forked from zulip/zulip
-
Notifications
You must be signed in to change notification settings - Fork 0
/
prod_settings_template.py
449 lines (396 loc) · 19.2 KB
/
prod_settings_template.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
from typing import Optional
# Zulip Settings intended to be set by a system administrator.
#
# See https://zulip.readthedocs.io/en/latest/subsystems/settings.html for
# detailed technical documentation on the Zulip settings system.
#
### MANDATORY SETTINGS
#
# These settings MUST be set in production. In a development environment,
# sensible default values will be used.
# The user-accessible Zulip hostname for this installation, e.g.
# zulip.example.com. This should match what users will put in their
# web browser. If you want to allow multiple hostnames, add the rest
# to ALLOWED_HOSTS.
#
# If you need to access the server on a specific port, you should set
# EXTERNAL_HOST to e.g. zulip.example.com:1234 here.
EXTERNAL_HOST = 'zulip.example.com'
# The email address for the person or team who maintains the Zulip
# installation. Note that this is a public-facing email address; it may
# appear on 404 pages, is used as the sender's address for many automated
# emails, and is advertised as a support address. An email address like
# [email protected] is totally reasonable, as is [email protected].
# Do not put a display name; e.g. '[email protected]', not
# 'Zulip Support <[email protected]>'.
ZULIP_ADMINISTRATOR = '[email protected]'
# Configure the outgoing Email (aka SMTP) server below. You will need
# working SMTP to complete the installation process, in addition to
# sending email address confirmations, missed message notifications,
# onboarding follow-ups, and other user needs. If you do not have an
# SMTP server already, we recommend services intended for developers
# such as Mailgun. Detailed documentation is available at:
#
# https://zulip.readthedocs.io/en/latest/production/email.html
#
# To configure SMTP, you will need to complete the following steps:
#
# (1) Fill out the outgoing email sending configuration below.
#
# (2) Put the SMTP password for EMAIL_HOST_USER in
# /etc/zulip/zulip-secrets.conf as e.g.:
#
# email_password = abcd1234
#
# You can quickly test your sending email configuration using:
# su zulip
# /home/zulip/deployments/current/manage.py send_test_email [email protected]
#
# A common problem is hosting provider firewalls that block outgoing SMTP traffic.
#
#EMAIL_HOST = 'smtp.example.com'
#EMAIL_HOST_USER = ''
#EMAIL_PORT = 587
#EMAIL_USE_TLS = True
## OPTIONAL SETTINGS
# The noreply address to be used as the sender for certain generated
# emails. Messages sent to this address could contain sensitive user
# data and should not be delivered anywhere. The default is
# e.g. [email protected] (if EXTERNAL_HOST is
# zulip.example.com).
#NOREPLY_EMAIL_ADDRESS = '[email protected]'
# Many countries and bulk mailers require certain types of email to display
# a physical mailing address to comply with anti-spam legislation.
# Non-commercial and non-public-facing installations are unlikely to need
# this setting.
# The address should have no newlines.
#PHYSICAL_ADDRESS = ''
# A comma-separated list of strings representing the host/domain names
# that your users can enter in their browsers to access Zulip.
# This is a security measure; for details, see the Django documentation:
# https://docs.djangoproject.com/en/1.11/ref/settings/#allowed-hosts
#
# Zulip automatically adds to this list 'localhost', '127.0.0.1', and
# patterns representing EXTERNAL_HOST and subdomains of it. If you are
# accessing your server by other hostnames, list them here.
#
# Note that these should just be hostnames, without port numbers.
#ALLOWED_HOSTS = ['zulip-alias.example.com']
### AUTHENTICATION SETTINGS
#
# Enable at least one of the following authentication backends.
# See https://zulip.readthedocs.io/en/latest/production/authentication-methods.html
# for documentation on our authentication backends.
#
# The install process requires EmailAuthBackend (the default) to be
# enabled. If you want to disable it, do so after creating the
# initial realm and user.
AUTHENTICATION_BACKENDS = (
'zproject.backends.EmailAuthBackend', # Email and password; just requires SMTP setup
# 'zproject.backends.GoogleMobileOauth2Backend', # Google Apps, setup below
# 'zproject.backends.GitHubAuthBackend', # GitHub auth, setup below
# 'zproject.backends.ZulipLDAPAuthBackend', # LDAP, setup below
# 'zproject.backends.ZulipRemoteUserBackend', # Local SSO, setup docs on readthedocs
)
# To set up Google authentication, you'll need to do the following:
#
# (1) Visit https://console.developers.google.com/ , navigate to
# "APIs & Services" > "Credentials", and create a "Project" which will
# correspond to your Zulip instance.
#
# (2) Navigate to "APIs & services" > "Library", and find the
# "Google+ API". Choose "Enable".
#
# (3) Return to "Credentials", and select "Create credentials".
# Choose "OAuth client ID", and follow prompts to create a consent
# screen. Fill in "Authorized redirect URIs" with a value like
# https://zulip.example.com/accounts/login/google/done/
# based on your value for EXTERNAL_HOST.
#
# (4) You should get a client ID and a client secret. Copy them.
# Use the client ID as `GOOGLE_OAUTH2_CLIENT_ID` here, and put the
# client secret in zulip-secrets.conf as `google_oauth2_client_secret`.
#GOOGLE_OAUTH2_CLIENT_ID = <your client ID from Google>
# To set up GitHub authentication, you'll need to do the following:
#
# (1) Register an OAuth2 application with GitHub at one of:
# https://github.com/settings/developers
# https://github.com/organizations/ORGNAME/settings/developers
# Fill in "Callback URL" with a value like
# https://zulip.example.com/complete/github/ as
# based on your value for EXTERNAL_HOST.
#
# (2) You should get a page with settings for your new application,
# showing a client ID and a client secret. Use the client ID as
# `SOCIAL_AUTH_GITHUB_KEY` here, and put the client secret in
# zulip-secrets.conf as `social_auth_github_secret`.
#SOCIAL_AUTH_GITHUB_KEY = <your client ID from GitHub>
# (3) Optionally, you can configure the GitHub integration to only
# allow members of a particular GitHub team or organization to log
# into your Zulip server through GitHub authentication. To enable
# this, set one of the two parameters below:
#SOCIAL_AUTH_GITHUB_TEAM_ID = <your team id>
#SOCIAL_AUTH_GITHUB_ORG_NAME = <your org name>
# If you are using the ZulipRemoteUserBackend authentication backend,
# set this to your domain (e.g. if REMOTE_USER is "username" and the
# corresponding email address is "[email protected]", set
# SSO_APPEND_DOMAIN = "example.com")
SSO_APPEND_DOMAIN = None # type: Optional[str]
# Support for mobile push notifications. Setting controls whether
# push notifications will be forwarded through a Zulip push
# notification bouncer server to the mobile apps. See
# https://zulip.readthedocs.io/en/latest/production/mobile-push-notifications.html
# for information on how to sign up for and configure this.
#PUSH_NOTIFICATION_BOUNCER_URL = 'https://push.zulipchat.com'
# Whether to redact the content of push notifications. This is less
# usable, but avoids sending message content over the wire. In the
# future, we're likely to replace this with an end-to-end push
# notification encryption feature.
#PUSH_NOTIFICATION_REDACT_CONTENT = False
# Controls whether session cookies expire when the browser closes
SESSION_EXPIRE_AT_BROWSER_CLOSE = False
# Session cookie expiry in seconds after the last page load
SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # 2 weeks
# Password strength requirements; learn about configuration at
# https://zulip.readthedocs.io/en/latest/production/security-model.html.
# PASSWORD_MIN_LENGTH = 6
# PASSWORD_MIN_GUESSES = 10000
# Controls whether Zulip sends "new login" email notifications.
#SEND_LOGIN_EMAILS = True
# Controls whether or not there is a feedback button in the UI.
ENABLE_FEEDBACK = False
# Feedback sent by your users will be sent to this email address.
FEEDBACK_EMAIL = ZULIP_ADMINISTRATOR
# Controls whether or not error reports (tracebacks) are emailed to the
# server administrators.
#ERROR_REPORTING = True
# For frontend (JavaScript) tracebacks
#BROWSER_ERROR_REPORTING = False
# If True, each log message in the server logs will identify the
# Python module where it came from. Useful for tracking down a
# mysterious log message, but a little verbose.
#LOGGING_SHOW_MODULE = False
# If True, each log message in the server logs will identify the
# process ID. Useful for correlating logs with information from
# system-level monitoring tools.
#LOGGING_SHOW_PID = False
# Controls whether or not Zulip will provide inline image preview when
# a link to an image is referenced in a message. Note: this feature
# can also be disabled in a realm's organization settings.
#INLINE_IMAGE_PREVIEW = True
# Controls whether or not Zulip will provide inline previews of
# websites that are referenced in links in messages. Note: this feature
# can also be disabled in a realm's organization settings.
#INLINE_URL_EMBED_PREVIEW = False
# Controls whether or not Zulip will parse links starting with
# "file:///" as a hyperlink (useful if you have e.g. an NFS share).
ENABLE_FILE_LINKS = False
# By default, files uploaded by users and user avatars are stored
# directly on the Zulip server. If file storage in Amazon S3 is
# desired, you can configure that as follows:
#
# (1) Set s3_key and s3_secret_key in /etc/zulip/zulip-secrets.conf to
# be the S3 access and secret keys that you want to use, and setting
# the S3_AUTH_UPLOADS_BUCKET and S3_AVATAR_BUCKET to be the S3 buckets
# you've created to store file uploads and user avatars, respectively.
# Then restart Zulip (scripts/restart-server).
#
# (2) Edit /etc/nginx/sites-available/zulip-enterprise to comment out
# the nginx configuration for /user_uploads and /user_avatars (see
# https://github.com/zulip/zulip/issues/291 for discussion of a better
# solution that won't be automatically reverted by the Zulip upgrade
# script), and then restart nginx.
LOCAL_UPLOADS_DIR = "/home/zulip/uploads"
#S3_AUTH_UPLOADS_BUCKET = ""
#S3_AVATAR_BUCKET = ""
# Maximum allowed size of uploaded files, in megabytes. DO NOT SET
# ABOVE 80MB. The file upload implementation doesn't support chunked
# uploads, so browsers will crash if you try uploading larger files.
MAX_FILE_UPLOAD_SIZE = 25
# Controls whether name changes are completely disabled for this installation
# This is useful in settings where you're syncing names from an integrated LDAP/Active Directory
NAME_CHANGES_DISABLED = False
# Controls whether users who have not uploaded an avatar will receive an avatar
# from gravatar.com.
ENABLE_GRAVATAR = True
# To override the default avatar image if ENABLE_GRAVATAR is False, place your
# custom default avatar image at /home/zulip/local-static/default-avatar.png
# and uncomment the following line.
#DEFAULT_AVATAR_URI = '/local-static/default-avatar.png'
# To access an external postgres database you should define the host name in
# REMOTE_POSTGRES_HOST, you can define the password in the secrets file in the
# property postgres_password, and the SSL connection mode in REMOTE_POSTGRES_SSLMODE
# Valid values for REMOTE_POSTGRES_SSLMODE are documented in the
# "SSL Mode Descriptions" table in
# https://www.postgresql.org/docs/9.5/static/libpq-ssl.html
#REMOTE_POSTGRES_HOST = 'dbserver.example.com'
#REMOTE_POSTGRES_SSLMODE = 'require'
# If you want to set a Terms of Service for your server, set the path
# to your markdown file, and uncomment the following line.
#TERMS_OF_SERVICE = '/etc/zulip/terms.md'
# Similarly if you want to set a Privacy Policy.
#PRIVACY_POLICY = '/etc/zulip/privacy.md'
### TWITTER INTEGRATION
# Zulip supports showing inline Tweet previews when a tweet is linked
# to in a message. To support this, Zulip must have access to the
# Twitter API via OAuth. To obtain the various access tokens needed
# below, you must register a new application under your Twitter
# account by doing the following:
#
# 1. Log in to http://dev.twitter.com.
# 2. In the menu under your username, click My Applications. From this page, create a new application.
# 3. Click on the application you created and click "create my access token".
# 4. Fill in the values for twitter_consumer_key, twitter_consumer_secret, twitter_access_token_key,
# and twitter_access_token_secret in /etc/zulip/zulip-secrets.conf.
### EMAIL GATEWAY INTEGRATION
# The Email gateway integration supports sending messages into Zulip
# by sending an email. This is useful for receiving notifications
# from third-party services that only send outgoing notifications via
# email. Once this integration is configured, each stream will have
# an email address documented on the stream settings page and emails
# sent to that address will be delivered into the stream.
#
# There are two ways to configure email mirroring in Zulip:
# 1. Local delivery: A MTA runs locally and passes mail directly to Zulip
# 2. Polling: Checks an IMAP inbox every minute for new messages.
#
# The local delivery configuration is preferred for production because
# it supports nicer looking email addresses and has no cron delay,
# while the polling mechanism is better for testing/developing this
# feature because it doesn't require a public-facing IP/DNS setup.
#
# The main email mirror setting is the email address pattern, where
# you specify the email address format you'd like the integration to
# use. It should be one of the following:
# %[email protected] (for local delivery)
# username+%[email protected] (for polling if [email protected])
EMAIL_GATEWAY_PATTERN = ""
#
# If you are using local delivery, EMAIL_GATEWAY_PATTERN is all you need
# to change in this file. You will also need to enable the Zulip postfix
# configuration to support local delivery by adding
# , zulip::postfix_localmail
# to puppet_classes in /etc/zulip/zulip.conf and then running
# `scripts/zulip-puppet-apply -f` to do the installation.
#
# If you are using polling, you will need to setup an IMAP email
# account dedicated to Zulip email gateway messages. The model is
# that users will send emails to that account via an address of the
# form username+%[email protected] (which is what you will set as
# EMAIL_GATEWAY_PATTERN); your email provider should deliver those
# emails to the [email protected] inbox. Then you run in a cron
# job `./manage.py email_mirror` (see puppet/zulip/files/cron.d/email-mirror),
# which will check that inbox and batch-process any new messages.
#
# You will need to configure authentication for the email mirror
# command to access the IMAP mailbox below and in zulip-secrets.conf.
#
# The IMAP login; username here and password as email_gateway_password in
# zulip-secrets.conf.
EMAIL_GATEWAY_LOGIN = ""
# The IMAP server & port to connect to
EMAIL_GATEWAY_IMAP_SERVER = ""
EMAIL_GATEWAY_IMAP_PORT = 993
# The IMAP folder name to check for emails. All emails sent to EMAIL_GATEWAY_PATTERN above
# must be delivered to this folder
EMAIL_GATEWAY_IMAP_FOLDER = "INBOX"
### LDAP integration configuration
# Zulip supports retrieving information about users via LDAP, and
# optionally using LDAP as an authentication mechanism.
#
# In either configuration, you will need to do the following:
#
# * Fill in the LDAP configuration options below so that Zulip can
# connect to your LDAP server
#
# * Setup the mapping between LDAP attributes and Zulip.
# There are three supported ways to setup the username and/or email mapping:
#
# (A) If users' email addresses are in LDAP and used as username, set
# LDAP_APPEND_DOMAIN = None
# AUTH_LDAP_USER_SEARCH to lookup users by email address
#
# (B) If LDAP only has usernames but email addresses are of the form
# [email protected], you should set:
# LDAP_APPEND_DOMAIN = example.com and
# AUTH_LDAP_USER_SEARCH to lookup users by username
#
# (C) If LDAP username are completely unrelated to email addresses,
# you should set:
# LDAP_EMAIL_ATTR = "email"
# LDAP_APPEND_DOMAIN = None
# AUTH_LDAP_USER_SEARCH to lookup users by username
#
# You can quickly test whether your configuration works by running:
# ./manage.py query_ldap [email protected]
# From the root of your Zulip installation; if your configuration is working
# that will output the full name for your user.
#
# -------------------------------------------------------------
#
# If you are using LDAP for authentication, you will need to enable
# the zproject.backends.ZulipLDAPAuthBackend auth backend in
# AUTHENTICATION_BACKENDS above. After doing so, you should be able
# to login to Zulip by entering your email address and LDAP password
# on the Zulip login form.
#
# If you are using LDAP to populate names in Zulip, once you finish
# configuring this integration, you will need to run:
# ./manage.py sync_ldap_user_data
# To sync names for existing users; you may want to run this in a cron
# job to pick up name changes made on your LDAP server.
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
# URI of your LDAP server. If set, LDAP is used to prepopulate a user's name in
# Zulip. Example: "ldaps://ldap.example.com"
AUTH_LDAP_SERVER_URI = ""
# This DN will be used to bind to your server. If unset, anonymous
# binds are performed. If set, you need to specify the password as
# 'auth_ldap_bind_password' in zulip-secrets.conf.
AUTH_LDAP_BIND_DN = ""
# Specify the search base and the property to filter on that corresponds to the
# username.
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=users,dc=example,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
# If the value of a user's "uid" (or similar) property is not their email
# address, specify the domain to append here.
LDAP_APPEND_DOMAIN = None # type: Optional[str]
# If username and email are two different LDAP attributes, specify the
# attribute to get the user's email address from LDAP here.
LDAP_EMAIL_ATTR = None # type: Optional[str]
# This map defines how to populate attributes of a Zulip user from LDAP.
AUTH_LDAP_USER_ATTR_MAP = {
# Populate the Django user's name from the LDAP directory.
"full_name": "cn",
}
# The default CAMO_URI of '/external_content/' is served by the camo
# setup in the default Voyager nginx configuration. Setting CAMO_URI
# to '' will disable the Camo integration.
CAMO_URI = '/external_content/'
# RabbitMQ configuration
#
# By default, Zulip connects to rabbitmq running locally on the machine,
# but Zulip also supports connecting to RabbitMQ over the network;
# to use a remote RabbitMQ instance, set RABBITMQ_HOST here.
# RABBITMQ_HOST = "localhost"
# To use another rabbitmq user than the default 'zulip', set RABBITMQ_USERNAME here.
# RABBITMQ_USERNAME = 'zulip'
# Memcached configuration
#
# By default, Zulip connects to memcached running locally on the machine,
# but Zulip also supports connecting to memcached over the network;
# to use a remote Memcached instance, set MEMCACHED_LOCATION here.
# Format HOST:PORT
# MEMCACHED_LOCATION = 127.0.0.1:11211
# Redis configuration
#
# By default, Zulip connects to redis running locally on the machine,
# but Zulip also supports connecting to redis over the network;
# to use a remote Redis instance, set REDIS_HOST here.
# REDIS_HOST = '127.0.0.1'
# For a different redis port set the REDIS_PORT here.
# REDIS_PORT = 6379
# If you set redis_password in zulip-secrets.conf, Zulip will use that password
# to connect to the redis server.
# Controls whether Zulip will rate-limit user requests.
# RATE_LIMITING = True