forked from tinode/chat
-
Notifications
You must be signed in to change notification settings - Fork 0
/
tinode.conf
537 lines (450 loc) · 19.9 KB
/
tinode.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
// The JSON comments are somewhat brittle. Don't try anything too fancy.
{
// HTTP(S) address to listen on for websocket and long polling clients. Either a TCP host:port pair
// or a path to Unix socket as "unix:/path/to/socket.sock".
// The TCP port is either a numerical value or a canonical name, e.g. ":80" or ":https". May include
// the host name, e.g. "localhost:80" or "hostname.example.com:https".
// It could be blank: if TLS is not configured it will default to ":80", otherwise to ":443".
// Can be overridden from the command line, see option --listen.
"listen": ":6060",
// Base URL path for serving streaming and large file API calls.
// Can be overridden from the command line, see option --api_path.
"api_path": "/",
// Cache-Control header for static content. 11 hours.
"cache_control": 39600,
// URL path for mounting the directory with static files.
"static_mount": "/",
// TCP host:port or unix:/path/to/socket to listen for gRPC clients.
// Leave blank to disable gRPC support.
// Could be overridden from the command line with --grpc_listen.
"grpc_listen": ":16060",
// Enable handling of gRPC keepalives https://github.com/grpc/grpc/blob/master/doc/keepalive.md
// This sets server's GRPC_ARG_KEEPALIVE_TIME_MS to 60 seconds instead of the default 2 hours.
"grpc_keepalive_enabled": true,
// Salt for signing API key. 32 random bytes base64-encoded. Use 'keygen' tool (included in this
// distro) to generate the API key and the salt.
"api_key_salt": "T713/rYYgW7g4m3vG6zGRh7+FM1t0T8j13koXScOAj4=",
// Maximum message size allowed from the clients in bytes (262144 = 256KB).
// Media files with sizes greater than this limit are sent out of band.
// Don't change this limit to a much higher value because it would likely cause crashes:
// on Android & iOS due to a limit on the SQLite cursor window size;
// on the server-side with MySQL adapter due to the limit on the sort buffer size.
"max_message_size": 262144,
// Maximum number of subscribers per group topic.
"max_subscriber_count": 128,
// Maximum number of indexable tags per topic or user.
"max_tag_count": 16,
// URL path for exposing runtime stats. Disabled if the path is blank or "-".
// Could be overriden from the command line with --expvar.
"expvar": "/debug/vars",
// URL path for internal server status. Disabled if the path is blank or "-".
// Could be overriden from the command line with --server_status.
"server_status": "/debug/status",
// Read IP address of the client from the HTTP header 'X-Forwarded-For'.
// Useful when Tinode is behind a proxy. If missing, fallback to default RemoteAddr.
"use_x_forwarded_for": true,
// 2-letter country code to assign to sessions by default when the country isn't specified
// by the client explicitly and it's impossible to infer it.
// If missing, the server will default to "US".
"default_country_code": "",
// Large media/blob handlers: large files/images included in messages.
"media": {
// The name of the media handler to use.
"use_handler": "fs",
// Maximum size of uploaded file (8MB here for testing, maybe increase to 100MB = 104857600 in prod)
"max_size": 8388608,
// Garbage collection periodicity in seconds: unused or abandoned uploads are deleted.
"gc_period": 60,
// The number of unused/abandoned entries to delete in one pass.
"gc_block_size": 100,
// Configurations of individual handlers.
"handlers": {
// File system storage.
"fs": {
// File system location to store uploaded files. In case of a cluster it
// must be accessible by all cluster members, i.e. a network drive like https://www.samba.org/
"upload_dir": "uploads",
// Origin URLs allowed to download/upload files, e.g. ["https://www.example.com", "http://example.com"].
// Not necessary in most cases.
// "cors_origins": ["*"]
},
// Amazon AWS S3 storage.
// See detailed explanation at https://pkg.go.dev/github.com/aws/aws-sdk-go/aws#Config
"s3":{
// Use AWS console to get Access Key ID and Secret Access Key.
// https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
"access_key_id": "your_s3_access_key_id",
"secret_access_key": "your_s3_secret_access_key",
// Region where the bucket is hosted.
"region": "s3 region, like us-east-2",
// Name of the S3 bucket.
"bucket": "your_s3_bucket_name",
// Set this to `true` to disable SSL when sending requests. Defaults to `false`.
"disable_ssl": false,
// Set this to `true` to force the request to use path-style addressing,
// i.e., `http://s3.amazonaws.com/BUCKET/KEY`. By default, the S3 client
// will use virtual hosted bucket addressing when possible
// (`http://BUCKET.s3.amazonaws.com/KEY`).
"force_path_style": false,
// An optional endpoint URL (hostname only or fully qualified URI)
// that overrides the default generated endpoint for a client. Set this
// to `""` to use the default generated endpoint.
"endpoint": "",
// Origin URLs allowed to download files, e.g. ["https://www.example.com", "http://example.com"].
// See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
"cors_origins": ["*"]
}
}
},
// TLS (httpS) configuration. Applies to both web and gRPC interfaces.
"tls": {
// Enable TLS.
"enabled": false,
// Listen for connections on this port and redirect them to HTTPS port.
// Cannot be a Unix socket.
"http_redirect": ":80",
// Add Strict-Transport-Security to headers, the value signifies age.
// Zero or negative value turns it off.
"strict_max_age": 604800,
// Letsencrypt configuration.
"autocert": {
// Location of certificates.
"cache": "/etc/letsencrypt/live/your.domain.here",
// Contact address for this installation. LetsEncrypt will send
// messages to this address in case of problems. Replace with your
// own address or remove this line.
"email": "[email protected]",
// Domains served. Replace with your own domain name.
"domains": ["whatever.example.com"]
},
// If "autocert" config is not defined, read static certificates from
// these locations. Ignored if "autocert" is defined.
"cert_file": "/etc/httpd/conf/your.domain.crt",
"key_file": "/etc/httpd/conf/your.domain.key"
},
// Authentication configuration.
"auth_config": {
// Optional mapping of externally-visible authenticator names to internal names.
// For example use ["my-auth:basic", "basic:"] to rename "basic" authenticator to
// "my-auth" and make "basic" unaccessible by the old name.
// Default is identity mapping.
"logical_names": [],
// Basic (login + password) authentication.
"basic": {
// Add 'auth-name:username' to tags making user discoverable by username.
"add_to_tags": true,
// The minimum length of a login in unicode runes, i.e. "登录" is length 2, not 6.
// The maximum length is 32 and it cannot be changed.
"min_login_length": 4,
// The minimum length of a password in unicode runes, "пароль" is length 6, not 12.
// There is no limit on maximum length.
"min_password_length": 6
},
// Token authentication
"token": {
// Lifetime of a security token in seconds. 1209600 = 2 weeks.
"expire_in": 1209600,
// Serial number of the token. Can be used to invalidate all issued tokens at once.
"serial_num": 1,
// Secret key (HMAC salt) for signing the tokens. Generate your own then keep it secret.
// Any 32 random bytes base64 encoded.
//
// === IMPORTANT ===
//
// CHANGE IT IN PRODUCTION!!! Otherwise anyone will be able to log in
// to your server without the password. It's just random base64-encoded bytes, use any suitable
// means to get it. For example:
// Linux/Mac:
// echo $(head -c 32 /dev/urandom | base64 | tr -d '\n')
// Windows:
// powershell -command "[Convert]::ToBase64String((1..32|%{[byte](Get-Random -Max 256)}))"
"key": "wfaY2RgF2S1OQI/ZlK+LSrp1KB2jwAdGAIHQ7JZn+Kc="
}
},
// Database configuration
"store_config": {
// XTEA encryption key for user IDs and topic names. 16 random bytes base64-encoded.
// Generate your own and keep it secret. Otherwise your user IDs will be predictable
// and it will be easy to spam your users.
"uid_key": "la6YsO+bNX/+XIkOqc5Svw==",
// Maximum number of results fetched in one DB call.
"max_results": 1024,
// DB adapter name to communicate with the DB backend.
// Must be one of the adapters from the list below.
"use_adapter": "",
// Configurations of individual adapters.
"adapters": {
// MySQL configuration. See https://godoc.org/github.com/go-sql-driver/mysql#Config
// for other possible options.
"mysql": {
// MySQL connection settings.
// See https://pkg.go.dev/github.com/go-sql-driver/mysql#Config for more info
// and available fields and options.
"User": "root",
"Net": "tcp",
"Addr": "localhost",
"DBName": "tinode",
// The 'collation=utf8mb4_unicode_ci' is optional but highly recommended for
// emoji and certain CJK characters.
"Collation": "utf8mb4_unicode_ci",
// Parse time values to time.Time. Required.
"ParseTime": true,
// Deprecated connection settings. Kept for backward compatibility.
// DSN, passed unchanged to MySQL driver. See https://github.com/go-sql-driver/mysql#dsn-data-source-name for syntax.
// "dsn": "root@tcp(localhost)/tinode?parseTime=true&collation=utf8mb4_unicode_ci",
// Name of the main database.
// "database": "tinode",
// MySQL connection pool settings.
// Maximum number of open connections to the database. Default: 0 (unlimited).
"max_open_conns": 64,
// Maximum number of connections in the idle connection pool. If negative or zero,
// no idle connections are retained.
"max_idle_conns": 64,
// Maximum amount of time a connection may be reused (in seconds).
"conn_max_lifetime": 60,
// DB request timeout (in seconds).
// If not set (or <= 0), DB queries and transactions will run without a timeout.
"sql_timeout": 10
},
// RethinkDB configuration. See
// https://godoc.org/github.com/rethinkdb/rethinkdb-go#ConnectOpts for other possible
// options.
"rethinkdb": {
// Address(es) of RethinkDB node(s): either a string or an array of strings.
"addresses": "localhost:28015",
// Name of the main database.
"database": "tinode"
},
// MongoDB configuration.
"mongodb": {
// Address(es) of MongoDB node(s): either a string or an array of strings.
"addresses": "localhost:27017",
// Name of the main database.
"database": "tinode",
// Name of replica set of mongodb instance. Remove this line to use a standalone instance.
// If replica_set is disabled, transactions will be disabled as well.
"replica_set": "rs0",
// Authentication options. Uncomment if auth is configured on your MongoDB.
// Authentication mechanism. See https://docs.mongodb.com/manual/core/authentication-mechanisms/
// Default "SCRAM-SHA-256"
// "auth_mechanism": "SCRAM-SHA-256",
// The name of database that has the collection with the user credentials. Default "admin".
// "auth_source": "admin",
// Username:
// "username": "tinode",
// Password:
// "password": "tinode",
// Driver's TLS configuration. Uncomment to enable TLS.
// "tls": true,
// Path to the client certificate. Optional.
// "tls_cert_file": "/path/to/cert_file",
// Path to private key. Optional.
// "tls_private_key": "/path/to/private_key",
// Specifies whether or not certificates and hostnames received from the server should be validated.
// Not recommended to enable in production. Default is false.
// "tls_skip_verify": false
}
}
},
// Account validators (email or SMS or captcha).
"acc_validation": {
// Email validator config.
"email": {
// Restrict use of "email" namespace: make users searchable by their emails,
// disable manual creation of email: tags.
"add_to_tags": true,
// List of authentication levels which require this validation method.
// Remove this line to disable email validation.
"required": ["auth"],
// Configuration passed to the validator unchanged.
"config": {
// Address of the host where the Tinode server is running. This will be used
// in URLs in the email.
"host_url": "http://localhost:6060/",
// Address of the SMPT server to use.
"smtp_server": "smtp.example.com",
// SMTP port to use. "25" for basic email RFC 5321 (2821, 821), "587" for RFC 3207 (TLS).
"smtp_port": "25",
// RFC 5322 email address to show in the From: field.
"sender": "\"Tinode\" <[email protected]>",
// Optional login to use for authentication; if missing, the connection is not authenticated.
"login": "[email protected]",
// Password to use when authenticating the sender; used only if "login" is provided.
"sender_password": "your-password-here",
// FQDN to use in SMTP HELO/EHLO command; if missing, the hostname from "host_url" is used.
"smtp_helo_host": "example.com",
// Skip verification of the server's certificate chain and host name.
// In this mode, TLS is susceptible to machine-in-the-middle attacks.
"insecure_skip_verify": false,
// Optional list of human languages to try to load templates for. If you don't care about i18n,
// leave it blank or remove. The first language in the list is the default language.
"languages": ["en", "es", "fr", "ru", "zh"],
// Message template for credential validation.
// The file path itself is treated as a template. It's resolved by using the
// "languages" field above. One template per language.
// See the template file for the explanation of the expected structure.
"validation_templ": "./templ/email-validation-{{.Language}}.templ",
// Message template for resetting authentication secret.
// One template per language. See email-validation-en template for the explanation
// of the expected structure.
"reset_secret_templ": "./templ/email-password-reset-{{.Language}}.templ",
// Allow this many confirmation attempts before blocking the credential.
"max_retries": 3,
// List of email domains allowed to be used for registration.
// Missing or empty list means any email domain is accepted.
"domains": [],
// Dummy response to accept.
//
// === IMPORTANT ===
//
// REMOVE IT IN PRODUCTION!!! Otherwise anyone will be able to register
// with fake emails.
"debug_response": "123456"
}
},
// Dummy placeholder validator for SMS and voice validation. Disabled by default.
// Use something like twillio.com in production.
"tel": {
"add_to_tags": true,
"config": {
"languages": ["en"],
"template": "./templ/sms-validation.templ",
"max_retries": 4,
"debug_response": "123456"
}
}
},
// Configuration of push notifications.
"push": [
{
// Notificator which writes to STDOUT. Useful for debugging.
"name":"stdout",
"config": {
// Disabled.
"enabled": false
}
},
{
// Google FCM notificator.
"name":"fcm",
"config": {
// Disabled. Won't work without the server key anyway. See below.
"enabled": false,
// Firebase project ID.
"project_id": "your-project-id",
// Service account credentials as json.
// See instructions how to download the service account credentials file:
// https://cloud.google.com/iam/docs/creating-managing-service-account-keys
// Then insert the file contents here. Yes, this is convoluted, but that's Google's fault.
"credentials": {
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "some-random-looking-hex-number",
"private_key": "-----BEGIN PRIVATE KEY----- base64-encoded bits of your private key \n-----END PRIVATE KEY-----\n",
"client_email": "[email protected]",
"client_id": "1234567890123456789",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-abc123%40your-project-id.iam.gserviceaccount.com"
},
// An alternative way to provide Firebase service account credentials.
"credentials_file": "/path/to/service-account-file-with-credentials.json",
// Time in seconds before notification is discarded (by Google) if undelivered.
"time_to_live": 3600,
// Payload of AndroidNotification. If enabled, this will take precedence over data payload.
"android": {
// Set to false to push a data-only message.
"enabled": false,
// Android drawable resource ID to use as a notification icon.
"icon": "ic_logo_push",
// Notification color.
"color": "#3949AB",
// Name of intent filter which will catch this notification.
"click_action": ".MessageActivity",
// Notification of a new message. You can include custom "icon", "color", "click_action"
// into this section and it will override the value above.
"msg": {
// Literal title string. Not recommended because it's not localized.
"title": "",
// Literal message body. Not recommended because it's not localized.
"body": "",
// Android string resource ID to use as a notification title. Localized.
// Takes precedence over "title". "new_message" is "New message" in Tindroid.
"title_loc_key": "new_message",
// Android string resource ID to use as a notification body. Localized.
// Takes precedence over "body".
"body_loc_key": ""
},
// Notification of a new subscription. Same rules as section "msg" above.
"sub": {
// Android resource string ID to use as notification title. Localized.
// "new_chat" is "New chat" in Tindroid.
"title_loc_key": "new_chat",
// Android resource string ID to use as notification body. Localized.
"body_loc_key": ""
}
}
}
},
{
// Tinode Push Gateway, see https://github.com/tinode/chat/tree/master/server/push/tnpg.
"name":"tnpg",
"config": {
// Disabled. Configure first then enable.
"enabled": false,
// Short name (URL) of the organization you registered at console.tinode.co.
"org": "test",
// Authentication token obtained from console.tinode.co
"token": "jwt-security-token-obtained-from-console.tinode.co",
}
}
],
// Cluster-mode configuration.
"cluster_config": {
// Name of this node. Can be assigned from the command line as --cluster_self.
// Empty string disables clustering.
"self": "",
// List of available nodes.
"nodes": [
// Name and TCP address of every node in the cluster. The ports 12001..12003
// are cluster communication ports. They don't need to be exposed to end-users.
{"name": "one", "addr":"localhost:12001"},
{"name": "two", "addr":"localhost:12002"},
{"name": "three", "addr":"localhost:12003"}
],
// Failover config. No need to change unless you are doing something unusual.
"failover": {
// Failover is enabled.
"enabled": true,
// Time in milliseconds between heartbeats.
"heartbeat": 100,
// Initiate leader election when the leader is not available for this many heartbeats.
"vote_after": 8,
// Consider node failed when it missed this many heartbeats.
"node_fail_after": 16
}
},
// Configuration of plugins.
"plugins": [
{
// Enable or disable this plugin.
"enabled": false,
// Name of the plugin, must be unique.
"name": "python_chat_bot",
// Timeout in microseconds.
"timeout": 20000,
// Events to send to the plugin.
"filters": {
// Account creation events.
"account": "C"
},
// Error code to use in case plugin has failed; 0 means to ignore the failures.
"failure_code": 0,
// Text of an error message to report in case of plugin failure.
"failure_text": null,
// Address of the plugin.
"service_addr": "tcp://localhost:40051"
}
]
}