server settings

file-server/nginx.Dockerfile

@@ -6,5 +6,8 @@ COPY nginx/nginx-ssl.site.default.conf /etc/nginx/conf.d/default.conf
 COPY nginx/certs/snakeoil.cert.pem /etc/nginx/certs/snakeoil.cert.pem
 COPY nginx/certs/snakeoil.key.pem  /etc/nginx/certs/snakeoil.key.pem
 
+COPY nginx/certs/nhiro-fullchain.pem  /etc/nginx/certs/nhiro-fullchain.pem
+COPY nginx/certs/nhiro-privkey.pem /etc/nginx/certs/nhiro-privkey.pem
+
 EXPOSE 80
 EXPOSE 443

file-server/nginx/nginx-ssl.site.default.conf

@@ -3,8 +3,9 @@ server {
     listen      [::]:443 ipv6only=off ssl http2;
     server_name _;
 
-    ssl_certificate /etc/nginx/certs/snakeoil.cert.pem;
-    ssl_certificate_key /etc/nginx/certs/snakeoil.key.pem;
+    ssl_certificate /etc/nginx/certs/nhiro-fullchain.pem;
+    ssl_certificate_key /etc/nginx/certs/nhiro-privkey.pem;
+
     ssl_session_timeout 10m;
     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
     # See: https://github.com/dev-sec/nginx-baseline/blob/af883f35d86ed95a6f41ef7fdfdfc1b25a249273/controls/nginx_spec.rb#L227-L239

prod.env

@@ -0,0 +1,138 @@
+# Copy this file to .env and fill in the values, # or set the values in your environment as needed.
+# docker compose (if used) will read from .env. This file is also used by the server app.
+
+
+###### GENERAL SETTINGS ######
+ADMIN_UIDS=[]
+# Options: maildev, aws-ses, mailgun
+# Example: `aws-ses,mailgun` would try sending via AWS SES first, and fallback to Mailgun on error.
+EMAIL_TRANSPORT_TYPES=maildev
+# Optionally set this manually or use `git rev-parse HEAD`. It can be useful for debugging.
+GIT_HASH=
+# Options: prod, preprod, dev:
+MATH_ENV=prod
+# Optionally give the server container a distinct env_file. Useful for CI tests.
+SERVER_ENV_FILE=prod.env
+# Used by winston via server/utils/logger. Defaults to "info".
+SERVER_LOG_LEVEL=
+
+
+###### DATABASE ######
+# Optional DB replica for reads:
+READ_ONLY_DATABASE_URL=
+POSTGRES_DB=polis-dev
+POSTGRES_PORT=5432
+POSTGRES_HOST=postgres:${POSTGRES_PORT}
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=oiPorg3Nrz0yqDLE
+DATABASE_URL=postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}/${POSTGRES_DB}
+
+
+###### DOCKER CONCERNS ######
+# Optionally set this to whatever you want. It is a convenience for docker assets.
+TAG=
+COMPOSE_PROJECT_NAME=polis-${TAG}
+
+
+###### PORTS ######
+API_SERVER_PORT=5000
+HTTP_PORT=80
+HTTPS_PORT=443
+STATIC_FILES_PORT=8080
+# These ports could actually be different in development or if you are hosting clint-admin,
+# client-participation, and file-server on different servers or containers.
+STATIC_FILES_ADMIN_PORT=${STATIC_FILES_PORT}
+STATIC_FILES_PARTICIPATION_PORT=${STATIC_FILES_PORT}
+
+
+###### EMAIL ADDRESSES ######
+ADMIN_EMAIL_DATA_EXPORT_TEST=
+ADMIN_EMAIL_DATA_EXPORT=
+ADMIN_EMAIL_EMAIL_TEST=
+ADMIN_EMAILS=[]
+POLIS_FROM_ADDRESS="Example <team@example.com>"
+
+
+###### BOOLEAN FLAGS ######
+# Instructs the API server to cache the results from the math service. Default is true if not set.
+CACHE_MATH_RESULTS=
+# The following flags will all default to false if not set.
+BACKFILL_COMMENT_LANG_DETECTION=
+# Set to `false` for production:
+DEV_MODE=false
+RUN_PERIODIC_EXPORT_TESTS=
+# When true, logs are written to server/logs in addition to stdout.
+# If docker compose is used, the logs directory is mounted as a persistent volume.
+SERVER_LOG_TO_FILE=
+SHOULD_USE_TRANSLATION_API=
+
+
+###### CUSTOM URL/HOSTNAME SETTINGS ######
+# If you are running a development server anywhere other than localhost:80 or localhost:5000,
+# you need to update API_DEV_HOSTNAME and EMBED_SERVICE_HOSTNAME.
+API_DEV_HOSTNAME=localhost
+# If you are running polis on a custom domain, set both API_PROD_HOSTNAME and DOMAIN_OVERRIDE
+# to the same value. In the future these will be combined into one setting.
+API_PROD_HOSTNAME=polis.nhiro.org
+DOMAIN_OVERRIDE=polis.nhiro.org
+DOMAIN_WHITELIST_ITEM_01=
+DOMAIN_WHITELIST_ITEM_02=
+DOMAIN_WHITELIST_ITEM_03=
+DOMAIN_WHITELIST_ITEM_04=
+DOMAIN_WHITELIST_ITEM_05=
+DOMAIN_WHITELIST_ITEM_06=
+DOMAIN_WHITELIST_ITEM_07=
+DOMAIN_WHITELIST_ITEM_08=
+# In production, should match API_PROD_HOSTNAME or DOMAIN_OVERRIDE, if set:
+EMBED_SERVICE_HOSTNAME=localhost
+# Full hostname with protocol of your API server:
+# (Optional. Currently only used in client-report development.)
+SERVICE_URL=
+STATIC_FILES_HOST=file-server
+
+
+###### THIRD PARTY API CREDENTIALS ######
+# These are all optional, but some features will not work without them.
+AKISMET_ANTISPAM_API_KEY=
+# Used for S3 data import/export:
+AWS_REGION=
+# Set to true to enable the twitter widgets in the client:
+ENABLE_TWITTER_WIDGETS=
+# Must register with facebook and get a facebook app id to use the facebook auth features:
+FB_APP_ID=
+# To enable Google Analytics, set this to your tracking id:
+GA_TRACKING_ID=
+# One of the following is required if SHOULD_USE_TRANSLATION_API is true:
+GOOGLE_CREDENTIALS_BASE64=
+GOOGLE_CREDS_STRINGIFIED=
+MAILGUN_API_KEY=
+MAILGUN_DOMAIN=
+MAXMIND_LICENSEKEY=
+MAXMIND_USERID=
+TWITTER_CONSUMER_KEY=
+TWITTER_CONSUMER_SECRET=
+# Read from process.env by aws-sdk, if using SES for email transport
+# https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-environment.html
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
+# This value is written by the server app if SHOULD_USE_TRANSLATION_API is true.
+GOOGLE_APPLICATION_CREDENTIALS=
+
+
+###### DEPRECATED ######
+# (Deprecated) Used internally by Node.Crypto to encrypt/decrypt IP addresses.
+ENCRYPTION_PASSWORD_00001=
+# (Deprecated) Basic Auth settings for certain requests between math and api services.
+WEBSERVER_PASS=ws-pass
+WEBSERVER_USERNAME=ws-user
+
+
+###### CLIENT SIDE CONFIG ######
+# If building client assets, only the following variables are needed:
+# * EMBED_SERVICE_HOSTNAME
+# * FB_APP_ID
+# * GA_TRACKING_ID
+# * ENABLE_TWITTER_WIDGETS
+# * SERVICE_URL (if static assests are served from a separate domain than API, as described above)
+
+