.\" Hey, EMACS: -*- nroff -*-
.\" (C) Copyright 2014-2017 WPIA Software Team <software@wpia.club>,
.TH GIGI.PROPERTIES 5 "March 21, 2017" WPIA
.\" Please adjust this date whenever revising the manpage.
gigi.properties \- Gigi configuration file
.I /etc/gigi.properties
contains the configuration for the WPIA
It is a Java properties file with \fIname=value\fR assignments and \fI# comment lines\fR.
The following options can be set:
The name of the main application, for example \fISomeCA\fR.
in a format suitable for inclusion in Internet domain names and HTTP URLs,
used in challenges to verify Internet domain name ownership via DNS or HTTP.
This identifier should be limited to lowercase ASCII letters, numbers and perhaps hyphens.
The main Internet domain name suffix of the application.
Used for administrative email addresses (e.g., \fIsupport@\fBname.suffix\fR)
and for all other domain names that are not explicitly specified (see \fBname.*\fR below).
Defaults to \fIwpia.local\fR.
The IP address that Gigi listens on, for example 127.0.0.1.
The port on which Gigi is reachable from outside via HTTP
(that is, the port it uses to refer to itself in hyperlinks),
and also the port on which Gigi listens unless
The port on which Gigi is reachable from outside via HTTPS
(that is, the port it uses to refer to itself in hyperlinks),
and also the port on which Gigi listens unless
The port on which Gigi listens for HTTP requests, or
to specify that Gigi has received a socket on file descriptor 0 (standard input)
which it should use for HTTP
.BR \%systemd.socket (5)
The port on which Gigi listens for HTTPS requests, or
to specify that Gigi has received a socket on file descriptor 0 (standard input)
which it should use for HTTPS
.BR \%systemd.socket (5)
Gigi expects to sit behind a proxy server that handles HTTPS,
The real client IP, real protocol and (if present) real client certificate
are expected to be transferred in the \fI\%X-Real-IP\fR, \fI\%X-Real-Proto\fR and \fI\%X-Client-Cert\fR HTTP headers.
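Because Gigi takes these three headers at face value, the proxy has to discard any copies the client sent and set them only from what it observed on the connection itself. The sketch below is an added example, not part of Gigi or of this manual page; the function names and the opaque certificate string are assumptions.

```python
TRUSTED = ("X-Real-IP", "X-Real-Proto", "X-Client-Cert")
RESERVED = {name.lower() for name in TRUSTED}


def upstream_headers(client_headers, peer_ip, proto, client_cert=None):
    """Build the header list the proxy forwards to Gigi.

    client_headers: (name, value) pairs exactly as received from the client.
    peer_ip, proto, client_cert: facts the proxy established itself; the
    certificate is an opaque string in whatever encoding the deployment uses.
    """
    # Header names are case-insensitive, so compare in lower case.
    out = [(n, v) for n, v in client_headers
           if n.strip().lower() not in RESERVED]
    out.append(("X-Real-IP", peer_ip))
    out.append(("X-Real-Proto", proto))
    # Without a verified certificate the header must be absent, even if
    # the client supplied one of its own.
    if client_cert is not None:
        out.append(("X-Client-Cert", client_cert))
    return out


def ambiguous_headers(headers):
    """Backend-side check: trusted header names that occur more than once."""
    seen = {}
    for name, _ in headers:
        key = name.strip().lower()
        if key in RESERVED:
            seen[key] = seen.get(key, 0) + 1
    return sorted(k for k, count in seen.items() if count > 1)


if __name__ == "__main__":
    # Constructed request: the client tries to pre-set two trusted headers.
    inbound = [("Host", "secure.example"),
               ("x-real-ip", "127.0.0.1"),
               ("X-Client-Cert", "client-supplied-value")]
    for name, value in upstream_headers(inbound, "203.0.113.7", "https"):
        print(name + ": " + value)
```

The backend port should also accept connections only from the proxy, otherwise the headers can be set by anyone who reaches Gigi directly.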
The JDBC driver used for connecting to the database.
As PostgreSQL is currently the only supported database,
the only value that really makes sense is \fI\%org.postgresql.Driver\fR.
The database URL that Gigi connects to,
for example \fI\%jdbc:postgresql://localhost/gigi\fR.
The user name that Gigi uses to connect to the database.
The password that Gigi uses to connect to the database.
The fully-qualified name of a Java class that Gigi uses to send emails.
The only value available in production is \fIclub.wpia.gigi.email.Sendmail\fR.
.B emailProvider.smtpHost
The host to which the
should try to connect.
Defaults to \fI\%localhost\fR.
.B emailProvider.smtpPort
The port to which the
should try to connect.
Defaults to \fI25\fR.
.B highFinancialValue
A path to a plain text file of Internet domain names, one per line,
which Gigi should refuse to issue certificates to.
.B time.testValidMonths
The maximum time, in months, for which a passed agent quiz is considered recent.
Defaults to \fI12\fR.
.B time.reverificationDays
The minimum time, in days, that needs to pass before a name can be verified by the same agent again.
Defaults to \fI90\fR.
.B time.verificationMaxAgeMonths
The maximum time, in months, for which a verification is considered recent.
Defaults to \fI24\fR.
.B time.verificationFreshMonths
The maximum time period, in months, in which a verification can be entered into the system after it took place.
Defaults to \fI39\fR.
.B time.emailPingMonths
The maximum time period, in months, in which an email address can be used to create client certificates
before it must be verified again.
Gigi will try to change to this user ID (see
after opening its communication sockets.
This allows Gigi to bind to privileged ports as the superuser
and then drop privileges and run as a normal user.
This should rarely be necessary: it is much safer to not start Gigi as superuser in the first place
and instead only run it with the \fBCAP_NET_BIND_SERVICE\fR capability (see
.BR \%capabilities (7)),
or to have a privileged parent process (for example
create the socket and pass it to Gigi (see
.BR \%http.bindPort ).
are both \fI-1\fR, this mechanism is disabled.
Defaults to \fI65534\fR, the user ID of the \fInobody\fR user on Debian GNU/Linux systems.
Gigi will try to change to this group ID (see
after opening its communication sockets.
Defaults to \fI65534\fR.
The parameters to the scrypt password hashing function.
Defaults to \fI14;8;1\fR.
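What a value of this shape costs per password check, as an added example that is not Gigi's own code. It assumes the three fields are log2(N), r and p in that order, which this page does not state; the function names are hypothetical.

```python
import hashlib
import hmac
import os


def parse_scrypt_params(value):
    """Parse an 'a;b;c' value such as the default '14;8;1'.

    Assumption: the fields are log2(N), r and p, in that order.
    """
    parts = value.split(";")
    if len(parts) != 3:
        raise ValueError("expected three ';'-separated integers")
    log_n, r, p = (int(x) for x in parts)
    if not 1 <= log_n <= 30 or r < 1 or p < 1:
        raise ValueError("parameter out of range")
    if r * p >= 2 ** 30:
        raise ValueError("r * p must stay below 2^30 (RFC 7914)")
    return 2 ** log_n, r, p


def memory_bytes(n, r, p):
    """Dominant scrypt working set: 128 * r * (N + p) bytes."""
    return 128 * r * (n + p)


def hash_password(password, salt, value):
    """Derive a 32-byte hash using the parameters encoded in value."""
    n, r, p = parse_scrypt_params(value)
    # Allow twice the estimate so the library's own bookkeeping fits.
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=2 * memory_bytes(n, r, p), dklen=32)


def verify_password(password, salt, value, expected):
    """Constant-time comparison against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt, value), expected)


if __name__ == "__main__":
    n, r, p = parse_scrypt_params("14;8;1")
    print("N=%d r=%d p=%d, about %.1f MiB per hash"
          % (n, r, p, memory_bytes(n, r, p) / 2 ** 20))
    salt = os.urandom(16)  # constructed sample input
    stored = hash_password(b"constructed sample password", salt, "14;8;1")
    print(verify_password(b"constructed sample password", salt, "14;8;1", stored))
```

Changing the setting changes the derived hash for the same password and salt, so stored hashes can only be checked with the parameters they were created with.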
The Internet domain name for the main application, served both via HTTP and HTTPS.
Defaults to \fI\%www.\fBname.suffix\fR.
The Internet domain name for the forced-secure version of the application.
Gigi only serves this domain via HTTPS,
and requires authentication via a client certificate.
Defaults to \fI\%secure.\fBname.suffix\fR.
The Internet domain name for static resources,
like CSS style sheets and JS resources.
Defaults to \fI\%static.\fBname.suffix\fR.
The Internet domain name for the Gigi API,
which is used to issue certificates and receive quiz results.
Defaults to \fI\%api.\fBname.suffix\fR.
The Internet domain name of a link redirector service.
Gigi does not provide this service itself,
but links to it as a place for external documentation.
Defaults to \fI\%link.\fBname.suffix\fR.
The Internet domain name of a server that hosts a certificate repository
containing the certificates generated during the NRE procedure.
This service is also not provided by Gigi.
Defaults to \fI\%g2.crt.\fBname.suffix\fR.