Configuration files

All the configuration files are store in /etc/ajenti :

  • config.yml: the main configuration file with all important parameters,
  • smtp.yml: credentials to an email server relay, if you want to use some mail notifications or reset password functionality,
  • users.yml: the default file which contains user account for the user authentication provider.

All configuration files use the yaml format

config.yml in details

Ajenti will use the following parameters :

auth block

auth:
  allow_sudo: true
  emails: {}
  provider: os
  users_file: /etc/ajenti/users.yml

Explanations:

  • allow_sudo: true or false (allow users in the sudo group to elevate)
  • emails: {} (not currently used)
  • provider: authentication method to use, os (users from the os) or users
  • users_file: if the users authentication provider is used, path to the users file (default /etc/ajenti/users.yml)

bind block

bind:
  host: 0.0.0.0
  mode: tcp
  port: 8000

Explanations:

  • host: ip on which to listen (default 0.0.0.0)
  • mode: type of socket, tcp or unix
  • port: port on which to listen, default 8000

ssl block

ssl:
  enable: true
  certificate: /etc/ajenti/mycert.pem
  fqdn_certificate: /etc/letsencrypt/ajenti.pem
  force: false
  client_auth:
     enable: true
     force: true
     certificates:
       digest: 15:E8:5E:E5:D2:E8:75:0D:53:FF:22:A8:79:28:E5:BE:33:E0:37:07:FB:31:47:4D:61:69:AB:43:F8:5B:23:78
       name: C=NA,ST=NA,O=sajenti.mydomain.com,CN=root@ajenti.mydomain.com
       serial: 352674123960898230347891590646542168839110009016
       user: root

Explanations:

  • enable: true or false to provide support for https. It’s highly recommended to set it to true
  • certificate: full path to default global certificate, used to generate client certificates, and fot the https protocol, if the parameter fqdn_certificate is not set. The PEM file should contains the certificate itself, and the private key.
  • fqdn_certificate: full path certificate for your FQDN (e.g. /etc/ajenti/mycert.pem). The PEM file should contains the certificate itself, and the private key.
  • force: spawn a small listener on port 80 to enable a redirect from http://hostname to https://hostname:port.
  • client_auth:
    • enable: true or false to enable client authentication via certificates
    • force: if true, only allows login with client certificate. If false, also permit authentication with password
    • certificates: this entry contains all client certifcates for an automatic login. It will be filled through the settings in Ajenti with the following structure:
      • digest: digest of the certificat
      • name: name of the certificat
      • serial: serial of the certificat
      • user: username

email block

email:
  enable: true
  templates:
    reset_email : /etc/ajenti/email/mytemplate_for_reset_password.html

Explanations:

  • enable: true or false, if you want to enable the password reset function. But for this you need to set the smtp credentials in /etc/ajenti/smtp.yml
  • templates: * reset_email: full path to template email for reset password functionality

The default template used to reset email password is located here. The variables are automatically filled with jinja2.

Other global parameters

color: blue
language: en
logo: /srv/dev/ajenti/ajenti-panel/aj/static/images/Logo.png
max_sessions: 10
name: ajenti.mydomain.com
restricted_user: nobody
session_max_time: 1200

Explanations:

  • color: secundary color of the CSS theme (possibles values are default, bluegrey, red, deeporange, orange, green, teal, blue and purple)
  • language: language prefence for all users, default en
  • logo: full path to your own logo, default is the one from Ajenti
  • max_sessions: max number of simultaneously sessions, default is 99. If the max is reached, the older inactive session will be deactivated
  • name: your domain name
  • restricted_user: user to use for the restricted functionalities, like for the login page. It’s an important security parameter in order to limit the actions in restricted environments : all actions in restricted environments will be done with this user’s privileges. Default is nobody.
  • session_max_time: max validity time in seconds before automatic logout. Default is 3600 (one hour).

smtp.yml in details

This file contains all the credentials of an email server which can be used as email relay to send some notifications, like an email to reset a forgotten password.

smtp:
  password: MyVeryStrongStrongPassword
  port: starttls
  server: mail.mydomain.com
  user: mail@mydomain.com

Explanations:

  • port: starttls (will use 587) or ssl (will use 465)
  • server: server hostname, like mail.mydomain.com
  • user: user to authenticate
  • password: password of the mail user

users.yml in details

Ajenti gives the possibility to use two authentication methods : os or users. If users is used, all user informations are stored in users_file. It’s automatically filled with the user plugin.

The default path for the users_file is /etc/ajenti/users.yml with following structure:

users:
  arnaud:
    email: arnaud@mydomain.com
    fs_root: /home/arnaud
    password: 73637279707.....
    permissions:
      packages:install: false
      sidebar:view:/view/cron: false
    uid: 1002

Explanations:

  • password: hash of the password
  • permissions: list of permissions of the user
  • uid: related os uid to run the worker on
  • fs_root: root directory
  • email: email to use for password reset.

Comments

comments powered by Disqus