################################################################################
## Intro
################################################################################
#
# This file contains the bulk of detail on configuring your
# Enterprise Nucleus Server stack, right next to configuration parameters
# described. It needs to be carefully studied in it's entirety to guarantee
# a working deployment.
#
# A lot of parameters available here can be left with their defaults, but
# some need explicit configuration. Please study the file carefully.
#
# Depending on if using SSL or not, you will need to use one of the
# following compose files to deploy your stack:
#
#    * nucleus-stack-no-ssl.yml -- or --
#    * nucleus-stack-ssl.yml
#
################################################################################
## End-User License Agreement (EULA)
################################################################################

# Uncomment to indicate your acceptance of EULA
# You can review EULA at: https://docs.omniverse.nvidia.com/eula

ACCEPT_EULA={ACCEPT_EULA}

################################################################################
## Security and implications of insecure configurations
################################################################################
#
# There are some aspects of securing your Nucleus instance one must consider:
#
# - Authentication: if not using SSO, the only accounts you will be
#   able to create will be login/password based accounts, stored locally
#   on disk in the Authentication Service's database (passwords are
#   not stored plain text, however, this is still sub-optimal).
#
#   We recommend relying on a SAML SSO provider for your authentication needs.
#
# - Transport: if not configuring SSL, all traffic between your Clients
#   and this Nucleus instance will be plain text, potentially making
#   it visible to anyone on the network. This includes passwords transmitted
#   as plain text for non-SSO accounts.
#
#   To be flexible and lower the barrier for entry, we allow you to configure
#   this stack however you please, including not enforcing security.  For example,
#   there are situations where an easy setup is preferable for quick tests.
#
#   Please review your security posture carefully, and uncomment the
#   following to indicate your understanding of security implications of
#   your deployment, however you have configured it.
#
SECURITY_REVIEWED={SECURITY_REVIEWED}

################################################################################
## Required endpoints configuration
################################################################################
#
# You MUST set SERVER_IP_OR_HOST.
#
# General caveats and gotchas:
# ----------------------------
#
#   * DO NOT use 127.0.0.1
#
#   * DO NOT use any IP from the reserved loopback range (127.0.0.0/8)
#
#   * If using hostname, make sure it does NOT resolve to a
#     loopback IP
#
#   * If using hostname, make sure it correctly resolves from ALL
#     intended clients of this server.
#
#
# For basic deployments without SSL, set this to (preferably) a hostname or
# an IP address of the server that will be used by users to access it,
# and use nucleus-stack-no-ssl.yml to stand up your stack.
#     ----------------------------
#
# If setting up an SSL stack, SERVER_IP_OR_HOST will serve as an internal
# (port-based) endpoint and must be valid for all internal clients of Nucleus,
# including Nucleus itself and your Ingress Router.
#
# Note that Ingress Router to terminate SSL is not provided with this stack.
# It is required for SSL. Configuring and deploying this stack with SSL
# will enable it to be served over SSL via an Ingress Router, but will not
# stand up the Router itself. You will have to configure it separately.

# See more documentation on the topic of SSL at
# https://docs.omniverse.nvidia.com/nucleus/ssl.

# For SSL deployments, use nucleus-stack-ssl.yml to stand up your stack.
#                      -------------------------

SERVER_IP_OR_HOST={SERVER_IP_OR_HOST}

# SSL Ingress hostname. Ignore if not using SSL. If using SSL, set this to
# hostname and port of your Ingress Router. Note that hostname must be
# the same one as used in the SSL cert of the Ingress Router.
SSL_INGRESS_HOST={REVERSE_PROXY_DOMAIN}
SSL_INGRESS_PORT=443

################################################################################
## Name your instance
################################################################################

# Instance name
INSTANCE_NAME={INSTANCE_NAME}

################################################################################
## Required passwords configuration
################################################################################

# !!!!!!!!!!!!!
# !! WARNING !!
# !!!!!!!!!!!!!
#
# Your installation will be as secure as the items below are. Please
# secure them accordingly.
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!! REVIEW AND UNDERSTAND EVERY VALUE BELOW !!!
# !!! EXPOSURE OF ANY ONE OF THEM CAN LEAD    !!!
# !!! TO YOUR AUTHENTICATION SETUP            !!!
# !!! BEING COMPROMISED                       !!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
# Master superuser ('omniverse') user's password
#
# This is the initial setting and you can change this password
# later.
#
# If you change this password using the UI, you will NOT be able to
# reset it from here. The only way to recover it would be to
# delete your accounts' db (that will delete ALL accounts),
# located in ${DATA_ROOT}/local-accounts-db/

MASTER_PASSWORD={MASTER_PASSWORD}

# Password for built-in service accounts for all services
# shipped with this stack.
#
# Authentication DB will be initialized with this password, and
# all the services will be configured to use it. Our recommendation is
# to configure this once, and not touch it.
#
# If you desire to change service accounts' password,
# use your Superuser (`omniverse`), change
# service accounts' passwords for **all** `*_service` accounts to be
# the same new password, update the value below, and restart your stack.

SERVICE_PASSWORD={SERVICE_PASSWORD}

################################################################################
## Required secrets
################################################################################

# !!!!!!!!!!!!!
# !! WARNING !!
# !!!!!!!!!!!!!
#
# Your installation will be as secure as the items below are. Please
# secure them accordingly.
#
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!! REVIEW AND UNDERSTAND EVERY VALUE BELOW !!!
# !!! EXPOSURE OF ANY ONE OF THEM CAN LEAD    !!!
# !!! TO YOUR AUTHENTICATION SETUP            !!!
# !!! BEING COMPROMISED                       !!!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
#
#
# ALL of the below secrets are required, and values provided
# are not DEFAULTS.
#
# For a quick !>INSECURE<! evaluation, a simple shell script generating these
# values is provided along with this stack,
#
# generate-sample-insecure-secrets.sh
# -----------------------------------
#
# Feel free to use it to arrive at a quick sample set;
# but MAKE SURE YOU UNDERSTAND THAT THE SAMPLE SET IS INSECURE.
#
# For any real environment, we recommend reviewing what
# generate-sample-insecure-secrets.sh does, and provisioning the same
# *type* of secrets in whichever manner is appropriate for your environment.
#
# --

# A Public-Private Keypair used for signing and validation of
# short-term session authentication tokens

AUTH_ROOT_OF_TRUST_PUB=./secrets/auth_root_of_trust.pub
AUTH_ROOT_OF_TRUST_PRI=./secrets/auth_root_of_trust.pem

# A Public-Private Keypair used for signing and validation of
# of long-term authentication and refresh tokens

AUTH_ROOT_OF_TRUST_LONG_TERM_PUB=./secrets/auth_root_of_trust_lt.pub
AUTH_ROOT_OF_TRUST_LONG_TERM_PRI=./secrets/auth_root_of_trust_lt.pem

# Salt to use when hashing passwords for built-in accounts
# in the auth service

PWD_SALT=./secrets/pwd_salt

# This token is used by other services to register with Nucleus Discovery
# service (which is later used to locate those services).
#
# Think of it as a symmetric (shared) root of trust, or just
# as a symmetric key.

DISCOVERY_REGISTRATION_TOKEN=./secrets/svc_reg_token

################################################################################
## SAML / SSO Options
################################################################################

# Only configure this section if SSO Integration is required.
# See https://docs.omniverse.nvidia.com/nucleus/sso for more details.

# Set to 1 to enable SAML SSO
USE_SAML_SSO=0

# Set this to the address of the SSO gateway you have deployed
# Port 443 can be omitted if SSO gateway is listening on it
# This will be used as SAML "SSO Issuer" parameter
SSO_GW_ADDRESS=https://my-sso-gateway.my-company.com:443/

# Metadata file for SAML SSO ("Federation Metadata XML")
# In Azure, download from Azure's Application Single Sign On Integration panel
FEDERATION_META_FILE=./saml/federation.meta.blank.xml

# Set this to "Login URL" of the SAML IDP.
# In Azure, it's copied from Azure's Application Single Sign On
# Integration panel
SAML_LOGIN_URL=

# SAML Assertion Consumer Service URL - generally, will be set to
# your full SSO gateway redirect URL
# (ie, https://my-sso-gateway.my-company.com:443/result) only if required.
#
# Leave empty by default
SAML_SSO_ACS_URL=

# SAML SSO Destination - some IDPs require that. Leave empty if not required.
#
SAML_SSO_DESTINATION=

# Adjust SAML SSO's response format here, if required
SAML_SSO_NAMEID_FORMAT=

# Name for this authentication method (to use on the Nucleus "Login" button)
SAML_SSO_NAME="My SAML SSO"

# Optional URL to an icon to be displayed on the Nucleus "Login" button
#
# If custom icon is desired, in addition to setting this variable,
# uncomment SAML_SSO_IMAGE environment variable for `nucleus-auth`
# container in your Compose file.
SAML_SSO_IMAGE=

# With SSO, it might be desireable to disable login/password fields for
# "basic", built-in, accounts, so that users won't get confused and won't
# punch in their SAML IDP credentials into login / password fields.
#
# Set this variable to False to disable those fields.
#
# Note: l/p based login window will still be accessible by replacing
# `.../login` URL of Navigator with `.../admin` when signing in.
#
CREDENTIAL_UI_VISIBLE=True


# Controls maximum size of IDP response that will be passed via bounceback
# URL to Authentication Service.
#
# Only modify this if having issues with SAML IDP integration and
# after being instructed to do so by your NVIDIA representative.
#
SAML_SSO_MAX_BOUNCEBACK_URL_LENGTH=16380

################################################################################
## Data
################################################################################

# Set this variable to where you want Nucleus Data to be.
# Make sure the right kind of disk and adequate amount of disk space is
# available.
#
# It will contain the actual data, as well as logs. File and dir names
# should be self-explanatory.
#
# If running on top of data from an older version of Nucleus, data upgrade
# may be required. Use `nucleus-upgrade-db.yml` stack
# along with this .env file to perform the upgrade.
#
# To validate internal consistency of data, use `nucleus-verify-db.yml`
# along with this .env file to run the verifier tool.
#
# IMPORTANT: Nucleus Stack must be stopped to perform verification and/or
# IMPORTANT: upgrade.

DATA_ROOT={DATA_ROOT}

################################################################################
## Backups
################################################################################

# Backups require enabling of an extra endpoint - Service API - and a sidecar
# called `nucleus-meta-dumper`.  To do so, edit the stack's .yml file
# and un-comment SERVICE_API_PORT endpoint of `nucleus-api` service, and
# `nucleus-meta-dumper` service sections.

# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
# !!! DO MAKE SURE TO PROTECT META-DUMPER's AND      !!
# !!! SERVICE API'S ENDPOINTS - THEY ARE AN          !!
# !!! ADMINISTRATIVE INTERFACE AND ARE NOT INTENDED  !!
# !!! TO BE EXPOSED TO REGULAR USERS.                !!
# !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

################################################################################
## Transport settings
################################################################################


# Enable compression of HTTP traffic from Nucleus's Large File Transfer
# (LFT) service.
#
#  * If most clients' latency to Nucleus is high, generally enabling will help
#  * Otherwise, generally disabling it will be more optimal.
#
#  If unsure, we recommend testing download speeds with compression both on and
#  off.

LFT_COMPRESSION=1

################################################################################
## Ports, network settings
################################################################################

# Nucleus API port. All Clients assume 3009. Do NOT change.
API_PORT=3009

# This port is going to be open and required only if setting up SSL.
# This will be routed to from your Ingress Router - note that you can NOT
# route requests from Ingress Router to API_PORT.
API_PORT_2=3019

# Nucleus Meta Dumper and Service API ports - required for backup tooling only
# These endpoints disabled by default, and require manual enabling in the .yml
# file of this stack. Do make sure that these ports are NOT ACCESSIBLE by anyone
# but your administrative hosts. DO NOT change their values.
META_DUMP_PORT=5555
SERVICE_API_PORT=3006

# Large File Transfer Service Port.
LFT_PORT=3030

# Web UI Port
#
# If setting up with SSL, we recommend changing this to something else
# (ie, 8080) to avoid confusion with port 80 open on the Ingress Router
WEB_PORT=8080

# Discovery Service Port. Do NOT change.
DISCOVERY_PORT=3333

# Authentication Service Ports
AUTH_PORT=3100
AUTH_LOGIN_FORM_PORT=3180

# Search Service Port
SEARCH_PORT=3400

# Tagging Service Port
TAGGING_PORT=3020

# Prometheus Metrics
METRICS_PORT=3010

# Default "internal" network for containers.
# Modify this if it conflicts with your environment.
CONTAINER_SUBNET=192.168.2.0/26

################################################################################
## Registry for containers
################################################################################

# Registry root URL
REGISTRY=nvcr.io/nvidia/omniverse

################################################################################
## Feature Flags
################################################################################

# Enables File Versioning features in Nucleus
ENABLE_VERSIONING=1

################################################################################
## Internal - do not change!
################################################################################

CORE_VERSION=113.6
DISCOVERY_VERSION=1.4.2
AUTH_VERSION=1.4.0
WEB2_VERSION=2.4.4
SEARCH_VERSION=3.0.0
THUMBNAILING_VERSION=1.4.4
TAGGING_VERSION=3.0.1