~fnux/meta.sr.ht

ref: 3bad716474023aa367775f87683c3c2debc38e39 meta.sr.ht/config.example.ini -rw-r--r-- 6.2 KiB
3bad7164Timothée Floure auth: handle LDAP connection failures 6 months ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
[sr.ht]
#
# The name of your network of sr.ht-based sites
site-name=sourcehut
#
# The top-level info page for your site
site-info=https://sourcehut.org
#
# {{ site-name }}, {{ site-blurb }}
site-blurb=the hacker's forge
#
# If this != production, we add a banner to each page
environment=development
#
# Contact information for the site owners
owner-name=Drew DeVault
owner-email=sir@cmpwn.com
#
# The source code for your fork of sr.ht
source-url=https://git.sr.ht/~sircmpwn/srht
#
# Link to your instance's privacy policy. Uses the sr.ht privacy policy as the
# default, which describes the information collected by the upstream SourceHut
# code.
privacy-policy=
#
# A key used for encrypting session cookies. Use `srht-keygen service` to
# generate the service key. This must be shared between each node of the same
# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
# different keys. If you configure all of your services with the same
# config.ini, you may use the same service-key for all of them.
service-key=
#
# A secret key to encrypt internal messages with. Use `srht-keygen network` to
# generate this key. It must be consistent between all services and nodes.
network-key=
#
# The redis host URL. This is used for caching and temporary storage, and must
# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
# shared between services. It may be shared between services, however, with no
# ill effect, if this better suits your infrastructure.
redis-host=

[mail]
#
# Outgoing SMTP settings
smtp-host=
smtp-port=
smtp-user=
smtp-password=
smtp-from=
#
# Application exceptions are emailed to this address
error-to=
error-from=
#
# You should generate a PGP key to allow users to authenticate emails received
# from your services. Use `gpg --edit-key [key id]` to remove the password from
# your private key, then export it to a file and set pgp-privkey to the path to
# that file. pgp-pubkey should be set to the path to your public key, and
# pgp-key-id should be set to the key ID string. Outgoing emails are signed with
# this PGP key.
pgp-privkey=
pgp-pubkey=
pgp-key-id=

[webhooks]
#
# base64-encoded Ed25519 key for signing webhook payloads. This should be
# consistent between all services.
#
# Use the `srht-keygen webhook` command to generate this key. Put the private
# key here and distribute the public key to anyone who would want to verify
# webhook payloads from your service.
private-key=

[meta.sr.ht]
# 
# URL meta.sr.ht is being served at (protocol://domain)
origin=http://meta.sr.ht.local
#
# Address and port to bind the debug server to
debug-host=0.0.0.0
debug-port=5000
#
# Configures the SQLAlchemy connection string for the database.
connection-string=postgresql://postgres@localhost/meta.sr.ht
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# The redis connection used for the webhooks worker
webhooks=redis://localhost:6379/1
#
# If "yes", the user will be sent the stock sourcehut welcome emails after
# signup (requires cron to be configured properly). These are specific to the
# sr.ht instance so you probably want to patch these before enabling this.
welcome-emails=no

[meta.sr.ht::api]
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=3s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

[meta.sr.ht::settings]
# 
# If "no", public registration will not be permitted.
registration=no
#
# Where to redirect new users upon registration
onboarding-redirect=http://example.org
#
# How many invites each user is issued upon registration (only applicable if
# open registration is disabled)
user-invites=5

[meta.sr.ht::aliases]
#
# You can add aliases for the client IDs of commonly used OAuth clients here.
#
# Example:
# git.sr.ht=12345

[meta.sr.ht::billing]
#
# "yes" to enable the billing system
enabled=no
#
# Get your keys at https://dashboard.stripe.com/account/apikeys
stripe-public-key=
stripe-secret-key=

[meta.sr.ht::auth]
#
# What authentication method to use.
#   builtin:  use sr.ht builtin authentication
#   unix-pam: use Unix PAM authentication
#   ldap:     use LDAP authentication
#auth-method=builtin

[meta.sr.ht::auth::unix-pam]
#
# The default email domain to assign to newly created users when they first log
# in.
# User's email will be set to <username>@<email-default-domain>
email-default-domain=example.com
#
# The PAM service to use for logging in.
#service=sshd
#
# Whether to automatically create new users when authentication succeeds but the
# user is not in the database.
create-users=yes
#
# The UNIX group users need to belong to to have access to sourcehut.
# If set,
# only users belonging to this group will be able to log into the site.
# If unset, any user on the system is able to log in if PAM authentication
# succeeds.
user-group=
#
# The UNIX group users need to belong to to have administrator permissions.
# If set, administrator status on the site will be synced with group
# association. Additionally, any user of this group will also be able to access
# sourcehut even if they are not in the group specified in user-group.
# If unset, administrator status can be manually assigned from the web
# interface.
admin-group=wheel

[meta.sr.ht::auth::ldap]
#
# Address of LDAP server.
server=ldaps://ldap.domain.tld

# Whether to automatically create new users when authentication succeeds but the
# user is not in the database.
create-users=yes

# Service account DN used by meta to authenticate against the LDAP server.
bind-dn=uid=srht,ou=services,dc=domain,dc=tls

# Password of the server account.
bind-password=secretsecretsecret

# Base DN used to search for users.
# NOTE: we assume user DN formatted as follow: uid=$username,$user_base
user-base=ou=users,dc=domain,dc=tld