#------------------------------------------------------------------------------
# Sample Mokey Config
#
# Copy this file to your mokey config location and fill in the site specific
# values. NOTE(review): several keys further down hold secrets
# (email.token_secret, email.smtp_password, server.csrf_secret,
# storage.redis.url). Keep this file readable only by the account mokey runs
# as (e.g. mode 0600), the same way you protect the keytab referenced below.
#------------------------------------------------------------------------------
#------------------------------------------------------------------------------
# Site specific configuration
#------------------------------------------------------------------------------
[site]
# Display name of your site
name = "Identity Management"
# Homepage of your organization (used as a link target; empty disables it)
homepage = ""
# Link to your sites help pages
help_url = ""
# Link to your getting started guide
getting_started_url = ""
# Link to your terms of service
tos_url = ""
# Path to custom favicon.ico file
favicon = ""
# Path to logo
logo = ""
# Path to custom css styles file
css = ""
# Path to local template override directory. You can override one or more
# of the templates using this directory. Templates are executable content:
# an override that renders user supplied values without escaping can
# introduce XSS, so review overrides as carefully as code.
# templates_dir = "/usr/share/mokey/templates"
# Path to local static assets directory. This is used to host all
# css/javascript/images assets locally. Only used for advanced customization.
# static_assets_dir = "/usr/share/mokey/assets"
# User account for the mokey service. Presumably the Kerberos principal name
# (without realm) that the keytab below was created for -- confirm they match.
ktuser = "mokeyapp"
# Path to keytab file. This is a long-lived credential for ktuser: keep it
# readable only by the mokey service account.
keytab = "/etc/mokey/private/mokeyapp.keytab"
# Alternative example for the `logo` key above (same key, shown here with a
# concrete path); set one or the other, not both.
# logo = "/etc/mokey/assets/my-logo.png"
#------------------------------------------------------------------------------
# User account settings
#------------------------------------------------------------------------------
[accounts]
# Default home directory (base path; the username is presumably appended)
default_homedir = "/home"
# Default login shell
default_shell = "/bin/bash"
# Minimum password length. Used for validating new passwords. Should match your
# password policy set in FreeIPA: this is a client-side check in mokey, and
# FreeIPA still applies its own policy, so a mismatch only turns a server-side
# rejection into a confusing error for the user rather than weakening anything.
min_passwd_len = 8
# Minimum password classes. Classes are lowercase, uppercase, numbers, and
# special characters. Used for validating new passwords. Should match your
# password policy set in FreeIPA (same caveat as min_passwd_len).
min_passwd_classes = 2
# Hash algorithm for generating OTP tokens: sha1, sha256, or sha512.
# NOTE(review): sha1 is the algorithm that authenticator apps support most
# widely; some apps ignore or reject sha256/sha512. Test with the apps your
# users rely on before changing this.
otp_hash_algorithm = "sha1"
# Custom issuer name for OTP tokens. This creates a nice name for importing into authenticator apps
otp_issuer = "MYORG"
# Block list of user accounts from logging in to mokey. This presumably does
# not disable the account in FreeIPA itself -- disable it there if the user
# must be locked out of every service.
# block_users = ["username1", "username2", "username3"]
# Extract username from email address
username_from_email = false
# Allowed domains. Format is {"domain": "username-generator"}, where
# username-generator can be one of the following username generator algorithms:
# - default = takes username part from email
# - flast = assumes emails are formatted [email protected]
# Generates usernames using the first letter firstname + last name.
# Example: [email protected] = jdoe
# allowed_domains = {"example.edu" = "default", "example.com" = "flast"}
# Require Two-Factor authentication on all accounts. This prevents users from
# uploading ssh keys and displays a warning message reminding users to enable
# Two-Factor authentication.
require_mfa = false
# Require FreeIPA admin to activate the account. With this option enabled new
# accounts are disabled by default until a FreeIPA admin activates them.
# Recommended wherever self-service signup is reachable from untrusted
# networks, so that registration alone does not grant a working account.
require_admin_verify = false
# By default, login attempts for non-existent user accounts will be shown an
# error message indicating that the username is not found in the system. If
# your site is concerned about the potential for username enumeration attacks,
# you could hide this error message by setting this to true.
# NOTE(review): this covers the login form error text only; check whether
# other flows (password reset, registration, response timing) also reveal
# whether a username exists before relying on it.
hide_invalid_username_error = false
#------------------------------------------------------------------------------
# Email
#------------------------------------------------------------------------------
[email]
# Base URL used for email links. This should be the URL where mokey is being
# hosted and defaults to the hostname used in the http request. Set this value
# to hard code the base_url.
# NOTE(review): because the default is taken from the incoming request, a
# client that can reach mokey with an arbitrary Host header may be able to
# influence the links placed in password reset / account verify emails. Set
# this explicitly in production rather than relying on the request hostname.
# base_url = "https://localhost"
# Max lifetime (seconds) of branca tokens used for password resets and account
# verify. Shorter windows limit how long a leaked reset link stays usable.
token_max_age = 3600
# Secret key for branca tokens. Must be 32 bytes. To generate run:
# openssl rand -hex 32
# NOTE(review): that command prints 64 hex characters encoding 32 random
# bytes -- confirm whether mokey expects the raw 32-byte string or the hex
# form. Leaving this empty is not safe for production. Rotating it presumably
# invalidates every outstanding reset/verify token.
token_secret = ""
# Hostname for smtp server
smtp_host = "localhost"
# Port for smtp server
smtp_port = 25
# Enable smtp tls. With "off" mail (and any SMTP credentials below) is sent in
# clear text; only acceptable for a loopback or otherwise trusted relay.
smtp_tls = "off"
# SMTP Authentication Credentials (a secret; see the note at the top of this
# file about restricting permissions on the config)
#smtp_username = ""
#smtp_password = ""
# Email signature to append to end of all emails
signature = ""
# From email address
from = "[email protected]"
#------------------------------------------------------------------------------
# Server settings
#------------------------------------------------------------------------------
[server]
# Address and port to listen. "0.0.0.0" binds every interface; if mokey sits
# behind a reverse proxy on the same host, bind to 127.0.0.1 instead so the
# unproxied port is not reachable directly.
listen = "0.0.0.0:8866"
# Times out the session after inactivity (in seconds)
session_idle_timeout = 900
# Path to ssl certificate. With ssl_cert/ssl_key unset mokey presumably serves
# plain HTTP, which is only acceptable behind a TLS-terminating proxy.
# ssl_cert = ""
# Path to ssl key
# ssl_key = ""
# Require secure cookies. Presumably sets the cookie Secure attribute, so
# browsers only send the session cookie over HTTPS -- keep this true and
# make sure users reach mokey over TLS (directly or via a proxy).
secure_cookies = true
# CSRF token secret key. Should be a random string, e.g. from
# `openssl rand -hex 32`. Do not leave it empty in production.
csrf_secret = ""
# Timeouts (seconds)
read_timeout = 5
write_timeout = 5
idle_timeout = 120
# Rate limiter
# Expiration time in seconds on how long to keep records of requests
rate_limit_expiration = 60
# Max number of recent connections during rate_limit_expiration seconds before sending a 429 response.
# NOTE(review): if mokey runs behind a proxy, confirm how it derives the
# client address; if the limiter sees only the proxy's IP, all users share
# one bucket.
rate_limit_max = 25
# Enable prometheus metrics endpoint. WARNING: there is no authentication
# required for this endpoint and it's recommended to proxy this behind
# something like nginx and enable appropriate access controls.
enable_metrics = false
#------------------------------------------------------------------------------
# Storage
#------------------------------------------------------------------------------
[storage]
# Storage driver. Supported drivers: memory, sqlite3, and redis.
# "memory" is process-local: sessions are presumably lost on restart and
# cannot be shared between multiple mokey instances.
driver = "memory"
[storage.sqlite3]
# Path to sqlite3 database used for session storage. It holds live session
# data, so keep the file (and its directory) readable only by the mokey
# service account.
# dbpath = "/srv/mokey/storage/mokey.db"
[storage.redis]
# Redis URL. The credentials are embedded in the URL, so this is a secret;
# prefer a loopback or private-network Redis and protect this config file.
# url = "redis://<user>:<pass>@127.0.0.1:6379/<db>"
#------------------------------------------------------------------------------
# Hydra
#------------------------------------------------------------------------------
[hydra]
# Settings for the Hydra (OAuth2/OIDC) login/consent integration. The examples
# are written as TOML key = value pairs so they can be uncommented as-is.
# URL of the Hydra admin API. The admin API is unauthenticated by design;
# it must never be reachable from untrusted networks -- keep it on loopback
# or a private network.
# admin_url = "http://localhost:4445"
# Login timeout, presumably in seconds -- confirm against the mokey docs.
# login_timeout = 3600
# Tell Hydra that TLS is terminated upstream. Only set this when mokey really
# sits behind a TLS-terminating proxy; otherwise the login/consent flow may
# run over plain HTTP.
# fake_tls_termination = true