Configuration
InterDiode can be configured by environment variables. Here is the complete list of available settings, with their default values and descriptions. These environment variables can be directly set in the compose file or in a environment file shared by all InterDiode containers. See Docker Install for more information about Docker installation and Local Files for more information about the directory structures. Transfer Options provides more details about the settings related to data transfers.
The current configuration can be displayed by running the following command in any of the InterDiode containers:
interdiode-ctl configuration environ
Here is the complete list of available environment variables:
Email addresses of the administrator, mainly used as recipients of logged errors.
This list must follow RFC 5322 format, and can be comma-separated.
Example: ‘Admin1 <admin1@example.com>, “Admin, Dev” <admin2@example.com>’
Allow to create users within InterDiode (without using the authentication by reverse proxy)
and to authenticate them with local passwords.
Values: ‘true’, ‘false’.
Allow new users to create their account themselves (if ALLOW_LOCAL_USERS=true),
or the automatic creation of missing users when users are authenticated by the reverse proxy.
Values: ‘true’, ‘false’.
Comma-separated list of trusted InterDiode servers, used to trust incoming transfers.
If empty, all incoming transfers will be trusted.
Example: ‘127.0.0.1,::1,10.0.0.0/16,172.18.0.0/16’.
Activate daily upkeep tasks, removing obsolete files, data and transfers.
Values: ‘true’, ‘false’.
URL of the SQL database. Available schemes are ‘postgresql’ and ‘mysql’ and can use SSL parameters.
Example: ‘postgresql://interdiode:interdiode@db.interdiode.fr:5432/interdiode_db?ssl_check_hostname=true&ssl_cert_reqs=required&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt’.
SSL-related files must be mounted in all Docker containers.
Base directory where all data will be stored (static web assets, PID files, uploaded or temporary files, …). You should not need to change this value, but if you do, the ‘interdiode-ctl configuration apply’ command is required.
GitHub authentication token used by default.
A different token can be provided for each cloned account.
ReadTheDocs authentication token used by default.
A different authentication token can be provided for each cloned project.
X (Twitter) authentication token used by default.
A different token can also be provided for each cloned account.
Email address for automated correspondence from the site managers. This address is used in the From: header of outgoing emails and can take any format valid in the chosen email sending protocol.
URL of the SMTP server for sending admin emails. Use smtp+tls for explicit TLS connections, generally on port 587,
Use smtps for implicit TLS connections, generally on port 465.
Example: ‘smtp+tls://account@example.com:password@smtp.example.com:587/’.
Max size in bytes of POST requests, must be large enough for uploading large files like Vagrant boxes.
Do not forget to also configure your reverse proxies accordingly.
Example: ‘10000000000’.
Allow the usage of git-lfs (for large files) when cloning Git repositories.
Values: ‘true’, ‘false’.
Comma-separated list of group attributes that cannot be changed by administrators.
. Add ‘name’ to disable manual group creation/deletion or ‘permissions’ to disallow permissions changes.
Example: ‘name,permissions’.
Set the email of the current user in this HTTP header.
Leave empty to disable automatic email assignment.
Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
Example: ‘X-Forwarded-Email’.
Set the first name of the current user in this HTTP header.
Leave empty to disable automatic name assignment.
Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
Example: ‘X-Forwarded-First-Name’.
Set the list of groups in this HTTP header. The header value can be a JSON-serialized list, or a comma-separated list.
Leave empty to disable automatic group assignment.
Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
Example: ‘X-Forwarded-Groups’.
Set the last name of the current user in this HTTP header.
Leave empty to disable automatic name assignment.
Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
Example: ‘X-Forwarded-Last-Name’.
Set it if the reverse-proxy authenticates users (single sign-on).
Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.
Example: ‘X-Remote-User’.
CA certificates bundle (concatenated list of PEM certificates) used for HTTPS requests.
The CA certificates bundle must be present in a volume mounted on all containers.
SSL certificate file, used by the HTTP server (also requires HTTP_SSL_CERTFILE to be set).
Can be used to encrypt the communication between the reverse proxy and the HTTP server.
The certificate file in PEM format must be present in a volume mounted on all containers.
SSL key file, used by the HTTP server (also requires HTTP_SSL_CERTFILE to be set).
Can be used to encrypt the communication between the reverse proxy and the HTTP server.
The keyfile in PEM format must be present in a volume mounted on all containers.
InterDiode mode.
Values: ‘black’ for the server connected to the Internet, and ‘red’ for the internal network.
Default language, default to en-us.
Available languages: ‘en-us’, ‘fr-fr’.
The license key can also be imported at runtime with the web interface, without restarting servers.
Address listen by your web server.
Examples: ‘0.0.0.0:8000’, ‘:8000’.
Base storage path for all cache/export/import operations.
The same volume must be mounted in the export workers and in the transfer worker
(when the selected transfer mode is UDP or TCP).
The same volume can be mounted on all containers and must be large enough.
Example: ‘/data/caches’.
Write all local logs to this directory, mounted in the container.
Default to empty string, meaning that logs are sent to stdout (warnings and below) and stderr (errors and above).
Example: ‘/var/log/interdiode’.
Log level.
Values: ‘debug’, ‘info’, ‘warn’, ‘error’ or ‘critical’.
Also logs HTTP connections to the remote collector, when defined in LOG_REMOTE_URL.
Values: ‘true’, ‘false’.
Send logs to a remote log collector.
Examples: ‘syslog+tcp://localhost:514/user’, ‘syslog:///local7’ or ‘syslog:///dev/log/daemon’.
A Grafana Loki collector (https://grafana.com/oss/loki/) can also be used: ‘lokis://username:password@host:port?query’.
Log slow SQL database queries that take more than this time in seconds, for performance analysis.
Example: ‘0.1’.
Directory for long-term storage of uploaded or downloaded media. Set the absolute path of the main storage directory, mounted on your container.
Can also be the URL of a S3 storage with credentials, using the ‘s3:http:’ scheme.
Examples: ‘/data/files/’,
‘s3:https://access-key:secret-key@domain.name:port/bucket’.
See S3_REGION.
Number of finished actions to keep for each source.
Example: ‘100’.
Total size of finished transfers before removing them.
The more reliable is your transfer method, the lower you can set this value.
Data can be transferred again without preparing the export again.
Example: ‘10000000000’.
Retention delay (in days) before actually cleaning old data from the database.
A transfer from the black side to the red one must happen before this purge to keep both sides synchronized.
Example: ‘100’.
Redis database URL, used for cache and task queues.
This URL can use authentication and SSL parameters (use ‘rediss’ protocol to use SSL encryption).
Example: ‘rediss://:interdiode@redis.interdiode.fr:6379/1?ssl_check_hostname=true&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt’.
SSL-related files must be mounted in all Docker containers.
IP address of your red-side InterDiode server. This information is required to use UDP and TCP transfers.
Example: ‘12.12.12.12’.
MAC address of your red-side InterDiode server. This information is required to use UDP transfers.
The MAC address must be in the ARP cache of your black-side transfer host since no broadcast can be performed through a data-diode.
This informations is only required to check if the ARP cache is valid.
Example: ‘91:12:12:AC:81:92’.
Port number of your red-side InterDiode server. This information is required to use UDP transfers.
Example: ‘15124’.
Comma-separated list of group names to add to new users that are authenticated by HTTP header, when HTTP_REMOTE_GROUPS_HEADER setting is not used.
Example: ‘Users,New users’.
Require new users to be validated by an administrator.
Values: ‘true’, ‘false’.
Directory for all process ID (pid) files.
Example: ‘/data/run’.
S3 storage regions, if S3 storage is used for downloaded or uploaded media.
Example: ‘us-east-1’.
Sends errors to a Sentry collector (https://sentry.io/).
Example: ‘https://6eb600b24dd5@sentry.interdiode.fr/5543040’.
Public URL of your InterDiode instance, default to “http://{listen_address}/”.
Example: ‘https://black.interdiode.fr/’.
This secret key is used to sign transfers from the black server to the red one.
It must be identical on both servers: transfers signed with a different key will be rejected.
Example: ‘Qkg9cF-i0jbNa-zqOQao’.
A timezone defined in the IANA Time Zone Database.
Default to ‘Europe/Paris’.
Verify the SHA3 checksum of all exported files.
All data prepared to the transfer will be checked before being actually transferred.
In any case, the SHA3 checksum can be verified upon import.
Values: ‘true’, ‘false’.
Verify the SHA3 checksum before importing files.
This is a safety check to ensure that the files have not been corrupted during transfer.
Values: ‘true’, ‘false’.
Time to wait (in seconds) between two UDP or TCP transfers.
Due to the unidirectional nature of the transfer, the black side cannot know if the red side is ready to receive a new transfer,
so it must wait a reasonable amount of time before sending the next file.
Example: ‘1.0’.
Do not delete corrupted import data, e.g. for post-mortem analysis.
Values: ‘true’, ‘false’.
Number of finished transfers to keep when removing data. The more reliable is your transfer method, the lower you can set this value.
Example: ‘100’.
Do not delete failed imports, e.g. for post-mortem analysis.
Values: ‘true’, ‘false’.
Do not delete successfully imported exports.
Values: ‘true’, ‘false’.
Do not automatically remove temporary data used for network transfers.
Values: ‘true’, ‘false’.
Transfer method:
- udp: use a UDP protocol with error checking protocol that can be used through a physical data-diode,
- tcp: use a unidirectional raw TCP connection, so a firewall can only accepts TCP acks from the internal network,
- file: let you transfer the files from the black side to the red one by your own.
Values: ‘udp’, ‘tcp’, ‘file’.
Comma-separated list of trusted reverse proxy IP addresses, used to trust forwarded headers.
Example: ‘127.0.0.1,::1,10.0.0.0/16,172.18.0.0/16’.
Number of UDP packets in an error correction chunk. Default (and ideal) is 1000,
increasing it will make the transfer more robust to big loss bursts, but possibly slower. 2 <= NUM <= 64000.
Example: ‘1000’.
Size in bytes of the UDP payloads to send, that must be inferior to the MTU of your network equipment.
Example: ‘1400’.
Redundancy factor of UDP transfers.
Due to the unidirectional nature of the transfer, no error checking can be done after the transfer, so a large redundancy factor is required to ensure a high probability of success.
Example: ‘3.0’.
Once a transfer is started, if no packets are received for <timeout> seconds, the transfer is interrupted.
Example: ‘0.1’.
Comma-separated list of user attributes that cannot be changed by the user nor an administrator.
Add ‘username’ to disable manual user creation/deletion, ‘password’ to disallow password changes.
Other attributes are ‘is_active’, ‘is_superuser’, ‘groups’, ‘user_permissions’, ‘first_name’, ‘last_name’,
‘email’, ‘black_username’, ‘black_email’.
‘black_username’, ‘black_email’ are only used on the red instance, to map external users to the internal ones.
Example: ‘is_active,user_permissions,black_email’.
Allow users to use API tokens.
Values: ‘true’, ‘false’.
Allow HTTP basic auth using the user password: this can be required by some repositories.
Values: ‘true’, ‘false’.
Number of processes used by the worker command for background tasks.
Default to the number of available CPUs on the system.
Example: ‘2’.
HTTP proxy for all outgoing HTTP requests.
Example: ‘username:password@proxy.server.lan:3128’