# Variables for postinstall.sh automation.
#
# Before use, set the variables for your deployment.
# Remove either the local or the external database section,
# depending on which type of database is used.
# You can then export the variables with:
#
# source postinstall_env

###################################
# Skip automatic postinstallation #
# during upgrades                 #
###################################

# postinstall.sh is run automatically during upgrades.
# For HA setups, and in any other scenario where postinstall.sh has to be run
# manually, set this variable to "TRUE", "true" or "1" before starting the
# upgrade process.
# To let upgrades run postinstall.sh automatically, leave the variable unset
# or set it to "FALSE", "false" or "0" (unset it if it was set previously).

# Skip the automatic postinstallation steps during upgrade.
# When enabled during an rpm upgrade, the admin must run
# /opt/privx/scripts/postinstall.sh manually afterwards to migrate.
# See https://privx.docs.ssh.com/docs/privx-high-availability-deployment#additional-privx-nodes
SKIP_POSTINSTALL='TRUE'
export SKIP_POSTINSTALL

#######################
# appliance addresses #
#######################

# Space-separated list of DNS names.
# At least one DNS name is mandatory. For HA setups, include the load balancer FQDN here.
PRIVX_DNS_NAMES='example.com privx.example.com'
export PRIVX_DNS_NAMES
# Space-separated list of IP addresses.
# IP addresses are optional. Set to " " to disable the interactive IP address prompt.
PRIVX_IP_ADDRESSES='192.0.2.100 192.0.2.101'
export PRIVX_IP_ADDRESSES
# Number of trusted load balancers in front of this PrivX node.
# Written to "strip_how_many_x_forwarded_for_client_ips" in /opt/privx/etc/shared-config.toml.
# Keep this equal to the number of proxies you actually control; a larger value
# would presumably let a client-supplied X-Forwarded-For entry be taken as the
# client address — confirm against the PrivX documentation.
PRIVX_NUM_TRUSTED_LB='0'
export PRIVX_NUM_TRUSTED_LB

#########################
# superuser credentials #
#########################

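# Superuser name
export PRIVX_SUPERUSER=superuser
# Superuser password.
# Single-quoted so that shell-special characters ($, ;, #, &, spaces) in a
# real password are not interpreted when this file is sourced; write a
# literal ' as '\''.
# "example_password" is a placeholder: replace it before use. The value is
# exported to every process started from the sourcing shell, so keep this
# file readable only by the administrator and do not source it under set -x.
export PRIVX_SUPERUSER_PASSWORD='example_password'
# Superuser email address
export PRIVX_SUPERUSER_EMAIL=superuser@example.com
# Set to any non-empty value to require a superuser-password change on first login
export PRIVX_SUPERUSER_CHANGE_PASSWORD=""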

####################
# database (local) #
####################

# Set PrivX to use the local database. Useful for testing or single-node installations.
#export PRIVX_USE_EXTERNAL_DATABASE=0
# Database name
#export PRIVX_DATABASE_NAME=privx
# Database-user name
#export PRIVX_DATABASE_USERNAME=privx
# Database-user password
#export PRIVX_DATABASE_PASSWORD=privx

#######################
# database (external) #
#######################

# Use an external database. Required for HA installations.
PRIVX_USE_EXTERNAL_DATABASE='1'
export PRIVX_USE_EXTERNAL_DATABASE
# PostgreSQL server address.
PRIVX_POSTGRES_ADDRESS='postgres.example.com'
export PRIVX_POSTGRES_ADDRESS
# PostgreSQL service port number.
PRIVX_POSTGRES_PORT='5432'
export PRIVX_POSTGRES_PORT

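# The Postgres superuser is only used for creating the PrivX database user.
# Needed only for the initial installation; if the user already exists, these
# values can be omitted.
# Postgres superuser username.
export PRIVX_POSTGRES_USER=postgres
# Postgres superuser password.
# Single-quoted so that shell-special characters ($, ;, #, &, spaces) in a
# real password survive sourcing; write a literal ' as '\''.
# "secret" is a placeholder: replace it before use, and remove the value once
# the PrivX database user exists, since it is exported to every child process
# of the sourcing shell.
export PRIVX_POSTGRES_PASSWORD='secret'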

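# Create the PrivX database user.
export DB_EXTERNAL_CREATE_PSQL_USER=true
# Database-user name
export PRIVX_DATABASE_USERNAME=privx
# Database-user password.
# Single-quoted so that shell-special characters ($, ;, #, &, spaces) in a
# real password survive sourcing; write a literal ' as '\''.
# The placeholder reuses the username; replace it with a distinct, generated
# password before use.
export PRIVX_DATABASE_PASSWORD='privx'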

# Create the PrivX database.
DB_EXTERNAL_CREATE_PSQL_DATABASE='true'
export DB_EXTERNAL_CREATE_PSQL_DATABASE
# Database name
PRIVX_DATABASE_NAME='privx'
export PRIVX_DATABASE_NAME

# Database-connection SSL mode: disable, require, verify-ca, verify-full.
# verify-full is recommended for production. Under the usual libpq sslmode
# semantics it is the only mode that both validates the server certificate
# against a trusted CA and checks that it matches PRIVX_POSTGRES_ADDRESS, so
# that address should be a hostname the certificate covers — confirm against
# the PrivX documentation.
PRIVX_DATABASE_SSLMODE='verify-full'
export PRIVX_DATABASE_SSLMODE

# Notification backend; "db" is the value documented here.
PRIVX_NOTIFICATION_BACKEND='db'
export PRIVX_NOTIFICATION_BACKEND

# Postgres version >= 11.X is supported.
# If PrivX cannot determine the DB server version:
#   PRIVX_SKIP_DB_VERSION_CHECK=false fails the installation or upgrade;
#   PRIVX_SKIP_DB_VERSION_CHECK=true continues with it, which means the
#   installation/upgrade may proceed against an unverified server version.
PRIVX_SKIP_DB_VERSION_CHECK='false'
export PRIVX_SKIP_DB_VERSION_CHECK

###################
# pkcs11 keyvault #
###################

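# Set to 1 to enable the pkcs11 keyvault.
# NOTE: This cannot be changed after installation.
export PRIVX_KEYVAULT_PKCS11_ENABLE=0
# pkcs11 provider type: one of
#    amazon-cloudhsm, safenet-network-hsm, softhsm, ncipher-hsm,
#    thales-ciphertrust, generic-pkcs11
export PRIVX_KEYVAULT_PKCS11_TYPE=""
# pkcs11 provider library file path
export PRIVX_KEYVAULT_PKCS11_PROVIDER=""
# pkcs11 slot
export PRIVX_KEYVAULT_PKCS11_SLOT=0
# pkcs11 user PIN.
# Single-quoted so that a PIN containing shell-special characters ($, ;, #,
# spaces) is not altered when this file is sourced; write a literal ' as '\''.
# "0000" is a placeholder only; replace it when PRIVX_KEYVAULT_PKCS11_ENABLE=1.
# Like the other secrets in this file, it is exported to every child process
# of the sourcing shell.
export PRIVX_KEYVAULT_PKCS11_PIN='0000'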
# pkcs11 features: comma-separated list of the keywords below.
# Only used with type "generic-pkcs11".
#   aes-gcm-zero-iv         Supply a zero IV for AES-GCM encrypt
#                           NOTE(review): reusing an IV under one AES-GCM key
#                           breaks the mode's guarantees; only enable this if
#                           the provider generates its own IV internally —
#                           confirm with the HSM vendor documentation.
#   aes-gcm-luna-random-iv  Use the SafeNet Luna AES-GCM random IV
#   aes-gcm-padding         Pad AES-GCM input to the AES block size
#   sym-key-size-in-bits    Symmetric key size is reported in bits
#   fips-mode               Restrict supported algorithms and key sizes
#                           according to FIPS 140-2 level 3 requirements
#   serialize-ops           Serialize all pkcs#11 operations
#   disable-object-cache    Disable object handle caching
#   ncipher-mode            nCipher HSM support
PRIVX_KEYVAULT_PKCS11_FEATURES=''
export PRIVX_KEYVAULT_PKCS11_FEATURES
# pkcs11 session cache lifetime.
# Lifetime of cached session handles. An empty value disables session
# caching. Accepts a duration string made of seconds, minutes and hours;
# "default" selects the default for the chosen provider.
#   Examples: "30m", "336h", "2h30m", "9h59m59s", "2000m"
PRIVX_KEYVAULT_PKCS11_SESSION_CACHE='default'
export PRIVX_KEYVAULT_PKCS11_SESSION_CACHE
# fsvault.encryption_algorithm
# "default" selects an algorithm based on the provider.
# Supported algorithms:
#   AES128withGCM
#   AES256withGCM
#   AES128withGCMPkcs7Pad
#   AES256withGCMPkcs7Pad
PRIVX_KEYVAULT_ENCRYPTION_ALG='default'
export PRIVX_KEYVAULT_ENCRYPTION_ALG

# Other settings

# NTP server used by the appliance.
PRIVX_NTP_SERVER='pool.ntp.org'
export PRIVX_NTP_SERVER

# Default asymmetric key type (for creating CA keys)
# Default value: "RSA" in normal mode, "ECDSA" in FIPS mode
#export PRIVX_DEFAULT_KEY_TYPE=""

# Default asymmetric key size (for creating CA keys)
# Default value: "4096" for RSA, "384" for ECDSA
# Also valid: "3072" for RSA, "521" for ECDSA
#export PRIVX_DEFAULT_KEY_SIZE=""

# Specify password hashing algorithm and cost as "<algo>/<cost>"
# Supported algorithms and allowed cost values:
#   "bcrypt", cost:       11-16
#   "pbkdf2", iterations: 300000-1000000
# Default values:
#   Normal mode: "bcrypt/11"
#   FIPS mode: "pbkdf2/300000"
#export PRIVX_PASSWORD_HASH=""

# Set to 1 to disable SELinux, if enabled
#export PRIVX_DISABLE_SELINUX=1

# Set to 1 to disable firewall-cmd, if you're using iptables or some other firewall instead
#export PRIVX_DISABLE_FIREWALLD=1

# Set to 1 to disable systemd
#export PRIVX_DISABLE_SYSTEMD=1
