add tls support for all nats connections

Signed-off-by: Jörn Friedrich Dreyer <jfd@butonic.de>

.woodpecker.star

@@ -307,8 +307,8 @@ config = {
                 "ANTIVIRUS_CLAMAV_SOCKET": "tcp://clamav:3310",
                 "OC_ASYNC_UPLOADS": True,
                 "OC_ADD_RUN_SERVICES": "antivirus",
+                "STORAGE_USERS_DRIVER": "decomposed",
             },
-            "storages": ["decomposed"],
         },
         "multiTenancy": {
             "suites": [
@@ -345,29 +345,16 @@ config = {
             },
         },
     },
-    "coreApiTests": {
+    "apiTests": {
         "numberOfParts": 7,
         "skip": False,
         "skipExceptParts": [],
-        "storages": ["posix"],
     },
     "e2eTests": {
         "part": {
             "skip": False,
             "totalParts": 4,  # divide and run all suites in parts (divide pipelines)
-            # suites to skip
-            "xsuites": [
-                "search",
-                "app-provider",
-                "app-provider-onlyOffice",
-                "app-store",
-                "keycloak",
-                "oidc",
-                "ocm",
-                "a11y",
-                "mobile-view",
-                "navigation",
-            ],
+            "xsuites": ["search", "app-provider", "app-provider-onlyOffice", "app-store", "keycloak", "oidc", "ocm", "a11y", "mobile-view", "navigation"],  # suites to skip
         },
         "search": {
             "skip": False,
@@ -622,9 +609,16 @@ def testPipelines(ctx):
         pipelines.append(wopiValidatorTests(ctx, storage, "cs3", "default"))
 
     pipelines += localApiTestPipeline(ctx)
-    pipelines += coreApiTestPipeline(ctx)
-    pipelines += e2eTestPipeline(ctx)
-    pipelines += multiServiceE2ePipeline(ctx)
+
+    if "skip" not in config["apiTests"] or not config["apiTests"]["skip"]:
+        pipelines += apiTests(ctx)
+
+    enable_watch_fs = [False]
+    if ctx.build.event == "cron":
+        enable_watch_fs.append(True)
+
+    for run_with_watch_fs_enabled in enable_watch_fs:
+        pipelines += e2eTestPipeline(ctx, run_with_watch_fs_enabled) + multiServiceE2ePipeline(ctx, run_with_watch_fs_enabled)
 
     if ("skip" not in config["k6LoadTests"] or not config["k6LoadTests"]["skip"]) and ("k6-test" in ctx.build.title.lower() or ctx.build.event == "cron"):
         pipelines += k6LoadTests(ctx)
@@ -1001,6 +995,124 @@ def codestyle(ctx):
 
     return pipelines
 
+def localApiTestPipeline(ctx):
+    pipelines = []
+
+    with_remote_php = [True]
+    enable_watch_fs = [False]
+    if ctx.build.event == "cron":
+        with_remote_php.append(False)
+        enable_watch_fs.append(True)
+
+    storages = ["posix"]
+    if "[decomposed]" in ctx.build.title.lower():
+        storages = ["decomposed"]
+
+    defaults = {
+        "suites": {},
+        "skip": False,
+        "extraTestEnvironment": {},
+        "extraServerEnvironment": {},
+        "storages": storages,
+        "accounts_hash_difficulty": 4,
+        "emailNeeded": False,
+        "antivirusNeeded": False,
+        "tikaNeeded": False,
+        "federationServer": False,
+        "collaborationServiceNeeded": False,
+        "extraCollaborationEnvironment": {},
+        "withRemotePhp": with_remote_php,
+        "enableWatchFs": enable_watch_fs,
+        "ldapNeeded": False,
+        "generateVirusFiles": False,
+    }
+
+    if "localApiTests" in config:
+        for name, matrix in config["localApiTests"].items():
+            if "skip" not in matrix or not matrix["skip"]:
+                params = {}
+                for item in defaults:
+                    params[item] = matrix[item] if item in matrix else defaults[item]
+                for storage in params["storages"]:
+                    for run_with_remote_php in params["withRemotePhp"]:
+                        for run_with_watch_fs_enabled in params["enableWatchFs"]:
+                            pipeline = {
+                                "name": "%s-%s%s-%s%s" % ("CLI" if name.startswith("cli") else "API", name, "-withoutRemotePhp" if not run_with_remote_php else "", "decomposed" if name.startswith("cli") else storage, "-watchfs" if run_with_watch_fs_enabled else ""),
+                                "steps": restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBinPath"]) +
+                                         (tikaService() if params["tikaNeeded"] else []) +
+                                         (waitForServices("online-offices", ["collabora:9980", "onlyoffice:443", "fakeoffice:8080"]) if params["collaborationServiceNeeded"] else []) +
+                                         (waitForClamavService() if params["antivirusNeeded"] else []) +
+                                         (waitForEmailService() if params["emailNeeded"] else []) +
+                                         (ldapService() if params["ldapNeeded"] else []) +
+                                         (waitForLdapService() if params["ldapNeeded"] else []) +
+                                         opencloudServer(storage, params["accounts_hash_difficulty"], extra_server_environment = params["extraServerEnvironment"], with_wrapper = True, tika_enabled = params["tikaNeeded"], watch_fs_enabled = run_with_watch_fs_enabled) +
+                                         (opencloudServer(storage, params["accounts_hash_difficulty"], deploy_type = "federation", extra_server_environment = params["extraServerEnvironment"], watch_fs_enabled = run_with_watch_fs_enabled) if params["federationServer"] else []) +
+                                         ((wopiCollaborationService("fakeoffice") + wopiCollaborationService("collabora") + wopiCollaborationService("onlyoffice")) if params["collaborationServiceNeeded"] else []) +
+                                         (openCloudHealthCheck("wopi", ["wopi-collabora:9304", "wopi-onlyoffice:9304", "wopi-fakeoffice:9304"]) if params["collaborationServiceNeeded"] else []) +
+                                         localApiTests(name, params["suites"], storage, params["extraTestEnvironment"], run_with_remote_php, params["generateVirusFiles"]) +
+                                         logRequests(),
+                                "services": (emailService() if params["emailNeeded"] else []) +
+                                            (clamavService() if params["antivirusNeeded"] else []) +
+                                            ((fakeOffice() + collaboraService() + onlyofficeService()) if params["collaborationServiceNeeded"] else []),
+                                "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
+                                "when": [
+                                    event["base"],
+                                    event["cron"],
+                                    {
+                                        "event": "pull_request",
+                                        "path": {
+                                            "exclude": skipIfUnchanged(ctx, "acceptance-tests"),
+                                        },
+                                    },
+                                ],
+                            }
+                        pipelines.append(pipeline)
+    return pipelines
+
+def localApiTests(name, suites, storage = "decomposed", extra_environment = {}, with_remote_php = False, generate_virus_files = False):
+    test_dir = "%s/tests/acceptance" % dirs["base"]
+    expected_failures_file = "%s/expected-failures-localAPI-on-%s-storage.md" % (test_dir, storage)
+
+    environment = {
+        "TEST_SERVER_URL": OC_URL,
+        "TEST_SERVER_FED_URL": OC_FED_URL,
+        "SEND_SCENARIO_LINE_REFERENCES": True,
+        "STORAGE_DRIVER": storage,
+        "BEHAT_SUITES": ",".join(suites),
+        "BEHAT_FILTER_TAGS": "~@skip&&~@skipOnOpencloud-%s-Storage" % storage,
+        "EXPECTED_FAILURES_FILE": expected_failures_file,
+        "UPLOAD_DELETE_WAIT_TIME": "1" if storage == "owncloud" else 0,
+        "OC_WRAPPER_URL": "http://%s:5200" % OC_SERVER_NAME,
+        "WITH_REMOTE_PHP": with_remote_php,
+        "COLLABORATION_SERVICE_URL": "http://wopi-fakeoffice:9300",
+        "OC_STORAGE_PATH": "$HOME/.opencloud/storage/users",
+        "USE_BEARER_TOKEN": True,
+    }
+
+    for item in extra_environment:
+        environment[item] = extra_environment[item]
+
+    commands = []
+
+    # Generate EICAR virus test files if needed
+    if generate_virus_files:
+        commands.append("chmod +x %s/tests/acceptance/scripts/generate-virus-files.sh" % dirs["base"])
+        commands.append("bash %s/tests/acceptance/scripts/generate-virus-files.sh" % dirs["base"])
+
+    # Merge expected failures
+    if not with_remote_php:
+        commands.append("cat %s/expected-failures-without-remotephp.md >> %s" % (test_dir, expected_failures_file))
+
+    # Run tests
+    commands.append("make -C %s test-acceptance-api" % (dirs["base"]))
+
+    return [{
+        "name": "localApiTests-%s" % name,
+        "image": OC_CI_PHP % DEFAULT_PHP_VERSION,
+        "environment": environment,
+        "commands": commands,
+    }]
+
 def cs3ApiTests(ctx, storage, accounts_hash_difficulty = 4):
     return {
         "name": "cs3ApiTests-%s" % storage,
@@ -1145,8 +1257,62 @@ def wopiValidatorTests(ctx, storage, wopiServerType, accounts_hash_difficulty =
         ],
     }
 
-def localApiTestPipeline(ctx):
+def coreApiTests(ctx, part_number = 1, number_of_parts = 1, with_remote_php = False, accounts_hash_difficulty = 4, watch_fs_enabled = False):
+    storage = "posix"
+    if "[decomposed]" in ctx.build.title.lower():
+        storage = "decomposed"
+    filterTags = "~@skipOnOpencloud-%s-Storage" % storage
+    test_dir = "%s/tests/acceptance" % dirs["base"]
+    expected_failures_file = "%s/expected-failures-API-on-%s-storage.md" % (test_dir, storage)
+
+    return {
+        "name": "Core-API-Tests-%s%s-%s%s" % (part_number, "-withoutRemotePhp" if not with_remote_php else "", storage, "-watchfs" if watch_fs_enabled else ""),
+        "steps": restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBinPath"]) +
+                 opencloudServer(storage, accounts_hash_difficulty, with_wrapper = True, watch_fs_enabled = watch_fs_enabled) +
+                 [
+                     {
+                         "name": "oC10ApiTests-%s" % part_number,
+                         "image": OC_CI_PHP % DEFAULT_PHP_VERSION,
+                         "environment": {
+                             "TEST_SERVER_URL": OC_URL,
+                             "OC_REVA_DATA_ROOT": "%s" % (dirs["opencloudRevaDataRoot"] if storage == "owncloud" else ""),
+                             "SEND_SCENARIO_LINE_REFERENCES": True,
+                             "STORAGE_DRIVER": storage,
+                             "BEHAT_FILTER_TAGS": filterTags,
+                             "DIVIDE_INTO_NUM_PARTS": number_of_parts,
+                             "RUN_PART": part_number,
+                             "ACCEPTANCE_TEST_TYPE": "core-api",
+                             "EXPECTED_FAILURES_FILE": expected_failures_file,
+                             "UPLOAD_DELETE_WAIT_TIME": "1" if storage == "owncloud" else 0,
+                             "OC_WRAPPER_URL": "http://%s:5200" % OC_SERVER_NAME,
+                             "WITH_REMOTE_PHP": with_remote_php,
+                         },
+                         "commands": [
+                             # merge the expected failures
+                             "" if with_remote_php else "cat %s/expected-failures-without-remotephp.md >> %s" % (test_dir, expected_failures_file),
+                             "make -C %s test-acceptance-api" % (dirs["base"]),
+                         ],
+                     },
+                 ] +
+                 logRequests(),
+        "services": redisForOCStorage(storage),
+        "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
+        "when": [
+            event["base"],
+            event["cron"],
+            {
+                "event": "pull_request",
+                "path": {
+                    "exclude": skipIfUnchanged(ctx, "acceptance-tests"),
+                },
+            },
+        ],
+    }
+
+def apiTests(ctx):
     pipelines = []
+    debugParts = config["apiTests"]["skipExceptParts"]
+    debugPartsEnabled = (len(debugParts) != 0)
 
     with_remote_php = [True]
     enable_watch_fs = [False]
@@ -1155,239 +1321,19 @@ def localApiTestPipeline(ctx):
         enable_watch_fs.append(True)
 
     defaults = {
-        "suites": {},
-        "skip": False,
-        "extraTestEnvironment": {},
-        "extraServerEnvironment": {},
-        "storages": ["posix"],
-        "accounts_hash_difficulty": 4,
-        "emailNeeded": False,
-        "antivirusNeeded": False,
-        "tikaNeeded": False,
-        "federationServer": False,
-        "collaborationServiceNeeded": False,
-        "extraCollaborationEnvironment": {},
         "withRemotePhp": with_remote_php,
         "enableWatchFs": enable_watch_fs,
-        "ldapNeeded": False,
-        "generateVirusFiles": False,
     }
 
-    if "localApiTests" in config:
-        for name, matrix in config["localApiTests"].items():
-            if "skip" not in matrix or not matrix["skip"]:
-                params = {}
-                for item in defaults:
-                    params[item] = matrix[item] if item in matrix else defaults[item]
+    for runPart in range(1, config["apiTests"]["numberOfParts"] + 1):
+        for run_with_remote_php in defaults["withRemotePhp"]:
+            for run_with_watch_fs_enabled in defaults["enableWatchFs"]:
+                if not debugPartsEnabled or (debugPartsEnabled and runPart in debugParts):
+                    pipelines.append(coreApiTests(ctx, runPart, config["apiTests"]["numberOfParts"], run_with_remote_php, watch_fs_enabled = run_with_watch_fs_enabled))
 
-                # use decomposed storage if specified in the PR title
-                # run CLI tests only with decomposed storage
-                if "[decomposed]" in ctx.build.title.lower() or name.startswith("cli"):
-                    params["storages"] = ["decomposed"]
-
-                for storage in params["storages"]:
-                    for run_with_remote_php in params["withRemotePhp"]:
-                        for run_with_watch_fs_enabled in params["enableWatchFs"]:
-                            pipeline_name = "API"
-                            if name.startswith("cli"):
-                                pipeline_name = "CLI"
-                            pipeline_name += "-%s" % name
-                            if not run_with_remote_php:
-                                pipeline_name += "-withoutRemotePhp"
-                            pipeline_name += "-%s" % storage
-                            if run_with_watch_fs_enabled:
-                                pipeline_name += "-watchfs"
-
-                            pipeline = {
-                                "name": pipeline_name,
-                                "steps": restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBinPath"]) +
-                                         (tikaService() if params["tikaNeeded"] else []) +
-                                         (waitForServices("online-offices", ["collabora:9980", "onlyoffice:443", "fakeoffice:8080"]) if params["collaborationServiceNeeded"] else []) +
-                                         (waitForClamavService() if params["antivirusNeeded"] else []) +
-                                         (waitForEmailService() if params["emailNeeded"] else []) +
-                                         (ldapService() if params["ldapNeeded"] else []) +
-                                         (waitForLdapService() if params["ldapNeeded"] else []) +
-                                         opencloudServer(
-                                             storage,
-                                             params["accounts_hash_difficulty"],
-                                             extra_server_environment = params["extraServerEnvironment"],
-                                             with_wrapper = True,
-                                             tika_enabled = params["tikaNeeded"],
-                                             watch_fs_enabled = run_with_watch_fs_enabled,
-                                         ) +
-                                         (opencloudServer(storage, params["accounts_hash_difficulty"], deploy_type = "federation", extra_server_environment = params["extraServerEnvironment"], watch_fs_enabled = run_with_watch_fs_enabled) if params["federationServer"] else []) +
-                                         ((wopiCollaborationService("fakeoffice") + wopiCollaborationService("collabora") + wopiCollaborationService("onlyoffice")) if params["collaborationServiceNeeded"] else []) +
-                                         (openCloudHealthCheck("wopi", ["wopi-collabora:9304", "wopi-onlyoffice:9304", "wopi-fakeoffice:9304"]) if params["collaborationServiceNeeded"] else []) +
-                                         localApiTest(params["suites"], storage, params["extraTestEnvironment"], run_with_remote_php, params["generateVirusFiles"]) +
-                                         logRequests(),
-                                "services": (emailService() if params["emailNeeded"] else []) +
-                                            (clamavService() if params["antivirusNeeded"] else []) +
-                                            ((fakeOffice() + collaboraService() + onlyofficeService()) if params["collaborationServiceNeeded"] else []),
-                                "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
-                                "when": [
-                                    event["base"],
-                                    event["cron"],
-                                    {
-                                        "event": "pull_request",
-                                        "path": {
-                                            "exclude": skipIfUnchanged(ctx, "acceptance-tests"),
-                                        },
-                                    },
-                                ],
-                            }
-                            pipelines.append(pipeline)
     return pipelines
 
-def localApiTest(suites, storage = "decomposed", extra_environment = {}, with_remote_php = False, generate_virus_files = False):
-    test_dir = "%s/tests/acceptance" % dirs["base"]
-    expected_failures_file = "%s/expected-failures-localAPI-on-%s-storage.md" % (test_dir, storage)
-
-    environment = {
-        "TEST_SERVER_URL": OC_URL,
-        "TEST_SERVER_FED_URL": OC_FED_URL,
-        "SEND_SCENARIO_LINE_REFERENCES": True,
-        "STORAGE_DRIVER": storage,
-        "BEHAT_SUITES": ",".join(suites),
-        "BEHAT_FILTER_TAGS": "~@skip&&~@skipOnOpencloud-%s-Storage" % storage,
-        "EXPECTED_FAILURES_FILE": expected_failures_file,
-        "UPLOAD_DELETE_WAIT_TIME": "1" if storage == "owncloud" else 0,
-        "OC_WRAPPER_URL": "http://%s:5200" % OC_SERVER_NAME,
-        "WITH_REMOTE_PHP": with_remote_php,
-        "COLLABORATION_SERVICE_URL": "http://wopi-fakeoffice:9300",
-        "OC_STORAGE_PATH": "$HOME/.opencloud/storage/users",
-        "USE_BEARER_TOKEN": True,
-    }
-
-    for item in extra_environment:
-        environment[item] = extra_environment[item]
-
-    commands = []
-
-    # Generate EICAR virus test files if needed
-    if generate_virus_files:
-        commands.append("chmod +x %s/tests/acceptance/scripts/generate-virus-files.sh" % dirs["base"])
-        commands.append("bash %s/tests/acceptance/scripts/generate-virus-files.sh" % dirs["base"])
-
-    # Merge expected failures
-    if not with_remote_php:
-        commands.append("cat %s/expected-failures-without-remotephp.md >> %s" % (test_dir, expected_failures_file))
-
-    # Run tests
-    commands.append("make -C %s test-acceptance-api" % (dirs["base"]))
-
-    return [{
-        "name": "api-tests",
-        "image": OC_CI_PHP % DEFAULT_PHP_VERSION,
-        "environment": environment,
-        "commands": commands,
-    }]
-
-def coreApiTestPipeline(ctx):
-    defaults = {
-        "withRemotePhp": [True],
-        "enableWatchFs": [False],
-        "storages": ["posix"],
-        "numberOfParts": 7,
-        "skipExceptParts": [],
-        "skip": False,
-        "accounts_hash_difficulty": 4,
-    }
-
-    pipelines = []
-    if "coreApiTests" in config:
-        matrix = config["coreApiTests"]
-        if matrix["skip"]:
-            return pipelines
-
-        params = {}
-        for item in defaults:
-            params[item] = matrix[item] if item in matrix else defaults[item]
-
-        # use decomposed storage if specified in the PR title
-        if "[decomposed]" in ctx.build.title.lower():
-            params["storages"] = ["decomposed"]
-
-        if ctx.build.event == "cron":
-            params["withRemotePhp"] = [True, False]
-            params["enableWatchFs"] = [True, False]
-
-        debugParts = params["skipExceptParts"]
-        debugPartsEnabled = (len(debugParts) != 0)
-
-        for storage in params["storages"]:
-            for runPart in range(1, params["numberOfParts"] + 1):
-                for run_with_remote_php in params["withRemotePhp"]:
-                    for run_with_watch_fs_enabled in params["enableWatchFs"]:
-                        if not debugPartsEnabled or (debugPartsEnabled and runPart in debugParts):
-                            pipeline_name = "Core-API-%s" % runPart
-                            if not run_with_remote_php:
-                                pipeline_name += "-withoutRemotePhp"
-                            pipeline_name += "-%s" % storage
-                            if run_with_watch_fs_enabled:
-                                pipeline_name += "-watchfs"
-
-                            pipeline = {
-                                "name": pipeline_name,
-                                "steps": restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBinPath"]) +
-                                         opencloudServer(
-                                             storage,
-                                             params["accounts_hash_difficulty"],
-                                             with_wrapper = True,
-                                             watch_fs_enabled = run_with_watch_fs_enabled,
-                                         ) +
-                                         coreApiTest(
-                                             runPart,
-                                             params["numberOfParts"],
-                                             run_with_remote_php,
-                                             storage,
-                                         ) +
-                                         logRequests(),
-                                "services": redisForOCStorage(storage),
-                                "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx)),
-                                "when": [
-                                    event["base"],
-                                    event["cron"],
-                                    {
-                                        "event": "pull_request",
-                                        "path": {
-                                            "exclude": skipIfUnchanged(ctx, "acceptance-tests"),
-                                        },
-                                    },
-                                ],
-                            }
-                            pipelines.append(pipeline)
-    return pipelines
-
-def coreApiTest(part_number = 1, number_of_parts = 1, with_remote_php = False, storage = "posix"):
-    filterTags = "~@skipOnOpencloud-%s-Storage" % storage
-    test_dir = "%s/tests/acceptance" % dirs["base"]
-    expected_failures_file = "%s/expected-failures-API-on-%s-storage.md" % (test_dir, storage)
-
-    return [{
-        "name": "api-tests",
-        "image": OC_CI_PHP % DEFAULT_PHP_VERSION,
-        "environment": {
-            "TEST_SERVER_URL": OC_URL,
-            "OC_REVA_DATA_ROOT": "%s" % (dirs["opencloudRevaDataRoot"] if storage == "owncloud" else ""),
-            "SEND_SCENARIO_LINE_REFERENCES": True,
-            "STORAGE_DRIVER": storage,
-            "BEHAT_FILTER_TAGS": filterTags,
-            "DIVIDE_INTO_NUM_PARTS": number_of_parts,
-            "RUN_PART": part_number,
-            "ACCEPTANCE_TEST_TYPE": "core-api",
-            "EXPECTED_FAILURES_FILE": expected_failures_file,
-            "UPLOAD_DELETE_WAIT_TIME": "1" if storage == "owncloud" else 0,
-            "OC_WRAPPER_URL": "http://%s:5200" % OC_SERVER_NAME,
-            "WITH_REMOTE_PHP": with_remote_php,
-        },
-        "commands": [
-            # merge the expected failures
-            "" if with_remote_php else "cat %s/expected-failures-without-remotephp.md >> %s" % (test_dir, expected_failures_file),
-            "make -C %s test-acceptance-api" % (dirs["base"]),
-        ],
-    }]
-
-def e2eTestPipeline(ctx):
+def e2eTestPipeline(ctx, watch_fs_enabled = False):
     defaults = {
         "skip": False,
         "suites": [],
@@ -1395,8 +1341,6 @@ def e2eTestPipeline(ctx):
         "totalParts": 0,
         "tikaNeeded": False,
         "reportTracing": False,
-        "enableWatchFs": [False],
-        "storages": ["posix"],
     }
 
     extra_server_environment = {
@@ -1429,6 +1373,10 @@ def e2eTestPipeline(ctx):
     if ctx.build.event == "tag":
         return pipelines
 
+    storage = "posix"
+    if "[decomposed]" in ctx.build.title.lower():
+        storage = "decomposed"
+
     for name, suite in config["e2eTests"].items():
         if "skip" in suite and suite["skip"]:
             continue
@@ -1437,12 +1385,6 @@ def e2eTestPipeline(ctx):
         for item in defaults:
             params[item] = suite[item] if item in suite else defaults[item]
 
-        if ctx.build.event == "cron":
-            params["enableWatchFs"] = [False, True]
-
-        if "[decomposed]" in ctx.build.title.lower():
-            params["storages"] = ["decomposed"]
-
         e2e_args = ""
         if params["totalParts"] > 0:
             e2e_args = "--total-parts %d" % params["totalParts"]
@@ -1456,67 +1398,61 @@ def e2eTestPipeline(ctx):
         if "with-tracing" in ctx.build.title.lower():
             params["reportTracing"] = True
 
-        for storage in params["storages"]:
-            for watch_fs_enabled in params["enableWatchFs"]:
-                steps_before = \
-                    restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBin"]) + \
-                    restoreWebCache() + \
-                    restoreWebPnpmCache() + \
-                    restoreBrowsersCache() + \
-                    (tikaService() if params["tikaNeeded"] else []) + \
-                    opencloudServer(
-                        storage,
-                        extra_server_environment = extra_server_environment,
-                        tika_enabled = params["tikaNeeded"],
-                        watch_fs_enabled = watch_fs_enabled,
-                    )
+        steps_before = \
+            restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBin"]) + \
+            restoreWebCache() + \
+            restoreWebPnpmCache() + \
+            restoreBrowsersCache() + \
+            (tikaService() if params["tikaNeeded"] else []) + \
+            opencloudServer(storage, extra_server_environment = extra_server_environment, tika_enabled = params["tikaNeeded"], watch_fs_enabled = watch_fs_enabled)
 
-                step_e2e = {
-                    "name": "e2e-tests",
-                    "image": OC_CI_NODEJS % DEFAULT_NODEJS_VERSION,
-                    "environment": {
-                        "OC_BASE_URL": OC_DOMAIN,
-                        "HEADLESS": True,
-                        "RETRY": "1",
-                        "WEB_UI_CONFIG_FILE": "%s/%s" % (dirs["base"], dirs["opencloudConfig"]),
-                        "LOCAL_UPLOAD_DIR": "/uploads",
-                        "PLAYWRIGHT_BROWSERS_PATH": "%s/%s" % (dirs["base"], ".playwright"),
-                        "BROWSER": "chromium",
-                        "REPORT_TRACING": params["reportTracing"],
-                    },
-                    "commands": [
-                        "cd %s/tests/e2e" % dirs["web"],
-                    ],
-                }
+        step_e2e = {
+            "name": "e2e-tests",
+            "image": OC_CI_NODEJS % DEFAULT_NODEJS_VERSION,
+            "environment": {
+                "OC_BASE_URL": OC_DOMAIN,
+                "HEADLESS": True,
+                "RETRY": "1",
+                "WEB_UI_CONFIG_FILE": "%s/%s" % (dirs["base"], dirs["opencloudConfig"]),
+                "LOCAL_UPLOAD_DIR": "/uploads",
+                "PLAYWRIGHT_BROWSERS_PATH": "%s/%s" % (dirs["base"], ".playwright"),
+                "BROWSER": "chromium",
+                "REPORT_TRACING": params["reportTracing"],
+            },
+            "commands": [
+                "cd %s/tests/e2e" % dirs["web"],
+            ],
+        }
 
-                steps_after = uploadTracingResult(ctx)
+        steps_after = uploadTracingResult(ctx)
+
+        if params["totalParts"]:
+            for index in range(params["totalParts"]):
+                run_part = index + 1
+                run_e2e = {}
+                run_e2e.update(step_e2e)
+                run_e2e["commands"] = [
+                    "cd %s/tests/e2e" % dirs["web"],
+                    "bash run-e2e.sh %s --run-part %d" % (e2e_args, run_part),
+                ]
+                pipelines.append({
+                    "name": "e2e-tests-%s-%s-%s%s" % (name, run_part, storage, "-watchfs" if watch_fs_enabled else ""),
+                    "steps": steps_before + [run_e2e] + steps_after,
+                    "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx) + buildWebCache(ctx)),
+                    "when": e2e_trigger,
+                })
+        else:
+            step_e2e["commands"].append("bash run-e2e.sh %s" % e2e_args)
+            pipelines.append({
+                "name": "e2e-tests-%s-%s%s" % (name, storage, "-watchfs" if watch_fs_enabled else ""),
+                "steps": steps_before + [step_e2e] + steps_after,
+                "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx) + buildWebCache(ctx)),
+                "when": e2e_trigger,
+            })
 
-                if params["totalParts"]:
-                    for index in range(params["totalParts"]):
-                        run_part = index + 1
-                        run_e2e = {}
-                        run_e2e.update(step_e2e)
-                        run_e2e["commands"] = [
-                            "cd %s/tests/e2e" % dirs["web"],
-                            "bash run-e2e.sh %s --run-part %d" % (e2e_args, run_part),
-                        ]
-                        pipelines.append({
-                            "name": "e2e-tests-%s-%s-%s%s" % (name, run_part, storage, "-watchfs" if watch_fs_enabled else ""),
-                            "steps": steps_before + [run_e2e] + steps_after,
-                            "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx) + buildWebCache(ctx)),
-                            "when": e2e_trigger,
-                        })
-                else:
-                    step_e2e["commands"].append("bash run-e2e.sh %s" % e2e_args)
-                    pipelines.append({
-                        "name": "e2e-tests-%s-%s%s" % (name, storage, "-watchfs" if watch_fs_enabled else ""),
-                        "steps": steps_before + [step_e2e] + steps_after,
-                        "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx) + buildWebCache(ctx)),
-                        "when": e2e_trigger,
-                    })
     return pipelines
 
-def multiServiceE2ePipeline(ctx):
+def multiServiceE2ePipeline(ctx, watch_fs_enabled = False):
     pipelines = []
 
     defaults = {
@@ -1525,8 +1461,6 @@ def multiServiceE2ePipeline(ctx):
         "xsuites": [],
         "tikaNeeded": False,
         "reportTracing": False,
-        "enableWatchFs": [False],
-        "storages": ["posix"],
     }
 
     e2e_trigger = [
@@ -1547,6 +1481,10 @@ def multiServiceE2ePipeline(ctx):
     if not "full-ci" in ctx.build.title.lower() and ctx.build.event != "cron":
         return pipelines
 
+    storage = "posix"
+    if "[decomposed]" in ctx.build.title.lower():
+        storage = "decomposed"
+
     extra_server_environment = {
         "OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST": "%s" % dirs["bannedPasswordList"],
         "OC_JWT_SECRET": "some-opencloud-jwt-secret",
@@ -1561,6 +1499,9 @@ def multiServiceE2ePipeline(ctx):
         "GRAPH_AVAILABLE_ROLES": "%s" % GRAPH_AVAILABLE_ROLES,
     }
 
+    if watch_fs_enabled:
+        extra_server_environment["STORAGE_USERS_POSIX_WATCH_FS"] = True
+
     storage_users_environment = {
         "OC_CORS_ALLOW_ORIGINS": "%s,https://%s:9201" % (OC_URL, OC_SERVER_NAME),
         "STORAGE_USERS_JWT_SECRET": "some-opencloud-jwt-secret",
@@ -1605,12 +1546,6 @@ def multiServiceE2ePipeline(ctx):
         for item in defaults:
             params[item] = suite[item] if item in suite else defaults[item]
 
-        if ctx.build.event == "cron":
-            params["enableWatchFs"] = [False, True]
-
-        if "[decomposed]" in ctx.build.title.lower():
-            params["storages"] = ["decomposed"]
-
         e2e_args = ""
         if params["suites"]:
             e2e_args = "--suites %s" % ",".join(params["suites"])
@@ -1622,43 +1557,38 @@ def multiServiceE2ePipeline(ctx):
         if "with-tracing" in ctx.build.title.lower():
             params["reportTracing"] = True
 
-        for storage in params["storages"]:
-            for watch_fs_enabled in params["enableWatchFs"]:
-                if watch_fs_enabled:
-                    extra_server_environment["STORAGE_USERS_POSIX_WATCH_FS"] = True
+        steps = \
+            restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBin"]) + \
+            restoreWebCache() + \
+            restoreWebPnpmCache() + \
+            restoreBrowsersCache() + \
+            tikaService() + \
+            opencloudServer(storage, extra_server_environment = extra_server_environment, tika_enabled = params["tikaNeeded"]) + \
+            storage_users_services + \
+            [{
+                "name": "e2e-tests",
+                "image": OC_CI_NODEJS % DEFAULT_NODEJS_VERSION,
+                "environment": {
+                    "OC_BASE_URL": OC_DOMAIN,
+                    "HEADLESS": True,
+                    "RETRY": "1",
+                    "REPORT_TRACING": params["reportTracing"],
+                    "PLAYWRIGHT_BROWSERS_PATH": "%s/%s" % (dirs["base"], ".playwright"),
+                    "BROWSER": "chromium",
+                },
+                "commands": [
+                    "cd %s/tests/e2e" % dirs["web"],
+                    "bash run-e2e.sh %s" % e2e_args,
+                ],
+            }] + \
+            uploadTracingResult(ctx)
 
-                steps = \
-                    restoreBuildArtifactCache(ctx, dirs["opencloudBinArtifact"], dirs["opencloudBin"]) + \
-                    restoreWebCache() + \
-                    restoreWebPnpmCache() + \
-                    restoreBrowsersCache() + \
-                    tikaService() + \
-                    opencloudServer(storage, extra_server_environment = extra_server_environment, tika_enabled = params["tikaNeeded"]) + \
-                    storage_users_services + \
-                    [{
-                        "name": "e2e-tests",
-                        "image": OC_CI_NODEJS % DEFAULT_NODEJS_VERSION,
-                        "environment": {
-                            "OC_BASE_URL": OC_DOMAIN,
-                            "HEADLESS": True,
-                            "RETRY": "1",
-                            "REPORT_TRACING": params["reportTracing"],
-                            "PLAYWRIGHT_BROWSERS_PATH": "%s/%s" % (dirs["base"], ".playwright"),
-                            "BROWSER": "chromium",
-                        },
-                        "commands": [
-                            "cd %s/tests/e2e" % dirs["web"],
-                            "bash run-e2e.sh %s" % e2e_args,
-                        ],
-                    }] + \
-                    uploadTracingResult(ctx)
-
-                pipelines.append({
-                    "name": "e2e-tests-multi-service%s" % ("-watchfs" if watch_fs_enabled else ""),
-                    "steps": steps,
-                    "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx) + buildWebCache(ctx)),
-                    "when": e2e_trigger,
-                })
+        pipelines.append({
+            "name": "e2e-tests-multi-service%s" % ("-watchfs" if watch_fs_enabled else ""),
+            "steps": steps,
+            "depends_on": getPipelineNames(buildOpencloudBinaryForTesting(ctx) + buildWebCache(ctx)),
+            "when": e2e_trigger,
+        })
     return pipelines
 
 def uploadTracingResult(ctx):

CHANGELOG.md

@@ -1,38 +1,5 @@
 # Changelog
 
-## [4.2.0](https://github.com/opencloud-eu/opencloud/releases/tag/v4.2.0) - 2026-01-03
-
-### ❤️ Thanks to all contributors! ❤️
-
-@ScharfViktor, @butonic, @dragonchaser, @fschade, @micbar, @rhafer, @saw-jan
-
-### 🐛 Bug Fixes
-
-- fix(thumbnailer): missing font panic [[#2097](https://github.com/opencloud-eu/opencloud/pull/2097)]
-- Remove sub-service binary entrypoints and fix antivirus only server cmd [[#2043](https://github.com/opencloud-eu/opencloud/pull/2043)]
-- fix(thumbnailer): respect image boundaries and text wrappings [[#2062](https://github.com/opencloud-eu/opencloud/pull/2062)]
-- fix: cobra viper flags and env [[#2047](https://github.com/opencloud-eu/opencloud/pull/2047)]
-- fix service name in suture logs [[#2052](https://github.com/opencloud-eu/opencloud/pull/2052)]
-
-### ✅ Tests
-
-- [tests-only] test: wait post-processing to finish for MKCOL requests [[#2092](https://github.com/opencloud-eu/opencloud/pull/2092)]
-- [tests-only] test: fix API tests [[#2087](https://github.com/opencloud-eu/opencloud/pull/2087)]
-- [full-ci] use graph api in the enforcePasswordPublicLink.feature [[#2050](https://github.com/opencloud-eu/opencloud/pull/2050)]
-- [full-ci][tests-only] test: check last email content with retries as emails can be delayed [[#2038](https://github.com/opencloud-eu/opencloud/pull/2038)]
-- skip collaborativePosix tests in CI [[#2039](https://github.com/opencloud-eu/opencloud/pull/2039)]
-
-### 📈 Enhancement
-
-- allow http2 connections to proxy [[#2040](https://github.com/opencloud-eu/opencloud/pull/2040)]
-- migrate from urfave/cli to spf13/cobra [[#1954](https://github.com/opencloud-eu/opencloud/pull/1954)]
-
-### 📦️ Dependencies
-
-- build(deps): bump github.com/testcontainers/testcontainers-go/modules/opensearch from 0.39.0 to 0.40.0 [[#1967](https://github.com/opencloud-eu/opencloud/pull/1967)]
-- build(deps): bump golang.org/x/net from 0.47.0 to 0.48.0 [[#2061](https://github.com/opencloud-eu/opencloud/pull/2061)]
-- build(deps): bump github.com/open-policy-agent/opa from 1.10.1 to 1.11.0 [[#1930](https://github.com/opencloud-eu/opencloud/pull/1930)]
-
 ## [4.1.0](https://github.com/opencloud-eu/opencloud/releases/tag/v4.1.0) - 2025-12-15
 
 ### ❤️ Thanks to all contributors! ❤️

go.mod

@@ -83,7 +83,7 @@ require (
 	github.com/stretchr/testify v1.11.1
 	github.com/test-go/testify v1.1.4
 	github.com/testcontainers/testcontainers-go v0.40.0
-	github.com/testcontainers/testcontainers-go/modules/opensearch v0.40.0
+	github.com/testcontainers/testcontainers-go/modules/opensearch v0.39.0
 	github.com/theckman/yacspin v0.13.12
 	github.com/thejerf/suture/v4 v4.0.6
 	github.com/tidwall/gjson v1.18.0
@@ -102,14 +102,14 @@ require (
 	go.opentelemetry.io/otel/exporters/stdout/stdouttrace v1.38.0
 	go.opentelemetry.io/otel/sdk v1.38.0
 	go.opentelemetry.io/otel/trace v1.38.0
-	golang.org/x/crypto v0.46.0
+	golang.org/x/crypto v0.45.0
 	golang.org/x/exp v0.0.0-20250210185358-939b2ce775ac
 	golang.org/x/image v0.33.0
-	golang.org/x/net v0.48.0
+	golang.org/x/net v0.47.0
 	golang.org/x/oauth2 v0.33.0
-	golang.org/x/sync v0.19.0
-	golang.org/x/term v0.38.0
-	golang.org/x/text v0.32.0
+	golang.org/x/sync v0.18.0
+	golang.org/x/term v0.37.0
+	golang.org/x/text v0.31.0
 	google.golang.org/genproto/googleapis/api v0.0.0-20251022142026-3a174f9686a8
 	google.golang.org/grpc v1.77.0
 	google.golang.org/protobuf v1.36.10
@@ -390,10 +390,10 @@ require (
 	go.uber.org/zap v1.27.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.30.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
-	golang.org/x/tools v0.39.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/genproto v0.0.0-20250303144028-a0af3efb3deb // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 // indirect
 	gopkg.in/cenkalti/backoff.v1 v1.1.0 // indirect

go.sum

@@ -1206,8 +1206,8 @@ github.com/test-go/testify v1.1.4 h1:Tf9lntrKUMHiXQ07qBScBTSA0dhYQlu83hswqelv1iE
 github.com/test-go/testify v1.1.4/go.mod h1:rH7cfJo/47vWGdi4GPj16x3/t1xGOj2YxzmNQzk2ghU=
 github.com/testcontainers/testcontainers-go v0.40.0 h1:pSdJYLOVgLE8YdUY2FHQ1Fxu+aMnb6JfVz1mxk7OeMU=
 github.com/testcontainers/testcontainers-go v0.40.0/go.mod h1:FSXV5KQtX2HAMlm7U3APNyLkkap35zNLxukw9oBi/MY=
-github.com/testcontainers/testcontainers-go/modules/opensearch v0.40.0 h1:3TIrGk0zXyO9CG2N6APo7auwWIwAvhkwE1reISif8LM=
-github.com/testcontainers/testcontainers-go/modules/opensearch v0.40.0/go.mod h1:VA0UCTPu+Gcs7MzdzBnSl0qDnxquuphv3ngSGdX97Xs=
+github.com/testcontainers/testcontainers-go/modules/opensearch v0.39.0 h1:IkJUhR8AigQxv7qHZho/OtTU6JtiSdBGVh76o175JGo=
+github.com/testcontainers/testcontainers-go/modules/opensearch v0.39.0/go.mod h1:B7AhrDmQ4QbpzA0BeWvqzaJ8vbwcdEQDzybr35sBRfw=
 github.com/thanhpk/randstr v1.0.6 h1:psAOktJFD4vV9NEVb3qkhRSMvYh4ORRaj1+w/hn4B+o=
 github.com/thanhpk/randstr v1.0.6/go.mod h1:M/H2P1eNLZzlDwAzpkkkUvoyNNMbzRGhESZuEQk3r0U=
 github.com/theckman/yacspin v0.13.12 h1:CdZ57+n0U6JMuh2xqjnjRq5Haj6v1ner2djtLQRzJr4=
@@ -1375,8 +1375,8 @@ golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1418,8 +1418,8 @@ golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1473,8 +1473,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
-golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1501,8 +1501,8 @@ golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180622082034-63fc586f45fe/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1586,8 +1586,8 @@ golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
@@ -1599,8 +1599,8 @@ golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1615,8 +1615,8 @@ golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1679,8 +1679,8 @@ golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
-golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/tools/godoc v0.1.0-deprecated h1:o+aZ1BOj6Hsx/GBdJO/s815sqftjSnrZZwyYTHODvtk=
 golang.org/x/tools/godoc v0.1.0-deprecated/go.mod h1:qM63CriJ961IHWmnWa9CjZnBndniPt4a3CK0PVB9bIg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

opencloud/docker/Dockerfile.multiarch

@@ -3,7 +3,7 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG VERSION
 ARG STRING
-ARG EDITION="dev"
+ARG EDITION
 
 RUN apk add bash make git curl gcc musl-dev libc-dev binutils-gold inotify-tools vips-dev
 

opencloud/pkg/command/init.go

@@ -23,7 +23,7 @@ func InitCommand(_ *config.Config) *cobra.Command {
 		Short:   "initialise an OpenCloud config",
 		GroupID: CommandGroupServer,
 		RunE: func(cmd *cobra.Command, args []string) error {
-			insecureFlag := viper.GetString("insecure")
+			insecureFlag, _ := cmd.Flags().GetString("insecure")
 			insecure := false
 			if insecureFlag == "ask" {
 				answer := strings.ToLower(stringPrompt("Do you want to configure OpenCloud with certificate checking disabled?\n This is not recommended for public instances! [yes | no = default]"))
@@ -33,10 +33,10 @@ func InitCommand(_ *config.Config) *cobra.Command {
 			} else if insecureFlag == strings.ToLower("true") || insecureFlag == strings.ToLower("yes") || insecureFlag == strings.ToLower("y") {
 				insecure = true
 			}
-			forceOverwriteFlag := viper.GetBool("force-overwrite")
-			diffFlag, _ := cmd.Flags().GetBool("diff")
-			configPathFlag := viper.GetString("config-path")
-			adminPasswordFlag := viper.GetString("admin-password")
+			forceOverwriteFlag, _ := cmd.Flags().GetBool("force-overwrite")
+			diffFlag, _ := cmd.Flags().GetBool("force-overwrite")
+			configPathFlag, _ := cmd.Flags().GetString("config-path")
+			adminPasswordFlag, _ := cmd.Flags().GetString("admin-password")
 			err := ocinit.CreateConfig(insecure, forceOverwriteFlag, diffFlag, configPathFlag, adminPasswordFlag)
 			if err != nil {
 				log.Fatalf("Could not create config: %s", err)
@@ -74,7 +74,7 @@ func stringPrompt(label string) string {
 	input := ""
 	reader := bufio.NewReader(os.Stdin)
 	for {
-		_, _ = fmt.Fprint(os.Stderr, label+" ")
+		fmt.Fprint(os.Stderr, label+" ")
 		input, _ = reader.ReadString('\n')
 		if input != "" {
 			break

opencloud/pkg/command/list.go

@@ -8,8 +8,6 @@ import (
 
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
-	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
-	"github.com/opencloud-eu/opencloud/pkg/config/parser"
 
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
@@ -20,14 +18,8 @@ func ListCommand(cfg *config.Config) *cobra.Command {
 	listCmd := &cobra.Command{
 		Use:   "list",
 		Short: "list OpenCloud services running in the runtime (supervised mode)",
-		PersistentPreRunE: func(cmd *cobra.Command, args []string) error {
-			return configlog.ReturnError(parser.ParseConfig(cfg, true))
-		},
 		RunE: func(cmd *cobra.Command, args []string) error {
-			host := viper.GetString("hostname")
-			port := viper.GetString("port")
-
-			client, err := rpc.DialHTTP("tcp", net.JoinHostPort(host, port))
+			client, err := rpc.DialHTTP("tcp", net.JoinHostPort(cfg.Runtime.Host, cfg.Runtime.Port))
 			if err != nil {
 				log.Fatalf("Failed to connect to the runtime. Has the runtime been started and did you configure the right runtime address (\"%s\")", cfg.Runtime.Host+":"+cfg.Runtime.Port)
 			}
@@ -43,7 +35,6 @@ func ListCommand(cfg *config.Config) *cobra.Command {
 			return nil
 		},
 	}
-
 	listCmd.Flags().String("hostname", "localhost", "hostname of the runtime")
 	_ = viper.BindEnv("hostname", "OC_RUNTIME_HOST")
 	_ = viper.BindPFlag("hostname", listCmd.Flags().Lookup("hostname"))

opencloud/pkg/command/services.go

@@ -61,7 +61,7 @@ var serviceCommands = []register.Command{
 	},
 	func(cfg *config.Config) *cobra.Command {
 		return ServiceCommand(cfg, cfg.Antivirus.Service.Name, antivirus.GetCommands(cfg.Antivirus), func(c *config.Config) {
-			cfg.Antivirus.Commons = cfg.Commons
+			// cfg.Antivirus.Commons = cfg.Commons // antivirus needs no commons atm
 		})
 	},
 	func(cfg *config.Config) *cobra.Command {

opencloud/pkg/command/shares.go

@@ -3,8 +3,6 @@ package command
 import (
 	"errors"
 
-	"github.com/spf13/viper"
-
 	"github.com/opencloud-eu/opencloud/opencloud/pkg/register"
 	"github.com/opencloud-eu/opencloud/pkg/config"
 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
@@ -17,6 +15,7 @@ import (
 	"github.com/opencloud-eu/reva/v2/pkg/share/manager/jsoncs3"
 	"github.com/opencloud-eu/reva/v2/pkg/share/manager/registry"
 	"github.com/opencloud-eu/reva/v2/pkg/utils"
+	"github.com/spf13/viper"
 
 	"github.com/rs/zerolog"
 	"github.com/spf13/cobra"
@@ -78,7 +77,7 @@ func cleanupCmd(cfg *config.Config) *cobra.Command {
 	return cleanCmd
 }
 
-func cleanup(_ *cobra.Command, cfg *config.Config) error {
+func cleanup(cmd *cobra.Command, cfg *config.Config) error {
 	driver := cfg.Sharing.UserSharingDriver
 	// cleanup is only implemented for the jsoncs3 share manager
 	if driver != "jsoncs3" {
@@ -109,8 +108,8 @@ func cleanup(_ *cobra.Command, cfg *config.Config) error {
 		return configlog.ReturnError(err)
 	}
 
-	serviceAccountIDFlag := viper.GetString("service-account-id")
-	serviceAccountSecretFlag := viper.GetString("service-account-secret")
+	serviceAccountIDFlag, _ := cmd.Flags().GetString("service-account-id")
+	serviceAccountSecretFlag, _ := cmd.Flags().GetString("service-account-secret")
 	serviceUserCtx, err := utils.GetServiceUserContext(serviceAccountIDFlag, client, serviceAccountSecretFlag)
 	if err != nil {
 		return configlog.ReturnError(err)
@@ -168,6 +167,39 @@ func revaShareConfig(cfg *sharing.Config) map[string]interface{} {
 	}
 }
 
+func revaPublicShareConfig(cfg *sharing.Config) map[string]interface{} {
+	return map[string]interface{}{
+		"json": map[string]interface{}{
+			"file":         cfg.PublicSharingDrivers.JSON.File,
+			"gateway_addr": cfg.Reva.Address,
+		},
+		"jsoncs3": map[string]interface{}{
+			"gateway_addr":        cfg.Reva.Address,
+			"provider_addr":       cfg.PublicSharingDrivers.JSONCS3.ProviderAddr,
+			"service_user_id":     cfg.PublicSharingDrivers.JSONCS3.SystemUserID,
+			"service_user_idp":    cfg.PublicSharingDrivers.JSONCS3.SystemUserIDP,
+			"machine_auth_apikey": cfg.PublicSharingDrivers.JSONCS3.SystemUserAPIKey,
+		},
+		"sql": map[string]interface{}{
+			"db_username":                   cfg.PublicSharingDrivers.SQL.DBUsername,
+			"db_password":                   cfg.PublicSharingDrivers.SQL.DBPassword,
+			"db_host":                       cfg.PublicSharingDrivers.SQL.DBHost,
+			"db_port":                       cfg.PublicSharingDrivers.SQL.DBPort,
+			"db_name":                       cfg.PublicSharingDrivers.SQL.DBName,
+			"password_hash_cost":            cfg.PublicSharingDrivers.SQL.PasswordHashCost,
+			"enable_expired_shares_cleanup": cfg.PublicSharingDrivers.SQL.EnableExpiredSharesCleanup,
+			"janitor_run_interval":          cfg.PublicSharingDrivers.SQL.JanitorRunInterval,
+		},
+		"cs3": map[string]interface{}{
+			"gateway_addr":        cfg.PublicSharingDrivers.CS3.ProviderAddr,
+			"provider_addr":       cfg.PublicSharingDrivers.CS3.ProviderAddr,
+			"service_user_id":     cfg.PublicSharingDrivers.CS3.SystemUserID,
+			"service_user_idp":    cfg.PublicSharingDrivers.CS3.SystemUserIDP,
+			"machine_auth_apikey": cfg.PublicSharingDrivers.CS3.SystemUserAPIKey,
+		},
+	}
+}
+
 func logger() *zerolog.Logger {
 	log := oclog.NewLogger(
 		oclog.Name("migrate"),

pkg/nats/options.go

@@ -0,0 +1,20 @@
+package nats
+
+import (
+	"crypto/tls"
+
+	"github.com/nats-io/nats.go"
+)
+
+func Secure(enableTLS, insecure bool, rootCA string) nats.Option {
+	if enableTLS {
+		if rootCA != "" {
+			return nats.RootCAs(rootCA)
+		}
+		return nats.Secure(&tls.Config{
+			MinVersion:         tls.VersionTLS12,
+			InsecureSkipVerify: insecure,
+		})
+	}
+	return nil
+}

pkg/shared/shared_types.go

@@ -48,14 +48,17 @@ type HTTPServiceTLS struct {
 }
 
 type Cache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table              string        `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OC_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
 
 // Commons holds configuration that are common to all extensions. Each extension can then decide whether

pkg/version/version.go

@@ -34,7 +34,7 @@ var (
 	// LatestTag is the latest released version plus the dev meta version.
 	// Will be overwritten by the release pipeline
 	// Needs a manual change for every tagged release
-	LatestTag = "4.1.0+dev"
+	LatestTag = "4.0.0-rc.3+dev"
 
 	// Date indicates the build date.
 	// This has been removed, it looks like you can only replace static strings with recent go versions
@@ -79,11 +79,8 @@ func initEdition() error {
 		_, err := semver.NewVersion(editionParts[1])
 		return err == nil
 	}) {
-		defer func() {
-			Edition = Dev
-		}()
-
-		return fmt.Errorf(`unknown edition channel '%s'`, Edition)
+		Edition = Dev
+		return fmt.Errorf(`unknown edition channel "%s"`, Edition)
 	}
 
 	return nil

pkg/version/version_test.go

@@ -2,7 +2,6 @@ package version_test
 
 import (
 	"fmt"
-	"strings"
 	"testing"
 
 	"github.com/opencloud-eu/opencloud/pkg/version"
@@ -60,8 +59,6 @@ func TestChannel(t *testing.T) {
 				fallthrough
 			case test.valid != (err == nil):
 				t.Fatalf("invalid edition: %s", version.Edition)
-			case !test.valid && !strings.Contains(err.Error(), "'"+test.got+"'"):
-				t.Fatalf("no mention of invalid edition '%s' in error: %s", test.got, err.Error())
 			}
 		})
 	}

services/activitylog/cmd/activitylog/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/activitylog/pkg/command/server.go

@@ -8,9 +8,7 @@ import (
 	"github.com/opencloud-eu/reva/v2/pkg/events"
 	"github.com/opencloud-eu/reva/v2/pkg/events/stream"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	"github.com/opencloud-eu/reva/v2/pkg/store"
 	"github.com/spf13/cobra"
-	microstore "go-micro.dev/v4/store"
 
 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/pkg/generators"
@@ -77,15 +75,6 @@ func Server(cfg *config.Config) *cobra.Command {
 				return err
 			}
 
-			evStore := store.Create(
-				store.Store(cfg.Store.Store),
-				store.TTL(cfg.Store.TTL),
-				microstore.Nodes(cfg.Store.Nodes...),
-				microstore.Database(cfg.Store.Database),
-				microstore.Table(cfg.Store.Table),
-				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
-			)
-
 			tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode)
 			if err != nil {
 				logger.Error().Err(err).Msg("Failed to parse tls mode")
@@ -120,7 +109,6 @@ func Server(cfg *config.Config) *cobra.Command {
 					http.Context(ctx), // NOTE: not passing this "option" leads to a panic in go-micro
 					http.TraceProvider(tracerProvider),
 					http.Stream(evStream),
-					http.Store(evStore),
 					http.GatewaySelector(gatewaySelector),
 					http.HistoryClient(hClient),
 					http.ValueClient(vClient),

services/activitylog/pkg/config/config.go

@@ -49,13 +49,15 @@ type Events struct {
 
 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"ACTIVITYLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;ACTIVITYLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;ACTIVITYLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
 
 // ServiceAccount is the configuration for the used service account

services/activitylog/pkg/config/defaults/defaultconfig.go

@@ -37,7 +37,6 @@ func DefaultConfig() *config.Config {
 			Store:    "nats-js-kv",
 			Nodes:    []string{"127.0.0.1:9233"},
 			Database: "activitylog",
-			Table:    "",
 		},
 		RevaGateway:     shared.DefaultRevaConfig().Address,
 		DefaultLanguage: "en",

services/activitylog/pkg/server/debug/server.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("http reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))
 
+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))
 
 	return debug.NewService(
 		debug.Logger(options.Logger),

services/activitylog/pkg/server/http/server.go

@@ -81,7 +81,6 @@ func Server(opts ...Option) (http.Service, error) {
 		svc.Logger(options.Logger),
 		svc.Stream(options.Stream),
 		svc.Mux(mux),
-		svc.Store(options.Store),
 		svc.Config(options.Config),
 		svc.GatewaySelector(options.GatewaySelector),
 		svc.TraceProvider(options.TraceProvider),

services/activitylog/pkg/service/l10n/locale/ca/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Ivan Fustero, 2025\n"
 "Language-Team: Catalan (https://app.transifex.com/opencloud-eu/teams/204053/ca/)\n"

services/activitylog/pkg/service/l10n/locale/de/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jörn Friedrich Dreyer <jfd@butonic.de>, 2025\n"
 "Language-Team: German (https://app.transifex.com/opencloud-eu/teams/204053/de/)\n"

services/activitylog/pkg/service/l10n/locale/es/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Elías Martín, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/opencloud-eu/teams/204053/es/)\n"

services/activitylog/pkg/service/l10n/locale/fr/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: eric_G <junk.eg@free.fr>, 2025\n"
 "Language-Team: French (https://app.transifex.com/opencloud-eu/teams/204053/fr/)\n"

services/activitylog/pkg/service/l10n/locale/it/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Simone Broglia, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/opencloud-eu/teams/204053/it/)\n"

services/activitylog/pkg/service/l10n/locale/ko/LC_MESSAGES/activitylog.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Junghyuk Kwon <kwon@junghy.uk>, 2025\n"
 "Language-Team: Korean (https://app.transifex.com/opencloud-eu/teams/204053/ko/)\n"

services/activitylog/pkg/service/l10n/locale/nl/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-23 00:05+0000\n"
+"POT-Creation-Date: 2025-12-03 00:01+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Stephan Paternotte <stephan@paternottes.net>, 2025\n"
 "Language-Team: Dutch (https://app.transifex.com/opencloud-eu/teams/204053/nl/)\n"

services/activitylog/pkg/service/l10n/locale/pt/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Mário Machado, 2025\n"
 "Language-Team: Portuguese (https://app.transifex.com/opencloud-eu/teams/204053/pt/)\n"

services/activitylog/pkg/service/l10n/locale/ru/LC_MESSAGES/activitylog.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-23 00:05+0000\n"
+"POT-Creation-Date: 2025-12-03 00:01+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Lulufox, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/opencloud-eu/teams/204053/ru/)\n"

services/activitylog/pkg/service/l10n/locale/sv/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-19 00:05+0000\n"
+"POT-Creation-Date: 2025-11-29 00:01+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Daniel Nylander <po@danielnylander.se>, 2025\n"
 "Language-Team: Swedish (https://app.transifex.com/opencloud-eu/teams/204053/sv/)\n"

services/activitylog/pkg/service/l10n/locale/zh/LC_MESSAGES/activitylog.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: YQS Yang, 2025\n"
 "Language-Team: Chinese (https://app.transifex.com/opencloud-eu/teams/204053/zh/)\n"

services/activitylog/pkg/service/options.go

@@ -11,7 +11,6 @@ import (
 	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config"
 	"github.com/opencloud-eu/reva/v2/pkg/events"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	microstore "go-micro.dev/v4/store"
 	"go.opentelemetry.io/otel/trace"
 )
 
@@ -25,7 +24,6 @@ type Options struct {
 	TraceProvider       trace.TracerProvider
 	Stream              events.Stream
 	RegisteredEvents    []events.Unmarshaller
-	Store               microstore.Store
 	GatewaySelector     pool.Selectable[gateway.GatewayAPIClient]
 	Mux                 *chi.Mux
 	HistoryClient       ehsvc.EventHistoryService
@@ -69,13 +67,6 @@ func RegisteredEvents(e []events.Unmarshaller) Option {
 	}
 }
 
-// Store configures the store to use
-func Store(store microstore.Store) Option {
-	return func(o *Options) {
-		o.Store = store
-	}
-}
-
 // GatewaySelector adds a grpc client selector for the gateway service
 func GatewaySelector(gatewaySelector pool.Selectable[gateway.GatewayAPIClient]) Option {
 	return func(o *Options) {

services/activitylog/pkg/service/service.go

@@ -2,6 +2,7 @@ package service
 
 import (
 	"context"
+	"crypto/tls"
 	"encoding/base32"
 	"encoding/json"
 	"fmt"
@@ -166,6 +167,18 @@ func New(opts ...Option) (*ActivitylogService, error) {
 	natsOptions := nats.Options{
 		Servers: o.Config.Store.Nodes,
 	}
+	if o.Config.Store.EnableTLS {
+		if o.Config.Store.TLSRootCACertificate != "" {
+			// when root ca is configured use it. an insecure flag is ignored.
+			nats.RootCAs(o.Config.Store.TLSRootCACertificate)(&natsOptions)
+		} else {
+			// enable tls and use insecure flag
+			nats.Secure(&tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: o.Config.Store.TLSInsecure})(&natsOptions)
+		}
+	}
+	if o.Config.Store.AuthUsername != "" && o.Config.Store.AuthPassword != "" {
+		nats.UserInfo(o.Config.Store.AuthUsername, o.Config.Store.AuthPassword)(&natsOptions)
+	}
 	conn, err := natsOptions.Connect()
 	if err != nil {
 		return nil, err

services/antivirus/cmd/antivirus/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/antivirus/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/antivirus/pkg/server/debug/server.go

@@ -10,6 +10,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -18,9 +19,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)
 
+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)).
 		WithCheck("antivirus reachability", func(ctx context.Context) error {
 			cfg := options.Config
 			switch cfg.Scanner.Type {

services/app-provider/cmd/app-provider/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/app-provider/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/app-registry/cmd/app-registry/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/app-registry/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/audit/cmd/audit/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/audit/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/audit/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/audit/pkg/server/debug/server.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -13,9 +14,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)
 
+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))
 
 	return debug.NewService(
 		debug.Logger(options.Logger),

services/auth-app/cmd/auth-app/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/auth-app/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/auth-app/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/auth-basic/cmd/auth-basic/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/auth-basic/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/auth-basic/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/auth-bearer/cmd/auth-bearer/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/auth-bearer/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/auth-bearer/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/auth-machine/cmd/auth-machine/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/auth-machine/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/auth-machine/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/auth-service/cmd/auth-service/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/auth-service/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/auth-service/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/clientlog/cmd/clientlog/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/clientlog/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/clientlog/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/clientlog/pkg/server/debug/server.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -13,9 +14,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)
 
+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))
 
 	return debug.NewService(
 		debug.Logger(options.Logger),

services/collaboration/cmd/collaboration/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/collaboration/pkg/command/server.go

@@ -100,6 +100,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Database(cfg.Store.Database),
 				microstore.Table(cfg.Store.Table),
 				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
+				store.TLSEnabled(cfg.Store.EnableTLS),
+				store.TLSInsecure(cfg.Store.TLSInsecure),
+				store.TLSRootCA(cfg.Store.TLSRootCACertificate),
 			)
 
 			gr := runner.NewGroup()

services/collaboration/pkg/config/store.go

@@ -4,11 +4,14 @@ import "time"
 
 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;COLLABORATION_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;COLLABORATION_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

services/eventhistory/cmd/eventhistory/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/eventhistory/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/eventhistory/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/eventhistory/pkg/command/server.go

@@ -71,6 +71,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Database(cfg.Store.Database),
 				microstore.Table(cfg.Store.Table),
 				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
+				store.TLSEnabled(cfg.Store.EnableTLS),
+				store.TLSInsecure(cfg.Store.TLSInsecure),
+				store.TLSRootCA(cfg.Store.TLSRootCACertificate),
 			)
 
 			service := grpc.NewService(

services/eventhistory/pkg/config/config.go

@@ -36,13 +36,16 @@ type GRPCConfig struct {
 
 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;EVENTHISTORY_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;EVENTHISTORY_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
 
 // Events combines the configuration options for the event bus.

services/eventhistory/pkg/server/debug/server.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr))
 
+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))
 
 	return debug.NewService(
 		debug.Logger(options.Logger),

services/frontend/cmd/frontend/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/frontend/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/frontend/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/frontend/pkg/config/config.go

@@ -129,18 +129,21 @@ type DataGateway struct {
 }
 
 type OCS struct {
-	Prefix                      string        `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	SharePrefix                 string        `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	HomeNamespace               string        `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	AdditionalInfoAttribute     string        `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	StatCacheType               string        `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheNodes              []string      `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheDatabase           string        `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	StatCacheTable              string        `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	StatCacheTTL                time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheDisablePersistence bool          `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheAuthUsername       string        `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheAuthPassword       string        `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""`
+	Prefix                        string        `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	SharePrefix                   string        `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	HomeNamespace                 string        `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	AdditionalInfoAttribute       string        `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	StatCacheType                 string        `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheNodes                []string      `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheDatabase             string        `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	StatCacheTable                string        `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	StatCacheTTL                  time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheDisablePersistence   bool          `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheAuthUsername         string        `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheAuthPassword         string        `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheEnableTLS            bool          `yaml:"stat_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;FRONTEND_OCS_STAT_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	StatCacheTLSInsecure          bool          `yaml:"stat_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;FRONTEND_OCS_STAT_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	StatCacheTLSRootCACertificate string        `yaml:"stat_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 
 	CacheWarmupDriver                    string             `yaml:"cache_warmup_driver,omitempty"`  // not supported by the OpenCloud product, therefore not part of docs
 	CacheWarmupDrivers                   CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the OpenCloud product, therefore not part of docs

services/frontend/pkg/revaconfig/config.go

@@ -164,14 +164,17 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 					"share_prefix":         cfg.OCS.SharePrefix,
 					"home_namespace":       cfg.OCS.HomeNamespace,
 					"stat_cache_config": map[string]interface{}{
-						"cache_store":               cfg.OCS.StatCacheType,
-						"cache_nodes":               cfg.OCS.StatCacheNodes,
-						"cache_database":            cfg.OCS.StatCacheDatabase,
-						"cache_table":               cfg.OCS.StatCacheTable,
-						"cache_ttl":                 cfg.OCS.StatCacheTTL,
-						"cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence,
-						"cache_auth_username":       cfg.OCS.StatCacheAuthUsername,
-						"cache_auth_password":       cfg.OCS.StatCacheAuthPassword,
+						"cache_store":                   cfg.OCS.StatCacheType,
+						"cache_nodes":                   cfg.OCS.StatCacheNodes,
+						"cache_database":                cfg.OCS.StatCacheDatabase,
+						"cache_table":                   cfg.OCS.StatCacheTable,
+						"cache_ttl":                     cfg.OCS.StatCacheTTL,
+						"cache_disable_persistence":     cfg.OCS.StatCacheDisablePersistence,
+						"cache_auth_username":           cfg.OCS.StatCacheAuthUsername,
+						"cache_auth_password":           cfg.OCS.StatCacheAuthPassword,
+						"cache_tls_enabled":             cfg.OCS.StatCacheEnableTLS,
+						"cache_tls_insecure":            cfg.OCS.StatCacheTLSInsecure,
+						"cache_tls_root_ca_certificate": cfg.OCS.StatCacheTLSRootCACertificate,
 					},
 					"prefix":                    cfg.OCS.Prefix,
 					"additional_info_attribute": cfg.OCS.AdditionalInfoAttribute,

services/frontend/pkg/server/debug/server.go

@@ -5,6 +5,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))
 
+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))
 
 	return debug.NewService(
 		debug.Logger(options.Logger),

services/gateway/cmd/gateway/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/gateway/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/gateway/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/gateway/pkg/config/config.go

@@ -91,11 +91,18 @@ type Cache struct {
 	ProviderCacheDisablePersistence   bool          `yaml:"provider_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
 	ProviderCacheAuthUsername         string        `yaml:"provider_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
 	ProviderCacheAuthPassword         string        `yaml:"provider_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	CreateHomeCacheStore              string        `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	CreateHomeCacheNodes              []string      `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	CreateHomeCacheDatabase           string        `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	CreateHomeCacheTTL                time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	CreateHomeCacheDisablePersistence bool          `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	CreateHomeCacheAuthUsername       string        `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	CreateHomeCacheAuthPassword       string        `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	ProviderCacheEnableTLS            bool          `yaml:"provider_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_PROVIDER_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	ProviderCacheTLSInsecure          bool          `yaml:"provider_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_PROVIDER_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	ProviderCacheTLSRootCACertificate string        `yaml:"provider_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
+
+	CreateHomeCacheStore                string        `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	CreateHomeCacheNodes                []string      `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	CreateHomeCacheDatabase             string        `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	CreateHomeCacheTTL                  time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	CreateHomeCacheDisablePersistence   bool          `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	CreateHomeCacheAuthUsername         string        `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	CreateHomeCacheAuthPassword         string        `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	CreateHomeCacheEnableTLS            bool          `yaml:"create_home_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	CreateHomeCacheTLSInsecure          bool          `yaml:"create_home_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	CreateHomeCacheTLSRootCACertificate string        `yaml:"create_home_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

services/gateway/pkg/revaconfig/config.go

@@ -70,14 +70,17 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]i
 						"cache_auth_password": cfg.Cache.ProviderCacheAuthPassword,
 					},
 					"create_personal_space_cache_config": map[string]interface{}{
-						"cache_store":               cfg.Cache.CreateHomeCacheStore,
-						"cache_nodes":               cfg.Cache.CreateHomeCacheNodes,
-						"cache_database":            cfg.Cache.CreateHomeCacheDatabase,
-						"cache_table":               "create_personal_space",
-						"cache_ttl":                 cfg.Cache.CreateHomeCacheTTL,
-						"cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence,
-						"cache_auth_username":       cfg.Cache.CreateHomeCacheAuthUsername,
-						"cache_auth_password":       cfg.Cache.CreateHomeCacheAuthPassword,
+						"cache_store":                   cfg.Cache.CreateHomeCacheStore,
+						"cache_nodes":                   cfg.Cache.CreateHomeCacheNodes,
+						"cache_database":                cfg.Cache.CreateHomeCacheDatabase,
+						"cache_table":                   "create_personal_space",
+						"cache_ttl":                     cfg.Cache.CreateHomeCacheTTL,
+						"cache_disable_persistence":     cfg.Cache.CreateHomeCacheDisablePersistence,
+						"cache_auth_username":           cfg.Cache.CreateHomeCacheAuthUsername,
+						"cache_auth_password":           cfg.Cache.CreateHomeCacheAuthPassword,
+						"cache_tls_enabled":             cfg.IDCache.EnableTLS,
+						"cache_tls_insecure":            cfg.IDCache.TLSInsecure,
+						"cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate,
 					},
 				},
 				"authregistry": map[string]interface{}{

services/gateway/pkg/server/debug/server.go

@@ -18,6 +18,7 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("nats reachability", func(ctx context.Context) error {
 			if options.Config.Cache.ProviderCacheStore == "nats-js-kv" && len(options.Config.Cache.ProviderCacheNodes) > 0 {
+				// no secureOption because we cannot yet configure tls for the cache store
 				return checks.NewNatsCheck(options.Config.Cache.ProviderCacheNodes[0])(ctx)
 			}
 			return nil

services/graph/cmd/graph/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/graph/pkg/command/server.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"fmt"
 	"os/signal"
+	"strings"
 
 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
+	natspkg "github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/runner"
 	"github.com/opencloud-eu/opencloud/pkg/tracing"
 	"github.com/opencloud-eu/opencloud/pkg/version"
@@ -50,13 +52,9 @@ func Server(cfg *config.Config) *cobra.Command {
 			var kv jetstream.KeyValue
 			// Allow to run without a NATS store (e.g. for the standalone Education provisioning service)
 			if len(cfg.Store.Nodes) > 0 {
-				//Connect to NATS servers
-				natsOptions := nats.Options{
-					Servers:  cfg.Store.Nodes,
-					User:     cfg.Store.AuthUsername,
-					Password: cfg.Store.AuthPassword,
-				}
-				conn, err := natsOptions.Connect()
+				// Connect to NATS servers
+				secureOption := natspkg.Secure(cfg.Store.EnableTLS, cfg.Store.TLSInsecure, cfg.Store.TLSRootCACertificate)
+				conn, err := nats.Connect(strings.Join(cfg.Store.Nodes, ","), secureOption, nats.UserInfo(cfg.Store.AuthUsername, cfg.Store.AuthPassword))
 				if err != nil {
 					return err
 				}

services/graph/pkg/config/cache.go

@@ -4,12 +4,15 @@ import "time"
 
 // Cache defines the available configuration for a cache store
 type Cache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table              string        `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;GRAPH_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GRAPH_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

services/graph/pkg/config/config.go

@@ -172,8 +172,11 @@ type Metadata struct {
 
 // Store configures the store to use
 type Store struct {
-	Nodes        []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string   `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	AuthUsername string   `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string   `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Nodes                []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string   `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	AuthUsername         string   `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string   `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool     `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;GRAPH_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool     `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;GRAPH_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string   `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

services/graph/pkg/l10n/locale/ca/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Ivan Fustero, 2025\n"
 "Language-Team: Catalan (https://app.transifex.com/opencloud-eu/teams/204053/ca/)\n"

services/graph/pkg/l10n/locale/de/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jörn Friedrich Dreyer <jfd@butonic.de>, 2025\n"
 "Language-Team: German (https://app.transifex.com/opencloud-eu/teams/204053/de/)\n"

services/graph/pkg/l10n/locale/es/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Elías Martín, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/opencloud-eu/teams/204053/es/)\n"

services/graph/pkg/l10n/locale/fr/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: eric_G <junk.eg@free.fr>, 2025\n"
 "Language-Team: French (https://app.transifex.com/opencloud-eu/teams/204053/fr/)\n"

services/graph/pkg/l10n/locale/it/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Simone Broglia, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/opencloud-eu/teams/204053/it/)\n"

services/graph/pkg/l10n/locale/ko/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: gapho shin, 2025\n"
 "Language-Team: Korean (https://app.transifex.com/opencloud-eu/teams/204053/ko/)\n"

services/graph/pkg/l10n/locale/nl/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Stephan Paternotte <stephan@paternottes.net>, 2025\n"
 "Language-Team: Dutch (https://app.transifex.com/opencloud-eu/teams/204053/nl/)\n"

services/graph/pkg/l10n/locale/pl/LC_MESSAGES/graph.po

@@ -14,7 +14,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Radoslaw Posim, 2025\n"
 "Language-Team: Polish (https://app.transifex.com/opencloud-eu/teams/204053/pl/)\n"

services/graph/pkg/l10n/locale/pt/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Mário Machado, 2025\n"
 "Language-Team: Portuguese (https://app.transifex.com/opencloud-eu/teams/204053/pt/)\n"

services/graph/pkg/l10n/locale/ru/LC_MESSAGES/graph.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Lulufox, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/opencloud-eu/teams/204053/ru/)\n"

services/graph/pkg/l10n/locale/sv/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-19 00:05+0000\n"
+"POT-Creation-Date: 2025-11-29 00:01+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Daniel Nylander <po@danielnylander.se>, 2025\n"
 "Language-Team: Swedish (https://app.transifex.com/opencloud-eu/teams/204053/sv/)\n"

services/graph/pkg/l10n/locale/zh/LC_MESSAGES/graph.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: YQS Yang, 2025\n"
 "Language-Team: Chinese (https://app.transifex.com/opencloud-eu/teams/204053/zh/)\n"

services/graph/pkg/server/debug/server.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -32,8 +33,13 @@ func Server(opts ...Option) (*http.Server, error) {
 
 	// only check nats if really needed
 	if options.Config.Events.Endpoint != "" {
+		secureOption := nats.Secure(
+			options.Config.Events.EnableTLS,
+			options.Config.Events.TLSInsecure,
+			options.Config.Events.TLSRootCACertificate,
+		)
 		readyHandlerConfiguration = readyHandlerConfiguration.
-			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))
 	}
 
 	return debug.NewService(

services/groups/cmd/groups/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/groups/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/groups/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/idm/cmd/idm/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/idm/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/idm/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/idp/cmd/idp/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/idp/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/idp/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/invitations/cmd/invitations/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/invitations/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/invitations/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/nats/cmd/nats/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/nats/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/nats/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/nats/pkg/server/debug/server.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -14,12 +15,17 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)
 
+	secureOption := nats.Secure(
+		options.Config.Nats.EnableTLS,
+		options.Config.Nats.TLSSkipVerifyClientCert,
+		options.Config.Nats.TLSCert,
+	)
 	// For nats readiness and liveness checks are identical
 	// the nats server will neither be healthy nor ready when it can not reach the nats server/cluster
 	checkHandler := handlers.NewCheckHandler(
 		handlers.NewCheckHandlerConfiguration().
 			WithLogger(options.Logger).
-			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port))),
+			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port), secureOption)),
 	)
 
 	return debug.NewService(

services/notifications/cmd/notifications/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/notifications/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/notifications/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}

services/notifications/pkg/command/server.go

@@ -130,6 +130,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Database(cfg.Store.Database),
 				microstore.Table(cfg.Store.Table),
 				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
+				store.TLSEnabled(cfg.Store.EnableTLS),
+				store.TLSInsecure(cfg.Store.TLSInsecure),
+				store.TLSRootCA(cfg.Store.TLSRootCACertificate),
 			)
 
 			svc := service.NewEventsNotifier(evts, channel, logger, gatewaySelector, valueService,

services/notifications/pkg/config/config.go

@@ -70,11 +70,14 @@ type ServiceAccount struct {
 
 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;NOTIFICATIONS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;NOTIFICATIONS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

services/notifications/pkg/email/l10n/locale/ca/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Ivan Fustero, 2025\n"
 "Language-Team: Catalan (https://app.transifex.com/opencloud-eu/teams/204053/ca/)\n"

services/notifications/pkg/email/l10n/locale/de/LC_MESSAGES/notifications.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jonas, 2025\n"
 "Language-Team: German (https://app.transifex.com/opencloud-eu/teams/204053/de/)\n"

services/notifications/pkg/email/l10n/locale/es/LC_MESSAGES/notifications.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: miguel tapias, 2025\n"
 "Language-Team: Spanish (https://app.transifex.com/opencloud-eu/teams/204053/es/)\n"

services/notifications/pkg/email/l10n/locale/fi/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-03 00:06+0000\n"
+"POT-Creation-Date: 2025-12-14 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>, 2025\n"
 "Language-Team: Finnish (https://app.transifex.com/opencloud-eu/teams/204053/fi/)\n"

services/notifications/pkg/email/l10n/locale/fr/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: eric_G <junk.eg@free.fr>, 2025\n"
 "Language-Team: French (https://app.transifex.com/opencloud-eu/teams/204053/fr/)\n"

services/notifications/pkg/email/l10n/locale/it/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Simone Broglia, 2025\n"
 "Language-Team: Italian (https://app.transifex.com/opencloud-eu/teams/204053/it/)\n"

services/notifications/pkg/email/l10n/locale/ko/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: gapho shin, 2025\n"
 "Language-Team: Korean (https://app.transifex.com/opencloud-eu/teams/204053/ko/)\n"

services/notifications/pkg/email/l10n/locale/nl/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Stephan Paternotte <stephan@paternottes.net>, 2025\n"
 "Language-Team: Dutch (https://app.transifex.com/opencloud-eu/teams/204053/nl/)\n"

services/notifications/pkg/email/l10n/locale/pt/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Mário Machado, 2025\n"
 "Language-Team: Portuguese (https://app.transifex.com/opencloud-eu/teams/204053/pt/)\n"

services/notifications/pkg/email/l10n/locale/ru/LC_MESSAGES/notifications.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2026-01-02 00:06+0000\n"
+"POT-Creation-Date: 2025-12-13 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Lulufox, 2025\n"
 "Language-Team: Russian (https://app.transifex.com/opencloud-eu/teams/204053/ru/)\n"

services/notifications/pkg/email/l10n/locale/sv/LC_MESSAGES/notifications.po

@@ -12,7 +12,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-19 00:05+0000\n"
+"POT-Creation-Date: 2025-11-29 00:01+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: Daniel Nylander <po@danielnylander.se>, 2025\n"
 "Language-Team: Swedish (https://app.transifex.com/opencloud-eu/teams/204053/sv/)\n"

services/notifications/pkg/email/l10n/locale/zh/LC_MESSAGES/notifications.po

@@ -11,7 +11,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: EMAIL\n"
-"POT-Creation-Date: 2025-12-20 00:05+0000\n"
+"POT-Creation-Date: 2025-11-30 00:02+0000\n"
 "PO-Revision-Date: 2025-01-27 10:17+0000\n"
 "Last-Translator: YQS Yang, 2025\n"
 "Language-Team: Chinese (https://app.transifex.com/opencloud-eu/teams/204053/zh/)\n"

services/notifications/pkg/server/debug/server.go

@@ -6,6 +6,7 @@ import (
 
 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -14,9 +15,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)
 
+	secureOption := nats.Secure(
+		options.Config.Notifications.Events.EnableTLS,
+		options.Config.Notifications.Events.TLSInsecure,
+		options.Config.Notifications.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint, secureOption)).
 		WithCheck("smtp-check", checks.NewTCPCheck(options.Config.Notifications.SMTP.Host+":"+strconv.Itoa(options.Config.Notifications.SMTP.Port)))
 
 	return debug.NewService(

services/ocdav/cmd/ocdav/main.go

@@ -0,0 +1,19 @@
+package main
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/opencloud-eu/opencloud/services/ocdav/pkg/command"
+	"github.com/opencloud-eu/opencloud/services/ocdav/pkg/config/defaults"
+)
+
+func main() {
+	cfg := defaults.DefaultConfig()
+	cfg.Context, _ = signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM, syscall.SIGQUIT, syscall.SIGHUP)
+	if err := command.Execute(cfg); err != nil {
+		os.Exit(1)
+	}
+}