# Environment Variables
You can actually configure Psono with environment variables instead of config files.
- Server: Required
- Server: Recommended
- Server: Other
- PSONO_DEBUG
- PSONO_DISABLED
- PSONO_MAINTENANCE_ACTIVE
- PSONO_ALLOWED_HOSTS
- PSONO_ALLOW_REGISTRATION
- PSONO_ALLOW_LOST_PASSWORD
- PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL
- PSONO_ALLOWED_SECOND_FACTORS
- PSONO_ALLOW_USER_SEARCH_BY_EMAIL
- PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
- PSONO_DUO_INTEGRATION_KEY
- PSONO_DUO_SECRET_KEY
- PSONO_DUO_API_HOSTNAME
- PSONO_DUO_PROXY_HOST
- PSONO_DUO_PROXY_PORT
- PSONO_DUO_PROXY_HEADERS
- PSONO_DUO_PROXY_TYPE
- PSONO_MULTIFACTOR_ENABLED
- PSONO_REGISTRATION_EMAIL_FILTER
- PSONO_MANAGEMENT_COMMAND_ACCESS_KEY
- PSONO_TRUSTED_IP_HEADER
- PSONO_NUM_PROXIES
- PSONO_THROTTLE_RATE_ANON
- PSONO_THROTTLE_RATE_LOGIN
- PSONO_THROTTLE_RATE_LINK_SHARE_SECRET
- PSONO_THROTTLE_RATE_PASSWORD
- PSONO_THROTTLE_RATE_USER
- PSONO_THROTTLE_RATE_HEALTH_CHECK
- PSONO_THROTTLE_RATE_STATUS_CHECK
- PSONO_THROTTLE_RATE_GA_VERIFY
- PSONO_THROTTLE_RATE_DUO_VERIFY
- PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY
- PSONO_THROTTLE_RATE_REGISTRATION
- PSONO_THROTTLE_RATE_USER_DELETE
- PSONO_THROTTLE_RATE_USER_UPDATE
- PSONO_THROTTLE_RATE_FILESERVER_ALIVE
- PSONO_THROTTLE_RATE_FILESERVER_UPLOAD
- PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
- PSONO_DATABASE_SLAVE_URL
- PSONO_DATABASES_DEFAULT_ENGINE
- PSONO_DATABASES_DEFAULT_NAME
- PSONO_DATABASES_DEFAULT_USER
- PSONO_DATABASES_DEFAULT_PASSWORD
- PSONO_DATABASES_DEFAULT_HOST
- PSONO_DATABASES_DEFAULT_PORT
- PSONO_EMAIL_FROM
- PSONO_EMAIL_HOST
- PSONO_EMAIL_HOST_USER
- PSONO_EMAIL_HOST_PASSWORD
- PSONO_EMAIL_PORT
- PSONO_EMAIL_SUBJECT_PREFIX
- PSONO_EMAIL_USE_TLS
- PSONO_EMAIL_USE_SSL
- PSONO_EMAIL_SSL_CERTFILE
- PSONO_EMAIL_SSL_KEYFILE
- PSONO_EMAIL_TIMEOUT
- PSONO_YUBIKEY_CLIENT_ID
- PSONO_YUBIKEY_SECRET_KEY
- PSONO_YUBICO_API_URLS
- PSONO_EMAIL_BACKEND
- PSONO_MAILGUN_API_URL
- PSONO_MAILGUN_ACCESS_KEY
- PSONO_MAILGUN_SERVER_NAME
- PSONO_MAILJET_API_KEY
- PSONO_MAILJET_SECRET_KEY
- PSONO_MAILJET_API_URL
- PSONO_MANDRILL_API_KEY
- PSONO_MANDRILL_API_URL
- PSONO_POSTMARK_SERVER_TOKEN
- PSONO_POSTMARK_API_URL
- PSONO_SENDGRID_API_KEY
- PSONO_SENDGRID_API_URL
- PSONO_SENDINBLUE_API_KEY
- PSONO_SENDINBLUE_API_URL
- PSONO_SPARKPOST_API_KEY
- PSONO_SPARKPOST_API_URL
- PSONO_IGNORE_UNSUPPORTED_FEATURES
- PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
- PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
- PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME
- PSONO_HEALTHCHECK_TIME_SYNC_ENABLED
- PSONO_CACHE_ENABLE
- PSONO_CACHE_DB
- PSONO_CACHE_REDIS
- PSONO_CACHE_REDIS_LOCATION
- PSONO_THROTTLING
- PSONO_DISABLE_LAST_PASSWORDS
- PSONO_MANAGEMENT_ENABLED
- PSONO_FILESERVER_HANDLER_ENABLED
- PSONO_FILES_ENABLED
- PSONO_ACTIVATION_LINK_TIME_VALID
- PSONO_DEFAULT_TOKEN_TIME_VALID
- PSONO_MAX_WEB_TOKEN_TIME_VALID
- PSONO_MAX_APP_TOKEN_TIME_VALID
- PSONO_MAX_API_KEY_TOKEN_TIME_VALID
- PSONO_RECOVERY_VERIFIER_TIME_VALID
- PSONO_REPLAY_PROTECTION_DISABLED
- PSONO_DEVICE_PROTECTION_DISABLED
- PSONO_REPLAY_PROTECTION_TIME_DFFERENCE
- PSONO_DISABLE_CALLBACKS
- PSONO_DISABLE_CENTRAL_SECURITY_REPORTS
- PSONO_ALLOWED_CALLBACK_URL_PREFIX
- PSONO_ALLOWED_FILE_REPOSITORY_TYPES
- PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
- PSONO_ALLOW_MULTIPLE_SESSIONS
- PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID
- PSONO_SECURE_PROXY_SSL_HEADER
- PSONO_TIME_SERVER
- PSONO_AUTHENTICATION_METHODS
- PSONO_SENTRY_DSN
- PSONO_SENTRY_ENVIRONMENT
- Server: UWSGI
- Server: Enterprise Edition only
- PSONO_LICENSE_CODE
- PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
- PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
- PSONO_COMPLIANCE_ENFORCE_2FA
- PSONO_COMPLIANCE_DISABLE_EXPORT
- PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS
- PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT
- PSONO_COMPLIANCE_DISABLE_API_KEYS
- PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES
- PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES
- PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES
- PSONO_COMPLIANCE_DISABLE_LINK_SHARES
- PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE
- PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
- PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
- PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
- PSONO_LDAPGATEWAY_TIMEOUT
- PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS
- PSONO_LDAPGATEWAY
- PSONO_LDAP
- PSONO_SAML_CONFIGURATIONS
- PSONO_OIDC_CONFIGURATIONS
- PSONO_LOGGING_AUDIT
- PSONO_LOGGING_AUDIT_WHITELIST
- PSONO_LOGGING_AUDIT_BLACKLIST
- PSONO_LOGGING_AUDIT_FOLDER
- PSONO_LOGGING_AUDIT_TIME
- PSONO_LOGSTASH_FORMATTER
- PSONO_LOGSTASH_MESSAGE_TYPE
- PSONO_LOGSTASH_EXTRA_PREFIX
- PSONO_SPLUNK_HOST
- PSONO_SPLUNK_PORT
- PSONO_SPLUNK_TOKEN
- PSONO_SPLUNK_INDEX
- PSONO_SPLUNK_VERIFY
- PSONO_SPLUNK_PROTOCOL
- PSONO_SPLUNK_SOURCETYPE
- PSONO_LOGSTASH_HANDLER
- PSONO_LOGSTASH_TRANSPORT
- PSONO_LOGSTASH_HOST
- PSONO_LOGSTASH_PORT
- PSONO_LOGSTASH_SSL_ENABLED
- PSONO_LOGSTASH_SSL_VERIFY
- PSONO_LOGSTASH_CA_CERTS
- PSONO_LOGSTASH_CERFILE
- PSONO_LOGSTASH_KEYFILE
- PSONO_LOGSTASH_DATABASE_PATH
- Client
- Portal
- Combo Images
# Server: Required
All these parameters need to be configured either through the settings.yaml
or as environment variables.
# PSONO_SECRET_KEY
*
Used to overwrite the SECRET_KEY
parameter of the settings.yaml
, e.g.
export PSONO_SECRET_KEY=jrgwvgCRPGJeOi9xcFIlfpVL09EZdIkrAJqQIUvTVtB3BO9gsuWi32Ie3VfKtaCk
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_PRIVATE_KEY
*
Used to overwrite the PRIVATE_KEY
parameter of the settings.yaml
, e.g.
export PSONO_PRIVATE_KEY=5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd
WARNING
This parameter needs to be generated together with the PUBLIC_KEY
by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_PUBLIC_KEY
*
Used to overwrite the PUBLIC_KEY
parameter of the settings.yaml
, e.g.
export PSONO_PUBLIC_KEY=141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622
WARNING
This parameter needs to be generated together with the PRIVATE_KEY
by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server.
# PSONO_ACTIVATION_LINK_SECRET
*
Used to overwrite the ACTIVATION_LINK_SECRET
parameter of the settings.yaml
, which is used to generate the "activation links" whenever a user registers e.g.
export PSONO_ACTIVATION_LINK_SECRET=6kkvvTaPisiHMaLFHRPFjCztjByY8LINkxkhBHmj4FpIEk1kdY9aGIR7xulcs6ij
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
# PSONO_DB_SECRET
*
Used to overwrite the DB_SECRET
parameter of the settings.yaml
, and is used to encrypt the data in the database e.g.
export PSONO_DB_SECRET=True
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server. The value True in the example above is only a placeholder; set the generated secret instead.
# PSONO_EMAIL_SECRET_SALT
*
Used to overwrite the EMAIL_SECRET_SALT
parameter of the settings.yaml
, and used to store a hash of the email address in the database to prevent duplicates e.g.
export PSONO_EMAIL_SECRET_SALT=True
WARNING
This parameter needs to be generated by ./psono/manage.py generateserverkeys
and may never change during the lifetime of a server. The value True in the example above is only a placeholder; set the generated salt instead.
# PSONO_HOST_URL
*
Used to overwrite the HOST_URL
parameter of the settings.yaml
, the url of the server itself e.g.
export PSONO_HOST_URL=https://psono.example.com/server
# PSONO_DATABASE_URL
*
Used to overwrite the DATABASE_URL
parameter of the settings.yaml
, and to connect the Psono server to your database e.g.
export PSONO_DATABASE_URL=postgres://myuser:mypassword@192.168.0.5:5432/mydatabase
or for unix domain socket paths
export PSONO_DATABASE_URL=postgres://%2Fvar%2Flib%2Fpostgresql/mydatabase
WARNING
If you want to specify the host, username and so on separately, you can do so with the optional database parameters listed below.
# Server: Recommended
# PSONO_WEB_CLIENT_URL
Used to overwrite the WEB_CLIENT_URL
parameter of the settings.yaml
, and to specify the location of the webclient e.g.
export PSONO_WEB_CLIENT_URL=https://psono.example.com
# PSONO_ALLOWED_DOMAINS
Used to overwrite the ALLOWED_DOMAINS
parameter of the settings.yaml
as a comma separated list of the domains that you allow as username suffix e.g.
export PSONO_ALLOWED_DOMAINS=example.com,something.else.com
# Server: Other
# PSONO_DEBUG
Used to overwrite the DEBUG
parameter of the settings.yaml
and enables the debug mode (leave it disabled on production systems, since debug output can expose internal details), e.g.
export PSONO_DEBUG=True
# PSONO_DISABLED
Used to overwrite the DISABLED
parameter of the settings.yaml
and disables the server, e.g.
export PSONO_DISABLED=True
# PSONO_MAINTENANCE_ACTIVE
Used to overwrite the MAINTENANCE_ACTIVE
parameter of the settings.yaml
and enables the maintenance mode, e.g.
export PSONO_MAINTENANCE_ACTIVE=True
# PSONO_ALLOWED_HOSTS
Used to overwrite the ALLOWED_HOSTS
parameter of the settings.yaml
as a comma separated list, e.g.
export PSONO_ALLOWED_HOSTS=a.example.com,something.else.com
# PSONO_ALLOW_REGISTRATION
Used to overwrite the ALLOW_REGISTRATION
parameter of the settings.yaml
, and to allow or disable the registration (True allows it, False disables it) e.g.
export PSONO_ALLOW_REGISTRATION=True
# PSONO_ALLOW_LOST_PASSWORD
Used to overwrite the ALLOW_LOST_PASSWORD
parameter of the settings.yaml
, and to allow or disable the password recovery mechanism (True allows it, False disables it) e.g.
export PSONO_ALLOW_LOST_PASSWORD=True
# PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL
Used to overwrite the ENFORCE_MATCHING_USERNAME_AND_EMAIL
parameter of the settings.yaml
, and enforces matching username and emails e.g.
export PSONO_ENFORCE_MATCHING_USERNAME_AND_EMAIL=True
# PSONO_ALLOWED_SECOND_FACTORS
Used to overwrite the ALLOWED_SECOND_FACTORS
parameter of the settings.yaml
, and restricts the possible options for second factors e.g.
export PSONO_ALLOWED_SECOND_FACTORS=yubikey_otp,google_authenticator,duo
# PSONO_ALLOW_USER_SEARCH_BY_EMAIL
Used to overwrite the ALLOW_USER_SEARCH_BY_EMAIL
parameter of the settings.yaml
, and allows users to search other users by their email address e.g.
export PSONO_ALLOW_USER_SEARCH_BY_EMAIL=True
# PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
Used to overwrite the ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL
parameter of the settings.yaml
, and allows users to search other users by partial usernames e.g.
export PSONO_ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL=True
# PSONO_DUO_INTEGRATION_KEY
Used to overwrite the DUO_INTEGRATION_KEY
parameter of the settings.yaml
, the duo integration key e.g.
export PSONO_DUO_INTEGRATION_KEY=DI785965869BJHGKZ
# PSONO_DUO_SECRET_KEY
Used to overwrite the DUO_SECRET_KEY
parameter of the settings.yaml
, the duo secret key e.g.
export PSONO_DUO_SECRET_KEY=8ho7IZK7jioi7joi7glZBJKmhnz
# PSONO_DUO_API_HOSTNAME
Used to overwrite the DUO_API_HOSTNAME
parameter of the settings.yaml
, the duo api hostname e.g.
export PSONO_DUO_API_HOSTNAME=api-abcd1234.duosecurity.com
# PSONO_DUO_PROXY_HOST
Used to overwrite the DUO_PROXY_HOST
parameter of the settings.yaml
, the duo proxy host e.g.
export PSONO_DUO_PROXY_HOST=duoproxy.example.com
# PSONO_DUO_PROXY_PORT
Used to overwrite the DUO_PROXY_PORT
parameter of the settings.yaml
, the port of the duo proxy e.g.
export PSONO_DUO_PROXY_PORT=45612
# PSONO_DUO_PROXY_HEADERS
Used to overwrite the DUO_PROXY_HEADERS
parameter of the settings.yaml
, all headers for the duo proxy e.g.
export PSONO_DUO_PROXY_HEADERS=True
# PSONO_DUO_PROXY_TYPE
Used to overwrite the DUO_PROXY_TYPE
parameter of the settings.yaml
, the type of the proxy, by default CONNECT e.g.
export PSONO_DUO_PROXY_TYPE=CONNECT
# PSONO_MULTIFACTOR_ENABLED
Used to overwrite the MULTIFACTOR_ENABLED
parameter of the settings.yaml
, and to enforce multifactor (all second factors need to be solved) e.g.
export PSONO_MULTIFACTOR_ENABLED=True
# PSONO_REGISTRATION_EMAIL_FILTER
Used to overwrite the REGISTRATION_EMAIL_FILTER
parameter of the settings.yaml
, and to enforce that only certain email addresses can register separated by comma e.g.
export PSONO_REGISTRATION_EMAIL_FILTER=googlemail.com,gmail.com
# PSONO_MANAGEMENT_COMMAND_ACCESS_KEY
Used to overwrite the MANAGEMENT_COMMAND_ACCESS_KEY
parameter of the settings.yaml
, the authentication parameter for remote management commands e.g.
export PSONO_MANAGEMENT_COMMAND_ACCESS_KEY=kjzunI6789BJKNzbjnmnftbvhKJHUzjnk
# PSONO_TRUSTED_IP_HEADER
Used to overwrite the TRUSTED_IP_HEADER
parameter of the settings.yaml
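, a header that, if specified and passed through, is trusted to contain the correct IP of the client. Only set it when a proxy in front of the server always sets or overwrites this header; otherwise a client could supply its own value and it would be trusted, e.g.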
export PSONO_TRUSTED_IP_HEADER=HTTP_CF_CONNECTING_IP
# PSONO_NUM_PROXIES
Used to overwrite the NUM_PROXIES
parameter of the settings.yaml
, the number of proxies in front of the server, needed to parse the HTTP_X_FORWARDED_FOR header properly e.g.
export PSONO_NUM_PROXIES=3
# PSONO_THROTTLE_RATE_ANON
Used to overwrite the THROTTLE_RATE_ANON
parameter of the settings.yaml
, and to specify the throttle rate for anonymous access e.g.
export PSONO_THROTTLE_RATE_ANON=1440/day
# PSONO_THROTTLE_RATE_LOGIN
Used to overwrite the THROTTLE_RATE_LOGIN
parameter of the settings.yaml
, and to specify the throttle rate for login requests e.g.
export PSONO_THROTTLE_RATE_LOGIN=48/day
# PSONO_THROTTLE_RATE_LINK_SHARE_SECRET
Used to overwrite the THROTTLE_RATE_LINK_SHARE_SECRET
parameter of the settings.yaml
, and to specify the throttle rate for link share access e.g.
export PSONO_THROTTLE_RATE_LINK_SHARE_SECRET=60/hour
# PSONO_THROTTLE_RATE_PASSWORD
Used to overwrite the THROTTLE_RATE_PASSWORD
parameter of the settings.yaml
, and to specify the throttle rate for password resets e.g.
export PSONO_THROTTLE_RATE_PASSWORD=24/day
# PSONO_THROTTLE_RATE_USER
Used to overwrite the THROTTLE_RATE_USER
parameter of the settings.yaml
, and to specify the throttle rate for all general authenticated requests e.g.
export PSONO_THROTTLE_RATE_USER=86400/day
# PSONO_THROTTLE_RATE_HEALTH_CHECK
Used to overwrite the THROTTLE_RATE_HEALTH_CHECK
parameter of the settings.yaml
, and to specify the throttle rate for requests to the health check endpoint e.g.
export PSONO_THROTTLE_RATE_HEALTH_CHECK=61/hour
# PSONO_THROTTLE_RATE_STATUS_CHECK
Used to overwrite the THROTTLE_RATE_STATUS_CHECK
parameter of the settings.yaml
, and to specify the throttle rate for requests to the status endpoint e.g.
export PSONO_THROTTLE_RATE_STATUS_CHECK=6/minute
# PSONO_THROTTLE_RATE_GA_VERIFY
Used to overwrite the THROTTLE_RATE_GA_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a Google Authenticator second factor challenge e.g.
export PSONO_THROTTLE_RATE_GA_VERIFY=6/minute
# PSONO_THROTTLE_RATE_DUO_VERIFY
Used to overwrite the THROTTLE_RATE_DUO_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a DUO second factor challenge e.g.
export PSONO_THROTTLE_RATE_DUO_VERIFY=6/minute
# PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY
Used to overwrite the THROTTLE_RATE_YUBIKEY_OTP_VERIFY
parameter of the settings.yaml
, and to specify the throttle rate how often a user can try to solve a YubiKey second factor challenge e.g.
export PSONO_THROTTLE_RATE_YUBIKEY_OTP_VERIFY=6/minute
# PSONO_THROTTLE_RATE_REGISTRATION
Used to overwrite the THROTTLE_RATE_REGISTRATION
parameter of the settings.yaml
, and to specify how often someone can try to register e.g.
export PSONO_THROTTLE_RATE_REGISTRATION=20/day
# PSONO_THROTTLE_RATE_USER_DELETE
Used to overwrite the THROTTLE_RATE_USER_DELETE
parameter of the settings.yaml
, and to specify how often someone can try to delete his account e.g.
export PSONO_THROTTLE_RATE_USER_DELETE=20/day
# PSONO_THROTTLE_RATE_USER_UPDATE
Used to overwrite the THROTTLE_RATE_USER_UPDATE
parameter of the settings.yaml
, and to specify how often someone can try to update his account e.g.
export PSONO_THROTTLE_RATE_USER_UPDATE=20/day
# PSONO_THROTTLE_RATE_FILESERVER_ALIVE
Used to overwrite the THROTTLE_RATE_FILESERVER_ALIVE
parameter of the settings.yaml
, and to specify how often a fileserver can announce it being alive e.g.
export PSONO_THROTTLE_RATE_FILESERVER_ALIVE=61/minute
# PSONO_THROTTLE_RATE_FILESERVER_UPLOAD
Used to overwrite the THROTTLE_RATE_FILESERVER_UPLOAD
parameter of the settings.yaml
, and to specify how often a fileserver can announce fileuploads e.g.
export PSONO_THROTTLE_RATE_FILESERVER_UPLOAD=10000/minute
# PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
Used to overwrite the THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD
parameter of the settings.yaml
, and to specify how often a fileserver can announce file downloads e.g.
export PSONO_THROTTLE_RATE_RATE_FILESERVER_DOWNLOAD=10000/minute
# PSONO_DATABASE_SLAVE_URL
Used to overwrite the DATABASE_SLAVE_URL
parameter of the settings.yaml
, and to configure a postgres instance that will be used as read slave e.g.
export PSONO_DATABASE_SLAVE_URL=postgres://myuser:mypassword@192.168.0.6:5432/mydatabase
# PSONO_DATABASES_DEFAULT_ENGINE
Used to overwrite the DATABASES_DEFAULT_ENGINE
parameter of the settings.yaml
, and to specify a different database engine e.g.
export PSONO_DATABASES_DEFAULT_ENGINE=django.db.backends.postgresql_psycopg2
# PSONO_DATABASES_DEFAULT_NAME
Used to overwrite the DATABASES_DEFAULT_NAME
parameter of the settings.yaml
, and to specify a database name e.g.
export PSONO_DATABASES_DEFAULT_NAME=mypostgresdatabase
# PSONO_DATABASES_DEFAULT_USER
Used to overwrite the DATABASES_DEFAULT_USER
parameter of the settings.yaml
, and to specify the username used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_USER=mypostgresusername
# PSONO_DATABASES_DEFAULT_PASSWORD
Used to overwrite the DATABASES_DEFAULT_PASSWORD
parameter of the settings.yaml
, and to specify the password used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_PASSWORD=mypostgrespassword
# PSONO_DATABASES_DEFAULT_HOST
Used to overwrite the DATABASES_DEFAULT_HOST
parameter of the settings.yaml
, and to specify the host used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_HOST=192.168.10
# PSONO_DATABASES_DEFAULT_PORT
Used to overwrite the DATABASES_DEFAULT_PORT
parameter of the settings.yaml
, and to specify the port used to connect to the database e.g.
export PSONO_DATABASES_DEFAULT_PORT=5432
# PSONO_EMAIL_FROM
Used to overwrite the EMAIL_FROM
parameter of the settings.yaml
, and to specify the email address that is used to send emails e.g.
export PSONO_EMAIL_FROM=something@example.com
# PSONO_EMAIL_HOST
Used to overwrite the EMAIL_HOST
parameter of the settings.yaml
, and to configure the host used to connect to your email server e.g.
export PSONO_EMAIL_HOST=192.168.0.5
# PSONO_EMAIL_HOST_USER
Used to overwrite the EMAIL_HOST_USER
parameter of the settings.yaml
, and to configure the user used to connect to your email server e.g.
export PSONO_EMAIL_HOST_USER=myemailuser
# PSONO_EMAIL_HOST_PASSWORD
Used to overwrite the EMAIL_HOST_PASSWORD
parameter of the settings.yaml
, and to configure the password used to connect to your email server e.g.
export PSONO_EMAIL_HOST_PASSWORD=myemailpassword
# PSONO_EMAIL_PORT
Used to overwrite the EMAIL_PORT
parameter of the settings.yaml
, and to configure the port used to connect to your email server e.g.
export PSONO_EMAIL_PORT=25
# PSONO_EMAIL_SUBJECT_PREFIX
Used to overwrite the EMAIL_SUBJECT_PREFIX
parameter of the settings.yaml
, and to configure a certain prefix being shown in the subject of all emails e.g.
export PSONO_EMAIL_SUBJECT_PREFIX=True
# PSONO_EMAIL_USE_TLS
Used to overwrite the EMAIL_USE_TLS
parameter of the settings.yaml
, and to specify whether to use TLS or not e.g.
export PSONO_EMAIL_USE_TLS=True
TIP
EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.
# PSONO_EMAIL_USE_SSL
Used to overwrite the EMAIL_USE_SSL
parameter of the settings.yaml
, and to specify whether to use SSL or not e.g.
export PSONO_EMAIL_USE_SSL=True
TIP
EMAIL_USE_TLS/EMAIL_USE_SSL are mutually exclusive, so only set one of those settings to True.
# PSONO_EMAIL_SSL_CERTFILE
Used to overwrite the EMAIL_SSL_CERTFILE
parameter of the settings.yaml
, and to specify a path to a certificate file used to authenticate with your email host e.g.
export PSONO_EMAIL_SSL_CERTFILE=/etc/ssl/email.crt
# PSONO_EMAIL_SSL_KEYFILE
Used to overwrite the EMAIL_SSL_KEYFILE
parameter of the settings.yaml
, and to specify a path to a key used to authenticate with your email host e.g.
export PSONO_EMAIL_SSL_KEYFILE=/etc/ssl/email.key
# PSONO_EMAIL_TIMEOUT
Used to overwrite the EMAIL_TIMEOUT
parameter of the settings.yaml
, and to specify a timeout for requests to your email server e.g.
export PSONO_EMAIL_TIMEOUT=10
# PSONO_YUBIKEY_CLIENT_ID
Used to overwrite the YUBIKEY_CLIENT_ID
parameter of the settings.yaml
, and to configure the required Client ID for YubiKey verification which can be obtained here upgrade.yubico.com/getapikey/ e.g.
export PSONO_YUBIKEY_CLIENT_ID=121334
# PSONO_YUBIKEY_SECRET_KEY
Used to overwrite the YUBIKEY_SECRET_KEY
parameter of the settings.yaml
, and to configure the required secret key for YubiKey verification which can be obtained here upgrade.yubico.com/getapikey/ e.g.
export PSONO_YUBIKEY_SECRET_KEY=abcd
# PSONO_YUBICO_API_URLS
Used to overwrite the YUBICO_API_URLS
parameter of the settings.yaml
, and to specify urls to own yubico API servers, separated by a comma e.g.
export PSONO_YUBICO_API_URLS=https://yubico1.example.com,https://yubico2.example.com
# PSONO_EMAIL_BACKEND
Used to overwrite the EMAIL_BACKEND
parameter of the settings.yaml
, and to change the backend used for emails e.g.
export PSONO_EMAIL_BACKEND=django.core.mail.backends.smtp.EmailBackend
# PSONO_MAILGUN_API_URL
Used to overwrite the MAILGUN_API_URL
parameter of the settings.yaml
, and to specify the mailgun api url e.g.
export PSONO_MAILGUN_API_URL=https://api.eu.mailgun.net/v3
# PSONO_MAILGUN_ACCESS_KEY
Used to overwrite the MAILGUN_ACCESS_KEY
parameter of the settings.yaml
, and to specify the mailgun access key e.g.
export PSONO_MAILGUN_ACCESS_KEY=jkhhklbjkzuzbjkbjkz
# PSONO_MAILGUN_SERVER_NAME
Used to overwrite the MAILGUN_SERVER_NAME
parameter of the settings.yaml
, and to specify the mailgun server name e.g.
export PSONO_MAILGUN_SERVER_NAME=example.com
# PSONO_MAILJET_API_KEY
Used to overwrite the MAILJET_API_KEY
parameter of the settings.yaml
, and to specify the mailjet api key e.g.
export PSONO_MAILJET_API_KEY=Trhuklhuklhuklhkukhublue
# PSONO_MAILJET_SECRET_KEY
Used to overwrite the MAILJET_SECRET_KEY
parameter of the settings.yaml
, and to specify the mailjet api secret e.g.
export PSONO_MAILJET_SECRET_KEY=hfrgdtes3xwtdt4edh4tghdge
# PSONO_MAILJET_API_URL
Used to overwrite the MAILJET_API_URL
parameter of the settings.yaml
, and to specify the mailjet api url e.g.
export PSONO_MAILJET_API_URL=https://api.mailjet.com/v3
# PSONO_MANDRILL_API_KEY
Used to overwrite the MANDRILL_API_KEY
parameter of the settings.yaml
, and to specify the mandrill api key e.g.
export PSONO_MANDRILL_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_MANDRILL_API_URL
Used to overwrite the MANDRILL_API_URL
parameter of the settings.yaml
, and to specify the mandrill api url e.g.
export PSONO_MANDRILL_API_URL=https://mandrillapp.com/api/1.0
# PSONO_POSTMARK_SERVER_TOKEN
Used to overwrite the POSTMARK_SERVER_TOKEN
parameter of the settings.yaml
, and to specify the postmark server token e.g.
export PSONO_POSTMARK_SERVER_TOKEN=fdhbdfdfbdfbdfgfgd
# PSONO_POSTMARK_API_URL
Used to overwrite the POSTMARK_API_URL
parameter of the settings.yaml
, and to specify the postmark api url e.g.
export PSONO_POSTMARK_API_URL=https://api.postmarkapp.com/
# PSONO_SENDGRID_API_KEY
Used to overwrite the SENDGRID_API_KEY
parameter of the settings.yaml
, and to specify the sendgrid api key e.g.
export PSONO_SENDGRID_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SENDGRID_API_URL
Used to overwrite the SENDGRID_API_URL
parameter of the settings.yaml
, and to specify the sendgrid api url e.g.
export PSONO_SENDGRID_API_URL=https://api.sendgrid.com/v3/
# PSONO_SENDINBLUE_API_KEY
Used to overwrite the SENDINBLUE_API_KEY
parameter of the settings.yaml
, and to specify the sendinblue api key e.g.
export PSONO_SENDINBLUE_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SENDINBLUE_API_URL
Used to overwrite the SENDINBLUE_API_URL
parameter of the settings.yaml
, and to specify the sendinblue api url e.g.
export PSONO_SENDINBLUE_API_URL=https://api.sendinblue.com/v3/
# PSONO_SPARKPOST_API_KEY
Used to overwrite the SPARKPOST_API_KEY
parameter of the settings.yaml
, and to specify the sparkpost api key e.g.
export PSONO_SPARKPOST_API_KEY=fdhbdfdfbdfbdfgfgd
# PSONO_SPARKPOST_API_URL
Used to overwrite the SPARKPOST_API_URL
parameter of the settings.yaml
, and to specify the sparkpost api url e.g.
export PSONO_SPARKPOST_API_URL=https://api.eu.sparkpost.com/api/v1
# PSONO_IGNORE_UNSUPPORTED_FEATURES
Used to overwrite the IGNORE_UNSUPPORTED_FEATURES
parameter of the settings.yaml
, and to ignore unsupported features in email delivery with certain providers e.g.
export PSONO_IGNORE_UNSUPPORTED_FEATURES=True
# PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID
parameter of the settings.yaml
, and to configure the access key id for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_ACCESS_KEY_ID=dthdhtdhtsrgdsrgrg
# PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY
parameter of the settings.yaml
, and to configure the secret access key for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_SECRET_ACCESS_KEY=dfdfhgdrgdrgrgddhrtg
# PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME
Used to overwrite the AMAZON_SES_CLIENT_PARAMS_REGION_NAME
parameter of the settings.yaml
, and to configure the region for Amazon SES e.g.
export PSONO_AMAZON_SES_CLIENT_PARAMS_REGION_NAME=us-west-2
# PSONO_HEALTHCHECK_TIME_SYNC_ENABLED
Used to overwrite the HEALTHCHECK_TIME_SYNC_ENABLED
parameter of the settings.yaml
, and to disable the healthcheck for the time sync e.g.
export PSONO_HEALTHCHECK_TIME_SYNC_ENABLED=False
# PSONO_CACHE_ENABLE
Used to overwrite the CACHE_ENABLE
parameter of the settings.yaml
, and to enable caching e.g.
export PSONO_CACHE_ENABLE=True
# PSONO_CACHE_DB
Used to overwrite the CACHE_DB
parameter of the settings.yaml
, and to specify the DB as central cache e.g.
export PSONO_CACHE_DB=True
# PSONO_CACHE_REDIS
Used to overwrite the CACHE_REDIS
parameter of the settings.yaml
, and to specify redis as central cache e.g.
export PSONO_CACHE_REDIS=True
# PSONO_CACHE_REDIS_LOCATION
Used to overwrite the CACHE_REDIS_LOCATION
parameter of the settings.yaml
, and to specify the redis host, port and database for caching e.g.
export PSONO_CACHE_REDIS_LOCATION=redis://localhost:6379/0
# PSONO_THROTTLING
Used to overwrite the THROTTLING
parameter of the settings.yaml
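, and disables all rate limits when set to False (the rate limits also cover login and second factor verification attempts, so leave throttling enabled on production systems) e.g.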
export PSONO_THROTTLING=False
# PSONO_DISABLE_LAST_PASSWORDS
Used to overwrite the DISABLE_LAST_PASSWORDS
parameter of the settings.yaml
, and to prevent the user from reusing the last X passwords e.g.
export PSONO_DISABLE_LAST_PASSWORDS=5
# PSONO_MANAGEMENT_ENABLED
Used to overwrite the MANAGEMENT_ENABLED
parameter of the settings.yaml
, and to enable the management API required for the portal e.g.
export PSONO_MANAGEMENT_ENABLED=True
# PSONO_FILESERVER_HANDLER_ENABLED
Used to overwrite the FILESERVER_HANDLER_ENABLED
parameter of the settings.yaml
, and to enable the fileserver API required for fileservers e.g.
export PSONO_FILESERVER_HANDLER_ENABLED=True
# PSONO_FILES_ENABLED
Used to overwrite the FILES_ENABLED
parameter of the settings.yaml
, and to disable the file upload e.g.
export PSONO_FILES_ENABLED=False
# PSONO_ACTIVATION_LINK_TIME_VALID
Used to overwrite the ACTIVATION_LINK_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that an activation link is valid before expiration e.g.
export PSONO_ACTIVATION_LINK_TIME_VALID=2592000
# PSONO_DEFAULT_TOKEN_TIME_VALID
Used to overwrite the DEFAULT_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session is valid before expiration e.g.
export PSONO_DEFAULT_TOKEN_TIME_VALID=86400
# PSONO_MAX_WEB_TOKEN_TIME_VALID
Used to overwrite the MAX_WEB_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of a webclient is valid before expiration e.g.
export PSONO_MAX_WEB_TOKEN_TIME_VALID=2592000
# PSONO_MAX_APP_TOKEN_TIME_VALID
Used to overwrite the MAX_APP_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of an app is valid before expiration e.g.
export PSONO_MAX_APP_TOKEN_TIME_VALID=31536000
# PSONO_MAX_API_KEY_TOKEN_TIME_VALID
Used to overwrite the MAX_API_KEY_TOKEN_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a session of an API key is valid before expiration e.g.
export PSONO_MAX_API_KEY_TOKEN_TIME_VALID=600
# PSONO_RECOVERY_VERIFIER_TIME_VALID
Used to overwrite the RECOVERY_VERIFIER_TIME_VALID
parameter of the settings.yaml
, and to specify a time in seconds that a verification challenge needs to be solved before expiration e.g.
export PSONO_RECOVERY_VERIFIER_TIME_VALID=600
# PSONO_REPLAY_PROTECTION_DISABLED
Used to overwrite the REPLAY_PROTECTION_DISABLED
parameter of the settings.yaml
, and to disable the replay protection e.g.
export PSONO_REPLAY_PROTECTION_DISABLED=True
# PSONO_DEVICE_PROTECTION_DISABLED
Used to overwrite the DEVICE_PROTECTION_DISABLED
parameter of the settings.yaml
, and to disable the device protection e.g.
export PSONO_DEVICE_PROTECTION_DISABLED=True
# PSONO_REPLAY_PROTECTION_TIME_DFFERENCE
Used to overwrite the REPLAY_PROTECTION_TIME_DFFERENCE
parameter of the settings.yaml
, and to configure a time in seconds for time differences on the device e.g.
export PSONO_REPLAY_PROTECTION_TIME_DFFERENCE=True
# PSONO_DISABLE_CALLBACKS
Used to overwrite the DISABLE_CALLBACKS
parameter of the settings.yaml
, and to enable or disable callbacks e.g.
export PSONO_DISABLE_CALLBACKS=False
WARNING
The use of callbacks might allow attackers to execute an SSRF attack. Before you enable callbacks you should either isolate
the system at the network level or use ALLOWED_CALLBACK_URL_PREFIX
to whitelist possible targets for callbacks.
# PSONO_DISABLE_CENTRAL_SECURITY_REPORTS
Used to overwrite the DISABLE_CENTRAL_SECURITY_REPORTS
parameter of the settings.yaml
, and to disable central security reports e.g.
export PSONO_DISABLE_CENTRAL_SECURITY_REPORTS=True
# PSONO_ALLOWED_CALLBACK_URL_PREFIX
Used to overwrite the ALLOWED_CALLBACK_URL_PREFIX
parameter of the settings.yaml
, and to whitelist certain URL prefixes to receive callbacks e.g.
export PSONO_ALLOWED_CALLBACK_URL_PREFIX=https://example.com/path,http://test.example.com
# PSONO_ALLOWED_FILE_REPOSITORY_TYPES
Used to overwrite the ALLOWED_FILE_REPOSITORY_TYPES
parameter of the settings.yaml
, and to limit the allowed file repository providers e.g.
export PSONO_ALLOWED_FILE_REPOSITORY_TYPES=azure_blob,gcp_cloud_storage,aws_s3,do_spaces,backblaze,other_s3
WARNING
If you allow "Other S3 Compatible" file repositories (other_s3
), you should use ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
to limit the potential targets,
otherwise this may lead to the possibility of SSRF attacks.
# PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
Used to overwrite the ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX
parameter of the settings.yaml
, and to limit the target for "Other S3 compatible" file repositories e.g.
export PSONO_ALLOWED_OTHER_S3_ENDPOINT_URL_PREFIX=https://s3.example.com/path,https://others3.example.com
# PSONO_ALLOW_MULTIPLE_SESSIONS
Used to overwrite the ALLOW_MULTIPLE_SESSIONS
parameter of the settings.yaml
, and to prevent multiple sessions e.g.
export PSONO_ALLOW_MULTIPLE_SESSIONS=False
# PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID
Used to overwrite the AUTO_PROLONGATION_TOKEN_TIME_VALID
parameter of the settings.yaml
, and configure the time that a session is prolonged upon activity e.g.
export PSONO_AUTO_PROLONGATION_TOKEN_TIME_VALID=True
# PSONO_SECURE_PROXY_SSL_HEADER
Used to overwrite the SECURE_PROXY_SSL_HEADER
parameter of the settings.yaml
, and to specify Django's SECURE_PROXY_SSL_HEADER
e.g.
export PSONO_SECURE_PROXY_SSL_HEADER=HTTP_X_FORWARDED_PROTO,https
More information can be found at docs.djangoproject.com/en/3.2/ref/settings/
# PSONO_TIME_SERVER
Used to overwrite the TIME_SERVER
parameter of the settings.yaml
, and to configure your own time server that should be used for the time health check e.g.
export PSONO_TIME_SERVER=time.example.com
# PSONO_AUTHENTICATION_METHODS
Used to overwrite the AUTHENTICATION_METHODS
parameter of the settings.yaml
, and to specify the list of allowed authentication methods separated by a comma e.g.
export PSONO_AUTHENTICATION_METHODS=LDAP,SAML,AUTHKEY,OIDC
# PSONO_SENTRY_DSN
Used to overwrite the SENTRY_DSN
parameter of the settings.yaml
, and to configure the DSN parameter of sentry e.g.
export PSONO_SENTRY_DSN=https://...
# PSONO_SENTRY_ENVIRONMENT
Used to overwrite the SENTRY_ENVIRONMENT
parameter of the settings.yaml
, and to configure the environment parameter of sentry e.g.
export PSONO_SENTRY_ENVIRONMENT=production
# Server: UWSGI
Psono's server component is a python application that runs with UWSGI which can be configured if necessary.
# UWSGI_PORT
Used to specify the UWSGI port, by default 80 e.g.
export UWSGI_PORT=80
# UWSGI_PROCESSES
Used to specify the number of processes that UWSGI spawns to handle requests. A smaller number can be favorable if you have fewer resources, or a higher number if you have more than 4 cores. By default 10. Rule of thumb: 2 x #cores + 2 e.g.
export UWSGI_PROCESSES=10
# UWSGI_BUFFER_SIZE
Used to specify the buffer size of UWSGI, by default 8192 bytes e.g.
export UWSGI_BUFFER_SIZE=8192
# Server: Enterprise Edition only
There are certain environment variables that only work with the enterprise edition server.
# PSONO_LICENSE_CODE
Used to overwrite the LICENSE_CODE
parameter of the settings.yaml
, and to configure a license code to prevent the server from trying to connect to the license server e.g.
export PSONO_LICENSE_CODE=jkhzzjzgkghjbztktbjhtgvhzjfzjgfzjkzbjkzbjkzbjkkgzjgzjk
# PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
Used to overwrite the COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS
parameter of the settings.yaml
, and to prevent central security reports e.g.
export PSONO_COMPLIANCE_ENFORCE_CENTRAL_SECURITY_REPORTS=False
# PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
Used to overwrite the COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL
parameter of the settings.yaml
, and to specify the recurrence interval in seconds for security reports. 0 disables it. e.g.
export PSONO_COMPLIANCE_CENTRAL_SECURITY_REPORT_SECURITY_RECURRENCE_INTERVAL=2592000
# PSONO_COMPLIANCE_ENFORCE_2FA
Used to overwrite the COMPLIANCE_ENFORCE_2FA
parameter of the settings.yaml
, and to enforce second factors e.g.
export PSONO_COMPLIANCE_ENFORCE_2FA=True
# PSONO_COMPLIANCE_DISABLE_EXPORT
Used to overwrite the COMPLIANCE_DISABLE_EXPORT
parameter of the settings.yaml
, and to disable the export feature e.g.
export PSONO_COMPLIANCE_DISABLE_EXPORT=True
# PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS
Used to overwrite the COMPLIANCE_DISABLE_UNMANAGED_GROUPS
parameter of the settings.yaml
, and to disable unmanaged
groups, so normal users cannot create groups anymore e.g.
export PSONO_COMPLIANCE_DISABLE_UNMANAGED_GROUPS=True
# PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT
Used to overwrite the COMPLIANCE_DISABLE_DELETE_ACCOUNT
parameter of the settings.yaml
, and to disable the delete account option e.g.
export PSONO_COMPLIANCE_DISABLE_DELETE_ACCOUNT=True
# PSONO_COMPLIANCE_DISABLE_API_KEYS
Used to overwrite the COMPLIANCE_DISABLE_API_KEYS
parameter of the settings.yaml
, and to disable API keys e.g.
export PSONO_COMPLIANCE_DISABLE_API_KEYS=True
# PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES
Used to overwrite the COMPLIANCE_DISABLE_EMERGENCY_CODES
parameter of the settings.yaml
, and to disable emergency codes e.g.
export PSONO_COMPLIANCE_DISABLE_EMERGENCY_CODES=True
# PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES
Used to overwrite the COMPLIANCE_DISABLE_RECOVERY_CODES
parameter of the settings.yaml
, and to disable recovery codes e.g.
export PSONO_COMPLIANCE_DISABLE_RECOVERY_CODES=True
# PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES
Used to overwrite the COMPLIANCE_DISABLE_FILE_REPOSITORIES
parameter of the settings.yaml
, and to disable file repositories e.g.
export PSONO_COMPLIANCE_DISABLE_FILE_REPOSITORIES=True
# PSONO_COMPLIANCE_DISABLE_LINK_SHARES
Used to overwrite the COMPLIANCE_DISABLE_LINK_SHARES
parameter of the settings.yaml
, and to disable link shares e.g.
export PSONO_COMPLIANCE_DISABLE_LINK_SHARES=True
# PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE
Used to overwrite the COMPLIANCE_DISABLE_OFFLINE_MODE
parameter of the settings.yaml
, and to prevent offline mode e.g.
export PSONO_COMPLIANCE_DISABLE_OFFLINE_MODE=True
# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH
parameter of the settings.yaml
, and to specify a minimal master password length e.g.
export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_LENGTH=14
# PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
Used to overwrite the COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY
parameter of the settings.yaml
, and to enforce a minimal password complexity e.g.
export PSONO_COMPLIANCE_MIN_MASTER_PASSWORD_COMPLEXITY=3
### `PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH`
Used to overwrite the `COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH` parameter of the `settings.yaml`, and to configure the default length for passwords generated by the password generator e.g.
```bash
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_PASSWORD_LENGTH=16
```
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE
parameter of the settings.yaml
, and to configure the default set of uppercase letters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_UPPERCASE=ABCDEFGHIJKLMNOPQRSTUVWXYZ
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE
parameter of the settings.yaml
, and to configure the default set of lowercase letters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_LETTERS_LOWERCASE=abcdefghijklmnopqrstuvwxyz
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS
parameter of the settings.yaml
, and to configure the default set of numbers for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_NUMBERS=0123456789
# PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
Used to overwrite the COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS
parameter of the settings.yaml
, and to configure the default set of special characters for passwords generated by the password generator e.g.
export PSONO_COMPLIANCE_PASSWORD_GENERATOR_DEFAULT_SPECIAL_CHARS=,.-:_
# PSONO_LDAPGATEWAY_TIMEOUT
Used to overwrite the LDAPGATEWAY_TIMEOUT
parameter of the settings.yaml
, and to configure the timeout in seconds for LDAP gateway requests e.g.
export PSONO_LDAPGATEWAY_TIMEOUT=10
# PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS
Used to overwrite the LDAPGATEWAY_EXCLUSIVE_SECRETS
parameter of the settings.yaml
, and to specify that the LDAP gateway should handle all user secrets exclusively e.g.
export PSONO_LDAPGATEWAY_EXCLUSIVE_SECRETS=True
# PSONO_LDAPGATEWAY
Used to overwrite the LDAPGATEWAY
parameter of the settings.yaml
, and to configure the connection to a LDAP gateway e.g.
export PSONO_LDAPGATEWAY=[...]
With [...]
being the json representation of the LDAPGATEWAY yaml, e.g.
[
{
"CLIENT_ID": "3073da7d-5925-4142-a50b-f0478d7ee4aa",
"CLIENT_PRIVATE_KEY": "5476100ad30e22881bb71d96e5c3e02e3964ede13fbcaa3ff886c36a27f7e3fd",
"SERVER_PUBLIC_KEY": "141e1f988831ccbae4a43b20e6dbfc085be4b9b63902baa23d74f23e94301622",
"SERVER_URL": "https://ldapgateway.example.com",
"SSL_VERIFY": true
}
]
TIP
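An online converter such as onlineyamltools.com/convert-yaml-to-json can convert between yaml and json. This configuration contains a secret (CLIENT_PRIVATE_KEY), so convert it with a local tool, or replace the secret values with placeholders before pasting it into a third-party site.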
# PSONO_LDAP
Used to overwrite the LDAP
parameter of the settings.yaml
, and to configure the connection to an LDAP server e.g.
export PSONO_LDAP=[...]
With [...]
being the json representation of the LDAP yaml, e.g.
[
{
"LDAP_URL": "ldap://ldap.example.com:389",
"LDAP_DOMAIN": "example.com",
"LDAP_BIND_DN": "CN=LDAPPsono,OU=UsersTech,OU=example.com,DC=example,DC=com",
"LDAP_BIND_PASS": "a_password",
"LDAP_SEARCH_USER_DN": "OU=Users,OU=example.com,DC=example,DC=com",
"LDAP_SEARCH_GROUP_DN": "OU=example.com,DC=example,DC=com",
"LDAP_ATTR_EMAIL": "mail"
}
]
TIP
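An online converter such as onlineyamltools.com/convert-yaml-to-json can convert between yaml and json. This configuration contains a secret (LDAP_BIND_PASS), so convert it with a local tool, or replace the secret values with placeholders before pasting it into a third-party site.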
# PSONO_SAML_CONFIGURATIONS
Used to overwrite the SAML_CONFIGURATIONS
parameter of the settings.yaml
, and to configure the connection to a SAML IDP e.g.
export PSONO_SAML_CONFIGURATIONS={...}
With {...}
being the json representation of the SAML_CONFIGURATIONS yaml, e.g.
{
"1": {
"idp": {
"entityId": "http://saml.example.com:8080/simplesaml/saml2/idp/metadata.php",
"singleLogoutService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"url": "http://saml.example.com:8080/simplesaml/saml2/idp/SingleLogoutService.php"
},
"singleSignOnService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
"url": "http://saml.example.com:8080/simplesaml/saml2/idp/SSOService.php"
},
"x509cert": "MIIDXTCCA...==",
"groups_attribute": "eduPersonAffiliation",
"username_attribute": "email",
"email_attribute": "email",
"username_domain": "example.com",
"required_group": [
"group1"
],
"is_adfs": false,
"honor_multifactors": true,
"max_session_lifetime": 86400
},
"sp": {
"NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
"assertionConsumerService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
},
"attributeConsumingService": {
"requestedAttributes": [
{
"attributeValue": [],
"friendlyName": "",
"isRequired": false,
"name": "asdf",
"nameFormat": ""
}
],
"serviceDescription": "Test Service",
"serviceName": "SP test"
},
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\n.\n.\n.\n-----END RSA PRIVATE KEY-----\n",
"singleLogoutService": {
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
},
"user_default_active": false,
"x509cert": "-----BEGIN CERTIFICATE-----\n.\n.\n.\n-----END CERTIFICATE-----\n"
},
"strict": true
}
}
TIP
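An online converter such as onlineyamltools.com/convert-yaml-to-json can convert between yaml and json. This configuration contains a secret (the sp privateKey), so convert it with a local tool, or replace the secret values with placeholders before pasting it into a third-party site.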
# PSONO_OIDC_CONFIGURATIONS
Used to overwrite the OIDC_CONFIGURATIONS
parameter of the settings.yaml
, and to configure the connection to an OIDC provider e.g.
export PSONO_OIDC_CONFIGURATIONS={...}
With {...}
being the json representation of the OIDC_CONFIGURATIONS yaml, e.g.
{
"1": {
"OIDC_RP_SIGN_ALGO": "RS256",
"OIDC_RP_CLIENT_ID": "2564ebf9-3c1e-43e6-8ba9-e553d80f1000",
"OIDC_RP_CLIENT_SECRET": "b176052a-bc24-408a-94fe-163750dca482",
"OIDC_OP_JWKS_ENDPOINT": "http://oidc.example.com:8585/jwks",
"OIDC_OP_AUTHORIZATION_ENDPOINT": "http://oidc.example.com:8585/authorize",
"OIDC_OP_TOKEN_ENDPOINT": "http://oidc.example.com:8585/token",
"OIDC_OP_USER_ENDPOINT": "http://oidc.example.com:8585/userinfo",
"OIDC_OP_ENDSESSION_ENDPOINT": "http://oidc.example.com:8585/end-session",
"OIDC_ALLOWED_REDIRECT_URLS": [
"https://psono.example.com/"
],
"OIDC_GROUPS_ATTRIBUTE_DICT_GROUP_ID": "groupId"
}
}
TIP
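An online converter such as onlineyamltools.com/convert-yaml-to-json can convert between yaml and json. This configuration contains a secret (OIDC_RP_CLIENT_SECRET), so convert it with a local tool, or replace the secret values with placeholders before pasting it into a third-party site.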
# PSONO_LOGGING_AUDIT
Used to overwrite the LOGGING_AUDIT
parameter of the settings.yaml
, and to enable audit logging e.g.
export PSONO_LOGGING_AUDIT=True
# PSONO_LOGGING_AUDIT_WHITELIST
Used to overwrite the LOGGING_AUDIT_WHITELIST
parameter of the settings.yaml
, and to whitelist only certain events to be logged, separated by a comma e.g.
export PSONO_LOGGING_AUDIT_WHITELIST=API_KEY_LOGIN_ERROR,SAML_LOGIN_ERROR,SAML_INITIATE_LOGIN_ERROR,SAML_LOGIN_ERROR,OIDC_INITIATE_LOGIN_ERROR
# PSONO_LOGGING_AUDIT_BLACKLIST
Used to overwrite the LOGGING_AUDIT_BLACKLIST
parameter of the settings.yaml
, and to blacklist certain events so they are not logged, separated by a comma e.g.
export PSONO_LOGGING_AUDIT_BLACKLIST=CHECK_HEALTH_SUCCESS,READ_STATUS_SUCCESS
# PSONO_LOGGING_AUDIT_FOLDER
Used to overwrite the LOGGING_AUDIT_FOLDER
parameter of the settings.yaml
, and used to configure the directory for the audit log files e.g.
export PSONO_LOGGING_AUDIT_FOLDER=/var/log/psono
# PSONO_LOGGING_AUDIT_TIME
Used to overwrite the LOGGING_AUDIT_TIME
parameter of the settings.yaml
, and used to configure a different timezone for the logging. Either UTC (value time_utc
) or your server time (value time_server
) e.g.
export PSONO_LOGGING_AUDIT_TIME=time_utc
# PSONO_LOGSTASH_FORMATTER
Used to overwrite the LOGSTASH_FORMATTER
parameter of the settings.yaml
, and to specify a different formatter e.g.
export PSONO_LOGSTASH_FORMATTER=logstash_async.formatter.DjangoLogstashFormatter
# PSONO_LOGSTASH_MESSAGE_TYPE
Used to overwrite the LOGSTASH_MESSAGE_TYPE
parameter of the settings.yaml
, and to specify a different message type e.g.
export PSONO_LOGSTASH_MESSAGE_TYPE=psono:auditLog
# PSONO_LOGSTASH_EXTRA_PREFIX
Used to overwrite the LOGSTASH_EXTRA_PREFIX
parameter of the settings.yaml
, and to specify a certain prefix e.g.
export PSONO_LOGSTASH_EXTRA_PREFIX=something_
# PSONO_SPLUNK_HOST
Used to overwrite the SPLUNK_HOST
parameter of the settings.yaml
, and to specify the host of your Splunk Receiver e.g.
export PSONO_SPLUNK_HOST=splunk.example.com
# PSONO_SPLUNK_PORT
Used to overwrite the SPLUNK_PORT
parameter of the settings.yaml
, and to specify the port of your Splunk Receiver e.g.
export PSONO_SPLUNK_PORT=1234
# PSONO_SPLUNK_TOKEN
Used to overwrite the SPLUNK_TOKEN
parameter of the settings.yaml
, and to specify the generated token of your Splunk Receiver e.g.
export PSONO_SPLUNK_TOKEN=True
# PSONO_SPLUNK_INDEX
Used to overwrite the SPLUNK_INDEX
parameter of the settings.yaml
, and to specify the Splunk index that should be used e.g.
export PSONO_SPLUNK_INDEX=whatever
# PSONO_SPLUNK_VERIFY
Used to overwrite the SPLUNK_VERIFY
parameter of the settings.yaml
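, and used to disable SSL verification for your Splunk transport. Disabling it means the receiver's certificate is no longer checked, so the audit log traffic can be intercepted or redirected on the network path; only do so in test setups, e.g.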
export PSONO_SPLUNK_VERIFY=False
# PSONO_SPLUNK_PROTOCOL
Used to overwrite the SPLUNK_PROTOCOL
parameter of the settings.yaml
, and to specify the splunk transport mechanism e.g.
export PSONO_SPLUNK_PROTOCOL=https
# PSONO_SPLUNK_SOURCETYPE
Used to overwrite the SPLUNK_SOURCETYPE
parameter of the settings.yaml
, and to specify the source type of the entries in Splunk e.g.
export PSONO_SPLUNK_SOURCETYPE=psono:auditLog
# PSONO_LOGSTASH_HANDLER
Used to overwrite the LOGSTASH_HANDLER
parameter of the settings.yaml
, and to configure a different handler class e.g.
export PSONO_LOGSTASH_HANDLER=logstash_async.handler.SynchronousLogstashHandler
# PSONO_LOGSTASH_TRANSPORT
Used to overwrite the LOGSTASH_TRANSPORT
parameter of the settings.yaml
, and used to specify a different transport mechanism e.g.
export PSONO_LOGSTASH_TRANSPORT=logstash_async.transport.TcpTransport
# PSONO_LOGSTASH_HOST
Used to overwrite the LOGSTASH_HOST
parameter of the settings.yaml
, and to specify the logstash host e.g.
export PSONO_LOGSTASH_HOST=logstash.example.com
# PSONO_LOGSTASH_PORT
Used to overwrite the LOGSTASH_PORT
parameter of the settings.yaml
, and to specify the logstash port e.g.
export PSONO_LOGSTASH_PORT=5959
# PSONO_LOGSTASH_SSL_ENABLED
Used to overwrite the LOGSTASH_SSL_ENABLED
parameter of the settings.yaml
, and to specify whether one wants to use SSL or not e.g.
export PSONO_LOGSTASH_SSL_ENABLED=True
# PSONO_LOGSTASH_SSL_VERIFY
Used to overwrite the LOGSTASH_SSL_VERIFY
parameter of the settings.yaml
, and to specify whether to verify the certificate or not e.g.
export PSONO_LOGSTASH_SSL_VERIFY=True
# PSONO_LOGSTASH_CA_CERTS
Used to overwrite the LOGSTASH_CA_CERTS
parameter of the settings.yaml
, and to specify the path to a file containing the custom CAs e.g.
export PSONO_LOGSTASH_CA_CERTS=/etc/ssl/custom.ca
# PSONO_LOGSTASH_CERFILE
Used to overwrite the LOGSTASH_CERFILE
parameter of the settings.yaml
, and to specify the path to an own cert file e.g.
export PSONO_LOGSTASH_CERFILE=/etc/ssl/logstash.cert
# PSONO_LOGSTASH_KEYFILE
Used to overwrite the LOGSTASH_KEYFILE
parameter of the settings.yaml
, and to specify the path to an own key file e.g.
export PSONO_LOGSTASH_KEYFILE=/etc/ssl/logstash.key
# PSONO_LOGSTASH_DATABASE_PATH
Used to overwrite the LOGSTASH_DATABASE_PATH
parameter of the settings.yaml
, and to configure a custom path for the database e.g.
export PSONO_LOGSTASH_DATABASE_PATH=/logstash/database/
# Client
You can configure the client with the following parameter.
# PSONO_WEBCLIENT_CONFIG_JSON
Used to overwrite the config.json
, e.g.
export PSONO_WEBCLIENT_CONFIG_JSON={...}
With {...}
being the config.json
e.g.
{
"backend_servers": [{
"title": "Psono.pw"
}],
"allow_custom_server": true,
"allow_registration": true,
"allow_lost_password": true,
"authentication_methods": ["AUTHKEY", "LDAP"],
"more_links": [{
"href": "https://doc.psono.com/",
"title": "DOCUMENTATION",
"class": "fa-book"
},{
"href": "privacy-policy.html",
"title": "PRIVACY_POLICY",
"class": "fa-user-secret"
},{
"href": "https://www.psono.com",
"title": "ABOUT_US",
"class": "fa-info-circle"
}]
}
# Portal
You can configure the portal with the following parameter.
# PSONO_PORTAL_CONFIG_JSON
Used to overwrite the config.json
, e.g.
export PSONO_PORTAL_CONFIG_JSON={...}
With {...}
being the config.json
e.g.
{
"backend_servers": [{
"title": "Psono.pw"
}],
"allow_custom_server": true,
"allow_registration": true,
"allow_lost_password": true,
"authentication_methods": ["AUTHKEY", "LDAP"],
"more_links": [{
"href": "https://doc.psono.com/",
"title": "DOCUMENTATION",
"class": "fa-book"
},{
"href": "privacy-policy.html",
"title": "PRIVACY_POLICY",
"class": "fa-user-secret"
},{
"href": "https://www.psono.com",
"title": "ABOUT_US",
"class": "fa-info-circle"
}]
}
# Combo Images
Psono combo images come with an nginx, that glues the bundled server, client and portal together. You can use the following parameters to configure the nginx.
# NGINX_WORKER_PROCESSES
Used to configure nginx' worker_processes
parameter, defaults to 1
.
export NGINX_WORKER_PROCESSES=1
# NGINX_STRICT_TRANSPORT_SECURITY
Used to configure nginx' add_header Strict-Transport-Security
parameter, defaults to not being specified.
export NGINX_STRICT_TRANSPORT_SECURITY='"max-age=31536000; includeSubDomains" always;'
# NGINX_HEADER_REFERRER_POLICY
Used to configure nginx' add_header Referrer-Policy
parameter, defaults to same-origin
.
export NGINX_HEADER_REFERRER_POLICY=same-origin
# NGINX_HEADER_X_FRAME_OPTIONS
Used to configure nginx' add_header X-Frame-Options
parameter, defaults to DENY
.
export NGINX_HEADER_X_FRAME_OPTIONS=DENY
# NGINX_HEADER_X_CONTENT_TYPE_OPTIONS
Used to configure nginx' add_header X-Content-Type-Options
parameter, defaults to nosniff
.
export NGINX_HEADER_X_CONTENT_TYPE_OPTIONS=nosniff
# NGINX_HEADER_X_XSS_PROTECTION
Used to configure nginx' add_header X-XSS-Protection
parameter, defaults to "1; mode=block"
.
export NGINX_HEADER_X_XSS_PROTECTION='"1; mode=block"'
# NGINX_HEADER_CONTENT_SECURITY_POLICY
Used to configure nginx' add_header Content-Security-Policy
parameter, defaults to "default-src none; manifest-src self; connect-src self https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src self; img-src self www.google-analytics.com data:; script-src self www.google-analytics.com; style-src self unsafe-inline; object-src self; child-src self; form-action self"
.
export NGINX_HEADER_CONTENT_SECURITY_POLICY="\"default-src 'none'; manifest-src 'self'; connect-src 'self' https://static.psono.com https://keyserver.ubuntu.com https://storage.googleapis.com https://*.blob.core.windows.net https://*.s3.amazonaws.com https://*.digitaloceanspaces.com https://api.pwnedpasswords.com https://sentry.io; font-src 'self'; img-src 'self' www.google-analytics.com data:; script-src 'self' www.google-analytics.com; style-src 'self' 'unsafe-inline'; object-src 'self'; child-src 'self'; form-action 'self'\""