fas.cfg.sample

[global]

#
# Deployment type
# Determines which color of the header is being used
# Valid options:
# - "dev": Development
# - "stg": Staging
# - "prod": Production
#
deployment_type = "dev"

# TODO: better namespacing (maybe a [fas] section)
# admingroup is for humans that can see and do anything

###
### GPG Keys for specific operations
###
# This is the GPG Key ID used to encrypt the answer to the user's security question.
# The private key should be known to the admins to verify that the user supplied the correct answer.
key_securityquestion = '00000000'

###
### UI
###

theme = 'fas'

# Personal Info / Form availability
# Select/deselect items in the form
show_postal_address = 0

# Language support
available_languages = ['en', 'en_GB', 'ar', 'as', 'ast', 'bg', 'bn', 'bn_IN', 'bo', 'bs', 'ca', 'cs', 'da', 'de', 'el', 'es', 'eu', 'fa', 'fi', 'fr', 'ga', 'gl', 'he', 'hi', 'hu', 'id', 'is', 'it', 'ja', 'kn', 'ko', 'lv', 'mai', 'ml', 'mr', 'nb', 'nl', 'nn', 'pa', 'pl', 'pt_BR', 'pt', 'ru', 'si', 'sk', 'sl', 'sq', 'sr', 'sv', 'ta', 'te', 'tg', 'tr', 'uk', 'vi', 'zh_CN', 'zh_HK', 'zh_TW']

default_language = 'en'

# Country codes from GEOIP that we don't want to display in
# country selection boxes
country_blacklist = ["--", "A1", "A2", "AN", "AS", "AX", "BI", "BL", "BV", "CC", "CU", "CV", "CX", "DM", "FK", "FO", "GF", "GG", "GP", "GS", "GW", "HM", "IO", "IR", "IQ", "JE", "KI", "KP", "MF", "MP", "MS", "MW", "NF", "NR", "NU", "PM", "PN", "RE", "SB", "SD", "SH", "SJ", "SY", "TC", "TF", "TK", "TL", "TV", "UM", "VC", "VG", "WF", "YT"]

# Captcha
tgcaptcha2.key = 'Cx{$<_1W@]\Zv}*On;z]e'
tgcaptcha2.jpeg_generator = 'mcdermott'
tgcaptcha2.audio = True

###
### IPA Sync settings
###
ipa_sync_enabled = False
ipa_sync_server = "ipa01.example.com"
ipa_sync_principal = "fas_sync@EXAMPLE.COM"
ipa_sync_keytab = "/etc/fas_sync_keytab"
ipa_sync_certfile = "/etc/fas_sync_cert.pem"

###
### Administrative settings
###

# Usernames that are unavailable for fas allocation
username_blacklist = "abuse,accounts,adm,admin,amanda,apache,askfedora,asterisk,bin,board,bodhi2,canna,chair,chairman,cvsdirsec,cvsdocs,cvseclipse,cvsextras,cvsfont,daemon,dbus,decode,desktop,dgilmore,directors,dovecot,dumper,fama,famsco,fax,fedora,fedorarewards,fesco,freemedia,ftbfs,ftp,ftpadm,ftpadmin,games,gdm,gopher,gregdek,halt,hostmaster,ident,info,ingres,jaboutboul,jan,keys,kojiadmin,ldap,legal,logo,lp,mail,mailnull,manager,marketing,mysql,nagios,named,netdump,news,newsadm,newsadmin,nfsnobody,nobody,noc,nrpe,nscd,ntp,nut,openvideo,operator,packager,pcap,pkgdb,pkgsigner,postfix,postgres,postmaster,press,privoxy,pvm,quagga,radiusd,radvd,relnotes,root,rpc,rpcuser,rpm,sales,scholarship,secalert,security,shutdown,smmsp,squid,sshd,support,sync,system,tickets,toor,updates,usenet,uucp,vcsa,vendors,voting,webalizer,webmaster,wikiadmin,wnn,www,xfs,zabbix"
email_domain_blacklist = "@example.com,@evil.com"

#Valid SSH Key
valid_ssh_key = "rsa,ssh-rsa,ecdsa,ecdsa-sha2"

# admingroup has powers to change anything in the fas UI
admingroup = 'accounts'
# systemgroup is for automated systems that can read any info from the FAS db
systemgroup = 'fas-system'

# Moderator group provides its members restricted admin power
# allowed by defined action below.
# Valid action :
# modo.allow.update_status, allow approved member to do related action.
modo.group = 'accounts-moderators'
modo.allow.update_status = False

# thirdpartygroup is for thirdparties that also need group management
# via fas, but maintain their own actual account systems
thirdpartygroup = 'thirdparty'

# Placing a group into privileged_view_group protects the information in it
# only admins of the group can view the group
privileged_view_groups = "(^fas-.*)"

# Who should we say is sending email from fas and get email
# when fas sends a message about something?
accounts_email = "nobody@fedoraproject.org"
# Who should be listed as the legal contact for the Contributor Agreement?
legal_cla_email = "nobody@fedoraproject.org"
# Who should be listed as the webmaster contact for the site?
webmaster_email = "webmaster@fedoraproject.org"

# All groups and some users get email aliases created for them via a cron
# job.  This setting is appended to group names when sending email to members
# of a group.  Be sure to set up a cron job for your site for this to work
email_host = "fedoraproject.org" # as in, web-members@email_host

# Settings for Contributor Agreements
# Meta group for anyone who's satisfied the contributor agreement requirement
cla_done_group = "cla_done"
# The standard group is what you're placed in when you sign the contributor
# agreement via fas
cla_standard_group = "cla_fpca"
# If you have a contributor agreement that you're getting rid of but want
# to give people a transition period to sign a new one, you can put the
# deprecated group in here for now.
cla_deprecated_groups = ['cla_fedora']

# Groups that automatically grant membership to other groups
# Format: 'group1:a,b,c|group2:d,e,f'
auto_approve_groups = 'packager:fedorabugs|triagers:fedorabugs|docs-writers:fedorabugs|cla_fpca:cla_done|cla_redhat:cla_done|cla_dell:cla_done|cla_ibm:cla_done|cla_intel:cla_done'

# Anti-spam approval check script, which injects in both registration and CLA steps
antispam.api.url = 'http://acceptance.fas.local/api'
antispam.api.username = ''
antispam.api.password = ''
antispam.registration.autoaccept = False
antispam.cla.autoaccept = False

# Some server parameters that you may want to tweak
server.socket_port=8088
server.thread_pool=50
server.socket_queue_size=30

# Needed for translations
### Q for ricky: Should this move to app.cfg?
session_filter.on = True

# Set to True if you'd like to abort execution if a controller gets an
# unexpected parameter. False by default
tg.strict_parameters = True

server.webpath='/accounts'
base_url_filter.on = True
base_url_filter.use_x_forwarded_host = False
base_url_filter.base_url = "http://localhost:8088/"
fas.url = "http://localhost:8088/accounts/"

# Knobs to tweak for debugging

# Enable the debug output at the end on pages.
# log_debug_info_filter.on = False
debug = 'on'
server.environment="development"
autoreload.package="fas"
autoreload.on = True
server.throw_errors = True
server.log_to_screen = True

# Make the session cookie only return to the host over an SSL link
# Disabled for testing only (Uncomment when deployed)
#visit.cookie.secure = True
#session_filter.cookie_secure = True

###
### Communicating to other services
###

# Database
sqlalchemy.dburi="postgres://fedora:fedora@localhost/fas2"
sqlalchemy.echo=False
# When using wsgi, we want the pool to be very low (as a separate instance is
# run in each apache mod_wsgi thread.  So each one is going to have very few
# concurrent db connections.
sqlalchemy.pool_size=1
sqlalchemy.max_overflow=2

# If you're serving standalone (cherrypy), since FAS2 is much busier than
# other servers due to serving visit and auth via JSON you want higher values
#sqlalchemy.pool_size=10
#sqlalchemy.max_overflow=25

memcached_server = "127.0.0.1:11211"

# Sending of email via TurboMail
mail.on = False
mail.smtp.server = 'localhost'
#mail.testmode = True
mail.smtp.debug = False
mail.encoding = 'utf-8'
mail.transport = 'smtp'
mail.manager = 'demand'

# Enable yubikeys
yubi_server_prefix='http://localhost/yk-val/verify?id='
ykksm_db="postgres://ykksmimporter:ykksmimporter@localhost/ykksm"
ykval_db="postgres://ykval_verifier:ykval_verifier@localhost/ykval"

# Enable or disable generation of SSL certificates for users
# In a load balanced environment, you likely only want one server to set
# this to true
gencert = True

makeexec = "/usr/bin/make"
openssl_lockdir = "/var/lock/fas-openssl"
openssl_digest = "md5"
openssl_expire = 15552000 # 60*60*24*180 = 6 months
openssl_ca_dir = "/home/ricky/work/fedora/fas/ca"
openssl_ca_newcerts = "/home/ricky/work/fedora/fas/ca/newcerts"
openssl_ca_index = "/home/ricky/work/fedora/fas/ca/index"
openssl_c = "US"
openssl_st = "North Carolina"
openssl_l = "Raleigh"
openssl_o = "Fedora Project"
openssl_ou = "Fedora User Cert"

# These determine where FAS will read the public keyring from used in all GPG operations
gpgexec = "/usr/bin/gpg"
gpghome = "/home/ricky/work/fedora/fas/gnupg"
# Note: gpg_fingerprint and gpg_passphrase are for encrypting password reset mail if the user has
# a gpg key registered.  It's currently broken
gpg_fingerprint = "C199 1E25 D00A D200 2D2E  54D1 BF7F 1647 C54E 8410"
# If you were wondering, this isn't a real passphrase :)
gpg_passphrase = "m00!s@ysth3c0w"
gpg_keyserver = "hkp://subkeys.pgp.net"

[/fedora-server-ca.cert]
static_filter.on = True
static_filter.file = "/etc/pki/fas/fedora-server-ca.cert"

[/fedora-upload-ca.cert]
static_filter.on = True
static_filter.file = "/etc/pki/fas/fedora-upload-ca.cert"

# LOGGING
# Logging configuration generally follows the style of the standard
# Python logging module configuration. Note that when specifying
# log format messages, you need to use *() for formatting variables.
# Deployment independent log configuration is in fas/config/log.cfg
[logging]

[[loggers]]
[[[fas]]]
level='DEBUG'
qualname='fas'
handlers=['debug_out']

[[[allinfo]]]
level='INFO'
handlers=['debug_out']

[[[access]]]
level='INFO'
qualname='turbogears.access'
handlers=['access_out']
propagate=0

[[[identity]]]
level='INFO'
qualname='turbogears.identity'
handlers=['access_out']
propagate=0

[[[database]]]
# Set to INFO to make SQLAlchemy display SQL commands
level='ERROR'
qualname='sqlalchemy.engine'
handlers=['debug_out']
propagate=0