# These values are sourced by the zrok-share.service. Search for "MUST" to identify the values that need to be changed. # ## ZROK ENVIRONMENT # # You MUST enable a zrok environment by setting the environment enable token here. This file must be readable by # 'other'. Obtain the enable token from the zrok console after accepting your invitation and creating a password. # # WARNING: changing these values has no effect if /var/lib/zrok-share/.zrok/environment.json exists. Remove that file to # enable a new environment and /var/lib/zrok-share/.zrok/reserved.json to provision a new frontend URL for the specified # target. # ZROK_ENABLE_TOKEN="" # # You MAY customize the environment name that appears in the zrok console. # ZROK_ENVIRONMENT_NAME="" # You MUST set this if not using the default API endpoint #ZROK_API_ENDPOINT="https://api.zrok.io" # ## ZROK BACKEND MODE AND TARGET # # You MUST define the backend target and mode. The frontend URL will be provisioned when the service starts. You MAY # change ZROK_TARGET and frontend URL will remain the same after a restart as long as the backend mode and frontend # authentication options are the same. Options that require provisioning a new frontend URL when changed are marked with # WARNING. You may delete /var/lib/zrok-share/.zrok/reserved.json and restart the service to provision a new frontend URL. # ## BACKEND MODES THAT WORK WITH PUBLIC AND PRIVATE HTTP SHARES # # backend-mode "proxy" (default): share a backend web server URL that's reachable by this host; must begin with 'http://' or # 'https://'; must accept the HOST header of the proxy frontend. Check out backend mode "caddy" if you need more control. ZROK_BACKEND_MODE="proxy" ZROK_TARGET="" # e.g., http://127.0.0.1:3000 # if defined, an https share's backend server certificate will not be verified with backend-mode 'proxy' # NOTE: changing this value does not require provisioning a new frontend URL #ZROK_INSECURE="--insecure" # backend-mode "web": run a web server and share a static HTML directory that's present on this host. Must be an # absolute path to a directory that is readable by 'other' #ZROK_BACKEND_MODE="web" #ZROK_TARGET="/var/www/html" # backend-mode "drive": run a WebDAV file server sharing a directory that's present on this host. Must be an absolute # path to a directory that is readable by 'other' #ZROK_BACKEND_MODE="drive" #ZROK_TARGET="/usr/share/doc" # backend-mode "caddy": run an embedded Caddy server configured by the supplied Caddyfile. Must be an absolute path that # is readable by 'other'. #ZROK_BACKEND_MODE="caddy" #ZROK_TARGET="/opt/openziti/etc/zrok/multiple_upstream.Caddyfile" # ## BACKEND MODES THAT ONLY WORK WITH PRIVATE SHARES # # you MUST set ZROK_FRONTEND_MODE to 'reserved-private' or 'temp-private' to use private share backend modes #ZROK_BACKEND_MODE="tcpTunnel" #ZROK_TARGET="127.0.0.1:25565" #ZROK_BACKEND_MODE="udpTunnel" #ZROK_TARGET="127.0.0.1:53" # you MUST grant NET_ADMIN capability to the service to enable vpn mode, e.g., run these two commands: # sed -Ei 's/.*AmbientCapabilities=CAP_NET_ADMIN/AmbientCapabilities=CAP_NET_ADMIN/' /etc/systemd/system/zrok-share.service.d/override.conf # systemctl daemon-reload #ZROK_BACKEND_MODE="vpn" #ZROK_TARGET="172.16.0.1/12" # there is no target for socks mode because the share is only a dynamic exit for the proxy client #ZROK_BACKEND_MODE="socks" #ZROK_TARGET="" # ## ZROK FRONTEND # # you MAY customize the share token that is used to construct the reserved subdomain; if not set a random # subdomain is reserved # WARNING: changes take effect the next time the frontend URL is reserved #ZROK_UNIQUE_NAME="" # you MAY set one OAuth2/OIDC provider; "google" and "github" are valid for the default instance api.zrok.io # WARNING: changes take effect the next time the frontend URL is reserved # NOTE: basic auth and oauth are mutually exclusive #ZROK_OAUTH_PROVIDER="google" # you MAY restrict access to one or more email addresses or domains; must be a space-separate list # WARNING: changes take effect the next time the frontend URL is reserved #ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com" # you MAY require a password with HTTP basic authentication # WARNING: changes take effect the next time the frontend URL is reserved # NOTE: basic auth and oauth are mutually exclusive #ZROK_BASIC_AUTH="" # set if self-hosting zrok and not using only the default frontend name 'public'; must be a space-separated list # WARNING: changes take effect the next time the frontend URL is reserved #ZROK_FRONTENDS="public" # you MAY set to change the frontend mode: reserved-public (default), reserved-private, temp-public, temp-private #ZROK_FRONTEND_MODE="reserved-public" # you MAY restrict access to a private share allowing only your own zrok account #ZROK_PERMISSION_MODE=closed # if permission mode "closed" - space-separated list of additional zrok account emails to grant access with the share token #ZROK_ACCESS_GRANTS="" # ## OPTIONS # # DEBUG log level # NOTE: changing this value does not require provisioning a new frontend URL #ZROK_VERBOSE="--verbose" # you MAY set additional command-line options for the share; see "zrok reserve public --help" for hints ZROK_SHARE_OPTS=""