-
Notifications
You must be signed in to change notification settings - Fork 14
/
config.yml.sample
238 lines (216 loc) · 10 KB
/
config.yml.sample
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
#! THIS FILE USING YTT(https://github.com/k14s/ytt/) FORMAT
#! this is a general config for all related stuffs
#@data/values
---
#! Once config.yml changed you should rerun ./init.sh to regenerate `dest`/docker-compose.yml
#! if PERSISTENCEPATH is relative, it relates to `dest`/docker-compose.yml
persistencepath: .
#! [WARNING] DO NOT DOWNGRADE WITHOUT A CLEAN DB SINCE SCHEMA CANNOT DOWNGRADE.
#! latest tested version is : v1.277.3
#! [NOTE] Pin mysql version to 8.4 to make server compatible with argument "mysql-native-password"
#! [NOTE] You could also try my (upgraded) syncserver3 in Python3, No data integrity guaranteed!
#! [NOTE] Since we use docker-compose-wait to build wait chain, so ./wait binary in dest folder is not necessary, you could delete it.
#! [WORKAROUND] patch fxa-auth-server https://github.com/mozilla/fxa/issues/16491
#! [NOTE] Although channelserver issue fixed , still using latest sha256 digest tag.
#! [NOTE] don't use fxa version between 1.250.x to 1.258.x, https://github.com/mozilla/fxa/issues/15320
#! [NOTE] from v1.242.4 mysql version upgrade to 8.0.16+
#! [WORKAROUND] we use method 2 to to resolve below issue
#! [ISSUE] cannot change avatar due to https://github.com/mozilla/fxa/pull/7972 -> checkAvatar -> we have same domain with monogramUrl's one. issue: https://github.com/mozilla/fxa/issues/12426
#! so either 1. use different domain like profile-img or 2. patch it
#! [WORKAROUND] add LASTACCESSTIME_UPDATES_SAMPLE_RATE=1 to make sync api/v1/account/devices not return 500. see https://github.com/mozilla/fxa/issues/12373
#! [ISSUE][RESOLVED] v1.222.0 db-migration db connection need not workaround now.
#! [WORKAROUD] v1.219.5 require smtp.user and smtp.pass (even not used) to make fxa-auth-server not send mail by AWS SES. (will cause a crash if AWS_ACCESS_KEY not set)
#! [WORKAROUD] v1.215.4 workaround for 1. graphql-api's internal connection to fxa-auth-server (see debug.full_self_sign_workaround) and 2. db-migration db connection.
#! [NOTE] from v1.215.2 mysql version upgrade to 5.7 . docker-compose requires supporting `service_completed_successfully`
#! [ISSUE][RESOLVED] v1.196.0 oauth.domain.local/config return 404 causing syncserver fail to start.; fixed in https://github.com/mozilla/fxa/pull/7204
#! [NOTE]from v1.192.0 all fxa docker's image are merge into mozilla/fxa-mono so it's a breaking change!
#! [ISSUE][RESOLVED] v1.172.0 500 error after new-signup connect-another-device page maybe caused by https://github.com/mozilla/fxa/commit/2f9729154 ; fixed in https://github.com/mozilla/fxa/pull/5477
#! [NOTE] v1.173+ change base docker image . missing key_*.json in fxa-auth-server so we change to branch br-v1.174.0 to apply breaking changes
#! by default we use tested version , using latest at your own risk.
fxa_version: "v1.277.3"
option:
sync:
#! set true to keep all your sync items not expired
neverexpire: false
#! for device pairing
channelserver:
enable: true
#! Since send is EOL , so use it at your own risk
send:
enable: false
settings:
#! settings are upperize to send ENV
#! [TODO] send android , client_id 20f7931c9054d833
fxa_client_id: "fced6b5e3f4c66b9"
#![TODO] file_dir need volumes or not or ....
max_file_size:
#! for security and network bandwith/traffic sake , you'd better not allow annoymous user to use your send in the internet
#! see : https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/
#! see https://portswigger.net/daily-swig/firefox-send-suspended-amid-concern-over-malware-abuse
#! [NOTE] number 0 will be treated as false
anon_max_file_size: "0"
#! expire_times_seconds array format "a,b,c"
expire_times_seconds:
default_expire_seconds:
max_expire_seconds:
anon_max_expire_seconds:
max_downloads:
anon_max_downloads:
max_files_per_archive:
max_archives_per_user:
#! download_counts array format "a,b,c"
download_counts:
notes:
enable: false
settings:
#! client_id is a must , depends on what you set in https://github.com/mozilla/notes/src/background.js
#! client_id should equal to _init/auth/oauthserver-prod
client_id:
webext: #! sample: "a3dbd8c5a6fd93e2"
android: #! sample: "7f368c6886429f19"
#! According to https://blog.mozilla.org/addons/2020/07/09/changes-to-storage-sync-in-firefox-79/
#! since Firefox 79 ,it will use syncserver to replace kinto in webextension storage.sync API, so disabled by default
#! if you still want to use this , make about:config webextensions.storage.sync.kinto : true and webextensions.storage.sync.serverURL point to kinto domain name below
webext_storagesync:
enable: false
settings:
#! you shall not change this , "5882386c6d801776" means firefox
client_id : "5882386c6d801776"
#! [deprecated] fxa-oauth.clients.storagesync.client_id: "5882386c6d801776"
#! last tested 13.6.3
kinto_version: "latest"
#! [TODO] intergate with kinto
#! both with_notes and with_webext_storagesync need kinto server and it's postgres
#! see kinto usage https://wiki.mozilla.org/Firefox/Kinto
#! https://testpilot.settings.services.mozilla.com/v1/
#! client_id 5882386c6d801776 == firefox
#! https://webextensions.settings.services.mozilla.com/v1/
#! [TODO] make docker-compose.tmp.yml data.values.domain.name and etc reusable via define
#! domain name related stuff
domain:
#! base name
name: "fxa.example.local"
#! for content-server
content: "www"
auth: "api"
oauth: "oauth"
#! for profile server
profile: "profile"
#! for syncserver
sync: "token"
#! for graphql-api
graphql: "graphql"
#! must if option.channelserver.enable == true
channelserver: "channelserver"
#! for firefox send
#! must if option.send.enable == true
send: "send"
#! for notes and webextension storage.sync
kinto: "kinto"
nginx:
#! port or ip/port or unix socket folder
#! for those who want to reverse proxy ( and then we do not a host resolver ,because we just proxy_pass ip/port )
#! can be a folder contains unix socket like "/var/run/fxa-selfhosing" with ssl = false and unix_socket = true-> socket filename is nginx.sock
#! make sure your reverse proxy have permission to access the folder.
listener: "443"
#! set to true is `listener` is a unix socket
unix_socket: false
#! if false certs are not required and another fxa_nossl.conf is used
#! set to false is `listener` is a unix socket
ssl: true
#! used if `ssl` is true
certs:
#! wild will only be used if detailed cert is not specified.
#! certs location is absoulte or related to `dest`/docker-compose.yml
#! cert can be self-signed with debug.full_self_sign_workaround: true. see more examples/full_selfsign.
wild:
cert: "./cert/wild.cer"
key: "./cert/wild.key"
content:
cert: "./cert/content.cer"
key: "./cert/content.key"
auth:
cert:
key:
oauth:
cert:
key:
profile:
cert:
key:
sync:
cert:
key:
channelserver:
cert:
key:
graphql:
cert:
key:
send:
cert:
key:
kinto:
cert:
key:
mail:
#! types are "localhelper" , "localrelay" ,"3rd"
#! smtp_user/smtp_pass is required for "localrelay" and "3rd" (can be any non-null string) even not used.
#! "localhelper" uses fxa-auth-local-mail-helper which self sending and receiving and smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure do not affect.
#! mails are stored in memory , remeber to clean them (by DELETE api or restart container)
#! "localrelay" use exim-sender and smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure do not affect.
#! "3rd" send mail to 3rd (like gmail etc)
type: "3rd"
#! for "3rd": refer to your mail service provider
smtp_host:
smtp_port:
smtp_user:
smtp_pass:
smtp_secure:
#! if smtp_sender empty use "Firefox Accounts <no-reply@domain.name>" default
smtp_sender:
#! only for "localhelper"
#! web api
localhelper:
web: "127.0.0.1:9001"
#! Here we can add some custom OAuth Client
#! for example we add a OAuth Client which can read / write your sync data after granted by you
oauth:
clients:
#! [NOTE] DO NOT ENABLE BELOW IF NOT USED
#! - id: deadbeafdeadbeaf
#! #! hex secret 0b2b91549678167e4870d76e2b94024b2954cb8605e4a2e8179ab80ecf40b287
#! hashedSecret: b88d5613f75ed5362ecb8c263be5b918aafbb23aac39f817eac44cbe4df7cda3
#! name: SyncManager
#! imageUri: ''
#! #! if generate_redirectUri will automatic generate redircturi : https://{content}.{domain_name}/oauth/success/{id}
#! generate_redirectUri: true
#! redirectUri:
#! trusted: true
#! #! some explain https://github.com/mozilla/fxa/blob/96cbbccfaed1de93d556a2259554acfabeb4cbe5/packages/fxa-auth-server/lib/oauth/authorized_clients.js#L55
#! canGrant: true
#! publicClient: true
#! #! redirecturi will be add to contetserver.prod.tmp.yml if scope matches
#! #! allowedScopes is a space-seperated string
#! allowedScopes: https://identity.mozilla.com/apps/oldsync
secrets:
authsecret: "What3v3r"
flowidkey: "MY_FLOW_ID_KEY"
profileserver_authsecret_bearertoken: "I_DONT_WANT_TO_CHANGE_YOU"
debug:
#! for register preverifed account , we need to set fxa-auth-server 's NODE_ENV not to be `prod`
#! see fxa-auth-server/lib/routes/account.js `delete routes[0].options.validate.payload.preVerified;`
auth_server_preverifed : false
deps_logs : false
#! make a e2e test compose file
#! require mail.type == localhelper
e2e_test:
enable: false
#! only used when full_self_sign_workaroud == true
root_cert:
#! workaroud for fxa-graphql-api with full self sign
#! if you want fxa-graphql-api communicate with fxa-auth-server internally , turn this `true`
#! [WARN] browserid-verifier will not work. Since BrowserID is deprecated, just do not use old browser or python `syncclient`
full_self_sign_workaround: false
#! Use a [python3 version syncserver](https://github.com/jackyzy823/syncserver3)
use_syncserver3: false