[server]
|
|
# Public hostname of the PDS (e.g. `pds.example.com`).
|
|
#
|
|
# Can also be specified via environment variable `PDS_HOSTNAME`.
|
|
#
|
|
# Required! This value must be specified.
|
|
#hostname =
|
|
|
|
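# Address to bind the HTTP server to. The default listens on loopback only,
# which suits a deployment behind a local reverse proxy; a non-loopback
# address such as `0.0.0.0` exposes the listener directly to the network.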
|
|
#
|
|
# Can also be specified via environment variable `SERVER_HOST`.
|
|
#
|
|
# Default value: "127.0.0.1"
|
|
#host = "127.0.0.1"
|
|
|
|
# Port to bind the HTTP server to.
|
|
#
|
|
# Can also be specified via environment variable `SERVER_PORT`.
|
|
#
|
|
# Default value: 3000
|
|
#port = 3000
|
|
|
|
# List of domains for user handles.
|
|
# Defaults to the PDS hostname when not set.
|
|
#
|
|
# Can also be specified via environment variable `PDS_USER_HANDLE_DOMAINS`.
|
|
#user_handle_domains =
|
|
|
|
# List of domains available for user registration.
|
|
# Defaults to the PDS hostname when not set.
|
|
#
|
|
# Can also be specified via environment variable `AVAILABLE_USER_DOMAINS`.
|
|
#available_user_domains =
|
|
|
|
# Enable PDS-hosted did:web identities. Hosting did:web requires a
|
|
# long-term commitment to serve DID documents; opt-in only.
|
|
#
|
|
# Can also be specified via environment variable `ENABLE_PDS_HOSTED_DID_WEB`.
|
|
#
|
|
# Default value: false
|
|
#enable_pds_hosted_did_web = false
|
|
|
|
# When set to true, skip age-assurance birthday prompt for all accounts.
|
|
#
|
|
# Can also be specified via environment variable `PDS_AGE_ASSURANCE_OVERRIDE`.
|
|
#
|
|
# Default value: false
|
|
#age_assurance_override = false
|
|
|
|
# Require an invite code for new account registration.
|
|
#
|
|
# Can also be specified via environment variable `INVITE_CODE_REQUIRED`.
|
|
#
|
|
# Default value: true
|
|
#invite_code_required = true
|
|
|
|
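# Allow HTTP (non-TLS) proxy requests. Only useful during development:
# traffic proxied over plain HTTP can be read or altered in transit, so
# leave this `false` in production.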
|
|
#
|
|
# Can also be specified via environment variable `ALLOW_HTTP_PROXY`.
|
|
#
|
|
# Default value: false
|
|
#allow_http_proxy = false
|
|
|
|
# Disable all rate limiting. Should only be used in testing.
|
|
#
|
|
# Can also be specified via environment variable `DISABLE_RATE_LIMITING`.
|
|
#
|
|
# Default value: false
|
|
#disable_rate_limiting = false
|
|
|
|
# List of additional banned words for handle validation.
|
|
#
|
|
# Can also be specified via environment variable `PDS_BANNED_WORDS`.
|
|
#banned_words =
|
|
|
|
# URL to a privacy policy page.
|
|
#
|
|
# Can also be specified via environment variable `PRIVACY_POLICY_URL`.
|
|
#privacy_policy_url =
|
|
|
|
# URL to terms of service page.
|
|
#
|
|
# Can also be specified via environment variable `TERMS_OF_SERVICE_URL`.
|
|
#terms_of_service_url =
|
|
|
|
# Operator contact email address.
|
|
#
|
|
# Can also be specified via environment variable `CONTACT_EMAIL`.
|
|
#contact_email =
|
|
|
|
# Maximum allowed blob size in bytes (default 10 GiB).
|
|
#
|
|
# Can also be specified via environment variable `MAX_BLOB_SIZE`.
|
|
#
|
|
# Default value: 10737418240
|
|
#max_blob_size = 10737418240
|
|
|
|
[database]
|
|
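# PostgreSQL connection URL. It normally embeds the database password, so
# prefer the environment variable or restrict read access to this file.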
|
|
#
|
|
# Can also be specified via environment variable `DATABASE_URL`.
|
|
#
|
|
# Required! This value must be specified.
|
|
#url =
|
|
|
|
# Maximum number of connections in the pool.
|
|
#
|
|
# Can also be specified via environment variable `DATABASE_MAX_CONNECTIONS`.
|
|
#
|
|
# Default value: 100
|
|
#max_connections = 100
|
|
|
|
# Minimum number of idle connections kept in the pool.
|
|
#
|
|
# Can also be specified via environment variable `DATABASE_MIN_CONNECTIONS`.
|
|
#
|
|
# Default value: 10
|
|
#min_connections = 10
|
|
|
|
# Timeout in seconds when acquiring a connection from the pool.
|
|
#
|
|
# Can also be specified via environment variable `DATABASE_ACQUIRE_TIMEOUT_SECS`.
|
|
#
|
|
# Default value: 10
|
|
#acquire_timeout_secs = 10
|
|
|
|
[secrets]
|
|
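# Secret used for signing JWTs. Must be at least 32 characters in
# production. Anyone who learns it can sign tokens the server will accept,
# so use a randomly generated value that is not shared with `dpop_secret`
# or `master_key`, and keep it out of version control.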
|
|
#
|
|
# Can also be specified via environment variable `JWT_SECRET`.
|
|
#jwt_secret =
|
|
|
|
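# Secret used for DPoP proof validation. Must be at least 32 characters
# in production. Generate it randomly and independently of the other
# secrets in this section, and keep it out of version control.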
|
|
#
|
|
# Can also be specified via environment variable `DPOP_SECRET`.
|
|
#dpop_secret =
|
|
|
|
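# Master key used for key-encryption and HKDF derivation. Must be at
# least 32 characters in production. Generate it randomly, store it
# outside version control, and keep a secure backup: data protected by
# keys derived from it presumably cannot be recovered without it.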
|
|
#
|
|
# Can also be specified via environment variable `MASTER_KEY`.
|
|
#master_key =
|
|
|
|
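# PLC rotation key (DID key). If not set, user-level keys are used.
# NOTE(review): this comment does not say whether the value is private key
# material or a public `did:key`; confirm before deciding how to store it.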
|
|
#
|
|
# Can also be specified via environment variable `PLC_ROTATION_KEY`.
|
|
#plc_rotation_key =
|
|
|
|
# Allow insecure/test secrets. NEVER enable in production.
|
|
#
|
|
# Can also be specified via environment variable `TRANQUIL_PDS_ALLOW_INSECURE_SECRETS`.
|
|
#
|
|
# Default value: false
|
|
#allow_insecure = false
|
|
|
|
[storage]
|
|
# Storage backend: `filesystem` or `s3`.
|
|
#
|
|
# Can also be specified via environment variable `BLOB_STORAGE_BACKEND`.
|
|
#
|
|
# Default value: "filesystem"
|
|
#backend = "filesystem"
|
|
|
|
# Path on disk for the filesystem blob backend.
|
|
#
|
|
# Can also be specified via environment variable `BLOB_STORAGE_PATH`.
|
|
#
|
|
# Default value: "/var/lib/tranquil-pds/blobs"
|
|
#path = "/var/lib/tranquil-pds/blobs"
|
|
|
|
# S3 bucket name for blob storage.
|
|
#
|
|
# Can also be specified via environment variable `S3_BUCKET`.
|
|
#s3_bucket =
|
|
|
|
# Custom S3 endpoint URL (for MinIO, R2, etc.).
|
|
#
|
|
# Can also be specified via environment variable `S3_ENDPOINT`.
|
|
#s3_endpoint =
|
|
|
|
[cache]
|
|
# Cache backend: `ripple` (default, built-in gossip) or `valkey`.
|
|
#
|
|
# Can also be specified via environment variable `CACHE_BACKEND`.
|
|
#
|
|
# Default value: "ripple"
|
|
#backend = "ripple"
|
|
|
|
# Valkey / Redis connection URL. Required when `backend = "valkey"`.
# If the URL carries a password, prefer the environment variable.
|
|
#
|
|
# Can also be specified via environment variable `VALKEY_URL`.
|
|
#valkey_url =
|
|
|
|
[cache.ripple]
|
|
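# Address to bind the Ripple gossip protocol listener. The default
# `0.0.0.0` listens on every interface; on hosts reachable from untrusted
# networks, bind to a private address or firewall the port to known peers.
# Port `0` normally means an OS-assigned port, so set a fixed port if you
# need stable firewall rules.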
|
|
#
|
|
# Can also be specified via environment variable `RIPPLE_BIND`.
|
|
#
|
|
# Default value: "0.0.0.0:0"
|
|
#bind_addr = "0.0.0.0:0"
|
|
|
|
# List of seed peer addresses.
|
|
#
|
|
# Can also be specified via environment variable `RIPPLE_PEERS`.
|
|
#peers =
|
|
|
|
# Unique machine identifier. Auto-derived from hostname when not set.
|
|
#
|
|
# Can also be specified via environment variable `RIPPLE_MACHINE_ID`.
|
|
#machine_id =
|
|
|
|
# Gossip protocol interval in milliseconds.
|
|
#
|
|
# Can also be specified via environment variable `RIPPLE_GOSSIP_INTERVAL_MS`.
|
|
#
|
|
# Default value: 200
|
|
#gossip_interval_ms = 200
|
|
|
|
# Maximum cache size in megabytes.
|
|
#
|
|
# Can also be specified via environment variable `RIPPLE_CACHE_MAX_MB`.
|
|
#
|
|
# Default value: 256
|
|
#cache_max_mb = 256
|
|
|
|
[plc]
|
|
# Base URL of the PLC directory.
|
|
#
|
|
# Can also be specified via environment variable `PLC_DIRECTORY_URL`.
|
|
#
|
|
# Default value: "https://plc.directory"
|
|
#directory_url = "https://plc.directory"
|
|
|
|
# HTTP request timeout in seconds.
|
|
#
|
|
# Can also be specified via environment variable `PLC_TIMEOUT_SECS`.
|
|
#
|
|
# Default value: 10
|
|
#timeout_secs = 10
|
|
|
|
# TCP connect timeout in seconds.
|
|
#
|
|
# Can also be specified via environment variable `PLC_CONNECT_TIMEOUT_SECS`.
|
|
#
|
|
# Default value: 5
|
|
#connect_timeout_secs = 5
|
|
|
|
# Seconds to cache DID documents in memory.
|
|
#
|
|
# Can also be specified via environment variable `DID_CACHE_TTL_SECS`.
|
|
#
|
|
# Default value: 300
|
|
#did_cache_ttl_secs = 300
|
|
|
|
[firehose]
|
|
# Size of the in-memory broadcast buffer for firehose events.
|
|
#
|
|
# Can also be specified via environment variable `FIREHOSE_BUFFER_SIZE`.
|
|
#
|
|
# Default value: 10000
|
|
#buffer_size = 10000
|
|
|
|
# How many hours of historical events to replay for cursor-based
|
|
# firehose connections.
|
|
#
|
|
# Can also be specified via environment variable `FIREHOSE_BACKFILL_HOURS`.
|
|
#
|
|
# Default value: 72
|
|
#backfill_hours = 72
|
|
|
|
# Maximum number of lagged events before disconnecting a slow consumer.
|
|
#
|
|
# Can also be specified via environment variable `FIREHOSE_MAX_LAG`.
|
|
#
|
|
# Default value: 5000
|
|
#max_lag = 5000
|
|
|
|
# List of relay / crawler notification URLs.
|
|
#
|
|
# Can also be specified via environment variable `CRAWLERS`.
|
|
#crawlers =
|
|
|
|
[email]
|
|
# Sender email address. When unset, email sending is disabled.
|
|
#
|
|
# Can also be specified via environment variable `MAIL_FROM_ADDRESS`.
|
|
#from_address =
|
|
|
|
# Display name used in the `From` header.
|
|
#
|
|
# Can also be specified via environment variable `MAIL_FROM_NAME`.
|
|
#
|
|
# Default value: "Tranquil PDS"
|
|
#from_name = "Tranquil PDS"
|
|
|
|
# Path to the `sendmail` binary.
|
|
#
|
|
# Can also be specified via environment variable `SENDMAIL_PATH`.
|
|
#
|
|
# Default value: "/usr/sbin/sendmail"
|
|
#sendmail_path = "/usr/sbin/sendmail"
|
|
|
|
[discord]
|
|
# Discord bot token. When unset, Discord integration is disabled.
|
|
#
|
|
# Can also be specified via environment variable `DISCORD_BOT_TOKEN`.
|
|
#bot_token =
|
|
|
|
[telegram]
|
|
# Telegram bot token. When unset, Telegram integration is disabled.
|
|
#
|
|
# Can also be specified via environment variable `TELEGRAM_BOT_TOKEN`.
|
|
#bot_token =
|
|
|
|
# Secret token for incoming webhook verification.
|
|
#
|
|
# Can also be specified via environment variable `TELEGRAM_WEBHOOK_SECRET`.
|
|
#webhook_secret =
|
|
|
|
[signal]
|
|
# Enable the Signal integration. Protocol state is stored in PostgreSQL's
# `signal_*` tables. Link a device via the admin API before enabling.
|
|
#
|
|
# Can also be specified via environment variable `SIGNAL_ENABLED`.
|
|
#enabled = false
|
|
|
|
[notifications]
|
|
# Polling interval in milliseconds for the comms queue.
|
|
#
|
|
# Can also be specified via environment variable `NOTIFICATION_POLL_INTERVAL_MS`.
|
|
#
|
|
# Default value: 1000
|
|
#poll_interval_ms = 1000
|
|
|
|
# Number of notifications to process per batch.
|
|
#
|
|
# Can also be specified via environment variable `NOTIFICATION_BATCH_SIZE`.
|
|
#
|
|
# Default value: 100
|
|
#batch_size = 100
|
|
|
|
[sso]
|
|
[sso.github]
|
|
# Can also be specified via environment variable `SSO_GITHUB_ENABLED`.
|
|
# Default value: false
|
|
#enabled = false
|
|
|
|
# Can also be specified via environment variable `SSO_GITHUB_CLIENT_ID`.
|
|
#client_id =
|
|
|
|
# Can also be specified via environment variable `SSO_GITHUB_CLIENT_SECRET`.
|
|
#client_secret =
|
|
|
|
# Can also be specified via environment variable `SSO_GITHUB_DISPLAY_NAME`.
|
|
#display_name =
|
|
|
|
[sso.discord]
|
|
# Can also be specified via environment variable `SSO_DISCORD_ENABLED`.
|
|
# Default value: false
|
|
#enabled = false
|
|
|
|
# Can also be specified via environment variable `SSO_DISCORD_CLIENT_ID`.
|
|
#client_id =
|
|
|
|
# Can also be specified via environment variable `SSO_DISCORD_CLIENT_SECRET`.
|
|
#client_secret =
|
|
|
|
# Can also be specified via environment variable `SSO_DISCORD_DISPLAY_NAME`.
|
|
#display_name =
|
|
|
|
[sso.google]
|
|
# Can also be specified via environment variable `SSO_GOOGLE_ENABLED`.
|
|
# Default value: false
|
|
#enabled = false
|
|
|
|
# Can also be specified via environment variable `SSO_GOOGLE_CLIENT_ID`.
|
|
#client_id =
|
|
|
|
# Can also be specified via environment variable `SSO_GOOGLE_CLIENT_SECRET`.
|
|
#client_secret =
|
|
|
|
# Can also be specified via environment variable `SSO_GOOGLE_DISPLAY_NAME`.
|
|
#display_name =
|
|
|
|
[sso.gitlab]
|
|
# Can also be specified via environment variable `SSO_GITLAB_ENABLED`.
|
|
# Default value: false
|
|
#enabled = false
|
|
|
|
# Can also be specified via environment variable `SSO_GITLAB_CLIENT_ID`.
|
|
#client_id =
|
|
|
|
# Can also be specified via environment variable `SSO_GITLAB_CLIENT_SECRET`.
|
|
#client_secret =
|
|
|
|
# Can also be specified via environment variable `SSO_GITLAB_ISSUER`.
|
|
#issuer =
|
|
|
|
# Can also be specified via environment variable `SSO_GITLAB_DISPLAY_NAME`.
|
|
#display_name =
|
|
|
|
[sso.oidc]
|
|
# Can also be specified via environment variable `SSO_OIDC_ENABLED`.
|
|
# Default value: false
|
|
#enabled = false
|
|
|
|
# Can also be specified via environment variable `SSO_OIDC_CLIENT_ID`.
|
|
#client_id =
|
|
|
|
# Can also be specified via environment variable `SSO_OIDC_CLIENT_SECRET`.
|
|
#client_secret =
|
|
|
|
# Can also be specified via environment variable `SSO_OIDC_ISSUER`.
|
|
#issuer =
|
|
|
|
# Can also be specified via environment variable `SSO_OIDC_DISPLAY_NAME`.
|
|
#display_name =
|
|
|
|
[sso.apple]
|
|
# Can also be specified via environment variable `SSO_APPLE_ENABLED`.
|
|
# Default value: false
|
|
#enabled = false
|
|
|
|
# Can also be specified via environment variable `SSO_APPLE_CLIENT_ID`.
|
|
#client_id =
|
|
|
|
# Can also be specified via environment variable `SSO_APPLE_TEAM_ID`.
|
|
#team_id =
|
|
|
|
# Can also be specified via environment variable `SSO_APPLE_KEY_ID`.
|
|
#key_id =
|
|
|
|
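# Private key for the Apple SSO provider. This is key material: prefer the
# environment variable or a secrets store over keeping it in this file.
#
# Can also be specified via environment variable `SSO_APPLE_PRIVATE_KEY`.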
|
|
#private_key =
|
|
|
|
[moderation]
|
|
# External report-handling service URL.
|
|
#
|
|
# Can also be specified via environment variable `REPORT_SERVICE_URL`.
|
|
#report_service_url =
|
|
|
|
# DID of the external report-handling service.
|
|
#
|
|
# Can also be specified via environment variable `REPORT_SERVICE_DID`.
|
|
#report_service_did =
|
|
|
|
[import]
|
|
# Whether the PDS accepts repo imports.
|
|
#
|
|
# Can also be specified via environment variable `ACCEPTING_REPO_IMPORTS`.
|
|
#
|
|
# Default value: true
|
|
#accepting = true
|
|
|
|
# Maximum allowed import archive size in bytes (default 1 GiB).
|
|
#
|
|
# Can also be specified via environment variable `MAX_IMPORT_SIZE`.
|
|
#
|
|
# Default value: 1073741824
|
|
#max_size = 1073741824
|
|
|
|
# Maximum number of blocks allowed in an import.
|
|
#
|
|
# Can also be specified via environment variable `MAX_IMPORT_BLOCKS`.
|
|
#
|
|
# Default value: 500000
|
|
#max_blocks = 500000
|
|
|
|
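# Skip CAR verification during import. Only for development/debugging:
# with this enabled, imported archives are accepted without being verified,
# so leave it `false` in production.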
|
|
#
|
|
# Can also be specified via environment variable `SKIP_IMPORT_VERIFICATION`.
|
|
#
|
|
# Default value: false
|
|
#skip_verification = false
|
|
|
|
[scheduled]
|
|
# Interval in seconds between scheduled delete checks.
|
|
#
|
|
# Can also be specified via environment variable `SCHEDULED_DELETE_CHECK_INTERVAL_SECS`.
|
|
#
|
|
# Default value: 3600
|
|
#delete_check_interval_secs = 3600
|