afoninsky/tinode.conf

## tinode.conf
// The JSON comments are somewhat brittle. Don't try anything too fancy.
{
  // Default HTTP(S) address:port to listen on for websocket and long polling clients. Either a
  // numeric or a canonical name, e.g. ":80" or ":https". Could include a host name, e.g.
  // "localhost:80".
  // Could be blank: if TLS is not configured, will use ":80", otherwise ":443".
  // Can be overridden from the command line, see option --listen.
  "listen": ":18080",

  // Cach-Control header for static content. 11 hours.
  "cache_control": 39600,

  // URL path for mounting the directory with static files.
  "static_mount": "/",

  // Address:port to listen for gRPC clients. Leave blank to disable gRPC support.
  // Could be overridden from the command line with --grpc_listen.
  "grpc_listen": ":16061",

  // Salt for signing API key. 32 random bytes base64-encoded. Use 'keygen' to generate
  // the API key and the salt.
  "api_key_salt": "T713/rYYgW7g4m3vG6zGRh7+FM1t0T8j13koXScOAj4=",

  // Maximum message size allowed from client in bytes (262144 = 256KB).
  // Intended to prevent malicious clients from sending very large messages inband (does
  // not affect out-of-band large files).
  "max_message_size": 262144,

  // Maximum number of subscribers per group topic.
  "max_subscriber_count": 128,

  // Maximum number of indexable tags per topic or user.
  "max_tag_count": 16,

  // URL path for exposing runtime stats. Disabled if the path is blank.
  // Could be overriden from the command line with --expvar.
  "expvar": "/debug/vars",

  // Large media/blob handlers.
  "media": {
    // Media handler to use
    "use_handler": "fs",
    // Maximum size of uploaded file (8MB here for testing, maybe increase to 100MB = 104857600 in prod)
    "max_size": 8388608,
    // Garbage collection periodicity in seconds
    "gc_period": 60,
    // Number of unused entries to delete in one pass
    "gc_block_size": 100,
    // Configurations for various handlers.
    "handlers": {
      // File system storage.
      "fs": {
        // File system location to store uploaded files. In case of a cluster it
        // must be accessible by all cluster members, i.e. a network drive.
        "upload_dir": "uploads"
      },
      // Amazon AWS S3 storage.
      "s3":{
        // Use AWS console to get Access Key ID and Secret Access Key.
        // https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
        "access_key_id": "your_s3_access_key_id",
        "secret_access_key": "your_s3_secret_access_key",
        // Region where the bucket is hosted.
        "region": "s3 region, like us-east-2",
        // Name of the S3 bucket.
        "bucket": "your_s3_bucket_name",
        // Origin URLs allowed to download files. See
        // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
        "cors_origins": ["*"]
      }
    }
  },

  // TLS (httpS) configuration. Applies to both web and gRPC interfaces.
  "tls": {
    // Enable TLS.
    "enabled": false,

    // Listen for connections on this port and redirect them to HTTPS port.
    "http_redirect": ":80",

    // Add Strict-Transport-Security to headers, the value signifies age.
    // Zero or negative value turns it off.
    "strict_max_age": 604800,

    // Letsencrypt configuration
    "autocert": {
      // Location of certificates.
      "cache": "/etc/letsencrypt/live/your.domain.here",

      // Contact address for this installation. LetsEncrypt will send
      // messages to this address in case of problems. Replace with your
      // own address or remove this line.
      "email": "noreply@example.com",

      // Domains served. Replace with your own domain name.
      "domains": ["whatever.example.com"]
    },

    // If "autocert" config is not defined, read static certificates from
    // these locations. Ignored if "autocert" is defined.
    "cert_file": "/etc/httpd/conf/your.domain.crt",
    "key_file": "/etc/httpd/conf/your.domain.key"
  },

  // Authentication configuration.
  "auth_config": {
    // Optional mapping of externally-visible authenticator names to internal names.
    // For example use ["login-password:basic", "basic:"] to rename "basic" authenticator to
    // "login-password" and make it unaccessible by the old name.
    // Default is identity mapping.
    "logical_names": [],

    // Basic (login + password) authentication.
    "basic": {
      // Add 'auth-name:username' to tags making user discoverable by username.
      "add_to_tags": true,
      // The minimum length of a login in unicode runes, i.e. "登录" is length 2, not 6.
      // The maximum length is 32 and it cannot be changed.
      "min_login_length": 4,
      // The minimum length of a password in unicode runes, "пароль" is length 6, not 12.
      // There is no maximum length.
      "min_password_length": 6
    },

    // Token authentication
    "token": {
      // Lifetime of a security token in seconds. 1209600 = 2 weeks.
      "expire_in": 1209600,

      // Serial number of the token. Can be used to invalidate all issued tokens at once.
      "serial_num": 1,

      // Secret key (HMAC salt) for signing the tokens. Generate your own then keep it secret.
      // 32 random bytes base64 encioded.
      "key": "wfaY2RgF2S1OQI/ZlK+LSrp1KB2jwAdGAIHQ7JZn+Kc="
    }
  },

  // Database configuration
  "store_config": {
    // XTEA encryption key for user IDs and topic names. 16 random bytes base64-encoded.
    // Generate your own and keep it secret.
    "uid_key": "la6YsO+bNX/+XIkOqc5Svw==",

    // Maximum number of results fetched in one DB call.
    "max_results": 1024,

    // Configurations of individual adapters.
    "adapters": {
      // MySQL configuration. See https://godoc.org/github.com/go-sql-driver/mysql#Config
      // for other possible options.
      "mysql": {
        // DSN, passed unchanged to MySQL driver. The 'parseTime=true' is required.
        // The 'collation=utf8mb4_unicode_ci' is optional but highly recommended for
        // emoji and certain CJK characters.
        // See https://github.com/go-sql-driver/mysql#dsn-data-source-name for syntax.
        "dsn": "root@tcp(localhost)/tinode?parseTime=true&collation=utf8mb4_unicode_ci",
        // Name of the main database.
        "database": "tinode"
      },

      // RethinkDB configuration. https://godoc.org/github.com/rethinkdb/rethinkdb-go#ConnectOpts
      // for other possible options.
            "rethinkdb": {
            "addresses": "rethinkdb-debug-rethinkdb-debug-proxy.staging.svc.cluster.local",
            "database": "test",
            "username": "admin",
            "password": "***"
            }
    }
  },

  // Account validators (email or SMS or captcha)
  "acc_validation": {

    // Email validator config.
    "email": {
      // Restrict use of "email" namespace.
      "add_to_tags": true,

      // List of authentication levels which require this validation method.
      // Remove this line to disable email validation.
      "required": ["auth"],

      // Configuration passed to the validator unchanged.
      "config": {
        // Address of the host where the Tinode server is running. This will be used
        // in URLs in the email.
        "host_url": "http://localhost:6060/",

        // Address of the SMPT server to use.
        "smtp_server": "smtp.example.com",

        // SMTP port to use. "25" for basic email RFC 5321 (2821, 821), "587" for RFC 3207 (TLS).
        "smtp_port": "25",

        // Address to use for authentication and to show in From:
        "sender": "noreply@example.com",

        // Password of the sender.
        "sender_password": "your-password-here",

        // Message body template for credential validation. Uses http/template syntax.
        "validation_body_templ": "./templ/email-validation-body.templ",

        // Subject line for validation requests.
        "validation_subject": "Tinode registration: confirm email",

        // Message body template for password reset. Uses http/template syntax.
        "reset_body_templ": "./templ/email-password-reset.templ",

        // Subject line for password reset requests.
        "reset_subject": "Reset Tinode password",

        // Additional message headers (currently unused).
        "headers": [],

        // Allow this many confirmation attempts before blocking the credential.
        "max_retries": 4,

        // List of allowed email domains. Missing or empty list means any email domain is accepted.
        "domains": [],

        // Dummy response to accept. Remove the line in production.
        "debug_response": "123456"
      }
    },

    // Dummy placeholder validator for SMS and voice validation. Disabled by default.
    // Use something like twillio.com in production.
    "tel": {
      "add_to_tags": true,
      "config": {
        "template": "./templ/sms-validation.templ",
        "max_retries": 4,
        "debug_response": "123456"
      }
    }
  },

  // Configuration of push notifications.
  "push": [
    {
      // Notificator which writes to STDOUT. Useful for debugging.
      "name":"stdout",
      "config": {
        // Disabled.
        "enabled": false
      }
    },
    {
      // Google FCM notificator.
      "name":"fcm",
      "config": {
        // Disabled. Won't work without the server key anyway. See below.
        "enabled": false,

        // Number of notifications to keep before they start to be dropped.
        "buffer": 1024,

        // Firebase project ID.
        "project_id": "your-project-id",

        // Service account credentials as json.
        // See instructions how to download the service account credentials file:
        // https://cloud.google.com/iam/docs/creating-managing-service-account-keys
        // Then insert the file contents here. Yes, this is convoluted, but that's Google's fault.
        "credentials": {
          "type": "service_account",
            "project_id": "your-project-id",
            "private_key_id": "some-random-looking-hex-number",
            "private_key": "-----BEGIN PRIVATE KEY----- base64-encoded bits of your private key \n-----END PRIVATE KEY-----\n",
            "client_email": "firebase-adminsdk-abc123@your-project-id.iam.gserviceaccount.com",
            "client_id": "1234567890123456789",
            "auth_uri": "https://accounts.google.com/o/oauth2/auth",
            "token_uri": "https://oauth2.googleapis.com/token",
            "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
            "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-abc123%40your-project-id.iam.gserviceaccount.com"
        },

        // An alternative way to provide Firebase service account credentials.
        "credentials_file": "/path/to/service-account-file-with-credentials.json",

        // Time in seconds before notification is discarded if undelivered (by Google).
        "time_to_live": 3600,

        // Include Android Notification. Set to false to push a data-only message.
        "include_android_notification": false,

        // Android resource ID to use as a notification icon. Used only if include_android_notification=true.
        "icon": "ic_logo_push",

        // Notification color (Android). Used only if include_android_notification=true.
        "icon_color": "#3949AB"
      }
    }
  ],

  // Cluster-mode configuration.
  "cluster_config": {
    // Name of this node. Can be assigned from the command line.
    // Empty string disables clustering.
    "self": "",

    // List of available nodes.
    "nodes": [
      // Name and TCP address of every node in the cluster. The ports 12001..12003
      // are cluster communication ports. They don't need to be exposed to clients.
      {"name": "one", "addr":"localhost:12001"},
      {"name": "two", "addr":"localhost:12002"},
      {"name": "three", "addr":"localhost:12003"}
    ],

    // Failover config.
    "failover": {
      // Failover is enabled.
      "enabled": true,
      // Time in milliseconds between heartbeats.
      "heartbeat": 100,
      // Initiate leader election when the leader is not available for this many heartbeats.
      "vote_after": 8,
      // Consider node failed when it missed this many heartbeats.
      "node_fail_after": 16
    }
  },

  // Configuration of plugins
  "plugins": [
    {
      // Enable or disable this plugin.
      "enabled": false,

      // Name of the plugin, must be unique.
      "name": "python_chat_bot",

      // Timeout in microseconds.
      "timeout": 20000,

      // Events to send to the plugin.
      "filters": {
        // Account creation events.
        "account": "C"
      },

      // Error code to use in case flugin has failed.
      "failure_code": 0,

      // Text of an error message to report in case of plugin falure.
      "failure_text": null,

      // Address of the plugin.
      "service_addr": "tcp://localhost:40051"
    }
  ]
}
	// The JSON comments are somewhat brittle. Don't try anything too fancy.
	{
	// Default HTTP(S) address:port to listen on for websocket and long polling clients. Either a
	// numeric or a canonical name, e.g. ":80" or ":https". Could include a host name, e.g.
	// "localhost:80".
	// Could be blank: if TLS is not configured, will use ":80", otherwise ":443".
	// Can be overridden from the command line, see option --listen.
	"listen": ":18080",

	// Cach-Control header for static content. 11 hours.
	"cache_control": 39600,

	// URL path for mounting the directory with static files.
	"static_mount": "/",

	// Address:port to listen for gRPC clients. Leave blank to disable gRPC support.
	// Could be overridden from the command line with --grpc_listen.
	"grpc_listen": ":16061",

	// Salt for signing API key. 32 random bytes base64-encoded. Use 'keygen' to generate
	// the API key and the salt.
	"api_key_salt": "T713/rYYgW7g4m3vG6zGRh7+FM1t0T8j13koXScOAj4=",

	// Maximum message size allowed from client in bytes (262144 = 256KB).
	// Intended to prevent malicious clients from sending very large messages inband (does
	// not affect out-of-band large files).
	"max_message_size": 262144,

	// Maximum number of subscribers per group topic.
	"max_subscriber_count": 128,

	// Maximum number of indexable tags per topic or user.
	"max_tag_count": 16,

	// URL path for exposing runtime stats. Disabled if the path is blank.
	// Could be overriden from the command line with --expvar.
	"expvar": "/debug/vars",

	// Large media/blob handlers.
	"media": {
	// Media handler to use
	"use_handler": "fs",
	// Maximum size of uploaded file (8MB here for testing, maybe increase to 100MB = 104857600 in prod)
	"max_size": 8388608,
	// Garbage collection periodicity in seconds
	"gc_period": 60,
	// Number of unused entries to delete in one pass
	"gc_block_size": 100,
	// Configurations for various handlers.
	"handlers": {
	// File system storage.
	"fs": {
	// File system location to store uploaded files. In case of a cluster it
	// must be accessible by all cluster members, i.e. a network drive.
	"upload_dir": "uploads"
	},
	// Amazon AWS S3 storage.
	"s3":{
	// Use AWS console to get Access Key ID and Secret Access Key.
	// https://aws.amazon.com/blogs/security/wheres-my-secret-access-key/
	"access_key_id": "your_s3_access_key_id",
	"secret_access_key": "your_s3_secret_access_key",
	// Region where the bucket is hosted.
	"region": "s3 region, like us-east-2",
	// Name of the S3 bucket.
	"bucket": "your_s3_bucket_name",
	// Origin URLs allowed to download files. See
	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin
	"cors_origins": ["*"]
	}
	}
	},

	// TLS (httpS) configuration. Applies to both web and gRPC interfaces.
	"tls": {
	// Enable TLS.
	"enabled": false,

	// Listen for connections on this port and redirect them to HTTPS port.
	"http_redirect": ":80",

	// Add Strict-Transport-Security to headers, the value signifies age.
	// Zero or negative value turns it off.
	"strict_max_age": 604800,

	// Letsencrypt configuration
	"autocert": {
	// Location of certificates.
	"cache": "/etc/letsencrypt/live/your.domain.here",

	// Contact address for this installation. LetsEncrypt will send
	// messages to this address in case of problems. Replace with your
	// own address or remove this line.
	"email": "noreply@example.com",

	// Domains served. Replace with your own domain name.
	"domains": ["whatever.example.com"]
	},

	// If "autocert" config is not defined, read static certificates from
	// these locations. Ignored if "autocert" is defined.
	"cert_file": "/etc/httpd/conf/your.domain.crt",
	"key_file": "/etc/httpd/conf/your.domain.key"
	},

	// Authentication configuration.
	"auth_config": {
	// Optional mapping of externally-visible authenticator names to internal names.
	// For example use ["login-password:basic", "basic:"] to rename "basic" authenticator to
	// "login-password" and make it unaccessible by the old name.
	// Default is identity mapping.
	"logical_names": [],

	// Basic (login + password) authentication.
	"basic": {
	// Add 'auth-name:username' to tags making user discoverable by username.
	"add_to_tags": true,
	// The minimum length of a login in unicode runes, i.e. "登录" is length 2, not 6.
	// The maximum length is 32 and it cannot be changed.
	"min_login_length": 4,
	// The minimum length of a password in unicode runes, "пароль" is length 6, not 12.
	// There is no maximum length.
	"min_password_length": 6
	},

	// Token authentication
	"token": {
	// Lifetime of a security token in seconds. 1209600 = 2 weeks.
	"expire_in": 1209600,

	// Serial number of the token. Can be used to invalidate all issued tokens at once.
	"serial_num": 1,

	// Secret key (HMAC salt) for signing the tokens. Generate your own then keep it secret.
	// 32 random bytes base64 encioded.
	"key": "wfaY2RgF2S1OQI/ZlK+LSrp1KB2jwAdGAIHQ7JZn+Kc="
	}
	},

	// Database configuration
	"store_config": {
	// XTEA encryption key for user IDs and topic names. 16 random bytes base64-encoded.
	// Generate your own and keep it secret.
	"uid_key": "la6YsO+bNX/+XIkOqc5Svw==",

	// Maximum number of results fetched in one DB call.
	"max_results": 1024,

	// Configurations of individual adapters.
	"adapters": {
	// MySQL configuration. See https://godoc.org/github.com/go-sql-driver/mysql#Config
	// for other possible options.
	"mysql": {
	// DSN, passed unchanged to MySQL driver. The 'parseTime=true' is required.
	// The 'collation=utf8mb4_unicode_ci' is optional but highly recommended for
	// emoji and certain CJK characters.
	// See https://github.com/go-sql-driver/mysql#dsn-data-source-name for syntax.
	"dsn": "root@tcp(localhost)/tinode?parseTime=true&collation=utf8mb4_unicode_ci",
	// Name of the main database.
	"database": "tinode"
	},

	// RethinkDB configuration. https://godoc.org/github.com/rethinkdb/rethinkdb-go#ConnectOpts
	// for other possible options.
	"rethinkdb": {
	"addresses": "rethinkdb-debug-rethinkdb-debug-proxy.staging.svc.cluster.local",
	"database": "test",
	"username": "admin",
	"password": "***"
	}
	}
	},

	// Account validators (email or SMS or captcha)
	"acc_validation": {

	// Email validator config.
	"email": {
	// Restrict use of "email" namespace.
	"add_to_tags": true,

	// List of authentication levels which require this validation method.
	// Remove this line to disable email validation.
	"required": ["auth"],

	// Configuration passed to the validator unchanged.
	"config": {
	// Address of the host where the Tinode server is running. This will be used
	// in URLs in the email.
	"host_url": "http://localhost:6060/",

	// Address of the SMPT server to use.
	"smtp_server": "smtp.example.com",

	// SMTP port to use. "25" for basic email RFC 5321 (2821, 821), "587" for RFC 3207 (TLS).
	"smtp_port": "25",

	// Address to use for authentication and to show in From:
	"sender": "noreply@example.com",

	// Password of the sender.
	"sender_password": "your-password-here",

	// Message body template for credential validation. Uses http/template syntax.
	"validation_body_templ": "./templ/email-validation-body.templ",

	// Subject line for validation requests.
	"validation_subject": "Tinode registration: confirm email",

	// Message body template for password reset. Uses http/template syntax.
	"reset_body_templ": "./templ/email-password-reset.templ",

	// Subject line for password reset requests.
	"reset_subject": "Reset Tinode password",

	// Additional message headers (currently unused).
	"headers": [],

	// Allow this many confirmation attempts before blocking the credential.
	"max_retries": 4,

	// List of allowed email domains. Missing or empty list means any email domain is accepted.
	"domains": [],

	// Dummy response to accept. Remove the line in production.
	"debug_response": "123456"
	}
	},

	// Dummy placeholder validator for SMS and voice validation. Disabled by default.
	// Use something like twillio.com in production.
	"tel": {
	"add_to_tags": true,
	"config": {
	"template": "./templ/sms-validation.templ",
	"max_retries": 4,
	"debug_response": "123456"
	}
	}
	},

	// Configuration of push notifications.
	"push": [
	{
	// Notificator which writes to STDOUT. Useful for debugging.
	"name":"stdout",
	"config": {
	// Disabled.
	"enabled": false
	}
	},
	{
	// Google FCM notificator.
	"name":"fcm",
	"config": {
	// Disabled. Won't work without the server key anyway. See below.
	"enabled": false,

	// Number of notifications to keep before they start to be dropped.
	"buffer": 1024,

	// Firebase project ID.
	"project_id": "your-project-id",

	// Service account credentials as json.
	// See instructions how to download the service account credentials file:
	// https://cloud.google.com/iam/docs/creating-managing-service-account-keys
	// Then insert the file contents here. Yes, this is convoluted, but that's Google's fault.
	"credentials": {
	"type": "service_account",
	"project_id": "your-project-id",
	"private_key_id": "some-random-looking-hex-number",
	"private_key": "-----BEGIN PRIVATE KEY----- base64-encoded bits of your private key \n-----END PRIVATE KEY-----\n",
	"client_email": "firebase-adminsdk-abc123@your-project-id.iam.gserviceaccount.com",
	"client_id": "1234567890123456789",
	"auth_uri": "https://accounts.google.com/o/oauth2/auth",
	"token_uri": "https://oauth2.googleapis.com/token",
	"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
	"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-abc123%40your-project-id.iam.gserviceaccount.com"
	},

	// An alternative way to provide Firebase service account credentials.
	"credentials_file": "/path/to/service-account-file-with-credentials.json",

	// Time in seconds before notification is discarded if undelivered (by Google).
	"time_to_live": 3600,

	// Include Android Notification. Set to false to push a data-only message.
	"include_android_notification": false,

	// Android resource ID to use as a notification icon. Used only if include_android_notification=true.
	"icon": "ic_logo_push",

	// Notification color (Android). Used only if include_android_notification=true.
	"icon_color": "#3949AB"
	}
	}
	],

	// Cluster-mode configuration.
	"cluster_config": {
	// Name of this node. Can be assigned from the command line.
	// Empty string disables clustering.
	"self": "",

	// List of available nodes.
	"nodes": [
	// Name and TCP address of every node in the cluster. The ports 12001..12003
	// are cluster communication ports. They don't need to be exposed to clients.
	{"name": "one", "addr":"localhost:12001"},
	{"name": "two", "addr":"localhost:12002"},
	{"name": "three", "addr":"localhost:12003"}
	],

	// Failover config.
	"failover": {
	// Failover is enabled.
	"enabled": true,
	// Time in milliseconds between heartbeats.
	"heartbeat": 100,
	// Initiate leader election when the leader is not available for this many heartbeats.
	"vote_after": 8,
	// Consider node failed when it missed this many heartbeats.
	"node_fail_after": 16
	}
	},

	// Configuration of plugins
	"plugins": [
	{
	// Enable or disable this plugin.
	"enabled": false,

	// Name of the plugin, must be unique.
	"name": "python_chat_bot",

	// Timeout in microseconds.
	"timeout": 20000,

	// Events to send to the plugin.
	"filters": {
	// Account creation events.
	"account": "C"
	},

	// Error code to use in case flugin has failed.
	"failure_code": 0,

	// Text of an error message to report in case of plugin falure.
	"failure_text": null,

	// Address of the plugin.
	"service_addr": "tcp://localhost:40051"
	}
	]
	}