.env.example
# ========================
# Network / Docker Compose
# ========================
# These two variables live in the PROJECT ROOT .env file (next to docker-compose.yaml).
# Docker Compose reads them for port binding. They are NOT passed into the container.
#
# Network binding — controls whether T'Day is accessible from external IPs.
# 127.0.0.1 = localhost only (DEFAULT, RECOMMENDED)
# Access the app through a reverse proxy or Cloudflare Tunnel for HTTPS.
# 0.0.0.0 = allow external access over HTTP (NOT RECOMMENDED for production)
# Only use for local development or trusted LAN environments.
# TDAY_HOST_BIND=127.0.0.1
#
# Host port mapped to the backend container's port 8080.
# TDAY_HOST_PORT=2525
# ========================
# Environment & App Config
# ========================
# Generate with: openssl rand -base64 32
CRONJOB_SECRET=CHANGE_ME_WITH_A_RANDOM_32_BYTE_SECRET
# Application environment. Controls production-only behavior such as secure cookies and HSTS.
TDAY_ENV=development
# Optional comma-separated list of full origins (scheme + host, plus port if non-default) allowed
# for credentialed cross-origin browser requests. Leave empty for same-origin only.
CORS_ALLOWED_ORIGINS=
# Optional: load secrets from files (Docker/Kubernetes secret mounts).
# AUTH_SECRET_FILE=/run/secrets/auth_secret
# CRONJOB_SECRET_FILE=/run/secrets/cronjob_secret
# DATABASE_URL_FILE=/run/secrets/database_url
# ========================
# Sentry Telemetry
# ========================
# Backend Sentry DSN — set to the DSN from your tday-backend Sentry project.
SENTRY_DSN=
# Auth token for source-context / source-map uploads during CI builds.
# SENTRY_AUTH_TOKEN=
# ========================
# AI Summaries (Local)
# ========================
# Docker default uses the compose service name.
OLLAMA_URL=http://ollama:11434
# Tiny model recommended for fast task summaries.
OLLAMA_MODEL=qwen2.5:0.5b
# Timeout for model requests in milliseconds.
OLLAMA_TIMEOUT_MS=15000
# ========================
# Authentication
# ========================
# Generate your own secure 32-byte secret with: openssl rand -base64 32 (use a value distinct from CRONJOB_SECRET).
AUTH_SECRET=CHANGE_ME_WITH_A_RANDOM_32_BYTE_SECRET
# PBKDF2 iterations used for credential hashing.
AUTH_PBKDF2_ITERATIONS=310000
# Rolling inactivity window for persistent web auth (seconds). Default 30 days.
AUTH_SESSION_MAX_AGE_SEC=2592000
# Absolute session cap from the original login time (seconds). Default 90 days.
AUTH_SESSION_ABSOLUTE_MAX_AGE_SEC=7776000
# Renew the session cookie when this many seconds or fewer remain. Default 7 days.
AUTH_SESSION_RENEW_THRESHOLD_SEC=604800
# Optional RSA private key (PKCS8 PEM) for client-side credential envelope encryption.
# When unset, the server generates an ephemeral key at startup; this only works on single-instance setups,
# so multi-instance deployments must set a shared key here (or via the _FILE variant below).
AUTH_CREDENTIALS_PRIVATE_KEY=
# AUTH_CREDENTIALS_PRIVATE_KEY_FILE=/run/secrets/auth_credentials_private_key
# ========================
# Database (Docker-ready)
# ========================
# JDBC-format URL used by Ktor / HikariCP.
# Keep in sync with docker-compose.yml. The user/password below are placeholder values for local
# development only; use unique credentials (here and in the compose file) for any other deployment.
DATABASE_URL=postgresql://myuser:mypass@database:5432/mydb
# ========================
# Auth Hardening (Rate Limits / Lockout)
# ========================
# CSRF endpoint limiter (GET /api/auth/csrf)
AUTH_LIMIT_CSRF_WINDOW_SEC=60
AUTH_LIMIT_CSRF_MAX=40
# Credentials callback limiter (POST /api/auth/callback/credentials)
AUTH_LIMIT_CREDENTIALS_WINDOW_SEC=300
AUTH_LIMIT_CREDENTIALS_MAX=12
# Session and credential-key limiter (GET /api/auth/session, GET /api/auth/credentials-key)
AUTH_LIMIT_SESSION_WINDOW_SEC=60
AUTH_LIMIT_SESSION_MAX=60
# Registration limiter (POST /api/auth/register)
AUTH_LIMIT_REGISTER_WINDOW_SEC=3600
AUTH_LIMIT_REGISTER_MAX=6
# Exponential lockout settings for repeated credential failures
AUTH_LOCKOUT_FAIL_THRESHOLD=5
AUTH_LOCKOUT_BASE_SEC=30
AUTH_LOCKOUT_MAX_SEC=1800
AUTH_LOCKOUT_RESET_SEC=86400
# Number of failed attempts after which CAPTCHA is required (only enforced when AUTH_CAPTCHA_SECRET is set).
AUTH_CAPTCHA_TRIGGER_FAILURES=3
# Optional Turnstile secret; when set, repeated auth failures require CAPTCHA.
AUTH_CAPTCHA_SECRET=
# AUTH_CAPTCHA_SECRET_FILE=/run/secrets/auth_captcha_secret
# Optional frontend site key for clients.
AUTH_CAPTCHA_SITE_KEY=
# Alerting thresholds (event log only; wire to external monitoring for paging).
AUTH_ALERT_IP_FAILURE_THRESHOLD=12
AUTH_ALERT_LOCKOUT_BURST_SEC=900
AUTH_SIGNAL_ANOMALY_WINDOW_SEC=86400
# One-time password-proof challenge TTL (seconds) for non-WebCrypto browser fallback.
AUTH_PASSWORD_PROOF_CHALLENGE_TTL_SEC=120
# Max in-memory active challenges before oldest entries are evicted.
AUTH_PASSWORD_PROOF_MAX_ACTIVE=5000
# ========================
# OAuth Providers (Optional)
# ========================
AUTH_GOOGLE_ID=
AUTH_GOOGLE_SECRET=
AUTH_DISCORD_ID=
AUTH_DISCORD_SECRET=
# ========================
# AWS (Optional - Notes & Encrypted File Storage)
# ========================
AWS_BUCKET_NAME=
AWS_ACCESSKEYID=
AWS_SECRETACCESSKEY=
AWS_REGION=
# ========================
# Field Encryption At Rest (Server-side)
# ========================
# Active key id + key material. Key can be base64 (32 bytes) or 64-char hex.
DATA_ENCRYPTION_KEY_ID=primary
DATA_ENCRYPTION_KEY=
# DATA_ENCRYPTION_KEY_FILE=/run/secrets/data_encryption_key
# Optional key ring for rotation support: keyId:base64,keyId2:base64
DATA_ENCRYPTION_KEYS=
# DATA_ENCRYPTION_KEYS_FILE=/run/secrets/data_encryption_keys
# Optional Additional Authenticated Data tag. It is bound into each ciphertext, so changing it after data
# has been written will likely prevent existing records from decrypting — confirm rotation handling before changing it.
DATA_ENCRYPTION_AAD=tday:v1
# DATA_ENCRYPTION_AAD_FILE=/run/secrets/data_encryption_aad
# ========================
# App-Backend Version Sync
# ========================
# The app version the server is compatible with (e.g. "1.12.0").
# When set (along with the encryption key), clients receive an encrypted
# compatibility payload in the probe response.
TDAY_APP_VERSION=1.23.0
# Set to true to block older/newer app versions from connecting.
TDAY_UPDATE_REQUIRED=true
# 32-byte AES key, base64url-encoded. Same key must be compiled into the apps.
# Generate with: openssl rand -base64 32 | tr '+/' '-_' | tr -d '='
TDAY_PROBE_ENCRYPTION_KEY=
# TDAY_PROBE_ENCRYPTION_KEY_FILE=/run/secrets/tday_probe_encryption_key