1# generate the following six parameters with the following command (they are secrets: keep them private and regenerate them if they are ever exposed)
2# docker run --rm -ti psono/psono-server:latest python3 ./psono/manage.py generateserverkeys
3SECRET_KEY: 'OeNd_42X7\\/`i":c`,.Y#4Km]`QB{?@*"wQF/G#l0:!TCo7pmf'
4ACTIVATION_LINK_SECRET: 'xv*%n;F3f"5^f(aH-(;6<gd&&at2l.0SAp8Z,oAsf>ML_S,N@&'
5DB_SECRET: '<Sc%"}LO"t=Bzju2ag2Z("#dQ^}P1BCWDB,aKF|9zz`fDDh5"y'
6EMAIL_SECRET_SALT: '$2b$12$iNURlPdbMglVMdGOuVZEMu'
7PRIVATE_KEY: '92257488cbb780a3770ef7b6b31b2e5759ce9a2a8f899008f2d9ef25349b2f0c'
8PUBLIC_KEY: '518249c521a825d98126e89cfc6521b74cadfda64a60d608b3c6b9d20e60423b'
9
10# The URL of the web client (path to e.g. activate.html without the trailing slash)
11# WEB_CLIENT_URL: 'https://www.psono.pw'
12
13# Switch DEBUG to false if you go into production
14DEBUG: False
15
16# Adjust this according to the Django documentation https://docs.djangoproject.com/en/1.10/ref/settings/ ('*' accepts any Host header; list the real hostname(s) in production)
17ALLOWED_HOSTS: ['*']
18
19# Should be your domain without "www.". Will be the last part of the username
20ALLOWED_DOMAINS: ['psono.securedtech.co.za']
21
22# If you want to disable registration, you can comment in the following line
23# ALLOW_REGISTRATION: False
24
25# If you want to disable the lost password functionality, you can comment in the following line
26# ALLOW_LOST_PASSWORD: False
27
28# If you want to restrict registration to some email addresses you can specify here a list of domains to filter
29# REGISTRATION_EMAIL_FILTER: ['company1.com', 'company2.com']
30
31# Should be the URL under which the server is reachable
32# If you open the url and append /info/ to it you should have a text similar to {"info":"{\"version\": \"....}
33HOST_URL: 'https://www.psono.securedtech.co.za/server'
34
35# The email used to send emails, e.g. for activation
36# ATTENTION: If executed in a docker container, then "localhost" will resolve to the docker container, so
37# "localhost" will not work as host. Use the public IP or DNS record of the server, and enable EMAIL_USE_TLS or EMAIL_USE_SSL where the relay supports it so SMTP credentials are not sent in clear text.
38EMAIL_FROM: 'psono@securedtech.co.za'
39EMAIL_HOST: 'smtp-relay.gmail.com'
40EMAIL_HOST_USER: ''
41EMAIL_HOST_PASSWORD : ''
42EMAIL_PORT: 587
43EMAIL_SUBJECT_PREFIX: ''
44EMAIL_USE_TLS: False
45EMAIL_USE_SSL: False
46EMAIL_SSL_CERTFILE:
47EMAIL_SSL_KEYFILE:
48EMAIL_TIMEOUT:
49
50# In case one wants to use mailgun, comment in below lines and provide the mailgun access key and server name
51# EMAIL_BACKEND: 'anymail.backends.mailgun.EmailBackend'
52# MAILGUN_ACCESS_KEY: ''
53# MAILGUN_SERVER_NAME: ''
54
55# In case you want to offer Yubikey support, create a pair of credentials here https://upgrade.yubico.com/getapikey/
56# and update the following two lines before commenting them in
57# YUBIKEY_CLIENT_ID: '123456'
58# YUBIKEY_SECRET_KEY: '8I65IA6ASDFIUHGIH5021FKJA='
59
60# If you have own Yubico servers, you can specify here the urls as a list
61# YUBICO_API_URLS: ['https://api.yubico.com/wsapi/2.0/verify']
62
63# Enabling the cache without the Redis settings below may lead to unexpected behaviour
64
65# Cache with Redis
66# By default you should use something different than database 0 or 1, e.g. 13 (default max is 16, can be configured in
67# redis.conf) possible URLS are:
68# redis://[:password]@localhost:6379/0
69# rediss://[:password]@localhost:6379/0
70# unix://[:password]@/path/to/socket.sock?db=0
71# CACHE_ENABLE: False
72# CACHE_REDIS: False
73# CACHE_REDIS_LOCATION: 'redis://127.0.0.1:6379/13'
74
75# Disables Throttling (necessary for unittests to pass) by overriding the cache with a dummy cache
76# https://docs.djangoproject.com/en/1.11/topics/cache/#dummy-caching-for-development
77# THROTTLING: False
78
79# The server will automatically connect to the license server to get a license for 10 users.
80# For paying customers we offer the opportunity to get an offline license code.
81#
82# LICENSE_CODE: |
83# 0abcdefg...
84# 1abcdefg...
85# 2abcdefg...
86# 3abcdefg...
87# 4abcdefg...
88# 5abcdefg...
89# 6abcdefg...
90# 7abcdefg...
91# 8abcdefg...
92
93# Enables the management API, required for the psono-admin-client / admin portal
94# MANAGEMENT_ENABLED: False
95
96# Enables the fileserver API, required for the psono-fileserver
97# FILESERVER_HANDLER_ENABLED: False
98
99# Enables files for the client
100# FILES_ENABLED: False
101
102# Allows that users can search for partial usernames
103# ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL: True
104
105# Allows that users can search for email addresses too
106# ALLOW_USER_SEARCH_BY_EMAIL: True
107
108# Allows admins to limit the offered second factors in the client
109# ALLOWED_SECOND_FACTORS: ['yubikey_otp', 'google_authenticator', 'duo']
110
111# Enforce the user to setup a second factor
112# COMPLIANCE_ENFORCE_2FA: True
113
114# Disables recovery codes
115# COMPLIANCE_DISABLE_RECOVERY_CODES: True
116
117# Disables file repositories
118# COMPLIANCE_DISABLE_FILE_REPOSITORIES: True
119
120# Disables emergency codes
121# COMPLIANCE_DISABLE_EMERGENCY_CODES: True
122
123# Disables the export of passwords
124# COMPLIANCE_DISABLE_EXPORT: True
125
126# Disables API keys
127# COMPLIANCE_DISABLE_API_KEYS: True
128
129# Only necessary if the psono-client runs on a sub path (no trailing slash) e.g. "https://www.psono.pw"
130# WEB_CLIENT_URL: ''
131
132# Prevents the use of the last X passwords. 0 disables it.
133# DISABLE_LAST_PASSWORDS: 0
134
135# If you want to use LDAP, then you can configure it like this
136#
137# LDAP_URL: Any valid LDAP string, preferably with ldaps. Usual URLs are 'ldaps://example.com:636' or 'ldap://192.168.0.1:389'
138# LDAP_DOMAIN: Your LDAP domain, is added at the end of the username to form the full username
139# LDAP_BIND_DN: One User that can be used to search your LDAP
140# LDAP_BIND_PASS: The password of the user specified in LDAP_BIND_DN
141# LDAP_ATTR_GUID: The uuid attribute. e.g. on Windows 'objectGUID', but common are 'GUID' or 'entryUUID', default 'objectGUID'
142# LDAP_OBJECT_CLASS_USER: The objectClass value to filter user objects e.g. on Windows 'user', default 'user'
143# LDAP_OBJECT_CLASS_GROUP: The objectClass value to filter group objects e.g. on Windows 'group', default 'group'
144# LDAP_SEARCH_USER_DN: The "root" from which downwards we search for the users
145# LDAP_SEARCH_GROUP_DN: The "root" from which downwards we search for the groups
146# LDAP_ATTR_USERNAME: The username attribute to try to match against. e.g. on Windows 'sAMAccountName', default 'sAMAccountName'
147# LDAP_ATTR_EMAIL: The attribute of the user objects that holds the mail address e.g. on Windows 'mail', default 'mail'
148# LDAP_ATTR_GROUPS: The attribute of the user objects that holds the groups e.g. on Windows 'memberOf', default 'memberOf'
149# LDAP_CA_CERT_FILE: If you want to use ldaps and don't have a publicly trusted and signed certificate you can specify here the path to your ca certificate
150#
151# To help you set up LDAP, we have created a small "testldap" command that should make things a lot easier. You can execute it like:
152# python3 psono/manage.py testldap username@something.com thePassWord
153#
154# For Windows AD it could look like this:
155#
156# LDAP : [
157# {
158# 'LDAP_URL': 'ldaps://192.168.0.1:636',
159# 'LDAP_DOMAIN': 'example.com',
160# 'LDAP_BIND_DN': 'CN=LDAPPsono,OU=UsersTech,OU=example.com,DC=example,DC=com',
161# 'LDAP_BIND_PASS': 'hopefully_not_123456',
162# 'LDAP_SEARCH_USER_DN': 'OU=Users,OU=example.com,DC=example,DC=com',
163# 'LDAP_SEARCH_GROUP_DN': 'OU=Groups,OU=example.com,DC=example,DC=com',
164# },
165# ]
166#
167# For OpenLDAP it could look like this:
168#
169# LDAP : [
170# {
171# 'LDAP_URL': 'ldaps://192.168.0.1:636',
172# 'LDAP_DOMAIN': 'example.com',
173# 'LDAP_BIND_DN': 'CN=LDAPPsono,OU=UsersTech,OU=example.com,DC=example,DC=com',
174# 'LDAP_BIND_PASS': 'hopefully_not_123456',
175# 'LDAP_SEARCH_USER_DN': 'OU=Users,OU=example.com,DC=example,DC=com',
176# 'LDAP_SEARCH_GROUP_DN': 'OU=Groups,OU=example.com,DC=example,DC=com',
177# 'LDAP_OBJECT_CLASS_USER': 'simpleSecurityObject',
178# 'LDAP_ATTR_USERNAME': 'cn',
179# 'LDAP_ATTR_GUID': 'entryUUID',
180# },
181# ]
182#
183# ATTENTION: API keys currently bypass LDAP authentication, which means API keys can still access secrets even if the
184# user was disabled in LDAP. API keys can be disabled with COMPLIANCE_DISABLE_API_KEYS
185
186# You also have to comment in the line below if you want to use LDAP (default: ['AUTHKEY'])
187# AUTHENTICATION_METHODS: ['AUTHKEY', 'LDAP']
188
189# Enable Audit logging
190# LOGGING_AUDIT: True
191
192# To log to another destination you can specify this here, default '/var/log/psono'
193# Never really necessary, as we will run the psono server in a docker container and can mount /var/log/psono to any
194# location on the underlying docker host.
195# LOGGING_AUDIT_FOLDER: '/var/log/psono'
196
197# If you prefer server time over utc, you can do that like below (default 'time_utc')
198# LOGGING_AUDIT_TIME: 'time_server'
199
200# If the server logs too much for you, you can either whitelist or blacklist events by their event code. (default: [])
201# LOGGING_AUDIT_WHITELIST: []
202# LOGGING_AUDIT_BLACKLIST: []
203
204# Your Postgres Database credentials (use a strong, unique password here)
205# ATTENTION: If executed in a docker container, then "localhost" will resolve to the docker container, so
206# "localhost" will not work as host. Use the public IP or DNS record of the server.
207DATABASES:
208 default:
209 'ENGINE': 'django.db.backends.postgresql_psycopg2'
210 'NAME': 'psono'
211 'USER': 'psono'
212 'PASSWORD': 'password'
213 'HOST': '192.168.88.205'
214 'PORT': '5432'
215# for master / slave replication setup comment in the following (all reads will be redirected to the slave)
216# slave:
217# 'ENGINE': 'django.db.backends.postgresql_psycopg2'
218# 'NAME': 'YourPostgresDatabase'
219# 'USER': 'YourPostgresUser'
220# 'PASSWORD': 'YourPostgresPassword'
221# 'HOST': 'YourPostgresHost'
222# 'PORT': 'YourPostgresPort'
223
224# The path to the template folder can be "shadowed" if required later
225TEMPLATES: [
226 {
227 'BACKEND': 'django.template.backends.django.DjangoTemplates',
228 'DIRS': ['/root/psono/templates'],
229 'APP_DIRS': True,
230 'OPTIONS': {
231 'context_processors': [
232 'django.template.context_processors.debug',
233 'django.template.context_processors.request',
234 'django.contrib.auth.context_processors.auth',
235 'django.contrib.messages.context_processors.messages',
236 ],
237 },
238 },
239]