fix: corrected layout of table after bootstrap update

[gigi.git] / debian / gigi.properties.5

.\"                                      Hey, EMACS: -*- nroff -*-
.\" (C) Copyright 2014-2017 WPIA Software Team <software@wpia.club>,
.\"
.TH GIGI.PROPERTIES 5 "March 21, 2017" WPIA
.\" Please adjust this date whenever revising the manpage.
.SH NAME
gigi.properties \- Gigi configuration file
.SH SYNOPSIS
.I /etc/gigi.properties
.SH DESCRIPTION
The file
.I gigi.properties
contains the configuration for the WPIA
.BR gigi (1)
system.
It is a Java properties file with \fIname=value\fR assignments and \fI# comment lines\fR.

The following options can be set:
.TP
.B appName
The name of the main application, for example \fISomeCA\fR.
.TP
.B appIdentifier
The
.B \%appName
in a format suitable for inclusion in Internet domain names and HTTP URLs,
used in challenges to verify Internet domain name ownership via DNS or HTTP.
This identifier should be limited to lowercase ASCII letters, numbers and perhaps hyphens.
.TP
.B name.suffix
The main Internet domain name suffix of the application.
Used for administrative email addresses (e.g., \fIsupport@\fBname.suffix\fR)
and for all other domain names that are not explicitly specified (see \fBname.*\fR below).
Defaults to \fIwpia.local\fR.
.TP
.B host
The IP address that Gigi listens on, for example 127.0.0.1.
.TP
.B http.port
The port on which Gigi is reachable from outside via HTTP
(that is, the port it uses to refer to itself in hyperlinks),
and also the port on which Gigi listens unless
.B \%http.bindPort
is specified.
Usually 80.
.TP
.B https.port
The port on which Gigi is reachable from outside via HTTPS
(that is, the port it uses to refer to itself in hyperlinks),
and also the port on which Gigi listens unless
.B \%https.bindPort
is specified.
Usually 443.
.TP
.B http.bindPort
The port on which Gigi listens for HTTP requests, or
.IR stdin
to specify that Gigi has received a socket on file descriptor 0 (standard input)
which it should use for HTTP
(for example, via
.BR \%systemd.socket (5)
or
.BR inetd (1)).
.TP
.B https.bindPort
The port on which Gigi listens for HTTPS requests, or
.IR stdin
to specify that Gigi has received a socket on file descriptor 0 (standard input)
which it should use for HTTPS
(for example, via
.BR \%systemd.socket (5)
or
.BR inetd (1)).
Not used if
.B \%proxy
is
.IR true .
.TP
.B proxy
If
.IR true ,
Gigi expects to sit behind a proxy server that handles HTTPS,
for example
.BR \%apache2 (8)
or
.BR \%nginx (1).
The real client IP, real protocol and (if present) real client certificate
are expected to be transferred in the \fI\%X-Real-IP\fR, \fI\%X-Real-Proto\fR and \fI\%X-Client-Cert\fR HTTP headers.
.B \%https.bindPort
is not used.
.TP
.B sql.driver
The JDBC driver used for connecting to the database.
As PostgreSQL is currently the only supported database,
the only value that really makes sense is \fI\%org.postgresql.Driver\fR.
.TP
.B sql.url
The database URL that Gigi connects to,
for example \fI\%jdbc:postgresql://localhost/gigi\fR.
.TP
.B sql.user
The user name that Gigi uses to connect to the database.
.TP
.B sql.password
The password that Gigi uses to connect to the database.
.TP
.B emailProvider
The fully-qualified name of a Java class that Gigi uses to send emails.
The only value available in production is \fIclub.wpia.gigi.email.Sendmail\fR.
.TP
.B emailProvider.smtpHost
The host to which the
.B \%emailProvider
should try to connect.
Defaults to \fI\%localhost\fR.
.TP
.B emailProvider.smtpPort
The port to which the
.B \%emailProvider
should try to connect.
Defaults to \fI25\fR.
.TP
.B highFinancialValue
A path to a plain text file of Internet domain names, one per line,
which Gigi should refuse to issue certificates to.
.TP
.B knownPasswordHashes
A path to a file of SHA-1 hashes of known passwords.
The file should contain the hashes in binary format, without any separators, and should be sorted.
Gigi will refuse user passwords with hashes that are found in this file.
If this option is specified, Gigi will refuse startup if the file cannot be opened,
otherwise it will attempt to use the file
.I /usr/share/pwned-passwords/pwned-passwords.bin
(provided by the \fBpwned-passwords-bin\fR package)
but continue startup if the file cannot be opened.
.TP
.B time.testValidMonths
The maximum time, in months, for which a passed agent quiz is considered recent.
Defaults to \fI12\fR.
.TP
.B time.reverificationDays
The minimum time, in days, that needs to pass before a name can be verified by the same agent again.
Defaults to \fI90\fR.
.TP
.B time.verificationMaxAgeMonths
The maximum time, in months, for which a verification is considered recent.
Defaults to \fI24\fR.
.TP
.B time.verificationFreshMonths
The maximum time period, in months, in which a verification can be entered into the system after it took place.
Defaults to \fI39\fR.
.TP
.B time.emailPingMonths
The maximum time period, in months, in which an email address can be used to create client certificates
before it must be verified again.
Defaults to \fI6\fR.
.TP
.B gigi.uid
Gigi will try to change to this user ID (see
.BR \%setuid (2))
after opening its communication sockets.
This allows Gigi to bind to privileged ports as the superuser
and then drop privileges and run as a normal user.
This should rarely be necessary: it is much safer to not start Gigi as superuser in the first place
and instead only run it with the \fBCAP_NET_BIND_SERVICE\fR capability (see
.BR \%capabilities (7)),
or to have a privileged parent process (for example
.BR \%systemd (1))
create the socket and pass it to Gigi (see
.BR \%http.bindPort ).
If
.B \%gigi.uid
and
.B \%gigi.gid
are both \fI-1\fR, this mechanism is disabled.
Defaults to \fI65534\fR, the user ID of the \fInobody\fR user on Debian GNU/Linux systems.
.TP
.B gigi.gid
Analogous to
.BR \%gigi.uid :
Gigi will try to change to this group ID (see
.BR \%setgid (2))
after opening its communication sockets.
Defaults to \fI65534\fR.
.TP
.B scrypt.params
The parameters to the scrypt password hashing function.
Defaults to \fI14;8;1\fR.
.TP
.B name.www
The Internet domain name for the main application, served both via HTTP and HTTPS.
Defaults to \fI\%www.\fBname.suffix\fR.
.TP
.B name.secure
The Internet domain name for the forced-secure version of the application.
Gigi only serves this domain via HTTPS,
and requires authentication via a client certificate.
Defaults to \fI\%secure.\fBname.suffix\fR.
.TP
.B name.static
The Internet domain name for static resources,
like CSS style sheets and JS resources.
Defaults to \fI\%static.\fBname.suffix\fR.
.TP
.B name.api
The Internet domain name for the Gigi API,
which is used to issue certificates and receive quiz results.
Defaults to \fI\%api.\fBname.suffix\fR.
.TP
.B name.link
The Internet domain name of a link redirector service.
Gigi does not provide this service itself,
but links to it as a place for external documentation.
Defaults to \fI\%link.\fBname.suffix\fR.
.TP
.B name.g2.crt
The Internet domain name of a server that hosts a certificate repository
containing the certificates generated during the NRE procedure.
This service is also not provided by Gigi.
Defaults to \fI\%g2.crt.\fBname.suffix\fR.
.SH SEE ALSO
.BR gigi (1)