OxiCloud

Appearance

Environment Variables

Most runtime variables use the OXICLOUD_ prefix. A few build-time or allocator variables do not.

Server

VariableDefaultDescription
OXICLOUD_STORAGE_PATH./storageRoot storage directory
OXICLOUD_STATIC_PATH./staticStatic files directory
OXICLOUD_SERVER_PORT8086Server port
OXICLOUD_SERVER_HOST127.0.0.1Server bind address (IPv4 or IPv6 allowed)
OXICLOUD_BASE_URL(auto)Public base URL for share links; defaults to http://{host}:{port}
OXICLOUD_MAX_UPLOAD_SIZE10737418240Whole-file size ceiling, in bytes (10 GB on 64-bit, 1 GB on 32-bit). Applies to BOTH direct PUTs (per-request body) and chunked uploads (declared total_size, checked upfront at session creation).
OXICLOUD_DIRECT_PUT_MAX_BYTES1073741824Per-request cap for non-chunked PUT bodies, in bytes (1 GiB). Set below OXICLOUD_MAX_UPLOAD_SIZE so larger files are pushed onto the chunked protocol (resumable on failure). See Storage Fine Tuning.
OXICLOUD_CHUNK_MAX_BYTES104857600Maximum size of a single chunked-upload PUT in bytes (100 MB). Per-chunk cap, independent of OXICLOUD_MAX_UPLOAD_SIZE (whole-file cap). See Storage Fine Tuning.
OXICLOUD_CHUNK_DIR{STORAGE_PATH}/.uploadsRoot directory for chunked-upload sessions (REST + NextCloud). Direct (non-chunked) uploads stream straight into the blob store and need no spool directory. Placement guidance: see Storage Fine Tuning.
OXICLOUD_REUSE_PORTfalseEnable SO_REUSEPORT so multiple processes can share the same port. Disabled by default — a second accidental instance will fail with "address already in use". Enable only for deliberate multi-worker setups (process supervisor, rolling restart). Not supported on Windows.

Database

VariableDefaultDescription
OXICLOUD_DB_CONNECTION_STRINGpostgres://postgres:postgres@localhost:5432/oxicloudPostgreSQL connection string
OXICLOUD_DB_MAX_CONNECTIONS20Max pool connections
OXICLOUD_DB_MIN_CONNECTIONS5Min pool connections
OXICLOUD_DB_MAINTENANCE_MAX_CONNECTIONS5Max connections in the isolated maintenance pool
OXICLOUD_DB_MAINTENANCE_MIN_CONNECTIONS1Min connections in the isolated maintenance pool

Build-Time SQLx

VariableDefaultDescription
DATABASE_URLBuild-time database URL for SQLx compile-time checks

Authentication

VariableDefaultDescription
OXICLOUD_JWT_SECRET(auto-generated)JWT signing secret; auto-persisted to <STORAGE_PATH>/.jwt_secret if unset
OXICLOUD_ACCESS_TOKEN_EXPIRY_SECS3600Access token lifetime (1 hour)
OXICLOUD_REFRESH_TOKEN_EXPIRY_SECS604800Refresh token lifetime (7 days); active sessions auto-renew on use
OXICLOUD_HASH_MEMORY_COST65536Argon2id memory cost in KiB (64 MiB)
OXICLOUD_HASH_TIME_COST3Argon2id iteration count
OXICLOUD_HASH_PARALLELISM2Argon2id parallelism lanes
OXICLOUD_DISABLE_REGISTRATIONfalseDisable registration of new user accounts

Rate Limiting & Account Lockout

VariableDefaultDescription
OXICLOUD_RATE_LIMIT_LOGIN_MAX10Max login attempts per IP per window
OXICLOUD_RATE_LIMIT_LOGIN_WINDOW_SECS60Login rate-limit window (seconds)
OXICLOUD_RATE_LIMIT_REGISTER_MAX5Max registration attempts per IP per window
OXICLOUD_RATE_LIMIT_REGISTER_WINDOW_SECS3600Registration rate-limit window (seconds)
OXICLOUD_RATE_LIMIT_REFRESH_MAX20Max token refresh attempts per IP per window
OXICLOUD_RATE_LIMIT_REFRESH_WINDOW_SECS60Refresh rate-limit window (seconds)
OXICLOUD_LOCKOUT_MAX_FAILURES5Consecutive failed logins before account lockout
OXICLOUD_LOCKOUT_DURATION_SECS900Account lockout duration (15 minutes)

Feature Flags

VariableDefaultDescription
OXICLOUD_ENABLE_AUTHtrueEnable authentication
OXICLOUD_ENABLE_USER_STORAGE_QUOTASfalsePer-user storage quotas
OXICLOUD_ENABLE_FILE_SHARINGtrueFile/folder sharing
OXICLOUD_ENABLE_TRASHtrueTrash / recycle bin
OXICLOUD_ENABLE_SEARCHtrueFull-text and metadata search
OXICLOUD_ENABLE_MUSICtrueMusic playlists and audio metadata
OXICLOUD_EXPOSE_SYSTEM_USERStrueExpose other OxiCloud users as a read-only address book at GET /api/address-books

Storage Backend

VariableDefaultDescription
OXICLOUD_STORAGE_BACKENDlocalBlob storage backend: local, s3, or azure

S3-Compatible (AWS S3, Backblaze B2, Cloudflare R2, MinIO)

Used when OXICLOUD_STORAGE_BACKEND=s3.

VariableDefaultDescription
OXICLOUD_S3_BUCKETS3 bucket name (required)
OXICLOUD_S3_REGIONus-east-1AWS region
OXICLOUD_S3_ACCESS_KEYAccess key ID
OXICLOUD_S3_SECRET_KEYSecret access key
OXICLOUD_S3_ENDPOINT_URLCustom endpoint for non-AWS providers (e.g. https://s3.example.com)
OXICLOUD_S3_FORCE_PATH_STYLEfalseForce path-style URLs (required for MinIO, R2)

Azure Blob Storage

Used when OXICLOUD_STORAGE_BACKEND=azure.

VariableDefaultDescription
OXICLOUD_AZURE_ACCOUNT_NAMEStorage account name (required)
OXICLOUD_AZURE_ACCOUNT_KEYStorage account key
OXICLOUD_AZURE_CONTAINERBlob container name (required)
OXICLOUD_AZURE_SAS_TOKENSAS token (alternative to account key)

Local Disk Cache for Remote Backends

A least-recently-used disk cache that can speed up repeated reads from S3 or Azure.

VariableDefaultDescription
OXICLOUD_STORAGE_CACHE_ENABLEDfalseEnable LRU disk cache
OXICLOUD_STORAGE_CACHE_MAX_SIZE53687091200Max cache size in bytes (50 GB)
OXICLOUD_STORAGE_CACHE_PATH{STORAGE_PATH}/.blob-cacheCache directory

Client-Side Encryption

AES-256-GCM encryption applied to blobs before they are written to any backend.

VariableDefaultDescription
OXICLOUD_STORAGE_ENCRYPTION_ENABLEDfalseEnable at-rest blob encryption
OXICLOUD_STORAGE_ENCRYPTION_KEYBase64-encoded 32-byte encryption key; generate with openssl rand -base64 32

Retry Policy (Remote Backends)

Exponential backoff retries for transient errors on S3 and Azure.

VariableDefaultDescription
OXICLOUD_STORAGE_RETRY_ENABLEDtrueEnable retry with exponential backoff
OXICLOUD_STORAGE_RETRY_MAX_RETRIES3Maximum retry attempts
OXICLOUD_STORAGE_RETRY_INITIAL_BACKOFF_MS100Initial backoff in milliseconds
OXICLOUD_STORAGE_RETRY_MAX_BACKOFF_MS10000Maximum backoff cap in milliseconds
OXICLOUD_STORAGE_RETRY_BACKOFF_MULTIPLIER2.0Backoff multiplier per retry

OIDC / SSO

See the OIDC configuration guide for details.

VariableDefaultDescription
OXICLOUD_OIDC_ENABLEDfalseEnable OIDC
OXICLOUD_OIDC_ISSUER_URLOIDC issuer URL
OXICLOUD_OIDC_CLIENT_IDClient ID
OXICLOUD_OIDC_CLIENT_SECRETClient secret
OXICLOUD_OIDC_REDIRECT_URIhttp://localhost:8086/api/auth/oidc/callbackCallback URL (must match IdP config)
OXICLOUD_OIDC_SCOPESopenid profile emailRequested scopes
OXICLOUD_OIDC_FRONTEND_URLhttp://localhost:8086Frontend URL to redirect to after login
OXICLOUD_OIDC_AUTO_PROVISIONtrueAuto-create users on first SSO login (JIT provisioning)
OXICLOUD_OIDC_ADMIN_GROUPSComma-separated OIDC groups that grant admin role
OXICLOUD_OIDC_DISABLE_PASSWORD_LOGINfalseHide password form when OIDC is active
OXICLOUD_OIDC_PROVIDER_NAMESSODisplay name for the provider shown in UI

WOPI (Office Editing)

See the WOPI configuration guide for details.

VariableDefaultDescription
OXICLOUD_WOPI_ENABLEDfalseEnable WOPI
OXICLOUD_WOPI_DISCOVERY_URLCollabora/OnlyOffice discovery URL
OXICLOUD_WOPI_BASE_URLOXICLOUD_BASE_URLURL the editor uses to call OxiCloud's /wopi/* endpoints
OXICLOUD_WOPI_PUBLIC_BASE_URLOXICLOUD_WOPI_BASE_URLURL the browser uses to open OxiCloud's WOPI host page
OXICLOUD_WOPI_SECRET(JWT secret)WOPI token signing key
OXICLOUD_WOPI_TOKEN_TTL_SECS86400Token lifetime (24 hours)
OXICLOUD_WOPI_LOCK_TTL_SECS1800Lock expiration (30 minutes)

When Collabora or OnlyOffice runs on a different hostname, set OXICLOUD_WOPI_PUBLIC_BASE_URL to the public OxiCloud URL that the browser can reach. If the editor reaches OxiCloud through a different internal URL, also set OXICLOUD_WOPI_BASE_URL for those callbacks.

Nextcloud Compatibility

Enables the Nextcloud-compatible API layer (/remote.php/, /ocs/, /status.php, Login Flow v2) for clients that use the Nextcloud protocol.

VariableDefaultDescription
OXICLOUD_NEXTCLOUD_ENABLEDfalseEnable Nextcloud compatibility layer
OXICLOUD_NEXTCLOUD_INSTANCE_IDocncaInstance ID suffix used in oc:id formatting
OXICLOUD_NEXTCLOUD_VERSION28.0.4Emulated Nextcloud version reported to clients (format: major.minor.patch)

Outbound Email (SMTP)

Used by the magic-link invitation flow and the login-via-email flow. When OXICLOUD_SMTP_HOST is empty (the default), the feature is disabled and any endpoint that needs email returns 503.

VariableDefaultDescription
OXICLOUD_SMTP_HOSTSMTP server hostname or IP. Empty disables the feature.
OXICLOUD_SMTP_PORT587Submission port (587 STARTTLS, 465 implicit TLS, 25 plain)
OXICLOUD_SMTP_USERSASL username. Leave empty for anonymous relay.
OXICLOUD_SMTP_PASSSASL password
OXICLOUD_SMTP_FROMFrom: mailbox; bare address or RFC 5322 name-address (OxiCloud <noreply@example.com>)
OXICLOUD_SMTP_TLSstarttlsTransport encryption: starttls, tls, or none (emits startup WARN)

There is also OXICLOUD_SMTP_MOCK (false by default), this is for test purpose only, do not activate it

Reliability and retries

OxiCloud does not spool mail. Each send() is a single attempt: if the remote SMTP server is unreachable, slow, or temporarily refusing the message, the send fails and the error is logged — there is no in-process retry, queue, or dead-letter handling. This keeps the HTTP path fast and the binary small at the cost of durability guarantees during a relay outage.

For production deployments where you cannot afford to drop invitation mail during a brief relay outage, point OxiCloud at a local MTA configured as a smarthost (Postfix, OpenSMTPD, exim, or msmtp-mta/nullmailer for minimal setups). The local MTA owns the durable queue: it accepts the message from OxiCloud in milliseconds over the loopback, then retries with its own exponential backoff against your real upstream relay until the message is delivered or the queue lifetime expires.

Typical local-relay config:

env
OXICLOUD_SMTP_HOST=127.0.0.1
OXICLOUD_SMTP_PORT=25
OXICLOUD_SMTP_TLS=none           # loopback only — never over the network
OXICLOUD_SMTP_FROM=OxiCloud <noreply@example.com>
# OXICLOUD_SMTP_USER / _PASS unset — local MTA accepts loopback unauthenticated

Then configure the local MTA's smarthost / relayhost to your upstream provider (SendGrid, Amazon SES, your corporate relay, etc.). Verify durability by stopping the upstream relay, sending an invitation, restarting the relay, and confirming the mail eventually arrives.

If you point OXICLOUD_SMTP_HOST directly at a remote SMTP server, treat the absence of retries as a documented constraint: a brief network glitch during invitation flow is a lost invite, and the recipient will need to be re-invited.

Configures the invite-by-email and login-via-email flows. Both require SMTP to be configured above.

VariableDefaultDescription
OXICLOUD_MAGIC_LINK_TTL_HOURS24Lifetime of a freshly-minted magic-link token, in hours
OXICLOUD_ALLOW_EXTERNAL_USERStrueKill switch for the whole flow. false makes POST /api/grants reject subject.type = "email" for unknown addresses and POST /api/auth/magic-link/send return its uniform stub without issuing a token.
OXICLOUD_EXTERNAL_EMAIL_DOMAINSComma-separated allowlist of email domains accepted when minting a new external user (case-insensitive, exact match on the post-@ part). Empty = any domain is allowed, subject to OXICLOUD_ALLOW_EXTERNAL_USERS. Subdomains must be listed explicitly: partner.com does NOT match eng.partner.com. Example: partner-a.com,partner-b.io.
OXICLOUD_NOTIFY_INTERNAL_USERS_ON_SHAREtrueOperator-level kill switch for the plain-notification email arm — the "Alice shared 'Project Alpha' with you" mail that fires when the recipient is a password user or OIDC user (i.e. not magic-link eligible). false suppresses the arm entirely; internal users discover new shares only at next login. A coarser knob than the per-user auth.users.notify_on_share column; when this is false the user-level opt-in does not matter. External-user magic-link first-invitations are unaffected and always send.

Internationalization (server-rendered surfaces)

Server-rendered HTML pages (magic-link landing, error pages) and outbound transactional emails go through the backend i18n layer. The set of available locales is discovered at boot by listing static/locales/*.json — no rebuild needed to add a 17th locale.

VariableDefaultDescription
OXICLOUD_DEFAULT_LOCALEenFallback locale used when no stronger signal is available. Must match one of the locales under static/locales/; startup fails fast if you set it to a code with no corresponding JSON file.

The resolution priority differs by surface:

  • HTML pages (anonymous, e.g. magic-link landing)?lang=xx query override, then the browser's Accept-Language header (q-weighted, with primary-tag fallback so fr-FR resolves to fr when no fr-FR.json is shipped), then this default.
  • Emails to a known user — the user's preferred_locale column (set via OIDC locale claim at JIT or via the UI language switcher), then this default.
  • Emails to a brand-new external user being invited — the inviter's preferred_locale (inheritance at row-creation), then this default.

Today's shipped locales: ar, de, en, es, fa, fr, hi, it, ja, ko, nl, pl, pt, ru, zh, zh-TW. Missing translations on a non-English locale automatically fall back to English at the key level — adding a new locale with even a few translated keys works without manual gap-filling.

Trusted Proxy

VariableDefaultDescription
OXICLOUD_TRUST_PROXY_CIDRComma-separated list of trusted proxy CIDRs; enables X-Forwarded-For / X-Real-IP extraction for those source IPs
OXICLOUD_TRUST_PROXY_HEADERSDeprecated. Use OXICLOUD_TRUST_PROXY_CIDR instead

Example: OXICLOUD_TRUST_PROXY_CIDR=127.0.0.1/32,10.0.0.0/8,172.16.0.0/12

Allocator Tuning

These variables are read directly by mimalloc, not by OxiCloud's config parser.

VariableDefaultDescription
MIMALLOC_PURGE_DELAY0Delay in ms before freed memory is returned to the OS (0 = immediately, recommended for Docker)
MIMALLOC_ALLOW_LARGE_OS_PAGES0Enable 2 MiB huge pages (0 = off, recommended for Docker to avoid THP RSS inflation)

Internal Defaults (not configurable via env)

ParameterDefault
File cache TTL60 s
Directory cache TTL120 s
Max cache entries10 000
Large file threshold100 MB
Streaming chunk size1 MB
Max parallel chunks8
Trash retention30 days
Argon2id memory cost64 MiB
Argon2id time cost3 iterations
Nextcloud Login Flow v2 TTL600 s

Released under the MIT License.

Copyright © 2025-present DioCrafts