|
| 1 | +// SPDX-FileCopyrightText: 2023 XWiki CryptPad Team <contact@cryptpad.org> and contributors |
| 2 | +// |
| 3 | +// SPDX-License-Identifier: AGPL-3.0-or-later |
| 4 | + |
| 5 | +/* DISCLAIMER: |
| 6 | +
|
| 7 | + There are two recommended methods of running a CryptPad instance: |
| 8 | +
|
| 9 | + 1. Using a standalone nodejs server without HTTPS (suitable for local development) |
| 10 | + 2. Using NGINX to serve static assets and to handle HTTPS for API server's websocket traffic |
| 11 | +
|
| 12 | + We do not officially recommend or support Apache, Docker, Kubernetes, Traefik, or any other configuration. |
| 13 | + Support requests for such setups should be directed to their authors. |
| 14 | +
|
| 15 | + If you're having difficulty difficulty configuring your instance |
| 16 | + we suggest that you join the project's Matrix channel. |
| 17 | +
|
| 18 | + If you don't have any difficulty configuring your instance and you'd like to |
| 19 | + support us for the work that went into making it pain-free we are quite happy |
| 20 | + to accept donations via our opencollective page: https://opencollective.com/cryptpad |
| 21 | +
|
| 22 | +*/ |
| 23 | +module.exports = { |
| 24 | + /* CryptPad is designed to serve its content over two domains. |
| 25 | + * Account passwords and cryptographic content is handled on the 'main' domain, |
| 26 | + * while the user interface is loaded on a 'sandbox' domain |
| 27 | + * which can only access information which the main domain willingly shares. |
| 28 | + * |
| 29 | + * In the event of an XSS vulnerability in the UI (that's bad) |
| 30 | + * this system prevents attackers from gaining access to your account (that's good). |
| 31 | + * |
| 32 | + * Most problems with new instances are related to this system blocking access |
| 33 | + * because of incorrectly configured sandboxes. If you only see a white screen |
| 34 | + * when you try to load CryptPad, this is probably the cause. |
| 35 | + * |
| 36 | + * PLEASE READ THE FOLLOWING COMMENTS CAREFULLY. |
| 37 | + * |
| 38 | + */ |
| 39 | + |
| 40 | + /* httpUnsafeOrigin is the URL that clients will enter to load your instance. |
| 41 | + * Any other URL that somehow points to your instance is supposed to be blocked. |
| 42 | + * The default provided below assumes you are loading CryptPad from a server |
| 43 | + * which is running on the same machine, using port 3000. |
| 44 | + * |
| 45 | + * In a production instance this should be available ONLY over HTTPS |
| 46 | + * using the default port for HTTPS (443) ie. https://cryptpad.fr |
| 47 | + * In such a case this should be also handled by NGINX, as documented in |
| 48 | + * cryptpad/docs/example.nginx.conf (see the $main_domain variable) |
| 49 | + * |
| 50 | + */ |
| 51 | + httpUnsafeOrigin: "http://localhost:3000", |
| 52 | + |
| 53 | + /* httpSafeOrigin is the URL that is used for the 'sandbox' described above. |
| 54 | + * If you're testing or developing with CryptPad on your local machine then |
| 55 | + * it is appropriate to leave this blank. The default behaviour is to serve |
| 56 | + * the main domain over port 3000 and to serve the sandbox content over port 3001. |
| 57 | + * |
| 58 | + * This is not appropriate in a production environment where invasive networks |
| 59 | + * may filter traffic going over abnormal ports. |
| 60 | + * To correctly configure your production instance you must provide a URL |
| 61 | + * with a different domain (a subdomain is sufficient). |
| 62 | + * It will be used to load the UI in our 'sandbox' system. |
| 63 | + * |
| 64 | + * This value corresponds to the $sandbox_domain variable |
| 65 | + * in the example nginx file. |
| 66 | + * |
| 67 | + * Note that in order for the sandboxing system to be effective |
| 68 | + * httpSafeOrigin must be different from httpUnsafeOrigin. |
| 69 | + * |
| 70 | + * CUSTOMIZE AND UNCOMMENT THIS FOR PRODUCTION INSTALLATIONS. |
| 71 | + */ |
| 72 | + // httpSafeOrigin: "https://some-other-domain.xyz", |
| 73 | + |
| 74 | + /* httpAddress specifies the address on which the nodejs server |
| 75 | + * should be accessible. By default it will listen on localhost |
| 76 | + * (IPv4 & IPv6 if enabled). If you want it to listen on |
| 77 | + * a specific address, specify it here. e.g '192.168.0.1' |
| 78 | + * |
| 79 | + */ |
| 80 | + //httpAddress: 'localhost', |
| 81 | + |
| 82 | + /* httpPort specifies on which port the nodejs server should listen. |
| 83 | + * By default it will serve content over port 3000, which is suitable |
| 84 | + * for both local development and for use with the provided nginx example, |
| 85 | + * which will proxy websocket traffic to your node server. |
| 86 | + * |
| 87 | + */ |
| 88 | + //httpPort: 3000, |
| 89 | + |
| 90 | + /* httpSafePort purpose is to emulate another origin for the sandbox when |
| 91 | + * you don't have two domains at hand (i.e. when httpSafeOrigin not defined). |
| 92 | + * It is meant to be used only in case where you are working on a local |
| 93 | + * development instance. The default value is your httpPort + 1. |
| 94 | + * |
| 95 | + */ |
| 96 | + //httpSafePort: 3001, |
| 97 | + |
| 98 | + /* Websockets need to be exposed on a separate port from the rest of |
| 99 | + * the platform's HTTP traffic. Port 3003 is used by default. |
| 100 | + * You can change this to a different port if it is in use by a |
| 101 | + * different service, but under most circumstances you can leave this |
| 102 | + * commented and it will work. |
| 103 | + * |
| 104 | + * In production environments, your reverse proxy (usually NGINX) |
| 105 | + * will need to forward websocket traffic (/cryptpad_websocket) |
| 106 | + * to this port. |
| 107 | + * |
| 108 | + */ |
| 109 | + // websocketPort: 3003, |
| 110 | + |
| 111 | + /* CryptPad will launch a child process for every core available |
| 112 | + * in order to perform CPU-intensive tasks in parallel. |
| 113 | + * Some host environments may have a very large number of cores available |
| 114 | + * or you may want to limit how much computing power CryptPad can take. |
| 115 | + * If so, set 'maxWorkers' to a positive integer. |
| 116 | + */ |
| 117 | + // maxWorkers: 4, |
| 118 | + |
| 119 | + /* ===================== |
| 120 | + * Sessions |
| 121 | + * ===================== */ |
| 122 | + |
| 123 | + /* Accounts can be protected with an OTP (One Time Password) system |
| 124 | + * to add a second authentication layer. Such accounts use a session |
| 125 | + * with a given lifetime after which they are logged out and need |
| 126 | + * to be re-authenticated. You can configure the lifetime of these |
| 127 | + * sessions here. |
| 128 | + * |
| 129 | + * defaults to 7 days |
| 130 | + */ |
| 131 | + //otpSessionExpiration: 7*24, // hours |
| 132 | + |
| 133 | + /* Registered users can be forced to protect their account |
| 134 | + * with a Multi-factor Authentication (MFA) tool like a TOTP |
| 135 | + * authenticator application. |
| 136 | + * |
| 137 | + * defaults to false |
| 138 | + */ |
| 139 | + //enforceMFA: false, |
| 140 | + |
| 141 | + /* ===================== |
| 142 | + * Privacy |
| 143 | + * ===================== */ |
| 144 | + |
| 145 | + /* Depending on where your instance is hosted, you may be required to log IP |
| 146 | + * addresses of the users who make a change to a document. This setting allows you |
| 147 | + * to do so. You can configure the logging system below in this config file. |
| 148 | + * Setting this value to true will include a log for each websocket connection |
| 149 | + * including this connection's unique ID, the user public key and the IP. |
| 150 | + * NOTE: this option requires a log level of "info" or below. |
| 151 | + * |
| 152 | + * defaults to false |
| 153 | + */ |
| 154 | + //logIP: false, |
| 155 | + |
| 156 | + /* ===================== |
| 157 | + * Admin |
| 158 | + * ===================== */ |
| 159 | + |
| 160 | + /* |
| 161 | + * CryptPad contains an administration panel. Its access is restricted to specific |
| 162 | + * users using the following list. |
| 163 | + * To give access to the admin panel to a user account, just add their public signing |
| 164 | + * key, which can be found on the settings page for registered users. |
| 165 | + * Entries should be strings separated by a comma. |
| 166 | + * adminKeys: [ |
| 167 | + * "[cryptpad-user1@my.awesome.website/YZgXQxKR0Rcb6r6CmxHPdAGLVludrAF2lEnkbx1vVOo=]", |
| 168 | + * "[cryptpad-user2@my.awesome.website/jA-9c5iNuG7SyxzGCjwJXVnk5NPfAOO8fQuQ0dC83RE=]", |
| 169 | + * ] |
| 170 | + * |
| 171 | + */ |
| 172 | + adminKeys: [], |
| 173 | + |
| 174 | + /* ===================== |
| 175 | + * STORAGE |
| 176 | + * ===================== */ |
| 177 | + |
| 178 | + /* Pads that are not 'pinned' by any registered user can be set to expire |
| 179 | + * after a configurable number of days of inactivity (default 90 days). |
| 180 | + * The value can be changed or set to false to remove expiration. |
| 181 | + * Expired pads can then be removed using a cron job calling the |
| 182 | + * `evict-inactive.js` script with node |
| 183 | + * |
| 184 | + * defaults to 90 days if nothing is provided |
| 185 | + */ |
| 186 | + //inactiveTime: 90, // days |
| 187 | + |
| 188 | + /* CryptPad archives some data instead of deleting it outright. |
| 189 | + * This archived data still takes up space and so you'll probably still want to |
| 190 | + * remove these files after a brief period. |
| 191 | + * |
| 192 | + * cryptpad/scripts/evict-archived.js is intended to be run daily |
| 193 | + * from a crontab or similar scheduling service. |
| 194 | + * |
| 195 | + * The intent with this feature is to provide a safety net in case of accidental |
| 196 | + * deletion. Set this value to the number of days you'd like to retain |
| 197 | + * archived data before it's removed permanently. |
| 198 | + * |
| 199 | + * defaults to 15 days if nothing is provided |
| 200 | + */ |
| 201 | + //archiveRetentionTime: 15, |
| 202 | + |
| 203 | + /* It's possible to configure your instance to remove data |
| 204 | + * stored on behalf of inactive accounts. Set 'accountRetentionTime' |
| 205 | + * to the number of days an account can remain idle before its |
| 206 | + * documents and other account data is removed. |
| 207 | + * |
| 208 | + * Leave this value commented out to preserve all data stored |
| 209 | + * by user accounts regardless of inactivity. |
| 210 | + */ |
| 211 | + //accountRetentionTime: 365, |
| 212 | + |
| 213 | + /* Starting with CryptPad 3.23.0, the server automatically runs |
| 214 | + * the script responsible for removing inactive data according to |
| 215 | + * your configured definition of inactivity. Set this value to `true` |
| 216 | + * if you prefer not to remove inactive data, or if you prefer to |
| 217 | + * do so manually using `scripts/evict-inactive.js`. |
| 218 | + */ |
| 219 | + //disableIntegratedEviction: true, |
| 220 | + |
| 221 | + /* Max Upload Size (bytes) |
| 222 | + * this sets the maximum size of any one file uploaded to the server. |
| 223 | + * anything larger than this size will be rejected |
| 224 | + * defaults to 20MB if no value is provided |
| 225 | + */ |
| 226 | + //maxUploadSize: 20 * 1024 * 1024, |
| 227 | + |
| 228 | + /* Users with premium accounts (those with a plan included in their customLimit) |
| 229 | + * can benefit from an increased upload size limit. By default they are restricted to the same |
| 230 | + * upload size as any other registered user. |
| 231 | + * |
| 232 | + */ |
| 233 | + //premiumUploadSize: 100 * 1024 * 1024, |
| 234 | + |
| 235 | + /* ===================== |
| 236 | + * DATABASE VOLUMES |
| 237 | + * ===================== */ |
| 238 | + |
| 239 | + /* |
| 240 | + * CryptPad stores each document in an individual file on your hard drive. |
| 241 | + * Specify a directory where files should be stored. |
| 242 | + * It will be created automatically if it does not already exist. |
| 243 | + */ |
| 244 | + filePath: "./datastore/", |
| 245 | + |
| 246 | + /* CryptPad offers the ability to archive data for a configurable period |
| 247 | + * before deleting it, allowing a means of recovering data in the event |
| 248 | + * that it was deleted accidentally. |
| 249 | + * |
| 250 | + * To set the location of this archive directory to a custom value, change |
| 251 | + * the path below: |
| 252 | + */ |
| 253 | + archivePath: "./data/archive", |
| 254 | + |
| 255 | + /* CryptPad allows logged in users to request that particular documents be |
| 256 | + * stored by the server indefinitely. This is called 'pinning'. |
| 257 | + * Pin requests are stored in a pin-store. The location of this store is |
| 258 | + * defined here. |
| 259 | + */ |
| 260 | + pinPath: "./data/pins", |
| 261 | + |
| 262 | + /* if you would like the list of scheduled tasks to be stored in |
| 263 | + a custom location, change the path below: |
| 264 | + */ |
| 265 | + taskPath: "./data/tasks", |
| 266 | + |
| 267 | + /* if you would like users' authenticated blocks to be stored in |
| 268 | + a custom location, change the path below: |
| 269 | + */ |
| 270 | + blockPath: "./block", |
| 271 | + |
| 272 | + /* CryptPad allows logged in users to upload encrypted files. Files/blobs |
| 273 | + * are stored in a 'blob-store'. Set its location here. |
| 274 | + */ |
| 275 | + blobPath: "./blob", |
| 276 | + |
| 277 | + /* CryptPad stores incomplete blobs in a 'staging' area until they are |
| 278 | + * fully uploaded. Set its location here. |
| 279 | + */ |
| 280 | + blobStagingPath: "./data/blobstage", |
| 281 | + |
| 282 | + decreePath: "./data/decrees", |
| 283 | + |
| 284 | + /* CryptPad supports logging events directly to the disk in a 'logs' directory |
| 285 | + * Set its location here, or set it to false (or nothing) if you'd rather not log |
| 286 | + */ |
| 287 | + logPath: "./data/logs", |
| 288 | + |
| 289 | + /* ===================== |
| 290 | + * Debugging |
| 291 | + * ===================== */ |
| 292 | + |
| 293 | + /* CryptPad can log activity to stdout |
| 294 | + * This may be useful for debugging |
| 295 | + */ |
| 296 | + logToStdout: false, |
| 297 | + |
| 298 | + /* CryptPad can be configured to log more or less |
| 299 | + * the various settings are listed below by order of importance |
| 300 | + * |
| 301 | + * silly, verbose, debug, feedback, info, warn, error |
| 302 | + * |
| 303 | + * Choose the least important level of logging you wish to see. |
| 304 | + * For example, a 'silly' logLevel will display everything, |
| 305 | + * while 'info' will display 'info', 'warn', and 'error' logs |
| 306 | + * |
| 307 | + * This will affect both logging to the console and the disk. |
| 308 | + */ |
| 309 | + logLevel: "info", |
| 310 | + |
| 311 | + /* clients can use the /settings/ app to opt out of usage feedback |
| 312 | + * which informs the server of things like how much each app is being |
| 313 | + * used, and whether certain clientside features are supported by |
| 314 | + * the client's browser. The intent is to provide feedback to the admin |
| 315 | + * such that the service can be improved. Enable this with `true` |
| 316 | + * and ignore feedback with `false` or by commenting the attribute |
| 317 | + * |
| 318 | + * You will need to set your logLevel to include 'feedback'. Set this |
| 319 | + * to false if you'd like to exclude feedback from your logs. |
| 320 | + */ |
| 321 | + logFeedback: false, |
| 322 | + |
| 323 | + /* CryptPad supports verbose logging |
| 324 | + * (false by default) |
| 325 | + */ |
| 326 | + verbose: false, |
| 327 | + |
| 328 | + /* Surplus information: |
| 329 | + * |
| 330 | + * 'installMethod' is included in server telemetry to voluntarily |
| 331 | + * indicate how many instances are using unofficial installation methods |
| 332 | + * such as Docker. |
| 333 | + * |
| 334 | + */ |
| 335 | + installMethod: "unspecified", |
| 336 | +}; |
0 commit comments