# OneGov Cloud Example Configuration
# ----------------------------------
# Mail queues
#
# Every queue needs a directory of its own. Queues that share a directory
# make no attempt to split up or balance the load between each other.
# The app config refers to a queue through its YAML anchor/alias.
mail_queues:

  # The Postmark mailer picks the MessageStream from the mail category.
  # 'transactional' is currently transformed to 'outbound', i.e. the
  # default stream, so the same queue can serve both categories.
  # postmark: &postmark
  #   mailer: postmark
  #   token: postmark-server-token
  #   directory: '/usr/local/var/onegov/mail/postmark'

  # The SMTP mailer ignores the mail category. Separate SMTP servers for
  # separate categories therefore need separate queues.
  local_smtp: &local_smtp
    mailer: smtp
    directory: '/usr/local/var/onegov/mail/smtp'
    # localhost:1025 without TLS or credentials looks like a local
    # development relay; review force_tls, username and password before
    # pointing this queue at a remote server.
    host: localhost
    port: 1025
    force_tls: false
    username: null
    password: null
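# The following block is shared with all applications below, though each
# application may override any or all values.
configuration: &global-config

  # OneGov only accepts requests with URLs matching the following expression,
  # in addition to localhost, which is always allowed.
  #
  # The dot in front of the TLD group is escaped so that it matches a literal
  # '.' only. NOTE(review): the expression has no end anchor; confirm whether
  # the server applies it as a prefix or a full match (and whether the host
  # value carries a port) before appending '$'.
  allowed_hosts_expression: '^[a-z0-9-\.]+\.(dev|test|io)'

  # Additional exceptions to the host expression can be listed one by one
  # here (those are not expressions, but full host names)
  # allowed_hosts:
  #   - example.org

  # The DSN of the postgres server in use. The database has to exist and
  # onegov processes must have access. To create the db in the following
  # example, you can simply use 'createdb onegov' on a host with postgres
  # installed.
  dsn: postgresql://localhost:5432/onegov

  # Set this to true for production deployments. It ensures that cookies are
  # only sent over a secure connection (TLS)
  identity_secure: false

  # The secrets with which cookie identities and CSRF tokens are created.
  #
  # If not given, a random secret will be created every time the host reboots.
  # Has to be different for each application and should be configured
  # explicitly on production systems. The values below are placeholders.
  #
  # identity_secret: very-secret-key
  # csrf_secret: another-very-secret-key

  # OneGov knows two kinds of file storage. The first is called 'filestorage'
  # and it only supports very simple storage without links to the database.
  filestorage: fs.osfs.OSFS
  filestorage_options:
    root_path: '/usr/local/var/onegov/files'
    create: true
    # Unquoted literal with a leading zero: YAML 1.1 loaders read it as
    # octal (493, i.e. rwxr-xr-x), YAML 1.2 loaders as decimal 755.
    # NOTE(review): confirm which loader reads this file.
    dir_mode: 0755

  # The second kind of storage is depot, which is linked with the database,
  # is used more often and is the default for new deployments
  depot_backend: 'depot.io.local.LocalFileStorage'
  depot_storage_path: '/usr/local/var/onegov/depot'

  # Theme compilation is quick and in development it is possible to always
  # compile the theme on every request.
  always_compile_theme: false

  # Some browsers send a special header when a user clicks on refresh while
  # holding down shift. The following setting will recompile themes whenever
  # that happens.
  allow_shift_f5_compile: true

  # OneGov keeps track of queries run against postgres and reports the
  # redundant ones when 'redundant' is selected. Other possible values are
  # 'all' and 'summary', to either get a print of all queries or just the
  # number of queries. Either comment out or set to False to disable reporting.
  sql_query_report: summary

  # If this is set to true, each request will create a cprofile in the
  # profiles folder. This slows down requests significantly.
  profile: false

  # Configures signing services (digital PDF signing), can be left out
  # signing_services: './signing-services'

  # Configures sentry tracebacks, usually only used in production or if
  # the sentry integration needs to be tested.
  # sentry_dsn: https://foo@sentry.io/bar

  # OneGov distinguishes two sorts of mail: transactional, non-spammy e-mail
  # and marketing e-mail. The two can have different configurations.
  # Each mail config can write to one of the mail_queues defined in
  # global scope. This could all be the same queue. Use *aliases
  # to refer to the mail queue &anchors declared above.
  mail:
    transactional:
      sender: service@onegovcloud.ch
      <<: *local_smtp
    marketing:
      sender: newsletters@onegovcloud.ch
      <<: *local_smtp

  # SMS delivery works a little differently from mail delivery: from the
  # outset we assume that each schema has its own queue with its own ASPSM
  # account, and that it is optional. They all share the same base directory
  # though, and each schema has its own subdirectory. We still allow defining
  # a shared account at the application level however.
  sms:
    directory: '/usr/local/var/onegov/sms'
    user: null
    password: null
    originator: OneGov
    # tenants:
    #   "onegov_town6/meggen":
    #     user:
    #     password:
    #     originator: Meggen

  # To test yubikey integration, a yubikey API access token has to be provided
  # yubikey_client_id:
  # yubikey_secret_key:

  # To test mTAN second factor, enable it here
  # mtan_second_factor_enabled: true
  # mtan_automatic_setup: true

  # To test mapbox integration, a mapbox token has to be provided
  # mapbox_token:

  # API rate limit, default is 100 requests per 15 minutes
  # api_rate_limit:
  #   requests: 100
  #   expiration: 900

  # Websocket server configuration.
  websockets:
    client_url: ws://localhost:8765
    client_csp: ws://localhost:8765
    manage_url: ws://localhost:8765
    # Placeholder value; set a randomly generated token of your own for
    # anything other than a local test setup.
    manage_token: super-secret-token

  # Install https://github.com/seantis/d3-renderer
  # d3_renderer: 'http://localhost:1337'

  # For Swissvotes, the Museum für Gestaltung has an api
  # mfg_api_token:

  # For the org app, disable the password reset view (in case the users have
  # their own auth providers)
  # disable_password_reset: true

  # How long a user can fill out a form before we consider it too old
  # NOTE(review): 3600 reads like one hour in seconds; as minutes it would be
  # 60 hours. Confirm the unit against the code that reads this value.
  csrf_time_limit: 3600  # in minutes

  # True if payment provider integration is used
  payment_providers_enabled: false

  # Stripe configuration with oauth gateway
  # The credentials below are placeholders; keep real values out of version
  # control.
  payment_provider_defaults:
    stripe_connect:
      client_id: foo
      client_secret: bar
      # the gateway through which the redirects go
      oauth_gateway: https://oauth.example.org
      # the key needed to authenticate oneself with the gateway
      oauth_gateway_auth: foobar
      # the client-specific secret that is used to authenticate
      # (the original comment is cut off at this point)
      oauth_gateway_secret: barfoo

  # Alternative login providers
  # authentication_providers:
  #   msal:
  #     tenants:
  #       "onegov_agency/bs":
  #         tenant_id: ''
  #         client_id: ''
  #         client_secret: ''
  #         attributes:
  #           source_id: 'sub'
  #           username: 'email'
  #           groups: 'groups'
  #           first_name: 'given_name'
  #           last_name: 'family_name'
  #     roles:
  #       "onegov_agency/bs":
  #         admins: ''
  #         editors: ''
  #         members: ''
  #   # Login with LDAP, using Kerberos as authentication
  #   ldap_kerberos:
  #
  #     # If set to true, the provider will automatically log in users that
  #     # hit the root page (/) if they have an account
  #     auto_login: true
  #
  #     # Kerberos configuration
  #     kerberos_keytab: /etc/keytab
  #     kerberos_hostname: ogc.example.org
  #     kerberos_service: HTTP
  #
  #     # LDAP configuration (TLS is required!)
  #     ldap_url: ldaps://ldap.example.org
  #     ldap_username: 'cn=service,ou=service,dc=seantis,dc=ch'
  #     ldap_password: 'hunter2'
  #
  #     # LDAP attributes
  #     name_attribute: cn
  #     mails_attribute: mail
  #     groups_attribute: memberOf
  #
  #     # This suffix is stripped from all user names if found.
  #     # For example, if Kerberos returns foo@example.org, but LDAP only
  #     # contains 'foo', then setting the suffix to '@example.org' will help.
  #     suffix: '@example.org'
  #
  #     # Role mapping
  #     roles:
  #
  #       # For all applications
  #       "__default__":
  #         admin: admins
  #         editor: editors
  #         member: members
  #
  #       # For applications of a specific namespace
  #       "onegov_org":
  #         admin: admins
  #         editor: editors
  #         member: members
  #
  #       # For applications of a specific application id
  #       "onegov_org/govikon":
  #         admin: admins
  #         editor: editors
  #         member: members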
# All supported applications
#
# Each entry maps a URL path to an application class and a namespace, and
# pulls in the shared settings through the global-config alias.
applications:

  - path: '/onegov_town6/*'
    application: onegov.town6.TownApp
    namespace: onegov_town6
    configuration:
      <<: *global-config

  - path: '/onegov_agency/*'
    application: onegov.agency.AgencyApp
    namespace: onegov_agency
    configuration:
      <<: *global-config

  - path: '/onegov_org/*'
    application: onegov.org.OrgApp
    namespace: onegov_org
    configuration:
      <<: *global-config

  - path: '/events/*'
    application: onegov.org.OrgApp
    namespace: events
    configuration:
      <<: *global-config

  - path: '/onegov_feriennet/*'
    application: onegov.feriennet.FeriennetApp
    namespace: onegov_feriennet
    configuration:
      <<: *global-config

  - path: '/onegov_fsi/*'
    application: onegov.fsi.FsiApp
    namespace: fsi
    configuration:
      <<: *global-config

  - path: '/onegov_election_day/*'
    application: onegov.election_day.ElectionDayApp
    namespace: onegov_election_day
    configuration:
      <<: *global-config

  - path: '/onegov_gazette/*'
    application: onegov.gazette.GazetteApp
    namespace: onegov_gazette
    configuration:
      <<: *global-config

  - path: '/onegov_intranet/*'
    application: onegov.intranet.IntranetApp
    namespace: onegov_intranet
    configuration:
      <<: *global-config

  - path: '/onegov_landsgemeinde/*'
    application: onegov.landsgemeinde.LandsgemeindeApp
    namespace: onegov_landsgemeinde
    configuration:
      <<: *global-config

  - path: '/onegov_winterthur/*'
    application: onegov.winterthur.WinterthurApp
    namespace: onegov_winterthur
    configuration:
      <<: *global-config

  - path: '/onegov_swissvotes/*'
    application: onegov.swissvotes.SwissvotesApp
    namespace: onegov_swissvotes
    configuration:
      <<: *global-config

  - path: '/onegov_translator_directory/*'
    application: onegov.translator_directory.TranslatorDirectoryApp
    namespace: translator_directory
    configuration:
      <<: *global-config

  - path: '/onegov_pas/*'
    application: onegov.pas.PasApp
    namespace: onegov_pas
    configuration:
      <<: *global-config

  # The onboarding entry has no wildcard in its path and carries an extra
  # 'onboarding' mapping with the settings for the town6 target.
  - path: '/onegov_onboarding'
    application: onegov.onboarding.OnboardingApp
    namespace: onegov_onboarding
    configuration:
      <<: *global-config
      onboarding:
        onegov.town6:
          namespace: onegov_town6
          domain: onegov.test
          configuration:
            depot_backend: depot.io.local.LocalFileStorage
            depot_storage_path: /usr/local/var/onegov/depot
# Default logging output
#
# Every logger below except 'stripe' runs at DEBUG, which suits development;
# review the levels before reusing this section elsewhere.
logging:
  disable_existing_loggers: true

  formatters:
    default:
      format: '%(asctime)s - %(levelname)s: %(message)s'
      datefmt: '%Y-%m-%d %H:%M:%S'

  handlers:
    console:
      class: logging.StreamHandler
      formatter: default
      level: DEBUG
      stream: ext://sys.stdout
    index_log:
      class: logging.FileHandler
      formatter: default
      level: DEBUG
      filename: /usr/local/var/onegov/logs/onegov-search-reindex.log
      # 'w' opens the log file for writing rather than appending
      mode: w

  loggers:
    onegov:
      level: DEBUG
      handlers:
        - console
      propagate: false
    onegov.search.index:
      level: DEBUG
      handlers:
        - index_log
      propagate: false
    stripe:
      level: INFO
      handlers:
        - console