Update docs

docs/_static/env-vars/frontend_configvars.md

@@ -1,5 +1,5 @@
 
-2026-04-29-00-06-15
+2026-05-05-00-05-20
 
 ## Deprecation Notice
 

docs/_static/env-vars/global_configvars.md

@@ -2,7 +2,7 @@
 
 | Name | Introduction Version | Type | Description | Default Value |
 |---|---|---|---|---|
-| `IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | The default role assignments the demo users should be setup. | false |
+| `IDM_CREATE_DEMO_USERS` | 1.0.0 | bool | Flag to enable or disable the creation of the demo users. | false |
 | `OC_ADMIN_USER_ID` | 1.0.0 | string | ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand. |  |
 | `OC_ASYNC_UPLOADS` | 1.0.0 | bool | Enable asynchronous file uploads. | true |
 | `OC_CACHE_AUTH_PASSWORD` | 1.0.0 | string | The password to use for authentication. Only applies when store type 'nats-js-kv' is configured. |  |
@@ -22,22 +22,22 @@
 | `OC_ENABLE_OCM` | 1.0.0 | bool | Include OCM sharees when listing users. | false |
 | `OC_EVENTS_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. |  |
 | `OC_EVENTS_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. |  |
-| `OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | opencloud-cluster |
+| `OC_EVENTS_CLUSTER` | 1.0.0 | string | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. | opencloud-cluster |
 | `OC_EVENTS_ENABLE_TLS` | 1.0.0 | bool | Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services. | false |
-| `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events. | 127.0.0.1:9233 |
+| `OC_EVENTS_ENDPOINT` | 1.0.0 | string | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | 127.0.0.1:9233 |
 | `OC_EVENTS_TLS_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false |
-| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false. |  |
+| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` | 1.0.0 | string | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. |  |
 | `OC_GATEWAY_GRPC_ADDR` | 1.0.0 | string | The bind address of the GRPC service. | 127.0.0.1:9142 |
 | `OC_GRPC_CLIENT_TLS_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services. |  |
 | `OC_GRPC_CLIENT_TLS_MODE` | 1.0.0 | string | TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |  |
 | `OC_GRPC_PROTOCOL` | 1.0.0 | string | The transport protocol of the GRPC service. | tcp |
 | `OC_HTTP_TLS_CERTIFICATE` | 1.0.0 | string | Path/File name of the TLS server certificate (in PEM format) for the http services. |  |
 | `OC_HTTP_TLS_ENABLED` | 1.0.0 | bool | Activates TLS for the http based services using the server certifcate and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. | false |
 | `OC_HTTP_TLS_KEY` | 1.0.0 | string | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services. |  |
-| `OC_INSECURE` | 1.0.0 | bool | Disable TLS certificate validation for connections to the IDP. Note that this is not recommended for production environments. | false |
+| `OC_INSECURE` | 1.0.0 | bool | Whether to verify the server TLS certificates. | false |
 | `OC_JWT_SECRET` | 1.0.0 | string | The secret to mint and validate jwt tokens. |  |
 | `OC_KEYCLOAK_BASE_PATH` | 1.0.0 | string | The URL to access keycloak. |  |
-| `OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client id to authenticate with keycloak. |  |
+| `OC_KEYCLOAK_CLIENT_ID` | 1.0.0 | string | The client ID to authenticate with keycloak. |  |
 | `OC_KEYCLOAK_CLIENT_REALM` | 1.0.0 | string | The realm the client is defined in. |  |
 | `OC_KEYCLOAK_CLIENT_SECRET` | 1.0.0 | string | The client secret to use in authentication. |  |
 | `OC_KEYCLOAK_INSECURE_SKIP_VERIFY` | 1.0.0 | bool | Disable TLS certificate validation for Keycloak connections. Do not set this in production environments. | false |
@@ -46,51 +46,51 @@
 | `OC_LDAP_BIND_PASSWORD` | 1.0.0 | string | Password to use for authenticating the 'bind_dn'. |  |
 | `OC_LDAP_CACERT` | 1.0.0 | string | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. | /var/lib/opencloud/idm/ldap.crt |
 | `OC_LDAP_DISABLED_USERS_GROUP_DN` | 1.0.0 | string | The distinguished name of the group to which added users will be classified as disabled when 'disable_user_mechanism' is set to 'group'. | cn=DisabledUsersGroup,ou=groups,o=libregraph-idm |
-| `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. Default is 'attribute'. | attribute |
+| `OC_LDAP_DISABLE_USER_MECHANISM` | 1.0.0 | string | An option to control the behavior for disabling users. Valid options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API will add the user to the configured group for disabled users, if set to 'attribute' this will be done in the ldap user entry, if set to 'none' the disable request is not processed. | attribute |
 | `OC_LDAP_GROUP_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP groups. | ou=groups,o=libregraph-idm |
 | `OC_LDAP_GROUP_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for group searches. |  |
 | `OC_LDAP_GROUP_OBJECTCLASS` | 1.0.0 | string | The object class to use for groups in the default group search filter ('groupOfNames'). | groupOfNames |
 | `OC_LDAP_GROUP_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of groups (often the same as groupname attribute). | cn |
 | `OC_LDAP_GROUP_SCHEMA_GROUPNAME` | 1.0.0 | string | LDAP Attribute to use for the name of groups. | cn |
-| `OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. | openCloudUUID |
-| `OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group ID's. | false |
+| `OC_LDAP_GROUP_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for groups. This should be a stable globally unique id (e.g. a UUID). | openCloudUUID |
+| `OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'id' attribute for groups is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the group IDs. | false |
 | `OC_LDAP_GROUP_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of groups (can be empty). | mail |
 | `OC_LDAP_GROUP_SCHEMA_MEMBER` | 1.0.0 | string | LDAP Attribute that is used for group members. | member |
-| `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. | sub |
+| `OC_LDAP_GROUP_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up groups. Supported values are 'base', 'one' and 'sub'. | sub |
 | `OC_LDAP_INSECURE` | 1.0.0 | bool | Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. | false |
 | `OC_LDAP_SERVER_WRITE_ENABLED` | 1.0.0 | bool | Allow creating, modifying and deleting LDAP users via the GRAPH API. This can only be set to 'true' when keeping default settings for the LDAP user and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* variables). | true |
 | `OC_LDAP_URI` | 1.0.0 | string | URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' | ldaps://localhost:9235 |
 | `OC_LDAP_USER_BASE_DN` | 1.0.0 | string | Search base DN for looking up LDAP users. | ou=users,o=libregraph-idm |
-| `OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP Attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled |
+| `OC_LDAP_USER_ENABLED_ATTRIBUTE` | 1.0.0 | string | LDAP attribute to use as a flag telling if the user is enabled or disabled. | openCloudUserEnabled |
 | `OC_LDAP_USER_FILTER` | 1.0.0 | string | LDAP filter to add to the default filters for user search like '(objectclass=openCloudUser)'. |  |
 | `OC_LDAP_USER_OBJECTCLASS` | 1.0.0 | string | The object class to use for users in the default user search filter ('inetOrgPerson'). | inetOrgPerson |
 | `OC_LDAP_USER_SCHEMA_DISPLAYNAME` | 1.0.0 | string | LDAP Attribute to use for the displayname of users. | displayname |
-| `OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. | openCloudUUID |
-| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's. | false |
+| `OC_LDAP_USER_SCHEMA_ID` | 1.0.0 | string | LDAP Attribute to use as the unique ID for users. This should be a stable globally unique ID like a UUID. | openCloudUUID |
+| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | 1.0.0 | bool | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user IDs. | false |
 | `OC_LDAP_USER_SCHEMA_MAIL` | 1.0.0 | string | LDAP Attribute to use for the email address of users. | mail |
 | `OC_LDAP_USER_SCHEMA_TENANT_ID` | 4.0.0 | string | LDAP Attribute to use for the tenant ID of users. This is used to identify the tenant of a user in a multi-tenant environment. |  |
 | `OC_LDAP_USER_SCHEMA_USERNAME` | 1.0.0 | string | LDAP Attribute to use for username of users. | uid |
 | `OC_LDAP_USER_SCHEMA_USER_TYPE` | 1.0.0 | string | LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default is 'openCloudUserType'. | openCloudUserType |
-| `OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. | sub |
+| `OC_LDAP_USER_SCOPE` | 1.0.0 | string | LDAP search scope to use when looking up users. Supported values are 'base', 'one' and 'sub'. | sub |
 | `OC_LOG_LEVEL` | 1.0.0 | string | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. | error |
-| `OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | Machine auth API key used to validate internal requests necessary to access resources from other services. |  |
+| `OC_MACHINE_AUTH_API_KEY` | 1.0.0 | string | The machine auth API key used to validate internal requests necessary to access resources from other services. |  |
 | `OC_MAX_CONCURRENCY` | 1.0.0 | int | Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. | 1 |
 | `OC_OIDC_CLIENT_ID` | 1.0.0 | string | The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP. | web |
 | `OC_OIDC_CLIENT_SCOPES` | 6.0.0 | []string | The OIDC client scopes the Android app should request. | [openid profile email offline_access] |
-| `OC_OIDC_ISSUER` | 1.0.0 | string | The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider. | https://localhost:9200 |
+| `OC_OIDC_ISSUER` | 1.0.0 | string | URL of the OIDC issuer. It defaults to URL of the builtin IDP. | https://localhost:9200 |
 | `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | 1.0.0 | string | Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details. |  |
 | `OC_PASSWORD_POLICY_DISABLED` | 1.0.0 | bool | Disable the password policy. Defaults to false if not set. | false |
 | `OC_PASSWORD_POLICY_MIN_CHARACTERS` | 1.0.0 | int | Define the minimum password length. Defaults to 8 if not set. | 8 |
 | `OC_PASSWORD_POLICY_MIN_DIGITS` | 1.0.0 | int | Define the minimum number of digits. Defaults to 1 if not set. | 1 |
 | `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of uppercase letters. Defaults to 1 if not set. | 1 |
 | `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` | 1.0.0 | int | Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set. | 1 |
 | `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` | 1.0.0 | int | Define the minimum number of lowercase letters. Defaults to 1 if not set. | 1 |
-| `OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. | memory |
+| `OC_PERSISTENT_STORE` | 1.0.0 | string | The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. | nats-js-kv |
 | `OC_PERSISTENT_STORE_AUTH_PASSWORD` | 1.0.0 | string | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. |  |
 | `OC_PERSISTENT_STORE_AUTH_USERNAME` | 1.0.0 | string | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. |  |
-| `OC_PERSISTENT_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [] |
-| `OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details. | 336h0m0s |
-| `OC_REVA_GATEWAY` | 1.0.0 | string | The CS3 gateway endpoint. | eu.opencloud.api.gateway |
+| `OC_PERSISTENT_STORE_NODES` | 1.0.0 | []string | A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | [127.0.0.1:9233] |
+| `OC_PERSISTENT_STORE_TTL` | 1.0.0 | Duration | Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details. | 30m0s |
+| `OC_REVA_GATEWAY` | 1.0.0 | string | CS3 gateway used to look up user metadata. | eu.opencloud.api.gateway |
 | `OC_SERVICE_ACCOUNT_ID` | 1.0.0 | string | The ID of the service account the service should use. See the 'auth-service' service description for more details. |  |
 | `OC_SERVICE_ACCOUNT_SECRET` | 1.0.0 | string | The service account secret. |  |
 | `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` | 1.0.0 | bool | Set this to true if you want to enforce passwords on all public shares. | true |
@@ -102,12 +102,12 @@
 | `OC_SYSTEM_USER_IDP` | 4.0.0 | string | IDP of the OpenCloud STORAGE-SYSTEM system user. | internal |
 | `OC_TRANSFER_SECRET` | 1.0.0 | string | The storage transfer secret. |  |
 | `OC_TRANSLATION_PATH` | 1.0.0 | string | (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. |  |
-| `OC_URL` | 1.0.0 | string | The public facing URL of the OpenCloud frontend. | https://localhost:9200 |
+| `OC_URL` | 1.0.0 | string | The public facing URL of the OpenCloud Web UI, used e.g. when sending notification eMails | https://localhost:9200 |
 | `OC_WOPI_DISABLE_CHAT` | 1.0.0 | bool | Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. | false |
 | `SEARCH_EVENTS_ACK_WAIT` | 4.0.0 | Duration | The time to wait for an ack before the message is redelivered. This is used to ensure that messages are not lost if the consumer crashes. | 1m0s |
 | `SEARCH_EVENTS_MAX_ACK_PENDING` | 4.0.0 | int | The maximum number of unacknowledged messages. This is used to limit the number of messages that can be in flight at the same time. | 1000 |
-| `STORAGE_GATEWAY_GRPC_ADDR` | 4.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system |
-| `STORAGE_GRPC_ADDR` | 4.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system |
+| `STORAGE_GATEWAY_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system |
+| `STORAGE_GRPC_ADDR` | 1.0.0 | string | GRPC address of the STORAGE-SYSTEM service. | eu.opencloud.api.storage-system |
 | `STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY` | 1.0.0 | Duration | The delay between a change made to a tree and the propagation start on treesize and treetime. Multiple propagations are computed to a single one. See the Environment Variable Types description for more details. | 0s |
 | `STORAGE_USERS_PERMISSION_ENDPOINT` | 1.0.0 | string | Endpoint of the permissions service. The endpoints can differ for 'decomposed' and 'decomposeds3'. | eu.opencloud.api.settings |
 | `WEB_OIDC_CLIENT_ID` | 1.0.0 | string | The OIDC client ID which OpenCloud Web uses. This client needs to be set up in your IDP. Note that this setting has no effect when using the builtin IDP. | web |

docs/_static/env-vars/storage-users_configvars.md

@@ -1,11 +1,11 @@
 
-2026-04-29-00-06-14
+2026-05-05-00-05-20
 
 ## Deprecation Notice
 
 | Deprecation Info | Deprecation Version | Removal Version | Deprecation Replacement |
 |---|---|---|:---|
-|`STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS` is deprecated and will be removed in a future version. Please use `STORAGE_USERS_POSIX_WATCH_NOTIFICATION_BROKERS` instead. | 4.0.0 |  |  |
+|  | 4.0.0 |  |  |
 
 ## Environment variables for the **storage-users** service
 

docs/_static/env-vars/web_configvars.md

@@ -1,5 +1,5 @@
 
-2026-04-29-00-06-14
+2026-05-05-00-05-20
 
 ## Deprecation Notice