255 lines
13 KiB
YAML
255 lines
13 KiB
YAML
apiVersion: v1
|
|
kind: ConfigMap
|
|
metadata:
|
|
name: psono-settings
|
|
namespace: psono
|
|
data:
|
|
settings.yaml: |
|
|
SECRET_KEY: 'PLACEHOLDER'
|
|
ACTIVATION_LINK_SECRET: 'PLACEHOLDER'
|
|
DB_SECRET: 'PLACEHOLDER'
|
|
EMAIL_SECRET_SALT: 'PLACEHOLDER'
|
|
PRIVATE_KEY: 'PLACEHOLDER'
|
|
PUBLIC_KEY: 'PLACEHOLDER'
|
|
|
|
WEB_CLIENT_URL: 'https://psono.jsme.be'
|
|
|
|
# The number of proxies in your environment to parse the X-Forwarded-For header. The basic setup of Psono uses 2
|
|
# reverse proxies, the regular one and one in the combo container. If you have additional Loadbalancers you may have
|
|
# adjust this parameter.
|
|
NUM_PROXIES: 2
|
|
|
|
FAVICON_SERVICE_URL: 'https://favicon.psono.com/v1/icon/'
|
|
|
|
# Switch DEBUG to false if you go into production
|
|
DEBUG: False
|
|
|
|
# Adjust this according to Django Documentation https://docs.djangoproject.com/en/5.2/ref/settings/
|
|
ALLOWED_HOSTS: ['*']
|
|
|
|
# Should be your domain without "www.". Will be the last part of the username
|
|
ALLOWED_DOMAINS: ['jsme.be', 'gmail.com']
|
|
|
|
# If you want to disable registration, you can comment in the following line
|
|
# ALLOW_REGISTRATION: False
|
|
|
|
# If you want to disable the lost password functionality, you can comment in the following line
|
|
# ALLOW_LOST_PASSWORD: False
|
|
|
|
# If you want to enforce that the email address and username needs to match upon registration
|
|
ENFORCE_MATCHING_USERNAME_AND_EMAIL: False
|
|
|
|
# If you want to restrict registration to some email addresses you can specify here a list of domains to filter
|
|
# REGISTRATION_EMAIL_FILTER: ['company1.com', 'company2.com']
|
|
|
|
# Should be the URL of the host under which the host is reachable
|
|
# If you open the url and append /info/ to it you should have a text similar to {"info":"{\"version\": \"....}
|
|
HOST_URL: 'https://psono.jsme.be/server'
|
|
|
|
# The email used to send emails, e.g. for activation
|
|
# ATTENTION: If executed in a docker container, then "localhost" will resolve to the docker container, so
|
|
# "localhost" will not work as host. Use the public IP or DNS record of the server.
|
|
EMAIL_FROM: $email_from
|
|
EMAIL_HOST: $email_host
|
|
EMAIL_HOST_USER: $email_user
|
|
EMAIL_HOST_PASSWORD: $email_password
|
|
EMAIL_PORT: $email_port
|
|
EMAIL_SUBJECT_PREFIX: ''
|
|
EMAIL_USE_TLS: True
|
|
EMAIL_TIMEOUT: 10
|
|
|
|
|
|
# Cache with Redis
|
|
# By default you should use something different than database 0 or 1, e.g. 13 (default max is 16, can be configured in
|
|
# redis.conf) possible URLS are:
|
|
# redis://[:password]@localhost:6379/0
|
|
# rediss://[:password]@localhost:6379/0
|
|
# unix://[:password]@/path/to/socket.sock?db=0
|
|
# CACHE_ENABLE: False
|
|
# CACHE_REDIS: False
|
|
# CACHE_REDIS_LOCATION: 'redis://127.0.0.1:6379/13'
|
|
|
|
# The server will automatically connect to the license server to get a license for 10 users.
|
|
# For paying customers we offer the opportunity to get an offline license code.
|
|
#
|
|
# LICENSE_CODE: |
|
|
# 0abcdefg...
|
|
# 1abcdefg...
|
|
# 2abcdefg...
|
|
# 3abcdefg...
|
|
# 4abcdefg...
|
|
# 5abcdefg...
|
|
# 6abcdefg...
|
|
# 7abcdefg...
|
|
# 8abcdefg...
|
|
|
|
# Optional: Send an email notification when remaining licenses reach a threshold.
|
|
# The threshold is checked whenever users are created or activated.
|
|
ADMIN_EMAIL: [$email_user]
|
|
# ADMIN_EMAIL_LICENSE_THRESHOLD: 1
|
|
|
|
# Enables the management API, required for the psono-admin-client / admin portal (Default is set to False)
|
|
MANAGEMENT_ENABLED: True
|
|
|
|
# Enables the fileserver API, required for the psono-fileserver
|
|
# FILESERVER_HANDLER_ENABLED: False
|
|
|
|
# Enables files for the client
|
|
# FILES_ENABLED: False
|
|
|
|
# Allows that users can search for partial usernames
|
|
ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL: True
|
|
|
|
# Allows that users can search for email addresses too
|
|
ALLOW_USER_SEARCH_BY_EMAIL: True
|
|
|
|
# Disables central security reports
|
|
# DISABLE_CENTRAL_SECURITY_REPORTS: True
|
|
|
|
# If you want to use SAML, then you can configure it like this as a dictionary.
|
|
#
|
|
# About the parameters:
|
|
# idp->entityId: Thats the url to the metadata of your IDP
|
|
# idp->singleLogoutService->url: Thats the url to the logout service of your IDP
|
|
# idp->singleSignOnService->url: Thats the url to the single sign-on service of your IDP
|
|
# idp->x509cert: Thats the certificate of your IDP
|
|
# idp->groups_attribute: The attribute in the SAML response that holds your groups
|
|
# idp->username_attribute: The attribute in the SAML response that holds the username. If you put here null, then it will use the NameID
|
|
# idp->email_attribute: The attribute in the SAML response that holds the email address.
|
|
# idp->username_domain: The domain that is appended to the provided username, if the provided username is not already in email format.
|
|
# idp->required_group: A list of group names (casesensitive) in order to restrict who can use SAML login with this installation. Leave empty for no restriction.
|
|
# idp->is_adfs: If you are using ADFS.
|
|
# idp->honor_multifactors: Multifactor authentication can be bypassed with this flag for all SAML users (e.g. when you already enforce multifactor on the SAML provider).
|
|
# idp->max_session_lifetime: The time in seconds that a session created throught SAML will live
|
|
#
|
|
# sp->NameIDFormat: The normal nameformat parameter. (should only be set to transient if you have set a username attribute with username_attribute)
|
|
# sp->attributeConsumingService: Only necessary if the IDP needs to be told to send some specific attributes
|
|
# sp->x509cert: The X.509 cert
|
|
# sp->privateKey: The corresponding private key of the X.509 cert
|
|
#
|
|
# There are a couple of more options next to those required ones below.
|
|
# More information can be found here https://github.com/onelogin/python3-saml
|
|
#
|
|
# A self-signed certificate can be generated with:
|
|
# openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes -sha256 -out sp_x509cert.crt -keyout sp_private_key.key
|
|
#
|
|
# To help you setup SAML, we have created a small "testsaml" command that should make things easier. You can execute it like:
|
|
# docker run --rm \
|
|
# -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \
|
|
# -ti psono/psono-combo-enterprise:latest python3 psono/manage.py testsaml
|
|
#
|
|
# The number 1 in line 2 is the provider id. Users are matched by the constructed username.
|
|
#
|
|
# SAML_CONFIGURATIONS:
|
|
# 1:
|
|
# idp:
|
|
# entityId: "https://idp.exampple.com/metadata.php"
|
|
# singleLogoutService:
|
|
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
# url: "https://idp.exampple.com/SingleLogoutService.php"
|
|
# singleSignOnService:
|
|
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
# url: "https://idp.exampple.com/SingleSignOnService.php"
|
|
# x509cert: "ABC...=="
|
|
# groups_attribute: "groups"
|
|
# username_attribute: 'username'
|
|
# email_attribute: 'email'
|
|
# username_domain: 'example.com'
|
|
# required_group: []
|
|
# is_adfs: false
|
|
# honor_multifactors: true
|
|
# max_session_lifetime: 86400
|
|
# sp:
|
|
# NameIDFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
|
|
# assertionConsumerService:
|
|
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
|
|
# attributeConsumingService:
|
|
# serviceName: "Psono"
|
|
# serviceDescription: "Psono password manager"
|
|
# requestedAttributes:
|
|
# -
|
|
# attributeValue: []
|
|
# friendlyName: ""
|
|
# isRequired: false
|
|
# name: "attribute-that-has-to-be-requested-explicitely"
|
|
# nameFormat: ""
|
|
# privateKey: "ABC...=="
|
|
# singleLogoutService:
|
|
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
|
|
# x509cert: "ABC...=="
|
|
# autoprovision_psono_folder: false
|
|
# autoprovision_psono_group: false
|
|
# strict: true
|
|
#
|
|
# You need a couple of urls to configure the IDP correctly. If the server is accessible under https://example.com/server
|
|
# (e.g. https://example.com/server/healthcheck/ shows some json output) and the provider id is 1 as in the example
|
|
# above the following urls are valid:
|
|
#
|
|
# for metadata : https://example.com/server/saml/1/metadata/
|
|
# for assertion consumer service : https://example.com/server/saml/1/acs/
|
|
# for single logout service : https://example.com/server/saml/1/sls/
|
|
#
|
|
#
|
|
# ATTENTION: API kays currently bypass SAML authentication, that means API keys can still access secrets even if the
|
|
# user was disabled in SAML. API keys can be disabled with COMPLIANCE_DISABLE_API_KEYS
|
|
|
|
# If you want to use OIDC, then you can configure it like this as a dictionary.
|
|
# OIDC_CONFIGURATIONS:
|
|
# 1:
|
|
# OIDC_RP_SIGN_ALGO: 'RS256'
|
|
# OIDC_RP_CLIENT_ID: 'whatever client id was provided'
|
|
# OIDC_RP_CLIENT_SECRET: 'whatever secret was provided'
|
|
# OIDC_OP_JWKS_ENDPOINT: 'https://example.com/jwks'
|
|
# OIDC_OP_AUTHORIZATION_ENDPOINT: 'https://example.com/authorize'
|
|
# OIDC_OP_TOKEN_ENDPOINT: 'https://example.com/token'
|
|
# OIDC_OP_USER_ENDPOINT: 'https://example.com/userinfo'
|
|
#
|
|
# Standard parameters explained:
|
|
# OIDC_RP_SIGN_ALGO defaults to HS256 and needs to match the algo of your IDP
|
|
# OIDC_RP_CLIENT_ID the client id that is provided by your IDP
|
|
# OIDC_RP_CLIENT_SECRET the secret that is provided by your IDP
|
|
# OIDC_OP_JWKS_ENDPOINT The JWKS endpoint of your IDP
|
|
# OIDC_OP_AUTHORIZATION_ENDPOINT The authorization endpoint of your IDP
|
|
# OIDC_OP_TOKEN_ENDPOINT The token endpoint of your IDP
|
|
#
|
|
# other parameters are:
|
|
# OIDC_VERIFY_JWT defaults to true, Controls whether Psono verifies the signature of the JWT tokens
|
|
# OIDC_USE_NONCE defaults to true, Controls whether Psono uses nonce verification
|
|
# OIDC_VERIFY_SSL defaults to true, Controls whether Psono verifies the SSL certificate of the IDP responses
|
|
# OIDC_TIMEOUT defaults to 10, Defines a timeout for all requests in seconds to the IDP (fetch JWS, retrieve JWT tokens, userinfo endpoint))
|
|
# OIDC_PROXY defaults to None, Defines a proxy for all requests to the IDP (fetch JWS, retrieve JWT tokens, Userinfo Endpoint). More infos can be found here https://requests.readthedocs.io/en/master/user/advanced/#proxies
|
|
# OIDC_RP_SCOPES defaults to 'openid email', The OpenID Connect scopes to request during login.
|
|
# OIDC_AUTH_REQUEST_EXTRA_PARAMS defaults to {}, Additional parameters to include in the initial authorization request.
|
|
# OIDC_RP_IDP_SIGN_KEY defaults to None, Sets the key the IDP uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format.
|
|
# OIDC_ALLOW_UNSECURED_JWT defaults to False, Controls whether the Psono is going to allow unsecured JWT tokens (tokens with header {"alg":"none"}). This needs to be set to True if the IDP is returning unsecured JWT tokens and you want to accept them. See also https://tools.ietf.org/html/rfc7519#section-6
|
|
# OIDC_TOKEN_USE_BASIC_AUTH defaults to False, Use HTTP Basic Authentication instead of sending the client secret in token request POST body.
|
|
|
|
# Your Postgres Database credentials
|
|
# ATTENTION: If executed in a docker container, then "localhost" will resolve to the docker container, so
|
|
# "localhost" will not work as host. Use the public IP or DNS record of the server.
|
|
DATABASES:
|
|
default:
|
|
'ENGINE': 'django.db.backends.postgresql_psycopg2'
|
|
'NAME': $db_name
|
|
'USER': $db_user
|
|
'PASSWORD': $db_password
|
|
'HOST': $db_host
|
|
'PORT': $db_port
|
|
|
|
# The path to the template folder can be "shadowed" if required later
|
|
TEMPLATES: [
|
|
{
|
|
'BACKEND': 'django.template.backends.django.DjangoTemplates',
|
|
'DIRS': ['/root/psono/templates'],
|
|
'APP_DIRS': True,
|
|
'OPTIONS': {
|
|
'context_processors': [
|
|
'django.template.context_processors.debug',
|
|
'django.template.context_processors.request',
|
|
'django.contrib.auth.context_processors.auth',
|
|
'django.contrib.messages.context_processors.messages',
|
|
],
|
|
},
|
|
},
|
|
]
|