# Environment Variables
You can actually configure Psono with environment variables instead of config files.
- Server: Required
- Server: Recommended
- Server: Other
- PSONO_DEBUG
- PSONO_DISABLED
- PSONO_MAINTENANCE_ACTIVE
- PSONO_ALLOWED_HOSTS
- PSONO_ALLOW_REGISTRATION
- PSONO_ALLOW_LOST_PASSWORD
- PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL
- PSONO_ALLOWED_SECOND_FACTORS
- PSONO_ALLOW_USER_SEARCH_BY_EMAIL
- PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
- PSONO_DUO_INTEGRATION_KEY
- PSONO_DUO_SECRET_KEY
- PSONO_DUO_API_HOSTNAME
- PSONO_DUO_PROXY_HOST
- PSONO_DUO_PROXY_PORT
- PSONO_DUO_PROXY_HEADERS
- PSONO_DUO_PROXY_TYPE
- PSONO_MULTIFACTOR_ENABLED
- PSONO_REGISTRATION_EMAIL_FILTER
- PSONO_MANAGEMENT_COMMAND_ACCESS_KEY
- PSONO_TRUSTED_IP_HEADER
- PSONO_NUM_PROXIES
- PSONO_THROTTLE_RATE_ANON
- PSONO_THROTTLE_RATE_LOGIN
- PSONO_THROTTLE_RATE_LINK_SHARE_SECRET
- PSONO_THROTTLE_RATE_PASSWORD
- PSONO_THROTTLE_RATE_USER
- PSONO_THROTTLE_RATE_HEALTH_CHECK
- PSONO_THROTTLE_RATE_STATUS_CHECK
- PSONO_THROTTLE_RATE_GA_VERIFY
- PSONO_THROTTLE_RATE_DUO_VERIFY
- PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY
- PSONO_THROTTLE_RATE_REGISTRATION
- PSONO_THROTTLE_RATE_USER_DELETE
- PSONO_THROTTLE_RATE_USER_UPDATE
- PSONO_THROTTLE_RATE_FILESERVER_ALIVE
- PSONO_THROTTLE_RATE_FILESERVER_UPLOAD
- PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
- PSONO_DATABASE_SLAVE_URL
- PSONO_DATABASES_DEFAULT_ENGINE
- PSONO_DATABASES_DEFAULT_NAME
- PSONO_DATABASES_DEFAULT_USER
- PSONO_DATABASES_DEFAULT_PASSWORD
- PSONO_DATABASES_DEFAULT_HOST
- PSONO_DATABASES_DEFAULT_PORT
- PSONO_EMAIL_FROM
- PSONO_EMAIL_HOST
- PSONO_EMAIL_HOST_USER
- PSONO_EMAIL_HOST_PASSWORD
- PSONO_EMAIL_PORT
- PSONO_EMAIL_SUBJECT_PREFIX
- PSONO_EMAIL_USE_TLS
- PSONO_EMAIL_USE_SSL
- PSONO_EMAIL_SSL_CERTFILE
- PSONO_EMAIL_SSL_KEYFILE
- PSONO_EMAIL_TIMEOUT
- PSONO_YUBIKEY_CLIENT_ID
- PSONO_YUBIKEY_SECRET_KEY
- PSONO_YUBICO_API_URLS
- PSONO_EMAIL_BACKEND
- PSONO_MAILGUN_API_URL
- PSONO_MAILGUN_ACCESS_KEY
- PSONO_MAILGUN_SERVER_NAME
- PSONO_MAILJET_API_KEY
- PSONO_MAILJET_SECRET_KEY
- PSONO_MAILJET_API_URL
- PSONO_MANDRILL_API_KEY
- PSONO_MANDRILL_API_URL
- PSONO_POSTMARK_SERVER_TOKEN
- PSONO_POSTMARK_API_URL
- PSONO_SENDGRID_API_KEY
- PSONO_SENDGRID_API_URL
- PSONO_SENDINBLUE_API_KEY
- PSONO_SENDINBLUE_API_URL
- PSONO_SPARKPOST_API_KEY
- PSONO_SPARKPOST_API_URL
- PSONO_IGNORE_UNSUPPORTED_FEATURES
- PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
- PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
- PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME
- PSONO_HEALTHCHECK_TIME_SYNC_ENABLED
- PSONO_CACHE_ENABLE
- PSONO_CACHE_DB
- PSONO_CACHE_REDIS
- PSONO_CACHE_REDIS_LOCATION
- PSONO_THROTTLING
- PSONO_DISABLE_LAST_PASSWORDS
- PSONO_MANAGEMENT_ENABLED
- PSONO_FILESERVER_HANDLER_ENABLED
- PSONO_FILES_ENABLED
- PSONO_ACTIVATION_LINK_TIME_VALID
- PSONO_DEFAULT_TOKEN_TIME_VALID
- PSONO_MAX_WEB_TOKEN_TIME_VALID
- PSONO_MAX_APP_TOKEN_TIME_VALID
- PSONO_MAX_API_KEY_TOKEN_TIME_VALID
- PSONO_RECOVERY_VERIFIER_TIME_VALID
- PSONO_REPLAY_PROTECTION_DISABLED
- PSONO_DEVICE_PROTECTION_DISABLED
- PSONO_REPLAY_PROTECTION_TIME_DFFERENCE
- PSONO_DISABLE_CALLBACKS
- PSONO_DISABLE_CENTRAL_SECURITY_REPORTS
- PSONO_ALLOWED_CALLBACK_URL_PREFIX
- PSONO_ALLOWED_FILE_REPOSITORY_TYPES
- PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
- PSONO_ALLOW_MULTIPLE_SESSIONS
- PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID
- PSONO_SECURE_PROXY_SSL_HEADER
- PSONO_TIME_SERVER
- PSONO_AUTHENTICATION_METHODS
- PSONO_SENTRY_DSN
- PSONO_SENTRY_ENVIRONMENT
- Server: UWSGI
- Server: Enterprise Edition only
- PSONO_LICENSE_CODE
- PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
- PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
- PSONO_COMPLIANCE_ENFORCE_2FA
- PSONO_COMPLIANCE_DISABLE_EXPORT
- PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS
- PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS
- PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT
- PSONO_COMPLIANCE_DISABLE_API_KEYS
- PSONO_COMPLIANCE_SERVER_SECRETS
- PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES
- PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES
- PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES
- PSONO_COMPLIANCE_DISABLE_LINK_SHARES
- PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE
- PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID
- PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
- PSONO_COMPLIANCE_IP_RESTRICTIONS
- PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
- PSONO_LDAPGATEWAY_TIMEOUT
- PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS
- PSONO_LDAPGATEWAY
- PSONO_LDAP
- PSONO_SAML_CONFIGURATIONS
- PSONO_OIDC_CONFIGURATIONS
- PSONO_LOGGING_AUDIT
- PSONO_LOGGING_AUDIT_WHITELIST
- PSONO_LOGGING_AUDIT_BLACKLIST
- PSONO_LOGGING_AUDIT_FOLDER
- PSONO_LOGGING_AUDIT_TIME
- PSONO_LOGSTASH_FORMATTER
- PSONO_LOGSTASH_MESSAGE_TYPE
- PSONO_LOGSTASH_EXTRA_PREFIX
- PSONO_SPLUNK_HOST
- PSONO_SPLUNK_PORT
- PSONO_SPLUNK_TOKEN
- PSONO_SPLUNK_INDEX
- PSONO_SPLUNK_VERIFY
- PSONO_SPLUNK_PROTOCOL
- PSONO_SPLUNK_SOURCETYPE
- PSONO_LOGSTASH_HANDLER
- PSONO_LOGSTASH_TRANSPORT
- PSONO_LOGSTASH_HOST
- PSONO_LOGSTASH_PORT
- PSONO_LOGSTASH_SSL_ENABLED
- PSONO_LOGSTASH_SSL_VERIFY
- PSONO_LOGSTASH_CA_CERTS
- PSONO_LOGSTASH_CERFILE
- PSONO_LOGSTASH_KEYFILE
- PSONO_LOGSTASH_DATABASE_PATH
- Client
- Portal
- Combo Images
# Server: Required
All these parameters need to be configured, either in the settings.yaml
or as environment variables.
# PSONO_SECRET_KEY
*
Used to overwrite the SECRET_KEY
parameter of the settings.yaml
, e.g.
export PSONO_SECRET_KEY=jrgwvgCRPGJeOi9xcFIlfpVL09EZdIkrAJqQIUvTVtB3BO9gsuWi32Ie3VfKtaCk
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and must never change during the lifetime of a server. The value shown above is only an example; generate your own and keep it secret.
# PSONO_PRIVATE_KEY
*
Used to overwrite the PRIVATE_KEY
parameter of the settings.yaml
, e.g.
export PSONO_PRIVATE_KEY=5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd
WARNING
This parameter needs to be generated together with the PUBLIC_KEY
by ./psono/manage.py generateserverkeys
and must never change during the lifetime of a server. The value shown above is only an example; generate your own and keep it secret.
# PSONO_PUBLIC_KEY
*
Used to overwrite the PUBLIC_KEY
parameter of the settings.yaml
, e.g.
export PSONO_PUBLIC_KEY=141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622
WARNING
This parameter needs to be generated together with the PRIVATE_KEY
by ./psono/manage.py generateserverkeys
and must never change during the lifetime of a server.
# PSONO_ACTIVATION_LINK_SECRET
*
Used to overwrite the ACTIVATION_LINK_SECRET
parameter of the settings.yaml
, which is used to generate the "activation links" whenever a user registers e.g.
export PSONO_ACTIVATION_LINK_SECRET=6kkvvTaPisiHMaLFHRPFjCztjByY8LINkxkhBHmj4FpIEk1kdY9aGIR7xulcs6ij
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
# PSONO_DB_SECRET
*
Used to overwrite the DB_SECRET
parameter of the settings.yaml
, and is used to encrypt the data in the database e.g.
export PSONO_DB_SECRET=True
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and must never change during the lifetime of a server. The True in the example above is only a placeholder, not a usable secret.
# PSONO_EMAIL_SECRET_SALT
*
Used to overwrite the EMAIL_SECRET_SALT
parameter of the settings.yaml
, and used to store a hash of the email address in the database to prevent duplicates e.g.
export PSONO_EMAIL_SECRET_SALT=True
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and must never change during the lifetime of a server. The True in the example above is only a placeholder, not a usable salt.
# PSONO_HOST_URL
*
Used to overwrite the HOST_URL
parameter of the settings.yaml
, the url of the server itself e.g.
export PSONO_HOST_URL=https://psono.example.com/server
# PSONO_DATABASE_URL
*
Used to overwrite the DATABASE_URL
parameter of the settings.yaml
, and to connect the Psono server to your database e.g.
export PSONO_DATABASE_URL=postgres://myuser:mypassword@192.168.0.5:5432/mydatabase
or for unix domain socket paths
export PSONO_DATABASE_URL=postgres://%2Fvar%2Flib%2Fpostgresql/mydatabase
WARNING
If you want to specify the host, username and so on separately, you can do so with the optional database parameters listed below.
# Server: Recommended
# PSONO_WEB_CLIENT_URL
Used to overwrite the WEB_CLIENT_URL
parameter of the settings.yaml
, and to specify the location of the webclient e.g.
export PSONO_WEB_CLIENT_URL=https://psono.example.com
# PSONO_ALLOWED_DOMAINS
Used to overwrite the ALLOWED_DOMAINS
parameter of the settings.yaml
as a comma separated list of the domains that you allow as username suffix e.g.
export PSONO_ALLOWED_DOMAINS=example.com,something.else.com
# Server: Other
# PSONO_DEBUG
Used to overwrite the DEBUG
parameter of the settings.yaml
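and enables the debug mode (meant for development; leave it off on production servers, because debug output can expose internal details of the installation), e.g.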
export PSONO_DEBUG=True
# PSONO_DISABLED
Used to overwrite the DISABLED
parameter of the settings.yaml
and disables the server, e.g.
export PSONO_DISABLED=True
# PSONO_MAINTENANCE_ACTIVE
Used to overwrite the MAINTENANCE_ACTIVE
parameter of the settings.yaml
and enables the maintenance mode, e.g.
export PSONO_MAINTENANCE_ACTIVE=True
# PSONO_ALLOWED_HOSTS
Used to overwrite the ALLOWED_HOSTS
parameter of the settings.yaml
as a comma separated list, e.g.
export PSONO_ALLOWED_HOSTS=a.example.com,something.else.com
# PSONO_ALLOW_REGISTRATION
Used to overwrite the ALLOW_REGISTRATION
parameter of the settings.yaml
, and to enable or disable the registration (set it to False to disable it) e.g.
export PSONO_ALLOW_REGISTRATION=True
# PSONO_ALLOW_LOST_PASSWORD
Used to overwrite the ALLOW_LOST_PASSWORD
parameter of the settings.yaml
, and to enable or disable the password recovery mechanism (set it to False to disable it) e.g.
export PSONO_ALLOW_LOST_PASSWORD=True
# PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL
Used to overwrite the ENFORCE_MATCHING_USERNAME_AND_EMAIL
parameter of the settings.yaml
, and enforces matching username and emails e.g.
export PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL=True
# PSONO_ALLOWED_SECOND_FACTORS
Used to overwrite the ALLOWED_SECOND_FACTORS
parameter of the settings.yaml
, and restricts the possible options for second factors e.g.
export PSONO_ALLOWED_SECOND_FACTORS=yubikey_otp,google_authenticator,duo
# PSONO_ALLOW_USER_SEARCH_BY_EMAIL
Used to overwrite the ALLOW_USER_SEARCH_BY_EMAIL
parameter of the settings.yaml
, and allows users to search other users by their email address e.g.
export PSONO_ALLOW_USER_SEARCH_BY_EMAIL=True
# PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
Used to overwrite the ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
parameter of the settings.yaml
, and allows users to search other users by partial usernames e.g.
export PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL=True
# PSONO_DUO_INTEGRATION_KEY
Used to overwrite the DUO_INTEGRATION_KEY
parameter of the settings.yaml
, the duo integration key e.g.
export PSONO_DUO_INTEGRATION_KEY=DI785965869BJHGKZ
# PSONO_DUO_SECRET_KEY
Used to overwrite the DUO_SECRET_KEY
parameter of the settings.yaml
, the duo secret key e.g.
export PSONO_DUO_SECRET_KEY=8ho7IZK7jioi7joi7glZBJKmhnz
# PSONO_DUO_API_HOSTNAME
Used to overwrite the DUO_API_HOSTNAME
parameter of the settings.yaml
, the duo api hostname e.g.
export PSONO_DUO_API_HOSTNAME=api-abcd1234.duosecurity.com
# PSONO_DUO_PROXY_HOST
Used to overwrite the DUO_PROXY_HOST
parameter of the settings.yaml
, the duo proxy host e.g.
export PSONO_DUO_PROXY_HOST=duoproxy.example.com
# PSONO_DUO_PROXY_PORT
Used to overwrite the DUO_PROXY_PORT
parameter of the settings.yaml
, the port of the duo proxy e.g.
export PSONO_DUO_PROXY_PORT=45612
# PSONO_DUO_PROXY_HEADERS
Used to overwrite the DUO_PROXY_HEADERS
parameter of the settings.yaml
, all headers for the duo proxy e.g.
export PSONO_DUO_PROXY_HEADERS=True
# PSONO_DUO_PROXY_TYPE
Used to overwrite the DUO_PROXY_TYPE
parameter of the settings.yaml
, the type of the proxy, by default CONNECT e.g.
export PSONO_DUO_PROXY_TYPE=CONNECT
# PSONO_MULTIFACTOR_ENABLED
Used to overwrite the MULTIFACTOR_ENABLED
parameter of the settings.yaml
, and to enforce multifactor (all second factors need to be solved) e.g.
export PSONO_MULTIFACTOR_ENABLED=True
# PSONO_REGISTRATION_EMAIL_FILTER
Used to overwrite the REGISTRATION_EMAIL_FILTER
parameter of the settings.yaml
, and to enforce that only email addresses from certain domains (separated by commas) can register e.g.
export PSONO_REGISTRATION_EMAIL_FILTER=googlemail.com,gmail.com
# PSONO_MANAGEMENT_COMMAND_ACCESS_KEY
Used to overwrite the MANAGEMENT_COMMAND_ACCESS_KEY
parameter of the settings.yaml
, the authentication parameter for remote management commands e.g.
export PSONO_MANAGEMENT_COMMAND_ACCESS_KEY=kjzunI6789BJKNzbjnmnftbvhKJHUzjnk
# PSONO_TRUSTED_IP_HEADER
Used to overwrite the TRUSTED_IP_HEADER
parameter of the settings.yaml
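, the name of a request header that, if specified and passed through, is trusted to contain the correct IP of the client. Only set this when a proxy you control sets or overwrites the header on every request; otherwise a client can supply the header itself and report any IP address it likes e.g.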
export PSONO_TRUSTED_IP_HEADER=HTTP_CF_CONNECTING_IP
# PSONO_NUM_PROXIES
Used to overwrite the NUM_PROXIES
parameter of the settings.yaml
, the number of proxies in front of the server, which is needed to parse the HTTP_X_FORWARDED_FOR header properly e.g.
export PSONO_NUM_PROXIES=3
# PSONO_THROTTLE_RATE_ANON
Used to overwrite the THROTTLE_RATE_ANON
parameter of the settings.yaml
, and to specify the throttle rate for anonymous access e.g.
export PSONO_THROTTLE_RATE_ANON=1440/day
# PSONO_THROTTLE_RATE_LOGIN
Used to overwrite the THROTTLE_RATE_LOGIN
parameter of the settings.yaml
, and to specify the throttle rate for login requests e.g.
export PSONO_THROTTLE_RATE_LOGIN=48/day
# PSONO_THROTTLE_RATE_LINK_SHARE_SECRET
Used to overwrite the THROTTLE_RATE_LINK_SHARE_SECRET
parameter of the settings.yaml
, and to specify the throttle rate for link share access e.g.
export PSONO_THROTTLE_RATE_LINK_SHARE_SECRET=60/hour
# PSONO_THROTTLE_RATE_PASSWORD
Used to overwrite the THROTTLE_RATE_PASSWORD
parameter of the settings.yaml
, and to specify the throttle rate for password resets e.g.
export PSONO_THROTTLE_RATE_PASSWORD=24/day
# PSONO_THROTTLE_RATE_USER
Used to overwrite the THROTTLE_RATE_USER
parameter of the settings.yaml
, and to specify the throttle rate for all general authenticated requests e.g.
export PSONO_THROTTLE_RATE_USER=86400/day
# PSONO_THROTTLE_RATE_HEALTH_CHECK
Used to overwrite the THROTTLE_RATE_HEALTH_CHECK
parameter of the settings.yaml
, and to specify the throttle rate for requests to the health check endpoint e.g.
export PSONO_THROTTLE_RATE_HEALTH_CHECK=61/hour
# PSONO_THROTTLE_RATE_STATUS_CHECK
Used to overwrite the THROTTLE_RATE_STATUS_CHECK
parameter of the settings.yaml
, and to specify the throttle rate for requests to the status endpoint e.g.
export PSONO_THROTTLE_RATE_STATUS_CHECK=6/minute
# PSONO_THROTTLE_RATE_GA_VERIFY
Used to overwrite the THROTTLE_RATE_GA_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a Google Authenticator second factor challenge e.g.
export PSONO_THROTTLE_RATE_GA_VERIFY=6/minute
# PSONO_THROTTLE_RATE_DUO_VERIFY
Used to overwrite the THROTTLE_RATE_DUO_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a DUO second factor challenge e.g.
export PSONO_THROTTLE_RATE_DUO_VERIFY=6/minute
# PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY
Used to overwrite the THROTTLE_RATE_YUBIKEY_OTP_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a YubiKey second factor challenge e.g.
export PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY=6/minute
# PSONO_THROTTLE_RATE_REGISTRATION
Used to overwrite the THROTTLE_RATE_REGISTRATION
parameter of the settings.yaml
, and to specify how often someone can try to register e.g.
export PSONO_THROTTLE_RATE_REGISTRATION=20/day
# PSONO_THROTTLE_RATE_USER_DELETE
Used to overwrite the THROTTLE_RATE_USER_DELETE
parameter of the settings.yaml
, and to specify how often someone can try to delete their account e.g.
export PSONO_THROTTLE_RATE_USER_DELETE=20/day
# PSONO_THROTTLE_RATE_USER_UPDATE
Used to overwrite the THROTTLE_RATE_USER_UPDATE
parameter of the settings.yaml
, and to specify how often someone can try to update their account e.g.
export PSONO_THROTTLE_RATE_USER_UPDATE=20/day
# PSONO_THROTTLE_RATE_FILESERVER_ALIVE
Used to overwrite the THROTTLE_RATE_FILESERVER_ALIVE
parameter of the settings.yaml
, and to specify how often a fileserver can announce it being alive e.g.
export PSONO_THROTTLE_RATE_FILESERVER_ALIVE=61/minute
# PSONO_THROTTLE_RATE_FILESERVER_UPLOAD
Used to overwrite the THROTTLE_RATE_FILESERVER_UPLOAD
parameter of the settings.yaml
, and to specify how often a fileserver can announce fileuploads e.g.
export PSONO_THROTTLE_RATE_FILESERVER_UPLOAD=10000/minute
# PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
Used to overwrite the THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
parameter of the settings.yaml
, and to specify how often a fileserver can announce file downloads e.g.
export PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD=10000/minute
# PSONO_DATABASE_SLAVE_URL
Used to overwrite the DATABASE_SLAVE_URL
parameter of the settings.yaml
, and to configure a postgres instance that will be used as read slave e.g.
export PSONO_DATABASE_SLAVE_URL=postgres://myuser:mypassword@192.168.0.6:5432/mydatabase
# PSONO_DATABASES_DEFAULT_ENGINE
Used to overwrite the DATABASES_DEFAULT_ENGINE
parameter of the settings.yaml
, and to specify a different database engine e.g.
export PSONO_DATABASES_DEFAULT_ENGINE=django.db.backends.postgresql_psycopg2
# PSONO_DATABASES_DEFAULT_NAME
Used to overwrite the DATABASES_DEFAULT_NAME
parameter of the settings.yaml
, and to specify a database name e.g.
export PSONO_DATABASES_DEFAULT_NAME=mypostgresdatabase
# PSONO_DATABASES_DEFAULT_USER
Used to overwrite the DATABASES_DEFAULT_USER
parameter of the settings.yaml
, and to specify the username used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_USER=mypostgresusername
# PSONO_DATABASES_DEFAULT_PASSWORD
Used to overwrite the DATABASES_DEFAULT_PASSWORD
parameter of the settings.yaml
, and to specify the password used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_PASSWORD=mypostgrespassword
# PSONO_DATABASES_DEFAULT_HOST
Used to overwrite the DATABASES_DEFAULT_HOST
parameter of the settings.yaml
, and to specify the host used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_HOST=192.168.10
# PSONO_DATABASES_DEFAULT_PORT
Used to overwrite the DATABASES_DEFAULT_PORT
parameter of the settings.yaml
, and to specify the port used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_PORT=5432
# PSONO_EMAIL_FROM
Used to overwrite the EMAIL_FROM
parameter of the settings.yaml
, and to specify the email address that is used to send emails e.g.
export PSONO_EMAIL_FROM=something@example.com
# PSONO_EMAIL_HOST
Used to overwrite the EMAIL_HOST
parameter of the settings.yaml
, and to configure the host used to connect to your email server e.g.
export PSONO_EMAIL_HOST=192.168.0.5
# PSONO_EMAIL_HOST_USER
Used to overwrite the EMAIL_HOST_USER
parameter of the settings.yaml
, and to configure the user used to connect to your email server e.g.
export PSONO_EMAIL_HOST_USER=myemailuser
# PSONO_EMAIL_HOST_PASSWORD
Used to overwrite the EMAIL_HOST_PASSWORD
parameter of the settings.yaml
, and to configure the password used to connect to your email server e.g.
export PSONO_EMAIL_HOST_PASSWORD=myemailpassword
# PSONO_EMAIL_PORT
Used to overwrite the EMAIL_PORT
parameter of the settings.yaml
, and to configure the port used to connect to your email server e.g.
export PSONO_EMAIL_PORT=25
# PSONO_EMAIL_SUBJECT_PREFIX
Used to overwrite the EMAIL_SUBJECT_PREFIX
parameter of the settings.yaml
, and to configure a certain prefix being shown in the subject of all emails e.g.
export PSONO_EMAIL_SUBJECT_PREFIX=True
# PSONO_EMAIL_USE_TLS
Used to overwrite the EMAIL_USE_TLS
parameter of the settings.yaml
, and to specify whether to use TLS or not e.g.
export PSONO_EMAIL_USE_TLS=True
TIP
EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.
# PSONO_EMAIL_USE_SSL
Used to overwrite the EMAIL_USE_SSL
parameter of the settings.yaml
, and to specify whether to use SSL or not e.g.
export PSONO_EMAIL_USE_SSL=True
TIP
EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.
# PSONO_EMAIL_SSL_CERTFILE
Used to overwrite the EMAIL_SSL_CERTFILE
parameter of the settings.yaml
, and to specify a path to a certificate file used to authenticate with your email host e.g.
export PSONO_EMAIL_SSL_CERTFILE=/etc/ssl/email.crt
# PSONO_EMAIL_SSL_KEYFILE
Used to overwrite the EMAIL_SSL_KEYFILE
parameter of the settings.yaml
, and to specify a path to a key used to authenticate with your email host e.g.
export PSONO_EMAIL_SSL_KEYFILE=/etc/ssl/email.key
# PSONO_EMAIL_TIMEOUT
Used to overwrite the EMAIL_TIMEOUT
parameter of the settings.yaml
, and to specify a timeout for requests to your email server e.g.
export PSONO_EMAIL_TIMEOUT=10
# PSONO_YUBIKEY_CLIENT_ID
Used to overwrite the YUBIKEY_CLIENT_ID
parameter of the settings.yaml
, and to configure the required Client ID for YubiKey verification, which can be obtained at upgrade.yubico.com/getapikey/ e.g.
export PSONO_YUBIKEY_CLIENT_ID=121334
# PSONO_YUBIKEY_SECRET_KEY
Used to overwrite the YUBIKEY_SECRET_KEY
parameter of the settings.yaml
, and to configure the required secret key for YubiKey verification, which can be obtained at upgrade.yubico.com/getapikey/ e.g.
export PSONO_YUBIKEY_SECRET_KEY=abcd
# PSONO_YUBICO_API_URLS
Used to overwrite the YUBICO_API_URLS
parameter of the settings.yaml
, and to specify urls to own yubico API servers, separated by a comma e.g.
export PSONO_YUBICO_API_URLS=https://yubico1.example.com,https://yubico2.example.com
# PSONO_EMAIL_BACKEND
Used to overwrite the EMAIL_BACKEND
parameter of the settings.yaml
, and to change the backend used for emails e.g.
export PSONO_EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
# PSONO_MAILGUN_API_URL
Used to overwrite the MAILGUN_API_URL
parameter of the settings.yaml
, and to specify the mailgun api url e.g.
export PSONO_MAILGUN_API_URL=https://api.eu.mailgun.net/v3
# PSONO_MAILGUN_ACCESS_KEY
Used to overwrite the MAILGUN_ACCESS_KEY
parameter of the settings.yaml
, and to specify the mailgun access key e.g.
export PSONO_MAILGUN_ACCESS_KEY=jkhhklbjkzuzbjkbjkz
# PSONO_MAILGUN_SERVER_NAME
Used to overwrite the MAILGUN_SERVER_NAME
parameter of the settings.yaml
, and to specify the mailgun server name e.g.
export PSONO_MAILGUN_SERVER_NAME=example.com
# PSONO_MAILJET_API_KEY
Used to overwrite the MAILJET_API_KEY
parameter of the settings.yaml
, and to specify the mailjet api key e.g.
export PSONO_MAILJET_API_KEY=Trhuklhuklhuklhkukhublue
# PSONO_MAILJET_SECRET_KEY
Used to overwrite the MAILJET_SECRET_KEY
parameter of the settings.yaml
, and to specify the mailjet api secret e.g.
export PSONO_MAILJET_SECRET_KEY=hfrgdtes3xwtdt4edh4tghdge
# PSONO_MAILJET_API_URL
Used to overwrite the MAILJET_API_URL
parameter of the settings.yaml
, and to specify the mailjet api url e.g.
export PSONO_MAILJET_API_URL=https://api.mailjet.com/v3
# PSONO_MANDRILL_API_KEY
Used to overwrite the MANDRILL_API_KEY
parameter of the settings.yaml
, and to specify the mandrill api key e.g.
export PSONO_MANDRILL_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_MANDRILL_API_URL
Used to overwrite the MANDRILL_API_URL
parameter of the settings.yaml
, and to specify the mandrill api url e.g.
export PSONO_MANDRILL_API_URL=https://mandrillapp.com/api/1.0
# PSONO_POSTMARK_SERVER_TOKEN
Used to overwrite the POSTMARK_SERVER_TOKEN
parameter of the settings.yaml
, and to specify the postmark server token e.g.
export PSONO_POSTMARK_SERVER_TOKEN=fdhbdfdfbdfbdfgfgd
# PSONO_POSTMARK_API_URL
Used to overwrite the POSTMARK_API_URL
parameter of the settings.yaml
, and to specify the postmark api url e.g.
export PSONO_POSTMARK_API_URL=https://api.postmarkapp.com/
# PSONO_SENDGRID_API_KEY
Used to overwrite the SENDGRID_API_KEY
parameter of the settings.yaml
, and to specify the sendgrid api key e.g.
export PSONO_SENDGRID_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SENDGRID_API_URL
Used to overwrite the SENDGRID_API_URL
parameter of the settings.yaml
, and to specify the sendgrid api url e.g.
export PSONO_SENDGRID_API_URL=https://api.sendgrid.com/v3/
# PSONO_SENDINBLUE_API_KEY
Used to overwrite the SENDINBLUE_API_KEY
parameter of the settings.yaml
, and to specify the sendinblue api key e.g.
export PSONO_SENDINBLUE_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SENDINBLUE_API_URL
Used to overwrite the SENDINBLUE_API_URL
parameter of the settings.yaml
, and to specify the sendinblue api url e.g.
export PSONO_SENDINBLUE_API_URL=https://api.sendinblue.com/v3/
# PSONO_SPARKPOST_API_KEY
Used to overwrite the SPARKPOST_API_KEY
parameter of the settings.yaml
, and to specify the sparkpost api key e.g.
export PSONO_SPARKPOST_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SPARKPOST_API_URL
Used to overwrite the SPARKPOST_API_URL
parameter of the settings.yaml
, and to specify the sparkpost api url e.g.
export PSONO_SPARKPOST_API_URL=https://api.eu.sparkpost.com/api/v1
# PSONO_IGNORE_UNSUPPORTED_FEATURES
Used to overwrite the IGNORE_UNSUPPORTED_FEATURES
parameter of the settings.yaml
, and to ignore unsupported features in email delivery with certain providers e.g.
export PSONO_IGNORE_UNSUPPORTED_FEATURES=True
# PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
parameter of the settings.yaml
, and to configure the access key id for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID=dthdhtdhtsrgdsrgrg
# PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
parameter of the settings.yaml
, and to configure the secret access key for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY=dfdfhgdrgdrgrgddhrtg
# PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_REGION_NAME
parameter of the settings.yaml
, and to configure the region for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME=us-west-2
# PSONO_HEALTHCHECK_TIME_SYNC_ENABLED
Used to overwrite the HEALTHCHECK_TIME_SYNC_ENABLED
parameter of the settings.yaml
, and to disable the healthcheck for the time sync e.g.
export PSONO_HEALTHCHECK_TIME_SYNC_ENABLED=False
# PSONO_CACHE_ENABLE
Used to overwrite the CACHE_ENABLE
parameter of the settings.yaml
, and to enable caching e.g.
export PSONO_CACHE_ENABLE=True
# PSONO_CACHE_DB
Used to overwrite the CACHE_DB
parameter of the settings.yaml
, and to specify the DB as central cache e.g.
export PSONO_CACHE_DB=True
# PSONO_CACHE_REDIS
Used to overwrite the CACHE_REDIS
parameter of the settings.yaml
, and to specify redis as central cache e.g.
export PSONO_CACHE_REDIS=True
# PSONO_CACHE_REDIS_LOCATION
Used to overwrite the CACHE_REDIS_LOCATION
parameter of the settings.yaml
, and to specify the redis host, port and database for caching e.g.
export PSONO_CACHE_REDIS_LOCATION=redis://localhost:6379/0
# PSONO_THROTTLING
Used to overwrite the THROTTLING
parameter of the settings.yaml
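, and disables all rate limits when set to False. The rate limits on login and on second factor verification are what slow down password and code guessing, so leave throttling enabled on any server that untrusted clients can reach e.g.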
export PSONO_THROTTLING=False
# PSONO_DISABLE_LAST_PASSWORDS
Used to overwrite the DISABLE_LAST_PASSWORDS
parameter of the settings.yaml
, and to prevent the user from reusing the last X passwords e.g.
export PSONO_DISABLE_LAST_PASSWORDS=5
# PSONO_MANAGEMENT_ENABLED
Used to overwrite the MANAGEMENT_ENABLED
parameter of the settings.yaml
, and to enable the management API required for the portal e.g.
export PSONO_MANAGEMENT_ENABLED=True
# PSONO_FILESERVER_HANDLER_ENABLED
Used to overwrite the FILESERVER_HANDLER_ENABLED
parameter of the settings.yaml
, and to enable the fileserver API required for fileservers e.g.
export PSONO_FILESERVER_HANDLER_ENABLED=True
# PSONO_FILES_ENABLED
Used to overwrite the FILES_ENABLED
parameter of the settings.yaml
, and to disable the file upload e.g.
export PSONO_FILES_ENABLED=False
# PSONO_ACTIVATION_LINK_TIME_VALID
Used to overwrite the ACTIVATION_LINK_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that an activation link is valid before expiration e.g.
export PSONO_ACTIVATION_LINK_TIME_VALID=2592000
# PSONO_DEFAULT_TOKEN_TIME_VALID
Used to overwrite the DEFAULT_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session is valid before expiration e.g.
export PSONO_DEFAULT_TOKEN_TIME_VALID=86400
# PSONO_MAX_WEB_TOKEN_TIME_VALID
Used to overwrite the MAX_WEB_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of a webclient is valid before expiration e.g.
export PSONO_MAX_WEB_TOKEN_TIME_VALID=2592000
# PSONO_MAX_APP_TOKEN_TIME_VALID
Used to overwrite the MAX_APP_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of an app is valid before expiration e.g.
export PSONO_MAX_APP_TOKEN_TIME_VALID=31536000
# PSONO_MAX_API_KEY_TOKEN_TIME_VALID
Used to overwrite the MAX_API_KEY_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of an API key is valid before expiration e.g.
export PSONO_MAX_API_KEY_TOKEN_TIME_VALID=600
# PSONO_RECOVERY_VERIFIER_TIME_VALID
Used to overwrite the RECOVERY_VERIFIER_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a verification challenge needs to be solved before expiration e.g.
export PSONO_RECOVERY_VERIFIER_TIME_VALID=600
# PSONO_REPLAY_PROTECTION_DISABLED
Used to overwrite the REPLAY_PROTECTION_DISABLED
parameter of the settings.yaml
, and to disable the replay protection e.g.
export PSONO_REPLAY_PROTECTION_DISABLED=True
# PSONO_DEVICE_PROTECTION_DISABLED
Used to overwrite the DEVICE_PROTECTION_DISABLED
parameter of the settings.yaml
, and to disable the device protection e.g.
export PSONO_DEVICE_PROTECTION_DISABLED=True
# PSONO_REPLAY_PROTECTION_TIME_DFFERENCE
Used to overwrite the REPLAY_PROTECTION_TIME_DFFERENCE
parameter of the settings.yaml
, and to configure a time in seconds for time differences on the device e.g.
export PSONO_REPLAY_PROTECTION_TIME_DFFERENCE=True
# PSONO_DISABLE_CALLBACKS
Used to overwrite the DISABLE_CALLBACKS
parameter of the settings.yaml
, and to enable or disable callbacks e.g.
export PSONO_DISABLE_CALLBACKS=False
WARNING
The use of callbacks might allow attackers to execute an SSRF attack. Before you enable callbacks (DISABLE_CALLBACKS set to False) you should either isolate
the system at the network level or use ALLOWED_CALLBACK_URL_PREFIX
to whitelist possible targets for callbacks.
# PSONO_DISABLE_CENTRAL_SECURITY_REPORTS
Used to overwrite the DISABLE_CENTRAL_SECURITY_REPORTS
parameter of the settings.yaml
, and to disable central security reports e.g.
export PSONO_DISABLE_CENTRAL_SECURITY_REPORTS=True
# PSONO_ALLOWED_CALLBACK_URL_PREFIX
Used to overwrite the ALLOWED_CALLBACK_URL_PREFIX
parameter of the settings.yaml
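, and to whitelist certain URL prefixes to receive callbacks. If entries are matched as plain string prefixes (verify this for your version), an entry without a trailing / after the host, like the second one below, would also cover longer host names that start with the same characters, so prefer entries that end in / e.g.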
export PSONO_ALLOWED_CALLBACK_URL_PREFIX=https://example.com/path,http://test.example.com
# PSONO_ALLOWED_FILE_REPOSITORY_TYPES
Used to overwrite the ALLOWED_FILE_REPOSITORY_TYPES
parameter of the settings.yaml
, and to limit the allowed file repository providers e.g.
export PSONO_ALLOWED_FILE_REPOSITORY_TYPES=azure_blob,gcp_cloud_storage,aws_s3,do_spaces,backblaze,other_s3
WARNING
If you allow "Other S3 Compatible" file repositories (other_s3
), you should use ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
to limit the potential targets,
otherwise this may lead to the possibility of SSRF attacks.
# PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
Used to overwrite the ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
parameter of the settings.yaml
, and to limit the target for "Other S3 compatible" file repositories e.g.
export PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX=https://s3.example.com/path,https://others3.example.com
# PSONO_ALLOW_MULTIPLE_SESSIONS
Used to overwrite the ALLOW_MULTIPLE_SESSIONS
parameter of the settings.yaml
, and to prevent multiple sessions e.g.
export PSONO_ALLOW_MULTIPLE_SESSIONS=False
# PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID
Used to overwrite the AUTO_PROLONGATION_TOKEN_TIME_VALID
parameter of the settings.yaml
, and configure the time that a session is prolonged upon activity in seconds, so 900 for 15 minutes e.g.
export PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID=900
# PSONO_SECURE_PROXY_SSL_HEADER
Used to overwrite the SECURE_PROXY_SSL_HEADER
parameter of the settings.yaml
, and to specify Django's SECURE_PROXY_SSL_HEADER
e.g.
export PSONO_SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https
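More information can be found in the Django settings reference at docs.djangoproject.com/en/3.2/ref/settings/
Only set this when a reverse proxy in front of the server sets this header itself and strips any copy sent by the client; otherwise a client can make a plain HTTP request look like a secure one.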
# PSONO_TIME_SERVER
Used to overwrite the TIME_SERVER
parameter of the settings.yaml
, and to configure your own time server that should be used for the time health check e.g.
export PSONO_TIME_SERVER=time.example.com
# PSONO_AUTHENTICATION_METHODS
Used to overwrite the AUTHENTICATION_METHODS
parameter of the settings.yaml
, and to specify the list of allowed authentication methods separated by a comma e.g.
export PSONO_AUTHENTICATION_METHODS=LDAP,SAML,AUTHKEY,OIDC
# PSONO_SENTRY_DSN
Used to overwrite the SENTRY_DSN
parameter of the settings.yaml
, and to configure the DSN parameter of sentry e.g.
export PSONO_SENTRY_DSN=https://...
# PSONO_SENTRY_ENVIRONMENT
Used to overwrite the SENTRY_ENVIRONMENT
parameter of the settings.yaml
, and to configure the environment parameter of sentry e.g.
export PSONO_SENTRY_ENVIRONMENT=production
# Server: UWSGI
Psono's server component is a python application that runs with UWSGI which can be configured if necessary.
# UWSGI_PORT
Used to specify the UWSGI port, by default 80 e.g.
export UWSGI_PORT=80
# UWSGI_PROCESSES
Used to specify the amount of processes that UWSGI spawns to handle requests. A smaller amount can be favorable if you have less resources or a higher amount if you have more than 4 cores. By default 10. Rule of thumb: 2 x #cores + 2 e.g.
export UWSGI_PROCESSES=10
# UWSGI_BUFFER_SIZE
Used to specify the buffer size of UWSGI, by default 8192 bytes e.g.
export UWSGI_BUFFER_SIZE=8192
# Server: Enterprise Edition only
There are certain environment variables that only work with the enterprise edition server.
# PSONO_LICENSE_CODE
Used to overwrite the LICENSE_CODE
parameter of the settings.yaml
, and to configure a license code to prevent the server from trying to connect to the license server e.g.
export PSONO_LICENSE_CODE=jkhzzjzgkghjbztktbjhtgvhzjfzjgfzjkzbjkzbjkzbjkkgzjgzjk
# PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
Used to overwrite the COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
parameter of the settings.yaml
, and to prevent central security reports e.g.
export PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS=False
# PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
Used to overwrite the COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
parameter of the settings.yaml
, and to specify the recurrence interval in seconds for security reports. 0 disables it. e.g.
export PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL=2592000
# PSONO_COMPLIANCE_ENFORCE_2FA
Used to overwrite the COMPLIANCE_ENFORCE_2FA
parameter of the settings.yaml
, and to enforce second factors e.g.
export PSONO_COMPLIANCE_ENFORCE_2FA=True
# PSONO_COMPLIANCE_DISABLE_EXPORT
Used to overwrite the COMPLIANCE_DISABLE_EXPORT
parameter of the settings.yaml
, and to disable the export feature e.g.
export PSONO_COMPLIANCE_DISABLE_EXPORT=True
# PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS
Used to overwrite the COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS
parameter of the settings.yaml
, and to disable the export of shared items e.g.
export PSONO_COMPLIANCE_DISABLE_EXPORT_OF_SHARED_ITEMS=True
# PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS
Used to overwrite the COMPLIANCE_DISABLE_UNMANAGED_GROUPS
parameter of the settings.yaml
, and to disable unmanaged
groups, so normal users cannot create groups anymore e.g.
export PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS=True
# PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT
Used to overwrite the COMPLIANCE_DISABLE_DELETE_ACCOUNT
parameter of the settings.yaml
, and to disable the delete account option e.g.
export PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT=True
# PSONO_COMPLIANCE_DISABLE_API_KEYS
Used to overwrite the COMPLIANCE_DISABLE_API_KEYS
parameter of the settings.yaml
, and to disable API keys e.g.
export PSONO_COMPLIANCE_DISABLE_API_KEYS=True
# PSONO_COMPLIANCE_SERVER_SECRETS
Used to overwrite the COMPLIANCE_SERVER_SECRETS
parameter of the settings.yaml
. By default, the server keeps a backup of the user's keys for SAML / OIDC / LDAP users and therefore does not ask them for an
encryption password during login, while it does not know or store those keys for regular AUTHKEY users (COMPLIANCE_SERVER_SECRETS: 'auto'
).
You may want to change this behavior and potentially force users to use a separate encryption password (COMPLIANCE_SERVER_SECRETS: 'noone'
, most secure but no way to regain access to an account if a user loses his encryption password)
or force even AUTHKEY users to hand over their keys to the server (COMPLIANCE_SERVER_SECRETS: 'all'
, least secure, but allows admins to set a new password for a user if he loses his password) e.g.
export PSONO_COMPLIANCE_SERVER_SECRETS=noone
# PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES
Used to overwrite the COMPLIANCE_DISABLE_EMERGENCY_CODES
parameter of the settings.yaml
, and to disable emergency codes e.g.
export PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES=True
# PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES
Used to overwrite the COMPLIANCE_DISABLE_RECOVERY_CODES
parameter of the settings.yaml
, and to disable recovery codes e.g.
export PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES=True
# PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES
Used to overwrite the COMPLIANCE_DISABLE_FILE_REPOSITORIES
parameter of the settings.yaml
, and to disable file repositories e.g.
export PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES=True
# PSONO_COMPLIANCE_DISABLE_LINK_SHARES
Used to overwrite the COMPLIANCE_DISABLE_LINK_SHARES
parameter of the settings.yaml
, and to disable link shares e.g.
export PSONO_COMPLIANCE_DISABLE_LINK_SHARES=True
# PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE
Used to overwrite the COMPLIANCE_DISABLE_OFFLINE_MODE
parameter of the settings.yaml
, and to prevent offline mode e.g.
export PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE=True
# PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID
Used to overwrite the COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID
parameter of the settings.yaml
, and to restrict how long an offline cache can be used e.g.
export PSONO_COMPLIANCE_MAX_OFFLINE_CACHE_TIME_VALID=31536000
# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
parameter of the settings.yaml
, and to specify a minimal master password length e.g.
export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH=14
# PSONO_COMPLIANCE_IP_RESTRICTIONS
Used to overwrite the COMPLIANCE_IP_RESTRICTIONS
parameter of the settings.yaml
, and to restrict usage (webclient, apps, portal, API keys) of Psono to certain IP ranges.
Specifically excluded are link shares and all API endpoints for the fileserver, SCIM and remote management commands.
export PSONO_COMPLIANCE_IP_RESTRICTIONS=10.5.0.0/24,10.4.0.0/16
# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
parameter of the settings.yaml
, and to enforce a minimal password complexity e.g.
export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY=3
### `PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH`
Used to overwrite the `COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH` parameter of the `settings.yaml`, and to configure the default length for passwords generated by the password generator e.g.
```bash
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH=16
```
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
parameter of the settings.yaml
, and to configure the default set of uppercase letters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE=ABCDEFGHIJKLMNOPQRSTUVWXYZ
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
parameter of the settings.yaml
, and to configure the default set of lowercase letters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE=abcdefghijklmnopqrstuvwxyz
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
parameter of the settings.yaml
, and to configure the default set of numbers for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS=0123456789
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
parameter of the settings.yaml
, and to configure the default set of special characters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS=,.-:_
# PSONO_LDAPGATEWAY_TIMEOUT
Used to overwrite the LDAPGATEWAY_TIMEOUT
parameter of the settings.yaml
, and to configure the timeout in seconds for LDAP gateway requests e.g.
export PSONO_LDAPGATEWAY_TIMEOUT=10
# PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS
Used to overwrite the LDAPGATEWAY_EXCLUSIVE_SECRETS
parameter of the settings.yaml
, and to specify that the LDAP gateway should handle all user secrets exclusively e.g.
export PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS=True
# PSONO_LDAPGATEWAY
Used to overwrite the LDAPGATEWAY
parameter of the settings.yaml
, and to configure the connection to a LDAP gateway e.g.
export PSONO_LDAPGATEWAY=[...]
With [...]
being the json representation of the LDAPGATEWAY yaml, e.g.
[
{
"CLIENT_ID": "3073da7d-5925-4142-a50b-f0478d7ee4aa",
"CLIENT_PRIVATE_KEY": "5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd",
"SERVER_PUBLIC_KEY": "141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622",
"SERVER_URL": "https://ldapgateway.example.com",
"SSL_VERIFY": true
}
]
TIP
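Convert between yaml and json with a local tool, or with an online converter such as onlineyamltools.com/convert-yaml-to-json; replace the private and public keys with placeholders before pasting the configuration into an online service.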
# PSONO_LDAP
Used to overwrite the LDAP
parameter of the settings.yaml
, and to configure the connection to an LDAP server e.g.
export PSONO_LDAP=[...]
With [...]
being the json representation of the LDAP yaml, e.g.
[
{
"LDAP_URL": "ldap://ldap.example.com:389",
"LDAP_DOMAIN": "example.com",
"LDAP_BIND_DN": "CN=LDAPPsono,OU=UsersTech,OU=example.com,DC=example,DC=com",
"LDAP_BIND_PASS": "a_password",
"LDAP_SEARCH_USER_DN": "OU=Users,OU=example.com,DC=example,DC=com",
"LDAP_SEARCH_GROUP_DN": "OU=example.com,DC=example,DC=com",
"LDAP_ATTR_EMAIL": "mail"
}
]
TIP
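Convert between yaml and json with a local tool, or with an online converter such as onlineyamltools.com/convert-yaml-to-json; replace the bind password with a placeholder before pasting the configuration into an online service.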
# PSONO_SAML_CONFIGURATIONS
Used to overwrite the SAML_CONFIGURATIONS
parameter of the settings.yaml
, and to configure the connection to a SAML IDP e.g.
export PSONO_SAML_CONFIGURATIONS={...}
With {...}
being the json representation of the SAML_CONFIGURATIONS yaml, e.g.
{
"1": {
"idp": {
"entityId": "http://saml.example.com:8080/simplesaml/saml2/idp/metadata.php",
"singleLogoutService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"url": "http://saml.example.com:8080/simplesaml/saml2/idp/SingleLogoutService.php"
},
"singleSignOnService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"url": "http://saml.example.com:8080/simplesaml/saml2/idp/SSOService.php"
},
"x509cert": "MIIDXTCCA...==",
"groups_attribute": "eduPersonAffiliation",
"username_attribute": "email",
"email_attribute": "email",
"username_domain": "example.com",
"required_group": [
"group1"
],
"is_adfs": false,
"honor_multifactors": true,
"max_session_lifetime": 86400
},
"sp": {
"NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"assertionConsumerService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
"attributeConsumingService": {
"requestedAttributes": [
{
"attributeValue": [],
"friendlyName": "",
"isRequired": false,
"name": "asdf",
"nameFormat": ""
}
],
"serviceDescription": "Test Service",
"serviceName": "SP test"
},
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\n.\n.\n.\n-----END RSA PRIVATE KEY-----\n",
"singleLogoutService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"user_default_active": false,
"autoprovision_psono_folder": false,
"autoprovision_psono_group": false,
"x509cert": "-----BEGIN CERTIFICATE-----\n.\n.\n.\n-----END CERTIFICATE-----\n"
},
"strict": true
}
}
TIP
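Convert between yaml and json with a local tool, or with an online converter such as onlineyamltools.com/convert-yaml-to-json; replace the service provider's private key with a placeholder before pasting the configuration into an online service.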
# PSONO_OIDC_CONFIGURATIONS
Used to overwrite the OIDC_CONFIGURATIONS
parameter of the settings.yaml
, and to configure the connection to an OIDC provider e.g.
export PSONO_OIDC_CONFIGURATIONS={...}
With {...}
being the json representation of the OIDC_CONFIGURATIONS yaml, e.g.
{
"1": {
"OIDC_RP_SIGN_ALGO": "RS256",
"OIDC_RP_CLIENT_ID": "2564ebf9-3c1e-43e6-8ba9-e553d80f1000",
"OIDC_RP_CLIENT_SECRET": "b176052a-bc24-408a-94fe-163750dca482",
"OIDC_OP_JWKS_ENDPOINT": "http://oidc.example.com:8585/jwks",
"OIDC_OP_AUTHORIZATION_ENDPOINT": "http://oidc.example.com:8585/authorize",
"OIDC_OP_TOKEN_ENDPOINT": "http://oidc.example.com:8585/token",
"OIDC_OP_USER_ENDPOINT": "http://oidc.example.com:8585/userinfo",
"OIDC_OP_ENDSESSION_ENDPOINT": "http://oidc.example.com:8585/end-session",
"OIDC_ALLOWED_REDIRECT_URLS": [
"https://psono.example.com/"
],
"OIDC_GROUPS_ATTRIBUTE_DICT_GROUP_ID": "groupId"
}
}
TIP
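Convert between yaml and json with a local tool, or with an online converter such as onlineyamltools.com/convert-yaml-to-json; replace the client secret with a placeholder before pasting the configuration into an online service.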
# PSONO_LOGGING_AUDIT
Used to overwrite the LOGGING_AUDIT
parameter of the settings.yaml
, and to enable audit logging e.g.
export PSONO_LOGGING_AUDIT=True
# PSONO_LOGGING_AUDIT_WHITELIST
Used to overwrite the LOGGING_AUDIT_WHITELIST
parameter of the settings.yaml
, and to whitelist only certain events to be logged, separated by a comma e.g.
export PSONO_LOGGING_AUDIT_WHITELIST=API_KEY_LOGIN_ERROR,SAML_LOGIN_ERROR,SAML_INITIATE_LOGIN_ERROR,SAML_LOGIN_ERROR,OIDC_INITIATE_LOGIN_ERROR
# PSONO_LOGGING_AUDIT_BLACKLIST
Used to overwrite the LOGGING_AUDIT_BLACKLIST
parameter of the settings.yaml
, and to blacklist certain events so they are not logged, separated by a comma e.g.
export PSONO_LOGGING_AUDIT_BLACKLIST=CHECK_HEALTH_SUCCESS,READ_STATUS_SUCCESS
# PSONO_LOGGING_AUDIT_FOLDER
Used to overwrite the LOGGING_AUDIT_FOLDER
parameter of the settings.yaml
, and used to configure the directory for the audit log files e.g.
export PSONO_LOGGING_AUDIT_FOLDER=/var/log/psono
# PSONO_LOGGING_AUDIT_TIME
Used to overwrite the LOGGING_AUDIT_TIME
parameter of the settings.yaml
, and used to configure a different timezone for the logging. Either UTC (value time_utc
) or your server time (value time_server
) e.g.
export PSONO_LOGGING_AUDIT_TIME=time_utc
# PSONO_LOGSTASH_FORMATTER
Used to overwrite the LOGSTASH_FORMATTER
parameter of the settings.yaml
, and to specify a different formatter e.g.
export PSONO_LOGSTASH_FORMATTER=logstash_async.formatter.DjangoLogstashFormatter
# PSONO_LOGSTASH_MESSAGE_TYPE
Used to overwrite the LOGSTASH_MESSAGE_TYPE
parameter of the settings.yaml
, and to specify a different message type e.g.
export PSONO_LOGSTASH_MESSAGE_TYPE=psono:auditLog
# PSONO_LOGSTASH_EXTRA_PREFIX
Used to overwrite the LOGSTASH_EXTRA_PREFIX
parameter of the settings.yaml
, and to specify a certain prefix e.g.
export PSONO_LOGSTASH_EXTRA_PREFIX=something_
# PSONO_SPLUNK_HOST
Used to overwrite the SPLUNK_HOST
parameter of the settings.yaml
, and to specify the host of your Splunk Receiver e.g.
export PSONO_SPLUNK_HOST=splunk.example.com
# PSONO_SPLUNK_PORT
Used to overwrite the SPLUNK_PORT
parameter of the settings.yaml
, and to specify the port of your Splunk Receiver e.g.
export PSONO_SPLUNK_PORT=1234
# PSONO_SPLUNK_TOKEN
Used to overwrite the SPLUNK_TOKEN
parameter of the settings.yaml
, and to specify the generated token of your Splunk Receiver e.g.
export PSONO_SPLUNK_TOKEN=True
# PSONO_SPLUNK_INDEX
Used to overwrite the SPLUNK_INDEX
parameter of the settings.yaml
, and to specify the Splunk index that should be used e.g.
export PSONO_SPLUNK_INDEX=whatever
# PSONO_SPLUNK_VERIFY
Used to overwrite the SPLUNK_VERIFY
parameter of the settings.yaml
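, and used to enable or disable SSL verification for your Splunk transport. With verification disabled the receiver's certificate is not checked, so audit events can be intercepted on the network path; only disable it for testing, e.g.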
export PSONO_SPLUNK_VERIFY=False
# PSONO_SPLUNK_PROTOCOL
Used to overwrite the SPLUNK_PROTOCOL
parameter of the settings.yaml
, and to specify the Splunk transport mechanism e.g.
export PSONO_SPLUNK_PROTOCOL=https
# PSONO_SPLUNK_SOURCETYPE
Used to overwrite the SPLUNK_SOURCETYPE
parameter of the settings.yaml
, and to specify the source type of the entries in Splunk e.g.
export PSONO_SPLUNK_SOURCETYPE=psono:auditLog
# PSONO_LOGSTASH_HANDLER
Used to overwrite the LOGSTASH_HANDLER
parameter of the settings.yaml
, and to configure a different handler class e.g.
export PSONO_LOGSTASH_HANDLER=logstash_async.handler.SynchronousLogstashHandler
# PSONO_LOGSTASH_TRANSPORT
Used to overwrite the LOGSTASH_TRANSPORT
parameter of the settings.yaml
, and used to specify a different transport mechanism e.g.
export PSONO_LOGSTASH_TRANSPORT=logstash_async.transport.TcpTransport
# PSONO_LOGSTASH_HOST
Used to overwrite the LOGSTASH_HOST
parameter of the settings.yaml
, and to specify the logstash host e.g.
export PSONO_LOGSTASH_HOST=logstash.example.com
# PSONO_LOGSTASH_PORT
Used to overwrite the LOGSTASH_PORT
parameter of the settings.yaml
, and to specify the logstash port e.g.
export PSONO_LOGSTASH_PORT=5959
# PSONO_LOGSTASH_SSL_ENABLED
Used to overwrite the LOGSTASH_SSL_ENABLED
parameter of the settings.yaml
, and to specify whether one wants to use SSL or not e.g.
export PSONO_LOGSTASH_SSL_ENABLED=True
# PSONO_LOGSTASH_SSL_VERIFY
Used to overwrite the LOGSTASH_SSL_VERIFY
parameter of the settings.yaml
, and to specify whether to verify the certificate or not e.g.
export PSONO_LOGSTASH_SSL_VERIFY=True
# PSONO_LOGSTASH_CA_CERTS
Used to overwrite the LOGSTASH_CA_CERTS
parameter of the settings.yaml
, and to specify the path to a file containing the custom CAs e.g.
export PSONO_LOGSTASH_CA_CERTS=/etc/ssl/custom.ca
# PSONO_LOGSTASH_CERFILE
Used to overwrite the LOGSTASH_CERFILE
parameter of the settings.yaml
, and to specify the path to an own cert file e.g.
export PSONO_LOGSTASH_CERFILE=/etc/ssl/logstash.cert
# PSONO_LOGSTASH_KEYFILE
Used to overwrite the LOGSTASH_KEYFILE
parameter of the settings.yaml
, and to specify the path to an own key file e.g.
export PSONO_LOGSTASH_KEYFILE=/etc/ssl/logstash.key
# PSONO_LOGSTASH_DATABASE_PATH
Used to overwrite the LOGSTASH_DATABASE_PATH
parameter of the settings.yaml
, and to configure a custom path for the database e.g.
export PSONO_LOGSTASH_DATABASE_PATH=/logstash/database/
# Client
You can configure the client with the following parameter.
# PSONO_WEBCLIENT_CONFIG_JSON
Used to overwrite the config.json
, e.g.
export PSONO_WEBCLIENT_CONFIG_JSON={...}
With {...}
being the config.json
e.g.
{
"backend_servers": [{
"title": "Psono.pw"
}],
"allow_custom_server": true,
"allow_registration": true,
"allow_lost_password": true,
"authentication_methods": ["AUTHKEY", "LDAP"],
"more_links": [{
"href": "https://doc.psono.com/",
"title": "DOCUMENTATION",
"class": "fa-book"
},{
"href": "privacy-policy.html",
"title": "PRIVACY_POLICY",
"class": "fa-user-secret"
},{
"href": "https://www.psono.com",
"title": "ABOUT_US",
"class": "fa-info-circle"
}]
}
# Portal
You can configure the portal with the following parameter.
# PSONO_PORTAL_CONFIG_JSON
Used to overwrite the config.json
, e.g.
export PSONO_PORTAL_CONFIG_JSON={...}
With {...}
being the config.json
e.g.
{
"backend_servers": [{
"title": "Psono.pw"
}],
"allow_custom_server": true,
"allow_registration": true,
"allow_lost_password": true,
"authentication_methods": ["AUTHKEY", "LDAP"],
"more_links": [{
"href": "https://doc.psono.com/",
"title": "DOCUMENTATION",
"class": "fa-book"
},{
"href": "privacy-policy.html",
"title": "PRIVACY_POLICY",
"class": "fa-user-secret"
},{
"href": "https://www.psono.com",
"title": "ABOUT_US",
"class": "fa-info-circle"
}]
}
# Combo Images
Psono combo images come with an nginx, that glues the bundled server, client and portal together. You can use the following parameters to configure the nginx.
# NGINX_WORKER_PROCESSES
Used to configure nginx' worker_processes
parameter, defaults to 1
.
export NGINX_WORKER_PROCESSES=1
# NGINX_STRICT_TRANSPORT_SECURITY
Used to configure nginx' add_header Strict-Transport-Security
parameter, defaults to not being specified.
export NGINX_STRICT_TRANSPORT_SECURITY='"max-age=31536000; includeSubDomains" always;'
# NGINX_HEADER_REFERRER_POLICY
Used to configure nginx' add_header Referrer-Policy
parameter, defaults to same-origin
.
export NGINX_HEADER_REFERRER_POLICY=same-origin
# NGINX_HEADER_X_FRAME_OPTIONS
Used to configure nginx' add_header X-Frame-Options
parameter, defaults to DENY
.
export NGINX_HEADER_X_FRAME_OPTIONS=DENY
# NGINX_HEADER_X_CONTENT_TYPE_OPTIONS
Used to configure nginx' add_header X-Content-Type-Options
parameter, defaults to nosniff
.
export NGINX_HEADER_X_CONTENT_TYPE_OPTIONS=nosniff
# NGINX_HEADER_X_XSS_PROTECTION
Used to configure nginx' add_header X-XSS-Protection
parameter, defaults to "1; mode=block"
.
export NGINX_HEADER_X_XSS_PROTECTION='"1; mode=block"'
# NGINX_HEADER_CONTENT_SECURITY_POLICY
Used to configure nginx' add_header Content-Security-Policy
parameter, defaults to "default-src none; manifest-src self; connect-src self https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src self; img-src self www.google-analytics.com data:; script-src self www.google-analytics.com; style-src self unsafe-inline; object-src self; child-src self; form-action self"
.
export NGINX_HEADER_CONTENT_SECURITY_POLICY='"default-src \'none\'; manifest-src \'self\'; connect-src \'self\' https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src \'self\'; img-src \'self\' www.google-analytics.com data:; script-src \'self\' www.google-analytics.com; style-src \'self\' \'unsafe-inline\'; object-src \'self\'; child-src \'self\'; form-action \'self\'"'