Most of Bayanat's system settings can now be configured from the front-end. However, a few settings still need to be set in the `.env` file.
For interactive creation of the `.env` file, you can use the `gen-env.sh` script in the root directory:
```sh
./gen-env.sh
```
To configure your Bayanat server manually, copy the `.env-sample` file to `.env` in the root directory of the Bayanat installation and check below for more information about the available settings.
Bayanat uses secure cookies by default, which requires HTTPS. If you're working in a development environment, you can disable this by setting `SECURE_COOKIES=False` in `.env`.
Changing this default setting is not recommended in production environments.
`SECRET_KEY` is used to keep the sessions secure. You need to generate a strong key and keep it safe. For more information you can check the Flask documentation.
You can use the following command to generate a new secret key:
```sh
openssl rand -base64 16
```
Or (printed as hex so the value pastes cleanly into `.env`):
```sh
python -c 'import os; print(os.urandom(16).hex())'
```
Changing the secret key will result in all users being logged out of the system.
Bayanat should by default work without the following settings if installed natively with PostgreSQL on the same host. They are required for Docker deployment.
The following settings allow Bayanat to connect to the PostgreSQL database:
- `POSTGRES_DB`: name of the database. Bayanat will use `bayanat` by default.
- `POSTGRES_HOST`: PostgreSQL host. Leave empty if PostgreSQL is installed locally, or use `postgres` if you're deploying on Docker.
- `POSTGRES_PASSWORD`: password for the PostgreSQL database. Not required if Bayanat and PostgreSQL are installed on the same host.
- `POSTGRES_USER`: username for the PostgreSQL database. Not required if Bayanat and PostgreSQL are installed on the same host.
Bayanat should by default work without the following settings if installed natively with Redis on the same host. They are required for Docker deployment.
- `REDIS_HOST`: Redis host. Leave empty if Redis is installed locally, or use `redis` if you're deploying on Docker.
- `REDIS_PASSWORD`: Redis password, if set.
The `SECURITY_PASSWORD_SALT` salt needs to be generated and kept secret. You can use the following command to generate a new salt:
```sh
openssl rand -base64 32
```
Or:
```sh
python -c 'import secrets; print(secrets.SystemRandom().getrandbits(128))'
```
Changing the password salt will invalidate all current passwords in the system, and users won't be able to use their passwords to log in.
You need to generate a secret for encrypting/decrypting stored TOTP keys and add it to `SECURITY_TOTP_SECRETS`. A good secret can be generated with the following command:
```sh
python -c 'import passlib.totp; print(passlib.totp.generate_secret())'
```
Or:
```sh
openssl rand -base64 32
```
You can read more about two-factor configuration on the Flask-Security documentation website.
Changing this secret will invalidate all TOTP keys, and users who activated 2FA won't be able to log into the system.
Bayanat will use the `enferno/media/` folder to store media files.
Bayanat is designed to work with Amazon's S3 storage.
You'll need to set up the bucket with the correct policy and permissions for the AWS user. Public access should be blocked.
A CORS policy is also required on the bucket. Allowed Origin can be set to the domain of the system; the sample CORS configuration below uses `*`, which you can narrow to the system's domain.
Bucket policy (replace `account`, `username` and `bucket_name` with your own values):
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account:user/username"
      },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket_name"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::account:user/username"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectRetention",
        "s3:PutObjectRetention"
      ],
      "Resource": "arn:aws:s3:::bucket_name/*"
    }
  ]
}
```
CORS configuration for the bucket:
```json
[
  {
    "AllowedHeaders": [
      "*"
    ],
    "AllowedMethods": [
      "GET"
    ],
    "AllowedOrigins": [
      "*"
    ],
    "ExposeHeaders": []
  }
]
```
IAM policy for the AWS user:
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectRetention",
        "s3:PutObjectRetention",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket_name",
        "arn:aws:s3:::bucket_name/*"
      ]
    }
  ]
}
```
To enable the path scanning feature, an allowed path needs to be set using `ETL_ALLOWED_PATH`.
Path scanning should only be used when it's needed and otherwise be disabled.
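As an added example (not part of the Bayanat project), the following script parses a `.env` file and flags the settings discussed above that weaken a production deployment: disabled secure cookies, short or missing secrets, an enabled scan path, and missing Docker service hosts. The sample `.env` text and the minimum secret lengths are this example's own assumptions.

```python
# Added example, not Bayanat project code: parse a .env file and flag the
# security-relevant settings discussed above. Sample .env text is constructed.
import re

ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

def parse_env(text: str) -> dict:
    # KEY=VALUE lines; comments and blanks skipped, one layer of quotes stripped
    env = {}
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if not m or line.lstrip().startswith("#"):
            continue
        key, val = m.groups()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        env[key] = val
    return env

def check_env(env: dict, docker: bool = False) -> list:
    # Returns human-readable findings; an empty list means nothing was flagged.
    findings = []
    # Secrets must be present with enough length: 16 random bytes base64-encode
    # to 24 characters (thresholds below are this example's assumption).
    for key, min_len in (("SECRET_KEY", 24), ("SECURITY_PASSWORD_SALT", 32),
                         ("SECURITY_TOTP_SECRETS", 16)):
        if len(env.get(key, "")) < min_len:
            findings.append(f"{key}: missing or shorter than {min_len} chars")
    # Secure (HTTPS-only) cookies are the default; False is for development only.
    if env.get("SECURE_COOKIES", "True").lower() in ("false", "0", "no"):
        findings.append("SECURE_COOKIES: disabled")
    # Path scanning is meant to stay off unless it is actually needed.
    if env.get("ETL_ALLOWED_PATH"):
        findings.append("ETL_ALLOWED_PATH: path scanning enabled")
    # Docker deployments need the compose service names and a DB password.
    if docker:
        for key, expected in (("POSTGRES_HOST", "postgres"), ("REDIS_HOST", "redis")):
            if env.get(key) != expected:
                findings.append(f"{key}: expected '{expected}' under Docker")
        if not env.get("POSTGRES_PASSWORD"):
            findings.append("POSTGRES_PASSWORD: required under Docker")
    return findings

SAMPLE_ENV = """# constructed sample, not a real deployment
SECURE_COOKIES=False
SECRET_KEY="short"
SECURITY_PASSWORD_SALT=Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4
POSTGRES_HOST=postgres
ETL_ALLOWED_PATH=/srv/scan
"""
```

Running `check_env(parse_env(SAMPLE_ENV), docker=True)` on the constructed sample reports six findings, including the short `SECRET_KEY`, the disabled secure cookies and the missing `REDIS_HOST`.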
To run your own OpenStreetMap tile server on offline servers or for increased privacy, check https://github.com/Overv/openstreetmap-tile-server.
You can then update the Maps API Endpoint setting in the Maps section of Bayanat's system settings dashboard to point to your local tile server.