fdroidserver/examples/config.yml

---
# Copy this file to config.yml, then amend the settings below according to
# your system configuration.

# Custom path to the Android SDK, defaults to $ANDROID_HOME
# sdk_path: $ANDROID_HOME

# Paths to installed versions of the Android NDK.  This will be
# automatically filled out from well known sources like
# $ANDROID_HOME/ndk-bundle and $ANDROID_HOME/ndk/*.  If a required
# version is missing in the buildserver VM, it will be automatically
# downloaded and installed into the standard $ANDROID_HOME/ndk/
# directory.  Manually setting it here will override the auto-detected
# values.  The keys can either be the "release" (e.g. r21e) or the
# "revision" (e.g. 21.4.7075529).
#
# ndk_paths:
#   r10e: $ANDROID_HOME/android-ndk-r10e
#   r17: ""
#   21.4.7075529: ~/Android/Ndk
#   r22b: null

# Directory to store downloaded tools in (i.e. gradle versions)
# By default, these are stored in ~/.cache/fdroidserver
# cachedir: cache

# Specify paths to each major Java release that you want to support
# java_paths:
#   8: /usr/lib/jvm/java-8-openjdk

# Command or path to binary for running Ant
# ant: ant

# Command or path to binary for running maven 3
# mvn3: mvn

# Command or path to binary for running Gradle
# Defaults to using an internal gradle wrapper (gradlew-fdroid).
# gradle: gradle

# Always scan the APKs produced by `fdroid build` for known non-free classes
# scan_binary: true

# Set the maximum age (in days) of an index that a client should accept from
# this repo. Setting it to 0 or not setting it at all disables this
# functionality. If you do set this to a non-zero value, you need to ensure
# that your index is updated much more frequently than the specified interval.
# The same policy is applied to the archive repo, if there is one.
# repo_maxage: 0

# Canonical URL of the repositoy, needs to end in /repo. Is is used to identity
# the repo in the client, as well.
# repo_url: https://example.com/fdroid/repo
#
# Base URL for per-package pages on the website of this repo,
# i.e. https://f-droid.org/packages/<appid>/ This should be accessible
# with a browser. Setting it to null or not setting this disables the
# feature.
# repo_web_base_url: https://example.com/packages/
#
# repo_name: My First F-Droid Repo Demo
# repo_description: >-
#   This is a repository of apps to be used with F-Droid. Applications
#   in this repository are either official binaries built by the
#   original application developers, or are binaries built from source
#   by the admin of f-droid.org using the tools on
#   https://gitlab.com/fdroid.

# As above, but for the archive repo.
#
# archive_url: https://example.com/fdroid/archive
# archive_web_base_url:
# archive_name: My First F-Droid Archive Demo
# archive_description: >-
#   The repository of older versions of packages from the main demo repository.

# archive_older sets the number of versions kept in the main repo, with all
# older ones going to the archive. Set it to 0, and there will be no archive
# repository, and no need to define the other archive_ values.
#
# archive_older: 3

# The repo's icon defaults to a file called 'icon.png' in the 'icons'
# folder for each section, e.g. repo/icons/icon.png and
# archive/icons/icon.png.  To use a different filename for the icons,
# set the filename here.  You must still copy it into place in
# repo/icons/ and/or archive/icons/.
#
# repo_icon: myicon.png
# archive_icon: myicon.png

# This allows a specific kind of insecure APK to be included in the
# 'repo' section.  Since April 2017, APK signatures that use MD5 are
# no longer considered valid, jarsigner and apksigner will return an
# error when verifying.  `fdroid update` will move APKs with these
# disabled signatures to the archive.  This option stops that
# behavior, and lets those APKs stay part of 'repo'.
#
# allow_disabled_algorithms: true

# Normally, all apps are collected into a single app repository, like on
# https://f-droid.org. For certain situations, it is better to make a repo
# that is made up of APKs only from a single app. For example, an automated
# build server that publishes nightly builds.
# per_app_repos: true

# `fdroid update` will create a link to the current version of a given app.
# This provides a static path to the current APK. To disable the creation of
# this link, uncomment this:
# make_current_version_link: false

# By default, the "current version" link will be based on the "Name" of the
# app from the metadata. You can change it to use a different field from the
# metadata here:
# current_version_name_source: packageName

# Optionally, override home directory for gpg
# gpghome: /home/fdroid/somewhere/else/.gnupg

# The ID of a GPG key for making detached signatures for APKs. Optional.
# gpgkey: 1DBA2E89

# The key (from the keystore defined below) to be used for signing the
# repository itself. This is the same name you would give to keytool or
# jarsigner using -alias. (Not needed in an unsigned repository).
# repo_keyalias: fdroidrepo

# Optionally, the public key for the key defined by repo_keyalias above can
# be specified here. There is no need to do this, as the public key can and
# will be retrieved from the keystore when needed. However, specifying it
# manually can allow some processing to take place without access to the
# keystore.
# repo_pubkey: ...

# The keystore to use for release keys when building. This needs to be
# somewhere safe and secure, and backed up!  The best way to manage these
# sensitive keys is to use a "smartcard" (aka Hardware Security Module). To
# configure F-Droid to use a smartcard, set the keystore file using the keyword
# "NONE" (i.e. keystore: "NONE"). That makes Java find the keystore on the
# smartcard based on 'smartcardoptions' below.
# keystore: ~/.local/share/fdroidserver/keystore.jks

# You should not need to change these at all, unless you have a very
# customized setup for using smartcards in Java with keytool/jarsigner
# smartcardoptions: |
#   -storetype PKCS11 -providerName SunPKCS11-OpenSC
#   -providerClass sun.security.pkcs11.SunPKCS11
#   -providerArg opensc-fdroid.cfg

# The password for the keystore (at least 6 characters). If this password is
# different than the keypass below, it can be OK to store the password in this
# file for real use. But in general, sensitive passwords should not be stored
# in text files!
# keystorepass: password1

# The password for keys - the same is used for each auto-generated key as well
# as for the repository key. You should not normally store this password in a
# file since it is a sensitive password.
# keypass: password2

# The distinguished name used for all keys.
# keydname: CN=Birdman, OU=Cell, O=Alcatraz, L=Alcatraz, S=California, C=US

# Use this to override the auto-generated key aliases with specific ones
# for particular applications. Normally, just leave it empty.
#
# keyaliases:
#   com.example.app: example
#
# You can also force an app to use the same key alias as another one, using
# the @ prefix.
#
# keyaliases:
#   com.example.another.plugin: "@com.example.another"


# The full path to the root of the repository. It must be specified in
# rsync/ssh format for a remote host/path. This is used for syncing a locally
# generated repo to the server that is it hosted on. It must end in the
# standard public repo name of "/fdroid", but can be in up to three levels of
# sub-directories (i.e. /var/www/packagerepos/fdroid). You can include
# multiple servers to sync to by wrapping the whole thing in {} or [], and
# including the serverwebroot strings in a comma-separated list.
#
# serverwebroot: user@example:/var/www/fdroid
# serverwebroot:
#   - foo.com:/usr/share/nginx/www/fdroid
#   - bar.info:/var/www/fdroid
#
# There is a special mode to only deploy the index file:
#
# serverwebroot:
#   - url: 'me@b.az:/srv/fdroid'
#     index_only: true


# When running fdroid processes on a remote server, it is possible to
# publish extra information about the status.  Each fdroid sub-command
# can create repo/status/running.json when it starts, then a
# repo/status/<sub-command>.json when it completes.  The builds logs
# and other processes will also get published, if they are running in
# a buildserver VM.  The build logs name scheme is:
# .../repo/$APPID_$VERCODE.log.gz.  These files are also pushed to all
# servers configured in 'serverwebroot'.
#
# deploy_process_logs: true

# The full URL to a git remote repository. You can include
# multiple servers to mirror to by adding strings to a YAML list or map.
# Servers listed here will also be automatically inserted in the mirrors list.
#
# servergitmirrors: https://github.com/user/repo
# servergitmirrors:
#   - https://github.com/user/repo
#   - https://gitlab.com/user/repo
#
# servergitmirrors:
#   - url: https://github.com/user/repo
#   - url: https://gitlab.com/user/repo
#     index_only: true


# These settings allow using `fdroid deploy` for publishing APK files from
# your repository to GitHub Releases. (You should also run `fdroid update`
# every time before deploying to GitHub releases to update index files.) Here's
# an example for this deployment automation:
# https://github.com/f-droid/fdroidclient/releases/
#
# Currently, versions which are assigned to a release channel (e.g. alpha or
# beta releases) are ignored.
#
# In the example below, tokens are read from environment variables. Putting
# tokens directly into the config file is also supported but discouraged. It is
# highly recommended to use a "Fine-grained personal access token", which is
# restricted to the minimum required permissions, which are:
#  * Metadata - read
#  * Contents - read/write
# (https://github.com/settings/personal-access-tokens/new)
#
# github_token: {env: GITHUB_TOKEN}
# github_releases:
#   - projectUrl: https://github.com/f-droid/fdroidclient
#     packageNames:
#       - org.fdroid.basic
#       - org.fdroid.fdroid
#     release_notes_prepend: |
#       Re-post of official F-Droid App release from https://f-droid.org
#   - projectUrl: https://github.com/example/app
#     packageNames: com.example.app
#     token: {env: GITHUB_TOKEN_EXAMPLE}


# Most git hosting services have hard size limits for each git repo.
# `fdroid deploy` will delete the git history when the git mirror repo
# approaches this limit to ensure that the repo will still fit when
# pushed.  GitHub recommends 1GB, gitlab.com recommends 10GB.
#
# git_mirror_size_limit: 10GB

# Any mirrors of this repo, for example all of the servers declared in
# serverwebroot and all the servers declared in servergitmirrors,
# will automatically be used by the client.  If one
# mirror is not working, then the client will try another.  If the
# client has Tor enabled, then the client will prefer mirrors with
# .onion addresses. This base URL will be used for both the main repo
# and the archive, if it is enabled.  So these URLs should end in the
# 'fdroid' base of the F-Droid part of the web server like serverwebroot.
#
# mirrors:
#   - https://foo.bar/fdroid
#   - http://foobarfoobarfoobar.onion/fdroid
#
# Or additional metadata can also be included by adding key/value pairs:
#
# mirrors:
#   - url: https://foo.bar/fdroid
#     countryCode: BA
#   - url: http://foobarfoobarfoobar.onion/fdroid
#
# The list of mirrors can also be maintained in config/mirrors.yml, a
# standalone YAML file in the optional configuration directory.  In
# that case, mirrors: should be removed from this file (config.yml).


# optionally specify which identity file to use when using rsync or git over SSH
#
# identity_file: ~/.ssh/fdroid_id_rsa


# If you are running the repo signing process on a completely offline machine,
# which provides the best security, then you can specify a folder to sync the
# repo to when running `fdroid deploy`. This is most likely going to
# be a USB thumb drive, SD Card, or some other kind of removable media. Make
# sure it is mounted before running `fdroid deploy`. Using the
# standard folder called 'fdroid' as the specified folder is recommended, like
# with serverwebroot.
#
# local_copy_dir: /media/MyUSBThumbDrive/fdroid


# If you are using local_copy_dir on an offline build/signing server, once the
# thumb drive has been plugged into the online machine, it will need to be
# synced to the copy on the online machine. To make that happen
# automatically, set sync_from_local_copy_dir to True:
#
# sync_from_local_copy_dir: true

# To deploy to an AWS S3 "bucket" in the US East region, set the
# bucket name in the config, then set the environment variables
# AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY using the values from
# the AWS Management Console. See
# https://rclone.org/s3/#authentication
#
# awsbucket: myawsfdroidbucket


# For extended options for syncing to cloud drive and object store
# services, `fdroid deploy' wraps Rclone. Rclone is a full featured
# sync tool for a huge variety of cloud services. Set up your services
# using `rclone config`, then specify each config name to deploy the
# awsbucket: to.  Using rclone_config: overrides the default AWS S3 US
# East setup, and will only sync to the services actually specified.
#
# awsbucket: myawsfdroidbucket
# rclone_config:
#   - aws-sample-config
#   - rclone-supported-service-config


# By default Rclone uses the user's default configuration file at
# ~/.config/rclone/rclone.conf To specify a custom configuration file,
# please add the full path to the configuration file as below.
#
# path_to_custom_rclone_config: /home/mycomputer/somedir/example.conf


# If you want to force 'fdroid server' to use a non-standard serverwebroot.
# This will allow you to have 'serverwebroot' entries which do not end in
# '/fdroid'. (Please note that some client features expect repository URLs
# to end in '/fdroid/repo'.)
#
# nonstandardwebroot: false


# If you want to upload the release APK file to androidobservatory.org
#
# androidobservatory: false


# If you want to upload the release APK file to virustotal.com
# You have to enter your profile apikey to enable the upload.
#
# virustotal_apikey: 9872987234982734
#
# Or get it from an environment variable:
#
# virustotal_apikey: {env: virustotal_apikey}


# Keep a log of all generated index files in a git repo to provide a
# "binary transparency" log for anyone to check the history of the
# binaries that are published.  This is in the form of a "git remote",
# which this machine where `fdroid update` is run has already been
# configured to allow push access (e.g. ssh key, username/password, etc)
# binary_transparency_remote: git@gitlab.com:fdroid/binary-transparency-log.git

# Set this to true to always use a build server. This saves specifying the
# --server option on dedicated secure build server hosts.
# build_server_always: true

# Limit in number of characters that fields can take up
# Only the fields listed here are supported, defaults shown
# char_limits:
#   author: 256
#   name: 50
#   summary: 80
#   description: 4000
#   video: 256
#   whatsNew: 500

# It is possible for the server operator to specify lists of apps that
# must be installed or uninstalled on the client (aka "push installs).
# If the user has opted in, or the device is already setup to respond
# to these requests, then F-Droid will automatically install/uninstall
# the packageNames listed.  This is protected by the same signing key
# as the app index metadata.
#
# install_list:
#   - at.bitfire.davdroid
#   - com.fsck.k9
#   - us.replicant
#
# uninstall_list:
#   - com.facebook.orca
#   - com.android.vending

# `fdroid lint` checks licenses in metadata against a built white list.  By
# default we will require license metadata to be present and only allow
# licenses approved either by FSF or OSI.  We're using the standardized SPDX
# license IDs.  (https://spdx.org/licenses/)
#
# We use `python3 -m spdx-license-list print --filter-fsf-or-osi` for
# generating our default list.  (https://pypi.org/project/spdx-license-list)
#
# You can override our default list of allowed licenes by setting this option.
# Just supply a custom list of licene names you would like to allow. To disable
# checking licenses by the linter, assign an empty value to lint_licenses.
#
# lint_licenses:
#   - Custom-License-A
#   - Another-License

# `fdroid scanner` can scan for signatures from various sources. By default
# it's configured to only use F-Droids official SUSS collection. We have
# support for these special collections:
#  * 'exodus' - official exodus-privacy.org signatures
#  * 'etip' - exodus privacy investigation platfrom community contributed
#           signatures
#  * 'suss' - official F-Droid: Suspicious or Unwanted Software Signatures
# You can also configure scanner to use custom collections of signatures here.
# They have to follow the format specified in the SUSS readme.
# (https://gitlab.com/fdroid/fdroid-suss/#cache-file-data-format)
#
# scanner_signature_sources:
#   - suss
#   - exodus
#   - https://example.com/signatures.json

# The scanner can use signature sources from the internet. These are
# cached locally.  To force them to be refreshed from the network on
# every run, set this to true:
#
# refresh_scanner: true