# Environment Variables

You can actually configure Psono with environment variables instead of config files.

# Server: Required

All these parameters need to be configured either through the settings.yaml or as environment variables.

# PSONO_SECRET_KEY*

Used to overwrite the SECRET_KEY parameter of the settings.yaml, e.g.

export PSONO_SECRET_KEY=jrgwvgCRPGJeOi9xcFIlfpVL09EZdIkrAJqQIUvTVtB3BO9gsuWi32Ie3VfKtaCk

WARNING

This parameter needs to be generated by ./psono/manage.py generateserverkeys and must never change during the lifetime of a server. Generate your own value; do not reuse the sample shown above.

# PSONO_PRIVATE_KEY*

Used to overwrite the PRIVATE_KEY parameter of the settings.yaml, e.g.

export PSONO_PRIVATE_KEY=5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd

WARNING

This parameter needs to be generated together with the PUBLIC_KEY by ./psono/manage.py generateserverkeys and must never change during the lifetime of a server.

# PSONO_PUBLIC_KEY*

Used to overwrite the PUBLIC_KEY parameter of the settings.yaml, e.g.

export PSONO_PUBLIC_KEY=141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622

WARNING

This parameter needs to be generated together with the PRIVATE_KEY by ./psono/manage.py generateserverkeys and must never change during the lifetime of a server.

# PSONO_ACTIVATION_LINK_SECRET*

Used to overwrite the ACTIVATION_LINK_SECRET parameter of the settings.yaml, which is used to generate the "activation links" whenever a user registers, e.g.

export PSONO_ACTIVATION_LINK_SECRET=6kkvvTaPisiHMaLFHRPFjCztjByY8LINkxkhBHmj4FpIEk1kdY9aGIR7xulcs6ij

WARNING

This parameter needs to be generated by ./psono/manage.py generateserverkeys

# PSONO_DB_SECRET*

Used to overwrite the DB_SECRET parameter of the settings.yaml, and is used to encrypt the data in the database e.g.

export PSONO_DB_SECRET=True

WARNING

This parameter needs to be generated by ./psono/manage.py generateserverkeys and must never change during the lifetime of a server. The value is the generated secret, so the True in the example above is only a placeholder.

# PSONO_EMAIL_SECRET_SALT*

Used to overwrite the EMAIL_SECRET_SALT parameter of the settings.yaml, and used to store a hash of the email address in the database to prevent duplicates e.g.

export PSONO_EMAIL_SECRET_SALT=True

WARNING

This parameter needs to be generated by ./psono/manage.py generateserverkeys and must never change during the lifetime of a server. The value is the generated salt, so the True in the example above is only a placeholder.

# PSONO_HOST_URL*

Used to overwrite the HOST_URL parameter of the settings.yaml, the url of the server itself e.g.

export PSONO_HOST_URL=https://psono.example.com/server

# PSONO_DATABASE_URL*

Used to overwrite the DATABASE_URL parameter of the settings.yaml, and to connect the Psono server to your database e.g.

export PSONO_DATABASE_URL=postgres://myuser:mypassword@192.168.0.5:5432/mydatabase

or for unix domain socket paths

export PSONO_DATABASE_URL=postgres://%2Fvar%2Flib%2Fpostgresql/mydatabase

WARNING

If you want to specify the host, username and so on separately, you can do so with the optional database parameters listed below.

# PSONO_WEB_CLIENT_URL

Used to overwrite the WEB_CLIENT_URL parameter of the settings.yaml, and to specify the location of the webclient e.g.

export PSONO_WEB_CLIENT_URL=https://psono.example.com

# PSONO_ALLOWED_DOMAINS

Used to overwrite the ALLOWED_DOMAINS parameter of the settings.yaml as a comma separated list of the domains that you allow as username suffix e.g.

export PSONO_ALLOWED_DOMAINS=example.com,something.else.com

# Server: Other

# PSONO_DEBUG

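Used to overwrite the DEBUG parameter of the settings.yaml and enables the debug mode (intended for development; leave it off on production servers, where debug output can expose internal details), e.g.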

export PSONO_DEBUG=True

# PSONO_DISABLED

Used to overwrite the DISABLED parameter of the settings.yaml and disables the server, e.g.

export PSONO_DISABLED=True

# PSONO_MAINTENANCE_ACTIVE

Used to overwrite the MAINTENANCE_ACTIVE parameter of the settings.yaml and enables the maintenance mode, e.g.

export PSONO_MAINTENANCE_ACTIVE=True

# PSONO_ALLOWED_HOSTS

Used to overwrite the ALLOWED_HOSTS parameter of the settings.yaml as a comma separated list, e.g.

export PSONO_ALLOWED_HOSTS=a.example.com,something.else.com

# PSONO_ALLOW_REGISTRATION

Used to overwrite the ALLOW_REGISTRATION parameter of the settings.yaml, and to enable or disable the registration (set it to False to disable registration) e.g.

export PSONO_ALLOW_REGISTRATION=True

# PSONO_ALLOW_LOST_PASSWORD

Used to overwrite the ALLOW_LOST_PASSWORD parameter of the settings.yaml, and to enable or disable the password recovery mechanism (set it to False to disable password recovery) e.g.

export PSONO_ALLOW_LOST_PASSWORD=True

# PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL

Used to overwrite the ENFORCE_MATCHING_USERNAME_AND_EMAIL parameter of the settings.yaml, and enforces matching username and emails e.g.

export PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL=True

# PSONO_ALLOWED_SECOND_FACTORS

Used to overwrite the ALLOWED_SECOND_FACTORS parameter of the settings.yaml, and restricts the possible options for second factors e.g.

export PSONO_ALLOWED_SECOND_FACTORS=yubikey_otp,google_authenticator,duo

# PSONO_ALLOW_USER_SEARCH_BY_EMAIL

Used to overwrite the ALLOW_USER_SEARCH_BY_EMAIL parameter of the settings.yaml, and allows users to search other users by their email address e.g.

export PSONO_ALLOW_USER_SEARCH_BY_EMAIL=True

# PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL

Used to overwrite the ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL parameter of the settings.yaml, and allows users to search other users by partial usernames e.g.

export PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL=True

# PSONO_DUO_INTEGRATION_KEY

Used to overwrite the DUO_INTEGRATION_KEY parameter of the settings.yaml, the duo integration key e.g.

export PSONO_DUO_INTEGRATION_KEY=DI785965869BJHGKZ

# PSONO_DUO_SECRET_KEY

Used to overwrite the DUO_SECRET_KEY parameter of the settings.yaml, the duo secret key e.g.

export PSONO_DUO_SECRET_KEY=8ho7IZK7jioi7joi7glZBJKmhnz

# PSONO_DUO_API_HOSTNAME

Used to overwrite the DUO_API_HOSTNAME parameter of the settings.yaml, the duo api hostname e.g.

export PSONO_DUO_API_HOSTNAME=api-abcd1234.duosecurity.com

# PSONO_DUO_PROXY_HOST

Used to overwrite the DUO_PROXY_HOST parameter of the settings.yaml, the duo proxy host e.g.

export PSONO_DUO_PROXY_HOST=duoproxy.example.com

# PSONO_DUO_PROXY_PORT

Used to overwrite the DUO_PROXY_PORT parameter of the settings.yaml, the port of the duo proxy e.g.

export PSONO_DUO_PROXY_PORT=45612

# PSONO_DUO_PROXY_HEADERS

Used to overwrite the DUO_PROXY_HEADERS parameter of the settings.yaml, all headers for the duo proxy e.g.

export PSONO_DUO_PROXY_HEADERS=True

# PSONO_DUO_PROXY_TYPE

Used to overwrite the DUO_PROXY_TYPE parameter of the settings.yaml, the type of the proxy, by default CONNECT e.g.

export PSONO_DUO_PROXY_TYPE=CONNECT

# PSONO_MULTIFACTOR_ENABLED

Used to overwrite the MULTIFACTOR_ENABLED parameter of the settings.yaml, and to enforce multifactor (all second factors need to be solved) e.g.

export PSONO_MULTIFACTOR_ENABLED=True

# PSONO_REGISTRATION_EMAIL_FILTER

Used to overwrite the REGISTRATION_EMAIL_FILTER parameter of the settings.yaml, and to enforce that only certain email addresses can register separated by comma e.g.

export PSONO_REGISTRATION_EMAIL_FILTER=googlemail.com,gmail.com

# PSONO_MANAGEMENT_COMMAND_ACCESS_KEY

Used to overwrite the MANAGEMENT_COMMAND_ACCESS_KEY parameter of the settings.yaml, the authentication parameter for remote management commands e.g.

export PSONO_MANAGEMENT_COMMAND_ACCESS_KEY=kjzunI6789BJKNzbjnmnftbvhKJHUzjnk

# PSONO_TRUSTED_IP_HEADER

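Used to overwrite the TRUSTED_IP_HEADER parameter of the settings.yaml, a header that, if specified and passed through, is trusted to contain the correct IP of the client (only set it when a proxy in front of the server always sets or overwrites this header, otherwise a client can supply the header itself and spoof its IP address) e.g.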

export PSONO_TRUSTED_IP_HEADER=HTTP_CF_CONNECTING_IP

# PSONO_NUM_PROXIES

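Used to overwrite the NUM_PROXIES parameter of the settings.yaml, the number of proxies in front of the server, needed to parse the HTTP_X_FORWARDED_FOR header properly (it should match the real number of proxies, as a wrong count makes the server read the wrong address from the header) e.g.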

export PSONO_NUM_PROXIES=3

# PSONO_THROTTLE_RATE_ANON

Used to overwrite the THROTTLE_RATE_ANON parameter of the settings.yaml, and to specify the throttle rate for anonymous access e.g.

export PSONO_THROTTLE_RATE_ANON=1440/day

# PSONO_THROTTLE_RATE_LOGIN

Used to overwrite the THROTTLE_RATE_LOGIN parameter of the settings.yaml, and to specify the throttle rate for login requests e.g.

export PSONO_THROTTLE_RATE_LOGIN=48/day

# PSONO_THROTTLE_RATE_LINK_SHARE_SECRET

Used to overwrite the THROTTLE_RATE_LINK_SHARE_SECRET parameter of the settings.yaml, and to specify the throttle rate for link share access e.g.

export PSONO_THROTTLE_RATE_LINK_SHARE_SECRET=60/hour

# PSONO_THROTTLE_RATE_PASSWORD

Used to overwrite the THROTTLE_RATE_PASSWORD parameter of the settings.yaml, and to specify the throttle rate for password resets e.g.

export PSONO_THROTTLE_RATE_PASSWORD=24/day

# PSONO_THROTTLE_RATE_USER

Used to overwrite the THROTTLE_RATE_USER parameter of the settings.yaml, and to specify the throttle rate for all general authenticated requests e.g.

export PSONO_THROTTLE_RATE_USER=86400/day

# PSONO_THROTTLE_RATE_HEALTH_CHECK

Used to overwrite the THROTTLE_RATE_HEALTH_CHECK parameter of the settings.yaml, and to specify the throttle rate for requests to the health check endpoint e.g.

export PSONO_THROTTLE_RATE_HEALTH_CHECK=61/hour

# PSONO_THROTTLE_RATE_STATUS_CHECK

Used to overwrite the THROTTLE_RATE_STATUS_CHECK parameter of the settings.yaml, and to specify the throttle rate for requests to the status endpoint e.g.

export PSONO_THROTTLE_RATE_STATUS_CHECK=6/minute

# PSONO_THROTTLE_RATE_GA_VERIFY

Used to overwrite the THROTTLE_RATE_GA_VERIFY parameter of the settings.yaml, and to specify the throttle rate how often a user can try to solve a Google Authenticator second factor challenge e.g.

export PSONO_THROTTLE_RATE_GA_VERIFY=6/minute

# PSONO_THROTTLE_RATE_DUO_VERIFY

Used to overwrite the THROTTLE_RATE_DUO_VERIFY parameter of the settings.yaml, and to specify the throttle rate how often a user can try to solve a DUO second factor challenge e.g.

export PSONO_THROTTLE_RATE_DUO_VERIFY=6/minute

# PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY

Used to overwrite the THROTTLE_RATE_YUBIKEY_OTP_VERIFY parameter of the settings.yaml, and to specify the throttle rate how often a user can try to solve a YubiKey second factor challenge e.g.

export PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY=6/minute

# PSONO_THROTTLE_RATE_REGISTRATION

Used to overwrite the THROTTLE_RATE_REGISTRATION parameter of the settings.yaml, and to specify how often someone can try to register e.g.

export PSONO_THROTTLE_RATE_REGISTRATION=20/day

# PSONO_THROTTLE_RATE_USER_DELETE

Used to overwrite the THROTTLE_RATE_USER_DELETE parameter of the settings.yaml, and to specify how often someone can try to delete his account e.g.

export PSONO_THROTTLE_RATE_USER_DELETE=20/day

# PSONO_THROTTLE_RATE_USER_UPDATE

Used to overwrite the THROTTLE_RATE_USER_UPDATE parameter of the settings.yaml, and to specify how often someone can try to update his account e.g.

export PSONO_THROTTLE_RATE_USER_UPDATE=20/day

# PSONO_THROTTLE_RATE_FILESERVER_ALIVE

Used to overwrite the THROTTLE_RATE_FILESERVER_ALIVE parameter of the settings.yaml, and to specify how often a fileserver can announce it being alive e.g.

export PSONO_THROTTLE_RATE_FILESERVER_ALIVE=61/minute

# PSONO_THROTTLE_RATE_FILESERVER_UPLOAD

Used to overwrite the THROTTLE_RATE_FILESERVER_UPLOAD parameter of the settings.yaml, and to specify how often a fileserver can announce fileuploads e.g.

export PSONO_THROTTLE_RATE_FILESERVER_UPLOAD=10000/minute

# PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD

Used to overwrite the THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD parameter of the settings.yaml, and to specify how often a fileserver can announce file downloads e.g.

export PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD=10000/minute

# PSONO_DATABASE_SLAVE_URL

Used to overwrite the DATABASE_SLAVE_URL parameter of the settings.yaml, and to configure a postgres instance that will be used as read slave e.g.

export PSONO_DATABASE_SLAVE_URL=postgres://myuser:mypassword@192.168.0.6:5432/mydatabase

# PSONO_DATABASES_DEFAULT_ENGINE

Used to overwrite the DATABASES_DEFAULT_ENGINE parameter of the settings.yaml, and to specify a different database engine e.g.

export PSONO_DATABASES_DEFAULT_ENGINE=django.db.backends.postgresql_psycopg2

# PSONO_DATABASES_DEFAULT_NAME

Used to overwrite the DATABASES_DEFAULT_NAME parameter of the settings.yaml, and to specify a database name e.g.

export PSONO_DATABASES_DEFAULT_NAME=mypostgresdatabase

# PSONO_DATABASES_DEFAULT_USER

Used to overwrite the DATABASES_DEFAULT_USER parameter of the settings.yaml, and to specify the username used to connect to the database e.g.

export PSONO_DATABASES_DEFAULT_USER=mypostgresusername

# PSONO_DATABASES_DEFAULT_PASSWORD

Used to overwrite the DATABASES_DEFAULT_PASSWORD parameter of the settings.yaml, and to specify the password used to connect to the database e.g.

export PSONO_DATABASES_DEFAULT_PASSWORD=mypostgrespassword

# PSONO_DATABASES_DEFAULT_HOST

Used to overwrite the DATABASES_DEFAULT_HOST parameter of the settings.yaml, and to specify the host used to connect to the database e.g.

export PSONO_DATABASES_DEFAULT_HOST=192.168.10

# PSONO_DATABASES_DEFAULT_PORT

Used to overwrite the DATABASES_DEFAULT_PORT parameter of the settings.yaml, and to specify the port used to connect to the database e.g.

export PSONO_DATABASES_DEFAULT_PORT=5432

# PSONO_EMAIL_FROM

Used to overwrite the EMAIL_FROM parameter of the settings.yaml, and to specify the email address that is used to send emails e.g.

export PSONO_EMAIL_FROM=something@example.com

# PSONO_EMAIL_HOST

Used to overwrite the EMAIL_HOST parameter of the settings.yaml, and to configure the host used to connect to your email server e.g.

export PSONO_EMAIL_HOST=192.168.0.5

# PSONO_EMAIL_HOST_USER

Used to overwrite the EMAIL_HOST_USER parameter of the settings.yaml, and to configure the user used to connect to your email server e.g.

export PSONO_EMAIL_HOST_USER=myemailuser

# PSONO_EMAIL_HOST_PASSWORD

Used to overwrite the EMAIL_HOST_PASSWORD parameter of the settings.yaml, and to configure the password used to connect to your email server e.g.

export PSONO_EMAIL_HOST_PASSWORD=myemailpassword

# PSONO_EMAIL_PORT

Used to overwrite the EMAIL_PORT parameter of the settings.yaml, and to configure the port used to connect to your email server e.g.

export PSONO_EMAIL_PORT=25

# PSONO_EMAIL_SUBJECT_PREFIX

Used to overwrite the EMAIL_SUBJECT_PREFIX parameter of the settings.yaml, and to configure a certain prefix being shown in the subject of all emails e.g.

export PSONO_EMAIL_SUBJECT_PREFIX=True

# PSONO_EMAIL_USE_TLS

Used to overwrite the EMAIL_USE_TLS parameter of the settings.yaml, and to specify whether to use TLS or not e.g.

export PSONO_EMAIL_USE_TLS=True

TIP

EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.

# PSONO_EMAIL_USE_SSL

Used to overwrite the EMAIL_USE_SSL parameter of the settings.yaml, and to specify whether to use SSL or not e.g.

export PSONO_EMAIL_USE_SSL=True

TIP

EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.

# PSONO_EMAIL_SSL_CERTFILE

Used to overwrite the EMAIL_SSL_CERTFILE parameter of the settings.yaml, and to specify a path to a certificate file used to authenticate with your email host e.g.

export PSONO_EMAIL_SSL_CERTFILE=/etc/ssl/email.crt

# PSONO_EMAIL_SSL_KEYFILE

Used to overwrite the EMAIL_SSL_KEYFILE parameter of the settings.yaml, and to specify a path to a key used to authenticate with your email host e.g.

export PSONO_EMAIL_SSL_KEYFILE=/etc/ssl/email.key

# PSONO_EMAIL_TIMEOUT

Used to overwrite the EMAIL_TIMEOUT parameter of the settings.yaml, and to specify a timeout for requests to your email server e.g.

export PSONO_EMAIL_TIMEOUT=10

# PSONO_YUBIKEY_CLIENT_ID

Used to overwrite the YUBIKEY_CLIENT_ID parameter of the settings.yaml, and to configure the required Client ID for YubiKey verification, which can be obtained at upgrade.yubico.com/getapikey/ e.g.

export PSONO_YUBIKEY_CLIENT_ID=121334

# PSONO_YUBIKEY_SECRET_KEY

Used to overwrite the YUBIKEY_SECRET_KEY parameter of the settings.yaml, and to configure the required secret key for YubiKey verification, which can be obtained at upgrade.yubico.com/getapikey/ e.g.

export PSONO_YUBIKEY_SECRET_KEY=abcd

# PSONO_YUBICO_API_URLS

Used to overwrite the YUBICO_API_URLS parameter of the settings.yaml, and to specify urls to own yubico API servers, separated by a comma e.g.

export PSONO_YUBICO_API_URLS=https://yubico1.example.com,https://yubico2.example.com

# PSONO_EMAIL_BACKEND

Used to overwrite the EMAIL_BACKEND parameter of the settings.yaml, and to change the backend used for emails e.g.

export PSONO_EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend

# PSONO_MAILGUN_API_URL

Used to overwrite the MAILGUN_API_URL parameter of the settings.yaml, and to specify the mailgun api url e.g.

export PSONO_MAILGUN_API_URL=https://api.eu.mailgun.net/v3

# PSONO_MAILGUN_ACCESS_KEY

Used to overwrite the MAILGUN_ACCESS_KEY parameter of the settings.yaml, and to specify the mailgun access key e.g.

export PSONO_MAILGUN_ACCESS_KEY=jkhhklbjkzuzbjkbjkz

# PSONO_MAILGUN_SERVER_NAME

Used to overwrite the MAILGUN_SERVER_NAME parameter of the settings.yaml, and to specify the mailgun server name e.g.

export PSONO_MAILGUN_SERVER_NAME=example.com

# PSONO_MAILJET_API_KEY

Used to overwrite the MAILJET_API_KEY parameter of the settings.yaml, and to specify the mailjet api key e.g.

export PSONO_MAILJET_API_KEY=Trhuklhuklhuklhkukhublue

# PSONO_MAILJET_SECRET_KEY

Used to overwrite the MAILJET_SECRET_KEY parameter of the settings.yaml, and to specify the mailjet api secret e.g.

export PSONO_MAILJET_SECRET_KEY=hfrgdtes3xwtdt4edh4tghdge

# PSONO_MAILJET_API_URL

Used to overwrite the MAILJET_API_URL parameter of the settings.yaml, and to specify the mailjet api url e.g.

export PSONO_MAILJET_API_URL=https://api.mailjet.com/v3

# PSONO_MANDRILL_API_KEY

Used to overwrite the MANDRILL_API_KEY parameter of the settings.yaml, and to specify the mandrill api key e.g.

export PSONO_MANDRILL_API_KEY=fdhbdfdfbdfbdfgfgd

# PSONO_MANDRILL_API_URL

Used to overwrite the MANDRILL_API_URL parameter of the settings.yaml, and to specify the mandrill api url e.g.

export PSONO_MANDRILL_API_URL=https://mandrillapp.com/api/1.0

# PSONO_POSTMARK_SERVER_TOKEN

Used to overwrite the POSTMARK_SERVER_TOKEN parameter of the settings.yaml, and to specify the postmark server token e.g.

export PSONO_POSTMARK_SERVER_TOKEN=fdhbdfdfbdfbdfgfgd

# PSONO_POSTMARK_API_URL

Used to overwrite the POSTMARK_API_URL parameter of the settings.yaml, and to specify the postmark api url e.g.

export PSONO_POSTMARK_API_URL=https://api.postmarkapp.com/

# PSONO_SENDGRID_API_KEY

Used to overwrite the SENDGRID_API_KEY parameter of the settings.yaml, and to specify the sendgrid api key e.g.

export PSONO_SENDGRID_API_KEY=fdhbdfdfbdfbdfgfgd

# PSONO_SENDGRID_API_URL

Used to overwrite the SENDGRID_API_URL parameter of the settings.yaml, and to specify the sendgrid api url e.g.

export PSONO_SENDGRID_API_URL=https://api.sendgrid.com/v3/

# PSONO_SENDINBLUE_API_KEY

Used to overwrite the SENDINBLUE_API_KEY parameter of the settings.yaml, and to specify the sendinblue api key e.g.

export PSONO_SENDINBLUE_API_KEY=fdhbdfdfbdfbdfgfgd

# PSONO_SENDINBLUE_API_URL

Used to overwrite the SENDINBLUE_API_URL parameter of the settings.yaml, and to specify the sendinblue api url e.g.

export PSONO_SENDINBLUE_API_URL=https://api.sendinblue.com/v3/

# PSONO_SPARKPOST_API_KEY

Used to overwrite the SPARKPOST_API_KEY parameter of the settings.yaml, and to specify the sparkpost api key e.g.

export PSONO_SPARKPOST_API_KEY=fdhbdfdfbdfbdfgfgd

# PSONO_SPARKPOST_API_URL

Used to overwrite the SPARKPOST_API_URL parameter of the settings.yaml, and to specify the sparkpost api url e.g.

export PSONO_SPARKPOST_API_URL=https://api.eu.sparkpost.com/api/v1

# PSONO_IGNORE_UNSUPPORTED_FEATURES

Used to overwrite the IGNORE_UNSUPPORTED_FEATURES parameter of the settings.yaml, and to ignore unsupported features in email delivery with certain providers e.g.

export PSONO_IGNORE_UNSUPPORTED_FEATURES=True

# PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID

Used to overwrite the AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID parameter of the settings.yaml, and to configure the access key id for Amazon SES e.g.

export PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID=dthdhtdhtsrgdsrgrg

# PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY

Used to overwrite the AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY parameter of the settings.yaml, and to configure the secret access key for Amazon SES e.g.

export PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY=dfdfhgdrgdrgrgddhrtg

# PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME

Used to overwrite the AMAZON_SES_CLIENT_PARAMS_REGION_NAME parameter of the settings.yaml, and to configure the region for Amazon SES e.g.

export PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME=us-west-2

# PSONO_HEALTHCHECK_TIME_SYNC_ENABLED

Used to overwrite the HEALTHCHECK_TIME_SYNC_ENABLED parameter of the settings.yaml, and to disable the healthcheck for the time sync e.g.

export PSONO_HEALTHCHECK_TIME_SYNC_ENABLED=False

# PSONO_CACHE_ENABLE

Used to overwrite the CACHE_ENABLE parameter of the settings.yaml, and to enable caching e.g.

export PSONO_CACHE_ENABLE=True

# PSONO_CACHE_DB

Used to overwrite the CACHE_DB parameter of the settings.yaml, and to specify the DB as central cache e.g.

export PSONO_CACHE_DB=True

# PSONO_CACHE_REDIS

Used to overwrite the CACHE_REDIS parameter of the settings.yaml, and to specify redis as central cache e.g.

export PSONO_CACHE_REDIS=True

# PSONO_CACHE_REDIS_LOCATION

Used to overwrite the CACHE_REDIS_LOCATION parameter of the settings.yaml, and to specify the redis host, port and database for caching e.g.

export PSONO_CACHE_REDIS_LOCATION=redis://localhost:6379/0

# PSONO_THROTTLING

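Used to overwrite the THROTTLING parameter of the settings.yaml; setting it to False disables all rate limits, including the ones on login and second factor verification, so keep throttling enabled outside of testing e.g.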

export PSONO_THROTTLING=False

# PSONO_DISABLE_LAST_PASSWORDS

Used to overwrite the DISABLE_LAST_PASSWORDS parameter of the settings.yaml, and to prevent the user from reusing the last X passwords e.g.

export PSONO_DISABLE_LAST_PASSWORDS=5

# PSONO_MANAGEMENT_ENABLED

Used to overwrite the MANAGEMENT_ENABLED parameter of the settings.yaml, and to enable the management API required for the portal e.g.

export PSONO_MANAGEMENT_ENABLED=True

# PSONO_FILESERVER_HANDLER_ENABLED

Used to overwrite the FILESERVER_HANDLER_ENABLED parameter of the settings.yaml, and to enable the fileserver API required for fileservers e.g.

export PSONO_FILESERVER_HANDLER_ENABLED=True

# PSONO_FILES_ENABLED

Used to overwrite the FILES_ENABLED parameter of the settings.yaml, and to disable the file upload e.g.

export PSONO_FILES_ENABLED=False

# PSONO_ACTIVATION_LINK_TIME_VALID

Used to overwrite the ACTIVATION_LINK_TIME_VALID parameter of the settings.yaml, and to specify a time in seconds that an activation link is valid before expiration e.g.

export PSONO_ACTIVATION_LINK_TIME_VALID=2592000

# PSONO_DEFAULT_TOKEN_TIME_VALID

Used to overwrite the DEFAULT_TOKEN_TIME_VALID parameter of the settings.yaml, and to specify a time in seconds that a session is valid before expiration e.g.

export PSONO_DEFAULT_TOKEN_TIME_VALID=86400

# PSONO_MAX_WEB_TOKEN_TIME_VALID

Used to overwrite the MAX_WEB_TOKEN_TIME_VALID parameter of the settings.yaml, and to specify a time in seconds that a session of a webclient is valid before expiration e.g.

export PSONO_MAX_WEB_TOKEN_TIME_VALID=2592000

# PSONO_MAX_APP_TOKEN_TIME_VALID

Used to overwrite the MAX_APP_TOKEN_TIME_VALID parameter of the settings.yaml, and to specify a time in seconds that a session of an app is valid before expiration e.g.

export PSONO_MAX_APP_TOKEN_TIME_VALID=31536000

# PSONO_MAX_API_KEY_TOKEN_TIME_VALID

Used to overwrite the MAX_API_KEY_TOKEN_TIME_VALID parameter of the settings.yaml, and to specify a time in seconds that a session of an API key is valid before expiration e.g.

export PSONO_MAX_API_KEY_TOKEN_TIME_VALID=600

# PSONO_RECOVERY_VERIFIER_TIME_VALID

Used to overwrite the RECOVERY_VERIFIER_TIME_VALID parameter of the settings.yaml, and to specify a time in seconds that a verification challenge needs to be solved before expiration e.g.

export PSONO_RECOVERY_VERIFIER_TIME_VALID=600

# PSONO_REPLAY_PROTECTION_DISABLED

Used to overwrite the REPLAY_PROTECTION_DISABLED parameter of the settings.yaml, and to disable the replay protection e.g.

export PSONO_REPLAY_PROTECTION_DISABLED=True

# PSONO_DEVICE_PROTECTION_DISABLED

Used to overwrite the DEVICE_PROTECTION_DISABLED parameter of the settings.yaml, and to disable the device protection e.g.

export PSONO_DEVICE_PROTECTION_DISABLED=True

# PSONO_REPLAY_PROTECTION_TIME_DFFERENCE

Used to overwrite the REPLAY_PROTECTION_TIME_DFFERENCE parameter of the settings.yaml, and to configure a time in seconds for time differences on the device (the value is a number of seconds, so the True shown below appears to be a placeholder) e.g.

export PSONO_REPLAY_PROTECTION_TIME_DFFERENCE=True

# PSONO_DISABLE_CALLBACKS

Used to overwrite the DISABLE_CALLBACKS parameter of the settings.yaml, and to enable or disable callbacks e.g.

export PSONO_DISABLE_CALLBACKS=False

WARNING

The use of callbacks might allow attackers to execute an SSRF attack. Before you enable callbacks you should either isolate the system network-wise or use ALLOWED_CALLBACK_URL_PREFIX to whitelist possible targets for callbacks.

# PSONO_DISABLE_CENTRAL_SECURITY_REPORTS

Used to overwrite the DISABLE_CENTRAL_SECURITY_REPORTS parameter of the settings.yaml, and to disable central security reports e.g.

export PSONO_DISABLE_CENTRAL_SECURITY_REPORTS=True

# PSONO_ALLOWED_CALLBACK_URL_PREFIX

Used to overwrite the ALLOWED_CALLBACK_URL_PREFIX parameter of the settings.yaml, and to whitelist certain URL prefixes to receive callbacks e.g.

export PSONO_ALLOWED_CALLBACK_URL_PREFIX=https://example.com/path,http://test.example.com

# PSONO_ALLOWED_FILE_REPOSITORY_TYPES

Used to overwrite the ALLOWED_FILE_REPOSITORY_TYPES parameter of the settings.yaml, and to limit the allowed file repository providers e.g.

export PSONO_ALLOWED_FILE_REPOSITORY_TYPES=azure_blob,gcp_cloud_storage,aws_s3,do_spaces,backblaze,other_s3

WARNING

If you use "Other S3 Compatible" file repositories (other_s3), you should use ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX to limit the potential targets, otherwise this may lead to the possibility of SSRF attacks.

# PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX

Used to overwrite the ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX parameter of the settings.yaml, and to limit the target for "Other S3 compatible" file repositories e.g.

export PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX=https://s3.example.com/path,https://others3.example.com

# PSONO_ALLOW_MULTIPLE_SESSIONS

Used to overwrite the ALLOW_MULTIPLE_SESSIONS parameter of the settings.yaml, and to prevent multiple sessions e.g.

export PSONO_ALLOW_MULTIPLE_SESSIONS=False

# PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID

Used to overwrite the AUTO_PROLONGATION_TOKEN_TIME_VALID parameter of the settings.yaml, and configure the time that a session is prolonged upon activity in seconds, so 900 for 15 minutes e.g.

export PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID=900

# PSONO_SECURE_PROXY_SSL_HEADER

Used to overwrite the SECURE_PROXY_SSL_HEADER parameter of the settings.yaml, and to specify Django's SECURE_PROXY_SSL_HEADER e.g.

export PSONO_SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https

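More information can be found at docs.djangoproject.com/en/3.2/ref/settings/. Only set this parameter when the proxy in front of the server sets the header itself and strips it from incoming client requests; otherwise a client can mark a plain HTTP request as secure.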

# PSONO_TIME_SERVER

Used to overwrite the TIME_SERVER parameter of the settings.yaml, and to configure your own time server that should be used for the time health check e.g.

export PSONO_TIME_SERVER=time.example.com

# PSONO_AUTHENTICATION_METHODS

Used to overwrite the AUTHENTICATION_METHODS parameter of the settings.yaml, and to specify the list of allowed authentication methods separated by a comma e.g.

export PSONO_AUTHENTICATION_METHODS=LDAP,SAML,AUTHKEY,OIDC

# PSONO_SENTRY_DSN

Used to overwrite the SENTRY_DSN parameter of the settings.yaml, and to configure the DSN parameter of sentry e.g.

export PSONO_SENTRY_DSN=https://...

# PSONO_SENTRY_ENVIRONMENT

Used to overwrite the SENTRY_ENVIRONMENT parameter of the settings.yaml, and to configure the environment parameter of sentry e.g.

export PSONO_SENTRY_ENVIRONMENT=production

# Server: UWSGI

Psono's server component is a python application that runs with UWSGI which can be configured if necessary.

# UWSGI_PORT

Used to specify the UWSGI port, by default 80 e.g.

export UWSGI_PORT=80

# UWSGI_PROCESSES

Used to specify the amount of processes that UWSGI spawns to handle requests. A smaller amount can be favorable if you have less resources or a higher amount if you have more than 4 cores. By default 10. Rule of thumb: 2 x #cores + 2 e.g.

export UWSGI_PROCESSES=10

# UWSGI_BUFFER_SIZE

Used to specify the buffer size of UWSGI, by default 8192 bytes e.g.

export UWSGI_BUFFER_SIZE=8192

# Server: Enterprise Edition only

There are certain environment variables that only work with the enterprise edition server.

# PSONO_LICENSE_CODE

Used to overwrite the LICENSE_CODE parameter of the settings.yaml, and to configure a license code to prevent the server from trying to connect to the license server e.g.

export PSONO_LICENSE_CODE=jkhzzjzgkghjbztktbjhtgvhzjfzjgfzjkzbjkzbjkzbjkkgzjgzjk

# PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS

Used to overwrite the COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS parameter of the settings.yaml, and to prevent central security reports e.g.

export PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS=False

# PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL

Used to overwrite the COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL parameter of the settings.yaml, and to specify the recurrence interval in seconds for security reports. 0 disables it. e.g.

export PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL=2592000

# PSONO_COMPLIANCE_ENFORCE_2FA

Used to overwrite the COMPLIANCE_ENFORCE_2FA parameter of the settings.yaml, and to enforce second factors e.g.

export PSONO_COMPLIANCE_ENFORCE_2FA=True

# PSONO_COMPLIANCE_DISABLE_EXPORT

Used to overwrite the COMPLIANCE_DISABLE_EXPORT parameter of the settings.yaml, and to disable the export feature e.g.

export PSONO_COMPLIANCE_DISABLE_EXPORT=True

# PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS

Used to overwrite the COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS parameter of the settings.yaml, and to disable the export of shared items e.g.

export PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS=True

# PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS

Used to overwrite the COMPLIANCE_DISABLE_UNMANAGED_GROUPS parameter of the settings.yaml, and to disable unmanaged groups, so normal users cannot create groups anymore e.g.

export PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS=True

# PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT

Used to overwrite the COMPLIANCE_DISABLE_DELETE_ACCOUNT parameter of the settings.yaml, and to disable the delete account option e.g.

export PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT=True

# PSONO_COMPLIANCE_DISABLE_API_KEYS

Used to overwrite the COMPLIANCE_DISABLE_API_KEYS parameter of the settings.yaml, and to disable API keys e.g.

export PSONO_COMPLIANCE_DISABLE_API_KEYS=True

# PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES

Used to overwrite the COMPLIANCE_DISABLE_EMERGENCY_CODES parameter of the settings.yaml, and to disable emergency codes e.g.

export PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES=True

# PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES

Used to overwrite the COMPLIANCE_DISABLE_RECOVERY_CODES parameter of the settings.yaml, and to disable recovery codes e.g.

export PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES=True

# PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES

Used to overwrite the COMPLIANCE_DISABLE_FILE_REPOSITORIES parameter of the settings.yaml, and to disable file repositories e.g.

export PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES=True

# PSONO_COMPLIANCE_DISABLE_LINK_SHARES

Used to overwrite the COMPLIANCE_DISABLE_LINK_SHARES parameter of the settings.yaml, and to disable link shares e.g.

export PSONO_COMPLIANCE_DISABLE_LINK_SHARES=True

# PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE

Used to overwrite the COMPLIANCE_DISABLE_OFFLINE_MODE parameter of the settings.yaml, and to prevent offline mode e.g.

export PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE=True

# PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID

Used to overwrite the COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID parameter of the settings.yaml, and to restrict how long an offline cache can be used e.g.

export PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID=31536000

# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH

Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH parameter of the settings.yaml, and to specify a minimal master password length e.g.

export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH=14

# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY

Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY parameter of the settings.yaml, and to enforce a minimal password complexity e.g.

export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY=3


# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH

Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH parameter of the settings.yaml, and to configure the default length for passwords generated by the password generator e.g.

export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH=16

# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE

Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE parameter of the settings.yaml, and to configure the default set of uppercase letters for passwords generated by the password generator e.g.

export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE=ABCDEFGHIJKLMNOPQRSTUVWXYZ

# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE

Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE parameter of the settings.yaml, and to configure the default set of lowercase letters for passwords generated by the password generator e.g.

export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE=abcdefghijklmnopqrstuvwxyz

# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS

Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS parameter of the settings.yaml, and to configure the default set of numbers for passwords generated by the password generator e.g.

export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS=0123456789

# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS

Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS parameter of the settings.yaml, and to configure the default set of special characters for passwords generated by the password generator e.g.

export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS=,.-:_

# PSONO_LDAPGATEWAY_TIMEOUT

Used to overwrite the LDAPGATEWAY_TIMEOUT parameter of the settings.yaml, and to configure the timeout in seconds for LDAP gateway requests e.g.

export PSONO_LDAPGATEWAY_TIMEOUT=10

# PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS

Used to overwrite the LDAPGATEWAY_EXCLUSIVE_SECRETS parameter of the settings.yaml, and to specify that the LDAP gateway should handle all user secrets exclusively e.g.

export PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS=True

# PSONO_LDAPGATEWAY

Used to overwrite the LDAPGATEWAY parameter of the settings.yaml, and to configure the connection to a LDAP gateway e.g.

export PSONO_LDAPGATEWAY=[...]

With [...] being the json representation of the LDAPGATEWAY yaml, e.g.

[
    {
      "CLIENT_ID": "3073da7d-5925-4142-a50b-f0478d7ee4aa",
      "CLIENT_PRIVATE_KEY": "5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd",
      "SERVER_PUBLIC_KEY": "141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622",
      "SERVER_URL": "https://ldapgateway.example.com",
      "SSL_VERIFY": true
    }
  ]                          

TIP

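Use a YAML-to-JSON converter, e.g. onlineyamltools.com/convert-yaml-to-json, to convert between yaml and json. The real value contains CLIENT_PRIVATE_KEY, so convert it with a local tool rather than pasting it into an online service.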

# PSONO_LDAP

Used to overwrite the LDAP parameter of the settings.yaml, and to configure the connection to an LDAP server e.g.

export PSONO_LDAP=[...]

With [...] being the json representation of the LDAP yaml, e.g.

[
    {
      "LDAP_URL": "ldap://ldap.example.com:389",
      "LDAP_DOMAIN": "example.com",
      "LDAP_BIND_DN": "CN=LDAPPsono,OU=UsersTech,OU=example.com,DC=example,DC=com",
      "LDAP_BIND_PASS": "a_password",
      "LDAP_SEARCH_USER_DN": "OU=Users,OU=example.com,DC=example,DC=com",
      "LDAP_SEARCH_GROUP_DN": "OU=example.com,DC=example,DC=com",
      "LDAP_ATTR_EMAIL": "mail"
    }
  ]

TIP

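Use a YAML-to-JSON converter, e.g. onlineyamltools.com/convert-yaml-to-json, to convert between yaml and json. The real value contains LDAP_BIND_PASS, so convert it with a local tool rather than pasting it into an online service.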

# PSONO_SAML_CONFIGURATIONS

Used to overwrite the SAML_CONFIGURATIONS parameter of the settings.yaml, and to configure the connection to a SAML IDP e.g.

export PSONO_SAML_CONFIGURATIONS={...}

With {...} being the json representation of the SAML_CONFIGURATIONS yaml, e.g.

{
    "1": {
      "idp": {
        "entityId": "http://saml.example.com:8080/simplesaml/saml2/idp/metadata.php",
        "singleLogoutService": {
          "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
          "url": "http://saml.example.com:8080/simplesaml/saml2/idp/SingleLogoutService.php"
        },
        "singleSignOnService": {
          "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
          "url": "http://saml.example.com:8080/simplesaml/saml2/idp/SSOService.php"
        },
        "x509cert": "MIIDXTCCA...==",
        "groups_attribute": "eduPersonAffiliation",
        "username_attribute": "email",
        "email_attribute": "email",
        "username_domain": "example.com",
        "required_group": [
          "group1"
        ],
        "is_adfs": false,
        "honor_multifactors": true,
        "max_session_lifetime": 86400
      },
      "sp": {
        "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
        "assertionConsumerService": {
          "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        },
        "attributeConsumingService": {
          "requestedAttributes": [
            {
              "attributeValue": [],
              "friendlyName": "",
              "isRequired": false,
              "name": "asdf",
              "nameFormat": ""
            }
          ],
          "serviceDescription": "Test Service",
          "serviceName": "SP test"
        },
        "privateKey": "-----BEGIN RSA PRIVATE KEY-----\n.\n.\n.\n-----END RSA PRIVATE KEY-----\n",
        "singleLogoutService": {
          "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        },
        "user_default_active": false,
        "x509cert": "-----BEGIN CERTIFICATE-----\n.\n.\n.\n-----END CERTIFICATE-----\n"
      },
      "strict": true
    }
}

TIP

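Use a YAML-to-JSON converter, e.g. onlineyamltools.com/convert-yaml-to-json, to convert between yaml and json. The real value contains the service provider's privateKey, so convert it with a local tool rather than pasting it into an online service.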

# PSONO_OIDC_CONFIGURATIONS

Used to overwrite the OIDC_CONFIGURATIONS parameter of the settings.yaml, and to configure the connection to an OIDC provider e.g.

export PSONO_OIDC_CONFIGURATIONS={...}

With {...} being the json representation of the OIDC_CONFIGURATIONS yaml, e.g.

{
    "1": {
      "OIDC_RP_SIGN_ALGO": "RS256",
      "OIDC_RP_CLIENT_ID": "2564ebf9-3c1e-43e6-8ba9-e553d80f1000",
      "OIDC_RP_CLIENT_SECRET": "b176052a-bc24-408a-94fe-163750dca482",
      "OIDC_OP_JWKS_ENDPOINT": "http://oidc.example.com:8585/jwks",
      "OIDC_OP_AUTHORIZATION_ENDPOINT": "http://oidc.example.com:8585/authorize",
      "OIDC_OP_TOKEN_ENDPOINT": "http://oidc.example.com:8585/token",
      "OIDC_OP_USER_ENDPOINT": "http://oidc.example.com:8585/userinfo",
      "OIDC_OP_ENDSESSION_ENDPOINT": "http://oidc.example.com:8585/end-session",
      "OIDC_ALLOWED_REDIRECT_URLS": [
        "https://psono.example.com/"
      ],
      "OIDC_GROUPS_ATTRIBUTE_DICT_GROUP_ID": "groupId"
    }
}

TIP

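Use a YAML-to-JSON converter, e.g. onlineyamltools.com/convert-yaml-to-json, to convert between yaml and json. The real value contains OIDC_RP_CLIENT_SECRET, so convert it with a local tool rather than pasting it into an online service.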

# PSONO_LOGGING_AUDIT

Used to overwrite the LOGGING_AUDIT parameter of the settings.yaml, and to enable audit logging e.g.

export PSONO_LOGGING_AUDIT=True

# PSONO_LOGGING_AUDIT_WHITELIST

Used to overwrite the LOGGING_AUDIT_WHITELIST parameter of the settings.yaml, and to whitelist only certain events to be logged, separated by a comma e.g.

export PSONO_LOGGING_AUDIT_WHITELIST=API_KEY_LOGIN_ERROR,SAML_LOGIN_ERROR,SAML_INITIATE_LOGIN_ERROR,SAML_LOGIN_ERROR,OIDC_INITIATE_LOGIN_ERROR

# PSONO_LOGGING_AUDIT_BLACKLIST

Used to overwrite the LOGGING_AUDIT_BLACKLIST parameter of the settings.yaml, and to blacklist certain events so they are not logged, separated by a comma e.g.

export PSONO_LOGGING_AUDIT_BLACKLIST=CHECK_HEALTH_SUCCESS,READ_STATUS_SUCCESS

# PSONO_LOGGING_AUDIT_FOLDER

Used to overwrite the LOGGING_AUDIT_FOLDER parameter of the settings.yaml, and used to configure the directory for the audit log files e.g.

export PSONO_LOGGING_AUDIT_FOLDER=/var/log/psono

# PSONO_LOGGING_AUDIT_TIME

Used to overwrite the LOGGING_AUDIT_TIME parameter of the settings.yaml, and used to configure a different timezone for the logging. Either UTC (value time_utc) or your server time (value time_server) e.g.

export PSONO_LOGGING_AUDIT_TIME=time_utc

# PSONO_LOGSTASH_FORMATTER

Used to overwrite the LOGSTASH_FORMATTER parameter of the settings.yaml, and to specify a different formatter e.g.

export PSONO_LOGSTASH_FORMATTER=logstash_async.formatter.DjangoLogstashFormatter

# PSONO_LOGSTASH_MESSAGE_TYPE

Used to overwrite the LOGSTASH_MESSAGE_TYPE parameter of the settings.yaml, and to specify a different message type e.g.

export PSONO_LOGSTASH_MESSAGE_TYPE=psono:auditLog

# PSONO_LOGSTASH_EXTRA_PREFIX

Used to overwrite the LOGSTASH_EXTRA_PREFIX parameter of the settings.yaml, and to specify a certain prefix e.g.

export PSONO_LOGSTASH_EXTRA_PREFIX=something_

# PSONO_SPLUNK_HOST

Used to overwrite the SPLUNK_HOST parameter of the settings.yaml, and to specify the host of your Splunk Receiver e.g.

export PSONO_SPLUNK_HOST=splunk.example.com

# PSONO_SPLUNK_PORT

Used to overwrite the SPLUNK_PORT parameter of the settings.yaml, and to specify the port of your Splunk Receiver e.g.

export PSONO_SPLUNK_PORT=1234

# PSONO_SPLUNK_TOKEN

Used to overwrite the SPLUNK_TOKEN parameter of the settings.yaml, and to specify the generated token of your Splunk Receiver e.g.

export PSONO_SPLUNK_TOKEN=YOUR_SPLUNK_TOKEN

# PSONO_SPLUNK_INDEX

Used to overwrite the SPLUNK_INDEX parameter of the settings.yaml, and to specify the Splunk index that should be used e.g.

export PSONO_SPLUNK_INDEX=whatever

# PSONO_SPLUNK_VERIFY

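Used to overwrite the SPLUNK_VERIFY parameter of the settings.yaml. Setting it to False disables SSL verification for your Splunk transport, which means the receiver's certificate is no longer checked and the audit events sent to it can be read or altered in transit; only do this in test setups, e.g.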

export PSONO_SPLUNK_VERIFY=False

# PSONO_SPLUNK_PROTOCOL

Used to overwrite the SPLUNK_PROTOCOL parameter of the settings.yaml, and to specify the Splunk transport mechanism e.g.

export PSONO_SPLUNK_PROTOCOL=https

# PSONO_SPLUNK_SOURCETYPE

Used to overwrite the SPLUNK_SOURCETYPE parameter of the settings.yaml, and to specify the source type of the entries in Splunk e.g.

export PSONO_SPLUNK_SOURCETYPE=psono:auditLog

# PSONO_LOGSTASH_HANDLER

Used to overwrite the LOGSTASH_HANDLER parameter of the settings.yaml, and to configure a different handler class e.g.

export PSONO_LOGSTASH_HANDLER=logstash_async.handler.SynchronousLogstashHandler

# PSONO_LOGSTASH_TRANSPORT

Used to overwrite the LOGSTASH_TRANSPORT parameter of the settings.yaml, and used to specify a different transport mechanism e.g.

export PSONO_LOGSTASH_TRANSPORT=logstash_async.transport.TcpTransport

# PSONO_LOGSTASH_HOST

Used to overwrite the LOGSTASH_HOST parameter of the settings.yaml, and to specify the logstash host e.g.

export PSONO_LOGSTASH_HOST=logstash.example.com

# PSONO_LOGSTASH_PORT

Used to overwrite the LOGSTASH_PORT parameter of the settings.yaml, and to specify the logstash port e.g.

export PSONO_LOGSTASH_PORT=5959

# PSONO_LOGSTASH_SSL_ENABLED

Used to overwrite the LOGSTASH_SSL_ENABLED parameter of the settings.yaml, and to specify whether one wants to use SSL or not e.g.

export PSONO_LOGSTASH_SSL_ENABLED=True

# PSONO_LOGSTASH_SSL_VERIFY

Used to overwrite the LOGSTASH_SSL_VERIFY parameter of the settings.yaml, and to specify whether to verify the certificate or not e.g.

export PSONO_LOGSTASH_SSL_VERIFY=True

# PSONO_LOGSTASH_CA_CERTS

Used to overwrite the LOGSTASH_CA_CERTS parameter of the settings.yaml, and to specify the path to a file containing the custom CAs e.g.

export PSONO_LOGSTASH_CA_CERTS=/etc/ssl/custom.ca

# PSONO_LOGSTASH_CERFILE

Used to overwrite the LOGSTASH_CERFILE parameter of the settings.yaml, and to specify the path to an own cert file e.g.

export PSONO_LOGSTASH_CERFILE=/etc/ssl/logstash.cert

# PSONO_LOGSTASH_KEYFILE

Used to overwrite the LOGSTASH_KEYFILE parameter of the settings.yaml, and to specify the path to an own key file e.g.

export PSONO_LOGSTASH_KEYFILE=/etc/ssl/logstash.key

# PSONO_LOGSTASH_DATABASE_PATH

Used to overwrite the LOGSTASH_DATABASE_PATH parameter of the settings.yaml, and to configure a custom path for the database e.g.

export PSONO_LOGSTASH_DATABASE_PATH=/logstash/database/

# Client

You can configure the client with the following parameter.

# PSONO_WEBCLIENT_CONFIG_JSON

Used to overwrite the config.json, e.g.

export PSONO_WEBCLIENT_CONFIG_JSON={...}

With {...} being the config.json e.g.

{
  "backend_servers": [{
    "title": "Psono.pw"
  }],
  "allow_custom_server": true,
  "allow_registration": true,
  "allow_lost_password": true,
  "authentication_methods": ["AUTHKEY", "LDAP"],
  "more_links": [{
    "href": "https://doc.psono.com/",
    "title": "DOCUMENTATION",
    "class": "fa-book"
  },{
    "href": "privacy-policy.html",
    "title": "PRIVACY_POLICY",
    "class": "fa-user-secret"
  },{
    "href": "https://www.psono.com",
    "title": "ABOUT_US",
    "class": "fa-info-circle"
  }]
}

# Portal

You can configure the portal with the following parameter.

# PSONO_PORTAL_CONFIG_JSON

Used to overwrite the config.json, e.g.

export PSONO_PORTAL_CONFIG_JSON={...}

With {...} being the config.json e.g.

{
  "backend_servers": [{
    "title": "Psono.pw"
  }],
  "allow_custom_server": true,
  "allow_registration": true,
  "allow_lost_password": true,
  "authentication_methods": ["AUTHKEY", "LDAP"],
  "more_links": [{
    "href": "https://doc.psono.com/",
    "title": "DOCUMENTATION",
    "class": "fa-book"
  },{
    "href": "privacy-policy.html",
    "title": "PRIVACY_POLICY",
    "class": "fa-user-secret"
  },{
    "href": "https://www.psono.com",
    "title": "ABOUT_US",
    "class": "fa-info-circle"
  }]
}

# Combo Images

Psono combo images come with an nginx, that glues the bundled server, client and portal together. You can use the following parameters to configure the nginx.

# NGINX_WORKER_PROCESSES

Used to configure nginx' worker_processes parameter, defaults to 1.

export NGINX_WORKER_PROCESSES=1

# NGINX_STRICT_TRANSPORT_SECURITY

Used to configure nginx' add_header Strict-Transport-Security parameter, defaults to not being specified.

export NGINX_STRICT_TRANSPORT_SECURITY='"max-age=31536000; includeSubDomains" always;'

# NGINX_HEADER_REFERRER_POLICY

Used to configure nginx' add_header Referrer-Policy parameter, defaults to same-origin.

export NGINX_HEADER_REFERRER_POLICY=same-origin

# NGINX_HEADER_X_FRAME_OPTIONS

Used to configure nginx' add_header X-Frame-Options parameter, defaults to DENY.

export NGINX_HEADER_X_FRAME_OPTIONS=DENY

# NGINX_HEADER_X_CONTENT_TYPE_OPTIONS

Used to configure nginx' add_header X-Content-Type-Options parameter, defaults to nosniff.

export NGINX_HEADER_X_CONTENT_TYPE_OPTIONS=nosniff

# NGINX_HEADER_X_XSS_PROTECTION

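Used to configure nginx' add_header X-XSS-Protection parameter, defaults to "1; mode=block". Current browsers have removed their built-in XSS filters and ignore this header, so the Content-Security-Policy header below is what actually restricts script execution.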

export NGINX_HEADER_X_XSS_PROTECTION='"1; mode=block"'

# NGINX_HEADER_CONTENT_SECURITY_POLICY

Used to configure nginx' add_header Content-Security-Policy parameter, defaults to "default-src none; manifest-src self; connect-src self https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src self; img-src self www.google-analytics.com data:; script-src self www.google-analytics.com; style-src self unsafe-inline; object-src self; child-src self; form-action self".

export NGINX_HEADER_CONTENT_SECURITY_POLICY="\"default-src 'none'; manifest-src 'self'; connect-src 'self' https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src 'self'; img-src 'self' www.google-analytics.com data:; script-src 'self' www.google-analytics.com; style-src 'self' 'unsafe-inline'; object-src 'self'; child-src 'self'; form-action 'self'\""