home-server/komodo/s3/versitygw/.env.sample

# Versity S3 Gateway — root credentials for the flat-file IAM backend.
# https://github.com/versity/versitygw/wiki/Quickstart
#
# Local: copy to `.env` next to compose.yaml (or set `run_directory` to this folder
# in Komodo) so `docker compose` can interpolate `${ROOT_ACCESS_KEY}` etc.
#
# Komodo: Stack Environment is written to `<run_directory>/.env` and passed as
# `--env-file` — that drives `${VAR}` in compose.yaml. Set **one** pair using exact
# names (leave the other pair unset / empty):
# ROOT_ACCESS_KEY + ROOT_SECRET_KEY
# ROOT_ACCESS_KEY_ID + ROOT_SECRET_ACCESS_KEY (Helm-style)
ROOT_ACCESS_KEY=
ROOT_SECRET_KEY=
# ROOT_ACCESS_KEY_ID=
# ROOT_SECRET_ACCESS_KEY=
# Host port mapped to the gateway (container listens on 10000).
VERSITYGW_PORT=10000
# WebUI (container listens on 8080). In Pangolin, create a *second* HTTP resource for this
# port — do not point the UI hostname at :10000 (that is S3 API only; `/` is not the SPA).
VERSITYGW_WEBUI_PORT=8080
# HTTPS URL of the *S3 API* (Pangolin resource → host :10000). **Not** the WebUI URL.
# No trailing slash. Wrong value → WebUI calls the wrong host and bucket create can 404.
# VGW_WEBUI_GATEWAYS=https://s3.example.com
VGW_WEBUI_GATEWAYS=
# Public origin of the **browser app** that calls the S3 API (no path, no trailing slash).
# Use this when the UI is on a different hostname than the API — e.g. third-party S3 consoles,
# or the built-in WebUI behind Pangolin on another host than :10000.
# Example: VGW_CORS_ALLOW_ORIGIN=https://s3-ui.pcenicni.dev
#
# VersityGW maps the browser's preflight Access-Control-Request-Headers into
# Access-Control-Allow-Headers (Authorization, X-Amz-Date, X-Amz-Content-Sha256, Content-Type, …)
# when there is **no** per-bucket CORS configuration. You do not set those headers separately here.
#
# If you used PutBucketCors on a bucket, that config replaces this fallback for that bucket: add
# the same Origin and AllowedHeader entries (or *) there, or delete bucket CORS to rely on this.
# VGW_CORS_ALLOW_ORIGIN=https://s3-ui.example.com
VGW_CORS_ALLOW_ORIGIN=
# --- Pangolin (edge) vs Versity CORS ---
# If VGW_CORS_ALLOW_ORIGIN is correct but the browser still says CORS failed, the edge often
# never returns Versity's Access-Control-* headers: Pangolin can answer OPTIONS / block preflight
# before Newt reaches :10000. S3 clients send OPTIONS without SigV4 auth; Pangolin SSO or
# "authorization" on the HTTP resource can reject that (see https://github.com/fosrl/pangolin/issues/2369).
# Mitigations: make the **S3 API** hostname resource public (no Pangolin auth on that resource),
# or add a rule that allows OPTIONS to pass through when Pangolin supports method-based rules;
# confirm with: curl -sv -X OPTIONS -H "Origin: https://your-s3-ui" -H "Access-Control-Request-Method: PUT" \
# -H "Access-Control-Request-Headers: authorization,content-type" "https://your-s3-api-host/" 2>&1 | head -40
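To read the curl capture above without eyeballing it, here is an added helper (not part of this repo or of VersityGW) that classifies the saved `curl -sv ... 2>&1` output: an empty result means the gateway answered the preflight with CORS headers covering the request, anything else points at the edge intercepting OPTIONS or at a VGW_CORS_ALLOW_ORIGIN / per-bucket CORS mismatch. The two sample responses, the origin and the requested header list are constructed values, not real gateway or Pangolin output.

```python
"""Classify a preflight capture from the curl -sv command above: [] means the gateway
answered with CORS headers covering the request; otherwise the findings say what failed."""
import sys

ORIGIN = "https://s3-ui.example.com"          # must equal VGW_CORS_ALLOW_ORIGIN
REQ_HEADERS = ["authorization", "content-type"]

# Constructed samples, not real output: gateway reached vs. edge answering OPTIONS itself.
SAMPLE_GATEWAY = """< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: https://s3-ui.example.com
< Access-Control-Allow-Methods: GET, PUT, POST, DELETE, HEAD
< Access-Control-Allow-Headers: authorization, content-type
"""
SAMPLE_EDGE = """< HTTP/1.1 302 Found
< Location: https://auth.example.com/login
"""

def parse_response(text):
    """Return (status, {header-lower: value}) of the last response in the capture."""
    status, headers = None, {}
    for raw in text.splitlines():
        if raw.startswith(("> ", "* ")):            # curl's request and debug lines
            continue
        line = (raw[2:] if raw.startswith("< ") else raw).strip()
        if line.startswith("HTTP/"):
            status, headers = int(line.split()[1]), {}   # redirect chain: keep the last
        elif status is not None and ":" in line:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
    return status, headers

def check_preflight(text, origin=ORIGIN, req_headers=REQ_HEADERS):
    """Return findings for one captured OPTIONS response; an empty list is a pass."""
    status, h = parse_response(text)
    findings = []
    if status is None or not 200 <= status < 300:
        findings.append(f"status {status}: preflight rejected or redirected before the gateway")
    acao = h.get("access-control-allow-origin")
    if acao is None:                                  # Pangolin auth/SSO answered, not Versity
        return findings + ["no Access-Control-Allow-Origin: gateway CORS headers never returned"]
    if acao not in ("*", origin):
        findings.append(f"Access-Control-Allow-Origin is {acao!r}, expected {origin}")
    allowed = {x.strip().lower() for x in h.get("access-control-allow-headers", "").split(",")}
    missing = [x for x in req_headers if x.lower() not in allowed and "*" not in allowed]
    if missing:                                       # per-bucket CORS replacing the fallback?
        findings.append("Access-Control-Allow-Headers missing " + ", ".join(missing))
    return findings

if __name__ == "__main__":                            # curl -sv ... 2>&1 | python3 check_preflight.py
    print("\n".join(check_preflight(sys.stdin.read()) or ["OK: answered by the gateway"]))
```

Pipe the curl output from the comment above into the script, with ORIGIN set to your real VGW_CORS_ALLOW_ORIGIN value.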
# NFS: object metadata defaults to xattrs; most NFS mounts need sidecar mode
# (compose.yaml uses --sidecar /data/sidecar). Create the host path, e.g.
# mkdir -p /mnt/nfs/versity/sidecar
# Or use NFSv4.2 with xattr support and remove --sidecar from compose if you prefer.