google-nomulus/java/google/registry/config/files/default-config.yaml

# This is the default configuration file for Nomulus. Do not make changes to it
# unless you are writing new features that requires you to. To customize an
# individual deployment or environment, create a nomulus-config.yaml file in the
# WEB-INF/ directory overriding only the values you wish to change. You may need
# to override some of these values to configure and enable some services used in
# production environments.

appEngine:
  # Globally unique App Engine project ID
  projectId: registry-project-id

  # whether to use local/test credentials when connecting to the servers
  isLocal: true
  # URLs of the services for the project.
  defaultServiceUrl: https://localhost
  backendServiceUrl: https://localhost
  toolsServiceUrl: https://localhost
  pubapiServiceUrl: https://localhost

gSuite:
  # Publicly accessible domain name of the running G Suite instance.
  domainName: domain-registry.example

  # Display name and email address used on outgoing emails through G Suite.
  outgoingEmailDisplayName: Example Registry
  outgoingEmailAddress: noreply@project-id.appspotmail.com

  # Email address of the admin account on the G Suite app. This is used for
  # logging in to perform administrative actions, not sending emails.
  adminAccountEmailAddress: admin@example.com

registryPolicy:
  # Repository identifier (ROID) suffix for contacts and hosts.
  contactAndHostRoidSuffix: ROID

  # Product name of the registry. Used throughout the registrar console.
  productName: Nomulus

  # Custom logic factory fully-qualified class name.
  # See flows/custom/CustomLogicFactory.java
  customLogicFactoryClass: google.registry.flows.custom.CustomLogicFactory

  # WHOIS command factory fully-qualified class name.
  # See whois/WhoisCommandFactory.java
  whoisCommandFactoryClass: google.registry.whois.WhoisCommandFactory

  # Custom logic class for handling allocation tokens.
  # See flows/domain/token/AllocationTokenCustomLogic.java
  allocationTokenCustomLogicClass: google.registry.flows.domain.token.AllocationTokenCustomLogic

  # Length of time after which contact transfers automatically conclude.
  contactAutomaticTransferDays: 5

  # Server ID used in the 'svID' element of an EPP 'greeting'.
  greetingServerId: Nomulus Registry

  # List of email addresses that notifications of registrar and/or registrar
  # contact updates should be sent to, or empty list for no notifications.
  registrarChangesNotificationEmailAddresses: []

  # Default WHOIS server used when not specified on a registrar.
  defaultRegistrarWhoisServer: whois.domain-registry.example

  # Mode TMCH should run in (PRODUCTION for production environments, PILOT for
  # all others including sandbox).
  tmchCaMode: PILOT

  # URL for the ICANN TMCH Certificate Revocation List.
  tmchCrlUrl: http://crl.icann.org/tmch_pilot.crl

  # URL for the MarksDB registry interface.
  tmchMarksDbUrl: https://test-ry.marksdb.org

  # Registry’s operations registrar, used for front-end availability/premium
  # domain checks.
  checkApiServletClientId: TheRegistrar

  # The registry admin's registrar. Admins are granted permission to log in
  # using this registrar automatically if they are not associated with any
  # registrar
  registryAdminClientId: TheRegistrar

  # Disclaimer at the top of the exported premium terms list.
  premiumTermsExportDisclaimer: |
    This list contains domains for the TLD offered at a premium price. This
    list is subject to change. The most up-to-date source is always the
    registry itself, by sending domain check EPP commands.

  # Disclaimer at the top of the exported reserved terms list.
  reservedTermsExportDisclaimer: |
    This list contains reserved terms for the TLD. Other terms may be reserved
    but not included in this list, including terms the registry chooses not
    to publish. This list is subject to change. The most up-to-date source
    is always the registry itself, by sending domain check EPP commands.

  # Disclaimer at the top of WHOIS results.
  whoisDisclaimer: |
    WHOIS information is provided by the registry solely for query-based,
    informational purposes. Any information provided is "as is" without any
    guarantee of accuracy. You may not use such information to (a) allow,
    enable, or otherwise support the transmission of mass unsolicited,
    commercial advertising or solicitations; (b) enable high volume, automated,
    electronic processes that access the registry's systems or any
    ICANN-Accredited Registrar, except as reasonably necessary to register
    domain names or modify existing registrations; or (c) engage in or support
    unlawful behavior. We reserve the right to restrict or deny your access to
    the WHOIS database, and may modify these terms at any time.

  # RDAP Terms of Service text displayed at the /rdap/help/tos endpoint.
  rdapTos: >
    By querying our Domain Database as part of the RDAP pilot program (RDAP
    Domain Database), you are agreeing to comply with these terms, so please
    read them carefully.

    Any information provided is 'as is' without any guarantee of accuracy.

    Please do not misuse the RDAP Domain Database. It is intended solely for
    query-based access on an experimental basis and should not be used for or
    relied upon for any other purpose.

    Don't use the RDAP Domain Database to allow, enable, or otherwise support
    the transmission of mass unsolicited, commercial advertising or
    solicitations.

    Don't access our RDAP Domain Database through the use of high volume,
    automated electronic processes that send queries or data to the systems
    of any ICANN-accredited registrar.

    You may only use the information contained in the RDAP Domain Database for
    lawful purposes.

    Do not compile, repackage, disseminate, or otherwise use the information
    contained in the RDAP Domain Database in its entirety, or in any
    substantial portion, without our prior written permission.

    We may retain certain details about queries to our RDAP Domain Database
    for the purposes of detecting and preventing misuse.

    We reserve the right to restrict or deny your access to the RDAP Domain
    Database if we suspect that you have failed to comply with these terms.

    We reserve the right to modify or discontinue our participation in the
    RDAP pilot program and suspend or terminate access to the RDAP Domain
    Database at any time and for any reason in our sole discretion.

    We reserve the right to modify this agreement at any time.

  # Body of the spec 11 email sent to registrars.
  # Items in braces are to be replaced.
  spec11EmailBodyTemplate: |
    Dear registrar partner,

    The registry conducts periodic technical analyses of all domains registered
    in its TLDs. As part of this analysis, the following domains that you
    manage were flagged for potential security concerns:

    {LIST_OF_THREATS}

    Please communicate these findings to the registrant and work with the
    registrant to mitigate any security issues and have the domains delisted.

    Some helpful sites for getting off a blocked list include:

      - Google Search Console (https://search.google.com/search-console/about)
        -- includes information and tools for webmasters to learn about and
        mitigate security threats and have their websites delisted
      - first.org -- a registry of Computer Emergency Response Teams (CERTs)
        that may be able to assist in mitigation
      - stopbadware.org -- a non-profit anti-malware organization that provides
        support and information for webmasters dealing with security threats

    If you have any questions regarding this notice, please contact
    {REPLY_TO_EMAIL}.

datastore:
  # Number of commit log buckets in Datastore. Lowering this after initial
  # install risks losing up to a days' worth of differential backups.
  commitLogBucketsNum: 397

  # Number of EPP resource index buckets in Datastore. Don’t change after
  # initial install.
  eppResourceIndexBucketsNum: 997

  # Milliseconds that Objectify waits to retry a Datastore transaction (this
  # doubles after each failure).
  baseOfyRetryMillis: 100

cloudDns:
  # The root url for the Cloud DNS API.  Set this to a non-null value to
  # override the default API server used by the googleapis library.
  rootUrl: null

  # The service endpoint path for the Cloud DNS API.  Set this to a non-null
  # value to override the default API path used by the googleapis library.
  servicePath: null

caching:
  # Length of time that a singleton should be cached before expiring.
  singletonCacheRefreshSeconds: 600

  # Length of time that a reserved/premium list should be cached before expiring.
  domainLabelCachingSeconds: 3600

  # Length of time that a long-lived singleton in persist mode should be cached.
  singletonCachePersistSeconds: 31557600 # This is one year.

  # Maximum total number of static premium list entry entities to cache in
  # memory, across all premium lists for all TLDs. Tuning this up will use more
  # memory (and might require using larger App Engine instances). Note that
  # premium list entries that are absent are cached in addition to ones that are
  # present, so the total cache size is not bounded by the total number of
  # premium price entries that exist.
  staticPremiumListMaxCachedEntries: 200000

  # Whether to enable caching of EPP resource entities and keys. Enabling this
  # caching allows for much higher domain create/update throughput when hosts
  # and/or contacts are being frequently used (which is commonly the case).
  # However, this may introduce transactional inconsistencies, such as allowing
  # hosts or contacts to be used that are actually deleted (though in practice
  # this will only happen for non-widely-used entities). Only set this to true
  # if you need the performance, i.e. if you need >10 domain mutations per
  # frequently used contact or host. This situation is typically caused by
  # registrars reusing the same contact/host across many operations, e.g. a
  # privacy/proxy contact or a common host pointing to a registrar-run
  # nameserver.
  eppResourceCachingEnabled: false

  # Length of time that EPP resource entities and keys are cached in memory
  # before expiring. This should always be shorter than asyncDeleteDelaySeconds,
  # to prevent deleted contacts or hosts from being used on domains.
  eppResourceCachingSeconds: 60

  # The maximum number of EPP resource entities and keys to cache in memory.
  # LoadingCache evicts rarely-used keys first, so in practice this does not
  # have to be very large to achieve the vast majority of possible gains.
  eppResourceMaxCachedEntries: 500

oAuth:
  # OAuth scopes to detect on access tokens. Superset of requiredOauthScopes.
  availableOauthScopes:
    - https://www.googleapis.com/auth/userinfo.email

  # OAuth scopes required for authenticating. Subset of availableOauthScopes.
  requiredOauthScopes:
    - https://www.googleapis.com/auth/userinfo.email

  # OAuth client IDs that are allowed to authenticate and communicate with
  # backend services, e. g. nomulus tool, EPP proxy, etc. All client_id values
  # used in client_secret.json files for associated tooling should be included
  # in this list. Client IDs are typically of the format
  # numbers-alphanumerics.apps.googleusercontent.com
  allowedOauthClientIds: []

credentialOAuth:
  # OAuth scopes required for accessing Google APIs using the default
  # credential.
  defaultCredentialOauthScopes:
    # View and manage data in all Google Cloud APIs.
    - https://www.googleapis.com/auth/cloud-platform
    # View and manage files in Google Drive, e.g., Docs and Sheets.
    - https://www.googleapis.com/auth/drive
  # OAuth scopes required for delegated admin access to G Suite domain.
  # Deployment of changes to this list must be coordinated with G Suite admin
  # configuration, which can be managed in the admin console:
  # - New scopes must be added to the G Suite domain configuration before the
  #   release is deployed.
  # - Removed scopes must remain on G Suite domain configuration until the
  #   release is deployed.
  delegatedCredentialOauthScopes:
    # View and manage groups on your domain in Directory API.
    - https://www.googleapis.com/auth/admin.directory.group
    # View and manage group settings in Group Settings API.
    - https://www.googleapis.com/auth/apps.groups.settings


icannReporting:
  # URL we PUT monthly ICANN transactions reports to.
  icannTransactionsReportingUploadUrl: https://ry-api.icann.org/report/registrar-transactions

  # URL we PUT monthly ICANN activity reports to.
  icannActivityReportingUploadUrl: https://ry-api.icann.org/report/registry-functions-activity

billing:
  invoiceEmailRecipients: []

rde:
  # URL prefix of ICANN's server to upload RDE reports to. Nomulus adds /TLD/ID
  # to the end of this to construct the full URL.
  reportUrlPrefix: https://test-ry-api.icann.org:8543/report/registry-escrow-report

  # SFTP URL to which RDE deposits are uploaded. This should contain a username
  # but not the password.
  uploadUrl: sftp://username@rde-provider.example

  # Identity of the SSH keys (stored in the Keyring) used for RDE SFTP uploads.
  sshIdentityEmailAddress: rde@example.com

registrarConsole:
  # Filename of the logo to use in the header of the console. This filename is
  # relative to ui/assets/images/
  logoFilename: logo.png

  # Contact phone number for support with the registry.
  supportPhoneNumber: +1 (888) 555 0123

  # Contact email address for support with the registry.
  supportEmailAddress: support@example.com

  # From: email address used to send announcements from the registry.
  announcementsEmailAddress: announcements@example.com

  # Contact email address for questions about integrating with the registry.
  integrationEmailAddress: integration@example.com

  # URL linking to directory of technical support docs on the registry.
  technicalDocsUrl: http://example.com/your_support_docs/

monitoring:
  # Max queries per second for the Google Cloud Monitoring V3 (aka Stackdriver)
  # API. The limit can be adjusted by contacting Cloud Support.
  stackdriverMaxQps: 30

  # Max number of points that can be sent to Stackdriver in a single
  # TimeSeries.Create API call.
  stackdriverMaxPointsPerRequest: 200

  # How often metrics are exported to BigQuery.
  writeIntervalSeconds: 60

misc:
  # The ID of the Google Sheet (as found in the URL) to export registrar details
  # to. Leave this null to disable syncing.
  sheetExportId: null

  # Address we send alert summary emails to.
  alertRecipientEmailAddress: email@example.com

  # Address to which the Spec 11 emails to registrars should be replied. This needs
  # to be a deliverable email address in case the registrars want to contact us.
  spec11ReplyToEmailAddress: reply-to@example.com

  # Domain for the email address we send alert summary emails from.
  alertEmailSenderDomain: appspotmail.com

  # How long to delay processing of asynchronous deletions. This should always
  # be longer than eppResourceCachingSeconds, to prevent deleted contacts or
  # hosts from being used on domains.
  asyncDeleteDelaySeconds: 90

cloudDns:
  # CloudDns testing config. Set both properties to null in Production.
  rootUrl: https://staging-www.sandbox.googleapis.com
  servicePath: dns/v2beta1_staging/projects/

beam:
  # The default zone to run Apache Beam (Cloud Dataflow) jobs in.
  defaultJobZone: us-east1-c

keyring:
  # The name of the active keyring, either "KMS" or "Dummy".
  activeKeyring: Dummy

  # Configuration options specific to Google Cloud KMS.
  kms:
    # GCP project containing the KMS keyring. Should only be used for KMS in
    # order to keep a simple locked down IAM configuration.
    projectId: registry-kms-project-id

    # The name to use for the Cloud KMS KeyRing which will store encryption keys
    # for Nomulus secrets.
    keyringName: nomulus

# Configuration options relevant to the "nomulus" registry tool.
registryTool:
  # Name of the client secret file used for authenticating with App Engine.
  clientSecretFilename: /google/registry/tools/resources/client_secret.json