Secrets
Secrets configuration
Comentario retrieves sensitive data (secrets), which are part of the static backend configuration, from two main sources:
- A YAML file;
- Environment variables (or files they reference).
If both sources are provided, environment variables take precedence.
This approach simplifies deployments in a Docker container or a Kubernetes cluster.
Secrets file
The secrets file is a regular YAML file, which can be provided with the --secrets command-line option, or $SECRETS_FILE environment variable. There’s a sample secrets.postgres.yaml file in Comentario git repository, which you can use as a starting point for your production configuration.
Environment variables
You can also provide certain values via environment variables (see the table below for variable names). Each value can be set either directly or via a file by using the same variable name with a _FILE suffix.
For example:
- If
COMENTARIO_POSTGRES_USERNAMEis set, its value is used as the PostgreSQL username. - If
COMENTARIO_POSTGRES_USERNAME_FILEis set, it must point to a readable file. The file’s contents are used as the PostgreSQL username.
Secrets configuration
Below is a summary of the values in the secrets file, with their environment equivalents.
| Key | Type | Description | Default value | Environment variable |
|---|---|---|---|---|
| Database | ||||
postgres.host | string | Hostname or IP address of PostgreSQL DB | COMENTARIO_POSTGRES_HOST | |
postgres.port | integer | Port number of PostgreSQL DB | 5432 | COMENTARIO_POSTGRES_PORT |
postgres.database | string | Name of the PostgreSQL database | COMENTARIO_POSTGRES_DATABASE | |
postgres.username | string | Username to connect to PostgreSQL | COMENTARIO_POSTGRES_USERNAME | |
postgres.password | string | Password to connect to PostgreSQL | COMENTARIO_POSTGRES_PASSWORD | |
postgres.sslmode | string | Alias for sslMode (exists for backward compatibility) | ||
postgres.sslMode | string | SSL mode for PostgreSQL (disable, require, verify-ca, verify-full) | disable | COMENTARIO_POSTGRES_SSL_MODE |
postgres.sslCert | string | Path to the certificate file, containing PEM-encoded data | COMENTARIO_POSTGRES_SSL_CERT | |
postgres.sslKey | string | Path to the private key file, containing PEM-encoded data | COMENTARIO_POSTGRES_SSL_KEY | |
postgres.sslCert | string | Path to the root certificate file, containing PEM-encoded data | COMENTARIO_POSTGRES_SSL_CERT | |
postgres.connTimeout | string | Maximum wait for database connection, in seconds. 0 means wait indefinitely | 0 | COMENTARIO_POSTGRES_CONN_TIMEOUT |
sqlite3.file | string | Path to the SQLite3 database file | COMENTARIO_SQLITE3_FILE | |
| SMTP server | ||||
smtpServer.host | string | Hostname or IP address of SMTP server. Required for emailing to work | COMENTARIO_SMTP_HOST | |
smtpServer.port | integer | Port number of SMTP server | 587 (STARTTLS) | COMENTARIO_SMTP_PORT |
smtpServer.username | string | Username to connect to SMTP server | COMENTARIO_SMTP_USERNAME | |
smtpServer.password | string | Password to connect to SMTP server | COMENTARIO_SMTP_PASSWORD | |
smtpServer.encryption | string | Encryption used for sending mails: none, ssl, tls | Derived from port | COMENTARIO_SMTP_ENCRYPTION |
smtpServer.insecure | boolean | Whether to skip SMTP server’s SSL certificate verification | false | COMENTARIO_SMTP_INSECURE |
smtpServer.emailFrom | string | ‘From’ address in sent emails | Value of smtpServer.username | COMENTARIO_SMTP_EMAIL_FROM |
| Identity providers | ||||
idp.facebook.disable | boolean | Whether to forcefully disable Facebook authentication | ||
idp.facebook.key | string | Client ID for Facebook authentication | ||
idp.facebook.secret | string | Client secret for Facebook authentication | ||
idp.github.disable | boolean | Whether to forcefully disable GitHub authentication | ||
idp.github.key | string | Client ID for GitHub authentication | ||
idp.github.secret | string | Client secret for GitHub authentication | ||
idp.gitlab.disable | boolean | Whether to forcefully disable GitLab authentication | ||
idp.gitlab.key | string | Client ID for GitLab authentication | ||
idp.gitlab.secret | string | Client secret for GitLab authentication | ||
idp.google.disable | boolean | Whether to forcefully disable Google authentication | ||
idp.google.key | string | Client ID for Google authentication | ||
idp.google.secret | string | Client secret for Google authentication | ||
idp.twitter.disable | boolean | Whether to forcefully disable Twitter/X authentication | ||
idp.twitter.key | string | Client ID for Twitter/X authentication | ||
idp.twitter.secret | string | Client secret for Twitter/X authentication | ||
| OIDC identity providers | ||||
idp.oidc | array | Array of OIDC provider entries, each element is an object (see below) | ||
idp.oidc.[N].id | string | Unique ID of the OIDC provider, consisting of max. 32 lowercase letters, digits, and dashes | ||
idp.oidc.[N].name | string | OIDC provider display name | ||
idp.oidc.[N].url | string | OIDC provider server URL | ||
idp.oidc.[N].scopes | array | OIDC scopes to request (array of strings) | ||
idp.oidc.[N].disable | boolean | Whether to forcefully disable authentication via this provider | ||
idp.oidc.[N].key | string | OIDC client ID | ||
idp.oidc.[N].secret | string | OIDC client secret | ||
| Extensions | ||||
extensions.akismet.disable | boolean | Whether to globally disable Akismet API | ||
extensions.akismet.key | string | Akismet API key | ||
extensions.perspective.disable | boolean | Whether to globally disable Perspective API | ||
extensions.perspective.key | string | Perspective API key | ||
extensions.apiLayerSpamChecker.disable | boolean | Whether to globally disable APILayer SpamChecker API | ||
extensions.apiLayerSpamChecker.key | string | APILayer SpamChecker API key | ||
| Other | ||||
xsrfSecret | string | Random string to generate XSRF key from (30 or more chars recommended) | Random value | COMENTARIO_XSRF_SECRET |
Database
The only mandatory settings in the above table concern database configuration: Comentario requires a database for data storage.
- If
postgres.hostis specified, PostgreSQL database will be used. Then you’ll also need to providepostgres.database,postgres.username, andpostgres.password. - Otherwise, Comentario will use a local, file-based SQLite3 database: you have to specify a complete file path in
sqlite3.file. If the file doesn’t exist, it will be created, but the path must exist and be writable.
Email sending & SMTP server settings
Comentario can optionally send notification emails. In order for this to work, SMTP server settings need to be specified:
- If
smtpServer.hostis not provided, no emails will be sent. - If
smtpServer.usernameis not provided, Comentario will try to connect to the SMTP server without authentication.
You may also need to provide a correct SMTP server port number and the encryption used. Comentario will try to guess the encryption from the port number:
tls(a.k.a.STARTTLS) — if the port is587(the default),ssl(a.k.a. “implicit TLS”) — if the port is465,- or
noneotherwise.
If unsure, look up the corresponding values in your email service provider’s documentation. Below are a few examples for popular services.
Mailgun:
smtpServer:
host: smtp.mailgun.org
port: 587
username: '<your username@domain>'
password: '<your password>'
Mailtrap:
smtpServer:
host: live.smtp.mailtrap.io
port: 587
username: api
password: '<your API key>'
PrivateEmail:
smtpServer:
host: mail.privateemail.com
port: 587
username: '<your username@domain>'
password: '<your password>'
SendGrid:
smtpServer:
host: smtp.sendgrid.net
port: 587
username: apikey
password: '<your API key>'
External identity providers
Comentario supports federated authentication via external identity providers, such as Google and Facebook.
- If no configuration is given for a federated identity provider, this provider will not be available for user authentication.
- If you want to (temporarily) disable a fully-configured identity provider, set its
disableflag totrue.
You can also configure one or more OpenID Connect (OIDC) identity providers:
- The provider must support the OIDC discovery spec (i.e. serve a discovery document at
.well-known/openid-configuration). - Like other federated identity providers, any OIDC provider can be disabled using the corresponding
disableflag.
Extensions
Comentario supports external comment-checking services called extensions.
- If no extension (Akismet, Perspective, etc.) API key is provided, this extension will still be available for users, but they will need to configure the key at the domain level in order to activate it.
- To disable an extension altogether, set its
disableflag totrue.
XSRF secret
You can provide a value in xsrfSecret, which will be SHA256-hashed and used as an XSRF key for the frontend API calls. If you omit this value, a random key will be generated.
A preconfigured, non-random secret value should be used in setups with multiple Comentario instances serving the same website; it would guarantee an XSRF token issued by one instance is accepted by another. Even in this situation it’s sensible to rotate the secret once in a while, making sure all Comentario instances are restarted afterwards.
Example
SQLite
Here’s an example of a minimal secrets.yaml file to use a local file-based database:
sqlite3:
file: /tmp/my-comentario.db
/tmp directory gets cleaned on each reboot, so you’ll lose all data.PostgreSQL
Another example of a minimal secrets.yaml file for connecting to PostgreSQL:
postgres:
host: 127.0.0.1
database: comentario
username: postgres
password: postgres