360 lines
13 KiB
YAML
360 lines
13 KiB
YAML
# SPDX-FileCopyrightText: 2022-2024 Sarah Vaupel <sarah.vaupel@uniworx.de>, David Mosbach <david.mosbach@uniworx.de>, Gregor Kleen <gregor.kleen@ifi.lmu.de>, Sarah Vaupel <sarah.vaupel@ifi.lmu.de>, Steffen Jost <jost@tcs.ifi.lmu.de>, Wolfgang Witt <Wolfgang.Witt@campus.lmu.de>
|
|
#
|
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
|
|
|
# Values formatted like "_env:ENV_VAR_NAME:default_value" can be overridden by the specified environment variable.
|
|
# See https://github.com/yesodweb/yesod/wiki/Configuration#overriding-configuration-values-with-environment-variables
|
|
# NB: If you need a numeric value (e.g. 123) to parse as a String, wrap it in single quotes (e.g. "_env:PGPASS:'123'")
|
|
# See https://github.com/yesodweb/yesod/wiki/Configuration#parsing-numeric-values-as-strings
|
|
|
|
static-dir: "_env:STATIC_DIR:static"
|
|
well-known-dir: "_env:WELL_KNOWN_DIR:well-known"
|
|
well-known-link-file: html_code.html
|
|
|
|
webpack-manifest: "_env:WEBPACK_MANIFEST:config/webpack.yml"
|
|
host: "_env:HOST:*4" # any IPv4 host
|
|
port: "_env:PORT:3000"
|
|
ip-from-header: "_env:IP_FROM_HEADER:false"
|
|
approot: "_env:APPROOT:http://localhost:3000"
|
|
# approot:
|
|
# default: "http://localhost:3000"
|
|
# user-generated: "http://127.0.0.1:3000"
|
|
mail-from:
|
|
name: "_env:MAILFROM_NAME:Uni2work"
|
|
email: "_env:MAILFROM_EMAIL:uniworx@localhost"
|
|
mail-object-domain: "_env:MAILOBJECT_DOMAIN:localhost"
|
|
mail-use-replyto-instead-sender: "_env:MAIL_USES_REPLYTO:true"
|
|
mail-reroute-to:
|
|
name: "_env:MAIL_REROUTE_TO_NAME:"
|
|
email: "_env:MAIL_REROUTE_TO_EMAIL:"
|
|
#mail-verp:
|
|
# separator: "_env:VERP_SEPARATOR:+"
|
|
# prefix: "_env:VERP_PREFIX:bounce"
|
|
mail-support:
|
|
name: "_env:MAILSUPPORT_NAME:"
|
|
email: "_env:MAILSUPPORT:uni2work@ifi.lmu.de"
|
|
mail-retain-sent: 31470547
|
|
|
|
legal-external:
|
|
- language: "en"
|
|
imprint: "https://www.fraport.com/en/tools/imprint.html"
|
|
data-protection: "https://www.fraport.com/en/our-group/data-protection-statement.html"
|
|
terms-of-use: "https://www.fraport.com/en/tools/legal-information.html"
|
|
payments: "https://www.fraport.com/de/geschaeftsfelder/service/geschaeftspartner/richtlinien-und-zahlungsbedingungen.html"
|
|
- language: "de"
|
|
imprint: "https://www.fraport.com/de/tools/impressum.html"
|
|
data-protection: "https://www.fraport.com/de/konzern/datenschutz.html"
|
|
terms-of-use: "https://www.fraport.com/de/tools/disclaimer.html"
|
|
payments: "https://www.fraport.com/de/geschaeftsfelder/service/geschaeftspartner/richtlinien-und-zahlungsbedingungen.html"
|
|
|
|
job-workers: "_env:JOB_WORKERS:10"
|
|
job-flush-interval: "_env:JOB_FLUSH:30"
|
|
job-cron-interval: "_env:CRON_INTERVAL:60"
|
|
job-stale-threshold: 1800
|
|
job-move-threshold: 30
|
|
notification-rate-limit: 3600
|
|
notification-collate-delay: 7200
|
|
notification-expiration: 259200
|
|
session-timeout: 7200
|
|
bearer-expiration: 604800
|
|
bearer-encoding: HS256
|
|
maximum-content-length: "_env:MAX_UPLOAD_SIZE:805306368"
|
|
session-files-expire: 3600
|
|
prune-unreferenced-files-within: 604801
|
|
prune-unreferenced-files-interval: 3600
|
|
keep-unreferenced-files: 86400
|
|
health-check-interval:
|
|
matching-cluster-config: "_env:HEALTHCHECK_INTERVAL_MATCHING_CLUSTER_CONFIG:600"
|
|
http-reachable: "_env:HEALTHCHECK_INTERVAL_HTTP_REACHABLE:600"
|
|
ldap-admins: "_env:HEALTHCHECK_INTERVAL_LDAP_ADMINS:600" # TODO: either generalize over every external auth sources, or otherwise reimplement for different semantics
|
|
smtp-connect: "_env:HEALTHCHECK_INTERVAL_SMTP_CONNECT:600"
|
|
widget-memcached: "_env:HEALTHCHECK_INTERVAL_WIDGET_MEMCACHED:600"
|
|
active-job-executors: "_env:HEALTHCHECK_INTERVAL_ACTIVE_JOB_EXECUTORS:60"
|
|
does-flush: "_env:HEALTHCHECK_INTERVAL_DOES_FLUSH:15"
|
|
health-check-delay-notify: "_env:HEALTHCHECK_DELAY_NOTIFY:true"
|
|
health-check-http: "_env:HEALTHCHECK_HTTP:true" # Can we assume, that we can reach ourselves under APPROOT via HTTP (reverse proxies or firewalls might prevent this)?
|
|
|
|
health-check-active-job-executors-timeout: "_env:HEALTHCHECK_ACTIVE_JOB_EXECUTORS_TIMEOUT:5"
|
|
health-check-active-widget-memcached-timeout: "_env:HEALTHCHECK_ACTIVE_WIDGET_MEMCACHED_TIMEOUT:2"
|
|
health-check-smtp-connect-timeout: "_env:HEALTHCHECK_SMTP_CONNECT_TIMEOUT:5"
|
|
health-check-ldap-admins-timeout: "_env:HEALTHCHECK_LDAP_ADMINS_TIMEOUT:60" # TODO: either generalize over every external auth sources, or otherwise reimplement for different semantics
|
|
health-check-http-reachable-timeout: "_env:HEALTHCHECK_HTTP_REACHABLE_TIMEOUT:2"
|
|
health-check-matching-cluster-config-timeout: "_env:HEALTHCHECK_MATCHING_CLUSTER_CONFIG_TIMEOUT:2"
|
|
|
|
synchronise-avs-users-within: "_env:SYNCHRONISE_AVS_WITHIN:5702400" # alle 66 Tage
|
|
synchronise-avs-users-interval: "_env:SYNCHRONISE_AVS_INTERVAL:21600" # alle 6 Stunden
|
|
|
|
study-features-recache-relevance-within: 172800
|
|
study-features-recache-relevance-interval: 293
|
|
|
|
# Enqueue at specified hour, a few minutes later
|
|
# job-lms-qualifications-enqueue-hour: 15
|
|
# job-lms-qualifications-dequeue-hour: 3
|
|
|
|
log-settings:
|
|
detailed: "_env:DETAILED_LOGGING:false"
|
|
all: "_env:LOG_ALL:false"
|
|
minimum-level: "_env:LOGLEVEL:warn"
|
|
destination: "_env:LOGDEST:stderr"
|
|
serializable-transaction-retry-limit: 2
|
|
|
|
ip-retention-time: 1209600
|
|
|
|
# Debugging
|
|
auth-dummy-login: "_env:DUMMY_LOGIN:false"
|
|
allow-deprecated: "_env:ALLOW_DEPRECATED:false"
|
|
encrypt-errors: "_env:ENCRYPT_ERRORS:true"
|
|
server-session-acid-fallback: "_env:SERVER_SESSION_ACID_FALLBACK:false"
|
|
|
|
auth-pw-hash:
|
|
algorithm: pbkdf2
|
|
strength: 14
|
|
|
|
# Optional values with the following production defaults.
|
|
# In development, they default to the opposite.
|
|
# reload-templates: false
|
|
# mutable-static: false
|
|
# skip-combining: false
|
|
# clear-cache: false
|
|
|
|
database:
|
|
user: "_env:PGUSER:uniworx"
|
|
password: "_env:PGPASS:uniworx"
|
|
host: "_env:PGHOST:127.0.0.1"
|
|
port: "_env:PGPORT:5432"
|
|
# See config/test-settings.yml for an override during tests
|
|
database: "_env:PGDATABASE:uniworx"
|
|
poolsize: "_env:PGPOOLSIZE:990"
|
|
|
|
auto-db-migrate: "_env:AUTO_DB_MIGRATE:true"
|
|
|
|
# External sources used for user authentication and userdata lookups
|
|
user-auth:
|
|
# mode: single-source
|
|
protocol: azureadv2
|
|
config:
|
|
client-id: "_env:AZURECLIENTID:00000000-0000-0000-0000-000000000000"
|
|
client-secret: "_env:AZURECLIENTSECRET:''"
|
|
tenant-id: "_env:AZURETENANTID:00000000-0000-0000-0000-000000000000"
|
|
scopes: "_env:AZURESCOPES:[ID,Profile]"
|
|
# protocol: "ldap"
|
|
# config:
|
|
# host: "_env:LDAPHOST:"
|
|
# tls: "_env:LDAPTLS:"
|
|
# port: "_env:LDAPPORT:389"
|
|
# user: "_env:LDAPUSER:"
|
|
# pass: "_env:LDAPPASS:"
|
|
# baseDN: "_env:LDAPBASE:"
|
|
# scope: "_env:LDAPSCOPE:WholeSubtree"
|
|
# timeout: "_env:LDAPTIMEOUT:5"
|
|
# search-timeout: "_env:LDAPSEARCHTIME:5"
|
|
|
|
single-sign-on: "_env:OIDC_SSO:false"
|
|
|
|
# Automatically redirect to SSO route when not signed on
|
|
# Note: This will force authentication, thus the site will be inaccessible without external credentials. Only use this option when it is ensured that every user that should be able to access the site has valid external credentials!
|
|
auto-sign-on: "_env:AUTO_SIGN_ON:false"
|
|
|
|
# TODO: generalize for arbitrary auth protocols
|
|
# TODO: maybe use separate pools for external databases?
|
|
ldap-pool:
|
|
stripes: "_env:LDAPSTRIPES:1"
|
|
timeout: "_env:LDAPTIMEOUT:20"
|
|
limit: "_env:LDAPLIMIT:10"
|
|
|
|
# TODO: reintroduce and move into failover settings once failover mode has been reimplemented
|
|
# user-retest-failover: 60
|
|
# TODO; maybe implement syncWithin and syncInterval per auth source
|
|
user-sync-within: "_env:USER_SYNC_WITHIN:1209600" # 14 Tage in Sekunden
|
|
user-sync-interval: "_env:USER_SYNC_INTERVAL:3600" # jede Stunde
|
|
|
|
lms-direct:
|
|
upload-header: "_env:LMSUPLOADHEADER:true"
|
|
upload-delimiter: "_env:LMSUPLOADDELIMITER:"
|
|
download-header: "_env:LMSDOWNLOADHEADER:true"
|
|
download-delimiter: "_env:LMSDOWNLOADDELIMITER:,"
|
|
download-cr-lf: "_env:LMSDOWNLOADCRLF:true"
|
|
deletion-days: "_env:LMSDELETIONDAYS:7"
|
|
|
|
avs:
|
|
host: "_env:AVSHOST:skytest.fra.fraport.de"
|
|
port: "_env:AVSPORT:443"
|
|
user: "_env:AVSUSER:fradrive"
|
|
pass: "_env:AVSPASS:"
|
|
|
|
lpr:
|
|
host: "_env:LPRHOST:fravm017173.fra.fraport.de"
|
|
port: "_env:LPRPORT:515"
|
|
queue: "_env:LPRQUEUE:fradrive"
|
|
|
|
smtp:
|
|
host: "_env:SMTPHOST:"
|
|
port: "_env:SMTPPORT:25"
|
|
ssl: "_env:SMTPSSL:starttls"
|
|
auth:
|
|
type: login
|
|
user: "_env:SMTPUSER:"
|
|
pass: "_env:SMTPPASS:"
|
|
pool:
|
|
stripes: "_env:SMTPSTRIPES:1"
|
|
timeout: "_env:SMTPTIMEOUT:20"
|
|
limit: "_env:SMTPLIMIT:10"
|
|
|
|
widget-memcached:
|
|
host: "_env:WIDGET_MEMCACHED_HOST:localhost"
|
|
port: "_env:WIDGET_MEMCACHED_PORT:11211"
|
|
auth: []
|
|
limit: "_env:WIDGET_MEMCACHED_LIMIT:1024"
|
|
timeout: "_env:WIDGET_MEMCACHED_TIMEOUT:20"
|
|
base-url: "_env:WIDGET_MEMCACHED_ROOT:"
|
|
expiration: "_env:WIDGET_MEMCACHED_EXPIRATION:3600"
|
|
|
|
session-memcached:
|
|
host: "_env:SESSION_MEMCACHED_HOST:localhost"
|
|
port: "_env:SESSION_MEMCACHED_PORT:11211"
|
|
auth: []
|
|
limit: "_env:SESSION_MEMCACHED_LIMIT:1024"
|
|
timeout: "_env:SESSION_MEMCACHED_TIMEOUT:20"
|
|
expiration: "_env:SESSION_MEMCACHED_EXPIRATION:28807"
|
|
|
|
memcached:
|
|
host: "_env:MEMCACHED_HOST:localhost"
|
|
port: "_env:MEMCACHED_PORT:11211"
|
|
auth: []
|
|
limit: "_env:MEMCACHED_LIMIT:1024"
|
|
timeout: "_env:MEMCACHED_TIMEOUT:20"
|
|
expiration: "_env:MEMCACHED_EXPIRATION:300"
|
|
memcache-auth: true
|
|
memcached-local:
|
|
maximum-ghost: 512
|
|
maximum-weight: 104857600 # 100MiB
|
|
|
|
upload-cache:
|
|
host: "_env:UPLOAD_S3_HOST:" # should be optional, but all file transfers will be empty without an S3 cache
|
|
port: "_env:UPLOAD_S3_PORT:9000"
|
|
access-key: "_env:UPLOAD_S3_KEY_ID:"
|
|
secret-key: "_env:UPLOAD_S3_KEY"
|
|
is-secure: "_env:UPLOAD_S3_SSL:false"
|
|
region: "_env:UPLOAD_S3_REGION:"
|
|
auto-discover-region: "_env:UPLOAD_S3_AUTO_DISCOVER_REGION:true"
|
|
disable-cert-validation: "_env:UPLOAD_S3_DISABLE_CERT_VALIDATION:false"
|
|
upload-cache-bucket: "uni2work-uploads"
|
|
upload-tmp-bucket: "uni2work-tmp"
|
|
|
|
inject-files: 601
|
|
rechunk-files: 1201
|
|
check-missing-files: 7207
|
|
|
|
file-upload-db-chunksize: 4194304 # 4MiB
|
|
file-chunking-target-exponent: 21 # 2MiB
|
|
file-chunking-hash-window: 4096
|
|
|
|
server-sessions:
|
|
idle-timeout: 28807
|
|
absolute-timeout: 604801
|
|
timeout-resolution: 601
|
|
persistent-cookies: true
|
|
session-token-start: null
|
|
session-token-expiration: 28807
|
|
session-token-encoding: HS256
|
|
|
|
session-token-clock-leniency-start: 5
|
|
bearer-token-clock-leniency-start: 5
|
|
upload-token-clock-leniency-start: 5
|
|
|
|
cookies:
|
|
SESSION:
|
|
same-site: lax
|
|
http-only: true
|
|
secure: "_env:SERVER_SESSION_COOKIES_SECURE:true"
|
|
XSRF-TOKEN:
|
|
expires: null
|
|
same-site: strict
|
|
http-only: false
|
|
secure: "_env:COOKIES_SECURE:true"
|
|
LANG:
|
|
expires: 12622780800
|
|
same-site: lax
|
|
http-only: false
|
|
secure: "_env:COOKIES_SECURE:true"
|
|
SYSTEM-MESSAGE-STATE:
|
|
expires: 12622780800
|
|
same-site: lax
|
|
http-only: false
|
|
secure: "_env:COOKIES_SECURE:true"
|
|
ACTIVE-AUTH-TAGS:
|
|
expires: 12622780800
|
|
same-site: lax
|
|
http-only: true
|
|
secure: "_env:COOKIES_SECURE:true"
|
|
|
|
external-apis-ping-interval: 300
|
|
external-apis-pong-timeout: 600
|
|
external-apis-expiry: 1200
|
|
|
|
user-defaults:
|
|
max-favourites: 0
|
|
max-favourite-terms: 2
|
|
theme: Default
|
|
date-time-format: "%d %b %y %R"
|
|
date-format: "%d %b %Y"
|
|
time-format: "%R"
|
|
download-files: false
|
|
warning-days: 1209600
|
|
show-sex: false
|
|
exam-office-get-synced: true
|
|
exam-office-get-labels: true
|
|
prefers-postal: true
|
|
|
|
|
|
instance-id: "_env:INSTANCE_ID:instance"
|
|
ribbon: "_env:RIBBON:"
|
|
|
|
|
|
favourites-quick-actions-burstsize: 40
|
|
favourites-quick-actions-avg-inverse-rate: 50e3 # µs/token
|
|
favourites-quick-actions-timeout: 40e-3 # s
|
|
favourites-quick-actions-cache-ttl: 120 # s
|
|
|
|
|
|
token-buckets:
|
|
inject-files:
|
|
depth: 20971520 # 20MiB
|
|
inv-rate: 9.5e-7 # 1MiB/s
|
|
initial-value: 0
|
|
inject-files-count:
|
|
depth: 100
|
|
inv-rate: 1
|
|
initial-value: 0
|
|
prune-files:
|
|
depth: 1572864000 # 1500MiB
|
|
inv-rate: 1.9e-6 # 2MiB/s
|
|
initial-value: 0
|
|
rechunk-files:
|
|
depth: 20971520 # 20MiB
|
|
inv-rate: 9.5e-7 # 1MiB/s
|
|
initial-value: 0
|
|
|
|
fallback-personalised-sheet-files-keys-expire: 2419200
|
|
|
|
download-token-expire: 604801
|
|
|
|
file-source-arc:
|
|
maximum-ghost: 512
|
|
maximum-weight: 1073741824 # 1GiB
|
|
file-source-prewarm:
|
|
maximum-weight: 1073741824 # 1GiB
|
|
start: 1800 # 30m
|
|
end: 600 # 10m
|
|
inhibit: 3600 # 60m
|
|
steps: 20
|
|
max-speedup: 3
|
|
|
|
bot-mitigations:
|
|
- only-logged-in-table-sorting
|
|
- unauthorized-form-honeypots
|
|
|
|
volatile-cluster-settings-cache-time: 10
|
|
|
|
communication-attachments-max-size: 20971520 # 20MiB
|