The Magnify
project tries to follow the 12 factors app and so relies
only on environment variables for configuration.
This configuration guide applies to the production environment. The development stack is
predefined to work off-the-shelf based on environment variables defined in env.d
at the root of
the project.
When running Magnify's official Docker image, our predefined production settings are applied by default.
You may apply other predefined settings by setting the DJANGO_CONFIGURATION
environment variable:
$ docker run -e DJANGO_CONFIGURATION=PreProduction ... fundocker/jitsi-magnify:main
Other possible values for this envionment variable are: Build
, ContinuousIntegration
,
Development
, Preprod
, Staging
and Test
. You may define your own settings by overriding
the /app/sandbox/settings.py
file.
Depending on the predefined settings you run, a set of additional environment variables must be set. In the following, we give a reference guide of all the environment variables you can set to configure the way Magnify operates in production. The ones that are required are marked with a 🔴 sign.
A string of comma separated domains that Django should accept and answer to.
See Django documentation for more details about this setting.
- Type: List as comma separated string
- Required: Yes
- Default: [] (all originating domains are rejected)
- Example:
example1.com,example2.com
Warning The following syntax does not work:
DJANGO_ALLOWED_HOSTS=["example1.com"," example2.com"]
It would set the ALLOWED_HOST setting in Django to
['["example1.com"," example2.com"]']
which is not what you want.You should enter the list as a comma separated string:
DJANGO_ALLOWED_HOSTS=example1.com,example2.com
Standard Django secret key used to make the instance unique and generate hashes such as CSRF tokens or auth keys.
See Django documentation for more information about this setting.
- Type: String
- Required: Yes
- Default: None
- Example:
13f1ef@^xqmc=pjv1(!hko7li2a#!f_vuv%cq8$sr2363yn^3!
A list of trusted origins for unsafe requests (e.g. POST). Must at least contain the domain on which the backend is hosted for the Django admin site to work.
See Django documentation for more information about this setting.
- Type: List as comma separated strings
- Required: No
- Default: [] (all originating domains are rejected)
- Example:
https://subdomain.example1.com, https://*.example2.com
A string to set the default language code for this installation. This should be in standard language ID format. For example, U.S. English is "en-us".
At the moment, Magnify does not allow to override Django's LANGUAGES
setting so the
LANGUAGE_CODE
setting can only be set to en
or fr
.
- Type: String [en|fr]
- Required: No
- Default:
en
- Example:
fr
You can allow CORS requests (based on django-cors-headers) by providing a list of the allowed origins.
- Type: List as comma separated strings
- Required: No
- Default: []
- Example:
https://example1.com, https://example2.com
List of automatic checks that should be silenced because they are not appropriate for your particular deployment configuration.
For more information, see documentation.
- Type: List as comma separated strings
- Required: No
- Default: ["security.W019"]
- Example:
security.W001, security.W002
The static files storage backend that Django should use to serve static files.
For more information, see documentation.
- Type: String
- Required: No
- Default:
whitenoise.storage.CompressedManifestStaticFilesStorage
- Example:
django.contrib.staticfiles.storage.StaticFilesStorage
Should be set to activate Sentry for an environment. The value of this DSN is given when you add a project to your Sentry instance.
- Type: String
- Required: No
- Default: None
- Example:
https://[email protected]/2435467
The REST framework will attempt to authenticate with each class in this list of default authentication schemes.
For more information, see documentation.
- Type: List as comma separated strings
- Required: No
- Default: ["rest_framework_simplejwt.authentication.JWTAuthentication"]
- Example:
rest_framework_simplejwt.authentication.JWTAuthentication, rest_framework.authentication.SessionAuthentication
The base url of the API that the frontend should contact. It allows to point to a specific version of the API.
- Type: String
- Required: Yes
- Example:
https://example.com/api
The algorithm used for decoding OIDC JWT tokens. PyJWT supports different digital signature algorithms (like RSA or ECDSA), the cryptography library being installed in Magnify.
For more information, see DRF Simple JWT documentation
- Type: String
- Required: No
- Default:
RS256
- Example:
RS512
,HS256
, etc.
Dynamically resolve the public keys needed to verify the signing of OIDC tokens.
For more information, see DRF Simple JWT documentation
- Type: String
- Required: Either this setting or
MAGNIFY_JWT_VERIFYING_KEY
should be set. - Default: None
- Example:
http://keycloak.com/realms/magnify/protocol/openid-connect/certs
The public key used to verify OIDC tokens.
For more information, see [DRF Simple JWT documentation][verifying-key]
- Type: String
- Required: No
- Example: Dummy RS256 public key
-----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy8Dbv8prpJ/0kKhlGeJY ozo2t60EG8L0561g13R29LvMR5hyvGZlGJpmn65+A4xHXInJYiPuKzrKUnApeLZ+ vw1HocOAZtWK0z3r26uA8kQYOKX9Qt/DbCdvsF9wF8gRK0ptx9M6R13NvBxvVQAp fc9jB9nTzphOgM4JiEYvlV8FLhg9yZovMYd6Wwf3aoXK891VQxTr/kQYoq1Yp+68 i6T4nNq7NWC+UNVjQHxNQMQMzU6lWCX8zyg3yH88OAQkUXIXKfQ+NkvYQ1cxaMoV PpY72+eVthKzpMeyHkBn7ciumk5qgLTEJAfWZpe4f4eFZj/Rc8Y8Jj2IS5kVPjUy wQIDAQAB -----END PUBLIC KEY-----
Mapping between fields of the Magnify's User model and fields in the OIDC token used to authenticate requests.
- Type: String
- Required: No, but if you keep the default value, Authentication will work correctly only if
your JWT tokens contain a
name
and apreferred_username
fields. - Default:
{ "email": "email", "name": "name", "username": "preferred_username", }
- Example:
{"email": "email", "name": "name", "username": "preferred_username"}
A prefix that will be added in front of the room UUID to compose the Jitsi room name used for the conference.
- Type: string
- Required: No
- Default: ""
- Example:
123
Whether rooms are created as public by default. Rooms that are not marked as public, will not deliver any Jitsi JWT token to users who are not authenticated or to users who have not been assigned any role in the room.
- Type: Boolean as string
- True: 'yes', 'y', 'true', '1'
- False: 'no', 'n', 'false', '0', '' (empty string)
- Required: No
- Default: True
- Example:
false
Whether users can join a room that is not reserved in Magnify. When activated, Magnify will generate a Jitsi JWT token to any user visiting any room that is not registered.
- Type: Boolean as string
- True: 'yes', 'y', 'true', '1'
- False: 'no', 'n', 'false', '0', '' (empty string)
- Required: No
- Default: True
- Example:
false
Whether users can be created via the API. When not allowed, user handling is delegated to an external tool and Magnify creates users on-the-fly based on OIDC tokens received.
- Type: Boolean as string
- True: 'yes', 'y', 'true', '1'
- False: 'no', 'n', 'false', '0', '' (empty string)
- Required: No
- Default: False
- Example:
true
Defines what characters are accepted on the username
field of the user model.
When customizing it, don't forget to update your translations to customize the
message held by the placeholder string username_validator_message
.
Make sure your identity provider (Keycloak in the case of our development sandbox) is not more permissive on username characters otherwise a user can be created in the identity provider with a username that will then be rejected by Django.
- Type: String
- Required: No
- Default:
^[a-z0-9_.-]+$
- Example:
^[a-zA-Z0-9_.-]+$
(accept also upper case letters)
A list of "audiences" (aud
attribute in the OIDC token) that will be flagged as being reserved
to device users. This allows us to differentiate these users in the interface and customize
their experience and access rights.
- Type: List as string
- Required: No
- Default: []
- Example:
magnify-box,sip-gateway
The following settings define the Jitsi instance and the payload of the Jitsi JWT tokens generated by Magnify to authenticate with the instance.
For reference, the Jitsi JWT token is a json string of the form:
{
"exp": 1907712600,
"iat": 1907712000,
"moderator": true,
"aud": "jitsi",
"iss": "app_id",
"sub": "meet.jitsi",
"room": "my-room",
"context": {
"user": {
"avatar": "avatar.jpg",
"name": "David Bowman",
"email": "[email protected]"
}
}
}
Domain on which the Jitsi instance that is used by Magnify to host conferences is hosted.
- Type: String
- Required: Yes
- Default:
meeting.education
- Example:
meet.jit.si
XMPP domain of the Jitsi instance to which Magnify should connect.
- Type: String
- Required: Yes
- Example:
meet.jitsi
Secret key of the Jitsi instance to which Magnify should connect. Ask this from the people operating the Jitsi instance.
- Type: String
- Required: Yes
- Example:
lyb3}eDqJB:^~I[kdzG3Db>@_<)pus[KsbT<Q&0R.v_OLq&Y44W
Identifier of the Magnify app with regards to the Jitsi instance.
- Type: String
- Required: No
- Default:
magnify
- Example:
my-magnify
URL of the avatar image that should be used for guest users.
- Type: String
- Required: No
- Default: ""
- Example:
https://example.com/wp-content/uploads/2019/01/default-user-icon-8.jpg
Name that should be used for guest users.
- Type: String
- Required: No
- Default:
Guest
- Example:
Fellow Magnifyer
Expiration delay in seconds of the JWT tokens issued by Magnify to connect to the Jitsi instance.
- Type: Integer as a string
- Required: No
- Default: 300
- Example:
1800
Full path to the Python class of the backend used by Magnify to connect to the database.
- Type: String
- Required: No
- Default:
django.db.backends.postgresql_psycopg2
(Postgresql)
Address for the database used by Magnify.
- Type: String
- Required: No
- Default:
postgresql
Name of the database used by Magnify.
- Type: String
- Required: No
- Default:
magnify
Name of the user to connect to the database used by Magnify.
- Type: String
- Required: No
- Default:
magnify
Password corresponding to the user specified in DB_USER
and used by Magnify to
connect to the database.
- Type: String
- Required: Yes
- Example:
13f1ef@^xqmc=pjv1(!hko7li2a#!f_vuv%cq8$sr2363yn^3!
Port used by Magnify to connect to the database.
- Type: Integer as a string
- Required: No
- Default:
5432
Keycloak URL to which Magnify should send users to authenticate.
- Type: String
- Required: Yes
- Example:
http://keycloak.com
Keycloak realm to which Magnify should send users to authenticate.
- Type: String
- Required: No, but with the default value, your Keycloak instance will need to present a realm
called
magnify
- Default:
magnify
- Example:
my-magnify
Keycloak client with which users should be authenticated in order to consume Magnify.
- Type: String
- Required: No, but with the default value, your Keycloak instance will need to present a client
called
magnify-frontend
- Default:
magnify-frontend
- Example:
my-magnify-frontend
Expiration delay in seconds of the OIDC tokens issued by Keycloak to allow users to interact with Magnify. The frontend will refresh tokens automatically with Keycloak when they expire.
- Type: Integer as a string
- Required: No
- Default: 1800
- Example:
3600
These settings are only used for build purposes in order to push/pull translations to/from Crowdin.
The API access key provided by Crowdin. Only managers can have access to this key.
- Type: String
- Required: No
- Default: None
The unique project identifier provided by Crowdin. Only managers can have access to this setting.
- Type: String
- Required: No
- Default: None
The path from where the crowdin-cli
will work, this path should point to the src
directory of magnify.
By default its value is /app/src
and while you are using the container configured in our docker-compose
file you have no need to change it.
- Type: String
- Required: No
- Default:
/app/src