diff --git a/connect/rstudio-connect.gcfg b/connect/rstudio-connect.gcfg
index 183041b..bd76db6 100644
--- a/connect/rstudio-connect.gcfg
+++ b/connect/rstudio-connect.gcfg
@@ -1,343 +1,278 @@ -;RStudio Connect Configuration File +;Posit Connect Configuration File ; -; Configuration Options URL: https://docs.posit.co/connect/admin/appendix/configuration +; Full Configuration Reference: https://docs.posit.co/connect/admin/appendix/configuration -[Server] +; -------------- High-Level Server Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/appendix/configuration/#Server +; The Server section contains core configuration options for Posit Connect including +; the public URL, email settings, and security options. Address is required and must +; be configured to enable features like email links and proper redirects. -; Address is a public URL for this RStudio Connect server. Must be configured -; to enable features like including links to your content in emails. If -; Connect is deployed behind an HTTP proxy, this should be the URL for Connect -; in terms of that proxy. +[Server] +; Address is the public URL for this Posit Connect server. Must be configured to enable +; features like including links to your content in emails. If Connect is deployed behind +; an HTTP proxy, this should be the URL for Connect in terms of that proxy. ; https://docs.posit.co/connect/admin/appendix/configuration/#Server.Address -Address = "http://posit-connect.example.com" -;https://docs.posit.co/connect/admin/directories/#variable-data -DataDir = /path/to/application/storage - - -; -------------- Server Email Configuration -------------- ; +Address = {{ REPLACEME }} -;https://docs.posit.co/connect/admin/email/ - -; SenderEmail is an email address used by RStudio Connect to send outbound -; email. The system will not be able to send administrative email until this -; setting is configured. 
- -SenderEmail = "donotreply-connect@example.com" - -; The following email settings can be used to customize the look and feel of -; email messages that Connect generates and the "EmailTo" option changes the -; default from sending email to users to BCCing them for security in the event -; that an email is inadvertently forwarded externally to your organization. +; SenderEmail is an email address used by Posit Connect to send outbound email. The system +; will not be able to send administrative email until this setting is configured. +; https://docs.posit.co/connect/admin/email/ +SenderEmail = {{ REPLACEME }} +; EmailTo changes the default from sending email to users to BCCing them for security +; in the event that an email is inadvertently forwarded externally to your organization. ; https://docs.posit.co/connect/admin/appendix/configuration/#Server.EmailTo ;EmailTo = no-reply@example.org + +; Email branding customization options ; https://docs.posit.co/connect/admin/appendix/branding/#custom-branding-emails ;EmailSubjectPrefix = [PositConnect] ;SenderEmailDisplayName = "Posit Connect" -; Uncomment one of the following definitions to enable email-related features. +; Uncomment one of the following definitions to enable email-related features ;EmailProvider = "SMTP" ;EmailProvider = "sendmail" -;https://docs.posit.co/connect/admin/appendix/configuration/#Server.MailAll +; MailAll controls whether scheduled reports can send email to all users +; https://docs.posit.co/connect/admin/appendix/configuration/#Server.MailAll ;MailAll = false -; ---------------- Branding Configuration ---------------- ; -; Branding options allow you to make Connect feel more familiar to your users -; as well as allow you to potentially communication important information -; about the security or environment of the platform. eg. 
"PROD vs DEV" -; -; https://docs.posit.co/connect/admin/appendix/branding/ -[Branding] -Enabled = true -Logo = /path/to/logo.png -Favicon = /path/to/favicon.ico -DisplayName = "SuperPowers Inc." - - - -; -------------- Viewer Permissions Request Configuration -------------- ; +; ServerName customizes the server name displayed in the UI and headers +; https://docs.posit.co/connect/admin/appendix/configuration/#Server.ServerName +;ServerName = "Posit Connect" -;https://docs.posit.co/connect/admin/appendix/configuration/#Server.ViewerKiosk +; HideVersion suppresses version information in the UI for security hardening +; https://docs.posit.co/connect/admin/appendix/configuration/#Server.HideVersion +;HideVersion = true -;ViewerKiosk = true +; CustomHeader allows adding custom HTTP response headers (e.g., Content-Security-Policy) +; https://docs.posit.co/connect/admin/security/index.html#content-security-policy +;CustomHeader = "Content-Security-Policy: script-src 'self'" ; -------------- Package Source Configuration -------------- ; -; This option allows you to set repositories to use your specific -; internal version of Package Manager or use Posit Public Package -; Manager to pull binary packages which install much more quickly -; Note: This will override your data scientists CRAN repository, -; but generally results in a much smoother Connect experience +; ; https://docs.posit.co/connect/admin/appendix/configuration/#RPackageRepository +; This option allows you to set repositories to use your internal Package Manager or +; Posit Public Package Manager to pull binary packages which install much more quickly. +; Note: This will override your data scientists' CRAN repository, but generally results +; in a much smoother Connect experience with faster package installations. 
[RPackageRepository "CRAN"] -URL = "https://packagemanager.posit.co/cran/__linux__/centos8/latest" +URL = "{{ REPLACEME }}" ; -------------- SMTP Email Configuration -------------- ; -; Email configuration options for SMTP, which is the most common -; email provider for most organizations +; ; https://docs.posit.co/connect/admin/email/#configuring-an-email-provider +; Email configuration options for SMTP, which is the most common email provider +; for most organizations. Configure host, port, and authentication details here. + [SMTP] -Host = "smtp.example.com" +Host = "{{ REPLACEME }}" Port = 25 SSL = false StartTLS = "detect" -;User = "no-reply@example.com" -;Password = "secret" - -; -------------- WebServer Configuration -------------- ; +;User = "{{ REPLACEME }}" +;Password = "{{ REPLACEME }}" -; Set the arguments to enable Connect to listen on an unsecured port -; like 3939, which is the default Connect port, or port 80 if you need to -; run without https and allow users to directly connect. NoWarning removes the -; user facing warning when your organization needs Connect to run insecurely. +; -------------- HTTP Redirect Configuration -------------- ; ; -; https://docs.posit.co/connect/admin/appendix/configuration/#HTTP +; https://docs.posit.co/connect/admin/security/index.html#guaranteeing-https +; Automatically redirects HTTP traffic to HTTPS when Permanent is enabled below. -;[HTTP] -;Listen = :3939 -;NoWarning = true +[HTTPRedirect] +Listen = :80 -[HTTPS] +; -------------- HTTPS / TLS Configuration -------------- ; +; ; https://docs.posit.co/connect/admin/appendix/configuration/#HTTPS -; RStudio Connect will listen on this network address for HTTPS connections. +; HTTPS configuration including certificates, TLS versions, and secure cookie settings. +; Permanent=true enables HSTS (HTTP Strict Transport Security) which forces browsers to +; always use HTTPS, even if users type http:// in the address bar. 
-Listen = :443 +[HTTPS] -;Path to a PEM encoded TLS certificate file. If the certificate is signed by a certificate authority, -;the certificate file should be the concatenation of the server's certificate followed by the CA's certificate +; Posit Connect will listen on this network address for HTTPS connections +Listen = :443 -Certificate = /path/to/certificate/connect.crt +; Path to a PEM encoded TLS certificate file. If the certificate is signed by a certificate +; authority, the certificate file should be the concatenation of the server's certificate +; followed by the CA's certificate +Certificate = {{ REPLACEME }} -;Path to a PEM encoded private key file corresponding to the certificate specified with +; Path to a PEM encoded private key file corresponding to the certificate specified above +Key = {{ REPLACEME }} -Key = /path/to/key/connect.key -; Force HTTPS -; https://docs.posit.co/connect/admin/security/#guaranteeing-https +; Permanent enables HSTS (HTTP Strict Transport Security) and sets secure flag on cookies +; WARNING: Setting this to true will force HTTPS permanently in browsers +; https://docs.posit.co/connect/admin/security/index.html#guaranteeing-https +Permanent = true -;Permanent = True +; MinimumTLS restricts to TLS 1.2 and above for security hardening +; https://docs.posit.co/connect/admin/security/index.html#strong-https MinimumTLS = 1.2 -; -------------- Supported Content Types Configuration -------------- ; - -; When determining the list of R/Python versions to be referenced/installed on your -; Connect instance, make sure to consult with your data science team and determine -; what version(s) they use and also what version(s) of R/Python are installed on your -; Workbench server if applicable. +; -------------- R Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/r/#r-versions +; Multiple R versions can coexist in Posit Connect. List R executable paths here. 
+; When determining the list of R versions to install, consult with your data science +; team and match versions used on your Workbench server if applicable. Use version +; matching strategy to control compatibility (nearest, major-minor, or exact). -;https://docs.posit.co/connect/admin/r/#r-versions [R] -Executable = /opt/R/4.2.2/bin/R -Executable = /opt/R/3.6.3/bin/R +Executable = {{ REPLACEME }} +Executable = {{ REPLACEME }} + +; -------------- Python Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/python/ +; Python package source configuration via pip.conf. Multiple Python versions can +; be configured. Ensure versions match those used by your data science teams. +; https://docs.posit.co/connect/admin/python/package-management/#using-pip -;https://docs.posit.co/connect/admin/python/ -;Python package source configuration via pip.conf -;https://docs.posit.co/connect/admin/python/package-management/#configuring-pip [Python] Enabled = true -Executable = /opt/python/3.10.7/bin/python -Executable = /opt/python/3.7.7/bin/python +Executable = {{ REPLACEME }} +Executable = {{ REPLACEME }} + +; -------------- Quarto Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/quarto/ +; Quarto enables publishing of Quarto documents and websites. Multiple Quarto versions +; can be configured to support different content requirements. Requires server restart +; after configuration changes. -;https://docs.posit.co/connect/admin/quarto/ [Quarto] Enabled = true -Executable = "/opt/quarto/1.2.313/bin/quarto" -Executable = "/opt/quarto/v1.1.251/bin/quarto" +Executable = {{ REPLACEME }} +Executable = {{ REPLACEME }} ; -------------- Logging Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/logging/ +; Access and Service logs enable you to gain a better understanding of the function +; of Connect. This configuration uses JSON format, which is more accessible to +; programmatic log ingestion and is still human readable. 
Logs rotate automatically +; using logrotate (daily retention: 30 days for access/service, 12 months for audit). -; Access and Service logs enable you to gain a better understanding -; of the function of Connect and the format options are detailed on the page -; linked below. This configuration uses JSON, as it's more accessible to -; programmatic log ingestion and is still human readable. -; https://docs.posit.co/connect/admin/logging/#logging [Logging] AccessLogFormat = JSON ServiceLogFormat = JSON -; All Connect logs rotate using logrotate and do so on the schedule at the link below: -; https://docs.posit.co/connect/admin/logging/#logrotate - -; -------------- Permissions/Authorization Configuration -------------- ; - -;https://docs.posit.co/connect/admin/appendix/configuration/#Authorization.Settings +; -------------- Authorization / Permissions Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/appendix/configuration/#Authorization +; Controls user visibility, role mapping, and permission defaults. ViewersCanOnlySeeThemselves +; enhances security by preventing viewers from discovering other users on the system. +; Group-based role mapping automatically assigns Connect roles based on authentication +; provider group memberships. -;[Authorization] +[Authorization] -; This setting prevents users from seeing other Connect users -; +; Prevents viewers from seeing other Connect users (security hardening) ; https://docs.posit.co/connect/admin/appendix/branding/#viewer-authorization-restrictions - ViewersCanOnlySeeThemselves = true -;https://docs.posit.co/connect/admin/appendix/configuration/#Authorization.UserRoleMapping -; Detailed configuration example for AD/LDAP: -; https://docs.posit.co/connect/admin/authentication/ldap-based/active-directory-double-bind/#using-user-profile-roles -;UserRoleMapping = true - -; These settings enable automatically mapping incoming users to Connect roles based on their -; group membership. 
-; See here for LDAP: https://docs.posit.co/connect/admin/authentication/ldap-based/active-directory-double-bind/#using-group-memberships -; See here for SAML: https://docs.posit.co/connect/admin/authentication/saml-based/saml/#using-group-memberships -; See here for OIDC: https://docs.posit.co/connect/admin/authentication/oauth2-openid-based/openid-connect/#using-group-memberships +; Automatically map incoming users to Connect roles based on group membership +; For SAML: https://docs.posit.co/connect/admin/authentication/saml-based/saml/#using-group-memberships +; For OIDC: https://docs.posit.co/connect/admin/authentication/oauth2-openid-based/openid-connect/#using-group-memberships ;UserRoleGroupMapping = true -;ViewerRoleMapping = "The values or DN that should map to the viewer role." -;PublisherRoleMapping = "The values or DN that should map to the publisher role." -;AdministratorRoleMapping = "The values or DN that should map to the administrator role." - -; --------------Server Authentication Options-------------- ; -; This Authentication Controls at a high level the behaviors of Connect -; when it authenticates users to either individual content items or the main -; dashboard. +;ViewerRoleMapping = "{{ REPLACEME }}" +;PublisherRoleMapping = "{{ REPLACEME }}" +;AdministratorRoleMapping = "{{ REPLACEME }}" + +; -------------- Authentication Configuration -------------- ; +; ; https://docs.posit.co/connect/admin/appendix/configuration/#Authentication +; Controls high-level authentication behaviors including session lifetime, inactivity +; timeouts, and API key authentication. Shorter session lifetimes and inactivity timeouts +; improve security at the cost of requiring more frequent re-authentication. 
[Authentication] -Provider = ldap -; Provider = saml -Lifetime = 12h -Inactivity = 8h -APIKeyAuth = true -;Enable Captcha -;https://docs.posit.co/connect/admin/appendix/configuration/#Authentication.ChallengeResponseEnabled -;ChallengeResponseEnabled = true - - -; This configuration file includes EXAMPLE configurations for authenticating -; using the following models: -; 1. Active Directory with Service Credentials -; 2. LDAP Configuration With Service Credentials -; 3. SAML IDP - -; --------------Active Directory Authentication-------------- ; - -; https://docs.posit.co/connect/admin/authentication/ldap-based/active-directory-double-bind/ - - -[LDAP "Active Directory with Service Credentials"] - -; For legacy SSL (ldaps) use these: -ServerAddress = ldaps.company.com:636 -TLS = true -; Or for TLS (StartTLS extension) use these: -; ServerAddress = ldap.company.com:389 -; StartTLS = true - -TLSCACertificate= /etc/ssl/cert/ca.pem -; For TLS/SSL testing purposes only: -; ServerTLSInsecure = true - -; Service credentials (recommended): -BindDN = "EXAMPLE\\admin" -BindPassword = "XXXXXXXX" -; Or anonymous bind (less secure): -; AnonymousBind = true - -; Users -UserSearchBaseDN = "OU=Users,DC=example,DC=com" -UserObjectClass = "user" -UniqueIdAttribute = "objectGUID" -UsernameAttribute = "sAMAccountName" -UserEmailAttribute = "mail" -UserFirstNameAttribute = "givenName" -UserLastNameAttribute = "sn" - -; Groups -GroupSearchBaseDN = "OU=Users,DC=example,DC=com" -GroupObjectClass = "group" -GroupUniqueIdAttribute = "objectGUID" -GroupNameAttribute = "sAMAccountName" -; Enable this for a better user experience, unless -; managing a large number of groups is a concern: -;GroupsAutoProvision = true - -; Use this argument to restrict login to particular groups -; There can be multiple entries for permitted login information -;PermittedLoginGroup = cn=admins,ou=group,dc=company,dc=com -;PermittedLoginGroup = cn=scientists,ou=group,dc=company,dc=com - - -; When attempting to 
troubleshoot a problem relating to LDAP, -; you can enable more verbose logging by enabling the following line -;Logging = true -; -------------- LDAP Authentication-------------- ; +; Authentication provider - uncomment one (saml, oauth2, password, pam, ldap, proxy) +;Provider = saml +;Provider = oauth2 -; https://docs.posit.co/connect/admin/authentication/ldap-based/ldap-double-bind/ +; Lifetime controls maximum session duration before requiring re-authentication +; https://docs.posit.co/connect/admin/security/index.html#limiting-session-lifetime +Lifetime = 12h -[LDAP "LDAP Configuration With Service Credentials"] +; Inactivity controls idle timeout before requiring re-authentication +Inactivity = 8h -; For legacy SSL (ldaps) use these: -ServerAddress = ldaps.company.com:636 -TLS = true +; APIKeyAuth enables API key authentication for programmatic access +APIKeyAuth = true -; Or for TLS (StartTLS extension) use these: -; ServerAddress = ldap.company.com:389 -; StartTLS = true +; -------------- SAML Authentication Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/authentication/saml-based/saml/ +; SAML Single Sign-On configuration. Requires either IdPMetaDataURL (for systems +; with outbound internet access) or IdPMetaDataPath (for air-gapped systems). +; GroupsAutoProvision automatically creates groups based on SAML assertions. 
-TLSCACertificate= /etc/ssl/cert/ca.pem +[SAML] -; For TLS/SSL testing purposes only: -; ServerTLSInsecure = true +; IdP Metadata - use URL for internet-connected systems or Path for air-gapped +;IdPMetaDataURL = {{ REPLACEME }} +;IdPMetaDataPath = {{ REPLACEME }} -; Service credentials (recommended): -BindDN = "uid=admin,OU=users,DC=example,DC=com" -BindPassword = "XXXXXXXX" +; Post binding is required for many IDPs, most commonly for Azure +IdPSingleSignOnPostBinding = true -; Or anonymous bind (less secure): -; AnonymousBind = true +; SAML attribute mapping - adjust these based on your IdP's SAML assertions +UniqueIDAttribute = NameID +NameIDFormat = unspecified +UsernameAttribute = Username +FirstNameAttribute = FirstName +LastNameAttribute = LastName +EmailAttribute = Email -; Users (OpenLDAP example) -UserSearchBaseDN = "OU=Users,DC=example,DC=com" -UserObjectClass = "posixAccount" -; UniqueIdAttribute - vendor-specific object attribute -; Please refer to your LDAP vendor documentation for the correct value. 
-; (OpenLDAP) UniqueIdAttribute = "entryUUID" -; (Oracle OID) UniqueIdAttribute = "orclGuid" -; (IBM RACF) UniqueIdAttribute = "ibm-entryUUID" -; (Novell eDirectory) UniqueIdAttribute = "GUID" -; (389 Directory Server) UniqueIdAttribute = "nsUniqueID" -UniqueIdAttribute = "entryUUID" -UsernameAttribute = "uid" -UserEmailAttribute = "mail" -UserFirstNameAttribute = "givenName" -UserLastNameAttribute = "sn" +; Group membership management +; https://docs.posit.co/connect/admin/authentication/saml-based/saml/#saml-groups +GroupsAttribute = Groups +GroupsAutoProvision = true -; Groups (OpenLDAP example) -GroupSearchBaseDN = "OU=Users,DC=example,DC=com" -GroupObjectClass = "posixGroup" +; Enable verbose SAML logging for troubleshooting authentication issues +;Logging = true -; GroupUniqueIdAttribute - vendor-specific object attribute, same as the user one -GroupUniqueIdAttribute = "entryUUID" -GroupNameAttribute = "cn" +; -------------- OAuth2 / OpenID Connect Configuration -------------- ; +; +; https://docs.posit.co/connect/admin/authentication/oauth2-openid-based/openid-connect/ +; OpenID Connect authentication configuration. Supports group-based auto-provisioning +; and can restrict access by domain or email address. RegisterOnFirstLogin=false +; requires API-based user provisioning for tighter access control. 
-; Enable this for a better user experience, unless -; managing a large number of groups is a concern: -;GroupsAutoProvision = true +[OAuth2] -; When attempting to troubleshoot a problem relating to LDAP, -; you can enable more verbose logging by enabling the following line -;Logging = true +ClientId = "{{ REPLACEME }}" +ClientSecret = "{{ REPLACEME }}" +OpenIDConnectIssuer = "{{ REPLACEME }}" -; -------------- SAML Authentication-------------- ; +; Require username claim in tokens (recommended) +RequireUsernameClaim = true -;https://docs.posit.co/connect/admin/authentication/saml-based/saml/ +; Automatically create groups from OAuth2/OIDC claims +; https://docs.posit.co/connect/admin/authentication/oauth2-openid-based/openid-connect/#using-group-memberships +GroupsAutoProvision = true -[SAML] +; Restrict login to specific groups (recommended for access control) +; https://docs.posit.co/connect/admin/authentication/oauth2-openid-based/openid-connect/#user-provisioning +;PermittedLoginGroup = "connect-users" +;PermittedLoginGroup = "data-science-team" -IdPMetaDataPath = /path/to/IDPmetadata/IDP.xml +; Restrict login to specific email domains +;AllowedDomain = "company.com" -IdPSingleSignOnPostBinding = true -UniqueIDAttribute = NameID -NameIDFormat = unspecified -UsernameAttribute = Username -FirstNameAttribute = FirstName -LastNameAttribute = LastName -EmailAttribute = Email -GroupsAttribute = Groups -GroupsAutoProvision = true +; Restrict login to specific email addresses +;AllowedEmail = "user@company.com" + +; Disable automatic user registration (requires API-based provisioning) +;RegisterOnFirstLogin = false -; When attempting to troubleshoot a problem relating to SAML, -; you can enable more verbose logging by enabling the following line +; Enable verbose OAuth2 logging for troubleshooting authentication issues ;Logging = true diff --git a/packagemanager/rstudio-pm.gcfg b/packagemanager/rstudio-pm.gcfg index 53bd734..ad4228d 100644 
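Review bot: The new `[Authentication]` section leaves `Provider` commented out (`;Provider = saml` / `;Provider = oauth2`) while fully populated `[SAML]` and `[OAuth2]` sections with `GroupsAutoProvision = true` follow it, so a template applied as-is runs whatever Connect's built-in default provider is rather than the SSO the file documents — I believe that default is the local password provider, but confirm it against the configuration reference before relying on it. I'd make the selection an explicit placeholder, `Provider = {{ REPLACEME }}`, and uncomment one access restriction under `[OAuth2]` (`PermittedLoginGroup = "{{ REPLACEME }}"`), since with auto-provisioning on and `RegisterOnFirstLogin` left at its default every identity the IdP can authenticate becomes a Connect account. `ClientSecret = "{{ REPLACEME }}"` and `[SMTP] ;Password = "{{ REPLACEME }}"` are clear-text secrets in a file that is committed to a repository; as far as I recall Connect supports encrypted configuration values through `rscadmin`, so a comment such as `; store this with rscadmin's encrypted-value facility rather than as plain text` would stop the template from normalizing the clear-text form. Minor: `Address = {{ REPLACEME }}` is unquoted while `URL = "{{ REPLACEME }}"` is quoted; pick one form so an unreplaced placeholder fails the same way everywhere.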
--- a/packagemanager/rstudio-pm.gcfg
+++ b/packagemanager/rstudio-pm.gcfg
@@ -1,123 +1,132 @@ -; RStudio Package Manager configuration file +; Posit Package Manager Configuration File +; +; Full Configuration Reference: https://docs.posit.co/rspm/admin/appendix/configuration -[Server] -; Address is a public URL for this RStudio Package Manager server. If Package Manager -; is deployed behind an HTTP proxy, this should be the URL for Package Manager in -; terms of that proxy. It must be configured if RSPM is served from a subdirectory like -; `/rspm` to facilitate generating URLs for the `rspm url create` command, Swagger docs, -; and PyPI simple index pages. +; -------------- Server Configuration -------------- ; +; +; https://docs.posit.co/rspm/admin/appendix/configuration.html#Server.Settings +; Core server settings including the public URL, data directories, and logging options. +; Server.Address is required if Package Manager is served from a subdirectory, uses +; OpenID Connect authentication, or needs correct URLs for PyPI index pages and API docs. -Address = https://packagemanager.posit.co/ +[Server] +; Public URL for this Posit Package Manager server. If Package Manager is deployed +; behind an HTTP proxy, this should be the URL in terms of that proxy. Required if +; served from a subdirectory (e.g., /rspm) to facilitate generating URLs for rspm CLI, +; Swagger docs, and PyPI simple index pages. +; https://docs.posit.co/rspm/admin/appendix/configuration.html#Server.Settings +Address = {{ REPLACEME }} +; DataDir is the directory where Package Manager stores variable data (SQLite DB, cache, +; packages, etc.). Change this if you want data on another volume (e.g. larger disk, NFS). +; Default: /var/lib/rstudio-pm +;DataDir = /var/lib/rstudio-pm -; Git sources require a configured R installation. R is often installed at `/usr/lib/R` -; or `/usr/lib64/R`. +; TempDir for temporary files; must not be a subdirectory of DataDir. 
+; If unset, uses $TMPDIR or /tmp +;TempDir = /tmp -RVersion = /opt/R/#.#.# +; R and Python paths (if you don't want Package Manager to auto-detect them) +;RVersion = /opt/R/4.4.1/bin/R +;PythonVersion = /usr/bin/python3 +; -------------- Logging Configuration -------------- ; +; +; https://docs.posit.co/rspm/admin/logging.html +; Access logs track HTTP requests; Service logs track package serving activity. +; Default access log: /var/log/rstudio/rstudio-pm/rstudio-pm.access.log (combined format). -; Customize the data directory if necessary. This is where all packages and metadata are -; stored by default. Refer to Admin Guide for details. -;https://docs.posit.co/rspm/admin/appendix/configuration/#Server.DataDir +; Optional service log for package downloads (source/binary) +;ServiceLog = /var/log/rstudio/rstudio-pm/rstudio-pm.service.log -DataDir = /mnt/rspm/data +; Access log path and format (default: combined format to rstudio-pm.access.log) +;AccessLog = /var/log/rstudio/rstudio-pm/rstudio-pm.access.log +;AccessLogFormat = combined -;[HTTP] -; RStudio Package Manager will listen on this network address for HTTP connections. -;Listen = +; -------------- HTTPS / TLS Configuration -------------- ; +; +; https://docs.posit.co/rspm/admin/appendix/configuration.html#https +; HTTPS configuration including certificates, network binding, and secure cookie settings. +; Permanent=true enables HSTS (HTTP Strict Transport Security) and sets secure flag on +; cookies, forcing browsers to always use HTTPS. [HTTPS] -; Path to a TLS certificate file. If the certificate is signed by a certificate authority, the -; certificate file should be the concatenation of the server's certificate followed by the CA's -; certificate. Must be paired with `HTTPS.Key`. -;https://docs.posit.co/rspm/admin/appendix/configuration/#HTTPS.Settings - -Certificate = "/path/to/certificate/file" -; Path to a private key file corresponding to the certificate specified with `HTTPS.Certificate`. 
-; Required when `HTTPS.Certificate` is specified. +; Path to a TLS certificate file. If the certificate is signed by a certificate authority, +; the certificate file should be the concatenation of the server's certificate followed +; by the CA's certificate. Must be paired with HTTPS.Key. +; https://docs.posit.co/rspm/admin/networking.html#configuring-ssl-certificates +Certificate = {{ REPLACEME }} -Key = "/path/to/key" - -;RStudio Package Manager will listen on this network address for HTTPS connections. -;The network address can be of the form :443 or 192.168.0.1:443. -;Either HTTP.Listen or HTTPS.Listen is required. +; Path to a private key file corresponding to the certificate specified with HTTPS.Certificate +; Required when HTTPS.Certificate is specified +Key = {{ REPLACEME }} +; Posit Package Manager will listen on this network address for HTTPS connections. +; The network address can be of the form :443 or 192.168.0.1:443. +; Either HTTP.Listen or HTTPS.Listen is required. Listen = ":443" -;Advertises to all visitors that this server should only ever be hosted securely via HTTPS. -;WARNING: if this is set to true -- even temporarily -- visitors may be permanently denied -;access to your server over an unsecured (non-HTTPS) protocol. This sets the secure flag on all -;session cookies and adds a Strict-Transport-Security HTTP header with a value of 30 days. -;https://docs.posit.co/rspm/admin/appendix/configuration/#HTTPS.Permanent +; Permanent advertises to all visitors that this server should only ever be hosted +; securely via HTTPS. WARNING: if this is set to true -- even temporarily -- visitors +; may be permanently denied access to your server over an unsecured (non-HTTPS) protocol. +; This sets the secure flag on all session cookies and adds a Strict-Transport-Security +; HTTP header with a value of 30 days. 
+; https://docs.posit.co/rspm/admin/security/server.html#security +Permanent = true -;Permanent = true +; MinimumTLS restricts to TLS 1.2 and above for security hardening +MinimumTLS = 1.2 -[HttpRedirect] +; -------------- HTTP Redirect Configuration -------------- ; +; +; https://docs.posit.co/rspm/admin/networking.html#configuring-ssl-certificates +; Automatically redirects HTTP traffic to HTTPS when HTTPS.Permanent is enabled above. +[HttpRedirect] Listen = ":80" -[CRAN] -; Customize the default schedule for CRAN sync. -;SyncSchedule = "0 0 * * *" +; -------------- Database Configuration -------------- ; +; +; https://docs.posit.co/rspm/admin/database.html +; Package Manager can use SQLite (default) or PostgreSQL. PostgreSQL is recommended +; for production and high-availability deployments. -[Bioconductor] -; Customize the default schedule for Bioconductor syncs. -;SyncSchedule = "0 2 * * *" +; SQLite (default) - suitable for single-server deployments +[SQLite] +;Dir = /var/lib/rstudio-pm -[PyPI] -; Customize the default schedule for PyPI syncs. -;SyncSchedule = "0 1 * * *" +; PostgreSQL - recommended for HA and production deployments +; Uncomment and configure for PostgreSQL +;[Postgres] +;URL = "postgres://username:password@hostname:5432/database_name?sslmode=require" -; Configure Git if you are intending to build and share packages stored in Git repositories. -;https://docs.posit.co/rspm/admin/appendix/configuration/#git -[Git] -; The amount of time to wait between polling git repos to look for package changes. -;PollInterval = 5m +; -------------- Proxy Configuration -------------- ; ; -; The maximum number of times to attempt building a git package when the build fails. -;BuildRetries = 3 - -;https://docs.posit.co/rspm/admin/appendix/configuration/#binaries -[Binaries] -Distributions = "all" +; https://docs.posit.co/rspm/admin/proxy.html +; Configure outbound proxy for accessing external repositories (CRAN, PyPI, etc.). 
+; Required if Package Manager cannot directly access the internet. -[Authentication] -APITokenAuth = true +[Proxy] +;URL = http://proxy.company.com:3128 +;User = {{ REPLACEME }} +;Password = {{ REPLACEME }} -;[Manifest] -;URL = file:///opt/efs/ - -[Database] -Provider = postgres +; -------------- Git Sources Configuration -------------- ; +; +; https://docs.posit.co/rspm/admin/package-sources.html +; Git integration for package sources. Configure Git credentials and build settings. [Git] -BuilderDir = /tmp/git - -[Postgres] -<<<<<<< Updated upstream -;https://docs.posit.co/rspm/admin/database/#usage-data -;https://docs.posit.co/rspm/admin/appendix/encryption/ -URL = postgres://username@postgres_url.com/db -Password = encrypted_password -UsageDataURL = postgres://username@postgres_url/data_usage_db -UsageDataPassword = encrypted_password - - -======= -;https://docs.posit.co/rspm/admin/appendix/encryption/ -;https://docs.posit.co/rspm/admin/database/#usage-data -URL = postgres://username@postgres_url.com/db -Password = encrypted_password -UsageDataURL = postgres://username@postgres_url.com/data_usage_db -UsageDataPassword = encrypted_password - - - ->>>>>>> Stashed changes - -[Metrics] -Enabled = true +; Poll interval for checking Git repositories for updates +;PollInterval = 5m +; -------------- Air-Gapped / Offline Configuration -------------- ; +; +; https://docs.posit.co/rspm/admin/appendix/airgapped-installs.html#configuring-package-manager +; Configuration for air-gapped deployments where Package Manager cannot access external +; repositories. Requires offline data files to be downloaded separately. +[Manifest] +;URL = file:///path/to/offline/data diff --git a/workbench/jupyter.conf b/workbench/jupyter.conf index b1c7453..fa04a9e 100644 --- a/workbench/jupyter.conf +++ b/workbench/jupyter.conf 
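Review bot: The new `[Postgres]` example `;URL = "postgres://username:password@hostname:5432/database_name?sslmode=require"` embeds the database password in the connection URL, whereas the lines this hunk removes used a separate `Password = encrypted_password` and linked the encryption appendix (`/rspm/admin/appendix/encryption/`); the template should not regress to the clear-text form. Suggest `;URL = "postgres://username@hostname:5432/database_name?sslmode=require"` followed by `;Password = {{ REPLACEME }}` and a comment `; encrypt this value per the encryption appendix rather than storing plain text`, and the same treatment for `[Proxy] ;Password = {{ REPLACEME }}`. Keeping `sslmode=require` in the example is good, but a comment should note that `require` only encrypts and `verify-full` is the mode that actually authenticates the server once a CA is available. The hunk also drops `[Authentication] APITokenAuth = true` from the old side without comment; if the built-in default differs, that silently changes how the API authenticates, so either keep the line or add a comment stating the intended default.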
@@ -1,8 +1,26 @@
-# Jupyter Lab Configuration Settings
+# Posit Workbench Jupyter Configuration File
 #
-#https://docs.posit.co/ide/server-pro/jupyter_sessions/configuration.html
-jupyter-exe=/usr/local/bin/jupyter
-notebooks-enabled=1
+# Full Configuration Reference: https://docs.posit.co/ide/server-pro/admin/jupyter_sessions/configuration.html
+
+#-----------------------------------------------------------------------------------------#
+# Jupyter Lab Configuration
+#
+# https://docs.posit.co/ide/server-pro/admin/jupyter_sessions/configuration.html
+# Enable Jupyter Lab sessions in Workbench. Requires Jupyter to be installed on the system
+# or in a location accessible by the jupyter-exe path. labs-enabled controls whether Jupyter
+# sessions are available to users. default-session-cluster specifies which Job Launcher
+# cluster to use for Jupyter sessions (typically "Local" for local execution or a Kubernetes/
+# Slurm cluster name for distributed execution).
+#-----------------------------------------------------------------------------------------#
+jupyter-exe=/opt/python/{{ REPLACEME }}/bin/python
 labs-enabled=1
 default-session-cluster=Local
-session-cull-minutes=240
\ No newline at end of file
+
+#-----------------------------------------------------------------------------------------#
+# Session Timeout Configuration
+#
+# https://docs.posit.co/ide/server-pro/admin/jupyter_sessions/configuration.html
+# session-cull-minutes controls automatic termination of idle Jupyter sessions.
+# Default is 240 minutes (4 hours). Set to 0 to disable automatic culling.
+#-----------------------------------------------------------------------------------------#
+session-cull-minutes=240
diff --git a/workbench/launcher-env b/workbench/launcher-env
index cf46211..6e790a3 100644
--- a/workbench/launcher-env
+++ b/workbench/launcher-env
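Review bot: `jupyter-exe=/opt/python/{{ REPLACEME }}/bin/python` points the jupyter executable setting at a Python interpreter, while the removed line pointed at `/usr/local/bin/jupyter` and the new header still calls it "the jupyter-exe path"; unless Workbench accepts an interpreter here, `jupyter-exe=/opt/python/{{ REPLACEME }}/bin/jupyter` is what the comment actually describes. The header should also say that the chosen interpreter tree must have jupyterlab installed, since "installed on the system" will be read as the OS package. The line `Default is 240 minutes (4 hours). Set to 0 to disable automatic culling.` asserts a default and a sentinel that nothing else in the hunk shows; verify both against the linked reference or drop them, as the value is set explicitly anyway.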
@@ -1,16 +1,14 @@ #Launcher Environment Configuration #https://docs.posit.co/ide/server-pro/job_launcher/configuration.html#launcher-environment -#JobType: session -#Environment: IS_LAUNCHER_SESSION=1 -# IS_ADHOC_JOB=0 -# USER_HOME=/home/{USER} +JobType: any +Workbench: any -#JobType: adhoc -#Environment: IS_LAUNCHER_SESSION=0 -# IS_ADHOC_JOB=1 -# USER_HOME=/home/{USER} +# RHEL Environment setting to make Python use the system certificate store +# {{ REPLACEME }} +#Environment: REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -#JobType: any -#Cluster: Kubernetes -#ENVIRONMENT: IS_KUBERNETES=1 \ No newline at end of file + +# Ubuntu/Deb Environment setting to make Python use the system certificate store +# {{ REPLACEME }} +#Environment: REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt \ No newline at end of file diff --git a/workbench/launcher.conf b/workbench/launcher.conf index 8a13544..a42ac73 100644 --- a/workbench/launcher.conf +++ b/workbench/launcher.conf 
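Review bot: With both `#Environment: REQUESTS_CA_BUNDLE=...` lines commented out, the active `JobType: any` / `Workbench: any` stanza declares no variables, so this file is a no-op until an operator uncomments exactly one of the OS-specific lines; a comment such as `# Uncomment the Environment line matching this host's OS (one only)` would make that explicit. The `# {{ REPLACEME }}` markers sit inside comment lines, so a templating pass that substitutes values will neither fail on them nor fix anything. REQUESTS_CA_BUNDLE is, as far as I know, honoured by requests and pip but not by Python's ssl module itself, so tooling that reads SSL_CERT_FILE may still distrust an internal CA; a one-line caveat would save debugging time.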
@@ -1,36 +1,57 @@ -# Job Launcher Configuration +# Posit Workbench Job Launcher Configuration File # -# There are two section types, [server] and [cluster]. There should be one [server] section for the config, -# and one [cluster] section for each cluster you want the Job Launcher to connect to. +# Full Configuration Reference: https://docs.posit.co/ide/server-pro/admin/job_launcher/configuration.html # -# https://docs.posit.co/ide/server-pro/job_launcher/configuration.html +# There are two section types: [server] and [cluster]. There should be one [server] +# section for the config, and one [cluster] section for each cluster you want the +# Job Launcher to connect to. + +#-----------------------------------------------------------------------------------------# +# Server Configuration +# +# https://docs.posit.co/ide/server-pro/admin/job_launcher/configuration.html#server-options +# Core Job Launcher server settings including network binding, user/group configuration, +# and logging options. The address and port must match the launcher configuration in +# rserver.conf (launcher-address and launcher-port). 
#-----------------------------------------------------------------------------------------# [server] address=127.0.0.1 port=5559 -server-user=posit-server -admin-group=posit-server -authorization-enabled=1 -enable-debug-logging=1 -#scratch-path=/var/lib/rstudio-launcher -#logging-dir=/var/log/rstudio/launcher + +# User and group the launcher runs as (defaults to rstudio-server) +;server-user=rstudio-server +;admin-group=rstudio-server + +# Enable authorization checks (recommended for production) +;authorization-enabled=1 + +# Enable debug logging for troubleshooting +;enable-debug-logging=1 + +# Paths for launcher data and logs +;scratch-path=/var/lib/rstudio-launcher +;logging-dir=/var/log/rstudio/launcher + #-----------------------------------------------------------------------------------------# # Launcher Encryption Configuration -# End to end encryption settings for launcher. Not required in most cases unless there is a requirement -# for end to end encryption. # -# https://docs.posit.co/ide/server-pro/job_launcher/configuration.html#ssl-considerations -#enable-ssl=0 -#certificate-file=/path/to/certificate_chain -#certificate-key-file=/path/to/private_key +# https://docs.posit.co/ide/server-pro/admin/job_launcher/configuration.html#ssl-considerations +# End-to-end encryption settings for launcher. Not required in most cases unless there is +# a requirement for encryption between Workbench and the launcher (e.g., when launcher +# runs on a separate host or in security-sensitive environments). 
#-----------------------------------------------------------------------------------------# -# Cluster Level Configuration +;enable-ssl=0 +;certificate-file=/path/to/certificate_chain +;certificate-key-file=/path/to/private_key + +#-----------------------------------------------------------------------------------------# +# Cluster Configuration - Local Execution # -# https://docs.posit.co/ide/server-pro/job_launcher/configuration.html#cluster-options -[cluster1] +# https://docs.posit.co/ide/server-pro/admin/job_launcher/configuration.html#cluster-options +# Local cluster runs sessions directly on the Workbench server without container or HPC +# integration. This is the default and simplest configuration. Additional clusters can be +# added below for Kubernetes, Slurm, or other execution backends. +#-----------------------------------------------------------------------------------------# +[cluster] name=Local type=Local -#allowed-groups=devs,admins -[cluster2] -name=Kubernetes -type=Kubernetes \ No newline at end of file diff --git a/workbench/launcher.kubernetes.conf b/workbench/launcher.kubernetes.conf deleted file mode 100644 index f6f8eab..0000000 --- a/workbench/launcher.kubernetes.conf +++ /dev/null 
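Review bot: `authorization-enabled=1` was active in the removed lines and is now shipped commented out as `;authorization-enabled=1` beside a "recommended for production" remark, so the template's default is launcher authorization off; binding to 127.0.0.1 limits the exposure but does not replace the check, so restore `authorization-enabled=1` unless the downgrade is deliberate. The new commented-out lines use `;` while the file header, the previous version and the active keys all use `#`; I am not certain the launcher's parser treats `;` as a comment, and if it does not, `;enable-ssl=0` and the others become unknown options, so keep `#` for disabled settings. Dropping the explicit `server-user`/`admin-group` lines also changes the effective identity from `posit-server` to the default for anyone applying this template over an existing install; say so in the comment above them.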
@@ -1,10 +0,0 @@ -3.1.1 Kubernetes Container Auto Configuration -If you are running the Launcher within a Kubernetes container, a few configuration variables can be inferred automatically by using Kubernetes-injected environment variables and files. These values are automatically added by Kubernetes when a container is launched. Therefore, it is not required to configure these options when running the Launcher within Kubernetes. - -Config Option Obtained From -api-url https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT} -auth-token /var/run/secrets/kubernetes.io/serviceaccount/token -certificate-authority Base64-encoded value of /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - -kubernetes-namespace=rstudio -use-templating=0 \ No newline at end of file diff --git a/workbench/launcher.kubernetes.profiles.conf b/workbench/launcher.kubernetes.profiles.conf deleted file mode 100644 index 8a7e48f..0000000 --- a/workbench/launcher.kubernetes.profiles.conf +++ /dev/null @@ -1,14 +0,0 @@ -[*] -allow-unknown-images=1 -container-images=075258722956.dkr.ecr.us-east-1.amazonaws.com/sol-eng-demo-server:2022.07.2-576.pro12-202210,container2, container3 -cpu-request-ratio=0.1 -default-container-image=075258722956.dkr.ecr.us-east-1.amazonaws.com/sol-eng-demo-server:2022.07.2-576.pro12-202210 -default-cpus=1.0 -default-mem-mb=2048 -job-json-overrides="/spec/template/spec/volumes/-":"/mnt/job-json-overrides-new/defaultSessionVolume.json","/spec/templa -te/spec/containers/0/volumeMounts/-":"/mnt/job-json-overrides-new/defaultSessionVolumeMount.json","/spec/template/spec/v -olumes/-":"/mnt/job-json-overrides-new/defaultSessionSecretVolume.json","/spec/template/spec/containers/0/volumeMounts/- -":"/mnt/job-json-overrides-new/defaultSessionSecretVolumeMount.json" -max-cpus=3.0 -max-mem-mb=8192 -memory-request-ratio=0.2 \ No newline at end of file 
diff --git a/workbench/launcher.local.profiles.conf b/workbench/launcher.local.profiles.conf
new file mode 100644
index 0000000..f93477b
--- /dev/null
+++ b/workbench/launcher.local.profiles.conf
@@ -0,0 +1,54 @@
+# Posit Workbench Job Launcher - Local Plugin User and Group Profiles
+#
+# https://docs.posit.co/ide/server-pro/admin/job_launcher/local_plugin.html#local-profiles
+#
+# This file defines per-user and per-group resource limits and access controls for the
+# Local Job Launcher plugin. Sections are processed top-to-bottom, with later matching
+# sections overriding earlier ones. Section types: [*] (all users), [@groupname] (Unix
+# groups), [username] (individual users). Resource profiles referenced here are defined
+# in launcher.local.resources.conf.
+
+#-----------------------------------------------------------------------------------------#
+# Global Defaults
+#
+# https://docs.posit.co/ide/server-pro/admin/job_launcher/local_plugin.html#local-profiles
+# Apply conservative defaults for all users unless overridden by group or user sections.
+#-----------------------------------------------------------------------------------------#
+[*]
+max-cpus=4.0
+max-mem-mb=8192
+resource-profiles=default,small,medium
+allow-custom-resources=0
+
+#-----------------------------------------------------------------------------------------#
+# Group-Based Profiles
+#
+# https://docs.posit.co/ide/server-pro/admin/job_launcher/local_plugin.html#local-profiles
+# Grant different resource tiers to different teams.
+#-----------------------------------------------------------------------------------------# + +# Data science team with moderate resources +[@data-science] +max-cpus=8.0 +max-mem-mb=16384 +resource-profiles=default,small,medium,large +allow-custom-resources=1 + +# Power users with full profile access and custom resources +[@posit-admins] +resource-profiles=default,small,medium,large +allow-custom-resources=1 + +#-----------------------------------------------------------------------------------------# +# Individual User Profiles +# +# https://docs.posit.co/ide/server-pro/admin/job_launcher/local_plugin.html#local-profiles +# Override settings for specific users. +#-----------------------------------------------------------------------------------------# + +# Example individual user override +;[jsmith] +;max-cpus=4.0 +;max-mem-mb=16384 +;resource-profiles=default,medium +;allow-custom-resources=0 diff --git a/workbench/launcher.local.resources.conf b/workbench/launcher.local.resources.conf new file mode 100644 index 0000000..88387b5 --- /dev/null +++ b/workbench/launcher.local.resources.conf @@ -0,0 +1,28 @@ +# Posit Workbench Job Launcher - Local Plugin Resource Profiles +# +# https://docs.posit.co/ide/server-pro/admin/job_launcher/local_plugin.html#local-resource-profiles +# +# This file defines named resource profiles (CPU + memory bundles) that users can select +# when launching sessions via the Local Job Launcher. Each section defines a resource +# profile with specific CPU and memory allocations. Access to these profiles is controlled +# via launcher.local.profiles.conf. + +[small] +name = "Small (1 CPU, 2GB RAM)" +cpus=1 +mem-mb=2048 + +[default] +name = "Default (2 CPUs, 4GB RAM)" +cpus=2 +mem-mb=4096 + +[medium] +name = "Medium (4 CPUs, 8GB RAM)" +cpus=4 +mem-mb=8192 + +[large] +name = "Large (8 CPUs, 16GB RAM)" +cpus=8 +mem-mb=16384 diff --git a/workbench/openid-client-secret b/workbench/openid-client-secret new file mode 100644 index 0000000..bee346e 
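Review bot: `[@posit-admins]` grants the `large` profile but sets no `max-cpus`/`max-mem-mb`, so it keeps the `[*]` caps of `4.0` CPUs and `8192` MB while `large` is defined as 8 CPUs / 16 GB in launcher.local.resources.conf; whether the plugin rejects or clamps that selection I cannot tell from the hunk, but the section is inconsistent either way, so add `max-cpus=8.0` and `max-mem-mb=16384` (or the intended ceiling) under `[@posit-admins]`. Since `allow-custom-resources=1` lets members request arbitrary values, those two caps are the only bound on a shared host and deserve a comment saying so. The header could also state that `[@groupname]` sections must name groups that exist on the launcher host.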
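Review bot: Key spacing is mixed within every section, `name = "Small (1 CPU, 2GB RAM)"` against `cpus=1` and `mem-mb=2048`; pick one form (the profiles file in this same commit uses `key=value`) and apply it throughout. The display names repeat the numeric values, so a later change to `cpus` or `mem-mb` silently leaves a misleading label; either drop the numbers from the names or add `# keep the name in sync with cpus/mem-mb` above each block.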
--- /dev/null
+++ b/workbench/openid-client-secret
@@ -0,0 +1,7 @@
+#-----------------------------------------------------------------------------------------#
+# Authentication - OIDC
+#
+# https://docs.posit.co/ide/server-pro/admin/authenticating_users/openid_connect_authentication.html
+# Ensure the file permissions are 600 and run rstudio-server encrypt-password and pass in the client-secret to encrypt it
+client-id={{ REPLACEME }}
+client-secret={{ REPLACEME }}
\ No newline at end of file
diff --git a/workbench/positron-enforced-settings.json b/workbench/positron-enforced-settings.json
new file mode 100644
index 0000000..45c7af1
--- /dev/null
+++ b/workbench/positron-enforced-settings.json
@@ -0,0 +1,9 @@
+{
+ "_comment": "Positron Enforced Settings - /etc/rstudio/positron-enforced-settings.json",
+ "_documentation": "https://docs.posit.co/ide/server-pro/admin/positron_sessions/user_settings.html#enforced-settings",
+ "_note": "These settings are ENFORCED and users CANNOT override them. Register this file in /etc/rstudio/profiles using 'positron-enforced-settings = /etc/rstudio/positron-enforced-settings.json' under the [*] section. Restart Workbench after changes: sudo rstudio-server restart",
+
+ "extensions.autoUpdate": false,
+ "extensions.autoCheckUpdates": false,
+ "telemetry.telemetryLevel": "off"
+}
diff --git a/workbench/positron-user-settings.json b/workbench/positron-user-settings.json
new file mode 100644
index 0000000..69f2d5a
--- /dev/null
+++ b/workbench/positron-user-settings.json
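Review bot: The comment asks for mode 600 and for the secret to be passed through `rstudio-server encrypt-password`, but the file body is exactly what a templating pass renders, so substituting `{{ REPLACEME }}` leaves a plaintext client secret on disk until someone remembers the extra step; state it as a requirement, e.g. `# client-secret must hold the OUTPUT of: rstudio-server encrypt-password <secret>`, and add that the file should be root-owned as well as 0600. Because the rserver.conf change in this commit turns on `auth-openid=1`, an unresolved placeholder here presumably breaks OIDC login for everyone, so a `# never commit a real value; inject from a secret store at deploy time` line is worth adding too.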
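Review bot: Enforcing `"extensions.autoUpdate": false` and `"extensions.autoCheckUpdates": false` also blocks security fixes for extensions users have installed, and nothing in the file says how updates reach them instead; the `_note` should record the reason for the lock and the update path (curated gallery, scheduled admin refresh, or similar). The `_comment`/`_documentation`/`_note` keys are presumably ignored as unknown settings, but the hunk gives no evidence of that, so confirm Positron tolerates them in an enforced file before relying on them.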
@@ -0,0 +1,22 @@ +{ + "_comment": "Positron Default User Settings Template - /etc/rstudio/positron-user-settings.json", + "_documentation": "https://docs.posit.co/ide/server-pro/admin/positron_sessions/user_settings.html", + "_note": "These settings are merged into each user's Positron settings.json on first launch. Users CAN override these after initial merge. For truly enforced settings that users cannot change, use positron-enforced-settings.json and register it in the profiles file.", + + "terminal.integrated.defaultProfile.linux": "bash", + "extensions.autoUpdate": false, + "extensions.autoCheckUpdates": false, + "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto", + "python.interpreters.exclude": [ + "/usr/bin", + "/bin" + ], + "python.environmentProviders.enable": { + "Conda": false + }, + "files.autoSave": "afterDelay", + "files.autoSaveDelay": 1000, + "editor.formatOnSave": true, + "editor.tabSize": 2, + "workbench.colorTheme": "Default Dark+" +} diff --git a/workbench/positron.conf b/workbench/positron.conf new file mode 100644 index 0000000..fe6a805 --- /dev/null +++ b/workbench/positron.conf 
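Review bot: `"extensions.autoUpdate": false` and `"extensions.autoCheckUpdates": false` are repeated here although the enforced-settings file in the same commit already fixes them; since the `_note` says users can override this file, the copies are either redundant or misleading about where the policy lives, so drop them or add a `_note` sentence pointing to the enforced file. `"editor.formatOnSave": true` rewrites files on every save for every user by default, which is opinionated for a template; consider leaving that to users.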
@@ -0,0 +1,25 @@
+# Posit Workbench Positron Configuration File
+#
+# Full Configuration Reference: https://docs.posit.co/ide/server-pro/admin/positron_sessions/configuration.html
+
+#-----------------------------------------------------------------------------------------#
+# Positron Sessions
+#
+# https://docs.posit.co/ide/server-pro/admin/positron_sessions/configuration.html
+# Enable Positron IDE sessions in Workbench. Positron is a next-generation data science IDE
+# built on VS Code with native support for R and Python. Requires Positron to be installed
+# and configured. session-timeout-kill-hours controls forcible termination of suspended
+# sessions (0 = never kill, keep suspended indefinitely).
+#-----------------------------------------------------------------------------------------#
+enabled=1
+
+# Forcibly terminate suspended sessions after specified hours (0 = never)
+;session-timeout-kill-hours=0
+
+#-----------------------------------------------------------------------------------------#
+# Default Cluster Configuration
+#
+# https://docs.posit.co/ide/server-pro/admin/positron_sessions/configuration.html
+# Specify which Job Launcher cluster to use for Positron sessions.
+#-----------------------------------------------------------------------------------------#
+;default-session-cluster=Local
diff --git a/workbench/profiles b/workbench/profiles
new file mode 100644
index 0000000..c0ee4cc
--- /dev/null
+++ b/workbench/profiles
@@ -0,0 +1,33 @@
+# Posit Workbench Profiles Configuration File
+#
+# Full Configuration Reference: https://docs.posit.co/ide/server-pro/admin/positron_sessions/user_settings.html#enforced-settings
+
+#-----------------------------------------------------------------------------------------#
+# Global Positron Enforced Settings
+#
+# https://docs.posit.co/ide/server-pro/admin/positron_sessions/user_settings.html#enforced-settings
+# Register the positron-enforced-settings.json file to apply enforced settings that users
+# cannot override. The [*] section applies to all users. You can also create per-group
+# sections [@groupname] or per-user sections [username] with different enforced settings.
+# After modifying this file, restart Workbench: sudo rstudio-server restart
+#-----------------------------------------------------------------------------------------#
+[*]
+positron-enforced-settings = /etc/rstudio/positron-enforced-settings.json
+
+#-----------------------------------------------------------------------------------------#
+# Group-Based Enforced Settings (Example)
+#
+# https://docs.posit.co/ide/server-pro/admin/positron_sessions/user_settings.html#enforced-settings
+# You can create different enforced settings for specific Unix groups.
+#-----------------------------------------------------------------------------------------#
+;[@data-science]
+;positron-enforced-settings = /etc/rstudio/data-science-enforced-settings.json
+
+#-----------------------------------------------------------------------------------------#
+# User-Based Enforced Settings (Example)
+#
+# https://docs.posit.co/ide/server-pro/admin/positron_sessions/user_settings.html#enforced-settings
+# You can create different enforced settings for specific users.
+#-----------------------------------------------------------------------------------------#
+;[jsmith]
+;positron-enforced-settings = /etc/rstudio/jsmith-enforced-settings.json
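Review bot: The header's "Full Configuration Reference" link covers only Positron enforced settings, yet `/etc/rstudio/profiles` is, as far as I know, the general user and group profiles file that also carries session limits and other per-user options, so a reader following this link will not find those; point the header at the profiles reference and keep the enforced-settings link on the `[*]` section only. The text should also say that `[@groupname]` and `[username]` match Unix groups and users on the Workbench host, as the `[@data-science]` example implies but never states.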
diff --git a/workbench/python.sh b/workbench/python.sh
new file mode 100644
index 0000000..d7e4316
--- /dev/null
+++ b/workbench/python.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+# This script modifies the users PATH to place the latest version of python onto their PATH
+
+export PATH=/opt/python/{{ REPLACEME }}/bin:$PATH
\ No newline at end of file
diff --git a/workbench/repos.conf b/workbench/repos.conf
index 85e4355..cf659fd 100644
--- a/workbench/repos.conf
+++ b/workbench/repos.conf
@@ -1,3 +1,33 @@
-# Settings for default R/CRAN repositories for rsessions
-#https://solutions.posit.co/data-science-admin/packages/rsw_defaults/
-CRAN=https:////latest
\ No newline at end of file
+# Posit Workbench R Package Repository Configuration
+#
+# https://solutions.posit.co/envs-pkgs/rsw_defaults/
+#
+# This file sets the default R/CRAN repositories for R sessions in Workbench. These settings
+# are applied to all R sessions and override the default CRAN mirror. This is particularly
+# useful for pointing to an internal Posit Package Manager instance or Posit Public Package
+# Manager for faster binary package installations.
+#
+# Format: CRAN=
+#
+# For Package Manager binary repositories, use the __linux__ placeholder which Package
+# Manager automatically resolves to the correct Linux distribution binary path:
+# https://packagemanager.posit.co/cran/__linux__///latest
+#
+# Supported distributions: centos7, centos8, rhel9, ubuntu18, ubuntu20, ubuntu22, ubuntu24,
+# opensuse15, opensuse42, debian11, debian12
+
+# Posit Public Package Manager (replace {{ REPLACEME }} with your Linux distro/version)
+# Examples:
+# - ubuntu22 for Ubuntu 22.04
+# - rhel9 for RHEL 9
+# - centos7 for CentOS 7
+CRAN=https://packagemanager.posit.co/cran/__linux__/{{ REPLACEME }}/latest
+
+# Internal Package Manager (if you have your own instance)
+# Replace with your internal Package Manager URL
+;CRAN=https://packagemanager.company.com/cran/__linux__/ubuntu22/latest
+
+# Bioconductor repository (optional, for bioinformatics packages)
+;BioCsoft=https://packagemanager.posit.co/bioconductor/__linux__/{{ REPLACEME }}/latest
+;BioCann=https://packagemanager.posit.co/bioconductor/__linux__/{{ REPLACEME }}/latest
+;BioCexp=https://packagemanager.posit.co/bioconductor/__linux__/{{ REPLACEME }}/latest
diff --git a/workbench/rserver.conf b/workbench/rserver.conf
index 84087ed..470191d 100644
--- a/workbench/rserver.conf
+++ b/workbench/rserver.conf
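Review bot: Both the active `CRAN=` line and the commented internal one end in `/latest`, a moving target, so installs are not reproducible and a malicious or yanked upstream release is picked up immediately; for controlled environments replace `latest` with a dated snapshot path (Package Manager serves those) and say so in the comment. The hard-coded "Supported distributions" list will go stale (centos8 and ubuntu18 are already end-of-life), so prefer a pointer to the Package Manager UI or docs over an enumeration. `# Format: CRAN=` looks truncated, presumably `# Format: CRAN=<repository-url>`.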
@@ -1,128 +1,227 @@ -# RStudio Server Configuration File +# Posit Workbench Server Configuration File +# +# Full Configuration Reference: https://docs.posit.co/ide/server-pro/admin/reference/rserver_conf.html -# Port configuration for non-HTTPS configurations -#www-port=8787 #-----------------------------------------------------------------------------------------# -# HTTPS Configuration Section +# HTTPS / TLS Configuration # -# The certificate key should be owned by rstudio and have perms: sudo chmod 600 /var/certs/rstudio.key -# Unfortunately at this time, RStudio doesn't support a passphrase on the SSL cert. +# https://docs.posit.co/ide/server-pro/admin/access_and_security/secure_sockets.html +# Configure SSL/TLS for encrypted connections. The certificate key should be owned by +# the rstudio-server user with permissions 600 (chmod 600). Workbench does not support +# passphrase-protected SSL certificates. Restrict to modern TLS versions (1.2, 1.3) for +# security hardening. +#-----------------------------------------------------------------------------------------# ssl-enabled=1 -ssl-certificate-key=/path/to/key/posit.key ssl-certificate=/path/to/certificate/posit.crt +ssl-certificate-key=/path/to/key/posit.key + +# Restrict to modern TLS protocols only (security hardening) +# https://docs.posit.co/ide/server-pro/admin/access_and_security/secure_sockets.html#restrict-tls-versions ssl-protocols=TLSv1.2 TLSv1.3 #-----------------------------------------------------------------------------------------# -# Launcher Config +# Launcher Configuration # -# https://docs.posit.co/ide/server-pro/job_launcher/configuration.html#server-options +# https://docs.posit.co/ide/server-pro/admin/job_launcher/configuration.html#server-options +# Job Launcher enables running sessions in containers, on HPC clusters (Slurm, Kubernetes), +# or on remote compute nodes. Required for Jupyter, VS Code, and distributed computing +# workloads. 
launcher-sessions-callback-address must be accessible from compute nodes. +#-----------------------------------------------------------------------------------------# launcher-sessions-enabled=1 launcher-address=127.0.0.1 launcher-port=5559 launcher-default-cluster=Local -launcher-sessions-callback-address=https:/// -#launcher-sessions-callback-verify-ssl-certs=1 -#launcher-use-ssl=1 +launcher-sessions-callback-address=https://{{ REPLACEME }}/ -#-----------------------------------------------------------------------------------------# -# Project Sharing Configuration -# -# https://docs.posit.co/ide/server-pro/r_sessions/project_sharing.html -server-shared-storage-path=/shared/rstudio-server/shared-storage +# Enable SSL for launcher communication (recommended for HA and security) +# https://docs.posit.co/ide/server-pro/admin/hardening/example_secure_configuration.html +;launcher-use-ssl=1 #-----------------------------------------------------------------------------------------# # Admin Dashboard Configuration # -# https://docs.posit.co/ide/server-pro/server_management/administrative_dashboard.html -# The Admin Dashboard is not enabled by default (http:///admin) -# Admin-superuser-group can: 1.Suspend or terminate active sessions, 2.Assume control of active sessions -# (e.g. for troubleshooting), and 3.Login to RStudio as any other server user +# https://docs.posit.co/ide/server-pro/admin/server_management/administrative_dashboard.html +# The Admin Dashboard is not enabled by default (accessible at http:///admin). +# admin-superuser-group members can: 1) Suspend or terminate active sessions, 2) Assume +# control of active sessions (e.g., for troubleshooting), and 3) Login as any server user. +# admin-monitor-log-use-server-time-zone displays log times in server timezone vs UTC. 
+#-----------------------------------------------------------------------------------------# admin-enabled=1 -admin-group=cua -#admin-superuser-group=posit_superuser +admin-group=posit-admins +admin-superuser-group=posit-super-admin admin-monitor-log-use-server-time-zone=1 #-----------------------------------------------------------------------------------------# -# Authentication - SAML - IDP +# Health Check Endpoint +# +# https://docs.posit.co/ide/server-pro/admin/auditing_and_monitoring/server_health_checks.html +# Non-authenticated health check endpoint for monitoring and load balancer health checks. +# Accessible at http:///health-check when enabled. Returns JSON +# with system status, license validity, and resource availability. +#-----------------------------------------------------------------------------------------# +server-health-check-enabled=1 + +#-----------------------------------------------------------------------------------------# +# Authentication - SAML Single Sign-On # -# https://docs.posit.co/ide/server-pro/latest/authenticating_users/saml_sso.html#service-provider-metadata-setup -#auth-saml=1 -#auth-saml-metadata-url=https://idp.example.com/saml/metadata +# https://docs.posit.co/ide/server-pro/admin/authenticating_users/saml_sso.html +# SAML SSO configuration for enterprise identity providers. Post binding is required for +# many IDPs, most commonly Azure AD. Use auth-saml-metadata-url for internet-connected +# systems or auth-saml-metadata-path for air-gapped deployments. 
+#-----------------------------------------------------------------------------------------# +;auth-saml=1 +;auth-saml-sp-attribute-username=NameID + +# Post binding is required for many customer IDPs, most commonly for Azure +;auth-saml-idp-post-binding=1 + +# For Workbench instances with outbound internet access to the IDP +;auth-saml-metadata-url={{ REPLACEME }} + +# For Workbench instances restricted from outbound connections to the IDP +;auth-saml-metadata-path=/etc/rstudio/metadata.xml -# Authentication - SAML - SP +#-----------------------------------------------------------------------------------------# +# Authentication - OpenID Connect (OIDC) # -# https://docs.posit.co/ide/server-pro/latest/authenticating_users/saml_sso.html#service-provider-metadata-setup -# SAML SP metadata URL - https://server.example.com/saml/metadata +# https://docs.posit.co/ide/server-pro/admin/authenticating_users/openid_connect_authentication.html +# OpenID Connect authentication for modern OAuth 2.0 identity providers. Requires +# auth-openid-issuer to be set to the IdP's discovery endpoint. The username claim +# (e.g., preferred_username, email) must be specified and match the IdP's token format. +#-----------------------------------------------------------------------------------------# +auth-openid=1 +auth-openid-issuer={{ REPLACEME }} +auth-openid-username-claim=preferred_username #-----------------------------------------------------------------------------------------# # PAM Session Configuration # -# https://docs.posit.co/ide/server-pro/r_sessions/pam_sessions.html#pam-sessions-with-the-job-launcher +# https://docs.posit.co/ide/server-pro/admin/access_and_security/pam_sessions.html +# PAM sessions provide authentication and session management for user logins. When using +# the Job Launcher, PAM sessions start on both the server node and potentially on compute +# nodes. 
If you need PAM sessions for Kerberos or pam_mount, enable +# auth-pam-sessions-use-password to forward credentials to the session. +#-----------------------------------------------------------------------------------------# auth-pam-sessions-enabled=1 auth-pam-sessions-profile=rstudio -# If you need to also ensure that PAM sessions are created when actual sessions are started -# (e.g., for Kerberos or pam_mount), you will need to enable auth-pam-sessions-use-password -# to forward the user’s PAM credentials to the session. -#auth-pam-sessions-use-password=1 + +# Forward PAM credentials to sessions (required for Kerberos, pam_mount) +;auth-pam-sessions-use-password=1 #-----------------------------------------------------------------------------------------# -# General Audit Settings +# Auditing Configuration # -# https://docs.posit.co/ide/server-pro/auditing_and_monitoring/auditing_configuration.html +# https://docs.posit.co/ide/server-pro/admin/auditing_and_monitoring/auditing_configuration.html +# Comprehensive auditing of R sessions and console activity. R session auditing logs +# session start/stop/suspend events. R console auditing can log all commands (input) or +# all commands and output (all). JSON format is recommended for structured log processing. +# Logs are stored in audit-data-path with automatic rotation and retention limits. 
+#-----------------------------------------------------------------------------------------# + +# General audit settings audit-data-path=/var/lib/rstudio-server/audit/ -#-----------------------------------------------------------------------------------------# -# R-Session Audit Settings +# R Session auditing (session lifecycle events) audit-r-sessions=1 audit-r-sessions-format=json audit-r-sessions-limit-mb=2048 audit-r-sessions-limit-months=13 -#-----------------------------------------------------------------------------------------# -# Audit Settings for r-console -# -#audit-r-console=all -#audit-r-console-format=json +# R Console auditing (command and output logging) +# Options: "input" (commands only) or "all" (commands and output) +;audit-r-console=all +;audit-r-console-format=json +;audit-r-console-user-limit-mb=100 #-----------------------------------------------------------------------------------------# -# Session Diagnostic Options +# Python Package Index Configuration # -# https://docs.posit.co/ide/server-pro/rstudio_server_configuration/rserver_conf.html?q=/tm#rsession-diagnostics-dir -#rsession-diagnostics-dir=/var/log/rstudio -#rsession-diagnostics-enabled=1 -#rsession-diagnostics-strace-enabled=1 +# https://docs.posit.co/ide/server-pro/admin/python/package_installation.html +# Configure the default Python package index (PyPI repository) for Workbench sessions. +# This value is injected into sessions as PIP_INDEX_URL and UV_INDEX_URL, so both pip +# and uv use this repository by default. Useful for pointing to internal Package Manager +# instances or Posit Public Package Manager for faster binary package installations. 
+#-----------------------------------------------------------------------------------------#
+;session-python-index-url=https://packagemanager.posit.co/pypi/latest/simple
+
+# Internal Package Manager (if you have your own instance)
+;session-python-index-url=https://packagemanager.company.com/pypi/latest/simple
 #-----------------------------------------------------------------------------------------#
-# Server health check endpoint configuration (Non-authenticated)
+# Session Diagnostics
 #
-# https://docs.posit.co/ide/server-pro/auditing_and_monitoring/server_health_checks.html
-#
-# http:///health-check
-#server-health-check-enabled=1
+# https://docs.posit.co/ide/server-pro/admin/reference/rserver_conf.html#rsession-settings
+# Session diagnostics collect detailed debugging information for troubleshooting session
+# startup issues. rsession-diagnostics-strace-enabled adds system call tracing (strace)
+# for deep debugging. Enable these temporarily when troubleshooting, as they generate
+# significant log data.
+#-----------------------------------------------------------------------------------------#
+;rsession-diagnostics-dir=/var/log/rstudio
+;rsession-diagnostics-enabled=1
+;rsession-diagnostics-strace-enabled=1
 #-----------------------------------------------------------------------------------------#
-# Secure Configuration Settings
-#
-#https://docs.posit.co/ide/server-pro/hardening/example_secure_configuration.html
-# Limit access to those users to whom it's been explicitly granted via group membership
-#auth-required-user-group=posit-users
-#
-# Sign users out after 20 minutes of inactivity (default is 60)
-#auth-timeout-minutes=20
-#
-# Increase HTTP Strict Transport Security to 1 year and include subdomains
-#ssl-hsts-max-age=31536000
-#ssl-hsts-include-subdomains=1
+# Security Hardening Settings
 #
+# https://docs.posit.co/ide/server-pro/admin/hardening/example_secure_configuration.html
+# Recommended security hardening options to restrict access, enforce timeouts, enable
+# origin checks (CSRF defense), and prevent clickjacking. These settings align with
+# security best practices for enterprise deployments. Adjust www-allow-origin to match
+# your Workbench domain.
+#-----------------------------------------------------------------------------------------#
+
+# Limit access to specific Unix group membership (recommended)
+;auth-required-user-group=posit-users
+
+# Shorter idle timeout (default is 60 minutes, 20 minutes is more secure)
+;auth-timeout-minutes=20
+
+# HTTP Strict Transport Security (HSTS) settings for 1 year with subdomains
+# https://docs.posit.co/ide/server-pro/admin/access_and_security/secure_sockets.html#use-http-strict-transport-security-hsts
+;ssl-hsts-max-age=31536000
+;ssl-hsts-include-subdomains=1
+
 # Enable origin checks on all HTTP requests (CSRF defense)
-#www-enable-origin-check=1
-#
-# Ensure that the domain on which RStudio is hosted is permitted as an origin
-#www-allow-origin=mysubdomain.mydomain.com
+# https://docs.posit.co/ide/server-pro/admin/hardening/browser_security.html
+;www-enable-origin-check=1
+
+# Ensure the domain on which Workbench is hosted is permitted as an origin
+;www-allow-origin=mysubdomain.mydomain.com
+
+# Set SameSite attribute on all cookies (lax or strict)
+;www-same-site=lax
+
+# Prevent embedding Workbench in iframes on other pages (clickjacking defense)
+;www-frame-origin=none
+
+#-----------------------------------------------------------------------------------------#
+# Load Balancing / High Availability Configuration
 #
-# Ensure the SameSite attribute is set on all cookies
-#www-same-site=lax
+# https://docs.posit.co/ide/server-pro/admin/load_balancing/configuration.html
+# Multi-node Workbench deployment settings. Requires PostgreSQL database and shared
+# storage (NFS or similar). All nodes must have identical /etc/rstudio configs (except
+# node-specific settings like www-address), shared user accounts/home directories, and
+# synchronized clocks. Load balancing enables session resilience and horizontal scaling.
+#-----------------------------------------------------------------------------------------#
+
+# Enable load balancing for multi-node deployments
+;load-balancing-enabled=1
+
+#-----------------------------------------------------------------------------------------#
+# Network Binding Configuration
 #
-# Disallow embedding on other pages
-#www-frame-origin=none
+# https://docs.posit.co/ide/server-pro/admin/access_and_security/running_with_a_proxy.html
+# Network interface and port binding. For single-server behind a local proxy, bind to
+# localhost (127.0.0.1). For load-balanced or externally accessible servers, bind to
+# 0.0.0.0 or a specific IP. Leave www-port empty to use default (443 if SSL enabled,
+# 8787 otherwise).
 #-----------------------------------------------------------------------------------------#
+
+# Bind to all interfaces (required for load balancing or external access)
+;www-address=0.0.0.0
+
+# Bind to localhost only (for single-server behind local proxy)
+;www-address=127.0.0.1
+
+# Port binding (leave empty for default: 443 with SSL, 8787 without)
+;www-port=
diff --git a/workbench/rsession.conf b/workbench/rsession.conf
index 667d3ca..1268be5 100644
--- a/workbench/rsession.conf
+++ b/workbench/rsession.conf
@@ -1,28 +1,74 @@
-# R Session Configuration File
+# Posit Workbench R Session Configuration File
 #
-# https://docs.posit.co/ide/server-pro/rstudio_server_configuration/rsession_conf.html
+# Full Configuration Reference: https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html
-default-rsconnect-server=https://colorado.rstudio.com/rsc/connect/
 #-----------------------------------------------------------------------------------------#
-# Session Timeout Settings
+# Session Timeout Configuration
 #
-#session-timeout-minutes=120
-#session-timeout-kill-hours=0
+# https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html#rsession-settings
+# Controls automatic session termination. session-timeout-minutes suspends inactive
+# sessions (default: 120 minutes). session-timeout-kill-hours forcibly terminates
+# suspended sessions after the specified time (0 = never kill, keep suspended indefinitely).
 #-----------------------------------------------------------------------------------------#
-# Session Default options
+session-timeout-minutes=120
+session-timeout-kill-hours=0
+
+#-----------------------------------------------------------------------------------------#
+# Session Defaults and User Experience
 #
-#session-default-new-project-dir=~/projects
-#session-first-project-template-path=
+# https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html#rsession-settings
+# Default locations and templates for new R sessions. session-default-new-project-dir sets
+# the default directory when users create new projects. session-first-project-template-path
+# can point to a template project that will be copied for first-time users.
+#-----------------------------------------------------------------------------------------#
+session-default-new-project-dir=~/projects
+
+# Template project for new users (optional)
+;session-first-project-template-path=/opt/templates/default-project
+
+#-----------------------------------------------------------------------------------------#
+# Posit Connect Integration
+#
+# https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html#rsconnect-settings
+# Configure default Posit Connect server for content publishing. Not required for
+# single-product server deployments if users will configure their own Connect servers,
+# but simplifies publishing workflows by pre-configuring the target Connect URL.
+#-----------------------------------------------------------------------------------------#
+default-rsconnect-server={{ REPLACEME }}
+
 #-----------------------------------------------------------------------------------------#
-# Secure Configuration Settings
+# Package Repository Configuration
 #
-# Disable publishing to RPubs and shinyapps.io
-#allow-external-publish=0
+# https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html#r-settings
+# Controls whether users can change their CRAN repository from the Workbench UI.
+# When set to 0, users can still change repositories from the R console but not
+# through the GUI. Use this to enforce use of Package Manager or internal mirrors.
+#-----------------------------------------------------------------------------------------#
+;allow-r-cran-repos-edit=0
+
+#-----------------------------------------------------------------------------------------#
+# Security Hardening Settings
 #
-# Prevent exploration of system directories
-#restrict-directory-view=1
+# https://docs.posit.co/ide/server-pro/admin/hardening/r_session_security.html
+# Security options to restrict user capabilities and reduce attack surface.
 #-----------------------------------------------------------------------------------------#
-# Disable the ability to change CRAN Repo from the Workbench UI, users can still change repo
-# from the R Console
+
+# Disable publishing to external services (RPubs, shinyapps.io)
+# https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html#rsconnect-settings
+;allow-external-publish=0
+
+# Restrict directory view to prevent exploration of system directories
+# When enabled, users cannot browse directories outside their home directory and
+# shared project directories
+# https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html#rsession-settings
+;restrict-directory-view=1
+
+#-----------------------------------------------------------------------------------------#
+# R Version and Package Settings
 #
-#allow-r-cran-repos-edit=0
\ No newline at end of file
+# https://docs.posit.co/ide/server-pro/admin/reference/rsession_conf.html#r-settings
+# R interpreter settings and package management options.
+#-----------------------------------------------------------------------------------------#
+
+# R library paths (colon-separated, like standard R_LIBS)
+;r-libs-user=~/R/library
diff --git a/workbench/vscode-user-settings.json b/workbench/vscode-user-settings.json
index 565b04a..d4d2f1f 100644
--- a/workbench/vscode-user-settings.json
+++ b/workbench/vscode-user-settings.json
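Review bot: The two options under `# Security Hardening Settings` — `;allow-external-publish=0` and `;restrict-directory-view=1` — are shipped commented out, while the non-security defaults earlier in the hunk (`session-timeout-minutes=120`, `session-default-new-project-dir=~/projects`) are active, so a copy of this template deployed as-is still permits publishing to RPubs/shinyapps.io and unrestricted directory browsing. If the template is meant to be a hardened baseline, enable both by default and keep the comment explaining how to relax them. The `;` prefix for disabled keys is also new in this file, whose comments otherwise use `#`; unless the rsession.conf parser is confirmed to treat `;` as a comment marker, those lines risk being read as unknown option names rather than ignored, so `#allow-external-publish=0` (the form the old file used) is the safer way to comment a key out.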
@@ -1,5 +1,15 @@
 {
- "terminal.integrated.shell.linux": "/bin/bash",
+ "_comment": "VS Code Default User Settings Template - /etc/rstudio/vscode-user-settings.json",
+ "_documentation": "https://docs.posit.co/ide/server-pro/admin/vscode_sessions/user_settings.html",
+ "_note": "These settings are merged into each user's VS Code settings.json on first launch. Users CAN override these after initial merge. For truly enforced settings, use OS-level controls (not available via Workbench configuration). See positron-enforced-settings.json for Positron's enforced settings capability.",
+
+ "terminal.integrated.defaultProfile.linux": "bash",
 "extensions.autoUpdate": false,
- "extensions.autoCheckUpdates": false
-}
\ No newline at end of file
+ "extensions.autoCheckUpdates": false,
+ "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto",
+ "files.autoSave": "afterDelay",
+ "files.autoSaveDelay": 1000,
+ "editor.formatOnSave": true,
+ "editor.tabSize": 2,
+ "workbench.colorTheme": "Default Dark+"
+}
diff --git a/workbench/vscode.conf b/workbench/vscode.conf
index dbf7f57..04fc9db 100644
--- a/workbench/vscode.conf
+++ b/workbench/vscode.conf
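Review bot: Keeping `extensions.autoUpdate` and `extensions.autoCheckUpdates` at false freezes whatever extension versions users install, so security fixes to extensions never arrive unless some other process delivers them, and nothing in the file says what that process is; a short `_note` entry naming the update path (an internal gallery, a pinned extensions directory in vscode.conf, or a periodic review) would make the trade-off explicit. The `_comment`, `_documentation` and `_note` keys are not VS Code settings and, per the `_note` itself, are merged into every user's settings.json, where the editor is likely to flag them as unknown settings; keeping that guidance in a README beside the file avoids the noise. Since the `_note` says the merge happens only on first launch, users who already have a settings.json will not receive the new keys, which is worth stating alongside it.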
@@ -1,11 +1,42 @@
-#VSCode Configuration File
-#https://docs.posit.co/ide/server-pro/vscode_sessions/configuration.html
+# Posit Workbench VS Code Session Configuration File
+#
+# Full Configuration Reference: https://docs.posit.co/ide/server-pro/admin/vscode_sessions/configuration.html
+
+#-----------------------------------------------------------------------------------------#
+# VS Code Session Configuration
+#
+# https://docs.posit.co/ide/server-pro/admin/vscode_sessions/configuration.html
+# Configure how VS Code sessions run in Workbench. The exe path points to the bundled
+# code-server binary. args can specify additional command-line flags for code-server.
+# user-data-dir controls where user settings and extensions are stored (defaults to
+# ~/.vscode-server). enabled controls whether VS Code sessions are available to users.
+#-----------------------------------------------------------------------------------------#
+exe=/usr/lib/rstudio-server/bin/pwb-code-server/bin/code-server
 enabled=1
-exe=/opt/code-server/bin/code-server
-#Arguments to be passed to the code-server launch command.
-#You can supply an –extensions-dir= to point to previously
-#installed extensions via this parameter. If no –host argument
-#is supplied, a default of –host=0.0.0.0 will be assumed.
-args=--host=0.0.0.0 --verbose --disable-telemetry
-#https://docs.posit.co/ide/server-pro/vscode_sessions/configuration.html#vs-code-user-settings
-#user-data-dir=~/.local/share/code-server
\ No newline at end of file
+args=--host=0.0.0.0
+user-data-dir=~/.vscode-server
+
+#-----------------------------------------------------------------------------------------#
+# Session Timeout Configuration
+#
+# https://docs.posit.co/ide/server-pro/admin/vscode_sessions/configuration.html
+# session-cull-minutes controls automatic termination of idle VS Code sessions.
+# Default is 240 minutes (4 hours). Set to 0 to disable automatic culling.
+#-----------------------------------------------------------------------------------------#
+session-cull-minutes=240
+
+#-----------------------------------------------------------------------------------------#
+# Default Cluster Configuration
+#
+# https://docs.posit.co/ide/server-pro/admin/vscode_sessions/configuration.html
+# Specify which Job Launcher cluster to use for VS Code sessions.
+#-----------------------------------------------------------------------------------------#
+default-session-cluster=Local
+
+#-----------------------------------------------------------------------------------------#
+# Container Image Configuration (for containerized deployments)
+#
+# https://docs.posit.co/ide/server-pro/admin/vscode_sessions/configuration.html
+# Specify default container image for VS Code sessions when using Kubernetes or Docker.
+#-----------------------------------------------------------------------------------------#
+;default-session-container-image=rstudio:vscode-session
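Review bot: `args=--host=0.0.0.0` binds every user's code-server process to all interfaces, and the rewrite also drops the `--disable-telemetry` flag that the previous `args` line carried, without saying why. With `default-session-cluster=Local` the session runs on the Workbench host itself, so if the Workbench proxy reaches it over loopback, `--host=127.0.0.1` keeps the session port off the external interfaces and leaves Workbench's own authentication as the only way in; the removed comment noted that `0.0.0.0` is assumed when no `--host` is given, so the explicit value adds nothing but the exposure. I would write `args=--host=127.0.0.1 --disable-telemetry` with a comment that `0.0.0.0` is required only when sessions run on other nodes (a Kubernetes or Slurm cluster), and confirm on a test node that sessions still connect before rolling it out. The telemetry change is a regression against the old hardening and, if intentional, deserves a one-line comment.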