# GoHoarder Configuration Example
#
# Port Configuration:
# - Backend server port is configured below (server.port)
# - Frontend dev server uses frontend/.env (VITE_PORT and VITE_BACKEND_URL)
# - When running `make run`, both will start with their configured ports
# - The frontend automatically proxies /api and /ws requests to the backend
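# HTTP listener for the backend API.
server:
  # 0.0.0.0 listens on every interface. With tls.enabled set to false below,
  # requests (and any API keys they carry) cross the network in cleartext
  # unless a TLS-terminating proxy sits in front of this port. Bind to
  # 127.0.0.1 when only a local reverse proxy needs to reach the backend.
  host: "0.0.0.0"
  port: 8080  # Backend API server port
  read_timeout: "5m"
  write_timeout: "5m"
  idle_timeout: "2m"
  tls:
    enabled: false
    # Certificate and private-key file paths; presumably read only when
    # enabled is true (confirm). Keep the key file readable by the service
    # account only.
    cert_file: ""
    key_file: ""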
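# Where cached package artifacts are stored. Whatever lands here is later
# served to clients, so write access to the chosen backend should be limited
# to the service itself.
storage:
  backend: "filesystem"  # filesystem, s3, smb, nfs
  # NOTE(review): path and filesystem.base_path carry the same value; which
  # one the filesystem backend reads is not shown in this file - confirm.
  path: "/var/cache/gohoarder"

  filesystem:
    base_path: "/var/cache/gohoarder"

  s3:
    endpoint: "s3.amazonaws.com"
    region: "us-east-1"
    bucket: "gohoarder-cache"
    # Credentials are secrets: leave them empty in any copy that is committed
    # and restrict read access on the deployed file. Scope the key to this
    # one bucket.
    access_key_id: ""
    secret_access_key: ""
    # Keep true; presumably false sends the credentials and the artifacts
    # over plain HTTP (confirm).
    use_ssl: true

  smb:
    host: ""
    share: ""
    username: ""
    # Secret - same handling as the S3 keys above.
    password: ""
    domain: ""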
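# Metadata store for the cache.
metadata:
  backend: "sqlite"  # sqlite, postgresql, file
  # SQLite URI: a relative file name resolves against the process working
  # directory, and mode=rwc creates the database file when it is missing.
  # Use an absolute path if the service may start from different directories.
  connection: "file:gohoarder.db?cache=shared&mode=rwc"

  sqlite:
    path: "gohoarder.db"
    wal_mode: true

  postgresql:
    host: "localhost"
    port: 5432
    database: "gohoarder"
    user: "gohoarder"
    # Secret: leave empty in committed copies and restrict read access on the
    # deployed file.
    password: ""
    # "disable" means no TLS to the database, so the password and all queries
    # travel in cleartext. That is tolerable only for a loopback host as
    # configured here. Assuming the value is passed through as the PostgreSQL
    # sslmode parameter (confirm), "verify-full" both encrypts the connection
    # and checks the server certificate.
    ssl_mode: "disable"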
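# Cache lifetime and size limits. The byte values below are binary units:
# 536870912000 = 500 * 1024^3 and 53687091200 = 50 * 1024^3.
cache:
  default_ttl: "168h"  # 7 days
  cleanup_interval: "1h"
  max_size_bytes: 536870912000  # 500GB
  per_project_quota: 53687091200  # 50GB
  # Per-ecosystem TTLs; all three currently match default_ttl.
  ttl_overrides:
    npm: "168h"
    pip: "168h"
    go: "168h"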
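# Vulnerability scanning and blocking policy for cached packages.
security:
  # As shipped this is false and every vulnerability scanner below is off.
  # Presumably the proxy then serves whatever the upstream returns without a
  # vulnerability check (confirm). Turn this on, together with at least one
  # scanner, before relying on the cache as a policy gate.
  enabled: false
  block_on_severity: "high"  # none, low, medium, high, critical
  scan_on_download: true  # Scan packages on first download
  rescan_interval: "24h"  # How often to re-scan packages (e.g., 24h, 168h for weekly)
  # With false, scanners that keep a local database may start with stale
  # data; make sure something else refreshes it.
  update_db_on_startup: false  # Update vulnerability databases on startup
  # Both lists are exemptions from enforcement. Keep them short, pin exact
  # versions, and record why each entry exists so it can be removed later.
  allowed_packages: []  # Packages that bypass security checks (format: "registry/name@version")
  ignored_cves: []  # CVE IDs to ignore globally (e.g., "CVE-2021-23337")

  # NOTE(review): high is -1 (unlimited) here while block_on_severity above
  # is "high". How the two settings interact is not shown in this file -
  # confirm which one decides before relying on either.
  block_thresholds:
    critical: 0  # Max critical vulns (0 = block any)
    high: -1  # Max high vulns (-1 = unlimited)
    medium: -1  # Max medium vulns
    low: -1  # Max low vulns

  scanners:
    # Trivy - Comprehensive vulnerability scanner from Aqua Security
    # Supports: containers, OS packages, language packages
    trivy:
      enabled: false
      timeout: "5m"
      cache_db: "/var/lib/trivy"

    # OSV - Google's Open Source Vulnerabilities database
    # Supports: npm, PyPI, Go, Maven, NuGet, etc.
    # NOTE(review): lookups go to a third-party API, which may disclose the
    # names of internal packages - confirm what is sent before enabling.
    osv:
      enabled: false
      api_url: "https://api.osv.dev"
      timeout: "30s"

    # Grype - Multi-ecosystem vulnerability scanner from Anchore
    # Supports: all package types, containers, SBOMs
    grype:
      enabled: false
      timeout: "5m"

    # govulncheck - Official Go vulnerability scanner from the Go team
    # Supports: Go modules only
    govulncheck:
      enabled: false
      timeout: "5m"

    # npm-audit - npm's built-in vulnerability scanner
    # Supports: npm packages only
    npm_audit:
      enabled: false
      timeout: "2m"

    # pip-audit - Python package vulnerability scanner
    # Supports: PyPI packages only
    pip_audit:
      enabled: false
      timeout: "2m"

    # GitHub Advisory Database - GitHub's security advisory database
    # Supports: npm, pip, go, maven, nuget, cargo, pub
    # Optional: Set token for higher API rate limits (60 req/hour unauthenticated, 5000 req/hour authenticated)
    ghsa:
      enabled: false
      timeout: "30s"
      # A token placed here is a secret: keep it out of version control and
      # grant it no more scopes than advisory lookups need.
      token: ""  # Optional: GitHub personal access token (ghp_...)

    # Static Analysis - Basic static analysis and package validation
    static:
      enabled: true
      max_package_size: 2147483648  # 2GB
      # Keep true: this is the integrity check on fetched artifacts.
      check_checksums: true
      # false presumably means suspicious findings are reported but the
      # package is still served (confirm).
      block_suspicious: false
      # An empty list presumably means no license restriction (confirm).
      allowed_licenses: []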
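# API key authentication.
auth:
  enabled: true
  # "0" means keys never expire, so a leaked key stays valid until someone
  # revokes it by hand. A finite duration such as "8760h" bounds that
  # exposure.
  key_expiration: "0"  # Never expire (0), or duration like "8760h" for 1 year
  # bcrypt work factor; each +1 doubles the hashing time. Presumably applied
  # to stored API keys (confirm).
  bcrypt_cost: 10
  # Keep on: the audit trail is what lets you reconstruct key usage after an
  # incident.
  audit_log: true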
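# Outbound connection limits and resilience settings.
# NOTE(review): the nesting here was reconstructed from a listing that had
# lost its indentation. rate_limit, circuit_breaker and retry are placed
# under network by analogy with the storage and metadata sections - confirm
# against the project's config schema.
network:
  connect_timeout: "10s"
  read_timeout: "5m"
  write_timeout: "5m"
  max_idle_conns: 100
  max_conns_per_host: 10

  # Request ceilings per API key and per client IP. The time window
  # (per second or per minute) is not stated in this file - confirm.
  # If the service runs behind a reverse proxy, check that per_ip sees the
  # real client address and not the proxy's.
  rate_limit:
    per_api_key: 1000
    per_ip: 100
    burst_size: 50

  circuit_breaker:
    threshold: 5
    timeout: "30s"
    reset_interval: "60s"

  retry:
    max_attempts: 3
    initial_backoff: "1s"
    max_backoff: "30s"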
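# Log verbosity and output format.
logging:
  # NOTE(review): before using "debug" outside development, check what it
  # logs - request headers could include API keys.
  level: "info"  # debug, info, warn, error
  format: "json"  # json, pretty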
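# Per-ecosystem proxy handlers. The upstream URLs are the source of
# everything the cache later serves: keep them on https and point them only
# at registries you trust.
handlers:
  go:
    enabled: true
    upstream_proxy: "https://proxy.golang.org"
    checksum_db: "https://sum.golang.org"
    # Keep true; presumably verifies fetched modules against checksum_db
    # above (confirm).
    verify_checksums: true

  npm:
    enabled: true
    upstream_registry: "https://registry.npmjs.org"

  pypi:
    enabled: true
    upstream_url: "https://pypi.org"
    simple_api_url: "https://pypi.org/simple"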