Properties.yml
  • 09 Mar 2023



Sample Properties YAML File

An example properties.yml file is shown below. The configuration is largely self-documenting: settings are grouped first by general web-server category, followed by one section per integration (Ansible, Nornir, etc.).

---
# Notes:
#
# While many customizations can be made based on your environment and which integrations you
# would like enabled, this file is meant to mimic the installation process found at
# https://docs.itential.io/ as closely as possible so the user can use as many defaults as possible.
#
# This configuration file accepts any valid YAML syntax including the bash-like syntax for lists, etc.

##########
# System #
##########

# The port on which Automation Gateway server will listen for requests.
# Mutually exclusive with bind_list
port: 8083

# The gunicorn bind_address string.
# For ipv4 only use "0.0.0.0", for ipv6 and ipv4 use "[::]"
# Mutually exclusive with bind_list
# NOTE: both wildcard values listen on every interface of the host. If the gateway should only
#       be reachable through a proxy or a management network, bind to that address instead.
#
# You can also bind to a linux socket using "unix://<path to unix socket>"
# if you want to front-end automation-gateway with nginx or another proxy server.
# NOTE: the /tmp path in the example below is a shared, world-writable location; outside of a
#       quick test, place the socket in a directory that only the gateway and proxy accounts
#       can access.
#
# bind_address: "unix:///tmp/gunicorn.sock"
# bind_address: "[::]"

# List of addresses and ports to bind to.
# This setting will override both 'port' and 'bind_address'
#bind_list:
#  - "0.0.0.0:8083"

# Base of url for external proxy, used for generating redirects.
# When the proxy terminates TLS, give the https:// form of the address here so that generated
# redirects do not send clients back to plain HTTP.
# external_address: 'http://automation-gateway.example.com:8080'

# The number of http server threads for handling requests.
# A good starting point is 2-4 x NUM_CORES then adjust based on observed workload.
#http_server_threads: 8

# A flag that determines whether authentication is disabled or not.
# Warning: only disable authentication for temporary, non production testing, and only on a
# host that untrusted networks cannot reach. Keep this False everywhere else.
authentication_disabled: False

# The maximum number of concurrent sessions allowed.
authentication_max_sessions: 5000

# The idle timeout of each session (in seconds).
# A shorter timeout narrows the window in which an unattended session can be reused.
authentication_idle_timeout: 600

# A boolean flag that enables password reset support (default=False if absent/misconfigured).
password_reset_enabled: False

# Directory to write global log files to.
# Restrict this directory to the gateway's service account and to the administrators who
# review logs; see the note on http_logging_level below about what DEBUG logs contain.
global_log_directory: '/var/lib/automation-gateway'

# Maximum log files kept in rotation
# Valid range of values is 1-100. If value is set to 1, log file will not be limited in size.
# An unlimited log file can eventually fill the disk, so prefer a value greater than 1.
max_log_files: 5

# NOTE: Log levels for Automation Gateway Server are as follows.
# In order of ascending severity: DEBUG, INFO, WARNING, ERROR, or CRITICAL.
# Log messages of equal and greater severity will be displayed in the relevant log.
# Example: logging_level INFO will display log messages with a severity of INFO -> CRITICAL.
# (default=INFO if absent/misconfigured)

# Automation Gateway Server Logging Level
logging_level: INFO

# Automation Gateway HTTP Server Logging Level
# NOTE: request details are DEBUG level log messages, it may be useful to set this to DEBUG
#       while troubleshooting. Request details may include sensitive values (presumably
#       whatever the caller sent - confirm), so return to INFO once troubleshooting is done.
http_logging_level: INFO

# A flag that enables/disables parameter schema validation for content decorations.
# Generally enabled when using multiple types per parameter, or when testing decorations.
# Example: "commands" could be a literal list of commands, or a string representing a jinja
#          variable from your host's variables "{{commands}}", etc.
strict_args: True

################
# SSL Settings #
################

# To start the server using SSL/TLS please fill out the following properties.
# With all of them commented out, as in this sample, the server presumably listens over plain
# HTTP; in that case sessions and credentials are only protected in transit if a
# TLS-terminating proxy sits in front of the gateway.
#server_certfile: "/app/cert.pem"

# Note: gunicorn does not currently support encrypted key files.
# The private key is therefore stored unencrypted on disk: make it readable only by the
# account that runs the gateway (for example mode 0400) and keep it out of backups and
# version control that other people can read.
#server_keyfile: "/app/key.pem"

# NOTE(review): presumably the CA certificate bundle for the server - confirm against the
# product documentation.
# server_cabundle: "~/cabundle.crt"

# SSL/TLS protocol version for the listener, e.g. TLSv1_2.
# NOTE(review): confirm which values the installed gunicorn release accepts.
#server_ssl_version: "TLSv1_2"

# You may also set custom SSL Ciphers.
# Prefer suites that provide forward secrecy and authenticated encryption (ECDHE with
# AES-GCM, as in the example below).
#
# https://docs.gunicorn.org/en/20.x/settings.html#ciphers
#
# server_ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:..."

#############
# Databases #
#############

# NOTE: the database files below hold gateway data, audit records and execution history.
#       Keep them readable and writable only by the account that runs the gateway. This
#       sample places them in the same directory as global_log_directory, so that directory's
#       permissions protect both the logs and the databases.

# Path to the main Automation Gateway sqlite database file.
data_file: 'sqlite:////var/lib/automation-gateway/automation-gateway.db'

# A flag which determines whether or not audit logging is enabled. (default=True if absent/misconfigured)
# Leave this enabled: the audit log is the record of who did what on the gateway.
audit: True

# The number of days (days >= 0) worth of data to retain in the audit log database
# Records older than the specified number of days will be deleted. (default=None if absent/misconfigured)
# Choose a value that meets your organization's audit and incident-investigation retention
# requirements, or export the records elsewhere before they are deleted.
audit_retention_days: 30

# Path to the auxiliary Automation Gateway sqlite database file for audit logs.
audit_db_file: 'sqlite:////var/lib/automation-gateway/automation-gateway_audit.db'

# Path to the auxiliary Automation Gateway sqlite database file for execution logs.
exec_history_db_file: 'sqlite:////var/lib/automation-gateway/automation-gateway_exec_history.db'

#######################
# LDAP Authentication #
#######################

#
# LDAP Basic SETTINGS
#

# Enable LDAP authentication globally
ldap_auth_enabled: False

# LDAP server hostname or IP address
ldap_server: 'ldap.example.com'

# LDAP BASE DN
ldap_base_dn: 'DC=example,DC=com'

# LDAP BIND Username
# Use a dedicated account that can only read the users and groups the gateway needs, rather
# than a directory administrator.
ldap_bind_user_dn: 'CN=admin,CN=users,DC=example,DC=com'

# LDAP BIND Password
# The password is stored in this file in clear text: restrict the file to the account that
# runs the gateway and keep it out of version control.
ldap_bind_user_password: '<password>'

#
# LDAP Security
#

# Enable LDAPS
# With this set to False the connection is presumably plain LDAP, in which case the bind
# password and the credentials of users logging in cross the network unencrypted. Enable it
# for anything other than an isolated lab.
ldap_secure_enabled: False

# Validate the server's TLS certificate
# Keep this True: without validation the gateway cannot tell the real directory server from
# an impostor, even when LDAPS is enabled.
ldap_secure_validation_enabled: True

# TLS version to use when connecting to the LDAP server (default: TLSv1.2)
# Options ["1", "1.1", "1.2"]
# TLS 1.0 and 1.1 are deprecated (RFC 8996); keep '1.2' unless the directory server cannot
# support it.
ldap_secure_validation_tls_version: '1.2'

# Location of local CA certificate file for server validation
ldap_ca_certs_file: '/etc/ssl/certs/ca.crt'

#
# LDAP User Search
#

# Search LDAP for the username before doing a bind
ldap_always_search_bind: True

# LDAP user search filter
ldap_user_search_filter: '(objectclass=person)'

# LDAP user search scope
# Options "LEVEL" or "SUBTREE"
ldap_user_search_scope: 'SUBTREE'

# User login attribute
ldap_user_login_attr: 'sAMAccountName'

# User login RDN (relative distinguished name) attribute
# uid=testuser,ou=users,dc=example,dc=com = 'uid'
# cn=testuser,ou=users,dc=example,dc=com = 'cn'
ldap_user_rdn_attr: 'cn'

# LDAP user DN that is prepended to the base DN to limit the scope when searching for users.
# Narrowing the search to the container that holds the gateway's users limits which
# directory accounts can be matched at login.
ldap_user_dn : '' # example: OU=users

#
# LDAP GROUP OPTIONS
#

# Group search filter
ldap_group_search_filter: '(objectClass=group)'

# Group search scope
# Options "LEVEL" or "SUBTREE"
ldap_group_search_scope: 'SUBTREE'

# Group members attribute
ldap_group_members_attr: 'member'

# LDAP group DN that is prepended to the base DN to limit the scope when searching for groups
ldap_group_dn : '' # example: OU=groups

###########
# Ansible #
###########

# A boolean flag that enables Ansible support (default=True if absent/misconfigured).
ansible_enabled: True

# A boolean which logs additional debug messages when executing Ansible modules, roles, or
# playbooks. (default=False if absent/misconfigured)
# NOTE(review): debug output may include the variables passed to the content, which can
# contain credentials - confirm, and leave this False outside of troubleshooting.
ansible_debug: False

# A flag to prevent deletion of the temporary files generated by executing
# Ansible content (modules, collections, roles, playbooks). (default=False if absent/misconfigured)
# NOTE(review): retained temporary files may hold the inputs of a run, presumably including
# any secrets supplied to it - confirm, and keep this False unless you are debugging.
no_cleanup: False

# Path of the file that contains a password used by ansible-vault to encrypt sensitive data.
# Uncomment this property if you will be using Ansible vault encrypted variables.
# Be sure to secure this file with permissions of 0200 or 0400.
# NOTE(review): 0200 is owner write-only, and the account that runs ansible-vault has to read
# this file, so 0400 owned by the gateway's service account looks like the workable choice -
# confirm.
#vault_password_file: "/opt/automation-gateway/conf/.vault_password_file"

# Path to the Ansible external inventory file (folders not valid).
# A valid file will disable Ansible Internal inventory and instead use only this Ansible External inventory.
# Inventory files often carry connection variables for devices; limit read access accordingly.
inventory_file: '/opt/automation-gateway/ansible/inventory/hosts'

# Path(s) to the Ansible modules that should be discovered by Automation Gateway and appended to Ansible's execution environment.
# All non-collection paths (see Ansible 2.10 notes below) known to Ansible are already included and do not need to be specified.
# Additionally, this parameter needs to be configured if the path reported by 'ansible --version' is incorrect
# or you would like to customize/trim down the set of Ansible modules that will be discovered (see Ansible<=2.9 notes below).
# Trim example for ansible 2.9: "/usr/local/lib/python3.9/site-packages/ansible/modules/network"
# NOTE: Use only the site-packages paths you need for your installation to avoid
#       cross environment issues in the case where multiple of these paths exist
# NOTE: content discovered under the module, collection, role and playbook paths in this
#       section becomes runnable through the gateway, so every listed directory should be
#       writable only by trusted administrators. Paths under a user's home directory (the
#       /home/itential entries below) deserve particular attention.
module_path:
  # System installed Python, Ansible installed globally:
  - '/usr/local/lib/python3.9/site-packages/ansible/modules/network'
  - '/usr/local/lib/python3.9/site-packages/ansible_collections'
  # Manually installed Python, Ansible installed by the itential user
  - '/home/itential/.local/lib/python3.9/site-packages/ansible/modules/network'
  - '/home/itential/.local/lib/python3.9/site-packages/ansible_collections'
  # Any installation method for Python, Ansible installed inside of a virtualenv at $HOME/automation-gateway
  - '/home/itential/automation-gateway/lib/python3.9/site-packages/ansible/modules/network'
  - '/home/itential/automation-gateway/lib/python3.9/site-packages/ansible_collections'
  # Default location for custom content per the setup script
  - '/usr/share/automation-gateway/ansible/modules'

# Path(s) to the Ansible collections that should be discovered by Automation Gateway and exclusively used in Ansible's execution environment.
# Due to differences in collections before/after Ansible 2.9, these will be the only paths relevant during discovery AND execution.
collection_path:
  # The first path will be the default location for additional collection installations via the API/GUI
  # (content installed this way lands here, so review who is allowed to install collections)
  - '/opt/automation-gateway/.ansible/collections'
  ## The remaining paths will be used only for discovery and execution
  # Default location for custom content per the setup script
  - '/usr/share/automation-gateway/ansible/collections'

# Path(s) to the Ansible roles that should be discovered by Automation Gateway and appended to Ansible's execution environment.
role_path:
  # The first path will be the default location for additional role installations (via the API or ansible-galaxy)
  - '/opt/automation-gateway/.ansible/roles'
  # Default location for custom content per the setup script
  - '/usr/share/automation-gateway/ansible/roles'

# Path(s) to customized roles that extend device support of the Itential roles found in the release, i.e., itential_cli, itential_get_config.
#extended_device_role_path:
#  # This is a sample path to roles that extend device support
#  - /usr/share/device_support/roles

# Discovery behavior for Ansible playbooks. Determines whether or not to
# recursively search the directories found in the 'playbook_path' parameter, or
# to only search those directories and no deeper. (default=True if absent/misconfigured)
# With recursion on, every subdirectory of each playbook_path entry is in scope, so the
# write-permission advice applies to the whole tree.
playbook_recursive: True

# Path(s) to the Ansible playbooks that should be discovered by Automation Gateway and appended to Ansible's execution environment.
playbook_path:
  # Default location for custom content per the setup script
  - '/usr/share/automation-gateway/ansible/playbooks'
  ## Default Itential custom content locations - uncomment to display some sample playbooks
  # - "/usr/local/lib/python3.9/site-packages/automation_gateway/integrations/playbooks"
  # System installed Python, Automation Gateway installed globally:
  # - "/usr/local/lib/python3.9/site-packages/automation_gateway/integrations/playbooks"
  # Manually installed Python, Automation Gateway installed by the itential user
  # - "/home/itential/.local/lib/python3.9/site-packages/automation_gateway/integrations/playbooks"
  # Any installation method for Python, Automation Gateway installed inside of a virtualenv
  # - "/home/itential/automation-gateway/lib/python3.9/site-packages/automation_gateway/integrations/playbooks"

#################
# HTTP_Requests #
#################

# A boolean flag that enables HTTP_Requests support (default=True if absent/misconfigured).
# Set to False if this integration is not used, so the gateway exposes only what you need.
http_requests_enabled: True

###########
# NETCONF #
###########

# A boolean flag that enables Netconf support (default=True if absent/misconfigured).
# Set to False if this integration is not used.
netconf_enabled: True

###########
# Netmiko #
###########

# A boolean flag that enables Netmiko support (default=False if absent/misconfigured).
# This sample turns the integration on explicitly; set it back to False if Netmiko is not used.
netmiko_enabled: True

##########
# Nornir #
##########

# A boolean flag that enables Nornir support (default=False if absent/misconfigured).
# This sample turns the integration on explicitly; set it back to False if Nornir is not used.
nornir_enabled: True

# Path to the Nornir configuration file.
# A valid file will allow the use of Nornir External inventory.
nornir_config_file: '/opt/automation-gateway/nornir/config.yaml'

# Discovery behavior for Nornir modules. Determines whether or not to
# recursively search the directories found in the 'nornir_module_path' parameter, or
# to only search those directories and no deeper. (default=True if absent/misconfigured)
nornir_module_recursive: True

# Path(s) to the Nornir modules that should be discovered by Automation Gateway.
# Discovered modules become runnable through the gateway, so keep these directories (and,
# with recursion on, their subdirectories) writable only by trusted administrators.
nornir_module_path:
  # Default location for custom content per the setup script
  - '/usr/share/automation-gateway/nornir/modules'

###########
# Scripts #
###########

# A boolean flag that enables Scripts support (default=True if absent/misconfigured).
# Set to False if standalone scripts are not used.
scripts_enabled: True

# Discovery behavior for standalone scripts. Determines whether or not to
# recursively search the directories found in the 'script_path' parameter, or
# to only search those directories and no deeper. (default=True if absent/misconfigured)
script_recursive: True

# Path(s) to the standalone scripts that should be discovered by Automation Gateway.
# Discovered scripts become runnable through the gateway, so keep these directories (and,
# with recursion on, their subdirectories) writable only by trusted administrators.
script_path:
  # Default location for custom content per the setup script
  - '/usr/share/automation-gateway/scripts'
  # Legacy path for backwards compatibility
  # (remove it if nothing is stored there, to keep the set of discovered locations small)
  - '/usr/share/automation-gateway/ansible/scripts'

#############
# Terraform #
#############

# A boolean flag that enables Terraform support (default=False if absent/misconfigured).
# This sample turns the integration on explicitly; set it back to False if Terraform is not used.
terraform_enabled: True

# Discovery behavior for Terraform modules. Determines whether or not to
# recursively search the directories found in the 'terraform_path' parameter, or
# to only search those directories and no deeper. (default=True if absent/misconfigured)
terraform_recursive: True

# Path(s) to the Terraform modules that should be discovered by Automation Gateway.
# Discovered modules become runnable through the gateway, so keep these directories (and,
# with recursion on, their subdirectories) writable only by trusted administrators.
terraform_path:
  # Default location for custom content per the setup script
  - '/usr/share/automation-gateway/terraform'
  # Legacy path for backwards compatibility
  # (remove it if nothing is stored there, to keep the set of discovered locations small)
  - '/usr/share/automation-gateway/terraform/scripts'

###################
# Hashicorp Vault #
###################

# A flag that enables Hashicorp Vault support. (default=False if absent/misconfigured)
vault_enabled: False

# The URL to the Hashicorp Vault server.
# Use an https:// URL so that the access token and the secrets returned are encrypted in transit.
#vault_server: "https://localhost:8200"

# The mount point on which the Hashicorp Vault KV-V2 secret engine is enabled.
#vault_mount_point: secret

# The path to a file containing the vault access token used by the AG Server for
# Hashicorp Vault operations. The file should be secured with 0400 permissions
# and owned by the account that runs the gateway.
#vault_access_token: "/opt/automation-gateway/conf/.vault_token_file"

# A flag that enables TLS certificate verification when sending requests to the Hashicorp
# Vault Server. (default=False if absent/misconfigured)
# With verification off the gateway cannot confirm that it is talking to the real Vault
# server, so the access token and secrets could be exposed to an intercepting host. Set this
# to True when enabling Vault, and supply vault_ca_file if the server uses a private CA.
#vault_cert_verification: False

# The path to a CA (Certificate Authority) file.  This file is used to perform TLS certificate
# verification when sending requests to a Hashicorp Vault Server configured with a self-signed
# certificate. This parameter is not required when sending requests to a Hashicorp Vault Server
# configured with a certificate signed by a trusted authority.
#vault_ca_file: "/opt/automation-gateway/conf/certs/cert.pem"

# The path to a client certificate PEM file used for performing TLS authentication of the AG
# vault client with the Hashicorp Vault Server. Both a client certificate file and a key file
# must be configured for TLS authentication to be utilized.
# NOTE(review): the sample path is the same as the one shown for vault_ca_file; the CA file
# and the client certificate are normally different files - confirm the intended paths.
#vault_client_cert_file: "/opt/automation-gateway/conf/certs/cert.pem"

# The path to a client key PEM file used for performing TLS authentication of the AG vault
# client with the Hashicorp Vault Server. Both a client certificate file and a key file
# must be configured for TLS authentication to be utilized.
# Keep the key readable only by the account that runs the gateway (for example mode 0400).
#vault_client_key_file: "/opt/automation-gateway/conf/certs/key.pem"
