public_git
/
wg-portal
mirror of https://github.com/h44z/wg-portal.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
wg-portal/config.yml.sample

145 lines
6.1 KiB
Plaintext
Raw Blame History

# More information about the configuration can be found in the documentation: https://wgportal.org/master/documentation/overview/
advanced:
log_level: trace
expiry_check_interval: 5h # How often to check for and delete expired peers (cluster-wide: only master node deletes, others skip)
core:
admin_user: test@test.de
admin_password: secret
create_default_peer: true
create_default_peer_on_creation: false
default_user_ttl: "24h" # TTL for peers: 1h, 24h, 2d, 7d, etc.
delete_expired_peers: true # true = delete, false = disable expired peers
force_client_ip_as_allowed_ip: true # Always use client's IP as AllowedIPs on server (prevents overlapping 0.0.0.0/0)
master: false # Set to true on ONE node only - that node will handle expired peer deletion (master-only cleanup for cluster safety)
web:
external_url: http://localhost:8888
request_logging: true
webhook:
url: ""
authentication: ""
timeout: 10s
# Statistics and metrics configuration
statistics:
use_ping_checks: true # Enable ICMP ping checks for peer connectivity
ping_check_workers: 10 # Number of concurrent ping check workers
ping_unprivileged: false # Use unprivileged ping (requires system configuration)
ping_check_interval: 1m # How often to ping peers
data_collection_interval: 1m # How often to collect data from WireGuard
collect_interface_data: true # Collect interface statistics
collect_peer_data: true # Collect peer statistics
collect_audit_data: true # Collect audit data
store_audit_data: true # Store audit data in database (false = only log to console/file)
listening_address: ":8787" # Prometheus metrics endpoint address
export_detailed_peer_metrics: false # false = export only wireguard_peer_up; true = export handshake, bytes received/transmitted (more metrics, more load)
only_export_connected_peers: false # If true, only export metrics for connected peers (reduces load with many inactive peers in database)
auth:
ldap:
- id: ldap1
provider_name: company ldap
url: ldap://ldap.yourcompany.local:389
bind_user: ldap_wireguard@yourcompany.local
bind_pass: super_Secret_PASSWORD
base_dn: DC=YOURCOMPANY,DC=LOCAL
login_filter: (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))
admin_group: CN=WireGuardAdmins,OU=it,DC=YOURCOMPANY,DC=LOCAL
sync_interval: 0 # sync disabled
sync_filter: (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
registration_enabled: true
oidc:
- id: oidc1
provider_name: google
display_name: Login with</br>Google
base_url: https://accounts.google.com
client_id: the-client-id-1234.apps.googleusercontent.com
client_secret: A_CLIENT_SECRET
extra_scopes:
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
registration_enabled: true
- id: oidc2
provider_name: google2
display_name: Login with</br>Google2
base_url: https://accounts.google.com
client_id: another-client-id-1234.apps.googleusercontent.com
client_secret: A_CLIENT_SECRET
extra_scopes:
- https://www.googleapis.com/auth/userinfo.email
- https://www.googleapis.com/auth/userinfo.profile
registration_enabled: true
oauth:
- id: google_plain_oauth
provider_name: google3
display_name: Login with</br>Google3
client_id: another-client-id-1234.apps.googleusercontent.com
client_secret: A_CLIENT_SECRET
auth_url: https://accounts.google.com/o/oauth2/v2/auth
token_url: https://oauth2.googleapis.com/token
user_info_url: https://openidconnect.googleapis.com/v1/userinfo
scopes:
- openid
- email
- profile
field_map:
email: email
firstname: name
user_identifier: sub
is_admin: this-attribute-must-be-true
registration_enabled: true
- id: google_plain_oauth_with_groups
provider_name: google4
display_name: Login with</br>Google4
client_id: another-client-id-1234.apps.googleusercontent.com
client_secret: A_CLIENT_SECRET
auth_url: https://accounts.google.com/o/oauth2/v2/auth
token_url: https://oauth2.googleapis.com/token
user_info_url: https://openidconnect.googleapis.com/v1/userinfo
scopes:
- openid
- email
- profile
- i-want-some-groups
field_map:
email: email
firstname: name
user_identifier: sub
user_groups: groups
admin_mapping:
admin_value_regex: ^true$
admin_group_regex: ^admin-group-name$
registration_enabled: true
log_user_info: true
# FANOUT configuration for peer synchronization between multiple servers
fanout:
enabled: false # Set to true to enable FANOUT synchronization
peers: # List of other wg-portal-2 instances to sync with (use internal Docker network URLs)
- "http://wg-server-2:8888"
- "http://wg-server-3:8888"
- "http://wg-server-4:8888"
- "http://wg-server-5:8888"
auth_header: "Authorization" # Header name for authentication
auth_value: "Bearer your-secret-token" # Authentication value
timeout: 10s # HTTP request timeout
debounce: 500ms # Debounce delay to prevent too frequent sync requests
self_url: "http://wg-server-1:8888" # This server's URL (internal Docker network)
origin: "wg-server-1" # Optional: custom origin identifier
kick_on_start: true # Trigger sync on startup
topics: # Events that trigger synchronization
- "peer:created"
- "peer:updated"
- "peer:deleted"
- "interface:created"
- "interface:updated"
- "interface:deleted"
# TLS/SSL configuration (only needed for HTTPS URLs or external communication)
tls_skip_verify: false # Set to true to skip SSL certificate verification (NOT recommended for production)
tls_ca_cert_file: "" # Path to CA certificate file for custom CA (optional)
tls_client_cert_file: "" # Path to client certificate file for mutual TLS authentication (optional)
tls_client_key_file: "" # Path to client private key file for mutual TLS authentication (optional)
Reference in New Issue View Git Blame Copy Permalink