Configuration

The configuration of the various components is tightly coupled and must be kept mutually consistent. For example, the Celery worker, the DBus deputy, the FreeRADIUS server, and the Flask app must talk to the PostgreSQL database, the nginx web server must talk to the uWSGI server, etc.

All of these components have their own custom configuration file format. To relieve the administrators from learning all the different configuration file formats, all the necessary options of the various components and making sure that the configuration is consistent, Hades defines its own configuration file and performs the configuration of the other components automatically for the administrator and does basic error and consistency checking. The default location of the central configuration file is /etc/hades/config.py.

Hades can't fully abstract away the components, so some basic knowledge about the components of Hades, or at least willingness to acquire it if necessary, is required, especially if errors occur. Monitoring the systemd journal is usually sufficient for debugging problems.

Syntax

The configuration file is a Python file that should contain a series of variable assignments for the various options listed below. Most of the configuration options expect primitive data types as values, such as strings, integers or booleans, while some require more complex types such as list and dict or special data types such as datetime.timedelta or netaddr.IPNetwork. You are free to use all the features of the Python programming language, but complex control flow or functions and classes should probably be avoided in a configuration file. For detailed information about Python syntax, please see The Python Tutorial and The Python Language Reference.

Importing Python modules other than the special data types from the standard library or direct dependencies of Hades should also be avoided. One can however use relative imports to spread options among multiple files.

secrets.py:

    HADES_VRRP_PASSWORD = 'hunter2'

config.py:

    from .secrets import HADES_VRRP_PASSWORD

Because you're using Python's built-in import system, you have to adhere to its rules. In particular, if you're trying to import files from other directories, those directories must contain a file named __init__.py to denote that this directory is a Python package.

Warning

You can't import from parent or sibling directories with respect to your root configuration file. Doing from ..parent import file from your root configuration file won't work as you intended, if at all.

Specifying the Config File

There are various ways to specify the configuration file for Hades. By default Hades uses the file /etc/hades/config.py. The Hades command-line tools support the -c/--config switch to specify a different file. In addition, Hades supports the environment variable HADES_CONFIG. The environment variable is especially useful for the various Hades systemd services. All Hades systemd service units source the EnvironmentFile /etc/default/hades.

The command-line switch -c/--config takes precedence over the environment variable HADES_CONFIG, which takes precedence over the default value.

Templates

The various third-party components of Hades, like nginx, are obviously not able to read Python configuration files. The Hades components that are written in Python don't require this template mechanism. This covers hades-agent, hades-deputy, hades-unauth-portal, and the various helper scripts.

The Hades systemd services generate the appropriate configuration for each third-party component before the actual service daemon is executed. The configuration files are also regenerated if the services are restarted. Reloading a service, if it supports it, does not regenerate the configuration file. You have to manually regenerate the configuration if you don't want to restart the service. For services that support it, the generated configuration is checked before the service is started or reloaded. These are the services based on dnsmasq, FreeRADIUS, and unbound.

The generated configuration files are stored in the hades subdirectory of the system's runtime directory, /run/hades by default.

The configuration files are generated from Jinja2 templates. For information about the syntax of Jinja2 templates, see the Jinja2 documentation.

Manual Generation

You might be in a situation where you want to manually generate the third-party config files. Doing this is very easy:

hades-generate-config nginx/nginx.conf.j2 /tmp/my-nginx.conf

This will compile the template nginx/nginx.conf.j2 and output its result to /tmp/my-nginx.conf.

The configuration of nginx however requires more than a file to work. If the first argument passed to hades-generate-config refers to a directory, the command will recursively compile all files ending with .j2 into files with the same name without the .j2 extension and copy all other files and directories as-is.

hades-generate-config nginx /tmp/my-nginx-config

Search Path

The templates and other files and directories are looked up in a set of directories on the template search path. By default, the template search path is comprised of the two directories /etc/hades/templates and /usr/share/hades/templates in this order.

The directory /usr/share/hades/templates contains the default templates shipped with Hades; the directory /etc/hades/templates is intended for use by the administrator to override the default templates, if deemed necessary.

The lookup algorithm is analogous to how systemd looks for its unit files or how the shell finds executables on the PATH.

Deletion Markers

Instead of overriding the contents of a file, it may be necessary or convenient to omit files or directories from the generated configuration files. The mechanism is again analogous to how systemd allows you to mask with symbolic links to /dev/null.
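The lookup and masking rules described in the two sections above, as an added sketch that is not Hades' own code. It assumes that a deletion marker is a symbolic link to /dev/null, that a marker on a directory masks everything below it, and that directory contents are merged across the search path; the function names and the file names in the constructed tree are hypothetical.

```python
import os
import tempfile
from pathlib import Path

# Search path from the page, highest priority first.
DEFAULT_SEARCH_PATH = ("/etc/hades/templates", "/usr/share/hades/templates")


def is_deletion_marker(path):
    # Assumption: a marker is a symlink pointing at /dev/null (systemd-style mask).
    return path.is_symlink() and os.readlink(path) == os.devnull


def resolve(name, search_path=DEFAULT_SEARCH_PATH):
    """Return the first match for `name`, or None if it is missing or masked."""
    for base in search_path:
        current = Path(base)
        for part in Path(name).parts:
            current = current / part
            if is_deletion_marker(current):
                return None  # masked: lower-priority directories are not consulted
        if current.exists():
            return current
    return None


def plan(directory, search_path=DEFAULT_SEARCH_PATH):
    """Map each output file of `directory` to (action, source path)."""
    candidates = set()
    for base in search_path:
        root = Path(base) / directory
        if not root.is_dir():
            continue
        # Symlinks to /dev/null are not directories, so os.walk lists them as files.
        for dirpath, _dirnames, filenames in os.walk(root):
            for filename in filenames:
                candidates.add((Path(dirpath) / filename).relative_to(base))
    result = {}
    for rel in sorted(candidates):
        source = resolve(rel, search_path)
        if source is None:
            continue  # masked by a deletion marker
        out = rel.relative_to(directory)
        if out.suffix == ".j2":
            result[str(out.with_suffix(""))] = ("render", source)  # drop the .j2 extension
        else:
            result[str(out)] = ("copy", source)
    return result


def demo():
    """Build a constructed override/default tree and return the resulting plan."""
    with tempfile.TemporaryDirectory() as tmp:
        override, default = Path(tmp, "etc"), Path(tmp, "usr")
        for rel in ("nginx/nginx.conf.j2", "nginx/mime.types",
                    "nginx/conf.d/status.conf.j2", "nginx/snippets/extra.conf"):
            (default / rel).parent.mkdir(parents=True, exist_ok=True)
            (default / rel).write_text("shipped default\n")
        (override / "nginx/conf.d").mkdir(parents=True)
        (override / "nginx/nginx.conf.j2").write_text("admin override\n")
        os.symlink(os.devnull, override / "nginx/conf.d/status.conf.j2")  # mask a file
        os.symlink(os.devnull, override / "nginx/snippets")  # mask a directory
        search_path = (str(override), str(default))
        return {out: (action, src.relative_to(tmp).parts[0])
                for out, (action, src) in plan("nginx", search_path).items()}


if __name__ == "__main__":
    for output, (action, origin) in sorted(demo().items()):
        print(f"{action:6} {output:12} from {origin}")
```

In the constructed tree only nginx.conf (rendered from the administrator's override) and mime.types (copied from the shipped defaults) survive; both masked entries disappear from the output.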

Options Reference

The following list of available options is automatically generated from the Python classes that represent the options internally.

class hades.config.options.HadesOption
abstract = True
default: Any
HADES_SITE_NAME

Name of the site

Required:

This option is required.

Type:

str

Static Check:

Must match regular expression: '\\A[a-z][a-z0-9-]*\\Z'

HADES_SITE_NODE_ID

ID of the site node

Required:

This option is required.

Type:

str

Static Check:

Must match regular expression: '\\A[a-z][a-z0-9-]*\\Z'

HADES_MAIL_DESTINATION_ADDRESSES

Automatic notification mails will be sent to this address.

Type:

collections.abc.Sequence

Static Check:

Must satisfy all of the following:

  • Must not be empty

  • All elements must satisfy: Type must be str

HADES_MAIL_SENDER_ADDRESS

Automatic notification mails will use this address as sender.

Type:

str

HADES_MAIL_SMTP_SERVER

Name or IP address of SMTP relay server.

Type:

str

HADES_REAUTHENTICATION_INTERVAL

RADIUS periodic reauthentication interval

Default:

datetime.timedelta(seconds=300)

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_RETENTION_INTERVAL

RADIUS postauth and accounting data retention interval

Default:

datetime.timedelta(days=1)

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_CONTACT_ADDRESSES

Contact addresses displayed on the captive portal page

Required:

This option is required.

Type:

collections.abc.Mapping

HADES_USER_NETWORKS

Public networks of authenticated users.

Dictionary of networks. Keys are unique identifiers of the network, values are netaddr.IPNetwork objects

Required:

This option is required.

Type:

collections.abc.Mapping

Static Check:

Must satisfy all of the following:

  • Must not be empty

  • All values must satisfy: Must not be network or broadcast address (except if /31)

HADES_CUSTOM_IPTABLES_INPUT_RULES

Additional iptables rules for INPUT chain.

A list of valid iptables-restore rule lines with leading -A INPUT.

Default:

[]

Type:

collections.abc.Sequence

HADES_NETNS_MAIN_AUTH_LISTEN
Default:

IPNetwork('172.18.0.0/31')

Static Check:

Must not be network or broadcast address (except if /31)

Runtime Check:

IP address must be configured

HADES_NETNS_AUTH_LISTEN
Default:

IPNetwork('172.18.0.1/31')

Static Check:

Must not be network or broadcast address (except if /31)

Runtime Check:

IP address must be configured

HADES_NETNS_MAIN_UNAUTH_LISTEN
Default:

IPNetwork('172.18.0.2/31')

Static Check:

Must not be network or broadcast address (except if /31)

Runtime Check:

IP address must be configured

HADES_NETNS_UNAUTH_LISTEN
Default:

IPNetwork('172.18.0.3/31')

Static Check:

Must not be network or broadcast address (except if /31)

Runtime Check:

IP address must be configured

HADES_POSTGRESQL_PORT

Port and socket name of the PostgreSQL database

Default:

5432

Type:

int

Static Check:

Must be between 1 and 65535 inclusively

HADES_POSTGRESQL_LISTEN

A list of addresses PostgreSQL should listen on.

Default:

(IPNetwork('127.0.0.1/8'),)

Type:

collections.abc.Sequence

Static Check:

All elements must satisfy: Must not be network or broadcast address (except if /31)

Runtime Check:

All elements must satisfy: IP address must be configured

HADES_POSTGRESQL_FOREIGN_SERVER_FDW

Name of the foreign data wrapper extensions that should be used.

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

'postgres_fdw'

Type:

str

HADES_POSTGRESQL_FOREIGN_SERVER_OPTIONS

Foreign data wrapper specific server options

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_SERVER_TYPE

Foreign data wrapper specific server type

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Type:

str

HADES_POSTGRESQL_FOREIGN_SERVER_VERSION

Foreign data wrapper specific server version

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Type:

str

HADES_POSTGRESQL_FOREIGN_TABLE_GLOBAL_OPTIONS

Foreign data wrapper options that are set on each foreign table. The options can be overridden with table specific options.

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_ALTERNATIVE_DNS_IPADDRESS_STRING

Whether the IPAddress column of the foreign alternative_dns table has a string type

Default:

False

Type:

bool

HADES_POSTGRESQL_FOREIGN_TABLE_ALTERNATIVE_DNS_OPTIONS

Foreign data wrapper options for the alternative_dns table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'alternative_dns'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_AUTH_DHCP_HOST_IPADDRESS_STRING

Whether the IPAddress column of the foreign auth_dhcp_host table has a string type

Default:

False

Type:

bool

HADES_POSTGRESQL_FOREIGN_TABLE_AUTH_DHCP_HOST_MAC_STRING

Whether the MAC column of the foreign auth_dhcp_host table has a string type

Default:

False

Type:

bool

HADES_POSTGRESQL_FOREIGN_TABLE_AUTH_DHCP_HOST_OPTIONS

Foreign data wrapper options for the auth_dhcp_host table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'auth_dhcp_host'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_NAS_OPTIONS

Foreign data wrapper options for the nas table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'nas'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_RADCHECK_NASIPADDRESS_STRING

Whether the NASIPAddress column of the foreign radcheck table has a string type.

Default:

False

Type:

bool

HADES_POSTGRESQL_FOREIGN_TABLE_RADCHECK_OPTIONS

Foreign data wrapper options for the radcheck table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'radcheck'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_RADGROUPCHECK_OPTIONS

Foreign data wrapper options for the radgroupcheck table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'radgroupcheck'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_RADGROUPREPLY_OPTIONS

Foreign data wrapper options for the radgroupreply table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'radgroupreply'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_RADREPLY_NASIPADDRESS_STRING

Whether the NASIPAddress column of the foreign radgroupcheck table has a string type

Default:

False

Type:

bool

HADES_POSTGRESQL_FOREIGN_TABLE_RADREPLY_OPTIONS

Foreign data wrapper options for the radreply table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'radreply'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_FOREIGN_TABLE_RADUSERGROUP_NASIPADDRESS_STRING

Whether the NASIPAddress column of the foreign radgroupcheck table has a string type

Default:

False

Type:

bool

HADES_POSTGRESQL_FOREIGN_TABLE_RADUSERGROUP_OPTIONS

Foreign data wrapper options for the radusergroup table

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Default:

{'table_name': 'radusergroup'}

Type:

collections.abc.Mapping

HADES_POSTGRESQL_USER_MAPPINGS

User mappings from local database users to users on the foreign database server

If HADES_LOCAL_MASTER_DATABASE is set, this option is ignored.

Type:

collections.abc.Mapping

Static Check:

Must contain a mapping for hades-database or PUBLIC

HADES_PORTAL_DOMAIN

Fully qualified domain name of the captive portal

Default:

'captive-portal.agdsn.de'

Type:

str

HADES_PORTAL_URL

URL of the landing page of the captive portal

Default:

Will be computed from the format string 'http://{}/', with HADES_PORTAL_DOMAIN as positional argument.

Type:

str

HADES_PORTAL_NGINX_WORKERS

Number of nginx worker processes

Default:

4

Type:

int

Static Check:

Must be greater than 0

HADES_PORTAL_SSL_CERTIFICATE

Path to the SSL certificate of the captive portal

Default:

'/etc/ssl/certs/ssl-cert-snakeoil.pem'

Runtime Check:

Must be an existing file

HADES_PORTAL_SSL_CERTIFICATE_KEY

Path to the SSL certificate key of the captive portal

Default:

'/etc/ssl/private/ssl-cert-snakeoil.key'

Runtime Check:

Must be an existing file

HADES_PORTAL_UWSGI_WORKERS

Number of uWSGI worker processes

Default:

4

Type:

int

Static Check:

Must be greater than 0

HADES_AUTH_DHCP_DOMAIN

DNS domain of authenticated users

Default:

'users.agdsn.de'

Type:

str

HADES_AUTH_DHCP_LEASE_LIFETIME

DHCP lease lifetime for authenticated users

Default:

datetime.timedelta(days=1)

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_AUTH_DHCP_LEASE_RENEW_TIMER

DHCP lease renew timer for authenticated users

Default:

Half of HADES_AUTH_DHCP_LEASE_LIFETIME

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_AUTH_DHCP_LEASE_REBIND_TIMER

DHCP lease rebind timer for authenticated users

Default:

0.875 of HADES_AUTH_DHCP_LEASE_LIFETIME

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_AUTH_LISTEN

Sequence of IPs and networks to listen on for requests from authenticated users.

The first IP in the sequence will be the main IP, e.g. it will be advertised as IP of DNS server in DHCP responses.

Default:

(IPNetwork('10.66.67.10/24'),)

Type:

collections.abc.Sequence

Static Check:

Must satisfy all of the following:

  • Must not be empty

  • All elements must satisfy: Must not be network or broadcast address (except if /31)

Runtime Check:

All elements must satisfy: IP address must be configured

HADES_AUTH_INTERFACE

Interface where requests of authenticated users arrive.

This interface will be moved into the auth namespace and IP addresses on this interface are managed by the keepalived hades-auth VRRP instance.

This interface should therefore be managed completely by Hades. Aside from its creation other tools, e.g. ifupdown, systemd-networkd, should not interfere. No other daemons should listen on or bind to this interface.

Required:

This option is required.

Type:

str

Runtime Check:

Network interface must exist

HADES_AUTH_BRIDGE

Name of the auth bridge interface

Default:

'br-auth'

Type:

str

Static Check:

Must match regular expression: '\\A[A-Za-z0-9_-]{1,15}\\Z'

HADES_AUTH_NEXT_HOP

The next hop, where packets to user networks (e.g. DHCP replies, DNS replies) should be forwarded to.

Default:

IPNetwork('10.66.67.1/24')

Type:

netaddr.ip.IPNetwork

Static Check:

Must not be network or broadcast address (except if /31)

HADES_AUTH_ALLOWED_TCP_PORTS

Allowed TCP destination ports for unauthenticated users

Default:

(53, 80, 443, 9053)

Type:

collections.abc.Sequence

HADES_AUTH_ALLOWED_UDP_PORTS

Allowed UDP destination ports for unauthenticated users

Default:

(53, 67, 9053)

Type:

collections.abc.Sequence

HADES_AUTH_DNS_ALTERNATIVE_IPSET

Name of ipset for alternative DNS resolving.

Default:

'hades_alternative_dns'

Type:

str

HADES_AUTH_DNS_ALTERNATIVE_ZONES

DNS zones that are transparently spoofed if alternative DNS is enabled.

Default:

{}

Type:

collections.abc.Mapping

HADES_UNAUTH_DHCP_LEASE_TIME

DHCP lease time for unauth users

This lease time should be set rather short, so that unauthenticated users will quickly obtain a new address if they become authenticated.

Default:

datetime.timedelta(seconds=120)

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_UNAUTH_INTERFACE

Interface attached to the unauth VLAN

Required:

This option is required.

Type:

str

Runtime Check:

Network interface must exist

HADES_UNAUTH_BRIDGE

Name of the unauth bridge interface

Default:

'br-unauth'

Type:

str

Static Check:

Must match regular expression: '\\A[A-Za-z0-9_-]{1,15}\\Z'

HADES_UNAUTH_LISTEN

Sequence of IPs and networks to listen for unauthenticated users.

The first IP in the sequence will be the main IP, e.g. it will be advertised as IP of DNS server in DHCP responses.

Default:

(IPNetwork('10.66.0.1/19'),)

Type:

collections.abc.Sequence

Static Check:

Must satisfy all of the following:

  • Must not be empty

  • All elements must satisfy: Must not be network or broadcast address (except if /31)

Runtime Check:

All elements must satisfy: IP address must be configured

HADES_UNAUTH_ALLOWED_TCP_PORTS

Allowed TCP destination ports for unauthenticated users

Default:

(53, 80, 443)

Type:

collections.abc.Sequence

HADES_UNAUTH_ALLOWED_UDP_PORTS

Allowed UDP destination ports for unauthenticated users

Default:

(53, 67)

Type:

collections.abc.Sequence

HADES_UNAUTH_CAPTURED_TCP_PORTS

All traffic destined to these TCP ports is transparently redirected (captured) to the unauth listen address of the site node

Default:

(53, 80, 443)

Type:

collections.abc.Sequence

HADES_UNAUTH_CAPTURED_UDP_PORTS

All traffic destined to these UDP ports is transparently redirected (captured) to the unauth listen address of the site node

Default:

(53,)

Type:

collections.abc.Sequence

HADES_UNAUTH_DHCP_RANGE

DHCP range for the unauth VLAN. Must be contained within the HADES_UNAUTH_LISTEN network.

Default:

IPRange('10.66.0.10', '10.66.31.254')

Type:

netaddr.ip.IPRange

Static Check:

Must be contained in the networks configured with HADES_UNAUTH_LISTEN
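The static checks quoted in this reference can be reproduced before deploying a configuration. The following is an added example, not Hades' own check code: it uses the standard-library ipaddress module in place of netaddr, treats "contained" as lying inside a single listen network, and its function names and sample values are constructed for illustration.

```python
import ipaddress
import re

# Patterns copied from the Static Check entries on this page.
SITE_NAME_RE = re.compile(r"\A[a-z][a-z0-9-]*\Z")   # HADES_SITE_NAME, HADES_SITE_NODE_ID
BRIDGE_RE = re.compile(r"\A[A-Za-z0-9_-]{1,15}\Z")  # HADES_AUTH_BRIDGE, HADES_UNAUTH_BRIDGE


def is_usable_host(value):
    """'Must not be network or broadcast address (except if /31)'."""
    iface = ipaddress.ip_interface(value)
    net = iface.network
    if net.version == 4 and net.prefixlen == 31:
        return True  # point-to-point link: both addresses are usable
    return iface.ip not in (net.network_address, net.broadcast_address)


def range_in_listen(first, last, listen):
    """'Must be contained in the networks configured with HADES_UNAUTH_LISTEN'."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    networks = [ipaddress.ip_interface(v).network for v in listen]
    return lo <= hi and any(lo in net and hi in net for net in networks)


def all_usable(values):
    # 'Must not be empty' plus the per-element address check.
    return len(values) > 0 and all(is_usable_host(v) for v in values)


CHECKS = {
    "HADES_SITE_NAME": lambda v: SITE_NAME_RE.match(v) is not None,
    "HADES_SITE_NODE_ID": lambda v: SITE_NAME_RE.match(v) is not None,
    "HADES_AUTH_BRIDGE": lambda v: BRIDGE_RE.match(v) is not None,
    "HADES_NETNS_MAIN_AUTH_LISTEN": is_usable_host,
    "HADES_AUTH_LISTEN": all_usable,
    "HADES_UNAUTH_LISTEN": all_usable,
    "HADES_POSTGRESQL_PORT": lambda v: 1 <= v <= 65535,
    "HADES_PRIORITY": lambda v: 1 <= v <= 254,
}


def failed_checks(cfg):
    """Return the sorted names of the options that fail their static check."""
    failed = [name for name, check in CHECKS.items() if not check(cfg[name])]
    first, last = cfg["HADES_UNAUTH_DHCP_RANGE"]
    if not range_in_listen(first, last, cfg["HADES_UNAUTH_LISTEN"]):
        failed.append("HADES_UNAUTH_DHCP_RANGE")
    return sorted(failed)


# Constructed sample values; the addresses mirror the defaults listed on this page.
GOOD = {
    "HADES_SITE_NAME": "dorm-a",
    "HADES_SITE_NODE_ID": "node-1",
    "HADES_AUTH_BRIDGE": "br-auth",
    "HADES_NETNS_MAIN_AUTH_LISTEN": "172.18.0.0/31",  # network address, allowed as /31
    "HADES_AUTH_LISTEN": ("10.66.67.10/24",),
    "HADES_UNAUTH_LISTEN": ("10.66.0.1/19",),
    "HADES_UNAUTH_DHCP_RANGE": ("10.66.0.10", "10.66.31.254"),
    "HADES_POSTGRESQL_PORT": 5432,
    "HADES_PRIORITY": 100,
}
BAD = dict(
    GOOD,
    HADES_SITE_NAME="dorm-a\n",                         # \Z rejects the trailing newline
    HADES_AUTH_LISTEN=("10.66.67.0/24",),               # network address of a /24
    HADES_UNAUTH_DHCP_RANGE=("10.66.0.10", "10.66.32.5"),  # ends outside 10.66.0.0/19
    HADES_PRIORITY=255,                                 # above the 1..254 range
)

if __name__ == "__main__":
    print("good:", failed_checks(GOOD))
    print("bad: ", failed_checks(BAD))
```

The anchors \A and \Z matter here: the same pattern written with ^ and $ would accept the site name with a trailing newline.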

HADES_UNAUTH_WHITELIST_DNS

List of DNS names which are whitelisted for unauthenticated users.

Default:

()

Type:

collections.abc.Sequence

HADES_UNAUTH_WHITELIST_IPSET

Name of ipset for whitelisted IPs.

Default:

'hades_unauth_whitelist'

Type:

str

HADES_RADIUS_LISTEN

Sequence of IPs and networks the RADIUS server is listening on.

Default:

(IPNetwork('10.66.68.10/24'),)

Type:

collections.abc.Sequence

Static Check:

Must satisfy all of the following:

  • Must not be empty

  • All elements must satisfy: Must not be network or broadcast address (except if /31)

Runtime Check:

All elements must satisfy: IP address must be configured

HADES_RADIUS_INTERFACE

Interface the RADIUS server is listening on

Required:

This option is required.

Type:

str

Runtime Check:

Network interface must exist

HADES_RADIUS_AUTHENTICATION_PORT

RADIUS authentication port

Default:

1812

Type:

int

HADES_RADIUS_ACCOUNTING_PORT

RADIUS accounting port

Default:

1813

Type:

int

HADES_RADIUS_LOCALHOST_SECRET

Shared secret for the localhost RADIUS client

Type:

str

HADES_RADIUS_DATABASE_FAIL_ACCEPT

Send Access-Accept packets if the RADIUS sql module fails

Default:

True

Type:

bool

HADES_RADIUS_DATABASE_FAIL_REPLY_ATTRIBUTES

Reply attributes that will be set in Access-Accept packets if the RADIUS sql module fails.

The attribute value must be specified in proper FreeRADIUS syntax. That means that string replies should be enclosed in single quotes.

Default:

{'Reply-Message': "'database_down'"}

Type:

collections.abc.Mapping

HADES_RADIUS_UNKNOWN_USER

The User-Name, that is used as fallback if the MAC address was not found in the database.

Default:

'unknown'

Type:

str

HADES_GRATUITOUS_ARP_INTERVAL

Period in which gratuitous ARP requests are broadcast to notify

  1. clients of the MAC address of current master site node instance

  2. clients switching from the auth to the unauth VLAN of the new gateway MAC

Default:

datetime.timedelta(seconds=1)

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_PRIORITY

Priority of the site node instance.

The available instance with the highest priority becomes master.

Default:

100

Type:

int

Static Check:

Must be between 1 and 254 inclusively

HADES_INITIAL_MASTER

Flag that indicates if the site node instance starts in master state

Default:

False

Type:

bool

HADES_VRRP_INTERFACE

Interface for VRRP communication

Type:

str

Runtime Check:

Network interface must exist

HADES_VRRP_BRIDGE

Interface name for VRRP bridge (created if necessary)

Default:

'br-vrrp'

Type:

str

Static Check:

Must not be empty

HADES_VRRP_LISTEN_AUTH

IP and network for VRRP communication (auth instance)

Type:

netaddr.ip.IPNetwork

Static Check:

Must not be network or broadcast address (except if /31)

Runtime Check:

IP address must be configured

HADES_VRRP_LISTEN_ROOT

IP and network for VRRP communication (root instance)

Type:

netaddr.ip.IPNetwork

Static Check:

Must not be network or broadcast address (except if /31)

Runtime Check:

IP address must be configured

HADES_VRRP_LISTEN_UNAUTH

IP and network for VRRP communication (unauth instance)

Type:

netaddr.ip.IPNetwork

Static Check:

Must not be network or broadcast address (except if /31)

Runtime Check:

IP address must be configured

HADES_VRRP_PASSWORD

Shared secret to authenticate VRRP messages between site node instances.

Required:

This option is required.

Type:

str

HADES_VRRP_VIRTUAL_ROUTER_ID_AUTH

Virtual router ID used by Hades (auth instance)

Default:

66

Type:

int

Static Check:

Must be between 0 and 255 inclusively

HADES_VRRP_VIRTUAL_ROUTER_ID_ROOT

Virtual router ID used by Hades (root instance)

Default:

67

Type:

int

Static Check:

Must be between 0 and 255 inclusively

HADES_VRRP_VIRTUAL_ROUTER_ID_UNAUTH

Virtual router ID used by Hades (unauth instance)

Default:

68

Type:

int

Static Check:

Must be between 0 and 255 inclusively

HADES_VRRP_ADVERTISEMENT_INTERVAL

Interval between VRRP advertisements

Default:

datetime.timedelta(seconds=5)

Type:

datetime.timedelta

Static Check:

Must be greater than datetime.timedelta(0)

HADES_VRRP_PREEMPTION_DELAY

Delay before a MASTER transitions to BACKUP when a node with a higher priority comes online

Default:

datetime.timedelta(seconds=30)

Type:

datetime.timedelta

Static Check:

Must be between datetime.timedelta(0) and datetime.timedelta(seconds=1000) inclusively

HADES_CREATE_DUMMY_INTERFACES

Create dummy interfaces if interfaces do not exist

Default:

False

Type:

bool

HADES_LOCAL_MASTER_DATABASE

Create and use a local “foreign” database.

Default:

False

Type:

bool

HADES_BRIDGE_SERVICE_INTERFACES

Link the service interface of the auth and unauth network namespaces through bridges and veth interfaces rather than moving the interface directly into the network namespace.

This allows other interfaces to be attached to the bridge, e.g. to test DHCP.

Default:

False

Type:

bool

DEBUG

Flask debug mode flag

Type:

bool

BABEL_DEFAULT_LOCALE

Default locale of the portal application

Default:

'de_DE'

Type:

str

BABEL_DEFAULT_TIMEZONE

Default timezone of the portal application

Default:

'Europe/Berlin'

Type:

str

SQLALCHEMY_DATABASE_URI
Default:

A URI targeting the default postgresql socket in the pkgrunstatedir.

The port is set to HADES_POSTGRESQL_PORT and the user is the default database user.

Type:

str

HADES_CELERY_PREFIX
Default:

'hades.'

Type:

str

HADES_CELERY_WORKER_HOSTNAME

Hostname of the hades-agent Celery worker.

Default:

Will be computed from the format string '{}.{}', with HADES_SITE_NAME, HADES_SITE_NODE_ID as positional arguments.

Type:

str

HADES_CELERY_RPC_EXCHANGE
Default:

Will be computed from the format string '{}rpc-call', with HADES_CELERY_PREFIX as positional argument.

Type:

str

HADES_CELERY_RPC_EXCHANGE_TYPE
Default:

'topic'

Type:

str

HADES_CELERY_NOTIFY_EXCHANGE
Default:

Will be computed from the format string '{}notify', with HADES_CELERY_PREFIX as positional argument.

Type:

str

HADES_CELERY_NOTIFY_EXCHANGE_TYPE
Default:

'topic'

Type:

str

HADES_CELERY_NODE_QUEUE
Default:

Will be computed from the format string '{}{}.{}', with HADES_CELERY_PREFIX, HADES_SITE_NAME, HADES_SITE_NODE_ID as positional arguments.

Type:

str

HADES_CELERY_NODE_QUEUE_TTL

TTL of the node's queue in seconds

Default:

5.0

Type:

float

HADES_CELERY_NODE_QUEUE_MAX_LENGTH

Maximum length (in messages) of the node's queue

Default:

1000

Type:

int

HADES_CELERY_ROUTING_KEY_NODES_ALL
Default:

'nodes'

Type:

str

HADES_CELERY_ROUTING_KEY_NODES_SITE
Default:

Will be computed from the format string 'nodes.{}', with HADES_SITE_NAME as positional argument.

Type:

str

HADES_CELERY_ROUTING_KEY_NODES_SELF
Default:

Will be computed from the format string 'nodes.{}.{}', with HADES_SITE_NAME, HADES_SITE_NODE_ID as positional arguments.

Type:

str

HADES_CELERY_ROUTING_KEY_MASTERS_ALL
Default:

Will be computed from the format string 'masters', with HADES_SITE_NAME as positional argument.

Type:

str

HADES_CELERY_ROUTING_KEY_MASTERS_SITE
Default:

Will be computed from the format string 'masters.all.{}', with HADES_SITE_NAME as positional argument.

Type:

str

HADES_CELERY_ROUTING_KEY_MASTERS_SITE_AUTH
Default:

Will be computed from the format string 'masters.auth.{}', with HADES_SITE_NAME as positional argument.

Type:

str

HADES_CELERY_ROUTING_KEY_MASTERS_SITE_ROOT
Default:

Will be computed from the format string 'masters.root.{}', with HADES_SITE_NAME as positional argument.

Type:

str

HADES_CELERY_ROUTING_KEY_MASTERS_SITE_UNAUTH
Default:

Will be computed from the format string 'masters.unauth.{}', with HADES_SITE_NAME as positional argument.

Type:

str

HADES_CELERY_STATE_DB

Path of Celery node state database

Default:

'/usr/local/var/run/hades/agent/state.db'

Type:

str

BROKER_URL
Type:

str

BROKER_CONNECTION_MAX_RETRIES

Maximum number of retries before giving up re-establishing the connection to the broker.

Set to zero to retry forever in case of longer partitions between sites and the main database.

Default:

0

Type:

int

CELERY_ENABLE_UTC
Default:

True

Type:

bool

CELERY_DEFAULT_DELIVERY_MODE
Default:

'transient'

Type:

str

CELERY_QUEUES
Default:

Declare two exchanges, one for RPCs and one for notifications.

RPCs return results and should therefore only be answered by a single agent. Notifications have no results and are processed by potentially multiple agents.

Each agent/site node has a single queue specific to this node. This queue is bound to the RPC exchange with a node-specific routing key and to the notify exchange with the site-specific, node-specific, and empty routing key. The agent on a site node, where the root VRRP instance has become MASTER, will also bind its queue to the RPC exchange with the site-specific routing key and remove this binding as soon as the site leaves the MASTER state.

This setup ensures that RPC messages can be sent to a specific agent/node, by using the node-specific routing key and to the agent on the master by using the site-specific routing key. Notifications can be sent to all agents/nodes by using the empty routing key, to all agents/nodes of a site by using the site-specific routing key, and to a specific node by using the node-specific routing key.

Type:

collections.abc.Sequence

CELERYD_PREFETCH_MULTIPLIER
Default:

1

Type:

int

CELERY_TIMEZONE
Default:

'UTC'

Type:

str

CELERY_DEFAULT_QUEUE
Default:

Equal to HADES_CELERY_NODE_QUEUE

Type:

str

CELERY_DEFAULT_ROUTING_KEY
Default:

Equal to HADES_CELERY_ROUTING_KEY_MASTERS_SITE_ROOT

Type:

str

CELERY_DEFAULT_EXCHANGE
Default:

Equal to HADES_CELERY_RPC_EXCHANGE

Type:

str

CELERY_ACCEPT_CONTENT
Default:

['json']

Type:

collections.abc.Sequence

CELERY_EVENT_SERIALIZER
Default:

'json'

Type:

str

CELERY_RESULT_EXCHANGE_TYPE
Default:

'direct'

Type:

str

CELERY_RESULT_PERSISTENT
Default:

False

Type:

bool

CELERY_RESULT_SERIALIZER
Default:

'json'

Type:

str

CELERY_TASK_SERIALIZER
Default:

'json'

Type:

str

CELERY_RESULT_BACKEND
Default:

'rpc://'

Type:

str

CELERY_RESULT_EXCHANGE
Default:

Will be computed from the format string '{}rpc-result', with HADES_CELERY_PREFIX as positional argument.

Type:

str

CELERY_IMPORTS
Default:

()

Type:

collections.abc.Sequence

CELERY_TASK_RESULT_EXPIRES
Default:

datetime.timedelta(seconds=300)

Type:

datetime.timedelta