Configuration

InterDiode can be configured by environment variables. Here is the complete list of available settings, with their default values and descriptions. These environment variables can be directly set in the compose file or in a environment file shared by all InterDiode containers. See Docker Install for more information about Docker installation and Local Files for more information about the directory structures. Transfer Options provides more details about the settings related to data transfers.

The current configuration can be displayed by running the following command in any of the InterDiode containers:

interdiode-ctl configuration environ

Here is the complete list of available environment variables:

ADMINS

Email addresses of the administrator, mainly used as recipients of logged errors.

This list must follow RFC 5322 format, and can be comma-separated.

Example: ‘Admin1 <admin1@example.com>, “Admin, Dev” <admin2@example.com>’

ALLOW_LOCAL_USERS

Allow to create users within InterDiode (without using the authentication by reverse proxy)

and to authenticate them with local passwords.

Values: ‘true’, ‘false’.

ALLOW_USER_CREATION

Allow new users to create their account themselves (if ALLOW_LOCAL_USERS=true),

or the automatic creation of missing users when users are authenticated by the reverse proxy.

Values: ‘true’, ‘false’.

BLACK_SOURCE_IPS

Comma-separated list of trusted InterDiode servers, used to trust incoming transfers.

If empty, all incoming transfers will be trusted.

Example: ‘127.0.0.1,::1,10.0.0.0/16,172.18.0.0/16’.

DAILY_UPKEEP

Activate daily upkeep tasks, removing obsolete files, data and transfers.

Values: ‘true’, ‘false’.

DATABASE_URL

URL of the SQL database. Available schemes are ‘postgresql’ and ‘mysql’ and can use SSL parameters.

Example: ‘postgresql://interdiode:interdiode@db.interdiode.fr:5432/interdiode_db?ssl_check_hostname=true&ssl_cert_reqs=required&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt’.

SSL-related files must be mounted in all Docker containers.

DATA_ROOT

Base directory where all data will be stored (static web assets, PID files, uploaded or temporary files, …). You should not need to change this value, but if you do, the ‘interdiode-ctl configuration apply’ command is required.

DEFAULT_GITHUB_BEARER_TOKEN

GitHub authentication token used by default.

A different token can be provided for each cloned account.

DEFAULT_READTHEDOCS_BEARER_TOKEN

ReadTheDocs authentication token used by default.

A different authentication token can be provided for each cloned project.

DEFAULT_X_BEARER_TOKEN

X (Twitter) authentication token used by default.

A different token can also be provided for each cloned account.

EMAIL_FROM

Email address for automated correspondence from the site managers. This address is used in the From: header of outgoing emails and can take any format valid in the chosen email sending protocol.

EMAIL_HOST_URL

URL of the SMTP server for sending admin emails. Use smtp+tls for explicit TLS connections, generally on port 587,

Use smtps for implicit TLS connections, generally on port 465.

Example: ‘smtp+tls://account@example.com:password@smtp.example.com:587/’.

FILE_UPLOAD_MAX_MEMORY_SIZE

Max size in bytes of POST requests, must be large enough for uploading large files like Vagrant boxes.

Do not forget to also configure your reverse proxies accordingly.

Example: ‘10000000000’.

GIT_ALLOW_LFS

Allow the usage of git-lfs (for large files) when cloning Git repositories.

Values: ‘true’, ‘false’.

GROUP_DISABLED_ATTRIBUTES

Comma-separated list of group attributes that cannot be changed by administrators.

. Add ‘name’ to disable manual group creation/deletion or ‘permissions’ to disallow permissions changes.

Example: ‘name,permissions’.

HTTP_REMOTE_EMAIL_HEADER

Set the email of the current user in this HTTP header.

Leave empty to disable automatic email assignment.

Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.

Example: ‘X-Forwarded-Email’.

HTTP_REMOTE_FIRST_NAME_HEADER

Set the first name of the current user in this HTTP header.

Leave empty to disable automatic name assignment.

Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.

Example: ‘X-Forwarded-First-Name’.

HTTP_REMOTE_GROUPS_HEADER

Set the list of groups in this HTTP header. The header value can be a JSON-serialized list, or a comma-separated list.

Leave empty to disable automatic group assignment.

Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.

Example: ‘X-Forwarded-Groups’.

HTTP_REMOTE_LAST_NAME_HEADER

Set the last name of the current user in this HTTP header.

Leave empty to disable automatic name assignment.

Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.

Example: ‘X-Forwarded-Last-Name’.

HTTP_REMOTE_USER_HEADER

Set it if the reverse-proxy authenticates users (single sign-on).

Note: the HTTP_ prefix added by the reverse proxy is automatically handled by InterDiode.

Example: ‘X-Remote-User’.

HTTP_SSL_CA_CERTS

CA certificates bundle (concatenated list of PEM certificates) used for HTTPS requests.

The CA certificates bundle must be present in a volume mounted on all containers.

HTTP_SSL_CERTFILE

SSL certificate file, used by the HTTP server (also requires HTTP_SSL_CERTFILE to be set).

Can be used to encrypt the communication between the reverse proxy and the HTTP server.

The certificate file in PEM format must be present in a volume mounted on all containers.

HTTP_SSL_KEYFILE

SSL key file, used by the HTTP server (also requires HTTP_SSL_CERTFILE to be set).

Can be used to encrypt the communication between the reverse proxy and the HTTP server.

The keyfile in PEM format must be present in a volume mounted on all containers.

INTERDIODE_MODE

InterDiode mode.

Values: ‘black’ for the server connected to the Internet, and ‘red’ for the internal network.

LANGUAGE

Default language, default to en-us.

Available languages: ‘en-us’, ‘fr-fr’.

LICENSE_KEY

The license key can also be imported at runtime with the web interface, without restarting servers.

LISTEN_ADDRESS

Address listen by your web server.

Examples: ‘0.0.0.0:8000’, ‘:8000’.

LOCAL_CACHE_DIR

Base storage path for all cache/export/import operations.

The same volume must be mounted in the export workers and in the transfer worker

(when the selected transfer mode is UDP or TCP).

The same volume can be mounted on all containers and must be large enough.

Example: ‘/data/caches’.

LOG_DIR

Write all local logs to this directory, mounted in the container.

Default to empty string, meaning that logs are sent to stdout (warnings and below) and stderr (errors and above).

Example: ‘/var/log/interdiode’.

LOG_LEVEL

Log level.

Values: ‘debug’, ‘info’, ‘warn’, ‘error’ or ‘critical’.

LOG_REMOTE_ACCESS

Also logs HTTP connections to the remote collector, when defined in LOG_REMOTE_URL.

Values: ‘true’, ‘false’.

LOG_REMOTE_URL

Send logs to a remote log collector.

Examples: ‘syslog+tcp://localhost:514/user’, ‘syslog:///local7’ or ‘syslog:///dev/log/daemon’.

A Grafana Loki collector (https://grafana.com/oss/loki/) can also be used: ‘lokis://username:password@host:port?query’.

LOG_SLOW_QUERY_DURATION_IN_S

Log slow SQL database queries that take more than this time in seconds, for performance analysis.

Example: ‘0.1’.

MAIN_STORAGE_DIR

Directory for long-term storage of uploaded or downloaded media. Set the absolute path of the main storage directory, mounted on your container.

Can also be the URL of a S3 storage with credentials, using the ‘s3:http:’ scheme.

Examples: ‘/data/files/’,

‘s3:https://access-key:secret-key@domain.name:port/bucket’.

See S3_REGION.

MAX_SOURCE_ACTION_COUNT

Number of finished actions to keep for each source.

Example: ‘100’.

MAX_TRANSFERRED_SIZE

Total size of finished transfers before removing them.

The more reliable is your transfer method, the lower you can set this value.

Data can be transferred again without preparing the export again.

Example: ‘10000000000’.

PURGE_RETENTION_DAYS

Retention delay (in days) before actually cleaning old data from the database.

A transfer from the black side to the red one must happen before this purge to keep both sides synchronized.

Example: ‘100’.

REDIS_URL

Redis database URL, used for cache and task queues.

This URL can use authentication and SSL parameters (use ‘rediss’ protocol to use SSL encryption).

Example: ‘rediss://:interdiode@redis.interdiode.fr:6379/1?ssl_check_hostname=true&ssl_certfile=/secrets/localhost.crt&ssl_keyfile=/secrets/localhost.key&ssl_ca_certs=/secrets/CA.crt’.

SSL-related files must be mounted in all Docker containers.

RED_DESTINATION_IP

IP address of your red-side InterDiode server. This information is required to use UDP and TCP transfers.

Example: ‘12.12.12.12’.

RED_DESTINATION_MAC

MAC address of your red-side InterDiode server. This information is required to use UDP transfers.

The MAC address must be in the ARP cache of your black-side transfer host since no broadcast can be performed through a data-diode.

This informations is only required to check if the ARP cache is valid.

Example: ‘91:12:12:AC:81:92’.

RED_DESTINATION_PORT

Port number of your red-side InterDiode server. This information is required to use UDP transfers.

Example: ‘15124’.

REMOTE_USER_DEFAULT_GROUPS

Comma-separated list of group names to add to new users that are authenticated by HTTP header, when HTTP_REMOTE_GROUPS_HEADER setting is not used.

Example: ‘Users,New users’.

REQUIRE_NEW_USER_VALIDATION

Require new users to be validated by an administrator.

Values: ‘true’, ‘false’.

RUN_DATA_DIR

Directory for all process ID (pid) files.

Example: ‘/data/run’.

S3_REGION

S3 storage regions, if S3 storage is used for downloaded or uploaded media.

Example: ‘us-east-1’.

SENTRY_DSN

Sends errors to a Sentry collector (https://sentry.io/).

Example: ‘https://6eb600b24dd5@sentry.interdiode.fr/5543040’.

SERVER_BASE_URL

Public URL of your InterDiode instance, default to “http://{listen_address}/”.

Example: ‘https://black.interdiode.fr/’.

SHARED_TRANSFER_KEY

This secret key is used to sign transfers from the black server to the red one.

It must be identical on both servers: transfers signed with a different key will be rejected.

Example: ‘Qkg9cF-i0jbNa-zqOQao’.

TIME_ZONE

A timezone defined in the IANA Time Zone Database.

Default to ‘Europe/Paris’.

TRANSFER_EXPORT_CHECKSUMS

Verify the SHA3 checksum of all exported files.

All data prepared to the transfer will be checked before being actually transferred.

In any case, the SHA3 checksum can be verified upon import.

Values: ‘true’, ‘false’.

TRANSFER_IMPORT_CHECKSUMS

Verify the SHA3 checksum before importing files.

This is a safety check to ensure that the files have not been corrupted during transfer.

Values: ‘true’, ‘false’.

TRANSFER_INTERVAL

Time to wait (in seconds) between two UDP or TCP transfers.

Due to the unidirectional nature of the transfer, the black side cannot know if the red side is ready to receive a new transfer,

so it must wait a reasonable amount of time before sending the next file.

Example: ‘1.0’.

TRANSFER_KEEP_CORRUPTED_IMPORTS

Do not delete corrupted import data, e.g. for post-mortem analysis.

Values: ‘true’, ‘false’.

TRANSFER_KEEP_COUNT

Number of finished transfers to keep when removing data. The more reliable is your transfer method, the lower you can set this value.

Example: ‘100’.

TRANSFER_KEEP_FAILED_IMPORTS

Do not delete failed imports, e.g. for post-mortem analysis.

Values: ‘true’, ‘false’.

TRANSFER_KEEP_IMPORTS

Do not delete successfully imported exports.

Values: ‘true’, ‘false’.

TRANSFER_KEEP_TRANSFERS

Do not automatically remove temporary data used for network transfers.

Values: ‘true’, ‘false’.

TRANSFER_MODE

Transfer method:

- udp: use a UDP protocol with error checking protocol that can be used through a physical data-diode,

- tcp: use a unidirectional raw TCP connection, so a firewall can only accepts TCP acks from the internal network,

- file: let you transfer the files from the black side to the red one by your own.

Values: ‘udp’, ‘tcp’, ‘file’.

TRUSTED_PROXY_IPS

Comma-separated list of trusted reverse proxy IP addresses, used to trust forwarded headers.

Example: ‘127.0.0.1,::1,10.0.0.0/16,172.18.0.0/16’.

UDP_TRANSFER_ERROR_CHUNK_SIZE

Number of UDP packets in an error correction chunk. Default (and ideal) is 1000,

increasing it will make the transfer more robust to big loss bursts, but possibly slower. 2 <= NUM <= 64000.

Example: ‘1000’.

UDP_TRANSFER_MTU_B

Size in bytes of the UDP payloads to send, that must be inferior to the MTU of your network equipment.

Example: ‘1400’.

UDP_TRANSFER_REDUNDANCY

Redundancy factor of UDP transfers.

Due to the unidirectional nature of the transfer, no error checking can be done after the transfer, so a large redundancy factor is required to ensure a high probability of success.

Example: ‘3.0’.

UDP_TRANSFER_TIMEOUT_S

Once a transfer is started, if no packets are received for <timeout> seconds, the transfer is interrupted.

Example: ‘0.1’.

USER_DISABLED_ATTRIBUTES

Comma-separated list of user attributes that cannot be changed by the user nor an administrator.

Add ‘username’ to disable manual user creation/deletion, ‘password’ to disallow password changes.

Other attributes are ‘is_active’, ‘is_superuser’, ‘groups’, ‘user_permissions’, ‘first_name’, ‘last_name’,

‘email’, ‘black_username’, ‘black_email’.

‘black_username’, ‘black_email’ are only used on the red instance, to map external users to the internal ones.

Example: ‘is_active,user_permissions,black_email’.

USE_AUTHORIZATION_TOKEN

Allow users to use API tokens.

Values: ‘true’, ‘false’.

USE_HTTP_BASIC_AUTH

Allow HTTP basic auth using the user password: this can be required by some repositories.

Values: ‘true’, ‘false’.

WORKER_PROCESSES

Number of processes used by the worker command for background tasks.

Default to the number of available CPUs on the system.

Example: ‘2’.

http_proxy

HTTP proxy for all outgoing HTTP requests.

Example: ‘username:password@proxy.server.lan:3128’