# TMI Example Configuration File
#
# This file provides an example configuration for the TMI server.
# Copy this to config-development.yml or config-production.yml and customize.
#
# Environment variables can override configuration values; most use TMI_ prefixed names
# (the exact variable name for a key is given in the comment next to it).
#
# Required environment variables:
# TMI_DATABASE_URL=postgres://user:pass@localhost:5432/tmi?sslmode=disable
#
# Optional environment variables:
# TMI_SERVER_PORT=9090
# TMI_JWT_SECRET=your-jwt-secret
# OAUTH_PROVIDERS_GOOGLE_CLIENT_ID=your-google-client-id
#
server:
  port: "8080" # Server port
  # 0.0.0.0 binds every interface; prefer a loopback or internal address when a
  # reverse proxy terminates client connections in front of the server.
  interface: "0.0.0.0" # Interface to bind to (0.0.0.0 for all)
  read_timeout: "5s" # HTTP read timeout
  write_timeout: "10s" # HTTP write timeout
  idle_timeout: "1m0s" # HTTP idle timeout
  # TLS is off here for local development only. The session cookie's `secure`
  # flag is auto-derived from this value (see the auth cookie settings), so
  # leaving it false outside dev also leaves the cookie sendable over plain HTTP.
  tls_enabled: false # Enable HTTPS/TLS
  tls_cert_file: "" # Path to TLS certificate file
  tls_key_file: "" # Path to TLS key file
  tls_subject_name: "localhost" # TLS certificate subject name
  http_to_https_redirect: true # Redirect HTTP to HTTPS when TLS enabled
  # CORS configuration
  # NOTE(review): nesting of `cors` under `server` was reconstructed from an
  # un-indented rendering of this file — confirm against the config struct.
  cors:
    # Allowed origins for cross-origin requests (required in production).
    # In dev mode (logging.is_dev=true), any origin is allowed, so this list only
    # takes effect once logging.is_dev is false.
    # Env: TMI_CORS_ALLOWED_ORIGINS (comma-separated)
    allowed_origins: []
    # Example for production:
    # allowed_origins:
    #   - "https://app.example.com"
    #   - "https://admin.example.com"
database:
  # DATABASE_URL (12-factor app pattern) - REQUIRED
  # Supports: postgres://, mysql://, sqlserver://, sqlite:///, oracle://
  # The URL scheme determines the database type automatically.
  # Examples:
  # TMI_DATABASE_URL=postgres://user:pass@host:5432/db?sslmode=require
  # TMI_DATABASE_URL=mysql://user:pass@host:3306/db
  # TMI_DATABASE_URL=sqlserver://user:pass@host:1433?database=db
  # TMI_DATABASE_URL=sqlite:///path/to/file.db
  # TMI_DATABASE_URL=oracle://user:pass@host:1521/service_name
  # The URL embeds the database password: keep it in the environment or the
  # `secrets` provider below rather than in a committed config file, and keep
  # transport encryption on (e.g. sslmode=require for postgres) outside local dev.
  url: "" # Set via env var TMI_DATABASE_URL (REQUIRED)
  # Oracle Wallet location for Oracle Autonomous Database (ADB) connections
  # This cannot be encoded in the URL and must be specified separately.
  # oracle_wallet_location: "/path/to/wallet" # Set via env var TMI_ORACLE_WALLET_LOCATION
  # Connection pool settings (optional)
  connection_pool:
    max_open_conns: 25 # Maximum open connections to the database
    max_idle_conns: 25 # Maximum idle connections in the pool
    conn_max_lifetime: 300 # Maximum lifetime of a connection (seconds)
    conn_max_idle_time: 300 # Maximum idle time before connection is closed (seconds)
redis:
  host: "localhost" # Redis host
  port: "6379" # Redis port
  # An empty password means unauthenticated access; set one whenever Redis is
  # reachable from anywhere other than this host.
  password: "" # Redis password (if required)
  db: 0 # Redis database number
auth:
  # everyone_is_a_reviewer: false # Set true to auto-add all users to Security Reviewers group at first login
  jwt:
    # Placeholder only. Whoever knows this value can mint valid session tokens,
    # so generate a long random secret and supply it via TMI_JWT_SECRET.
    secret: "CHANGE_ME" # JWT signing secret (MUST be changed)
    expiration_seconds: 3600 # JWT token expiration (1 hour)
    signing_method: "HS256" # JWT signing method
  # HttpOnly session cookie configuration (XSS protection for browser clients)
  # NOTE(review): placement of `cookie` as a sibling of `jwt` was reconstructed
  # from an un-indented rendering of this file — confirm against the config struct.
  cookie:
    enabled: true # Enable HttpOnly cookie-based auth (default: true)
    # domain: "" # Cookie domain (auto-inferred from server base_url if empty)
    # secure: false # Require HTTPS for cookies (auto-derived from tls_enabled)
    # Env vars: TMI_COOKIE_ENABLED, TMI_COOKIE_DOMAIN, TMI_COOKIE_SECURE
  oauth:
    # Must match the redirect URI registered with each provider; use an https://
    # URL outside local development.
    callback_url: "http://localhost:8080/oauth2/callback" # OAuth callback URL
    providers:
      github:
        id: "github"
        name: "GitHub"
        enabled: false
        icon: "fa-brands fa-github"
        client_id: "" # Set via env var OAUTH_PROVIDERS_GITHUB_CLIENT_ID
        client_secret: "" # Set via env var OAUTH_PROVIDERS_GITHUB_CLIENT_SECRET
        authorization_url: "https://github.com/login/oauth/authorize"
        token_url: "https://github.com/login/oauth/access_token"
        auth_header_format: "token %s" # GitHub uses "token" instead of "Bearer"
        accept_header: "application/json"
        # Two userinfo calls: the second reads the email list, using the first
        # entry ("[0]") for the address and its verified flag.
        userinfo:
          - url: "https://api.github.com/user"
            claims:
              subject_claim: "id"
              name_claim: "name"
              picture_claim: "avatar_url"
          - url: "https://api.github.com/user/emails"
            claims:
              email_claim: "[0].email"
              email_verified_claim: "[0].verified"
        issuer: ""
        jwks_url: ""
        scopes:
          - "user:email"
        additional_params: {}
      google:
        id: "google"
        name: "Google"
        enabled: false
        icon: "fa-brands fa-google"
        client_id: "" # Set via env var OAUTH_PROVIDERS_GOOGLE_CLIENT_ID
        client_secret: "" # Set via env var OAUTH_PROVIDERS_GOOGLE_CLIENT_SECRET
        authorization_url: "https://accounts.google.com/o/oauth2/auth"
        token_url: "https://oauth2.googleapis.com/token"
        userinfo:
          - url: "https://www.googleapis.com/oauth2/v3/userinfo"
            claims: {} # Will use defaults: sub, email, name
        issuer: "https://accounts.google.com"
        jwks_url: "https://www.googleapis.com/oauth2/v3/certs"
        scopes:
          - "openid"
          - "profile"
          - "email"
        additional_params: {}
      microsoft:
        id: "microsoft"
        name: "Microsoft"
        enabled: false # Disabled by default
        icon: "fa-brands fa-microsoft"
        # NOTE(review): presumably overridable via the same OAUTH_PROVIDERS_<ID>_CLIENT_ID /
        # _CLIENT_SECRET env var pattern as the providers above — confirm.
        client_id: ""
        client_secret: ""
        # Choose endpoints based on your Azure AD app's signInAudience configuration:
        # For "AzureADandPersonalMicrosoftAccount" (all accounts):
        # authorization_url: "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
        # token_url: "https://login.microsoftonline.com/common/oauth2/v2.0/token"
        # For "PersonalMicrosoftAccount" (personal accounts only):
        authorization_url: "https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize"
        token_url: "https://login.microsoftonline.com/consumers/oauth2/v2.0/token"
        # For "AzureADMultipleOrgs" (work/school accounts only):
        # authorization_url: "https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize"
        # token_url: "https://login.microsoftonline.com/organizations/oauth2/v2.0/token"
        # For "AzureADMyOrg" (specific tenant only):
        # authorization_url: "https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/authorize"
        # token_url: "https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/token"
        # The issuer/jwks_url below are tied to the consumers endpoints above; if you
        # switch to the common/organizations/tenant endpoints, update them to match.
        userinfo:
          - url: "https://graph.microsoft.com/v1.0/me"
            claims:
              subject_claim: "id"
              email_claim: "mail"
              name_claim: "displayName"
              given_name_claim: "givenName"
              family_name_claim: "surname"
              email_verified_claim: "true" # Literal value - Microsoft accounts are always verified
        # Microsoft's consumer tenant ID (for personal accounts):
        issuer: "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0"
        jwks_url: "https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/discovery/v2.0/keys"
        scopes:
          - "openid"
          - "profile"
          - "email"
          - "User.Read"
        additional_params: {}
      # Built-in test provider. It ships enabled with a hard-coded client secret,
      # so set enabled: false (or at least replace the secret) in any deployment
      # that is reachable by anyone other than the developer running it.
      tmi:
        id: "tmi"
        name: "TMI Provider"
        enabled: true # Enable for configuration testing
        icon: "/static/provider-logos/signin/tmi.svg"
        client_id: "tmi-client-id"
        client_secret: "tmi-oauth-secret-12345"
        authorization_url: "http://localhost:8080/oauth2/authorize?idp=tmi"
        token_url: "http://localhost:8080/oauth2/token?idp=tmi"
        userinfo: [] # TMI provider handles this internally
        issuer: "tmi-oauth-provider"
        # NOTE(review): this URL ends at the .well-known/ directory rather than a
        # key-set document — confirm it is the path the server actually serves.
        jwks_url: "http://localhost:8080/.well-known/"
        scopes:
          - "openid"
          - "profile"
          - "email"
        additional_params: {}
  saml:
    enabled: false # Enable SAML authentication
    providers:
      # Example SAML provider configuration
      # okta:
      #   id: "saml_okta"
      #   name: "Okta"
      #   enabled: false
      #   icon: "fa-brands fa-okta" # Font Awesome icon, URL, or path
      #   entity_id: "https://tmi.example.com"
      #   acs_url: "https://tmi.example.com/saml/acs"
      #   slo_url: "https://tmi.example.com/saml/slo"
      #   idp_metadata_url: "" # Set via env var SAML_IDP_METADATA_URL
      #   sp_private_key_path: "" # Set via env var SAML_SP_PRIVATE_KEY_PATH
      #   sp_certificate_path: "" # Set via env var SAML_SP_CERTIFICATE_PATH
      #   email_attribute: "email"
      #   name_attribute: "displayName"
      #   groups_attribute: "groups"
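websocket:
  # Sessions with no activity are cleaned up after this timeout.
  # Minimum value: 15 seconds
  # Environment override: WEBSOCKET_INACTIVITY_TIMEOUT_SECONDS
  # Kept on one line: the previous layout put the value on a continuation line
  # under the key, which reads like a nested value and is easy to break when editing.
  inactivity_timeout_seconds: 300 # WebSocket inactivity timeout (5 minutes)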
logging:
  level: "info" # Log level (debug/info/warn/error)
  # Development mode also disables CORS origin checks (see server.cors), so this
  # must be false wherever allowed_origins is expected to be enforced.
  is_dev: true # Development mode (includes file/line info)
  is_test: false # Test mode (uses in-memory stores)
  log_dir: "logs" # Directory for log files
  max_age_days: 7 # Max age of log files in days
  max_size_mb: 100 # Max size of log files in MB
  max_backups: 10 # Max number of log file backups
  also_log_to_console: true # Also log to console/stdout
# Identity of whoever runs this instance; both fields are informational.
operator:
  name: "" # Operator/maintainer name (set via env var OPERATOR_NAME)
  contact: "" # Operator contact info - email/URL (set via env var OPERATOR_CONTACT)
# Users or groups granted administrator rights at login.
# NOTE(review): top-level placement was reconstructed from an un-indented
# rendering of this file — confirm against the config struct.
# Matching by provider_id binds the grant to the provider's stable user ID;
# matching by email alone trusts the provider's email claim, so use it only
# when no provider_id is available. Replace the sample entry below before
# deploying — it would grant admin to the holder of that Google account ID.
administrators:
  # Example: Administrator by Google provider ID (preferred method)
  - provider: "google" # OAuth/SAML provider ID (required)
    provider_id: "101155414856250184779" # Provider's unique user ID (preferred)
    email: "admin@example.com" # Provider's email (optional, for reference)
    subject_type: "user" # "user" or "group" (required)
  # Example: Administrator by email when provider_id not available
  # - provider: "github"
  #   email: "admin@example.com"
  #   subject_type: "user"
  # Example: Group-based administrator
  # - provider: "microsoft"
  #   group_name: "platform-admins"
  #   subject_type: "group"
  # For Heroku deployments (single administrator only):
  # Set environment variables instead of YAML:
  # TMI_ADMIN_PROVIDER=google
  # TMI_ADMIN_PROVIDER_ID=101155414856250184779
  # TMI_ADMIN_EMAIL=admin@example.com # Optional
  # TMI_ADMIN_SUBJECT_TYPE=user # or "group"
  # TMI_ADMIN_GROUP_NAME=group-name # Only for groups
# Secret Management
# TMI can retrieve secrets from external providers instead of environment variables.
# This is useful for production deployments where secrets should not be in env vars.
secrets:
  # Provider: "env" (default), "aws", "oci"
  # Future providers (config only, not implemented): "vault", "azure", "gcp"
  provider: "env" # Set via env var TMI_SECRETS_PROVIDER
  # AWS Secrets Manager
  # Secrets are stored as a JSON object with keys matching TMI_SECRET_* names
  # Example: {"JWT_SECRET": "secret-value", "DATABASE_PASSWORD": "db-pass"}
  aws:
    region: "" # AWS region (env: TMI_AWS_REGION)
    secret_name: "" # Secret name in AWS Secrets Manager (env: TMI_AWS_SECRET_NAME)
    # Authentication: Uses AWS SDK default credential chain
    # (env vars, IAM role, ~/.aws/credentials, etc.)
    # Scope the IAM role/user to read only this secret rather than all secrets.
  # OCI Vault Secrets
  # Supports both single JSON secret (like AWS) and multiple individual secrets
  oci:
    compartment_id: "" # OCI compartment OCID (env: TMI_OCI_COMPARTMENT_ID)
    vault_id: "" # OCI vault OCID (env: TMI_OCI_VAULT_ID)
    secret_name: "" # Single JSON secret name (env: TMI_OCI_SECRET_NAME)
    # If secret_name is empty, retrieves individual secrets by key name
    # Authentication: Uses OCI SDK default config (~/.oci/config or instance principal)
  # HashiCorp Vault (config only - implementation deferred)
  # vault:
  #   address: "" # Vault server address (env: TMI_VAULT_ADDRESS)
  #   token: "" # Vault token (env: TMI_VAULT_TOKEN)
  #   path: "" # Secret path in Vault (env: TMI_VAULT_PATH)
  # Azure Key Vault (config only - implementation deferred)
  # azure:
  #   vault_url: "" # Key Vault URL (env: TMI_AZURE_VAULT_URL)
  # GCP Secret Manager (config only - implementation deferred)
  # gcp:
  #   project_id: "" # GCP project ID (env: TMI_GCP_PROJECT_ID)
  #   secret_name: "" # Secret name (env: TMI_GCP_SECRET_NAME)