0,0 +1,142 @@
+---
+title: Authorization
+sidebar_position: 40
+---
+
+In its default configuration, OpenCloud supports three authentication methods as outlined on the [OIDC official site](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3):
+
+1. Authorization Code Flow
+2. Implicit Flow
+3. Hybrid Flow
+
+For detailed information on OpenCloud's support for OpenID Connect (OIDC), please consult the [Official Documentation](../../../../admin/configuration/authentication-and-user-management/).
+
+While selecting an OpenCloud client for authentication, take note of specific limitations such as the `Redirect URI`:
+
+| Source | Redirect URI |
+| ------- | -------------------------------------------- |
+| Android | oc://android.opencloud.eu |
+| iOS | oc://ios.opencloud.eu |
+| Desktop | `http://127.0.0.1`
`http://localhost` |
+
+In this example, the desktop app's `client_id` are being used.
+
+```bash
+client_id=OpenCloudDesktop
+```
+
+## Authorization Code Flow
+
+1. Requesting authorization
+
+ To initiate the OIDC Code Flow, you can use tools like curl and a web browser.
+ The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
+
+ ```plaintext
+ https://cloud.opencloud.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=code&redirect_uri=http://path-to-redirect-uri
+ ```
+
+ After a successful authentication, the browser will redirect to a URL that looks like this:
+
+ ```plaintext
+ http://path-to-redirect-uri?code=mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw&scope=openid%20profile%20email%20offline_access&session_state=32b08dd...&state=
+ ```
+
+ For the next step extract the code from the URL.
+
+ In the above example,
+ the code is `mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw`
+
+2. Requesting an access token
+
+ The next step in the OIDC Code Flow involves an HTTP POST request
+ to the token endpoint of the **OpenCloud Identity Server**.
+
+ ```bash
+ curl -vk -X POST https://cloud.opencloud.test/konnect/v1/token \
+ -d "grant_type=authorization_code" \
+ -d "code=3a3PTcO-WWXfN3l1mDN4u7G5PzWFxatU" \
+ -d "redirect_uri=http:path-to-redirect-uri" \
+ -d "client_id=client_id"
+ ```
+
+ Response looks like this:
+
+ ```json
+ {
+ "access_token": "eyJhbGciOid...",
+ "token_type": "Bearer",
+ "id_token": "eyJhbGciOi...",
+ "refresh_token": "eyJhbGciOiJ...",
+ "expires_in": 300
+ }
+ ```
+
+3. Refreshing an access token
+
+ If the access token has expired, you can get a new one using the refresh token.
+
+ ```bash
+ curl -vk -X POST https://cloud.opencloud.test/konnect/v1/token \
+ -d "grant_type=refresh_token" \
+ -d "refresh_token=eyJhbGciOiJ..." \
+ -d "redirect_uri=http://path-to-redirect-uri" \
+ -d "client_id=client_id"
+ ```
+
+ Response looks like this:
+
+ ```json
+ {
+ "access_token": "eyJhbGciOi...",
+ "token_type": "Bearer",
+ "expires_in": 300
+ }
+ ```
+
+## Implicit Code Flow
+
+When using the implicit flow, tokens are provided in a URI fragment of the redirect URL.
+Valid values for the `response_type` request parameter are:
+
+- token
+- id_token token
+
+:::warning Important Warning
+If you are using the implicit flow, `nonce` parameter is required in the initial `/authorize` request.
+`nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=`
+
+bash command to generate cryptographically random value
+
+```bash
+openssl rand -base64 32
+```
+
+:::
+The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard):
+
+```bash
+https://cloud.opencloud.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=id_token+token&redirect_uri=http://path-to-redirect-uri&nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=
+```
+
+After a successful authentication, the browser will redirect to a URL that looks like this:
+
+```bash
+http://path-to-redirect-uri#access_token=eyJhbGciOiJQUzI...&expires_in=300&id_token=eyJhbGciOiJ...&scope=email%20openid%20profile&session_state=c8a1019f5e054d...&state=&token_type=Bearer
+```
+
+For the next step, extract the access_token from the URL.
+
+```bash
+access_token = 'eyJhbGciOiJQ...'
+```
+
+## Hybrid Flow
+
+The Hybrid Flow in OpenID Connect melds features from both the Implicit and Authorization Code flows. It allows clients to directly retrieve certain tokens from the Authorization Endpoint, yet also offers the option to acquire additional tokens from the Token Endpoint.
+
+The Authorization Server redirects back to the client with appropriate parameters in the response, based on the value of the response_type request parameter:
+
+- code token
+- code id_token
+- code id_token token
diff --git a/versioned_docs/version-7.x/dev/server/apis/http/graph/groups.md b/versioned_docs/version-7.x/dev/server/apis/http/graph/groups.md
new file mode 100644
index 000000000..e2b16100f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/http/graph/groups.md
@@ -0,0 +1,269 @@
+---
+title: Groups
+sidebar_position: 40
+---
+
+## Groups API
+
+The Groups API is implementing a subset of the functionality of the
+[MS Graph Group resource](https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0)
+The JSON representation of a Group as handled by the Groups API looks like this:
+
+```json
+{
+ "displayName": "group",
+ "id": "f0d97060-da16-4b0d-9fa4-d1ec43afc5f1"
+}
+```
+
+Our implementation currently supports two Attributes for a Group:
+
+| Attribute | Description |
+| ----------- | --------------------------------------------------------------------------------------------------------------------------- |
+| displayName | The groups name |
+| id | An unique, stable readonly identifier for the group that stays the same for the whole lifetime of the Group, usually a UUID |
+
+### Reading groups
+
+#### `GET /groups`
+
+Returns a list of all groups
+
+Example:
+
+```bash
+curl -k 'https://localhost:9200/graph/v1.0/groups' -u user:password
+
+```
+
+Response:
+
+```json
+{
+ "value": [
+ {
+ "displayName": "group",
+ "id": "38580a2e-7018-42ed-aff6-b2af0b4e9790"
+ },
+ {
+ "displayName": "Example Users",
+ "id": "7a20f238-8a22-4458-902d-47674c317e5f"
+ }
+ ]
+}
+```
+
+#### `GET /groups?$expand=members`
+
+Returns a list of all groups including its members
+
+Example:
+
+```bash
+curl -k 'https://localhost:9200/graph/v1.0/groups?$expand=members' -u user:password
+
+```
+
+Response:
+
+```json
+{
+ "value": [
+ {
+ "displayName": "group",
+ "id": "38580a2e-7018-42ed-aff6-b2af0b4e9790",
+ "members": [
+ {
+ "displayName": "user1",
+ "id": "2e7b7e23-6c42-4d34-81b0-2bed34e51983",
+ "mail": "user1@example.org",
+ "onPremisesSamAccountName": "user1"
+ },
+ {
+ "displayName": "user2",
+ "id": "b45c9e35-0d95-4165-96bc-68bff4a316ed",
+ "mail": "user2@example.org",
+ "onPremisesSamAccountName": "user2"
+ }
+ ]
+ },
+ {
+ "displayName": "Example Users",
+ "id": "7a20f238-8a22-4458-902d-47674c317e5f",
+ "members": [
+ {
+ "displayName": "user3",
+ "id": "026fbfef-79ef-4f5d-887b-9eaf42777239",
+ "mail": "user3@example.org",
+ "onPremisesSamAccountName": "user3"
+ }
+ ]
+ }
+ ]
+}
+```
+
+#### `GET /groups/{groupid}`
+
+Example:
+
+```bash
+curl -k 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f' -u user:password
+```
+
+Response:
+
+```json
+{
+ "displayName": "Example Users",
+ "id": "7a20f238-8a22-4458-902d-47674c317e5f"
+}
+```
+
+#### `GET /groups/{groupid}?$expand=members`
+
+Example:
+
+```bash
+curl -k 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f?$expand=members' -u user:password
+```
+
+Response:
+
+```json
+{
+ "displayName": "Example Users",
+ "id": "7a20f238-8a22-4458-902d-47674c317e5f",
+ "members": [
+ {
+ "displayName": "user3",
+ "id": "026fbfef-79ef-4f5d-887b-9eaf42777239",
+ "mail": "user3@example.org",
+ "onPremisesSamAccountName": "user3"
+ }
+ ]
+}
+```
+
+### Getting Group Members
+
+#### `GET /groups/{groupid}/members`
+
+Returns a list of User objects that are members of a group.
+
+Example:
+
+```bash
+curl -k 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f/members' -u user:password
+
+```
+
+Response:
+
+```json
+[
+ {
+ "displayName": "Test User",
+ "id": "c54b0588-7157-4521-bb52-c1c8ca84ea71",
+ "mail": "example@example.org",
+ "onPremisesSamAccountName": "example"
+ },
+ {
+ "displayName": "Dennis Ritchie",
+ "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "mail": "dennis@example.org",
+ "onPremisesSamAccountName": "dennis"
+ }
+]
+```
+
+### Creating / Updating Groups
+
+#### `POST /groups`
+
+Use this to create a new group.
+
+##### Request Body
+
+Note the missing `"id"` Attribute. It will be generated by the server:
+
+```json
+{
+ "displayName": "Example Users"
+}
+```
+
+##### Response
+
+When successful, the response will return the new group including the newly allocated `"id"`:
+
+```json
+{
+ "displayName": "Example Users",
+ "id": "7a20f238-8a22-4458-902d-47674c317e5f"
+}
+```
+
+#### `DELETE /groups/{id}`
+
+Example:
+
+```bash
+curl -k --request DELETE 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f' -u user:password
+```
+
+When successful the API returns no response body and the HTTP status code 204 (No Content)
+
+#### `PATCH /groups/\{id\}`
+
+Updating attributes of a single group is supposed to be done with a patch request. This is however currently not fully
+implemented for our write-enabled backends. The PATCH request can however be used to add multiple members to a group at once.
+See below.
+
+### Adding a single member to a group
+
+#### `POST /groups/{id}/members/$ref`
+
+The request body contains a single attribute "`@odata.id`" referencing the new member of the group by URI. Example:
+
+```bash
+curl -k --header "Content-Type: application/json" \
+ --request POST --data \
+ '{ "@odata.id": "https://localhost:9200/graph/v1.0/users/4c510ada-c86b-4815-8820-42cdf82c3d51" }' \
+ 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f/members/$ref' -u user:password
+
+```
+
+When successful the API returns no response body and the HTTP status code 204 (No Content)
+
+### Adding multiple members in a single request
+
+#### `PATCH /groups/\{id\}`
+
+The request body contains the attribute `members@odata.bind` holding a list of URI references for the new members.
+Example:
+
+```json
+{
+ "members@odata.bind": [
+ "https://localhost:9200/graph/v1.0/users/4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "https://localhost:9200/graph/v1.0/users/c54b0588-7157-4521-bb52-c1c8ca84ea71"
+ ]
+}
+```
+
+When successful the API returns no response body and the HTTP status code 204 (No Content)
+
+### Removing a member
+
+#### `DELETE /groups/{groupid}/members/{id}/$ref`
+
+Example
+
+```bash
+curl -k --request DELETE \
+ 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f/members/4c510ada-c86b-4815-8820-42cdf82c3d51/$ref' \
+ -u user:password
+```
+
+When successful the API returns no response body and the HTTP status code 204 (No Content)
diff --git a/versioned_docs/version-7.x/dev/server/apis/http/graph/index.md b/versioned_docs/version-7.x/dev/server/apis/http/graph/index.md
new file mode 100644
index 000000000..1ec976e1a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/http/graph/index.md
@@ -0,0 +1,78 @@
+---
+title: LibreGraph
+sidebar_position: 1
+---
+
+The LibreGraph API is a REST Api which is inspired by the [Microsoft Graph API](https://developer.microsoft.com/en-us/graph). It tries to stay compliant with the Microsoft Graph API and aims to be the Next Generation Api in OpenCloud where we want to support most of the features of the platform.
+The [API specification](https://github.com/opencloud-eu/libre-graph-api) is available in the OpenApi 3 standard and there are generated client and server [SDKs](https://github.com/opencloud-eu/libre-graph-api#clients) available. You can browse the API with the [Swagger UI](https://docs.opencloud.eu/swagger/libre-graph-api/).
+
+## Calling the LibreGraph API
+
+```sh
+{HTTP method} https://cloud.opencloud.test/graph/{version}/{resource}?{query-parameters}
+```
+
+The request component consists of:
+
+| Component | Description |
+| -------------------- | ----------------------------------------------------------------------- |
+| `{HTTP method}` | The HTTP method which is used in the request. |
+| `{version}` | The version of the LibreGraph API used by the client. |
+| `{resource}` | The LibreGraph Resource which the client is referencing in the request. |
+| `{query-parameters}` | Optional parameters for the request to customize the response. |
+
+### HTTP methods
+
+| Method | Description |
+| ------ | ----------------------------- |
+| GET | Read data from a resource. |
+| POST | Create a new resource. |
+| PATCH | Update an existing resource. |
+| PUT | Replace an existing resource. |
+| DELETE | Delete an existing resource. |
+
+The methods `GET` and `DELETE` need no request body. The methods `POST`, `PATCH` and `PUT` require a request body, normally in JSON format to provide the needed values.
+
+### Version
+
+OpenCloud currently provides the version `v1.0`.
+
+### Resource
+
+A resource could be an entity or a complex type and is usually defined by properties. Entities are always recognizable by an `Id` property. The URL contains the resource which you are interacting with e.g. `/me/drives` or `/groups/{group-id}`.
+
+Each resource could possibly require different permissions. Usually you need permissions on a higher level for creating or updating an existing resource than for reading.
+
+### Query parameters
+
+Query parameters can be OData system query options, or other strings that a method accepts to customize its response.
+
+You can use optional OData system query options to include more or fewer properties than the default response, filter the response for items that match a custom query, or provide additional parameters for a method.
+
+For example, adding the following filter parameter restricts the drives returned to only those with the driveType property of `project`.
+
+```shell
+GET https://cloud.opencloud.test/graph/v1.0/drives?$filter=driveType eq 'project'
+```
+
+For more information about OData query options please check the [API specification](https://github.com/opencloud-eu/libre-graph-api) and the provided examples.
+
+### Authorization
+
+For development purposes the examples in the developer documentation use Basic Auth. It is disabled by default and should only be enabled by setting `PROXY_ENABLE_BASIC_AUTH` in [the proxy](../../../services/proxy/env-vars.mdx) for development or test instances.
+
+To authenticate with a Bearer token or OpenID Connect access token replace the `-u user:password` Basic Auth option of curl with a `-H 'Authorization: Bearer '` header. A `` can be obtained by copying it from a request in the browser, although it will time out within minutes. To automatically refresh the OpenID Connect access token an ssh-agent like solution like [oidc-agent](https://github.com/indigo-dc/oidc-agent) should be used. The graph endpoints that support a preconfigured token can be found in the [API specification](https://github.com/opencloud-eu/libre-graph-api)
+
+#### Authorization with App token
+
+Users can create an App Token in their Open Cloud interface. This token can be used to authenticate a user using the Account Name for the username and the token as password. Here is an example using curl
+
+```sh
+curl 'https://cloud.opencloud.test/graph/v1.0/me' -H 'accept: application/json' -u 'accountname:the generated app token'
+
+# or using the Authentification Basic Header
+# Authentification: Basic BASE64(username + ':' + app token)
+curl 'https://cloud.opencloud.test/graph/v1.0/me' -H 'accept: application/json' -H 'Authorization: Basic YWNjb3VudG5hbWU6dGhlIGdlbmVyYXRlZCBhcHAgdG9rZW4='
+```
+
+## Resources
diff --git a/versioned_docs/version-7.x/dev/server/apis/http/graph/permissions.md b/versioned_docs/version-7.x/dev/server/apis/http/graph/permissions.md
new file mode 100644
index 000000000..74127dff3
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/http/graph/permissions.md
@@ -0,0 +1,170 @@
+---
+title: Permissions
+sidebar_position: 50
+---
+
+## Permissions API
+
+The Permissions API is implementing a subset of the functionality of the
+[MS Graph Permission resource](https://learn.microsoft.com/en-us/graph/api/resources/permission?view=graph-rest-1.0).
+
+### Example Permissions
+
+The JSON representation of a Drive, as handled by the Spaces API, looks like this:
+
+```json
+{
+ "@libre.graph.permissions.roles.allowedValues": [
+ {
+ "id": "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5",
+ "description": "Allows reading the shared file or folder",
+ "displayName": "Viewer",
+ "@libre.graph.weight": 1
+ },
+ {
+ "id": "fb6c3e19-e378-47e5-b277-9732f9de6e21",
+ "description": "Allows reading and writing the shared file or folder",
+ "displayName": "Editor",
+ "@libre.graph.weight": 2
+ },
+ {
+ "id": "312c0871-5ef7-4b3a-85b6-0e4074c64049",
+ "description": "Allows managing a space",
+ "displayName": "Manager",
+ "@libre.graph.weight": 3
+ },
+ {
+ "id": "4916f47e-66d5-49bb-9ac9-748ad00334b",
+ "description": "Allows creating new files",
+ "displayName": "File Drop",
+ "@libre.graph.weight": 4
+ }
+ ],
+ "@libre.graph.permissions.actions.allowedValues": [
+ "libre.graph/driveItem/basic/read",
+ "libre.graph/driveItem/permissions/read",
+ "libre.graph/driveItem/upload/create",
+ "libre.graph/driveItem/standard/allTasks",
+ "libre.graph/driveItem/upload/create"
+ ],
+ "value": [
+ {
+ "id": "67445fde-a647-4dd4-b015-fc5dafd2821d",
+ "link": {
+ "type": "view",
+ "webUrl": "https://cloud.example.org/s/fhGBMIkKFEHWysj"
+ }
+ },
+ {
+ "id": "34646ab6-be32-43c9-89e6-987e0c237e9b",
+ "roles": ["b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5"],
+ "grantedToV2": [
+ {
+ "user": {
+ "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "displayName": "Dennis Ritchie"
+ }
+ }
+ ]
+ },
+ {
+ "id": "81d5bad3-3eff-410a-a2ea-eda2d14d4474",
+ "roles": ["b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5"],
+ "grantedToV2": [
+ {
+ "user": {
+ "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "displayName": "Dennis Ritchie"
+ }
+ }
+ ]
+ },
+ {
+ "id": "b470677e-a7f5-4304-8ef5-f5056a21fff1",
+ "roles": ["b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5"],
+ "grantedToV2": [
+ {
+ "user": {
+ "id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
+ "displayName": "Alan Turing"
+ }
+ }
+ ]
+ },
+ {
+ "id": "453b02be-4ec2-4e7d-b576-09fc153de812",
+ "roles": ["fb6c3e19-e378-47e5-b277-9732f9de6e21"],
+ "grantedToV2": [
+ {
+ "user": {
+ "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "displayName": "Dennis Ritchie"
+ }
+ }
+ ],
+ "expirationDateTime": "2018-07-15T14:00:00.000Z"
+ },
+ {
+ "id": "86765c0d-3905-444a-9b07-76201f8cf7df",
+ "roles": ["312c0871-5ef7-4b3a-85b6-0e4074c64049"],
+ "grantedToV2": [
+ {
+ "group": {
+ "id": "167cbee2-0518-455a-bfb2-031fe0621e5d",
+ "displayName": "Programmers"
+ }
+ }
+ ]
+ },
+ {
+ "id": "c42b5cbd-2d65-42cf-b0b6-fb6d2b762256",
+ "grantedToV2": [
+ {
+ "user": {
+ "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
+ "displayName": "Dennis Ritchie"
+ }
+ }
+ ],
+ "@libre.graph.permissions.actions": [
+ "libre.graph/driveItem/basic/read",
+ "libre.graph/driveItem/path/update"
+ ]
+ }
+ ]
+}
+```
+
+## Creating Share Invitation / Link
+
+### Create a link share `POST /drives/{drive-id}/items/{item-id}/createLink`
+
+[CreateLink](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/CreateLink)
+
+### Create a user/group share `POST /drives/{drive-id}/items/{item-id}/invite`
+
+[Invite](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/Invite)
+
+## Reading Permissions
+
+### List the effective sharing permissions on a driveitem `GET /drives/{drive-id}/items/{item-id}/permissions`
+
+[ListPermissions](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/ListPermissions)
+
+### List Get sharing permission for a file or folder `GET /drives/{drive-id}/items/{item-id}/permissions/{perm-id}`
+
+[GetPermission](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/GetPermission)
+
+## Updating Permissions
+
+### Updating sharing permission `POST /drives/{drive-id}/items/{item-id}/permissions/{perm-id}`
+
+[UpdatePermission](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/UpdatePermission)
+
+### Set password of permission `POST /drives/{drive-id}/items/{item-id}/permissions/{perm-id}/setPassword`
+
+[SetPermissionPassword](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/SetPermissionPassword)
+
+### Deleting permission `DELETE /drives/{drive-id}/items/{item-id}/permissions/{perm-id}`
+
+[DeletePermission](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/DeletePermission)
diff --git a/versioned_docs/version-7.x/dev/server/apis/http/graph/role.md b/versioned_docs/version-7.x/dev/server/apis/http/graph/role.md
new file mode 100644
index 000000000..a06781a57
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/http/graph/role.md
@@ -0,0 +1,33 @@
+---
+title: Role
+sidebar_position: 60
+---
+
+## Role API
+
+The Roles API is implementing a subset of the functionality of the
+[MS Graph Role Management](https://learn.microsoft.com/en-us/graph/api/resources/rolemanagement?view=graph-rest-1.0).
+
+## Role Management
+
+### List roleDefinitions `GET /v1beta1/roleManagement/permissions/roleDefinitions`
+
+[ListPermissionRoleDefinitions](https://docs.opencloud.eu/swagger/libre-graph-api/#/roleManagement/ListPermissionRoleDefinitions)
+
+### Get unifiedRoleDefinition `GET /drives/{drive-id}/items/{item-id}/permissions/{perm-id}`
+
+[GetPermissionRoleDefinition](https://docs.opencloud.eu/swagger/libre-graph-api/#/roleManagement/GetPermissionRoleDefinition)
+
+## Role Assignment
+
+### Get appRoleAssignments of a user `GET /v1.0/users/{user-id}/appRoleAssignments`
+
+[ListAppRoleAssignments](https://docs.opencloud.eu/swagger/libre-graph-api/#/user.appRoleAssignment/user.ListAppRoleAssignments)
+
+### Grant an appRoleAssignment to a user `POST /v1.0/users/{user-id}/appRoleAssignments`
+
+[CreateAppRoleAssignments](https://docs.opencloud.eu/swagger/libre-graph-api/#/user.appRoleAssignment/user.CreateAppRoleAssignments)
+
+### Delete the appRoleAssignment from a user `DELETE /v1.0/users/{user-id}/appRoleAssignments/{appRoleAssignment-id}`
+
+[DeleteAppRoleAssignments](https://docs.opencloud.eu/swagger/libre-graph-api/#/user.appRoleAssignment/user.DeleteAppRoleAssignments)
diff --git a/versioned_docs/version-7.x/dev/server/apis/http/graph/spaces.md b/versioned_docs/version-7.x/dev/server/apis/http/graph/spaces.md
new file mode 100644
index 000000000..526507a15
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/http/graph/spaces.md
@@ -0,0 +1,491 @@ +--- +title: Spaces +sidebar_position: 20 +--- + +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +## Spaces API + +The Spaces API is implementing a subset of the functionality of the +[MS Graph Drives resource](https://learn.microsoft.com/en-us/graph/api/resources/drive?view=graph-rest-1.0). + +### Example Space + +The JSON representation of a Drive, as handled by the Spaces API, looks like this: + +```json +{ + "driveAlias": "project/mars", + "driveType": "project", + "id": "storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925", + "lastModifiedDateTime": "2023-01-24T21:19:26.417055+01:00", + "name": "Mars", + "owner": { + "user": { + "displayName": "", + "id": "89ad5ad2-5fdb-4877-b8c9-601a9670b925" + } + }, + "quota": { + "remaining": 999853685, + "state": "normal", + "total": 1000000000, + "used": 146315 + }, + "root": { + "eTag": "\"910af0061161c42d8d1224df6c4a2527\"", + "id": "storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925", + "permissions": [ + { + "grantedToIdentities": [ + { + "user": { + "displayName": "Admin", + "id": "some-admin-user-id-0000-000000000000" + } + } + ], + "roles": ["manager"] + } + ], + "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925" + }, + "special": [ + { + "eTag": "\"f97829324f63ce778095334cfeb0097b\"", + "file": { + "mimeType": "image/jpeg" + }, + "id": "storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925!40171bea-3263-47a8-80ef-0ca20c37f45a", + "lastModifiedDateTime": "2022-02-15T17:11:50.000000496+01:00", + "name": "Mars_iStock-MR1805_20161221.jpeg", + "size": 146250, + "specialFolder": { + "name": "image" + }, + "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925%2189ad5ad2-5fdb-4877-b8c9-601a9670b925/.space/Mars_iStock-MR1805_20161221.jpeg" + }, + { + "eTag": "\"ff38b31d8f109a4fbb98ab34499a3379\"", + "file": { + "mimeType": "text/markdown" + }, + "id": 
"storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925!e2167612-7578-46e2-8ed7-971481037bc1", + "lastModifiedDateTime": "2023-01-24T21:10:23.661841+01:00", + "name": "readme.md", + "size": 65, + "specialFolder": { + "name": "readme" + }, + "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925%2189ad5ad2-5fdb-4877-b8c9-601a9670b925/.space/readme.md" + } + ], + "webUrl": "https://localhost:9200/f/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925" +} +``` + +## Creating Spaces + +### Create a single space `POST /drives` + +[Create Drive](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives/CreateDrive) + +### Create a space item (Enable sync) `POST /drives/\{drive-id\}/root/children` + +[Create Drive Item](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.root/CreateDriveItem) + +## Reading Spaces + +```shell +GET https://cloud.opencloud.test/graph/{version}/{me/}drives/?{query-parameters} +``` + +| Component | Description | +| -------------------- | ---------------------------------------------------------------------------------------------------------------------- | +| \{version\} | The version of the LibreGraph API used by the client. | +| \{/me\} | The `me` component of the part is optional. If used, you only see spaces where the acting user is a regular member of. | +| \{query-parameters\} | Optional parameters for the request to customize the response. | + +### List all spaces `GET /drives` + +Returns a list of all available spaces, even ones where the acting user is not a regular member of. You need elevated permissions to do list all spaces. If you don't have the elevated permissions, the result is the same like `GET /me/drives`. + +:::info[Multiple Administration Personas] + +The openCloud spaces concept draws a strict line between users which can work with the content of a space and others who have the permission to manage the space. 
A user which is able to manage quota and space metadata does not necessarily need to be able to access the content of a space. + +**Space Admin**\ +There is a global user role "Space Admin" which grants users some global permissions to manage space quota and some space metadata. This Role enables the user also to disable, restore and delete spaces. He cannot manage space members. + +**Space Manager**\ +The "Space Manager" is a user which is a regular member of a space because he has been invited. In addition to being part of a space the user can also manage the memberships of the space. + +::: + +### List My Spaces `GET /me/drives` + +[List My Drives](https://docs.opencloud.eu/swagger/libre-graph-api/#/me.drives/ListMyDrives) + +## Modifying Spaces + +Modify the properties of a space. You need elevated permissions to execute this request. + +### Set the space quota to 5GB `PATCH /drives/\{drive-id\}` + +To limit the quota of a space you need to set the `quota.total` value. The API response will give back all actual quota properties. + +```json +{ + "quota": { + "remaining": 5368709120, + "state": "normal", + "total": 5368709120, + "used": 0 + } +} +``` + +| Attribute | Description | +| --------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| remaining | The remaining disk space in `bytes`. If the quota is not limited, this will show the total available disk space. | +| state | The state of the space in regards to quota usage. This can be used for visual indicators. It can be `normal`(\<75%), `nearing`(between 75% and 89%), `critical`(between 90% and 99%) and `exceeded`(100%). | +| total | The space id. The value needs to be a space ID. | +| used | The used disk space in bytes. 
| + + + + +```shell +curl -L -k -X PATCH 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff' \ +-H 'Content-Type: application/json' \ +--data-raw '{ + "quota": { + "total": 5368709120 + } +}' +``` + + + + +```json title="Response" {17} +{ + "description": "Marketing team resources", + "driveAlias": "project/marketing", + "driveType": "project", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "lastModifiedDateTime": "2023-01-18T17:13:48.385204589+01:00", + "name": "Marketing", + "owner": { + "user": { + "displayName": "", + "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + } + }, + "quota": { + "remaining": 5368709120, + "state": "normal", + "total": 5368709120, + "used": 0 + }, + "root": { + "eTag": "\"f91e56554fd9305db81a93778c0fae96\"", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "permissions": [ + { + "grantedToIdentities": [ + { + "user": { + "displayName": "Admin", + "id": "some-admin-user-id-0000-000000000000" + } + } + ], + "roles": ["manager"] + } + ], + "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + }, + "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" +} +``` + + + + +### Change the space name, subtitle and alias `PATCH /drives/\{drive-id\}` + +You can change multiple space properties in one request as long as you submit a valid JSON body. Please be aware that some properties need different permissions. 
+ + + +```shell +curl -L -k -X PATCH 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff' \ +-H 'Content-Type: application/json' \ +--data-raw '{ + "name": "Mars", + "description": "Mission to mars", + "driveAlias": "project/mission-to-mars" +}' +``` + + + + +```json title="Response" {2,3,7} +{ + "description": "Mission to mars", + "driveAlias": "project/mission-to-mars", + "driveType": "project", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "lastModifiedDateTime": "2023-01-19T14:17:36.094283+01:00", + "name": "Mars", + "owner": { + "user": { + "displayName": "", + "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + } + }, + "quota": { + "remaining": 15, + "state": "normal", + "total": 15, + "used": 0 + }, + "root": { + "eTag": "\"f5fee4fdfeedd6f98956500779eee15e\"", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "permissions": [ + { + "grantedToIdentities": [ + { + "user": { + "displayName": "Admin", + "id": "some-admin-user-id-0000-000000000000" + } + } + ], + "roles": ["manager"] + } + ], + "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + }, + "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" +} +``` + + + + +## Disabling / Deleting Spaces + +### Disable a space `DELETE /drives/\{drive-id\}` + +This operation will make the space content unavailable for all space members. No data will be deleted. + + + + +```shell +curl -L -k -X DELETE 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff/' +``` + + + + + +This response has no body value. + +A disabled space will appear in listings with a `root.deleted.state=trashed` property. The space description and the space image will not be readable anymore. 
+ +```json title="Response" {18,19,20} +{ + "description": "Marketing team resources", + "driveAlias": "project/marketing", + "driveType": "project", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "lastModifiedDateTime": "2023-01-19T14:17:36.094283+01:00", + "name": "Marketing", + "owner": { + "user": { + "displayName": "", + "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + } + }, + "quota": { + "total": 15 + }, + "root": { + "deleted": { + "state": "trashed" + }, + "eTag": "\"f5fee4fdfeedd6f98956500779eee15e\"", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "permissions": [ + { + "grantedToIdentities": [ + { + "user": { + "displayName": "Admin", + "id": "some-admin-user-id-0000-000000000000" + } + } + ], + "roles": ["manager"] + } + ], + "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + }, + "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" +} +``` + + + + +### Restore a space `PATCH /drives/\{drive-id\}` + +This operation will make the space content available again to all members. No content will be changed. + +To restore a space, the Header `Restore: T` needs to be set. + + + +```shell +curl -L -X PATCH 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff/' \ +-H 'Restore: T' \ +-H 'Content-Type: text/plain' \ +--data-raw '{}' +``` + +:::info[Body value] + +This request needs an empty body (--data-raw '{}') to fulfil the standard libregraph specification even when the body is not needed. 
+ +::: + + + + +```json +{ + "description": "Marketing team resources", + "driveAlias": "project/marketing", + "driveType": "project", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "lastModifiedDateTime": "2023-01-19T14:17:36.094283+01:00", + "name": "Marketing", + "owner": { + "user": { + "displayName": "", + "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + } + }, + "quota": { + "remaining": 15, + "state": "normal", + "total": 15, + "used": 0 + }, + "root": { + "eTag": "\"f5fee4fdfeedd6f98956500779eee15e\"", + "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", + "permissions": [ + { + "grantedToIdentities": [ + { + "user": { + "displayName": "Admin", + "id": "some-admin-user-id-0000-000000000000" + } + } + ], + "roles": ["manager"] + } + ], + "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" + }, + "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" +} +``` + + + + +### Permanently delete a space `DELETE /drives/\{drive-id\}` + +This operation will delete a space and all its data permanently. This is restricted to spaces which are already disabled. + +To delete a space, the Header `Purge: T` needs to be set. + + + + +```shell title="Request" {2} +curl -L -X DELETE 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff' \ +-H 'Purge: T' +``` + +:::warning[Data will be deleted] + +This request will delete a space and all its content permanently. This operation cannot be reverted. + +::: + + + + +This response has no body value. + + + + +The space to be deleted was not disabled before. 
+ +```json +{ + "error": { + "code": "invalidRequest", + "innererror": { + "date": "2023-01-24T19:57:19Z", + "request-id": "f62af40f-bc18-475e-acd7-e9008d6bd326" + }, + "message": "error: bad request: can't purge enabled space" + } +} +``` + + + + +## Sharing Space + +### Add member to space `POST /drives/\{drive-id\}/root/invite` + +[Invite](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.permissions/Invite) + +### Sharing space as a link `POST /drives/\{drive-id\}/root/createLink` + +[CreateLinkSpaceRoot](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.root/CreateLinkSpaceRoot) + +## Reading Space Permissions + +### Listing permissions of a space `GET /drives/\{drive-id\}/root/permissions` + +[ListPermissionsSpaceRoot](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.root/ListPermissionsSpaceRoot) + +## Modifying / Deleting Space Permissions + +### Update permissions of a drive `PATCH /drives/\{drive-id\}/root/permissions/\{perm-id\}` + +[UpdatePermissionSpaceRoot](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.root/UpdatePermissionSpaceRoot) + +### Set password of a link share `POST /drives/\{drive-id\}/root/permissions/\{perm-id\}/setPassword` + +[SetPermissionPasswordSpaceRoot](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.root/SetPermissionPasswordSpaceRoot) + +### Removing acess to a space `DELETE /drives/\{drive-id\}/root/permissions/\{perm-id\}` + +[DeletePermissionSpaceRoot](https://docs.opencloud.eu/swagger/libre-graph-api/#/drives.root/DeletePermissionSpaceRoot) diff --git a/versioned_docs/version-7.x/dev/server/apis/http/graph/users.md b/versioned_docs/version-7.x/dev/server/apis/http/graph/users.md new file mode 100644 index 000000000..dffab4ef4 --- /dev/null +++ b/versioned_docs/version-7.x/dev/server/apis/http/graph/users.md 
@@ -0,0 +1,264 @@ +--- +title: Users +sidebar_position: 30 +--- + +## Users API + +The Users API is implementing a subset of the functionality of the +[MS Graph User resource](https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0) +The JSON representation of a User handled by the Users API looks like this: + +```json +{ + "displayName": "Dennis Ritchie", + "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", + "mail": "dennis@example.org", + "onPremisesSamAccountName": "dennis" +} +``` + +Our implementation currently supports only a limited set of Attributes of Users: + +| Attribute | Description | +| ------------------------ | ------------------------------------------------------------------------------------------------------------------------- | +| displayName | The full name of the user, usually a combination of given name and last name | +| mail | The user's email address | +| onPremisesSamAccountName | The loginname/account name of the user | +| id | An unique, stable readonly identifier for the user that stays the same for the whole lifetime of the User, usually a UUID | +| passwordProfile | Contains the password of the users. This is only present when updating or creating users. 
It is never returned by the API | + +### Reading users + +#### `GET /me` + +Returns the user object of the currently signed-in user + +Example: + +```bash +curl -k 'https://localhost:9200/graph/v1.0/me' -u user:password +``` + +Response: + +```json +{ + "displayName": "Dennis Ritchie", + "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", + "mail": "dennis@example.org", + "onPremisesSamAccountName": "dennis" +} +``` + +#### `GET /users` + +Returns a list of all users + +Example: + +```bash +curl -k 'https://localhost:9200/graph/v1.0/users' -u user:password + +``` + +Response: + +```json +{ + "value": [ + { + "displayName": "Dennis Ritchie", + "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", + "mail": "dennis@example.org", + "onPremisesSamAccountName": "dennis" + }, + { + "displayName": "Lynn Conway", + "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", + "mail": "lynn@example.org", + "onPremisesSamAccountName": "lynn" + } + ] +} +``` + +#### `GET /users?$expand=memberOf` + +Returns a list of all users + +Example: + +```bash +curl -k 'https://localhost:9200/graph/v1.0/users?$expand=memberOf' -u user:password + +``` + +Response: + +```json +{ + "value": [ + { + "displayName": "Dennis Ritchie", + "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", + "mail": "dennis@example.org", + "onPremisesSamAccountName": "dennis", + "memberOf": [ + { + "displayName": "users", + "id": "509a9dcd-bb37-4f4f-a01a-19dca27d9cfa" + }, + { + "displayName": "basic-haters", + "id": "6040aa17-9c64-4fef-9bd0-77234d71bad0" + }, + { + "displayName": "bible-readers", + "id": "dd58e5ec-842e-498b-8800-61f2ec6f911f" + }, + { + "displayName": "programmers", + "id": "262982c1-2362-4afa-bfdf-8cbfef64a06e" + } + ] + }, + { + "displayName": "Lynn Conway", + "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", + "mail": "lynn@example.org", + "onPremisesSamAccountName": "lynn", + "memberOf": [ + { + "displayName": "users", + "id": "509a9dcd-bb37-4f4f-a01a-19dca27d9cfa" + } + ] + } + ] +} +``` + +#### `GET /users/{userid or 
accountname}` + +Example: + +```bash +curl -k 'https://localhost:9200/graph/v1.0/users/058bff95-6708-4fe5-91e4-9ea3d377588b' -u user:password +``` + +Response: + +```json +{ + "displayName": "Lynn Conway", + "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", + "mail": "lynn@example.org", + "onPremisesSamAccountName": "lynn" +} +``` + +#### `GET /users/{userid or accountname}?$expand=memberOf` + +Example: + +```bash +curl -k 'https://localhost:9200/graph/v1.0/users/058bff95-6708-4fe5-91e4-9ea3d377588b?$expand=memberOf' -u user:password +``` + +Response: + +```json +{ + "displayName": "Lynn Conway", + "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", + "mail": "lynn@example.org", + "onPremisesSamAccountName": "lynn", + "memberOf": [ + { + "displayName": "users", + "id": "509a9dcd-bb37-4f4f-a01a-19dca27d9cfa" + } + ] +} +``` + +### Creating / Updating Users + +#### `POST /users` + +Use this to create a new user. + +##### Request Body + +Note the missing `"id"` Attribute. It will be generated by the server: + +```json +{ + "displayName": "Example User", + "mail": "example@example.org", + "onPremisesSamAccountName": "example", + "passwordProfile": { + "password": "ThePassword" + } +} +``` + +##### Response + +When successful, the response will return the new user, without the password, but including the newly allocated `"id"`: + +```json +{ + "displayName": "Example User", + "id": "c067b139-c91c-4e47-8be6-669156a0587b", + "mail": "example@example.org", + "onPremisesSamAccountName": "example" +} +``` + +#### `DELETE /users/{id}` + +Example: + +```bash +curl -k --request DELETE 'https://localhost:9200/graph/v1.0/users/c067b139-c91c-4e47-8be6-669156a0587b' -u user:password +``` + +When successful the API returns no response body and the HTTP status code 204 (No Content) + +#### `PATCH /users/{id}` + +Updating attributes of a single user can be done with a patch request. The Request Body contains the new values of the attributes +to be updated. E.g. 
to update the `displayName` Attribute: + +```bash + curl -k --header "Content-Type: application/json" \ + --request PATCH --data '{"displayName": "Test User" }' \ + 'https://localhost:9200/graph/v1.0/users/c54b0588-7157-4521-bb52-c1c8ca84ea71' -u user:password +``` + +Similar to creating a user via `POST`, the `PATCH` request will return the user object containing the new attribute values. + +### Change password + +#### `POST /me/changePassword` + +Users can change their own password by sending a POST request to `/me/changePassword` + +##### Request Body + +```json +{ + "currentPassword": "current", + "newPassword": "new" +} +``` + +When successful the API returns no response body and the HTTP status code 204 (No Content) + +```bash + curl -i -k --header "Content-Type: application/json" \ + --request POST --data '{"currentPassword": "current", "newPassword": "new" }' \ + 'https://localhost:9200/graph/v1.0/me/changePassword' -u user:current +``` diff --git a/versioned_docs/version-7.x/dev/server/apis/http/index.md b/versioned_docs/version-7.x/dev/server/apis/http/index.md new file mode 100644 index 000000000..a24d8ac14 --- /dev/null +++ b/versioned_docs/version-7.x/dev/server/apis/http/index.md 
@@ -0,0 +1,8 @@
+---
+title: HTTP
+sidebar_position: 1
+---
+
+The [Hypertext Transfer Protocol (HTTP)](https://www.rfc-editor.org/rfc/rfc2616) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access, for example by a mouse click or by tapping the screen in a web browser.
+
+Development of HTTP was initiated by Tim Berners-Lee at CERN in 1989 and summarized in a simple document describing the behavior of a client and a server using the first HTTP protocol version that was named 0.9. That first version of HTTP protocol soon evolved into a more elaborated version that was the first draft toward a far future version 1.0
diff --git a/versioned_docs/version-7.x/dev/server/apis/http/tus_upload.md b/versioned_docs/version-7.x/dev/server/apis/http/tus_upload.md
new file mode 100644
index 000000000..514df2d65
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/apis/http/tus_upload.md
@@ -0,0 +1,236 @@ +--- +title: Resumable Upload +sidebar_position: 21 +--- + +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +OpenCloud supports the tus resumable-upload protocol, which is a robust, modular, and open protocol designed to resume large file uploads reliably over HTTP. +In situations where file uploads might be interrupted due to network issues, browser crashes, or other unforeseen interruptions, +tus ensures that uploads can be resumed from the point of failure without losing data. +This documentation shows some basic examples, refer [tus official site](https://tus.io/protocols/resumable-upload) for more details. + +## Supported tus Features + +The backend announces certain tus features to clients. WebDAV responses come with tus HTTP headers for the official tus features, and additional, OpenCloud specific features are announced via the capabilities endpoint (e.g. `https://localhost:9200/ocs/v1.php/cloud/capabilities?format=json`). + +The following snippet shows the relevant part of the server capabilities of OpenCloud that concerns the tus upload: + +```json +{ + "ocs": { + "data": { + "capabilities": { + "files": { + "tus_support": { + "version": "1.0.0", + "resumable": "1.0.0", + "extension": "creation,creation-with-upload", + "max_chunk_size": 10000000, + "http_method_override": "" + } + } + } + } + } +} +``` + +| Parameter | Environment Variable | Default Value | Description | +| -------------- | ------------------------------ | ------------- | ------------------------------------------------------------------- | +| max_chunk_size | FRONTEND_UPLOAD_MAX_CHUNK_SIZE | 10000000 | Announces the max chunk sizes in bytes for uploads via the clients. | + +## Upload in Chunks + +### Create an Upload URL + +The client must send a POST request against a known upload creation URL to request a new upload resource. +The filename has to be provided in base64-encoded format. 
+ +Example: + +```bash +# base64 encoded filename 'tustest.txt' is 'dHVzdGVzdC50eHQ=' +echo -n 'tustest.txt' | base64 +``` + + + +```bash +curl -ks -XPOST https://cloud.opencloud.test/remote.php/dav/spaces/8d72036d-14a5-490f-889e-414064156402$196ac304-7b88-44ce-a4db-c4becef0d2e0 \ +-H "Authorization: Bearer eyJhbGciOiJQUzI..."\ +-H "Tus-Resumable: 1.0.0" \ +-H "Upload-Length: 10" \ +-H "Upload-Metadata: filename dHVzdGVzdC50eHQ=" +``` + + + +```bash +< HTTP/1.1 201 Created +< Access-Control-Allow-Headers: Tus-Resumable, Upload-Length, Upload-Metadata, If-Match +< Access-Control-Allow-Origin: * +< Access-Control-Expose-Headers: Tus-Resumable, Upload-Offset, Location +< Content-Length: 0 +< Content-Security-Policy: default-src 'none'; +< Date: Mon, 16 Oct 2023 08:49:39 GMT +< Location: https://cloud.opencloud.test/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNjk3NTMyNTc5LCJpYXQiOjE2OTc0NDYxNzksInRhcmdldCI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTE1OC9kYXRhL3R1cy8zYTU3ZWZlMS04MzE0LTQ4MGEtOWY5Ny04N2Q1YzBjYTJhMTgifQ.FbrlY7mdOfsbFgMrP8OtcHlCEq72a2ZVnPD2iBo9MfM +< Tus-Extension: creation,creation-with-upload,checksum,expiration +< Tus-Resumable: 1.0.0 +< Vary: Origin +< X-Content-Type-Options: nosniff +< X-Download-Options: noopen +< X-Frame-Options: SAMEORIGIN +< X-Permitted-Cross-Domain-Policies: none +< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx +< X-Robots-Tag: none +< X-Xss-Protection: 1; mode=block +< +* Connection #0 to host localhost left intact +``` + + + +The server will return a temporary upload URL in the location header of the response: + +```bash +< Location: https://cloud.opencloud.test/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNjk3NTMyNTc5LCJpYXQiOjE2OTc0NDYxNzksInRhcmdldCI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTE1OC9kYXRhL3R1cy8zYTU3ZWZlMS04MzE0LTQ4MGEtOWY5Ny04N2Q1YzBjYTJhMTgifQ.FbrlY7mdOfsbFgMrP8OtcHlCEq72a2ZVnPD2iBo9MfM +``` + +### Upload the First Chunk + +Once a temporary upload URL has been created, a client can send a PATCH 
request to upload a file. The file content should be sent in the body of the request: + + + +```shell +curl -ks -XPATCH https://temporary-upload-url \ +-H "Authorization: Bearer eyJhbGciOiJQUzI..." \ +-H "Tus-Resumable: 1.0.0" \ +-H "Upload-Offset: 0" \ +-H "Content-Type: application/offset+octet-stream" -d "01234" +``` + + + + +```bash +< HTTP/1.1 204 No Content +< Date: Tue, 17 Oct 2023 04:10:52 GMT +< Oc-Fileid: 8d72036d-14a5-490f-889e-414064156402$73bb5450-816b-4cae-90aa-1f96adc95bd4!84e319e4-de1d-4dd8-bbd0-e51d933cdbcd +< Tus-Resumable: 1.0.0 +< Upload-Expires: 1697602157 +< Upload-Offset: 5 +< Vary: Origin +< X-Content-Type-Options: nosniff +< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx +< +* Connection #0 to host localhost left intact +``` + + + +### Upload Further Chunks + +After the first chunk is uploaded, the second chunk can be uploaded by pointing `Upload-Offset` to exact position that was returned in the first response. +Upload process will not be marked as complete until the total uploaded content size matches the `Upload-Length` specified during the creation of the temporary URL. + + + +```shell +curl -ks -XPATCH https://temporary-upload-url \ +-H "Authorization: Bearer eyJhbGciOiJQUzI..." \ +-H "Tus-Resumable: 1.0.0" \ +-H "Upload-Offset: 5" \ +-H "Content-Type: application/offset+octet-stream" -d "56789" +``` + + + +```bash +< HTTP/1.1 204 No Content +< Date: Tue, 17 Oct 2023 04:11:00 GMT +< Oc-Fileid: 8d72036d-14a5-490f-889e-414064156402$73bb5450-816b-4cae-90aa-1f96adc95bd4!84e319e4-de1d-4dd8-bbd0-e51d933cdbcd +< Tus-Resumable: 1.0.0 +< Upload-Expires: 1697602157 +< Upload-Offset: 10 +< Vary: Origin +< X-Content-Type-Options: nosniff +< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx +< +* Connection #0 to host localhost left intact +``` + + + +:::warning Important Warning +`Upload-Offset` header indicates the byte position in the target file where the server should start writing the upload content. +It ensures data integrity and order during the upload process. 
+::: + +## Creation with Upload + + + +```shell +curl -ks -XPOST https://cloud.opencloud.test/remote.php/dav/spaces/\{space-id\} \ +-H "Authorization: Bearer eyJhbGciOiJQUzI..." \ +-H "Tus-Resumable: 1.0.0" \ +-H "Upload-Length: 14" \ +-H "Content-Type: application/offset+octet-stream" \ +-H "Upload-Metadata: filename dGVzdC50eHQ=" \ +-H "Tus-Extension: creation-with-upload" \ +-d "upload content" +``` + + + +```shell +< HTTP/1.1 201 Created +< Access-Control-Allow-Headers: Tus-Resumable, Upload-Length, Upload-Metadata, If-Match +< Access-Control-Allow-Origin: * +< Access-Control-Expose-Headers: Tus-Resumable, Upload-Offset, Location +< Content-Length: 0 +< Content-Security-Policy: default-src 'none'; +< Content-Type: text/plain +< Date: Mon, 16 Oct 2023 04:18:25 GMT +< Etag: "372c96743f68bc40e789124d30567371" +< Last-Modified: Mon, 16 Oct 2023 04:18:25 +0000 +< Location: https://cloud.opencloud.test/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNjk3NTE2MzA1LCJpYXQiOjE2OTc0Mjk5MDUsInRhcmdldCI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTE1OC9kYXRhL3R1cy82NjlhODBlZi1hN2VjLTQwYTAtOGNmOS05MTgwNTVhYzlkZjAifQ.yq-ofJYnJ9FLML7Z_jki1FJQ7Ulbt9O_cmLe6V411A4 +< Oc-Etag: "372c96743f68bc40e789124d30567371" +< Oc-Fileid: 44d3e1e0-6c01-4b94-9145-9d0068239fcd$446bdad4-4b27-41f1-afce-0881f202a214!d7c292a6-c395-4e92-bf07-2c1663aec8dd +< Oc-Perm: RDNVWZP +< Tus-Extension: creation,creation-with-upload,checksum,expiration +< Tus-Resumable: 1.0.0 +< Upload-Expires: 1697516305 +< Upload-Offset: 14 +< Vary: Origin +< X-Content-Type-Options: nosniff +< X-Download-Options: noopen +< X-Frame-Options: SAMEORIGIN +* TLSv1.2 (IN), TLS header, Supplemental data (23): +{ [5 bytes data] +< X-Permitted-Cross-Domain-Policies: none +< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx +< X-Robots-Tag: none +< X-Xss-Protection: 1; mode=block +< +* Connection #0 to host localhost left intact +``` + + + +:::warning Important Warning +The `Upload-Length` header of the request has to contain the exact size of the 
upload content in byte. +::: + +## Supported Upload-Metadata + +Upload-metadata key-value pairs aren't specified in the general tus docs. The following ones are supported in the OpenCloud ecosystem: + +| Parameter (key) | Example (value MUST be Base64 encoded) | Description | +| ------------------------ | --------------------------------------------- | ------------------------------------ | +| `filename` (mandatory) | example.pdf | Filename | +| `mtime` (recommended) | 1701708712 | Modification time (Unix time format) | +| `checksum` (recommended) | SHA1 a330de5886e5a92d78fb3f8d59fe469857759e72 | Checksum, computed from the client | diff --git a/versioned_docs/version-7.x/dev/server/apis/http/webdav/index.md b/versioned_docs/version-7.x/dev/server/apis/http/webdav/index.md new file mode 100644 index 000000000..e793bcdd7 --- /dev/null +++ b/versioned_docs/version-7.x/dev/server/apis/http/webdav/index.md 
@@ -0,0 +1,558 @@ +--- +title: WebDAV +sidebar_position: 2 +--- + +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + +**Web** **D**istributed **A**uthoring and **V**ersioning (WebDAV) consists of a set of methods, headers, and content-types extending HTTP/1.1 for the management of resources and -properties, creation and management of resource collections, URL namespace manipulation, and resource locking (collision avoidance). WebDAV is one of the central APIs that OpenCloud uses for handling file resources, metadata and locks. + +:::info RFC +**WebDAV RFCs** + +RFC 2518 was published in February 1999. [RFC 4918](https://datatracker.ietf.org/doc/html/rfc4918), published in June 2008 obsoletes RFC 2518 with minor revisions mostly due to interoperability experience. + +::: + +## Calling the WebDAV API + +### Request URI + +```sh +{HTTP method} https://cloud.opencloud.test/{webdav-base}/{resourceID}/{path} +``` + +The request URI consists of: + +| Component | Description | +| --------------- | ------------------------------------------------------------------------------------------------------ | +| `{HTTP method}` | The HTTP method which is used in the request. | +| `{webdav-base}` | The WebDAV base path component. Possible options are | +| | `dav/spaces/` This is the default and optimized endpoint for all WebDAV requests. | +| | `remote.php/dav/spaces/`\* | +| | `remote.php/webdav/`\* | +| | `webdav/`\* | +| | `dav/`\* | +| `{resourceID}` | This resourceID is used as the WebDAV root element. All children are accessed by their relative paths. | +| `{path}` | The relative path to the WebDAV root. In most of the cases, this is the space root. | + +\* these dav endpoints are implemented for legacy reasons and should not be used. 
Note: The legacy endpoints **do not take the resourceID as an argument.** + +### HTTP methods + +| Method | Description | +| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| PROPFIND | Retrieve properties as XML from a web resource. It is also overloaded to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system. | +| PROPPATCH | Process instructions specified in the request body to set and/or remove properties defined on the resource identified by the request uri. | +| MKCOL | Create a WebDAV collection (folder) at the location specified by the request uri. | +| GET | Retrieve a WebDAV resource. | +| HEAD | Retrieve a WebDAV resource without reading the body. | +| PUT | A PUT performed on an existing resource replaces the GET response entity of the resource. | +| POST | Not part of the WebDAV rfc and has no effect on a WebDAV resource. However, this method is used in the TUS protocol for uploading resources. | +| PATCH | Not part of the WebDAV rfc and has no effect on a WebDAV resource. However, this method is used in the TUS protocol for uploading resources. | +| COPY | Creates a duplicate of the source resource identified by the Request-URI, in the destination resource identified by the URI in the Destination header. | +| MOVE | The MOVE operation on a non-collection resource is the logical equivalent of a copy (COPY), followed by consistency maintenance processing, followed by a delete of the source, where all three actions are performed in a single operation. | +| DELETE | Delete the resource identified by the Request-URI. | +| LOCK | A LOCK request to an existing resource will create a lock on the resource identified by the Request-URI, provided the resource is not already locked with a conflicting lock. 
| +| UNLOCK | The UNLOCK method removes the lock identified by the lock token in the Lock-Token request header. The Request-URI must identify a resource within the scope of the lock. | + +The methods `MKCOL`, `GET`, `HEAD`, `LOCK`, `COPY`, `MOVE`, `UNLOCK` and `DELETE` need no request body. + +The methods `PROPFIND`, `PROPPATCH`, `PUT` require a request body, normally in XML format to provide the needed values. + +:::tip Tooling +**WebDAV is not REST** + +The WebDAV protocol was created before the REST paradigm has become the de-facto standard for API design. WebDAV uses http methods which are not part of REST. Therefore all the tooling around API design and documentation is not usable (like OpenApi 3.0 / Swagger or others). +::: + +### Authentication + +For development purposes the examples in the developer documentation use Basic Auth. It is disabled by default and should only be enabled by setting `PROXY_ENABLE_BASIC_AUTH` in [the proxy](./../../../services/proxy/env-vars.mdx) for development or test instances. + +To authenticate with a Bearer token or OpenID Connect access token replace the `-u user:password` Basic Auth option of curl with a `-H 'Authorization: Bearer '` header. A `` can be obtained by copying it from a request in the browser, although it will time out within minutes. To automatically refresh the OpenID Connect access token an ssh-agent like solution like [oidc-agent](https://github.com/indigo-dc/oidc-agent) should be used. + +## Listing Properties + +This method is used to list the properties of a resource in xml. This method can also be used to retrieve the listing of a WebDAV collection which means the content of a remote directory. 
+ + + + +```shell +curl -L -X PROPFIND 'https://localhost:9200/dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/' \ +-H 'Depth: 1' \ +-d ' + + + + + + + + + + + + + + + + + +' +``` + + + + +```shell +PROPFIND /dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/ HTTP/1.1 +Host: localhost:9200 +Origin: https://localhost +Access-Control-Request-Method: PROPFIND +Depth: 1 +Content-Type: application/xml +Authorization: Basic YWRtaW46YWRtaW4= +Content-Length: 436 + + + + + + + + + + + + + + + + + + + + +``` + + + + +The request consists of a request body and an optional `Depth` Header. + +:::tip PROPFIND usage +**Metadata and Directory listings** + +Clients can use the `PROPFIND` method to retrieve properties of resources (metadata) and to list the content of a directories. +::: + +### Response + + + + +#### Multi Status Response + +A Multi-Status response conveys information about multiple resources +in situations where multiple status codes might be appropriate. The +default Multi-Status response body is an application/xml +HTTP entity with a `multistatus` root element. Further elements +contain `200`, `300`, `400`, and `500` series status codes generated during +the method invocation. + +Although `207` is used as the overall response status code, the +recipient needs to consult the contents of the multistatus response +body for further information about the success or failure of the +method execution. The response MAY be used in success, partial +success and also in failure situations. + +The `multistatus` root element holds zero or more `response` elements +in any order, each with information about an individual resource. 
+ +#### Body + +```xml + + + /dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000/ + + + RDNVCKZP + 0 + storage-users-1$some-admin-user-id-0000-000000000000!some-admin-user-id-0000-000000000000 + storage-users-1$some-admin-user-id-0000-000000000000!some-admin-user-id-0000-000000000000 + admin + Admin + https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%21some-admin-user-id-0000-000000000000 + 10364682 + Mon, 04 Sep 2023 20:10:09 GMT + "c4d3610dfe4fac9b44e1175cfc44b12b" + + + + + HTTP/1.1 200 OK + + + + + + + + + HTTP/1.1 404 Not Found + + + + /dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000/New%20file.txt + + + RDNVWZP + + SHA1:1c68ea370b40c06fcaf7f26c8b1dba9d9caf5dea MD5:2205e48de5f93c784733ffcca841d2b5 ADLER32:058801ab + + 0 + storage-users-1$some-admin-user-id-0000-000000000000!90cc3e73-0c6c-4346-9c4d-f529976d4990 + storage-users-1$some-admin-user-id-0000-000000000000!90cc3e73-0c6c-4346-9c4d-f529976d4990 + admin + Admin + + 0 + 1 + 3 + + https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%2190cc3e73-0c6c-4346-9c4d-f529976d4990 + 5 + 5 + Mon, 28 Aug 2023 20:45:03 GMT + "75115347c74701a3be9c635ddebbf5c4" + text/plain + + + HTTP/1.1 200 OK + + + + /dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000/NewFolder/ + + + RDNVCKZP + 0 + storage-users-1$some-admin-user-id-0000-000000000000!5c73ecd9-d9f4-44f4-b685-ca4cb40aa6b7 + storage-users-1$some-admin-user-id-0000-000000000000!5c73ecd9-d9f4-44f4-b685-ca4cb40aa6b7 + admin + Admin + https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%215c73ecd9-d9f4-44f4-b685-ca4cb40aa6b7 + 0 + Mon, 28 Aug 2023 20:45:10 GMT + "e83367534cc595a45d706857fa5f03d8" + + + + + HTTP/1.1 200 OK + + + + + + + + + HTTP/1.1 404 Not Found + + + +``` + + + + +#### Body + +```xml + + + Sabre\DAV\Exception\BadRequest + Invalid Depth header value: 3 + +``` + +This can occur if the request is malformed e.g. 
due to an invalid xml request body or an invalid depth header value. + + + +#### Body + +```xml + + + Sabre\DAV\Exception\NotFound + Resource not found + +``` + + + + +### Request Body + +The `PROPFIND` Request can include an XML request body containing a list of namespaced property names. + +### Namespaces + +When building the body of your DAV request, you will request properties that are available under a specific namespace URI. It is usual to declare prefixes for those namespace in the `d:propfind` element of the body. + +Available namespaces: + +| URI | Prefix | +| ------------------------------------------- | ------ | +| DAV: | d | +| `http://sabredav.org/ns` | s | +| `http://owncloud.org/ns` | oc | +| `http://open-collaboration-services.org/ns` | ocs | +| `http://open-cloud-mesh.org/ns` | ocm | + +### Request Example with declared namespaces + +```xml + + + +``` + +### Supported WebDAV Properties + +| Property | Desription | Example | +| ----------------------------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| `` | The latest modification time. | `Fri, 30 Dec 2022 14:22:43 GMT` | +| `` | The file's etag. | `"c3a1ee4a0c28edc15b9635c3bf798013"` | +| `` | The mime type of the file. | `image/jpeg` | +| `` | Specifies the nature of the resource. | `` for a folder | +| `` | The size if it is a file in bytes. | `5` bytes | +| `` | Describes the active locks on a resource. | | +| `` | The globally unique ID of the resource. | `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | +| `` | The globally unique ID of the resource. | `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | +| `` | Direct URL to download a file from. | Not implemented. | +| `` | Determines the actions a user can take on the resource. 
| The value is a string containing letters that clients can use to determine available actions. | +| | | `S`: Shared | +| | | `M`: Mounted | +| | | `D`: Deletable | +| | | `NV`: Updateable, Renameable, Moveable | +| | | `W`: Updateable (file) | +| | | `CK`: Creatable (folders only) | +| | | `Z`: Deniable | +| | | `P`: Trashbin Purgable | +| | | `X`: Securely Viewable | +| | | In the early stages this was indeed a list of permissions. Over time, more flags were added and the term permissions no longer really fits well. | +| `` | List of user specified tags. | `test` | +| `` | The favorite state. | `0` for not favourited, `1` for favourited | +| `` | The user id of the owner of a resource. Project spaces have no owner. | `dennis` | +| `` | The display name of the owner of a resource. Project spaces have no owner. | `Dennis Ritchie` | +| `` | List of share types. | `0` = User Share | +| | | `1` = Group Share | +| | | `2` = Public Link | +| `` | | ``
`SHA1:1c68ea370b40c06fcaf7f26c8b1dba9d9caf5dea MD5:2205e48de5f93c784733ffcca841d2b5 ADLER32:058801ab`
`
` | +| | | Due to a bug in the very early development of OpenCloud, this value is not an array, but a string separated by whitespaces. | +| `` | Similar to `getcontentlength` but it also works for folders. | `10` bytes | +| `` | The ID of the share if the resource is part of such. | `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | +| `` | The root path of the shared resource if the resource is part of such. | `/shared-folder` | +| `` | The ID of the shared resource if the resource is part of such. | `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | +| `` | The type of the resource if it's a public link. | `folder` | +| `` | The share permissions of the resource if it's a public link. | `1` | +| `` | The expiration date of the public link. | `Tue, 14 May 2024 12:44:29 GMT` | +| `` | The date the public link was created. | `Tue, 14 May 2024 12:44:29 GMT` | +| `` | The username of the user who created the public link. | `admin` | +| `` | The original name of the resource before it was deleted. | `some-file.txt` | +| `` | The original location of the resource before it was deleted. | `some-file.txt` | +| `` | The date the resource was deleted. | `Tue, 14 May 2024 12:44:29 GMT` | +| `` | Audio meta data if the resource contains such. | `MetallicaMetallicaEnter Sandman` | +| `` | Location meta data if the resource contains such. | `51.504106-0.074575` | + +### Request Headers + +A client executing a `PROPFIND` request MUST submit a Depth Header value. In practice, support for infinite-depth requests MAY be disabled, due to the performance and security concerns associated with this behavior. Servers SHOULD treat a +request without a Depth header as if a `Depth: infinity` header was included. Infinite depth requests are disabled by default in opencloud. 
+ +| Name | Value | +| ----- | ------------------------------------------------------------------------------------- | +| Depth | `0` = Only return the desired resource. | +| | `1` = Return the desired resource and all resources one level below in the hierarchy. | +| | `infinity` = Return all resources below the root. | + +:::warning Use the Depth header with caution +**Depth: infinity** + +Using the `Depth: infinity` header value can cause heavy load on the server, depending on the size of the file tree. + +The request can run into a timeout and the server performance could be affected for other users. +::: + +## Create a Directory + +Clients create directories (WebDAV collections) by executing a `MKCOL` request at the location specified by the request url. + + + +```shell +curl -L -X MKCOL 'https://localhost:9200/dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/NewFolder/' \ +-H 'Authorization: Basic YWRtaW46YWRtaW4=' +``` + + +```shell +MKCOL /dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/NewFolder/ HTTP/1.1 +Host: localhost:9200 +Authorization: Basic YWRtaW46YWRtaW4= +``` + + +### Response + + + +This indicates that the Resource has been created successfully. + +### Body + +The response has no body. + + + +### Body + +```xml + + + Sabre\DAV\Exception\Forbidden + + +``` + + + + +### Body + +```xml + + + Sabre\DAV\Exception\MethodNotAllowed + The resource you tried to create already exists + +``` + + + + +## Upload File + +To upload files to the remote server, clients can use the `PUT` method to create or fully replace the content of the remote file. 
+ +### Request Headers + +| Name | Usage | +| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| `X-OC-Mtime` | Send the last modified
time of the file to the server in unixtime format. The server applies this mtime to the resource rather than the actual time. | +| `OC-Checksum` | Provide the checksum of the
file content to the server.
This is used to prevent corrupted data transfers. | +| `If-Match` | The If-Match request-header field is used with a method to make it
conditional. A client that has one or more entities previously
obtained from the resource can verify that one of those entities is
current by including a list of their associated entity tags in the
If-Match header field. | + + + + +```shell +curl -L -X PUT 'https://localhost:9200/dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/test.txt' \ +-H 'X-OC-Mtime: 1692369418' \ +-H 'OC-Checksum: SHA1:40bd001563085fc35165329ea1ff5c5ecbdbbeef' \ +-H 'If-Match: "4436aef907f41f1ac7dfd1ac3d0d455f"' \ +-H 'Content-Type: text/plain' \ +-H 'Authorization: Basic YWRtaW46YWRtaW4=' \ +-d '123' +``` + + + + +```shell +PUT /dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/test.txt HTTP/1.1 +Host: localhost:9200 +X-OC-Mtime: 1692369418 +OC-Checksum: SHA1:40bd001563085fc35165329ea1ff5c5ecbdbbeef +If-Match: "4436aef907f41f1ac7dfd1ac3d0d455f" +Content-Type: text/plain +Authorization: Basic YWRtaW46YWRtaW4= +Content-Length: 3 + +123 +``` + + + + +### Response + + + +This indicates that the Resource has been created successfully. + +#### Body + +The response has no body. + +#### Headers + +```yaml +Oc-Etag: '4436aef907f41f1ac7dfd1ac3d0d455f' +Oc-Fileid: storage-users-1$some-admin-user-id-0000-000000000000!07452b22-0ba9-4539-96e1-3511aff7fd2f +Last-Modified: Fri, 18 Aug 2023 14:36:58 +0000 +X-Oc-Mtime: accepted +``` + + + +This indicates that the Resource has been updated successfully. + +#### Body + +The response has no body. + +#### Headers + +```yaml +Oc-Etag: '4436aef907f41f1ac7dfd1ac3d0d455f' +Oc-Fileid: storage-users-1$some-admin-user-id-0000-000000000000!07452b22-0ba9-4539-96e1-3511aff7fd2f +Last-Modified: Fri, 18 Aug 2023 14:36:58 +0000 +X-Oc-Mtime: accepted +``` + + + +This indicates that the checksum, which was sent by the client, does not match the computed one after all bytes have been received by the server. + +#### Body + +```xml + + + Sabre\DAV\Exception\BadRequest + The computed checksum does not match the one received from the client. + +``` + + + + +The user cannot create files in that remote location. + + + +The remote target space cannot be found. 
+ + + +This error can occur when the request cannot be executed due to a missing precondition. One example is a PUT into a non-existing remote folder. It can also happen when the client sends the wrong etag in the `If-Match` header. + + diff --git a/versioned_docs/version-7.x/dev/server/apis/index.md b/versioned_docs/version-7.x/dev/server/apis/index.md new file mode 100644 index 000000000..ae719f375 --- /dev/null +++ b/versioned_docs/version-7.x/dev/server/apis/index.md 
@@ -0,0 +1,41 @@
+---
+title: APIs
+sidebar_position: 1
+---
+
+OpenCloud provides a large set of different **application programming interfaces (APIs)**. OpenCloud is built by microservices. That means many calls to "functions" in the code are remote calls.
+
+Basically we have two different API "universes": [HTTP](./http/) and [gRPC](./grpc_apis/).
+
+| HTTP | gRPC |
+| -------------------------------- | -------------------------------- |
+| ![HTTP Logo](/img/http-logo.png) | ![gRPC Logo](/img/grpc-logo.png) |
+
+For inter-service-communication we are using mostly gRPC calls because it has some advantages. In the future, clients may decide to use gRPC directly to make use of these advantages.
+
+![OpenCloud APIs Architecture](/img/oc-apis.drawio.svg)
+
+## [HTTP](./http/)
+
+HTTP APIs are mostly used for client < > server communication. Modern applications are embracing a [RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer) software architecture style. REST APIs are using the HTTP protocol to transfer data between clients and servers. All our clients talk to the Server using HTTP APIs. This has legacy reasons and is well-supported across many platforms and technologies. OpenCloud uses an HTTP API gateway (proxy service) to route client requests to the correct service.
+
+### OpenAPI
+
+It is best practise to define APIs and their behavior by a spec. We are using the OpenAPI standard for all new APIs. The [OpenAPI Specification](https://swagger.io/specification/), previously known as the Swagger Specification, is a specification for a machine-readable interface definition language for describing, producing, consuming and visualizing RESTful web services. Previously part of the Swagger framework, it became a separate project in 2016, overseen by the OpenAPI Initiative, an open-source collaboration project of the Linux Foundation. Swagger and some other tools can generate code, documentation and test cases from interface files.
+
+### RFC
+
+Some APIs have become a de facto standard and are additionally covered by an [RFC](https://en.wikipedia.org/wiki/Request_for_Comments).
+
+## [gRPC](./grpc_apis/)
+
+In gRPC, a client application can directly call methods on a server application on a different machine as if it was a local object. This makes it easier to create distributed applications based on microservices. In gRPC we can define a service and specify the methods that can be called remotely. A gRPC client has a stub that provides the same methods and types as the server.
+OpenCloud uses a gRPC API Gateway (gateway service) to route the requests to the correct service.
+
+### Protobuf
+
+gRPC APIs are typically defined by [Protocol buffers](https://developers.google.com/protocol-buffers/docs/overview). The different client and server stubs are created from `*.proto` files by code generation tools.
+
+## Versioning
+
+There are different standards for API versioning: Through URL, through request parameter, through custom header and through content negotiation. OpenCloud uses the versioning by URL concept although this creates a big code footprint. The versioning follows [SemVer](https://semver.org). We update the major version number when breaking changes are needed. Clients can decide which major version they use through the request URL. The specific implementation is documented on each API.
diff --git a/versioned_docs/version-7.x/dev/server/configuration/config-system.md b/versioned_docs/version-7.x/dev/server/configuration/config-system.md
new file mode 100644
index 000000000..d434c09c4
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/configuration/config-system.md
@@ -0,0 +1,131 @@
+---
+title: Configuration System
+sidebar_position: 2
+slug: /dev/server/configuration/config-system
+---
+
+The Opencloud configuration system is designed for cloud‑native deployments and follows the 12‑Factor App principles. It provides a predictable override pattern, clear configuration locations, and a consistent approach across all services.
+
+- Cloud‑native: configuration is externalized from code and deployable via files, ConfigMaps/Secrets, or environment variables.
+- 12‑Factor friendly: environment variables are first‑class citizens; immutable images with runtime configuration injected at deploy time.
+- Composable: a global base config can be refined by per‑service files and finally overridden by environment variables.
+
+## Defaults
+
+The Opencloud services come with sensible default settings for most configuration options. These defaults are configured within each service and are listed in the service documentation for each individual service.
+
+:::tip
+Default values for all configuration options are built into each service. You only need to provide values for settings that differ from the defaults.
+:::
+
+### Configuration locations
+
+- Containers (default): `/etc/opencloud`
+ - Mount this directory into containers (Docker, Kubernetes) via ConfigMaps/Secrets or volumes.
+- Binary releases and local installs: `$HOME/.opencloud/config/`
+ - Useful when running downloaded binaries on developer laptops or bare hosts without container mounts.
+- The location for the configuration files can be changed by setting the environment variable `OC_CONFIG_DIR` to point to a different directory.
+- Typical files inside either location:
+ - `opencloud.yaml` — global defaults shared by all services
+ - `.yaml` — overrides specific to a service (e.g. `activitylog.yaml`, `proxy.yaml`)
+
+### Override pattern (precedence)
+
+From lowest to highest precedence:
+
+1. `opencloud.yaml` (global defaults)
+2. `.yaml` (service‑specific overrides)
+3. Environment variables (highest precedence)
+
+Environment variables always win over file values. If a key is not set at a higher level, it falls back to the next level down.
+
+### Config via YAML files
+
+- YAML is used for both the global file and per‑service files.
+- Keep keys lowercase with hyphens or underscores, matching service documentation.
+- Secrets should be provided via environment variables or secret mounts rather than committed files.
+- Simple bash substitution is supported. E.g. `https://${COLLABORA_DOMAIN|collabora.opencloud.test}/` will use the value of `COLLABORA_DOMAIN` env var or default to `collabora.opencloud.test` if not set.
+
+#### Bash substitution syntax
+
+| **Expression** | **Meaning** |
+| ------------------ | -------------------------------------------------------------------- |
+| `${var}` | Value of var (same as `$var`) |
+| `${var-$DEFAULT}` | If var not set, evaluate expression as $DEFAULT |
+| `${var:-$DEFAULT}` | If var not set or is empty, evaluate expression as $DEFAULT |
+| `${var=$DEFAULT}` | If var not set, evaluate expression as $DEFAULT |
+| `${var:=$DEFAULT}` | If var not set or is empty, evaluate expression as $DEFAULT |
+| `${var+$OTHER}` | If var set, evaluate expression as $OTHER, otherwise as empty string |
+| `${var:+$OTHER}` | If var set, evaluate expression as $OTHER, otherwise as empty string |
+| `$$var` | Escape expressions. Result will be `$var`. |
+
+#### Example: `opencloud.yaml`
+
+```yaml
+# /etc/opencloud/opencloud.yaml
+# Global OpenCloud configuration defaults
+token_manager:
+ jwt_secret: 'x8Kz$3vQw9!Rb7#NfU2^BgT%Lp1@Hm0'
+machine_auth_api_key: 'X7gH2k9Vb4q!S6dP'
+system_user_api_key: 'mS9#cR4pZx7%aL1t'
+transfer_secret: 'Tq6!vB2^nY8@wF5z'
+url_signing_secret: 'U9p$R0e!K3#sH7cQ'
+system_user_id: d3b1f5a2-7c9d-4e2f-a1b2-3c4d5e6f7a8b
+admin_user_id: a1f2e3d4-5b6c-7d8e-9f01-23456789abcd
+## Service-specific configurations, same as in .yaml files
+graph:
+ application:
+ id: a72387e1-fb22-49c9-9c94-12ff0abf9b38
+ events:
+ tls_insecure: true
+ spaces:
+ insecure: true
+```
+
+#### Example: `proxy.yaml`
+
+```yaml
+# /etc/opencloud/proxy.yaml
+role_assignment:
+ driver: oidc
+ oidc_role_mapper:
+ role_claim: opencloudRoles
+ role_mapping:
+ - role_name: admin
+ claim_value: myAdminRole
+ - role_name: spaceadmin
+ claim_value: mySpaceAdminRole
+ - role_name: user
+ claim_value: myUserRole
+ - role_name: user-light
+ claim_value: myGuestRole
+```
+
+### Environment variables
+
+- Global scope: variables prefixed with `OC_` apply to more than one service (shared/global settings).
+- Service scope: variables prefixed with `_` apply only to that specific service (e.g. `ACTIVITYLOG_`, `PROXY_`, `FRONTEND_`).
+- When both are present for the same setting, the service‑scoped variable wins for that service.
+- Booleans: `true`/`false` (case‑insensitive).
+- Numbers: plain integers/floats.
+- Lists: comma‑separated values unless otherwise specified by the service.
+
+Examples:
+
+```bash
+# Raise log level globally for all services
+export OC_LOG_LEVEL=debug
+
+# Override only the Proxy service log level
+export PROXY_LOG_LEVEL=info
+
+# Make public shares not require a password globally
+export OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD=false
+```
+
+Environment variables take precedence over both `opencloud.yaml` and `.yaml`. See the list of [global variables](./global-environment-variables)
+
+### More information
+
+- [Global environment variable reference](./global-environment-variables)
+- Individual service pages for service‑specific options and examples (e.g. [Activity Log](../services/activitylog/), [Proxy](../services/proxy/), [Frontend](../services/frontend)/).
diff --git a/versioned_docs/version-7.x/dev/server/configuration/global-envvars.mdx b/versioned_docs/version-7.x/dev/server/configuration/global-envvars.mdx
new file mode 100644
index 000000000..4e054eb41
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/configuration/global-envvars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: global-envvars
+slug: global-environment-variables
+title: Global Environment Variables
+---
+
+import Envvars from '../../../_static/env-vars/global_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/configuration/global/_category_.json b/versioned_docs/version-7.x/dev/server/configuration/global/_category_.json
new file mode 100644
index 000000000..771114aa9
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/configuration/global/_category_.json
@@ -0,0 +1,3 @@
+{
+ "label": "Global Cnfiguration"
+}
\ No newline at end of file
diff --git a/versioned_docs/version-7.x/dev/server/configuration/index.md b/versioned_docs/version-7.x/dev/server/configuration/index.md
new file mode 100644
index 000000000..a1ba46fd7
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/configuration/index.md
@@ -0,0 +1,4 @@
+---
+title: Configuration
+sidebar_position: 1
+---
diff --git a/versioned_docs/version-7.x/dev/server/index.md b/versioned_docs/version-7.x/dev/server/index.md
new file mode 100644
index 000000000..51bfd4d4d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/index.md
@@ -0,0 +1,8 @@
+---
+title: 'Architecture'
+sidebar_position: 1
+---
+
+Our current Architecture Diagrams can be found here.
+
+You’ll find the Libre Graph API documentation by clicking this link.
diff --git a/versioned_docs/version-7.x/dev/server/services/_category_.json b/versioned_docs/version-7.x/dev/server/services/_category_.json
new file mode 100644
index 000000000..e2cbad408
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Services",
+ "position": 2
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/activitylog/_category_.json b/versioned_docs/version-7.x/dev/server/services/activitylog/_category_.json
new file mode 100644
index 000000000..40429492e
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/activitylog/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Activitylog",
+ "position": 1
+}
\ No newline at end of file
diff --git a/versioned_docs/version-7.x/dev/server/services/activitylog/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/activitylog/env-vars.mdx
new file mode 100644
index 000000000..058f56097
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/activitylog/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: activitylog-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/activitylog_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/activitylog/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/activitylog/example-config.mdx
new file mode 100644
index 000000000..b7bbf59de
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/activitylog/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: activitylog-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/activitylog.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/activitylog/index.md b/versioned_docs/version-7.x/dev/server/services/activitylog/index.md
new file mode 100644
index 000000000..f6f8838ac
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/activitylog/index.md
@@ -0,0 +1,11 @@
+---
+title: Activity Log
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/activitylog/info.mdx b/versioned_docs/version-7.x/dev/server/services/activitylog/info.mdx
new file mode 100644
index 000000000..4e88c7fb4
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/activitylog/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: activitylog-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/activitylog_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/antivirus/_category_.json b/versioned_docs/version-7.x/dev/server/services/antivirus/_category_.json
new file mode 100644
index 000000000..f68f07441
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/antivirus/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Antivirus",
+ "position": 2
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/antivirus/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/antivirus/env-vars.mdx
new file mode 100644
index 000000000..255c06abd
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/antivirus/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: antivirus-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/antivirus_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/antivirus/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/antivirus/example-config.mdx
new file mode 100644
index 000000000..183f189b4
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/antivirus/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: antivirus-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/antivirus.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/antivirus/index.md b/versioned_docs/version-7.x/dev/server/services/antivirus/index.md
new file mode 100644
index 000000000..2af1e4f74
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/antivirus/index.md
@@ -0,0 +1,11 @@
+---
+title: Antivirus
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/antivirus/info.mdx b/versioned_docs/version-7.x/dev/server/services/antivirus/info.mdx
new file mode 100644
index 000000000..cbb01e3f6
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/antivirus/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: antivirus-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/antivirus_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/app-provider/_category_.json b/versioned_docs/version-7.x/dev/server/services/app-provider/_category_.json
new file mode 100644
index 000000000..07e4ec980
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-provider/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "App-provider",
+ "position": 3
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/app-provider/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/app-provider/env-vars.mdx
new file mode 100644
index 000000000..0f515b592
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-provider/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: app-provider-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/app-provider_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/app-provider/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/app-provider/example-config.mdx
new file mode 100644
index 000000000..1bc43deff
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-provider/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: app-provider-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/app-provider.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/app-provider/index.md b/versioned_docs/version-7.x/dev/server/services/app-provider/index.md
new file mode 100644
index 000000000..baf775758
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-provider/index.md
@@ -0,0 +1,11 @@
+---
+title: App Provider
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/app-registry/_category_.json b/versioned_docs/version-7.x/dev/server/services/app-registry/_category_.json
new file mode 100644
index 000000000..3b0316a9a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-registry/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "App-registry",
+ "position": 4
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/app-registry/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/app-registry/env-vars.mdx
new file mode 100644
index 000000000..455d178de
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-registry/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: app-registry-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/app-registry_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/app-registry/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/app-registry/example-config.mdx
new file mode 100644
index 000000000..4378ca3b5
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-registry/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: app-registry-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/app-registry.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/app-registry/index.md b/versioned_docs/version-7.x/dev/server/services/app-registry/index.md
new file mode 100644
index 000000000..b2832d83c
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-registry/index.md
@@ -0,0 +1,11 @@
+---
+title: App Registry
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/app-registry/info.mdx b/versioned_docs/version-7.x/dev/server/services/app-registry/info.mdx
new file mode 100644
index 000000000..385ae0350
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/app-registry/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: app-registry-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/app-registry_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/audit/_category_.json b/versioned_docs/version-7.x/dev/server/services/audit/_category_.json
new file mode 100644
index 000000000..7af484e69
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/audit/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Audit",
+ "position": 5
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/audit/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/audit/env-vars.mdx
new file mode 100644
index 000000000..b5c2a8577
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/audit/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: audit-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/audit_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/audit/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/audit/example-config.mdx
new file mode 100644
index 000000000..e4fa421fe
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/audit/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: audit-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/audit.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/audit/index.md b/versioned_docs/version-7.x/dev/server/services/audit/index.md
new file mode 100644
index 000000000..04580820b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/audit/index.md
@@ -0,0 +1,11 @@
+---
+title: Audit
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/audit/info.mdx b/versioned_docs/version-7.x/dev/server/services/audit/info.mdx
new file mode 100644
index 000000000..82ec9d03b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/audit/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: audit-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/audit_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-app/_category_.json b/versioned_docs/version-7.x/dev/server/services/auth-app/_category_.json
new file mode 100644
index 000000000..da45d67cf
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-app/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Auth-app",
+ "position": 6
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-app/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/auth-app/env-vars.mdx
new file mode 100644
index 000000000..6f3c0e8c2
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-app/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: auth-app-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/auth-app_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-app/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/auth-app/example-config.mdx
new file mode 100644
index 000000000..f26ddfb8d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-app/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: auth-app-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/auth-app.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-app/index.md b/versioned_docs/version-7.x/dev/server/services/auth-app/index.md
new file mode 100644
index 000000000..97a2a7e3d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-app/index.md
@@ -0,0 +1,11 @@
+---
+title: Auth App
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-app/info.mdx b/versioned_docs/version-7.x/dev/server/services/auth-app/info.mdx
new file mode 100644
index 000000000..64f54f6e0
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-app/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: auth-app-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/auth-app_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-basic/_category_.json b/versioned_docs/version-7.x/dev/server/services/auth-basic/_category_.json
new file mode 100644
index 000000000..4bf1eb162
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-basic/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Auth-basic",
+ "position": 7
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-basic/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/auth-basic/env-vars.mdx
new file mode 100644
index 000000000..3748d1418
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-basic/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: auth-basic-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/auth-basic_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-basic/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/auth-basic/example-config.mdx
new file mode 100644
index 000000000..7360e0383
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-basic/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: auth-basic-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/auth-basic.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-basic/index.md b/versioned_docs/version-7.x/dev/server/services/auth-basic/index.md
new file mode 100644
index 000000000..e0a94eb87
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-basic/index.md
@@ -0,0 +1,11 @@
+---
+title: Auth Basic
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-basic/info.mdx b/versioned_docs/version-7.x/dev/server/services/auth-basic/info.mdx
new file mode 100644
index 000000000..31ecb9738
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-basic/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: auth-basic-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/auth-basic_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-bearer/_category_.json b/versioned_docs/version-7.x/dev/server/services/auth-bearer/_category_.json
new file mode 100644
index 000000000..f50be5ee2
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-bearer/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Auth-bearer",
+ "position": 8
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-bearer/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/auth-bearer/env-vars.mdx
new file mode 100644
index 000000000..7a42d9877
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-bearer/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: auth-bearer-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/auth-bearer_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-bearer/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/auth-bearer/example-config.mdx
new file mode 100644
index 000000000..3a91b9d9d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-bearer/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: auth-bearer-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/auth-bearer.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-bearer/index.md b/versioned_docs/version-7.x/dev/server/services/auth-bearer/index.md
new file mode 100644
index 000000000..40796cf66
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-bearer/index.md
@@ -0,0 +1,11 @@
+---
+title: Auth Bearer
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-bearer/info.mdx b/versioned_docs/version-7.x/dev/server/services/auth-bearer/info.mdx
new file mode 100644
index 000000000..73ad0d8ba
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-bearer/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: auth-bearer-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/auth-bearer_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-machine/_category_.json b/versioned_docs/version-7.x/dev/server/services/auth-machine/_category_.json
new file mode 100644
index 000000000..d7cf7e295
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-machine/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Auth-machine",
+ "position": 9
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-machine/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/auth-machine/env-vars.mdx
new file mode 100644
index 000000000..9668c0b69
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-machine/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: auth-machine-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/auth-machine_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-machine/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/auth-machine/example-config.mdx
new file mode 100644
index 000000000..a7bfd110b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-machine/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: auth-machine-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/auth-machine.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-machine/index.md b/versioned_docs/version-7.x/dev/server/services/auth-machine/index.md
new file mode 100644
index 000000000..8065a6830
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-machine/index.md
@@ -0,0 +1,11 @@
+---
+title: Auth Machine
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-machine/info.mdx b/versioned_docs/version-7.x/dev/server/services/auth-machine/info.mdx
new file mode 100644
index 000000000..7b5e605ef
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-machine/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: auth-machine-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/auth-machine_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-service/_category_.json b/versioned_docs/version-7.x/dev/server/services/auth-service/_category_.json
new file mode 100644
index 000000000..371db847f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-service/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Auth-service",
+ "position": 10
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-service/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/auth-service/env-vars.mdx
new file mode 100644
index 000000000..b9ed72921
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-service/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: auth-service-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/auth-service_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-service/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/auth-service/example-config.mdx
new file mode 100644
index 000000000..c449d2ff7
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-service/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: auth-service-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/auth-service.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-service/index.md b/versioned_docs/version-7.x/dev/server/services/auth-service/index.md
new file mode 100644
index 000000000..4449b2062
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-service/index.md
@@ -0,0 +1,11 @@
+---
+title: Auth Service
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/auth-service/info.mdx b/versioned_docs/version-7.x/dev/server/services/auth-service/info.mdx
new file mode 100644
index 000000000..c5cccfb0d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/auth-service/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: auth-service-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/auth-service_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/clientlog/_category_.json b/versioned_docs/version-7.x/dev/server/services/clientlog/_category_.json
new file mode 100644
index 000000000..5c624596a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/clientlog/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Clientlog",
+ "position": 11
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/clientlog/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/clientlog/env-vars.mdx
new file mode 100644
index 000000000..0d1e70c1c
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/clientlog/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: clientlog-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/clientlog_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/clientlog/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/clientlog/example-config.mdx
new file mode 100644
index 000000000..c22a8fc90
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/clientlog/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: clientlog-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/clientlog.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/clientlog/index.md b/versioned_docs/version-7.x/dev/server/services/clientlog/index.md
new file mode 100644
index 000000000..e9bbc5f30
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/clientlog/index.md
@@ -0,0 +1,11 @@
+---
+title: Client Log
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/clientlog/info.mdx b/versioned_docs/version-7.x/dev/server/services/clientlog/info.mdx
new file mode 100644
index 000000000..2ea0dd240
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/clientlog/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: clientlog-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/clientlog_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/collaboration/_category_.json b/versioned_docs/version-7.x/dev/server/services/collaboration/_category_.json
new file mode 100644
index 000000000..697a2897f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/collaboration/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Collaboration",
+ "position": 12
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/collaboration/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/collaboration/env-vars.mdx
new file mode 100644
index 000000000..2668f66fa
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/collaboration/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: collaboration-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/collaboration_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/collaboration/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/collaboration/example-config.mdx
new file mode 100644
index 000000000..fc1281109
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/collaboration/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: collaboration-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/collaboration.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/collaboration/index.md b/versioned_docs/version-7.x/dev/server/services/collaboration/index.md
new file mode 100644
index 000000000..ae28f7924
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/collaboration/index.md
@@ -0,0 +1,11 @@
+---
+title: Collaboration
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/collaboration/info.mdx b/versioned_docs/version-7.x/dev/server/services/collaboration/info.mdx
new file mode 100644
index 000000000..67cdffb07
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/collaboration/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: collaboration-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/collaboration_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/eventhistory/_category_.json b/versioned_docs/version-7.x/dev/server/services/eventhistory/_category_.json
new file mode 100644
index 000000000..359221c6f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/eventhistory/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Eventhistory",
+ "position": 13
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/eventhistory/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/eventhistory/env-vars.mdx
new file mode 100644
index 000000000..755eafb1d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/eventhistory/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: eventhistory-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/eventhistory_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/eventhistory/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/eventhistory/example-config.mdx
new file mode 100644
index 000000000..00d776421
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/eventhistory/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: eventhistory-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/eventhistory.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/eventhistory/index.md b/versioned_docs/version-7.x/dev/server/services/eventhistory/index.md
new file mode 100644
index 000000000..e79d750a9
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/eventhistory/index.md
@@ -0,0 +1,11 @@
+---
+title: Event History
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/eventhistory/info.mdx b/versioned_docs/version-7.x/dev/server/services/eventhistory/info.mdx
new file mode 100644
index 000000000..0c018722d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/eventhistory/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: eventhistory-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/eventhistory_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/frontend/_category_.json b/versioned_docs/version-7.x/dev/server/services/frontend/_category_.json
new file mode 100644
index 000000000..c2c4c2a8d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/frontend/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Frontend",
+ "position": 14
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/frontend/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/frontend/env-vars.mdx
new file mode 100644
index 000000000..9ec5b4e38
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/frontend/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: frontend-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/frontend_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/frontend/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/frontend/example-config.mdx
new file mode 100644
index 000000000..55fe3e5bc
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/frontend/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: frontend-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/frontend.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/frontend/index.md b/versioned_docs/version-7.x/dev/server/services/frontend/index.md
new file mode 100644
index 000000000..518c009c1
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/frontend/index.md
@@ -0,0 +1,11 @@
+---
+title: Frontend
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/frontend/info.mdx b/versioned_docs/version-7.x/dev/server/services/frontend/info.mdx
new file mode 100644
index 000000000..ef8e79de2
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/frontend/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: frontend-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/frontend_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/gateway/_category_.json b/versioned_docs/version-7.x/dev/server/services/gateway/_category_.json
new file mode 100644
index 000000000..933994ddf
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/gateway/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Gateway",
+ "position": 15
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/gateway/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/gateway/env-vars.mdx
new file mode 100644
index 000000000..f3cf079c3
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/gateway/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: gateway-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/gateway_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/gateway/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/gateway/example-config.mdx
new file mode 100644
index 000000000..b42cfa172
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/gateway/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: gateway-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/gateway.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/gateway/index.md b/versioned_docs/version-7.x/dev/server/services/gateway/index.md
new file mode 100644
index 000000000..5a0f12ae8
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/gateway/index.md
@@ -0,0 +1,11 @@
+---
+title: Gateway
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/gateway/info.mdx b/versioned_docs/version-7.x/dev/server/services/gateway/info.mdx
new file mode 100644
index 000000000..94ce34d05
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/gateway/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: gateway-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/gateway_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/graph/_category_.json b/versioned_docs/version-7.x/dev/server/services/graph/_category_.json
new file mode 100644
index 000000000..2ba522f77
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/graph/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Graph",
+ "position": 16
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/graph/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/graph/env-vars.mdx
new file mode 100644
index 000000000..ddd8584a3
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/graph/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: graph-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/graph_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/graph/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/graph/example-config.mdx
new file mode 100644
index 000000000..ec0232f76
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/graph/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: graph-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/graph.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/graph/index.md b/versioned_docs/version-7.x/dev/server/services/graph/index.md
new file mode 100644
index 000000000..1d18789ed
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/graph/index.md
@@ -0,0 +1,11 @@
+---
+title: Graph
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/graph/info.mdx b/versioned_docs/version-7.x/dev/server/services/graph/info.mdx
new file mode 100644
index 000000000..174802593
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/graph/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: graph-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/graph_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/groups/_category_.json b/versioned_docs/version-7.x/dev/server/services/groups/_category_.json
new file mode 100644
index 000000000..59e8a2312
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/groups/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Groups",
+ "position": 17
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/groups/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/groups/env-vars.mdx
new file mode 100644
index 000000000..091fa2a4c
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/groups/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: groups-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/groups_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/groups/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/groups/example-config.mdx
new file mode 100644
index 000000000..3774d6917
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/groups/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: groups-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/groups.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/groups/index.md b/versioned_docs/version-7.x/dev/server/services/groups/index.md
new file mode 100644
index 000000000..0a19f385c
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/groups/index.md
@@ -0,0 +1,11 @@
+---
+title: Groups
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/idm/_category_.json b/versioned_docs/version-7.x/dev/server/services/idm/_category_.json
new file mode 100644
index 000000000..c61bf1cf8
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idm/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Idm",
+ "position": 18
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/idm/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/idm/env-vars.mdx
new file mode 100644
index 000000000..9100d2233
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idm/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: idm-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/idm_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/idm/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/idm/example-config.mdx
new file mode 100644
index 000000000..ce70c343d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idm/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: idm-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/idm.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/idm/index.md b/versioned_docs/version-7.x/dev/server/services/idm/index.md
new file mode 100644
index 000000000..53c59ac9b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idm/index.md
@@ -0,0 +1,11 @@
+---
+title: IDM
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/idm/info.mdx b/versioned_docs/version-7.x/dev/server/services/idm/info.mdx
new file mode 100644
index 000000000..380116015
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idm/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: idm-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/idm_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/idp/_category_.json b/versioned_docs/version-7.x/dev/server/services/idp/_category_.json
new file mode 100644
index 000000000..077892de0
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idp/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Idp",
+ "position": 19
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/idp/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/idp/env-vars.mdx
new file mode 100644
index 000000000..9c216b055
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idp/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: idp-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/idp_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/idp/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/idp/example-config.mdx
new file mode 100644
index 000000000..7653c5f85
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idp/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: idp-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/idp.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/idp/index.md b/versioned_docs/version-7.x/dev/server/services/idp/index.md
new file mode 100644
index 000000000..6b6a894b9
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idp/index.md
@@ -0,0 +1,11 @@
+---
+title: IDP
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/idp/info.mdx b/versioned_docs/version-7.x/dev/server/services/idp/info.mdx
new file mode 100644
index 000000000..e84b24cd0
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/idp/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: idp-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/idp_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/invitations/_category_.json b/versioned_docs/version-7.x/dev/server/services/invitations/_category_.json
new file mode 100644
index 000000000..c4fca62fe
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/invitations/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Invitations",
+ "position": 20
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/invitations/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/invitations/env-vars.mdx
new file mode 100644
index 000000000..df6bd120f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/invitations/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: invitations-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/invitations_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/invitations/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/invitations/example-config.mdx
new file mode 100644
index 000000000..49023a856
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/invitations/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: invitations-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/invitations.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/invitations/index.md b/versioned_docs/version-7.x/dev/server/services/invitations/index.md
new file mode 100644
index 000000000..e25d40fd4
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/invitations/index.md
@@ -0,0 +1,11 @@
+---
+title: Invitations
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/invitations/info.mdx b/versioned_docs/version-7.x/dev/server/services/invitations/info.mdx
new file mode 100644
index 000000000..cc3fe2811
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/invitations/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: invitations-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/invitations_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/nats/_category_.json b/versioned_docs/version-7.x/dev/server/services/nats/_category_.json
new file mode 100644
index 000000000..9360d681a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/nats/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Nats",
+ "position": 21
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/nats/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/nats/env-vars.mdx
new file mode 100644
index 000000000..f65363752
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/nats/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: nats-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/nats_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/nats/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/nats/example-config.mdx
new file mode 100644
index 000000000..f8b2dcc1a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/nats/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: nats-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/nats.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/nats/index.md b/versioned_docs/version-7.x/dev/server/services/nats/index.md
new file mode 100644
index 000000000..ec7a19b7d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/nats/index.md
@@ -0,0 +1,11 @@
+---
+title: NATS
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/nats/info.mdx b/versioned_docs/version-7.x/dev/server/services/nats/info.mdx
new file mode 100644
index 000000000..2c994db0f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/nats/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: nats-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/nats_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/notifications/_category_.json b/versioned_docs/version-7.x/dev/server/services/notifications/_category_.json
new file mode 100644
index 000000000..6083f7897
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/notifications/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Notifications",
+ "position": 22
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/notifications/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/notifications/env-vars.mdx
new file mode 100644
index 000000000..6fad47068
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/notifications/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: notifications-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/notifications_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/notifications/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/notifications/example-config.mdx
new file mode 100644
index 000000000..365806916
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/notifications/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: notifications-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/notifications.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/notifications/index.md b/versioned_docs/version-7.x/dev/server/services/notifications/index.md
new file mode 100644
index 000000000..7796028a3
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/notifications/index.md
@@ -0,0 +1,11 @@
+---
+title: Notifications
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/notifications/info.mdx b/versioned_docs/version-7.x/dev/server/services/notifications/info.mdx
new file mode 100644
index 000000000..baeb23fc3
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/notifications/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: notifications-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/notifications_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/ocm/_category_.json b/versioned_docs/version-7.x/dev/server/services/ocm/_category_.json
new file mode 100644
index 000000000..0b3e0e623
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocm/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Ocm",
+ "position": 24
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/ocm/create-share-flow.md b/versioned_docs/version-7.x/dev/server/services/ocm/create-share-flow.md
new file mode 100644
index 000000000..edf31fe31
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocm/create-share-flow.md
@@ -0,0 +1,60 @@
+---
+title: Create Share Flow
+sidebar_position: 2
+---
+
+Ths diagram illustrates the flow of creating a share from Instance A to Instance B using the OCM (Open Cloud Mesh) protocol.
+
+```mermaid
+sequenceDiagram
+box Instance A
+participant osp as ocmsharesprovider
+participant gwa as Gateway A
+participant httpa as ocs
+end
+actor usera as User A
+box Instance B
+participant httpb as ocmd
+participant gwb as Gateway B
+participant ocmc as OCMCore
+end
+
+ Note over usera: A shares a resource with B
+ usera->>+httpa: CreateShare
+ httpa->>+gwa: GetInfoByDomain
+ Note left of gwa: GetInfoByDomain (ocmproviderauthorizer)
+ gwa-->>-httpa: return
+
+ httpa->>+gwa: GetAcceptedUser
+ Note left of gwa: GetAcceptedUser (ocminvitemanager)
+ gwa-->>-httpa: return
+
+ httpa->>+gwa: CreateOCMShare
+ gwa->>+osp: CreateOCMShare
+ osp->>+gwa: Stat
+ gwa-->>-osp: return
+
+ Note left of osp: store share in repo
+
+ osp->>+httpb: POST /shares
+ httpb->>+gwb: IsProviderAllowed
+ Note right of gwb: IsProviderAllowed (ocmproviderauthorizer)
+ gwb-->>-httpb: return
+
+ httpb->>+gwb: GetUser
+ Note right of gwb: GetUser (userprovider)
+ gwb-->>-httpb: return
+
+ httpb->>+gwb: CreateOCMCoreShare
+ gwb->>+ocmc: CreateOCMCoreShare
+ Note right of ocmc: StoreReceivedShare
+ ocmc-->>-gwb: return
+ gwb-->>-httpb: return
+ httpb-->>-osp: return
+ osp-->>-gwa: return
+ gwa-->>-httpa: return
+ httpa->>+gwa: Stat
+ Note left of gwa: Stat (storageprovider)
+ gwa-->>-httpa: return
+ httpa-->>-usera: return
+```
diff --git a/versioned_docs/version-7.x/dev/server/services/ocm/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/ocm/env-vars.mdx
new file mode 100644
index 000000000..7fbe80a75
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocm/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 3
+id: ocm-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/ocm_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/ocm/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/ocm/example-config.mdx
new file mode 100644
index 000000000..bd89699a5
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocm/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 4
+id: ocm-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/ocm.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/ocm/index.md b/versioned_docs/version-7.x/dev/server/services/ocm/index.md
new file mode 100644
index 000000000..fb50d5474
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocm/index.md
@@ -0,0 +1,11 @@
+---
+title: OCM
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/ocm/info.mdx b/versioned_docs/version-7.x/dev/server/services/ocm/info.mdx
new file mode 100644
index 000000000..575a80221
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocm/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: ocm-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/ocm_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/ocm/invitation-flow.md b/versioned_docs/version-7.x/dev/server/services/ocm/invitation-flow.md
new file mode 100644
index 000000000..2f88c8330
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocm/invitation-flow.md
@@ -0,0 +1,50 @@
+---
+title: Invitation Flow
+sidebar_position: 2
+---
+
+This diagram illustrates the flow of creating and accepting an invitation token between two instances (A and B) in a federated environment.
+
+```mermaid
+sequenceDiagram
+box Instance A
+participant ima as InviteManager A
+participant gwa as Gateway A
+participant httpa as HTTP Api A (ocm, sm)
+end
+actor usera as User A
+actor userb as User B
+box Instance B
+participant httpb as HTTP Api B (ocm, sm)
+participant gwb as Gateway B
+participant imb as InviteManager B
+end
+
+ Note over usera: A creates invitation token
+ usera->>+httpa: POST /generate-invite (sciencemesh)
+ httpa->>+gwa: GenerateInviteToken
+ gwa->>+ima: GenerateInviteToken
+ Note left of ima: store token in repo
+ ima-->>-gwa: return token
+ gwa-->>-httpa: return token
+ httpa-->>-usera: return token
+
+ Note over usera,userb: A passes token to B
+
+ Note over userb: B accepts invitation
+ userb->>+httpb: POST /accept-invite (sciencemesh)
+ httpb->>+gwb: ForwardInvite
+ gwb->>+imb: ForwardInvite
+ imb->>+httpa: POST /invite-accepted (ocm)
+ httpa->>+gwa: AcceptInvite
+ gwa->>+ima: AcceptInvite
+ Note left of ima: get token from repo
+ Note left of ima: add remote user
+ ima-->>-gwa: return
+ gwa-->>-httpa: return remote user
+ httpa->>-imb: return remote user
+ Note right of imb: add remote user
+ imb-->>-gwb: return
+ gwb-->>-httpb: return
+ httpb-->>-userb: return
+```
diff --git a/versioned_docs/version-7.x/dev/server/services/ocs/_category_.json b/versioned_docs/version-7.x/dev/server/services/ocs/_category_.json
new file mode 100644
index 000000000..c31abfc7c
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocs/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Ocs",
+ "position": 25
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/ocs/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/ocs/env-vars.mdx
new file mode 100644
index 000000000..85be8b55b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocs/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: ocs-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/ocs_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/ocs/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/ocs/example-config.mdx
new file mode 100644
index 000000000..98d4dde3d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocs/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: ocs-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/ocs.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/ocs/index.md b/versioned_docs/version-7.x/dev/server/services/ocs/index.md
new file mode 100644
index 000000000..424a11e61
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocs/index.md
@@ -0,0 +1,11 @@
+---
+title: OCS
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/ocs/info.mdx b/versioned_docs/version-7.x/dev/server/services/ocs/info.mdx
new file mode 100644
index 000000000..b1169769b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/ocs/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: ocs-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/ocs_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/policies/_category_.json b/versioned_docs/version-7.x/dev/server/services/policies/_category_.json
new file mode 100644
index 000000000..eaa510255
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/policies/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Policies",
+ "position": 26
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/policies/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/policies/env-vars.mdx
new file mode 100644
index 000000000..226a656fb
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/policies/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: policies-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/policies_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/policies/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/policies/example-config.mdx
new file mode 100644
index 000000000..e8024fa6a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/policies/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: policies-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/policies.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/policies/index.md b/versioned_docs/version-7.x/dev/server/services/policies/index.md
new file mode 100644
index 000000000..2b3332cb4
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/policies/index.md
@@ -0,0 +1,11 @@
+---
+title: Policies
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/policies/info.mdx b/versioned_docs/version-7.x/dev/server/services/policies/info.mdx
new file mode 100644
index 000000000..33c91ddc9
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/policies/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: policies-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/policies_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/postprocessing/_category_.json b/versioned_docs/version-7.x/dev/server/services/postprocessing/_category_.json
new file mode 100644
index 000000000..d5ef775d7
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/postprocessing/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Postprocessing",
+ "position": 27
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/postprocessing/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/postprocessing/env-vars.mdx
new file mode 100644
index 000000000..190900222
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/postprocessing/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: postprocessing-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/postprocessing_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/postprocessing/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/postprocessing/example-config.mdx
new file mode 100644
index 000000000..42daa4094
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/postprocessing/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: postprocessing-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/postprocessing.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/postprocessing/index.md b/versioned_docs/version-7.x/dev/server/services/postprocessing/index.md
new file mode 100644
index 000000000..4829ede37
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/postprocessing/index.md
@@ -0,0 +1,11 @@
+---
+title: Postprocessing
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/postprocessing/info.mdx b/versioned_docs/version-7.x/dev/server/services/postprocessing/info.mdx
new file mode 100644
index 000000000..00ea80a2e
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/postprocessing/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: postprocessing-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/postprocessing_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/proxy/_category_.json b/versioned_docs/version-7.x/dev/server/services/proxy/_category_.json
new file mode 100644
index 000000000..962d7127c
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/proxy/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Proxy",
+ "position": 28
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/proxy/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/proxy/env-vars.mdx
new file mode 100644
index 000000000..40e5e6541
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/proxy/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: proxy-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/proxy_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/proxy/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/proxy/example-config.mdx
new file mode 100644
index 000000000..483c28a71
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/proxy/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: proxy-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/proxy.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/proxy/index.md b/versioned_docs/version-7.x/dev/server/services/proxy/index.md
new file mode 100644
index 000000000..cab5cc122
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/proxy/index.md
@@ -0,0 +1,11 @@
+---
+title: Proxy
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/proxy/info.mdx b/versioned_docs/version-7.x/dev/server/services/proxy/info.mdx
new file mode 100644
index 000000000..098d544cd
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/proxy/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: proxy-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/proxy_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/search/_category_.json b/versioned_docs/version-7.x/dev/server/services/search/_category_.json
new file mode 100644
index 000000000..a24d93a51
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/search/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Search",
+ "position": 29
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/search/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/search/env-vars.mdx
new file mode 100644
index 000000000..beab455a5
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/search/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: search-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/search_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/search/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/search/example-config.mdx
new file mode 100644
index 000000000..7ee18a7b8
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/search/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: search-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/search.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/search/index.md b/versioned_docs/version-7.x/dev/server/services/search/index.md
new file mode 100644
index 000000000..7bd32849a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/search/index.md
@@ -0,0 +1,11 @@
+---
+title: Search
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/search/info.mdx b/versioned_docs/version-7.x/dev/server/services/search/info.mdx
new file mode 100644
index 000000000..df856e68b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/search/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: search-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/search_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/settings/_category_.json b/versioned_docs/version-7.x/dev/server/services/settings/_category_.json
new file mode 100644
index 000000000..28b92e258
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/settings/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Settings",
+ "position": 30
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/settings/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/settings/env-vars.mdx
new file mode 100644
index 000000000..3dbb86da0
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/settings/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: settings-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/settings_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/settings/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/settings/example-config.mdx
new file mode 100644
index 000000000..7ea23e207
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/settings/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: settings-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/settings.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/settings/index.md b/versioned_docs/version-7.x/dev/server/services/settings/index.md
new file mode 100644
index 000000000..6c9cafd68
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/settings/index.md
@@ -0,0 +1,11 @@
+---
+title: Settings
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/settings/info.mdx b/versioned_docs/version-7.x/dev/server/services/settings/info.mdx
new file mode 100644
index 000000000..705c8f463
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/settings/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: settings-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/settings_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/sharing/_category_.json b/versioned_docs/version-7.x/dev/server/services/sharing/_category_.json
new file mode 100644
index 000000000..f2c612a47
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sharing/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Sharing",
+ "position": 31
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/sharing/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/sharing/env-vars.mdx
new file mode 100644
index 000000000..b42522e15
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sharing/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: sharing-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/sharing_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/sharing/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/sharing/example-config.mdx
new file mode 100644
index 000000000..69fdf0c80
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sharing/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: sharing-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/sharing.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/sharing/index.md b/versioned_docs/version-7.x/dev/server/services/sharing/index.md
new file mode 100644
index 000000000..05ca5eccc
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sharing/index.md
@@ -0,0 +1,11 @@
+---
+title: Sharing
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/sse/_category_.json b/versioned_docs/version-7.x/dev/server/services/sse/_category_.json
new file mode 100644
index 000000000..cd9dcebad
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sse/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Sse",
+ "position": 32
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/sse/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/sse/env-vars.mdx
new file mode 100644
index 000000000..bd166e333
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sse/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: sse-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/sse_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/sse/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/sse/example-config.mdx
new file mode 100644
index 000000000..f27cb4504
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sse/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: sse-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/sse.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/sse/index.md b/versioned_docs/version-7.x/dev/server/services/sse/index.md
new file mode 100644
index 000000000..aa6d30132
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sse/index.md
@@ -0,0 +1,11 @@
+---
+title: SSE
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/sse/info.mdx b/versioned_docs/version-7.x/dev/server/services/sse/info.mdx
new file mode 100644
index 000000000..b278a67f7
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/sse/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: sse-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/sse_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-publiclink/_category_.json b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/_category_.json
new file mode 100644
index 000000000..79ffd1e27
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Storage-publiclink",
+ "position": 33
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-publiclink/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/env-vars.mdx
new file mode 100644
index 000000000..14b77ac66
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: storage-publiclink-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/storage-publiclink_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-publiclink/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/example-config.mdx
new file mode 100644
index 000000000..11cc1af96
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: storage-publiclink-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/storage-publiclink.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-publiclink/index.md b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/index.md
new file mode 100644
index 000000000..f5189e75e
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-publiclink/index.md
@@ -0,0 +1,11 @@
+---
+title: Storage Publiclink
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-shares/_category_.json b/versioned_docs/version-7.x/dev/server/services/storage-shares/_category_.json
new file mode 100644
index 000000000..a2a7ff964
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-shares/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Storage-shares",
+ "position": 34
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-shares/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/storage-shares/env-vars.mdx
new file mode 100644
index 000000000..5f2c51aaa
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-shares/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: storage-shares-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/storage-shares_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-shares/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/storage-shares/example-config.mdx
new file mode 100644
index 000000000..4ad738725
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-shares/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: storage-shares-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/storage-shares.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-shares/index.md b/versioned_docs/version-7.x/dev/server/services/storage-shares/index.md
new file mode 100644
index 000000000..ce18ad725
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-shares/index.md
@@ -0,0 +1,11 @@
+---
+title: Storage Shares
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-system/_category_.json b/versioned_docs/version-7.x/dev/server/services/storage-system/_category_.json
new file mode 100644
index 000000000..087e60aec
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-system/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Storage-system",
+ "position": 35
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-system/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/storage-system/env-vars.mdx
new file mode 100644
index 000000000..86314cb69
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-system/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: storage-system-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/storage-system_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-system/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/storage-system/example-config.mdx
new file mode 100644
index 000000000..4e1e8ba39
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-system/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: storage-system-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/storage-system.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-system/index.md b/versioned_docs/version-7.x/dev/server/services/storage-system/index.md
new file mode 100644
index 000000000..e8f0d9213
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-system/index.md
@@ -0,0 +1,11 @@
+---
+title: Storage System
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-system/info.mdx b/versioned_docs/version-7.x/dev/server/services/storage-system/info.mdx
new file mode 100644
index 000000000..c568358cf
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-system/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: storage-system-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/storage-system_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-users/_category_.json b/versioned_docs/version-7.x/dev/server/services/storage-users/_category_.json
new file mode 100644
index 000000000..b5afad376
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-users/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Storage-users",
+ "position": 36
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-users/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/storage-users/env-vars.mdx
new file mode 100644
index 000000000..f8bd679a4
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-users/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: storage-users-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/storage-users_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-users/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/storage-users/example-config.mdx
new file mode 100644
index 000000000..0024e7c1f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-users/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: storage-users-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/storage-users.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-users/index.md b/versioned_docs/version-7.x/dev/server/services/storage-users/index.md
new file mode 100644
index 000000000..713c617ab
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-users/index.md
@@ -0,0 +1,11 @@
+---
+title: Storage Users
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/storage-users/info.mdx b/versioned_docs/version-7.x/dev/server/services/storage-users/info.mdx
new file mode 100644
index 000000000..40b20bb52
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/storage-users/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: storage-users-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/storage-users_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/thumbnails/_category_.json b/versioned_docs/version-7.x/dev/server/services/thumbnails/_category_.json
new file mode 100644
index 000000000..123d2454a
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/thumbnails/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Thumbnails",
+ "position": 37
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/thumbnails/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/thumbnails/env-vars.mdx
new file mode 100644
index 000000000..c2880e21e
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/thumbnails/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: thumbnails-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/thumbnails_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/thumbnails/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/thumbnails/example-config.mdx
new file mode 100644
index 000000000..94086ef13
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/thumbnails/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: thumbnails-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/thumbnails.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/thumbnails/index.md b/versioned_docs/version-7.x/dev/server/services/thumbnails/index.md
new file mode 100644
index 000000000..00b807602
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/thumbnails/index.md
@@ -0,0 +1,11 @@
+---
+title: Thumbnails
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/thumbnails/info.mdx b/versioned_docs/version-7.x/dev/server/services/thumbnails/info.mdx
new file mode 100644
index 000000000..111cc4bdb
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/thumbnails/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: thumbnails-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/thumbnails_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/userlog/_category_.json b/versioned_docs/version-7.x/dev/server/services/userlog/_category_.json
new file mode 100644
index 000000000..ff7efe7d7
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/userlog/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Userlog",
+ "position": 38
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/userlog/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/userlog/env-vars.mdx
new file mode 100644
index 000000000..1788b7b68
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/userlog/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: userlog-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/userlog_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/userlog/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/userlog/example-config.mdx
new file mode 100644
index 000000000..245a53282
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/userlog/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: userlog-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/userlog.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/userlog/index.md b/versioned_docs/version-7.x/dev/server/services/userlog/index.md
new file mode 100644
index 000000000..bd56f2383
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/userlog/index.md
@@ -0,0 +1,11 @@
+---
+title: User Log
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/userlog/info.mdx b/versioned_docs/version-7.x/dev/server/services/userlog/info.mdx
new file mode 100644
index 000000000..8417669d9
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/userlog/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: userlog-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/userlog_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/users/_category_.json b/versioned_docs/version-7.x/dev/server/services/users/_category_.json
new file mode 100644
index 000000000..d4a77d51c
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/users/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Users",
+ "position": 39
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/users/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/users/env-vars.mdx
new file mode 100644
index 000000000..2c45e122b
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/users/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: users-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/users_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/users/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/users/example-config.mdx
new file mode 100644
index 000000000..d6f1ad231
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/users/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: users-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/users.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/users/index.md b/versioned_docs/version-7.x/dev/server/services/users/index.md
new file mode 100644
index 000000000..6366a6c91
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/users/index.md
@@ -0,0 +1,11 @@
+---
+title: Users
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/web/_category_.json b/versioned_docs/version-7.x/dev/server/services/web/_category_.json
new file mode 100644
index 000000000..d7ceec044
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/web/_category_.json
@@ -0,0 +1,5 @@
+{
+ "label": "Web",
+ "position": 40,
+ "key": "dev-server-services-web"
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/web/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/web/env-vars.mdx
new file mode 100644
index 000000000..92815fdb2
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/web/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: web-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/web_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/web/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/web/example-config.mdx
new file mode 100644
index 000000000..3d990b6f5
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/web/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: web-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/web.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/web/index.md b/versioned_docs/version-7.x/dev/server/services/web/index.md
new file mode 100644
index 000000000..fc17a62a5
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/web/index.md
@@ -0,0 +1,11 @@
+---
+title: Web
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/web/info.mdx b/versioned_docs/version-7.x/dev/server/services/web/info.mdx
new file mode 100644
index 000000000..a77363ee9
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/web/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: web-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/web_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/webdav/_category_.json b/versioned_docs/version-7.x/dev/server/services/webdav/_category_.json
new file mode 100644
index 000000000..01a700a55
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webdav/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Webdav",
+ "position": 41
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/webdav/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/webdav/env-vars.mdx
new file mode 100644
index 000000000..603c83c91
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webdav/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: webdav-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/webdav_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/webdav/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/webdav/example-config.mdx
new file mode 100644
index 000000000..318009d56
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webdav/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: webdav-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/webdav.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/webdav/index.md b/versioned_docs/version-7.x/dev/server/services/webdav/index.md
new file mode 100644
index 000000000..dbac327b0
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webdav/index.md
@@ -0,0 +1,11 @@
+---
+title: WebDAV
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/webdav/info.mdx b/versioned_docs/version-7.x/dev/server/services/webdav/info.mdx
new file mode 100644
index 000000000..55a046fae
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webdav/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: webdav-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/webdav_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/webfinger/_category_.json b/versioned_docs/version-7.x/dev/server/services/webfinger/_category_.json
new file mode 100644
index 000000000..b0e2debbb
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webfinger/_category_.json
@@ -0,0 +1,4 @@
+{
+ "label": "Webfinger",
+ "position": 42
+}
diff --git a/versioned_docs/version-7.x/dev/server/services/webfinger/env-vars.mdx b/versioned_docs/version-7.x/dev/server/services/webfinger/env-vars.mdx
new file mode 100644
index 000000000..7ea2aa56f
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webfinger/env-vars.mdx
@@ -0,0 +1,12 @@
+---
+sidebar_position: 2
+id: webfinger-envvars
+slug: environment-variables
+title: Environment Variables
+---
+
+import Envvars from '../../../../_static/env-vars/webfinger_configvars.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/webfinger/example-config.mdx b/versioned_docs/version-7.x/dev/server/services/webfinger/example-config.mdx
new file mode 100644
index 000000000..93aff1b00
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webfinger/example-config.mdx
@@ -0,0 +1,11 @@
+---
+sidebar_position: 3
+id: webfinger-example
+slug: yaml-config
+title: Yaml Config
+---
+
+import yamlContent from '!!raw-loader!../../../../_static/env-vars/webfinger.yaml';
+import CodeBlock from '@theme/CodeBlock';
+
+{yamlContent}
diff --git a/versioned_docs/version-7.x/dev/server/services/webfinger/index.md b/versioned_docs/version-7.x/dev/server/services/webfinger/index.md
new file mode 100644
index 000000000..5bdf388dd
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webfinger/index.md
@@ -0,0 +1,11 @@
+---
+title: Webfinger
+sidebar_position: 1
+---
+
+import DocCardList from '@theme/DocCardList';
+import ServiceOverview from '@site/static/templates/service-overview.md';
+
+
+
+
diff --git a/versioned_docs/version-7.x/dev/server/services/webfinger/info.mdx b/versioned_docs/version-7.x/dev/server/services/webfinger/info.mdx
new file mode 100644
index 000000000..7b79b388d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/server/services/webfinger/info.mdx
@@ -0,0 +1,10 @@
+---
+sidebar_position: 1
+id: webfinger-info
+slug: information
+title: General Information
+---
+
+import Info from '../../../../_static/env-vars/webfinger_readme.md';
+
+
diff --git a/versioned_docs/version-7.x/dev/web/_category_.json b/versioned_docs/version-7.x/dev/web/_category_.json
new file mode 100644
index 000000000..7d5a81e22
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/web/_category_.json
@@ -0,0 +1,5 @@
+{
+ "label": "Web",
+ "position": 3,
+ "key": "dev-web"
+}
diff --git a/versioned_docs/version-7.x/dev/web/design-system.md b/versioned_docs/version-7.x/dev/web/design-system.md
new file mode 100644
index 000000000..fcc0445fd
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/web/design-system.md
@@ -0,0 +1,6 @@
+---
+title: Design System
+sidebar_position: 6
+---
+
+The design system documentation can be found here.
diff --git a/versioned_docs/version-7.x/dev/web/development/_category_.json b/versioned_docs/version-7.x/dev/web/development/_category_.json
new file mode 100644
index 000000000..5bed99fc3
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/web/development/_category_.json
@@ -0,0 +1,9 @@
+{
+ "label": "Development",
+ "position": 2,
+ "link": {
+ "type": "generated-index",
+ "description": "\uD83D\uDC69\u200D\uD83D\uDCBB Development",
+ "slug": "dev/web/development/"
+ }
+}
diff --git a/versioned_docs/version-7.x/dev/web/development/conventions.md b/versioned_docs/version-7.x/dev/web/development/conventions.md
new file mode 100644
index 000000000..c6fb493ab
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/web/development/conventions.md
@@ -0,0 +1,57 @@
+---
+title: 'Conventions'
+sidebar_position: 3
+id: conventions
+---
+
+This is a collection of tips and conventions to follow when working on the [OpenCloud Web frontend](https://github.com/opencloud-eu/web).
+Since it is a living document, please open a PR if you find something missing.
+
+## Contributing to OpenCloud Web
+
+Everyone is invited to contribute. Simply fork the [codebase](https://github.com/opencloud-eu/web/),
+check the [issues](https://github.com/opencloud-eu/web/issues?q=is%3Aopen%20is%3Aissue%20label%3AType%3AGood-First-Issue)
+for a suitable one and open a pull request!
+
+### Formal checks
+
+To make sure your pull request can be efficiently reviewed and won't need a lot of changes down the road, please run all formal checks (linter, formatter, type checks and unit tests) via `pnpm check:all` locally. Our [CI](https://ci.opencloud.eu/repos/6) will run on
+pull requests and report back any problems after that. For a further introduction on how we handle testing, please head to
+the [testing docs](../testing/running-tests).
+
+## Code Conventions
+
+### Early Returns
+
+We're trying to stick with early returns in our code to make it more performant and simpler to reason about it.
+
+### Translations
+
+Use `$gettext` (or a variation of it) inside HTML tags (instead of a `` or similar) in order to translate strings.
+
+### TypeScript
+
+We're using TypeScript which allows us to catch bugs at transpile time. Clean types make sure our IDEs can support us in reasoning about our ever-growing, complex codebase.
+
+### Composition API and script setup
+
+We prefer using Vue's Composition API in combination with [script setup](https://vuejs.org/api/sfc-script-setup) over the traditional options API. This integrates nicely with TypeScript and allows us to use composables and reactive APIs more effectively.
+
+That being said, due to the fact that we are still in the process of migrating our codebase, you might find some files using the options API or even composition API without script setup. We are working on this and will eventually migrate all files.
+
+### Composables
+
+We make heavy use of composables to encapsulate reusable logic. This allows us to share code between components and keep our components clean and focused on their specific tasks.
+
+### Split large components
+
+If a component is getting too big, consider splitting it into smaller components. This will make it easier to read and maintain. A good rule of thumb is to keep components under 300 lines of code.
+
+### Services
+
+We try to avoid services when possible and rather use composables instead. If writing a service is necessary, it should be instantiated once via the `web-runtime` package and then made available via a `useYourService` composable.
+
+### Dependencies
+
+To keep the bundle size small and reduce the risk of introducing security problems for our users, we try to limit
+the amount of dependencies in our code base and keep them as up-to-date as possible.
diff --git a/versioned_docs/version-7.x/dev/web/development/repo-structure.md b/versioned_docs/version-7.x/dev/web/development/repo-structure.md
new file mode 100644
index 000000000..f25797b44
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/web/development/repo-structure.md
@@ -0,0 +1,124 @@
+---
+title: 'Repo structure and (published) packages'
+sidebar_position: 2
+id: repo-structure
+---
+
+## Repository Structure
+
+From a developer's perspective, the most important parts of the [OpenCloud Web repo](https://github.com/opencloud-eu/web) are the following files and folders:
+
+### dev Folder and docker-compose.yml File
+
+The `/dev` folder contains all the configuration files that are needed in the `docker-compose.yml` file. This docker compose stack
+contains all the backend and testing related infrastructure that is needed for an out-of-the-box usable localhost development setup,
+as described in the [tooling section](./tooling).
+
+### packages Folder
+
+We're using the [OpenCloud Web repo](https://github.com/opencloud-eu/web) as a mono repo. It contains a variety of packages. Some of them get
+published to [npmjs.com](https://npmjs.com), others define the core packages, apps and extensions that are the foundation of
+the `OpenCloud Web` release artifact.
+
+Having these packages side by side within the `/packages` folder of the repo is possible because of a `pnpm` feature called `Workspaces`. You can learn more about that by visiting the [pnpm docs](https://pnpm.io/workspaces).
+
+### tests Folder
+
+We're using [Playwright](https://playwright.dev) for UI testing. The UI tests are located in `/tests/e2e`. You can read more about testing in our [testing docs](../testing/running-tests).
+
+### package.json File
+
+This is probably no surprise: the root level `package.json` file defines the project information, build scripts, dependencies and some more details.
+Each package in `/packages` can and most likely will contain another `package.json` which does the same for the respective package.
+
+### vite.config.ts
+
+We're working with [Vite](https://vitejs.dev) as a local development server and build tool. `vite.config.ts` is the main configuration file for that.
+You can read more about the usage in our [tooling section](./tooling).
+
+## Packages
+
+Each package in the `/packages` folder can - not exclusively, but most commonly - consist of
+
+- source code (`/src`),
+- unit tests (`/tests`),
+- translations (`/l10n`) and
+- a `package.json` file for package specific details and dependencies.
+
+### Code Style and Build Config
+
+Some of our packages in `/packages` are pure helper packages which ensure a common code style and build configuration for all our
+internal (mono repo) and external packages. We encourage you to make use of the very same packages. This helps the community
+understand code more easily, even when coming from different developers or vendors in the OpenCloud Web ecosystem.
+
+Namely those packages are
+
+- `/packages/eslint-config`
+- `/packages/extension-sdk`
+- `/packages/prettier-config`
+- `/packages/tsconfig`
+
+### OpenCloud Design System
+
+The OpenCloud Design System (`/packages/design-system`) is a collection of components, design tokens and styles which ensure a
+unique and consistent look and feel and branding throughout the OpenCloud Web ecosystem. We hope that you use it, too, so that your
+very own apps and extensions will blend in with all the others. Documentation and code examples can be found in
+the [design system documentation](https://docs.opencloud.eu/design-system/).
+
+The OpenCloud Design System is a standalone project that gets published on npmjs.com as [@opencloud-eu/design-system](https://www.npmjs.com/package/@opencloud-eu/design-system). Since it's bundled with OpenCloud Web, you should not bundle it with your app or extension. However, you can add it as a dev dependency for better IDE support.
+
+### web-client
+
+The client package (`/packages/web-client`) serves as an abstraction layer for the various OpenCloud APIs, like
+[LibreGraph](https://docs.opencloud.eu/apis/http/graph/), [WebDAV](https://docs.opencloud.eu/server/next/developer_manual/webdav_api/) and
+[OCS](https://docs.opencloud.eu/server/next/developer_manual/core/apis/ocs-capabilities.html). The package provides TypeScript
+interfaces for various entities (like files, folders, shares and spaces) and makes sure that raw API responses are properly
+transformed so that you can deal with more useful objects. The web-client package gets published
+on npmjs.com as [@opencloud-eu/web-client](https://www.npmjs.com/package/@opencloud-eu/web-client).
+
+Dedicated documentation for the `web-client` package is not available, yet, since our extension system is still work in progress. However, the package's [README.md](https://github.com/opencloud-eu/web/blob/main/packages/web-client/README.md) gives you a few examples on how to use it.
+
+### web-pkg
+
+The web-pkg package (`/packages/web-pkg`) is a collection of opinionated components, composables, types and other helpers that aim
+at making your app and extension developer experience as easy and seamless as possible. The web-pkg package gets published on
+npmjs.com as [@opencloud-eu/web-pkg](https://www.npmjs.com/package/@opencloud-eu/web-pkg).
+
+Dedicated documentation for the `web-pkg` package is not available, yet, since our extension system is still work in progress.
+
+### web-runtime
+
+At the very heart of OpenCloud Web, the `web-runtime` is responsible for dependency injection, app bootstrapping, configuration,
+authentication, data preloading and much more.
+It is very likely that you will never get in touch with it as most of the developer-facing features are exposed via `web-pkg`. If you
+have more questions about this package, please write an issue in our [issue tracker](https://github.com/opencloud-eu/web/issues).
+
+### Standalone Core Apps
+
+The repo also includes some standalone apps which are bundled with the default OpenCloud Web release artifact.
+
+- `web-app-activities`
+- `web-app-admin-settings`
+- `web-app-app-store`
+- `web-app-files`
+- `web-app-ocm`
+- `web-app-search`
+- `web-app-webfinger`
+
+### Viewer and Editor Apps
+
+Apps which fall into the categories `viewer` or `editor` can be opened from the context of a file or folder. This mostly happens from
+within the `files` app. We currently bundle the following apps with the default OpenCloud Web release artifact:
+
+- `web-app-epub-reader` a simple reader for `.epub` files
+- `web-app-external` an iframe integration of all the apps coming from the app provider
+ (e.g. Collabora Online, OnlyOffice and others)
+- `web-app-pdf-viewer` a viewer for `.pdf` files, which relies on native PDF rendering support from the browser
+- `web-app-preview` a viewer for various media files (audio / video / image formats)
+- `web-app-text-editor` a simple editor for `.txt`, `.md` and other plain text files
+
+If you're interested in writing your own viewer or editor app for certain file types, please have a look at the [extension system docs](../extension-system/).
+
+### Testing
+
+Basic setup and helpers for unit testing lives in `web-test-helpers`. This package gets published on npmjs.com as [@opencloud-eu/web-test-helpers](https://www.npmjs.com/package/@opencloud-eu/web-test-helpers) to ensure its functionality can be used anywhere inside the OpenCloud Web ecosystem.
diff --git a/versioned_docs/version-7.x/dev/web/development/tooling.md b/versioned_docs/version-7.x/dev/web/development/tooling.md
new file mode 100644
index 000000000..7ecda429d
--- /dev/null
+++ b/versioned_docs/version-7.x/dev/web/development/tooling.md
@@ -0,0 +1,59 @@ +--- +title: 'Tooling' +sidebar_position: 1 +id: tooling +--- + +## Packaging + +Web is using [pnpm](https://pnpm.io/) as package manager and [vite](https://vitejs.dev/) as build tool. The latter is built on top of [rollup](https://rollupjs.org/) and brings some additional features such as instant hot-reloading. + +## Development Setup + +### Prerequisites + +Please make sure you have the following tools installed on your system: + +- docker +- docker-compose (if not already included in your docker installation) +- node +- pnpm (we recommend the installation via `corepack` which is included in newer node versions) + +:::note +If you’re not using Docker Desktop, you might have to modify your `/etc/hosts` and add `127.0.0.1 host.docker.internal` to make `host.docker.internal` links work. +::: + +:::note +This setup currently doesn't work on Windows out of the box. + +
+ Workaround + + One of our contributors has opened a PR to a dependency that prevents us from successfully bundling the frontend. + Feel free to check out [their changes](https://github.com/egoist/rollup-plugin-postcss/pull/384) and build them locally if you absolutely want to work on Windows. +
+::: + +### Installing Dependencies + +After cloning the source code, install the dependencies via `pnpm install`. + +### Starting the Server + +You can start the OpenCloud server by running `docker compose up opencloud -d`. If you want to run the full stack, you can run `docker compose up -d` instead. This will also start the wopi service and an instance of Collabora. + +### Building and Accessing Web + +After starting the docker containers, you can build Web by running `pnpm build:w`. This command compiles the project and includes support for hot-reloading, allowing you to see changes as you make them. However, note that the rebuild process may take some time. + +For a faster development experience, consider enabling instant hot-reloading. Details on how to set this up are provided below. + +Now you can access Web via [https://host.docker.internal:9200](https://host.docker.internal:9200). + +### Using Instant Hot-Reload via Vite + +To work with instant hot-reloading, you can also build Web by running `pnpm vite`. The port to access Web is slightly different then: [https://host.docker.internal:9201](https://host.docker.internal:9201). Also note that the initial page load may take a bit longer than usual. This is normal and to be expected. + +:::note +Make sure that you ran `pnpm build` once before starting the server with `pnpm vite`. Also, you need to accept the self-signed certificate in your browser for [https://host.docker.internal:9200](https://host.docker.internal:9200) _and_ [https://host.docker.internal:9201](https://host.docker.internal:9201). +::: diff --git a/versioned_docs/version-7.x/dev/web/embed-mode.md b/versioned_docs/version-7.x/dev/web/embed-mode.md new file mode 100644 index 000000000..ad0b32832 --- /dev/null +++ b/versioned_docs/version-7.x/dev/web/embed-mode.md 
@@ -0,0 +1,149 @@ +--- +title: 'Embed Mode' +sidebar_position: 4 +--- + +The OpenCloud Web can be consumed by another application in a stripped down version called "Embed mode". This mode is supposed to be used in the context of selecting or sharing resources. + +## Getting started + +To integrate OpenCloud Web into your application, add an iframe element pointing to your OpenCloud Web deployed instance with additional query parameter `embed=true`. + +```html + +``` + +## Communication + +To establish seamless cross-origin communication between the embedded instance and the parent application, our approach involves emitting events using the `postMessage` method. These events can be conveniently captured by utilizing the standard `window.addEventListener('message', listener)` pattern. + +### Target origin + +By default, the `postMessage` method does not specify the `targetOrigin` parameter. However, it is recommended best practice to explicitly pass in the URI of the iframe origin (not the parent application). To enhance security, you can specify this value by modifying the config option `options.embed.messagesOrigin`. + +### Events + +To maintain uniformity and ease of handling, each event encapsulates the same structure within its payload: `{ name: string, data: any }`. + +| Name | Data | Description | +| ------------------------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- | +| **opencloud-embed:select** | `Resource[]` | Gets emitted when user selects resources or location via the select action | +| **opencloud-embed:share-links** | `Array<{ url: string, password?: string }>` | Gets emitted when user shares resources via the "Share links" action. Includes passwords when applicable. | +| **opencloud-embed:share** | `string[]` | **(Deprecated)** Gets emitted when user shares resources. Use `opencloud-embed:share-links` for password support. 
| +| **opencloud-embed:cancel** | `null` | Gets emitted when user attempts to close the embedded instance via "Cancel" action | + +### Example + +```html + + + +``` + +## Location picker + +By default, the Embed mode allows users to select resources. In certain cases (e.g. uploading a file), this needs to be changed to allow selecting a location. This can be achieved by running the embed mode with additional parameter `embed-target=location`. With this parameter, resource selection is disabled and the selected resources array always includes the current folder as the only item. +In special scenarios you also want the user to set a file name, this can be achieved by adding the `embed-choose-file-name=true` parameter, or if you also want to set a default file name, you can use `embed-choose-file-name-suggestion=my file.text`. + +### Example + +```html + + + +``` + +## File picker + +The File Picker mode in OpenCloud Web is designed for embedding an interface that allows users to pick a single file. +This mode can be configured to restrict the file types that users can select. To enable the File Picker mode, you need +to include the embed-target=file query parameter in the iframe URL. Furthermore, you can specify allowed file types +using the embed-file-types parameter. The file types can be specified using file extensions, MIME types, or a +combination of both. If the embed-file-types parameter is not provided, all file types will be selectable by default. + +### Example + +```html + + + +``` + +## Delegate authentication + +If you already have a valid `access_token` that can be used to call the API from within the Embed mode and do not want to force the user to authenticate again, you can delegate the authentication. Delegating authentication will disable internal login form in OpenCloud Web and will instead use events to obtain the token and update it. 
+ +### Configuration + +To allow authentication delegation, you need to set the config option `options.embed.delegateAuthentication` to `true`. This can be achieved via query parameter `embed-delegate-authentication=true`. Because we are using the `postMessage` method to communicate across different origins, it is best practice to verify that the event originated from a known origin and not from some malicious site. We highly recommend to allow this check in production environments. You can enable it by setting the config option `options.embed.delegateAuthenticationOrigin` via query parameter `embed-delegate-authentication-origin=my-origin`. The value of this parameter will be compared against the `MessageEvent.origin` value and if they do not match, the token will be rejected. + +### Events + +#### Opening Embed mode + +As already mentioned, we're using the `postMessage` method to allow communication between the Embed mode and the parent application. When the Embed mode is opened for the first time, the user gets redirected to the `/web-oidc-callback` page where a message with payload `{ name: 'opencloud-embed:request-token', data: undefined }` is sent to request the `access_token` from the parent application. The parent application should set an event listener before opening the Embed mode and once received, it should send a message with payload `{ name: 'opencloud-embed:update-token', data: { access_token: '' } }`. Once the Embed mode receives this message, it will save the token in the application state and will automatically authenticate the user. + +:::note +When passing the token in the message payload, use only the token itself without `Bearer` string as that will be added automatically in the Embed mode. +::: + +:::note +To save unnecessary duplication of messages with only different names, the name in the message payload above is exactly the same for both the initial authentication and subsequent token updates after renewal. 
+::: + +#### Updating the token + +When authentication is delegated, the automatic renewal of the token inside of OpenCloud Web is disabled. In order to update the token, a listener is created which awaits a message with payload `{ name: 'opencloud-embed:update-token', data: { access_token: '' } }`. The token will then be replaced inside of the Embed mode automatically. diff --git a/versioned_docs/version-7.x/dev/web/extension-system/_category_.json b/versioned_docs/version-7.x/dev/web/extension-system/_category_.json new file mode 100644 index 000000000..3a3a12d9d --- /dev/null +++ b/versioned_docs/version-7.x/dev/web/extension-system/_category_.json @@ -0,0 +1,4 @@ +{ + "label": "Extension System", + "position": 5 +} diff --git a/versioned_docs/version-7.x/dev/web/extension-system/extension-types/_category_.json b/versioned_docs/version-7.x/dev/web/extension-system/extension-types/_category_.json new file mode 100644 index 000000000..29c8e97d1 --- /dev/null +++ b/versioned_docs/version-7.x/dev/web/extension-system/extension-types/_category_.json @@ -0,0 +1,4 @@ +{ + "label": "Extension Types", + "position": 2 +} diff --git a/versioned_docs/version-7.x/dev/web/extension-system/extension-types/action-extensions.md b/versioned_docs/version-7.x/dev/web/extension-system/extension-types/action-extensions.md new file mode 100644 index 000000000..d726150fc --- /dev/null +++ b/versioned_docs/version-7.x/dev/web/extension-system/extension-types/action-extensions.md 
@@ -0,0 +1,90 @@ +--- +title: 'Action extensions' +sidebar_position: 1 +id: action-extensions +--- + +## Action extension type + +Actions are one of the possible extension types. Registered actions get rendered in various places across the UI, depending on their scope and targets. + +### Configuration + +This is what the `ActionExtension` interface looks like: + +```typescript +interface ActionExtension { + id: string; + type: 'action'; + extensionPointIds?: string[]; + action: Action; // Please check the Action section below +} +``` + +For `id`, `type`, and `extensionPointIds`, please see [extension base section](../#extension-base-configuration) in the top level docs. + +#### Action + +The most important configuration options are: + +- `icon` - The icon to be displayed, can be picked from [Remix Icon](https://remixicon.com/) +- `name` - The name of the action (not displayed in the UI) +- `label` - The text to be displayed +- `route` - The string/route to navigate to. The nav item will be a `` tag. +- `href` - The URL to navigate to. The nav item will be a ``tag. +- `handler` - The action to perform upon click. The nav item will be a `