update configuration files with docs (#3135)

packages/config/src/conf/default.yaml

@@ -1,16 +1,20 @@
 #
-# This is the default config file. It allows all users to do anything,
+# This is the default configuration file. It allows all users to do anything,
-# so don't use it on production systems.
+# please read carefully the documentation and best practices to
+# improve security.
 #
 # Look here for more config file examples:
-# https://github.com/verdaccio/verdaccio/tree/master/packages/config/src/conf
+# https://github.com/verdaccio/verdaccio/tree/5.x/packages/config/src/conf/default.yaml
 #
+# Read about the best practices
+# https://verdaccio.org/docs/best
 
 # path to a directory with all packages
 storage: ./storage
 # path to a directory with plugins to include
 plugins: ./plugins
 
+# https://verdaccio.org/docs/webui
 web:
   title: Verdaccio
   # comment out to disable gravatar support
@@ -43,11 +47,8 @@ web:
   #    - '<div id="myId">html before webpack scripts</div>'
   #  Public path for template manifest scripts (only manifest)
   #  publicPath: http://somedomain.org/
-# translate your registry, api i18n not available yet
-# i18n:
-# list of the available translations https://github.com/verdaccio/ui/tree/master/i18n/translations
-#   web: en-US
 
+# https://verdaccio.org/docs/configuration#authentication
 auth:
   htpasswd:
     file: ./htpasswd
@@ -55,11 +56,15 @@ auth:
     # You can set this to -1 to disable registration.
     # max_users: 1000
 
+# https://verdaccio.org/docs/configuration#uplinks
 # a list of other known repositories we can talk to
 uplinks:
   npmjs:
     url: https://registry.npmjs.org/
 
+# Learn how to protect your packages
+# https://verdaccio.org/docs/protect-your-dependencies/
+# https://verdaccio.org/docs/configuration#packages
 packages:
   '@*/*':
     # scoped packages
@@ -76,7 +81,7 @@ packages:
     # and three keywords: "$all", "$anonymous", "$authenticated"
     access: $all
 
-    # allow all known users to publish/unpublish packages
+    # allow all known users to publish/publish packages
     # (anyone can register by default, remember?)
     publish: $authenticated
     unpublish: $authenticated
@@ -84,32 +89,104 @@ packages:
     # if package is not available locally, proxy requests to 'npmjs' registry
     proxy: npmjs
 
+# To improve your security configuration and  avoid dependency confusion
+# consider removing the proxy property for private packages
+# https://verdaccio.org/docs/best#remove-proxy-to-increase-security-at-private-packages
+
+# https://verdaccio.org/docs/configuration#server
+# You can specify HTTP/1.1 server keep alive timeout in seconds for incoming connections.
+# A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
+# WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
 server:
-  # deprecated
   keepAliveTimeout: 60
-#  rateLimit:
+
-#    windowMs: 1000
+# https://verdaccio.org/docs/configuration#offline-publish
-#    max: 10000
+# publish:
+#   allow_offline: false
+
+# https://verdaccio.org/docs/configuration#url-prefix
+# url_prefix: /verdaccio/
+# VERDACCIO_PUBLIC_URL='https://somedomain.org';
+# url_prefix: '/my_prefix'
+# // url -> https://somedomain.org/my_prefix/
+# VERDACCIO_PUBLIC_URL='https://somedomain.org';
+# url_prefix: '/'
+# // url -> https://somedomain.org/
+# VERDACCIO_PUBLIC_URL='https://somedomain.org/first_prefix';
+# url_prefix: '/second_prefix'
+# // url -> https://somedomain.org/second_prefix/'
+
+# https://verdaccio.org/docs/configuration#security
+# security:
+#   api:
+#     legacy: true
+#     jwt:
+#       sign:
+#         expiresIn: 29d
+#       verify:
+#         someProp: [value]
+#    web:
+#      sign:
+#        expiresIn: 1h # 1 hour by default
+#      verify:
+#         someProp: [value]
+
+# https://verdaccio.org/docs/configuration#user-rate-limit
+# userRateLimit:
+#   windowMs: 50000
+#   max: 1000
+
+# https://verdaccio.org/docs/configuration#max-body-size
+# max_body_size: 10mb
+
+# https://verdaccio.org/docs/configuration#listen-port
+# listen:
+# - localhost:4873            # default value
+# - http://localhost:4873     # same thing
+# - 0.0.0.0:4873              # listen on all addresses (INADDR_ANY)
+# - https://example.org:4873  # if you want to use https
+# - "[::1]:4873"                # ipv6
+# - unix:/tmp/verdaccio.sock    # unix socket
+
+# The HTTPS configuration is useful if you do not consider use a HTTP Proxy
+# https://verdaccio.org/docs/configuration#https
+# https:
+#   key: ./path/verdaccio-key.pem
+#   cert: ./path/verdaccio-cert.pem
+#   ca: ./path/verdaccio-csr.pem
+
+# https://verdaccio.org/docs/configuration#proxy
+# http_proxy: http://something.local/
+# https_proxy: https://something.local/
+
+# https://verdaccio.org/docs/configuration#notifications
+# notify:
+#   method: POST
+#   headers: [{ "Content-Type": "application/json" }]
+#   endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
+#   content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'
 
 middlewares:
   audit:
     enabled: true
 
+# https://verdaccio.org/docs/logger
 # log settings
-log:
+log: { type: stdout, format: pretty, level: http }
-  # Logger as STDOUT
+#experiments:
-  { type: stdout, format: pretty, level: http }
+#  # support for npm token command
-  # Logger as STDOUT as JSON
+#  token: false
-  # { type: stdout, format: json, level: http }
+#  # disable writing body size to logs, read more on ticket 1912
-  # Logger as STDOUT as JSON
+#  bytesin_off: false
-  # { type: stdout, format: pretty-timestamped, level: http }
+#  # enable tarball URL redirect for hosting tarball with a different server, the tarball_url_redirect can be a template string
-  # Logger as STDOUT as custom prettifier
+#  tarball_url_redirect: 'https://mycdn.com/verdaccio/${packageName}/${filename}'
-  # { type: stdout, plugin: { dest: '@verdaccio/logger-prettify' : options: { foo: 1, bar: 2}}, level: http }
+#  # the tarball_url_redirect can be a function, takes packageName and filename and returns the url, when working with a js configuration file
-  # Logger as file
+#  tarball_url_redirect(packageName, filename) {
-  # { type: file, path: verdaccio.log, level: http}
+#    const signedUrl = // generate a signed url
-  # FIXME: this should be documented
+#    return signedUrl;
-  # More info about log rotation https://github.com/pinojs/pino/blob/master/docs/help.md#log-rotation
+#  }
 
-# This affect the web and api (not developed yet)
+# translate your registry, api i18n not available yet
 i18n:
+  # list of the available translations https://github.com/verdaccio/verdaccio/blob/master/packages/plugins/ui-theme/src/i18n/ABOUT_TRANSLATIONS.md
   web: en-US

packages/config/src/conf/docker.yaml

@@ -1,23 +1,25 @@
 #
-# This is the config file used for the docker images.
+# This is the default configuration file. It allows all users to do anything,
-# It allows all users to do anything, so don't use it on production systems.
+# please read carefully the documentation and best practices to
+# improve security.
 #
 # Do not configure host and port under `listen` in this file
 # as it will be ignored when using docker.
 # see https://verdaccio.org/docs/en/docker#docker-and-custom-port-configuration
 #
 # Look here for more config file examples:
-# https://github.com/verdaccio/verdaccio/tree/master/packages/config/src/conf
+# https://github.com/verdaccio/verdaccio/tree/5.x/packages/config/src/conf/docker.yaml
 #
+# Read about the best practices
+# https://verdaccio.org/docs/best
 
 # path to a directory with all packages
 storage: /verdaccio/storage/data
 # path to a directory with plugins to include
 plugins: /verdaccio/plugins
 
+# https://verdaccio.org/docs/webui
 web:
-  # WebUI is enabled as default, if you want disable it, just uncomment this line
-  #enable: false
   title: Verdaccio
   # comment out to disable gravatar support
   # gravatar: false
@@ -50,11 +52,7 @@ web:
   #  Public path for template manifest scripts (only manifest)
   #  publicPath: http://somedomain.org/
 
-# translate your registry, api i18n not available yet
+# https://verdaccio.org/docs/configuration#authentication
-# i18n:
-# list of the available translations https://github.com/verdaccio/ui/tree/master/i18n/translations
-#   web: en-US
-
 auth:
   htpasswd:
     file: /verdaccio/storage/htpasswd
@@ -62,11 +60,15 @@ auth:
     # You can set this to -1 to disable registration.
     # max_users: 1000
 
+# https://verdaccio.org/docs/configuration#uplinks
 # a list of other known repositories we can talk to
 uplinks:
   npmjs:
     url: https://registry.npmjs.org/
 
+# Learn how to protect your packages
+# https://verdaccio.org/docs/protect-your-dependencies/
+# https://verdaccio.org/docs/configuration#packages
 packages:
   '@*/*':
     # scoped packages
@@ -83,7 +85,7 @@ packages:
     # and three keywords: "$all", "$anonymous", "$authenticated"
     access: $all
 
-    # allow all known users to publish/unpublish packages
+    # allow all known users to publish/publish packages
     # (anyone can register by default, remember?)
     publish: $authenticated
     unpublish: $authenticated
@@ -91,31 +93,102 @@ packages:
     # if package is not available locally, proxy requests to 'npmjs' registry
     proxy: npmjs
 
+# To improve your security configuration and  avoid dependency confusion
+# consider removing the proxy property for private packages
+# https://verdaccio.org/docs/best#remove-proxy-to-increase-security-at-private-packages
+
+# https://verdaccio.org/docs/configuration#server
+# You can specify HTTP/1.1 server keep alive timeout in seconds for incoming connections.
+# A value of 0 makes the http server behave similarly to Node.js versions prior to 8.0.0, which did not have a keep-alive timeout.
+# WORKAROUND: Through given configuration you can workaround following issue https://github.com/verdaccio/verdaccio/issues/301. Set to 0 in case 60 is not enough.
+server:
+  keepAliveTimeout: 60
+
+# https://verdaccio.org/docs/configuration#offline-publish
+# publish:
+#   allow_offline: false
+
+# https://verdaccio.org/docs/configuration#url-prefix
+# url_prefix: /verdaccio/
+# VERDACCIO_PUBLIC_URL='https://somedomain.org';
+# url_prefix: '/my_prefix'
+# // url -> https://somedomain.org/my_prefix/
+# VERDACCIO_PUBLIC_URL='https://somedomain.org';
+# url_prefix: '/'
+# // url -> https://somedomain.org/
+# VERDACCIO_PUBLIC_URL='https://somedomain.org/first_prefix';
+# url_prefix: '/second_prefix'
+# // url -> https://somedomain.org/second_prefix/'
+
+# https://verdaccio.org/docs/configuration#security
+# security:
+#   api:
+#     legacy: true
+#     jwt:
+#       sign:
+#         expiresIn: 29d
+#       verify:
+#         someProp: [value]
+#    web:
+#      sign:
+#        expiresIn: 1h # 1 hour by default
+#      verify:
+#         someProp: [value]
+
+# https://verdaccio.org/docs/configuration#user-rate-limit
+# userRateLimit:
+#   windowMs: 50000
+#   max: 1000
+
+# https://verdaccio.org/docs/configuration#max-body-size
+# max_body_size: 10mb
+
+# https://verdaccio.org/docs/configuration#listen-port
+# listen:
+# - localhost:4873            # default value
+# - http://localhost:4873     # same thing
+# - 0.0.0.0:4873              # listen on all addresses (INADDR_ANY)
+# - https://example.org:4873  # if you want to use https
+# - "[::1]:4873"                # ipv6
+# - unix:/tmp/verdaccio.sock    # unix socket
+
+# The HTTPS configuration is useful if you do not consider use a HTTP Proxy
+# https://verdaccio.org/docs/configuration#https
+# https:
+#   key: ./path/verdaccio-key.pem
+#   cert: ./path/verdaccio-cert.pem
+#   ca: ./path/verdaccio-csr.pem
+
+# https://verdaccio.org/docs/configuration#proxy
+# http_proxy: http://something.local/
+# https_proxy: https://something.local/
+
+# https://verdaccio.org/docs/configuration#notifications
+# notify:
+#   method: POST
+#   headers: [{ "Content-Type": "application/json" }]
+#   endpoint: https://usagge.hipchat.com/v2/room/3729485/notification?auth_token=mySecretToken
+#   content: '{"color":"green","message":"New package published: * {{ name }}*","notify":true,"message_format":"text"}'
+
 middlewares:
   audit:
     enabled: true
 
+# https://verdaccio.org/docs/logger
 # log settings
-# log settings
+log: { type: stdout, format: pretty, level: http }
-log:
+#experiments:
-  # Logger as STDOUT
+#  # support for npm token command
-  { type: stdout, format: pretty, level: http }
+#  token: false
-  # Logger as STDOUT as JSON
+#  # enable tarball URL redirect for hosting tarball with a different server, the tarball_url_redirect can be a template string
-  # { type: stdout, format: json, level: http }
+#  tarball_url_redirect: 'https://mycdn.com/verdaccio/${packageName}/${filename}'
-  # Logger as STDOUT as JSON
+#  # the tarball_url_redirect can be a function, takes packageName and filename and returns the url, when working with a js configuration file
-  # { type: stdout, format: pretty-timestamped, level: http }
+#  tarball_url_redirect(packageName, filename) {
-  # Logger as STDOUT as custom prettifier
+#    const signedUrl = // generate a signed url
-  # { type: stdout, plugin: { dest: '@verdaccio/logger-prettify' : options: { foo: 1, bar: 2}}, level: http }
+#    return signedUrl;
-  # Logger as file
+#  }
-  # { type: file, path: verdaccio.log, level: http}
-  # FIXME: this should be documented
-# More info about log rotation https://github.com/pinojs/pino/blob/master/docs/help.md#log-rotation
 
-flags:
+# translate your registry, api i18n not available yet
-  # support for npm token command
+# i18n:
-  token: false
+# list of the available translations https://github.com/verdaccio/verdaccio/blob/master/packages/plugins/ui-theme/src/i18n/ABOUT_TRANSLATIONS.md
-  # support for the new v1 search endpoint, functional by incomplete read more on ticket 1732
+#   web: en-US
-  search: false
-# This affect the web and api (not developed yet)
-#i18n:
-#web: en-US