forked from tinode/chat
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathtinode.conf
366 lines (304 loc) · 12.4 KB
/
tinode.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
// The JSON comments are somewhat brittle. Don't try anything too fancy.
{
// Default HTTP(S) address:port to listen on for websocket and long polling clients. Either a
// numeric value or a canonical name, e.g. ":80" or ":https". May include the host name, e.g.
// "localhost:80" or "hostname.example.com:https".
// It could be blank: if TLS is not configured it will default to ":80", otherwise to ":443".
// Can be overridden from the command line, see option --listen.
"listen": ":6060",
// Cach-Control header for static content. 11 hours.
"cache_control": 39600,
// URL path for mounting the directory with static files.
"static_mount": "/",
// Address:port to listen for gRPC clients. Leave blank to disable gRPC support.
// Could be overridden from the command line with --grpc_listen.
"grpc_listen": ":6061",
// Enable handling of gRPC keepalives https://github.com/grpc/grpc/blob/master/doc/keepalive.md
// This sets server's GRPC_ARG_KEEPALIVE_TIME_MS to 60 seconds instead of the default 2 hours.
"grpc_keepalive_enabled": true,
// Salt for signing API key. 32 random bytes base64-encoded. Use 'keygen' to generate
// the API key and the salt.
"api_key_salt": "T713/rYYgW7g4m3vG6zGRh7+FM1t0T8j13koXScOAj4=",
// Maximum message size allowed from client in bytes (262144 = 256KB).
// Intended to prevent malicious clients from sending very large messages inband (does
// not affect out-of-band large files).
"max_message_size": 262144,
// Maximum number of subscribers per group topic.
"max_subscriber_count": 128,
// Maximum number of indexable tags per topic or user.
"max_tag_count": 16,
// URL path for exposing runtime stats. Disabled if the path is blank.
// Could be overriden from the command line with --expvar.
"expvar": "/debug/vars",
// Large media/blob handlers.
"media": {
// Media handler to use
"use_handler": "fs",
// Maximum size of uploaded file (8MB here for testing, maybe increase to 100MB = 104857600 in prod)
"max_size": 8388608,
// Garbage collection periodicity in seconds
"gc_period": 60,
// Number of unused entries to delete in one pass
"gc_block_size": 100,
// Configurations for various handlers.
"handlers": {
// File system storage.
"fs": {
// File system location to store uploaded files. In case of a cluster it
// must be accessible by all cluster members, i.e. a network drive.
"upload_dir": "uploads"
},
// Amazon AWS S3 storage.
"s3":{
// Use AWS console to get Access Key ID and Secret Access Key.
// https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
"access_key_id": "your_s3_access_key_id",
"secret_access_key": "your_s3_secret_access_key",
// Region where the bucket is hosted.
"region": "s3 region, like us-east-2",
// Name of the S3 bucket.
"bucket": "your_s3_bucket_name",
// Origin URLs allowed to download files. See
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
"cors_origins": ["*"]
}
}
},
// TLS (httpS) configuration. Applies to both web and gRPC interfaces.
"tls": {
// Enable TLS.
"enabled": false,
// Listen for connections on this port and redirect them to HTTPS port.
"http_redirect": ":80",
// Add Strict-Transport-Security to headers, the value signifies age.
// Zero or negative value turns it off.
"strict_max_age": 604800,
// Letsencrypt configuration
"autocert": {
// Location of certificates.
"cache": "/etc/letsencrypt/live/your.domain.here",
// Contact address for this installation. LetsEncrypt will send
// messages to this address in case of problems. Replace with your
// own address or remove this line.
"email": "noreply@example.com",
// Domains served. Replace with your own domain name.
"domains": ["whatever.example.com"]
},
// If "autocert" config is not defined, read static certificates from
// these locations. Ignored if "autocert" is defined.
"cert_file": "/etc/httpd/conf/your.domain.crt",
"key_file": "/etc/httpd/conf/your.domain.key"
},
// Authentication configuration.
"auth_config": {
// Optional mapping of externally-visible authenticator names to internal names.
// For example use ["login-password:basic", "basic:"] to rename "basic" authenticator to
// "login-password" and make it unaccessible by the old name.
// Default is identity mapping.
"logical_names": [],
// Basic (login + password) authentication.
"basic": {
// Add 'auth-name:username' to tags making user discoverable by username.
"add_to_tags": true,
// The minimum length of a login in unicode runes, i.e. "登录" is length 2, not 6.
// The maximum length is 32 and it cannot be changed.
"min_login_length": 4,
// The minimum length of a password in unicode runes, "пароль" is length 6, not 12.
// There is no maximum length.
"min_password_length": 6
},
// Token authentication
"token": {
// Lifetime of a security token in seconds. 1209600 = 2 weeks.
"expire_in": 1209600,
// Serial number of the token. Can be used to invalidate all issued tokens at once.
"serial_num": 1,
// Secret key (HMAC salt) for signing the tokens. Generate your own then keep it secret.
// 32 random bytes base64 encioded.
//
// === IMPORTANT ===
//
// CHANGE IT IN PRODUCTION!!! Otherwise anyone will be able to log in
// to your server without the password.
"key": "wfaY2RgF2S1OQI/ZlK+LSrp1KB2jwAdGAIHQ7JZn+Kc="
}
},
// Database configuration
"store_config": {
// XTEA encryption key for user IDs and topic names. 16 random bytes base64-encoded.
// Generate your own and keep it secret. Otherwise your user IDswill be predictable
// and it will be easy to spam your users.
"uid_key": "la6YsO+bNX/+XIkOqc5Svw==",
// Maximum number of results fetched in one DB call.
"max_results": 1024,
// Configurations of individual adapters.
"adapters": {
// MySQL configuration. See https://godoc.org/github.com/go-sql-driver/mysql#Config
// for other possible options.
"mysql": {
// DSN, passed unchanged to MySQL driver. The 'parseTime=true' is required.
// The 'collation=utf8mb4_unicode_ci' is optional but highly recommended for
// emoji and certain CJK characters.
// See https://github.com/go-sql-driver/mysql#dsn-data-source-name for syntax.
"dsn": "root@tcp(localhost)/tinode?parseTime=true&collation=utf8mb4_unicode_ci",
// Name of the main database.
"database": "tinode"
},
// RethinkDB configuration. https://godoc.org/github.com/rethinkdb/rethinkdb-go#ConnectOpts
// for other possible options.
"rethinkdb": {
// Address(es) of RethinkDB node(s): either a string or an array of strings.
"addresses": "localhost:28015",
// Name of the main database.
"database": "tinode"
}
}
},
// Account validators (email or SMS or captcha)
"acc_validation": {
// Email validator config.
"email": {
// Restrict use of "email" namespace.
"add_to_tags": true,
// List of authentication levels which require this validation method.
// Remove this line to disable email validation.
"required": ["auth"],
// Configuration passed to the validator unchanged.
"config": {
// Address of the host where the Tinode server is running. This will be used
// in URLs in the email.
"host_url": "http://localhost:6060/",
// Address of the SMPT server to use.
"smtp_server": "smtp.example.com",
// SMTP port to use. "25" for basic email RFC 5321 (2821, 821), "587" for RFC 3207 (TLS).
"smtp_port": "25",
// Address to use for authentication and to show in From:
"sender": "noreply@example.com",
// Password of the sender.
"sender_password": "your-password-here",
// Message body template for credential validation. Uses http/template syntax.
"validation_body_templ": "./templ/email-validation-body.templ",
// Subject line for validation requests.
"validation_subject": "Tinode registration: confirm email",
// Message body template for password reset. Uses http/template syntax.
"reset_body_templ": "./templ/email-password-reset.templ",
// Subject line for password reset requests.
"reset_subject": "Reset Tinode password",
// Additional message headers (currently unused).
"headers": [],
// Allow this many confirmation attempts before blocking the credential.
"max_retries": 4,
// List of allowed email domains. Missing or empty list means any email domain is accepted.
"domains": [],
// Dummy response to accept. Remove the line in production.
"debug_response": "123456"
}
},
// Dummy placeholder validator for SMS and voice validation. Disabled by default.
// Use something like twillio.com in production.
"tel": {
"add_to_tags": true,
"config": {
"template": "./templ/sms-validation.templ",
"max_retries": 4,
"debug_response": "123456"
}
}
},
// Configuration of push notifications.
"push": [
{
// Notificator which writes to STDOUT. Useful for debugging.
"name":"stdout",
"config": {
// Disabled.
"enabled": false
}
},
{
// Google FCM notificator.
"name":"fcm",
"config": {
// Disabled. Won't work without the server key anyway. See below.
"enabled": false,
// Number of notifications to keep before they start to be dropped.
"buffer": 1024,
// Firebase project ID.
"project_id": "your-project-id",
// Service account credentials as json.
// See instructions how to download the service account credentials file:
// https://cloud.google.com/iam/docs/creating-managing-service-account-keys
// Then insert the file contents here. Yes, this is convoluted, but that's Google's fault.
"credentials": {
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "some-random-looking-hex-number",
"private_key": "-----BEGIN PRIVATE KEY----- base64-encoded bits of your private key \n-----END PRIVATE KEY-----\n",
"client_email": "firebase-adminsdk-abc123@your-project-id.iam.gserviceaccount.com",
"client_id": "1234567890123456789",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-abc123%40your-project-id.iam.gserviceaccount.com"
},
// An alternative way to provide Firebase service account credentials.
"credentials_file": "/path/to/service-account-file-with-credentials.json",
// Time in seconds before notification is discarded if undelivered (by Google).
"time_to_live": 3600,
// Include Android Notification. Set to false to push a data-only message.
"include_android_notification": false,
// Android resource ID to use as a notification icon. Used only if include_android_notification=true.
"icon": "ic_logo_push",
// Notification color (Android). Used only if include_android_notification=true.
"icon_color": "#3949AB"
}
}
],
// Cluster-mode configuration.
"cluster_config": {
// Name of this node. Can be assigned from the command line.
// Empty string disables clustering.
"self": "",
// List of available nodes.
"nodes": [
// Name and TCP address of every node in the cluster. The ports 12001..12003
// are cluster communication ports. They don't need to be exposed to clients.
{"name": "one", "addr":"localhost:12001"},
{"name": "two", "addr":"localhost:12002"},
{"name": "three", "addr":"localhost:12003"}
],
// Failover config.
"failover": {
// Failover is enabled.
"enabled": true,
// Time in milliseconds between heartbeats.
"heartbeat": 100,
// Initiate leader election when the leader is not available for this many heartbeats.
"vote_after": 8,
// Consider node failed when it missed this many heartbeats.
"node_fail_after": 16
}
},
// Configuration of plugins
"plugins": [
{
// Enable or disable this plugin.
"enabled": false,
// Name of the plugin, must be unique.
"name": "python_chat_bot",
// Timeout in microseconds.
"timeout": 20000,
// Events to send to the plugin.
"filters": {
// Account creation events.
"account": "C"
},
// Error code to use in case flugin has failed.
"failure_code": 0,
// Text of an error message to report in case of plugin falure.
"failure_text": null,
// Address of the plugin.
"service_addr": "tcp://localhost:40051"
}
]
}