config.ini.tmpl (8157B)
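# https://git.sr.ht/~sircmpwn/meta.sr.ht/tree/master/item/config.example.ini
#
# Template for the sr.ht config.ini. The {{ ... }} expressions are filled in at
# render time: `secret "kv/meta"` reads fields from the secret store, and
# `env "NOMAD_..."` reads values from the task environment.
#
# The rendered file holds plaintext secrets (service-key, network-key, the SMTP
# password, the webhook private key and the PostgreSQL password).
# NOTE(review): the render destination and its file mode are set outside this
# file; confirm the output is readable only by the service user.
#
# Comments are full-line `#` comments only; keep notes off the value lines.

[sr.ht]
#
# The name of your network of sr.ht-based sites
site-name=p0c
#
# The top-level info page for your site
site-info=https://p0c.ch
#
# site-name, site-blurb
site-blurb=proof of concepts for fun and profit
#
# If this != production, we add a banner to each page
environment=production
#
# Contact information for the site owners
owner-name=Andreas Gruhler
owner-email=contact@p0c.ch
#
# The source code for your fork of sr.ht
source-url=https://git.sr.ht/~sircmpwn/srht
#
# Link to your instance's privacy policy. Uses the sr.ht privacy policy as the
# default, which describes the information collected by the upstream SourceHut
# code.
privacy-policy=
#
# A key used for encrypting session cookies. Use `srht-keygen service` to
# generate the service key. This must be shared between each node of the same
# service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
# different keys. If you configure all of your services with the same
# config.ini, you may use the same service-key for all of them.
service-key={{with secret "kv/meta"}}{{index .Data.data.service_key}}{{end}}
#
# A secret key to encrypt internal messages with. Use `srht-keygen network` to
# generate this key. It must be consistent between all services and nodes.
network-key={{with secret "kv/meta"}}{{index .Data.data.network_key}}{{end}}
#
# The redis host URL. This is used for caching and temporary storage, and must
# be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
# shared between services. It may be shared between services, however, with no
# ill effect, if this better suits your infrastructure.
#
# NOTE(review): the URL carries no credentials and uses plain redis://, so
# access control rests on the network. Confirm the Redis address is reachable
# only from the service hosts.
redis-host=redis://{{ env "NOMAD_ADDR_redis" }}
#
# Optional email address for reporting security-related issues.
security-address=contact@p0c.ch
#
# The global domain of the site. If unset, the global domain will be determined
# from the service URL: each service is assumed to be a sub-domain of the global
# domain, i.e. of the form `meta.globaldomain.com`.
global-domain=p0c.ch
#
# Path to static assets (default PREFIX from make installation)
# https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/Makefile
assets=/usr/local/share/sourcehut

[abused]
#
# Optional abused configuration for mitigating abusive traffic & usage
#
# See https://sr.ht/~sircmpwn/abused/
#
# If this is enabled, source the token from the secret store like the other
# secrets in this file instead of writing it into the template.
endpoint=
token=

[objects]
#
# Configure S3-compatible object storage for services. Optional.
#
# Minio is recommended as a FOSS solution over AWS: https://min.io
#
# If this is enabled, source s3-secret-key from the secret store instead of
# writing it into the template.
s3-upstream=
s3-access-key=
s3-secret-key=

[mail]
#
# Outgoing SMTP settings
smtp-host={{with secret "kv/meta"}}{{index .Data.data.smtp_host}}{{end}}
smtp-port={{with secret "kv/meta"}}{{index .Data.data.smtp_port}}{{end}}
smtp-from={{with secret "kv/meta"}}{{index .Data.data.smtp_from}}{{end}}
#
# Default: starttls
# Options: starttls, tls, insecure
#
# Keep starttls or tls here: with smtp-auth=plain the user and password below
# are sent to the SMTP server, and `insecure` presumably sends them without
# transport encryption.
smtp-encryption=starttls
#
# Default: plain
# Options: plain, none
smtp-auth=plain
# user / password are required if smtp-auth is plain
smtp-user={{with secret "kv/meta"}}{{index .Data.data.smtp_user}}{{end}}
smtp-password={{with secret "kv/meta"}}{{index .Data.data.smtp_password}}{{end}}
#
# Application exceptions are emailed to this address
error-to=contact@p0c.ch
error-from=contact@p0c.ch
#
# You should generate a PGP key to allow users to authenticate emails received
# from your services. Use `gpg --edit-key [key id]` to remove the password from
# your private key, then export it to a file and set pgp-privkey to the path to
# that file. pgp-pubkey should be set to the path to your public key, and
# pgp-key-id should be set to the key ID string. Outgoing emails are signed with
# this PGP key.
#
# The private key file has no passphrase (see above), so the permissions on the
# secrets directory are its only protection.
# NOTE(review): how the two key files get into NOMAD_SECRETS_DIR is not shown
# in this file.
pgp-privkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_privkey.pem
pgp-pubkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_pubkey.pem
pgp-key-id={{with secret "kv/meta"}}{{index .Data.data.pgp_key_id}}{{end}}

[webhooks]
#
# base64-encoded Ed25519 key for signing webhook payloads. This should be
# consistent between all services.
#
# Use the `srht-keygen webhook` command to generate this key. Put the private
# key here and distribute the public key to anyone who would want to verify
# webhook payloads from your service.
private-key={{with secret "kv/meta"}}{{index .Data.data.webhook_private_key}}{{end}}

[meta.sr.ht]
#
# URL meta.sr.ht is being served at (protocol://domain)
origin=https://meta.p0c.ch
#
# Address and port to bind the debug server to
#
# Left disabled. If re-enabled, note that 0.0.0.0 binds every interface.
#debug-host=0.0.0.0
#debug-port={{ env "NOMAD_PORT_web" }}
#
# Configures the SQLAlchemy connection string for the database.
#
# The password is substituted into the URL as-is. A password containing
# characters such as @, / or : must be stored percent-encoded, otherwise the
# URL is split in the wrong place.
# NOTE(review): no TLS option is given for the connection to postgres.lan;
# confirm that network path is trusted, or add an sslmode query parameter.
connection-string=postgresql://meta:{{with secret "kv/meta"}}{{index .Data.data.postgresql_password}}{{end}}@postgres.lan/meta
#
# Set to "yes" to automatically run migrations on package upgrade.
migrate-on-upgrade=yes
#
# The redis connection used for the webhooks worker
webhooks=redis://{{ env "NOMAD_ADDR_redis" }}/1

#
# Origin URL for the API
# By default, the API port is 100 more than the web port
#api-origin=http://{{ env "NOMAD_ADDR_api" }}

[meta.sr.ht::api]
#
# Maximum complexity of GraphQL queries. The higher this number, the more work
# that API clients can burden the API backend with. Complexity is equal to the
# number of discrete fields which would be returned to the user. 200 is a good
# default.
max-complexity=200

#
# The maximum time the API backend will spend processing a single API request.
#
# See https://golang.org/pkg/time/#ParseDuration
max-duration=3s

#
# Set of IP subnets which are permitted to utilize internal API
# authentication. This should be limited to the subnets from which your
# *.sr.ht services are running.
#
# Comma-separated, CIDR notation.
#
# NOTE(review): 192.168.0.0/16 and 10.0.0.0/8 are whole private ranges, which
# is wider than "the subnets from which your *.sr.ht services are running".
# Every host in them is permitted to use internal API authentication. Narrow
# this list to the actual service subnets.
internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8

#
# Queue size for account deletion operations.
#
# Default: 512
#account-del-queue-size=512

[meta.sr.ht::settings]
#
# If "no", public registration will not be permitted.
registration=no
#
# Where to redirect new users upon registration
onboarding-redirect=https://meta.p0c.ch
#
# If "yes", the user will be sent the stock sourcehut welcome emails after
# signup (requires cron to be configured properly). These are specific to the
# sr.ht instance so you probably want to patch these before enabling this.
welcome-emails=no
#
# If "yes", the user will be sent an email reminder if their registered PGP key
# will expire soon (requires cron to be configured properly).
key-expiration-emails=no

[meta.sr.ht::aliases]
#
# You can add aliases for the client IDs of commonly used OAuth clients here.
#
# Example:
# git.sr.ht=12345

[meta.sr.ht::billing]
#
# "yes" to enable the billing system
enabled=no

#
# Get your keys at https://dashboard.stripe.com/account/apikeys
#
# If billing is enabled, source stripe-secret-key from the secret store instead
# of writing it into the template.
stripe-public-key=
stripe-secret-key=

# List of countries to refuse paid service to (for reasons of e.g. sanctions
# compliance). Space-separated list of ISO 3166 two-letter codes.
prohibited-countries=

[meta.sr.ht::auth]
#
# What authentication method to use.
# builtin: use sr.ht builtin authentication
# unix-pam: use Unix PAM authentication
#auth-method=builtin

[meta.sr.ht::auth::unix-pam]
#
# NOTE(review): auth-method is commented out above, so this section presumably
# has no effect unless unix-pam is selected; confirm the effective default.
# As written (user-group unset, create-users=yes, admin-group=wheel), enabling
# unix-pam would create a site account for any system user who passes PAM, and
# would make every member of wheel a site administrator.
#
# The default email domain to assign to newly created users when they first log
# in.
# User's email will be set to <username>@<email-default-domain>
email-default-domain=p0c.ch
#
# The PAM service to use for logging in.
#service=sshd
#
# Whether to automatically create new users when authentication succeeds but the
# user is not in the database.
create-users=yes
#
# The UNIX group users need to belong to to have access to sourcehut.
# If set, only users belonging to this group will be able to log into the site.
# If unset, any user on the system is able to log in if PAM authentication
# succeeds.
user-group=
#
# The UNIX group users need to belong to to have administrator permissions.
# If set, administrator status on the site will be synced with group
# association. Additionally, any user of this group will also be able to access
# sourcehut even if they are not in the group specified in user-group.
# If unset, administrator status can be manually assigned from the web
# interface.
admin-group=wheel

[todo.sr.ht]
origin=https://todo.p0c.ch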