# Passwall Server Environment Variables
# Copy this file to .env and fill in your actual values
# NEVER commit .env to git!
# NOTE:
# The server uses the "PW_" prefix by default (see internal/config/config.go).
# Keep the PW_* variables below for production deployments.
# ===================================
# SERVER CONFIGURATION
# ===================================
PW_SERVER_PORT=3625
PW_ENV=production
PW_SERVER_DOMAIN=https://your-domain.com
PW_SERVER_TIMEOUT=30
PW_SERVER_FRONTEND_URL=https://vault.your-domain.com
# CRITICAL: Generate a strong random secret for JWT tokens
# Example: openssl rand -base64 64
# openssl wraps base64 output at 64 characters, so the command above prints
# two lines. Join them into a single line before pasting, for example:
#   openssl rand -base64 64 | tr -d '\n'
# The placeholder below is public. Anyone who knows a JWT signing secret can
# generally mint tokens the server will accept, so never deploy it unchanged.
PW_SERVER_SECRET=your-super-secret-jwt-key-here-use-openssl-rand-base64-64
# CRITICAL: Generate a strong passphrase for encryption
# Example: openssl rand -base64 32
# NOTE(review): this file does not show what the passphrase encrypts or whether
# changing it requires re-encrypting stored data - confirm before rotating it
# on a live deployment, and keep a copy in a secrets manager.
PW_SERVER_PASSPHRASE=your-encryption-passphrase-here
# Token expiration durations (examples: 15m, 1h, 24h, 7d)
# A short access-token lifetime limits how long a stolen token stays usable.
# NOTE(review): confirm the config parser accepts the "d" unit; Go's
# time.ParseDuration has no unit larger than "h", so 7d may need to be 168h.
PW_SERVER_ACCESS_TOKEN_EXPIRE_DURATION=15m
PW_SERVER_REFRESH_TOKEN_EXPIRE_DURATION=24h
# Generated password length for password manager
PW_SERVER_GENERATED_PASSWORD_LENGTH=16
# ===================================
# DATABASE CONFIGURATION
# ===================================
PW_DB_NAME=passwall
# "postgres" is normally the PostgreSQL superuser. Prefer a dedicated role that
# owns only this database, so a leaked credential cannot reach other databases.
PW_DB_USERNAME=postgres
# Placeholder - replace with a unique, randomly generated password.
PW_DB_PASSWORD=your-database-password
PW_DB_HOST=localhost
PW_DB_PORT=5432
# "disable" leaves the database connection unencrypted. That is only reasonable
# when the database runs on the same host (as with PW_DB_HOST=localhost).
# For a remote database use "require" or, to also validate the server
# certificate, "verify-full" (standard PostgreSQL sslmode values).
# NOTE(review): presumably passed straight to the driver as sslmode - confirm
# in internal/config/config.go.
PW_DB_SSL_MODE=disable
# NOTE(review): if this enables query logging, check that logs cannot capture
# sensitive column values before turning it on in production.
PW_DB_LOG_MODE=false
# ===================================
# EMAIL CONFIGURATION
# ===================================
# SMTP Settings
PW_EMAIL_HOST=smtp.example.com
# 587 is the mail submission port, normally used with STARTTLS.
# NOTE(review): confirm the server refuses to authenticate when STARTTLS is not
# offered; otherwise the SMTP password could be sent in clear text.
PW_EMAIL_PORT=587
PW_EMAIL_USERNAME=your-email@example.com
# Placeholder - where the mail provider supports it, use an app-specific
# password or API key scoped to sending only, not the mailbox owner's password.
PW_EMAIL_PASSWORD=your-email-password
PW_EMAIL_FROM_EMAIL=no-reply@passwall.io
PW_EMAIL_FROM_NAME=Passwall
# ===================================
# STRIPE CONFIGURATION (Web payments)
# ===================================
# sk_live_ / pk_live_ are live-mode keys that act on real payments. Use the
# sk_test_ / pk_test_ pair in development and staging.
# The secret key (sk_) must stay server-side; only the publishable key (pk_)
# is meant to be exposed to clients.
PW_STRIPE_SECRET_KEY=sk_live_...
PW_STRIPE_PUBLISHABLE_KEY=pk_live_...
# Signing secret for the Stripe webhook endpoint (whsec_), used to check that
# incoming events really come from Stripe. It is specific to one endpoint, so
# each environment needs its own value.
# NOTE(review): confirm the webhook handler rejects events whose signature
# does not verify.
PW_STRIPE_WEBHOOK_SECRET=whsec_...
# ===================================
# REVENUECAT CONFIGURATION (Mobile in-app purchases)
# ===================================
# Webhook authorization secret (set in RevenueCat dashboard)
# This is the value that RevenueCat sends in the Authorization header
# It is a shared bearer credential: anyone who knows it can send requests that
# pass this check. Use a long random value (e.g. openssl rand -base64 32) and
# expose the webhook endpoint over HTTPS only, so the header is never sent in
# clear text.
PW_REVENUECAT_WEBHOOK_SECRET=your-revenuecat-webhook-secret
# ===================================
# AI CONFIGURATION (Telemetry Analysis)
# ===================================
# Enable AI-powered telemetry analysis (admin endpoint)
# NOTE(review): when enabled, telemetry is presumably sent to the provider
# configured below. Review which fields leave the deployment, and whether that
# fits your data-handling policy, before switching this on.
PW_AI_ENABLED=false
# Provider: "openai", "anthropic", or "custom"
PW_AI_PROVIDER=openai
# API key (also reads OPENAI_API_KEY as fallback)
# Because of that fallback, an OPENAI_API_KEY already present in the process
# environment is used when this is left empty. Set the key explicitly if the
# host environment is shared with other tools.
PW_AI_API_KEY=
# Base URL for OpenAI-compatible API
# Keep this on https:// and point it only at an endpoint you trust: the API
# key and the request payload are sent to whatever host is configured here.
PW_AI_BASE_URL=https://api.openai.com/v1
# Model name (e.g. gpt-4o, claude-sonnet-4-20250514)
PW_AI_MODEL=gpt-4o
# Request timeout in seconds
PW_AI_TIMEOUT=60
# ===================================
# BACKUP CONFIGURATION
# ===================================
# NOTE(review): these three variables do not carry the PW_ prefix that the
# header of this file says the server uses by default - confirm in
# internal/config/config.go that they are actually read under these names.
# Relative path, resolved against the server's working directory. Backups
# presumably contain vault data; restrict the folder to the service account
# and keep it outside any directory served over HTTP.
BACKUP_FOLDER=./store/backup
# NOTE(review): presumably the number of backups kept before the oldest is
# removed - confirm.
BACKUP_ROTATION=7
# NOTE(review): unit is not stated; 1440 suggests minutes (24 hours) - confirm.
BACKUP_PERIOD=1440
# ===================================
# SECURITY NOTES
# ===================================
# 1. Generate strong random secrets:
# - JWT Secret: openssl rand -base64 64
# - Passphrase: openssl rand -base64 32
#
# 2. Use environment variables in production
#
# 3. Enable SSL/TLS in production:
# - PW_DB_SSL_MODE=require (the database variable defined above, where the example value is "disable")
# - Use HTTPS domain
#
# 4. Change all default passwords
#
# 5. Revoke and regenerate email API keys if compromised