# NOTE(review): presumably the schema version of this configuration file; confirm with the
# consuming services before changing it.
version: 1

# GLOBAL CONFIGURATION

auth-server: # Common authentication client settings for all services
  # Services reach the authentication server over HTTPS at this URL.
  url: https://anaconda.example.com/auth
  realm: AnacondaPlatform
  # NOTE(review): realm-key is empty in this file. It presumably holds the realm's public key
  # used to verify tokens; confirm how it is populated at install time and that services do
  # not accept unverified tokens while it is blank.
  realm-key: ''

auth-escrow: # Client settings for reaching the auth-escrow API (the service itself is configured under auth.escrow)
  # Base URL of the escrow API; the path matches the '/platform/auth-escrow' prefix set under
  # auth.escrow.
  url: https://anaconda.example.com/platform/auth-escrow/api/v1

db: # Database client configuration
  drivername: postgresql # Database driver (default postgresql, which is currently the only driver supported)
  host: anaconda-enterprise-postgres # Database hostname
  port: 5432
  # NOTE(review): `postgres` is PostgreSQL's default superuser role and the password below is
  # empty. The per-service `db` sections in this file set `database` (and, for workspace,
  # `pool`) but no credentials, so every service presumably connects with this one account.
  # Confirm the server does not accept password-less connections from the pod network, supply
  # the password from a secret store rather than this file, and prefer a least-privilege role
  # per service database.
  username: postgres
  password: ''

# volumes:
#   myvolume:
#     # will be mounted at /data/myvolume
#     nfs:
#       # Use real NFS server address here.
#       server: ###.###.###
#       # Use real NFS server export directory.
#       path: "/"
#       readOnly: true
#   volume2:
#     # will be mounted at /data/volume2
#     nfs:
#       # Use real NFS server address here.
#       server: ###.###.###
#       # Use real NFS server export directory.
#       path: "/"
#       readOnly: true

https: # Common HTTPS client and server settings for all services
  # This bundle decides which certificates the services trust; keep it limited to the CA(s)
  # that actually issue the platform's certificates.
  certificate-authority: /etc/secrets/certs/rootca.crt # Path to Certificate Authority bundle for private CA or self-signed certificates
  # NOTE(review): DST Root CA X3 expired in September 2021. Do not enable the alternative
  # below as written; for Let's Encrypt certificates use a bundle that contains the current
  # root (ISRG Root X1).
  # certificate-authority: /etc/ssl/certs/DST_Root_CA_X3.pem  # For lets encrypt

# Named resource profiles. Both profiles below set only `limits` (2 CPU, 4096Mi memory); no
# `requests` are given.
# NOTE(review): these limits are what stops a single workload from exhausting a node.
# kubernetes.max_ram_mb_per_app is 2048 while the memory limit here is 4096Mi; confirm which
# of the two is enforced.
resource-profiles:

  default:
    description: 'Default resource profile'
    # presumably controls whether users can select this profile; verify against the consumer
    user_visible: true
    resources:
      limits:
        # Quoted so the values stay strings rather than being typed as numbers.
        cpu: '2'
        memory: '4096Mi'
  system_job:
    description: 'System job resource profile'
    # Hidden counterpart of `default`; same limits.
    user_visible: false
    resources:
      limits:
        cpu: '2'
        memory: '4096Mi'

# Kubernetes API client settings.
kubernetes:
  # In-cluster DNS name of the API server.
  server: https://kubernetes.default.svc.cluster.local
  # NOTE(review): presumably authenticates with the pod's mounted service-account token. The
  # RBAC bound to that service account then defines everything this platform can do in the
  # cluster; confirm it is namespace-scoped and no broader than needed.
  use_service_account: true
  max_cores_per_app: 2
  # NOTE(review): 2048 here vs. the 4096Mi memory limit in resource-profiles; confirm which
  # value applies.
  max_ram_mb_per_app: 2048

# License activation settings.
license:
  # number: PASTE_LICENSE_CODE_OR_CLIENT_ID_HERE
  # key: PASTE_OFFLINE_KEY_HERE_FOR_OFFLINE_ACTIVATION
  # NOTE(review): this directory is under /tmp; confirm it is created with restrictive
  # permissions and is not shared with other workloads.
  working-directory: /tmp/anaconda
  # NOTE(review): x/y/z are opaque from this file; presumably license-verification parameters.
  # Do not change them without vendor guidance.
  security:
    x: 207
    y: 705
    z: 278
  # NOTE(review): enabled by default. Confirm what data this sends and to where, especially
  # for air-gapped or regulated installations.
  analytics:
    enabled: true

# Platform-wide administrators.
admin:
  users:
    # Any user matching the users, group affiliations, or roles (in the auth service)
    # described below is a platform-wide administrator.
    # No individual users or groups are listed; administration is granted only through the
    # ae-admin role. The same role is listed under `superusers` for deploy, workspace, storage
    # and repository, so membership in it should be reviewed in the auth service.
    users: []
    groups: []
    roles:
      - ae-admin

# PER-SERVICE CONFIGURATION

auth: # Authentication server configuration
  port: 9080
  db:
    database: anaconda_auth
  https: # HTTPS configuration
    keystore: /etc/secrets/certs/keystore.jks # Name of server keystore in Java keystore (.jks) format
    # NOTE(review): `anaconda` is a guessable value and sits in the same file as the keystore
    # path. Treat it as a default to replace: regenerate the keystore with a unique password
    # and restrict read access to /etc/secrets/certs.
    keystore-password: anaconda # Keystore password defined when generating the Java keystore
    key-alias: auth # Name of the key in the keystore
    # truststore: null # (optional) Path to the trust store to use for outgoing HTTPS requests (e.g. for LDAPS)
    # truststore-password: null # (optional) Truststore password defined when generating the Java keystore
  # Keep this false outside test environments: a pregenerated key cannot be assumed secret.
  debug: False # If true, enable use of a pregenerated SSL key for testing. DO NOT SET TO TRUE IN PRODUCTION.
  # NOTE(review): presumably a Keycloak realm import. Such files can carry client secrets and
  # user credentials; confirm the file's permissions and that it is not kept in version control.
  import-file: /etc/secrets/keycloak/keycloak.json
  api: # Service settings for auth-api
    port: 9090
    limit: 12
    prefix: '/platform/auth-api'
    https:
      key: /etc/secrets/certs/tls.key
      certificate: /etc/secrets/certs/tls.crt
  escrow: # Service settings for auth-escrow
    port: 9091
    db:
      database: anaconda_auth_escrow
    # Allow-list for host values in incoming requests; keep it to the hostnames actually served.
    hosts: # List of hosts (host:port pairs) to allow in API request headers
      - anaconda.example.com
    prefix: '/platform/auth-escrow'
    https:
      key: /etc/secrets/certs/tls.key
      certificate: /etc/secrets/certs/tls.crt
    auth-server:
      # Value is redacted in this copy. ui.auth-server uses the same client-id
      # (anaconda-platform), so presumably the same secret; rotating it means updating both.
      # Keep the real value out of version control.
      client-secret: REDACTED
      client-id: anaconda-platform

deploy: # Deployment server configuration
  port: 8081
  prefix: '/platform/deploy' # URL prefix
  url: https://anaconda.example.com/platform/deploy # Deployment server URL
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  # Allow-list for host values in incoming requests; keep it to the hostnames actually served.
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com
  db:
    database: anaconda_deploy
  # Quoted because a bare * is YAML alias syntax.
  # NOTE(review): '*' presumably matches every authenticated user; confirm that is the
  # intended audience for deployed apps.
  users: '*' # Users/groups who have permission to access deployed apps
  # Deploying is restricted to holders of the ae-deployer role.
  deployers: # Users/groups who have permission to deploy here
    users: []
    groups: []
    roles:
      - ae-deployer
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles:
      - ae-admin
  auth-server:
    client-id: anaconda-deploy
  apps-host: anaconda.example.com # Hostname where apps are deployed, if different from the one in kubernetes.server
  apps-port: 443
  auth-proxy: # Settings for deployed app proxy
    client-id: anaconda-deploy-proxy # Client ID of the proxy, as registered in the auth service
    dns-server: kube-dns.kube-system.svc.cluster.local # Address of DNS server used by the app proxy. Default is the internal kubernetes resolver.
    # NOTE(review): this proxy uses wildcard.key/wildcard.crt rather than the tls.key/tls.crt
    # pair used by the services. Presumably a wildcard certificate for app hostnames; its
    # private key should be mounted only into the proxies that need it.
    https:
      key: /etc/secrets/certs/wildcard.key
      certificate: /etc/secrets/certs/wildcard.crt

  debug: False # If true, enable debugging. DO NOT SET TO TRUE IN PRODUCTION.

workspace: # Workspace server configuration
  port: 8090
  prefix: '/platform/workspace' # URL prefix
  url: https://anaconda.example.com/platform/workspace # Workspace server URL
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  # Allow-list for host values in incoming requests; keep it to the hostnames actually served.
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com
  db:
    database: anaconda_workspace
    # increased pool size to accommodate for Kubernetes slowness
    # NOTE(review): size + overflow allows up to 30 connections from this service; confirm the
    # database's connection limit leaves room for the other services.
    pool:
      size: 10
      overflow: 20
      timeout: 60

  # Quoted because a bare * is YAML alias syntax.
  # NOTE(review): '*' presumably lets every authenticated user start a session, i.e. run code
  # in the cluster; confirm that is intended.
  users: '*' # Users/groups who have permission to create workspace sessions
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles:
      - ae-admin

  auth-server:
    client-id: anaconda-workspace-api
  email-domain: anaconda.example.com # Domain name for generating email addresses if not set in auth service
  workspace-host: anaconda.example.com # Hostname where workspace sessions are hosted, if different from the one in kubernetes.server
  workspace-port: 443
  auth-proxy: # Settings for workspace access control proxy
    client-id: anaconda-workspace # Client ID of the proxy, as registered in the auth service
    dns-server: kube-dns.kube-system.svc.cluster.local # Address of DNS server used by the app proxy. Default is the internal kubernetes resolver.
    # NOTE(review): same wildcard key pair as deploy.auth-proxy; its private key should be
    # mounted only into the proxies that need it.
    https:
      key: /etc/secrets/certs/wildcard.key
      certificate: /etc/secrets/certs/wildcard.crt

  debug: False # If true, enable debugging. DO NOT SET TO TRUE IN PRODUCTION.

storage: # Storage server configuration
  host: anaconda.example.com # full hostname of the storage server
  port: 8086
  prefix: '/platform/storage' # URL prefix
  # Allow-list for host values in incoming requests; keep it to the hostnames actually served.
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com
  url: https://anaconda.example.com/platform/storage # Base URL of storage server
  db:
    database: anaconda_storage
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  git:
    default:
      name: Example.com Anaconda Enterprise Server # human-readable name of this git server
      type: internal # server type. There is support for "internal" and planned support for "github" and "gitlab".
      # use 127.0.0.1 for all network connections including hairpin
      # NOTE(review): an https:// URL addressed by IP only verifies if the certificate lists
      # 127.0.0.1 as a subject alternative name; confirm certificate verification is not being
      # disabled for this hop.
      url: https://127.0.0.1:8088/ # URL of git server
      repository: '{owner}-{id}' # Template for repository names; use {name}, {id}, and {owner} as placeholders.
      # NOTE(review): the git server takes the user's identity from this header instead of a
      # password. That is only sound if the git server is reachable solely through the proxy
      # and the proxy discards any client-supplied Anaconda-User header; confirm both.
      auth-header: Anaconda-User # Name of HTTP header for proxy authentication (internal server type only)
      username: anaconda # Username of git service account
      # no password needed when using auth-header
      proxy:
        url: https://anaconda.example.com/platform/git # URL of git proxy
        client-id: anaconda-git-proxy # Auth client ID of this proxy
        dns-server: kube-dns.kube-system.svc.cluster.local # IP address of DNS server used by the git proxy.
        # The proxy runs as a non-root system account.
        run-as-user: www-data # System user account to run the proxy under
        # Value is redacted in this copy; keep the real key out of version control.
        api-key: REDACTED # secret api key to allow storage service API calls through the proxy. Should be uniquely generated for each installation.
        port: 8095
        probe-port: 8096
        https:
          key: /etc/secrets/certs/tls.key
          certificate: /etc/secrets/certs/tls.crt
  # NOTE(review): global, public and staging share the anaconda-objects bucket and differ only
  # by path prefix, and public/ is readable without login. Access checks therefore depend on
  # exact prefix matching; confirm nothing private is ever written under public/.
  objects:
    projects: # storage location for objects in projects. You may use placeholders {name} {owner} and {id} for project name, project owner and project ID.
      bucket: anaconda-projects
      path: projects/{owner}-{id}
    global: # storage location for global objects (available to all logged-in users)
      bucket: anaconda-objects
      path: 'global/'
    public: # storage location for public objects (available to everyone without logging in)
      bucket: anaconda-objects
      path: 'public/'
    staging: # storage location for temporary objects
      bucket: anaconda-objects
      path: 'staging/'
  # NOTE(review): this comment and the one on `creators` describe the same permission. By
  # analogy with the other services, `users` presumably controls who may use the service at
  # all and `creators` who may create projects; confirm.
  users: '*' # Users/groups who can create projects
  creators: # Users/groups who can create new projects
    users: []
    groups: []
    roles:
      - ae-creator
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles:
      - ae-admin

repository: # Repository server configuration
  url: https://anaconda.example.com/repository
  port: 8089
  # Besides the public hostname this also allows 127.0.0.1:8089, presumably for calls made
  # from inside the pod; verify it is still needed.
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com
    - 127.0.0.1:8089
  prefix: '/repository' # URL prefix
  db:
    database: anaconda_repository
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  # Quoted because a bare * is YAML alias syntax.
  users: '*' # Users/groups who can access the repository
  # Publishing packages is restricted to the ae-uploader role. Packages from this repository
  # are installed into sessions and deployments (see conda.channel-alias), so membership in
  # this role is a supply-chain control and should be reviewed.
  uploaders: # Users/groups who can create and upload packages
    users: []
    groups: []
    roles:
      - ae-uploader
  superusers: # Users/groups who have unrestricted access
    users: []
    groups: []
    roles:
      - ae-admin
  bucket: anaconda-repository # S3/object storage bucket to store repository files
  cleanup-upload-seconds: 3600 # How long an unfinished upload will be kept before being cleaned up
  cleanup-period-seconds: 73 # How frequently the server will check for files that should be removed from disk
  index-update-cooldown-seconds: 7 # How much time without new uploads is required before index will be rebuilt
  index-update-period-seconds: 23 # How frequently the server will check for channels that require rebuilding of index information (repodata.json)

s3: # configuration for the object-storage service
  # NOTE(review): 0.0.0.0 is the wildcard bind address, not a hostname: the S3 API listens on
  # every interface of its pod. Confirm a network policy limits who can reach port 8087.
  host: 0.0.0.0 # full hostname of the object store server S3 API
  port: 8087
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  # Server-side credentials, redacted in this copy. s3-client carries its own access-key and
  # secret-key, which presumably must match these. Generate them per installation and keep the
  # real values out of version control.
  access-key: REDACTED
  secret-key: REDACTED
  # Directory where the object store keeps its data.
  directory: /export

s3-client: # configuration for clients to the object storage service
  endpoint-url: https://anaconda.example.com # AWS endpoint URL
  # Client-side credentials, redacted in this copy.
  # NOTE(review): this section is not scoped to one service, so presumably every service that
  # talks to object storage shares this key pair; confirm, and treat a leak from any one of
  # them as exposing all buckets.
  access-key: REDACTED
  secret-key: REDACTED
  region-name: 'us-east-1' # the AWS region where your S3 bucket is located

# Git server configuration.
git:
  url: https://anaconda.example.com/platform/git # externally visible URL of the git server
  host: anaconda.example.com # full hostname of the git server
  port: 8088
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  db:
    database: anaconda_git
  directory: /export # directory where git server will store its data
  username: anaconda # OS username that the git server should run under
  # Both secrets below are redacted in this copy. Keep the real values out of version control
  # and, as the inline comments say, generate them per installation rather than reusing a
  # shipped default.
  lfs-secret: REDACTED # LFS authentication token secret. Should be uniquely generated for each installation.
  secret-key: REDACTED # git server secret key. Should be uniquely generated for each installation.

# when installing in airgap replace channel: defaults with the following
# - https://anaconda.example.com/repository/conda/anaconda
conda: # Common conda settings for editing sessions and deployments
  # NOTE(review): with `defaults` listed here and default-channels left empty, packages
  # presumably come from conda's built-in default channels. Where installs must come from a
  # controlled source, point this at the internal repository instead.
  channels:
    - defaults
  default-channels: [] # List of channels that should be used for channel 'defaults'
  # Channels given by bare name resolve under the platform's own repository.
  channel-alias: https://anaconda.example.com/repository/conda # Default conda URL prefix for channels given by name only

# Settings for the sync service.
sync:
  # NOTE(review): 10^12; presumably a size in bytes above which files go to git LFS. Confirm
  # the unit.
  lfs-threshold: 1000000000000
  prefix: ''
  # NOTE(review): empty here, while every other service lists anaconda.example.com. Confirm
  # whether an empty list means "allow none" or "no host check".
  hosts: []
  port: 8093
  project-dir: ''

# Server for the bundled offline documentation.
offline_docs:
  url: https://anaconda.example.com/docs # Docs server URL
  # Allow-list for host values in incoming requests; keep it to the hostnames actually served.
  hosts: # List of hosts (host:port pairs) to allow in API request headers
    - anaconda.example.com
  port: 8091
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  # Everything under this directory is served as static content; keep it to documentation only.
  directory: docs/_build/ # The path relative to the base directory of the static docs.
  prefix: '/docs' # URL prefix

ui: # Anaconda Platform UI server configuration
  base-url: / # URL prefix
  # Redacted in this copy. Anyone holding this value can forge session cookies, so generate it
  # per installation and keep it out of version control.
  # NOTE(review): rotating it presumably invalidates existing sessions.
  cookie-secret: REDACTED # secret key used to sign session cookies
  cookie-session:
    name: anaconda-platform-ui-session-v1
    # Session cookie lifetime in hours; shorter values narrow the window in which a stolen
    # cookie is usable.
    expiration-hours: 9
  cookie-next:
    name: anaconda-platform-ui-next-v1
  db:
    database: anaconda_ui
  debug: False # If true, enable debugging. DO NOT SET TO TRUE IN PRODUCTION.
  host: anaconda.example.com # full hostname of the UI server
  public-url: https://anaconda.example.com/ # User-facing URL of site, if different than host/port
  https:
    key: /etc/secrets/certs/tls.key
    certificate: /etc/secrets/certs/tls.crt
  port: 6990
  auth-server:
    # Redacted in this copy. auth.escrow.auth-server uses the same client-id
    # (anaconda-platform), so presumably the same secret; rotating it means updating both.
    client-secret: REDACTED
    client-id: anaconda-platform
  # Back-end services the UI links to. Every enabled entry points at anaconda.example.com over
  # HTTPS; the two entries that point elsewhere (notebooks.example.com, github.com) are disabled.
  services:
    anaconda-storage:
      storage:
        icon: fa-anaconda
        label: Storage
        url: https://anaconda.example.com/platform/storage/api/v1
    anaconda-deploy:
      deploy:
        icon: fa-anaconda
        label: Deploy
        url: https://anaconda.example.com/platform/deploy/api/v1
    anaconda-workspace:
      workspace:
        icon: fa-anaconda
        label: workspace
        url: https://anaconda.example.com/platform/workspace/api/v1
        options:
          workspace:
            # Editor tools offered for sessions, each with the package list it needs.
            tools:
              notebook:
                default: true
                label: Jupyter Notebook
                packages: [notebook]
              jupyterlab:
                label: JupyterLab
                packages: [jupyterlab]
              anaconda-platform-sync:
                label: Anaconda Project Sync
                packages: [anaconda-platform-sync]

    anaconda-repo5:
      repo:
        html-url: https://anaconda.example.com/repository
        icon: fa-anaconda
        label: Repo Service
        url: https://anaconda.example.com/repository/api

    auth-api:
      auth-api:
        icon: fa-anaconda
        label: Auth API
        url: https://anaconda.example.com/platform/auth-api/api/v1
    anaconda-enterprise-notebooks:
      aen:
        html-url: https://notebooks.example.com
        icon: fa-anaconda
        label: Enterprise Notebooks
        disabled: true
    documentation:
      offline_docs:
        html-url: https://anaconda.example.com/docs/
        icon: fa-anaconda
        label: Documentation
        url: https://anaconda.example.com/docs/
    github:
      github_com:
        html-url: https://github.com
        icon: fa-github
        label: GitHub
        url: https://api.github.com
        disabled: true
  admin-links:
    admin:
      label: Admin Console
      external: true
      href: https://anaconda.example.com/auth/admin/
      position: 1
      # NOTE(review): this ACL presumably only controls who sees the link. Access to the admin
      # console itself must be enforced by the auth service; confirm.
      acl:
        users: []
        groups: []
        roles:
          - ae-admin
  # Help menu entries, ordered by `position`.
  help:
    docs:
      label: Anaconda Documentation - Home
      external: true
      href: https://anaconda.example.com/docs/
      position: 0
    started:
      label: Getting Started with Anaconda Enterprise
      external: true
      href: https://anaconda.example.com/docs/user-guide/getting-started/
      position: 1
    release:
      label: Release Notes
      external: true
      href: https://anaconda.example.com/docs/release-notes.html
      position: 2
    support:
      label: Support
      external: true
      href: https://anaconda.example.com/docs/help-support.html
      position: 3
    feedback:
      label: Feedback
      external: true
      # The only help link that leaves the platform's own host (a third-party form service);
      # it is not reachable from air-gapped installations.
      href: https://continuum.typeform.com/to/TnHsme
      position: 4

postgresql: # PostgreSQL server configuration
  # NOTE(review): the database client section (db.port) uses 5432 while this is 7080. Confirm
  # what listens on this port and that it is not exposed outside the cluster.
  port: 7080
