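local common_config = require("tptmp.common.config")

-- Optional operator overrides. A missing tptmp.server.secret_config module is
-- expected and simply means "use the defaults in this file". Any other load
-- failure (syntax error, runtime error, a dependency of the override file that
-- cannot be found) is re-raised: silently ignoring a broken override file would
-- start the server with the defaults below (e.g. iface = "0.0.0.0",
-- guests_allowed = true) instead of the values the operator intended.
local secret_config_module = "tptmp.server.secret_config"
local have_secret_config, secret_config = pcall(require, secret_config_module)
if not have_secret_config then
	-- On failure pcall hands back the error value in place of the module.
	local load_error = secret_config
	local not_found = "module '" .. secret_config_module .. "' not found"
	if type(load_error) ~= "string" or not load_error:find(not_found, 1, true) then
		error(load_error, 0)
	end
end
-- Collapse the "not found" message to false so that secret_config is either the
-- loaded module value or a false-y value.
secret_config = have_secret_config and secret_config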
--- Look up a setting in the optional secret config, falling back to a default.
-- An override wins whenever it is present, including an explicit `false`;
-- only a nil (absent) entry falls through to the default.
-- @param key      name of the setting
-- @param default  value returned when there is no secret config or no entry
-- @return the override if one exists, otherwise `default`
local function prefer_secret_config(key, default)
	if not secret_config then
		return default
	end
	local override = secret_config[key]
	if override == nil then
		return default
	end
	return override
end
-- Static server configuration table. Entries wrapped in prefer_secret_config()
-- can be overridden by the optional secret config module; every other entry is
-- either fixed in this file or taken from common_config.
local config = {
	-- ***********************************************************************
	-- *** The following options should be customized in accordance with   ***
	-- *** your environment.                                               ***
	-- ***********************************************************************

	-- * Local interface to listen on for player connections. Use "0.0.0.0" for
	--   "all interfaces", "localhost" for localhost, etc. The default listens
	--   on every interface of the host.
	iface = prefer_secret_config("iface", "0.0.0.0"),

	-- * Port to listen on for player connections.
	port = prefer_secret_config("port", common_config.port),

	-- * Local interface to listen on for remote console connections, similar
	--   to iface. The server does not authenticate remote control clients, so
	--   make sure not to let connections to this port through your firewall.
	--   If you want to connect from another host, use a TLS termination proxy
	--   with peer authentication, and have the proxy connect to this port.
	-- * NOTE(review): this value can be overridden through the secret config;
	--   any override other than a loopback address exposes the unauthenticated
	--   console to whatever network that interface is on.
	rcon_iface = prefer_secret_config("rcon_iface", "localhost"),

	-- * Local port to listen on for remote console connections.
	rcon_port = prefer_secret_config("rcon_port", 34406),

	-- * Authenticate clients via the backend specified by auth_backend_* (see
	--   below). secure = true isn't necessary for this, although secure = false
	--   may let authentication tokens be sniffed and used for impersonation.
	-- * WARNING: Running the server with auth = false is currently very poorly
	--   supported by plugins.
	-- * This entry is fixed here; it is not read from the secret config.
	auth = true,

	-- * Max age in seconds for authentication tokens. Only relevant if
	--   auth = true. Specifies the maximum amount of time in seconds between
	--   someone being banned from the authentication backend and being unable
	--   to authenticate with this server.
	-- * NOTE(review): with secure = false, a sniffed token (see auth above)
	--   presumably stays usable for up to this long; confirm against the
	--   token validation code before raising the value.
	token_max_age = prefer_secret_config("token_max_age", 300),

	-- * Username to UID cache entry max age in seconds. Only relevant if
	--   auth = true. Specifies the maximum amount of time in seconds between
	--   someone changing usernames on the authentication backend and the first
	--   time authenticating with this server reflects that change.
	offline_user_cache_max_age = prefer_secret_config("offline_user_cache_max_age", 300),

	-- * Specifies whether guests are allowed on the server. Only relevant if
	--   auth = true.
	guests_allowed = prefer_secret_config("guests_allowed", true),

	-- * Encrypt traffic between player clients and the server. Requires some
	--   experience with TLS. Should match the common setting, but it is fine
	--   to change for a custom server.
	-- * The default comes from common_config.secure; see the auth entry above
	--   for what secure = false means for authentication tokens.
	secure = prefer_secret_config("secure", common_config.secure),

	-- * Hostname to check the SNI field in the TLS handshake against. Required
	--   if auth = true. Makes it possible to detect and drop stray, non-TPTMP
	--   connections earlier than via the protocol handshake if secure = true,
	--   which would otherwise have to time out in the worst case. Should match
	--   the common host setting, but it is fine to change for a custom server.
	--   If your server is externally reachable on a port different from the one
	--   specified by config.port, combine it with this setting like so:
	--   "example.com:1337".
	host = prefer_secret_config("host", common_config.host),

	-- * Path to the public server certificate. Only relevant if secure = true.
	--   This file should not include the intermediary certificates, i.e. the
	--   chain of trust.
	secure_cert_path = prefer_secret_config("secure_cert_path", "cert.pem"),

	-- * Path to the chain of trust behind the server certificate. Only relevant
	--   if secure = true. This file should not include the server certificate.
	secure_chain_path = prefer_secret_config("secure_chain_path", "chain.pem"),

	-- * Path to the server private key. Only relevant if secure = true. Common
	--   sense regarding the handling of this file applies: keep it readable
	--   only by the account the server runs as, and out of version control.
	secure_pkey_path = prefer_secret_config("secure_pkey_path", "pkey.pem"),

	-- * Path to main dynamic configuration store.
	dynamic_config_main = prefer_secret_config("dynamic_config_main", "config.json"),

	-- * Path to backup dynamic configuration store.
	dynamic_config_xchg = prefer_secret_config("dynamic_config_xchg", "config.json~"),

	-- ***********************************************************************
	-- *** The following options should be customized in accordance with   ***
	-- *** the policies in effect on your server.                          ***
	-- ***********************************************************************

	-- * Maximum amount of clients connected to the server at any given time.
	--   This does not include clients that have not registered, although new
	--   client connections are dropped if this limit would be violated upon
	--   their registering successfully.
	max_clients = 500,

	-- * Maximum amount of active rooms on the server at any given time. This
	--   does not include inactive rooms with no clients in them but in the
	--   dynamic configuration store.
	max_rooms = 100,

	-- * Maximum amount of rooms in whose owner lists a UID may appear. Only
	--   relevant if auth = true (but auth = false is not supported by the
	--   owner plugin).
	max_rooms_per_owner = 10,

	-- * Maximum amount of UIDs in the owner list of a room. Only relevant if
	--   auth = true (but auth = false is not supported by the owner plugin).
	max_owners_per_room = 10,

	-- * Maximum amount of UIDs in the invite list of a room. Only relevant if
	--   auth = true (but auth = false is not supported by the private plugin).
	max_invites_per_room = 20,

	-- * Maximum amount of UIDs in the block list associated with a UID. Only
	--   relevant if auth = true (but auth = false is not supported by the
	--   block plugin).
	max_blocks_per_user = 100,

	-- * Maximum amount of clients in any room at any given time. Upper
	--   limit is 255, imposed by the protocol.
	max_clients_per_room = 20,

	-- * Maximum amount of connections made from any given peer. This does not
	--   include clients that have not registered, although new client
	--   connections are dropped if this limit would be violated upon their
	--   registering successfully.
	-- * WARNING: Must be at least 2 for ghosting to work. This is when a
	--   connection has already ceased to exist on the client side but still
	--   exists on the server side. In this case, a second client connecting
	--   and registering the same UID drops the first, dead connection. This
	--   only works if auth = true.
	max_clients_per_peer = 4,

	-- * Specifies the number of times a client may violate anti-spam policies
	--   before being dropped for spam.
	max_spam_violations = 10,

	-- * Maximum number of characters in the name of a room.
	max_room_name_length = 32,

	-- * Maximum number of characters in the name of a client. If auth = true,
	--   should align with the limit imposed by the authentication backend.
	max_nick_length = 32,

	-- * Minimum account age in seconds, for a client that is trying to
	--   register a UID. If the account's age is below this limit, the client
	--   is downgraded to a guest with a message explaining the policy,
	--   including how long the user should wait until they attempt to connect
	--   again to successfully register a UID. This only works if auth = true.
	--   Use 0 for no limit. The default of 86400 is 24 hours.
	min_account_age = 86400,

	-- ***********************************************************************
	-- *** The following options should be changed in                      ***
	-- *** tptmp/common/config.lua instead. Since these options should     ***
	-- *** align with the equivalent options on the client side, you       ***
	-- *** will most likely have to ship your own version of the client    ***
	-- *** if you intend to change these.                                  ***
	-- ***********************************************************************

	-- * Protocol version.
	version = common_config.version,

	-- * Client-to-server message size limit.
	message_size = common_config.message_size,

	-- * Client-to-server message rate limit.
	message_interval = common_config.message_interval,

	-- * Authentication backend URL. Only relevant if auth = true.
	auth_backend = common_config.auth_backend,

	-- * Authentication backend timeout in seconds. Only relevant if
	--   auth = true.
	auth_backend_timeout = common_config.auth_backend_timeout,

	-- * Username to UID backend URL. Only relevant if auth = true.
	uid_backend = common_config.uid_backend,

	-- * Username to UID backend timeout in seconds. Only relevant if
	--   auth = true.
	uid_backend_timeout = common_config.uid_backend_timeout,

	-- ***********************************************************************
	-- *** The following options should only be changed if you know what   ***
	-- *** you are doing. This usually involves consulting with the        ***
	-- *** developers. Otherwise, these are sane values you should trust.  ***
	-- ***********************************************************************

	-- * Print stack tracebacks every specified number of instructions. The
	--   counter is per-coroutine. An integer number enables, while a false-y
	--   value disables the feature.
	periodic_tracebacks = 100000000,

	-- * Size of the buffer passed to the recv system call. Bigger values
	--   consume more memory, smaller ones incur larger system call overhead.
	--   0x10000 is 64 KiB, assuming the unit is bytes.
	read_size = 0x10000,

	-- * Receive queue limit. Specifies the maximum amount of data a client
	--   is allowed to have sent but which the server has not yet had time to
	--   process. A client is dropped if the size of its receive queue exceeds
	--   this limit. 0x200000 is 2 MiB, assuming the unit is bytes.
	recvq_limit = 0x200000,

	-- * Send queue limit. Specifies the maximum amount of data a client
	--   is allowed to have not yet processed but which the server has already
	--   queued. A client is dropped if the size of its send queue exceeds
	--   this limit. 0x2000000 is 32 MiB, assuming the unit is bytes.
	-- * NOTE(review): the limit is per client; with max_clients = 500 the
	--   queues of registered clients alone could in the worst case add up to
	--   500 times this value. Confirm the host has memory headroom for that.
	sendq_limit = 0x2000000,

	-- * Amount of time in seconds after which the connection attempt should be
	--   deemed a failure, unless at least a byte is received. If secure = true
	--   and the first byte suggests that a TLS connection is being made, this
	--   timeout also covers the TLS handshake that follows and receiving the
	--   first useful byte in TLS mode.
	first_byte_timeout = 10,

	-- * Send queue flush timeout. Specifies the maximum amount of time in
	--   seconds the server waits for the send queue of a client that is being
	--   dropped to flush. The server makes an effort to send everything from
	--   its send queue (most importantly, the reason for the client being
	--   dropped), but it drops the client earlier if this fails in the
	--   amount of time specified.
	sendq_flush_timeout = 10,

	-- * Send queue flush timeout for the remote console. Similar to
	--   sendq_flush_timeout, except applies to the remote console.
	rcon_sendq_flush_timeout = 3,

	-- * Amount of time in seconds between pings being sent to the client.
	--   Should be half of the ping_timeout option on the client side or less.
	ping_interval = 60,

	-- * Amount of time in seconds a client is allowed to stay connected without
	--   sending a ping. Should be twice the ping_interval option on the client
	--   side or more.
	ping_timeout = 120,

	-- * Amount of time in seconds between pings being sent to the remote
	--   console client. Should be half of the ping timeout on the client side
	--   or less.
	rcon_ping_interval = 60,

	-- * Amount of time in seconds a remote console client is allowed to stay
	--   connected without sending a ping. Should be twice the ping interval on
	--   the client side or more.
	rcon_ping_timeout = 120,

	-- ***********************************************************************
	-- *** The following options should not be changed as their values     ***
	-- *** are tightly coupled with the server implementation.             ***
	-- ***********************************************************************

	-- * Minimum required TPT version.
	tpt_version_min = 356,

	-- * Maximum accepted TPT version. math.huge means there is no upper
	--   bound. TODO[opt]: something better
	tpt_version_max = math.huge,
}
-- Split an optional ":port" suffix off config.host and derive config.audience.
-- When host has the form "name:digits", the full string is kept as the
-- audience and config.host is reduced to the bare name. Otherwise the audience
-- is built from the host and config.port. Either way config.audience ends up
-- as "host:port" and config.host carries no port.
local bare_host, embedded_port = config.host:match("^([^:]+):([0-9]+)$")
if not bare_host then
	config.audience = config.host .. ":" .. config.port
else
	config.audience = config.host
	config.host = bare_host
end

return config