root@fxa:~/fxa-auth# cat config.yml
#! THIS FILE USING YTT(https://github.com/k14s/ytt/) FORMAT
#! this is a general config for all related stuffs
#@data/values
---
#! Once config.yml changed you should rerun ./init.sh to regenerate `dest`/docker-compose.yml
#! if PERSISTENCEPATH is relative, it relates to `dest`/docker-compose.yml
persistencepath: .
#! [WARNING] DO NOT DOWNGRADE WITHOUT A CLEAN DB SINCE SCHEMA CANNOT DOWNGRADE.
#! latest tested version is : v1.305.0
#! [NOTE] Pin mysql version to 8.4 to make server compatible with argument "mysql-native-password"
#! [NOTE] You could also try my (upgraded) syncserver3 in Python3, No data integrity guaranteed!
#! [NOTE] Since we use docker-compose-wait to build wait chain, so ./wait binary in dest folder is not necessary, you could delete it.
#! [WORKAROUND] patch fxa-auth-server https://github.com/mozilla/fxa/issues/16491
#! [NOTE] Although channelserver issue fixed , still using latest sha256 digest tag.
#! [NOTE] don't use fxa version between 1.250.x to 1.258.x, https://github.com/mozilla/fxa/issues/15320
#! [NOTE] from v1.242.4 mysql version upgrade to 8.0.16+
#! [WORKAROUND] we use method 2 to to resolve below issue
#! [ISSUE] cannot change avatar due to https://github.com/mozilla/fxa/pull/7972 -> checkAvatar -> we have same domain with monogramUrl's one. issue: https://github.com/mozilla/fxa/issues/12426
#! so either 1. use different domain like profile-img or 2. patch it
#! [WORKAROUND] add LASTACCESSTIME_UPDATES_SAMPLE_RATE=1 to make sync api/v1/account/devices not return 500. see https://github.com/mozilla/fxa/issues/12373
#! [ISSUE][RESOLVED] v1.222.0 db-migration db connection need not workaround now.
#! [WORKAROUD] v1.219.5 require smtp.user and smtp.pass (even not used) to make fxa-auth-server not send mail by AWS SES. (will cause a crash if AWS_ACCESS_KEY not set)
#! [WORKAROUD] v1.215.4 workaround for 1. graphql-api's internal connection to fxa-auth-server (see debug.full_self_sign_workaround) and 2. db-migration db connection.
#! [NOTE] from v1.215.2 mysql version upgrade to 5.7 . docker-compose requires supporting `service_completed_successfully`
#! [ISSUE][RESOLVED] v1.196.0 oauth.domain.local/config return 404 causing syncserver fail to start.; fixed in https://github.com/mozilla/fxa/pull/7204
#! [NOTE]from v1.192.0 all fxa docker's image are merge into mozilla/fxa-mono so it's a breaking change!
#! [ISSUE][RESOLVED] v1.172.0 500 error after new-signup connect-another-device page maybe caused by https://github.com/mozilla/fxa/commit/2f9729154 ; fixed in https://github.com/mozilla/fxa/pull/5477
#! [NOTE] v1.173+ change base docker image . missing key_*.json in fxa-auth-server so we change to branch br-v1.174.0 to apply breaking changes
#! by default we use tested version , using latest at your own risk.
fxa_version: "v1.305.0"
option:
sync:
#! set true to keep all your sync items not expired
neverexpire: true
#! for device pairing
channelserver:
enable: true
#! Since send is EOL , so use it at your own risk
send:
enable: false
settings:
#! settings are upperize to send ENV
#! [TODO] send android , client_id 20f7931c9054d833
fxa_client_id: "xxxxxxxxxxxxxxxxxxxxxxxxxxxx"
#![TODO] file_dir need volumes or not or ....
max_file_size:
#! for security and network bandwith/traffic sake , you'd better not allow annoymous user to use your send in the internet
#! see : https://www.zdnet.com/article/mozilla-suspends-firefox-send-service-while-it-addresses-malware-abuse/
#! see https://portswigger.net/daily-swig/firefox-send-suspended-amid-concern-over-malware-abuse
#! [NOTE] number 0 will be treated as false
anon_max_file_size: "0"
#! expire_times_seconds array format "a,b,c"
expire_times_seconds:
default_expire_seconds:
max_expire_seconds:
anon_max_expire_seconds:
max_downloads:
anon_max_downloads:
max_files_per_archive:
max_archives_per_user:
#! download_counts array format "a,b,c"
download_counts:
notes:
enable: false
settings:
#! client_id is a must , depends on what you set in https://github.com/mozilla/notes/src/background.js
#! client_id should equal to _init/auth/oauthserver-prod
client_id:
webext: #! sample: "a3dbd8c5a6fd93e2"
android: #! sample: "7f368c6886429f19"
#! According to https://blog.mozilla.org/addons/2020/07/09/changes-to-storage-sync-in-firefox-79/
#! since Firefox 79 ,it will use syncserver to replace kinto in webextension storage.sync API, so disabled by default
#! if you still want to use this , make about:config webextensions.storage.sync.kinto : true and webextensions.storage.sync.serverURL point to kinto domain name below
webext_storagesync:
enable: false
settings:
#! you shall not change this , "5882386c6d801776" means firefox
client_id: "5882386c6d801776"
#! [deprecated] fxa-oauth.clients.storagesync.client_id: "5882386c6d801776"
#! last tested 13.6.3
kinto_version: "latest"
#! [TODO] intergate with kinto
#! both with_notes and with_webext_storagesync need kinto server and it's postgres
#! see kinto usage https://wiki.mozilla.org/Firefox/Kinto
#! https://testpilot.settings.services.mozilla.com/v1/
#! client_id 5882386c6d801776 == firefox
#! https://webextensions.settings.services.mozilla.com/v1/
#! [TODO] make docker-compose.tmp.yml data.values.domain.name and etc reusable via define
#! domain name related stuff
domain:
#! base name
name: "xxx.domain.org"
#! for content-server
content: "www"
auth: "api"
oauth: "oauth"
#! for profile server
profile: "profile"
#! for syncserver
sync: "token"
#! for graphql-api
graphql: "graphql"
#! must if option.channelserver.enable == true
channelserver: "channelserver"
#! for firefox send
#! must if option.send.enable == true
send: "send"
#! for notes and webextension storage.sync
kinto: "kinto"
nginx:
#! port or ip/port or unix socket folder
#! for those who want to reverse proxy ( and then we do not a host resolver ,because we just proxy_pass ip/port )
#! can be a folder contains unix socket like "/var/run/fxa-selfhosing" with ssl = false and unix_socket = true-> socket filename is nginx.sock
#! make sure your reverse proxy have permission to access the folder.
listener: "80"
#! set to true is `listener` is a unix socket
unix_socket: false
#! if false certs are not required and another fxa_nossl.conf is used
#! set to false is `listener` is a unix socket
ssl: false
#! used if `ssl` is true
#!certs:
#! wild will only be used if detailed cert is not specified.
#! certs location is absoulte or related to `dest`/docker-compose.yml
#! cert can be self-signed with debug.full_self_sign_workaround: true. see more examples/full_selfsign.
#! wild:
#! cert: "./cert/wild.cer"
#! key: "./cert/wild.key"
#! content:
#! cert: "./cert/content.cer"
#! key: "./cert/content.key"
#! auth:
#! cert:
#! key:
#! oauth:
#! cert:
#! key:
#! profile:
#! cert:
#! key:
#! sync:
#! cert:
#! key:
#! channelserver:
#! cert:
#! key:
#! graphql:
#! cert:
#! key:
#! send:
#! cert:
#! key:
#! kinto:
#! cert:
#! key:
mail:
#! types are "localhelper" , "localrelay" ,"3rd"
#! smtp_user/smtp_pass is required for "localrelay" and "3rd" (can be any non-null string) even not used.
#! "localhelper" uses fxa-auth-local-mail-helper which self sending and receiving and smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure do not affect.
#! mails are stored in memory , remeber to clean them (by DELETE api or restart container)
#! "localrelay" use exim-sender and smtp_host/smtp_port/smtp_user/smtp_pass/smtp_secure do not affect.
#! "3rd" send mail to 3rd (like gmail etc)
type: "3rd"
#! for "3rd": refer to your mail service provider
smtp_host: "smtp.xxxxxxxxxx.org"
smtp_port: 587
smtp_user: "accounts@xxx.domain.org"
smtp_pass: "xxxxxxxxxxxxxxxxxxxxxxxxxxx"
smtp_secure:
#! if smtp_sender empty use "Firefox Accounts <no-reply@domain.name>" default
smtp_sender: "accounts@xxx.domain.org"
#! only for "localhelper"
#! web api
#!localhelper:
#! web: "127.0.0.1:9001"
#! Here we can add some custom OAuth Client
#! for example we add a OAuth Client which can read / write your sync data after granted by you
oauth:
clients:
#! [NOTE] DO NOT ENABLE BELOW IF NOT USED
#! - id: deadbeafdeadbeaf
#! #! hex secret xxxxxxxxxxxxxxxxxxxxxxxxxx
#! hashedSecret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#! name: SyncManager
#! imageUri: ''
#! #! if generate_redirectUri will automatic generate redircturi : https://{content}.{domain_name}/oauth/success/{id}
#! generate_redirectUri: true
#! redirectUri:
#! trusted: true
#! #! some explain https://github.com/mozilla/fxa/blob/96cbbccfaed1de93d556a2259554acfabeb4cbe5/packages/fxa-auth-server/lib/oauth/authorized_clients.js#L55
#! canGrant: true
#! publicClient: true
#! #! redirecturi will be add to contetserver.prod.tmp.yml if scope matches
#! #! allowedScopes is a space-seperated string
#! allowedScopes: https://identity.mozilla.com/apps/oldsync
secrets:
authsecret: "xxxxxxxxxxxxxxxxxxxxxxxxxx"
flowidkey: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
profileserver_authsecret_bearertoken: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
debug:
#! for register preverifed account , we need to set fxa-auth-server 's NODE_ENV not to be `prod`
#! see fxa-auth-server/lib/routes/account.js `delete routes[0].options.validate.payload.preVerified;`
auth_server_preverifed: false
deps_logs: false
#! make a e2e test compose file
#! require mail.type == localhelper
e2e_test:
enable: false
#! only used when full_self_sign_workaroud == true
root_cert:
#! workaroud for fxa-graphql-api with full self sign
#! if you want fxa-graphql-api communicate with fxa-auth-server internally , turn this `true`
#! [WARN] browserid-verifier will not work. Since BrowserID is deprecated, just do not use old browser or python `syncclient`
full_self_sign_workaround: false
#! Use a [python3 version syncserver](https://github.com/jackyzy823/syncserver3)
use_syncserver3: false
#! for old docker-compose binary backward compatibility
keep_compose_file_version_property: false