Files
2026-05-18 23:35:37 +02:00

83 lines
5.0 KiB
Bash

# ─────────────────────────────────────────────────────────────────────────────
# TOTPVault — Environment Variables
#
# Quick start (local dev):
# cp .env.example .env
# docker compose up -d --build
#
# The defaults below start the stack for local development. Configure at least
# one login method (MailerSend or an OAuth provider) before signing in.
# Before deploying to production, replace every value marked ⚠ CHANGE ME.
# ─────────────────────────────────────────────────────────────────────────────
# ── Application ──────────────────────────────────────────────────────────────
APP_URL=http://localhost:8080
# ── Database ─────────────────────────────────────────────────────────────────
# DB_HOST must resolve inside the Compose network. Default: "db".
# If your Podman Compose setup cannot resolve "db", use "totpvault-db".
DB_HOST=db
DB_PORT=3306
DB_NAME=totpvault
DB_USER=totpvault
DB_PASSWORD=totpvault_local_dev # ⚠ CHANGE ME in production
DB_ROOT_PASSWORD=root_local_dev # ⚠ CHANGE ME in production
# ── Encryption ───────────────────────────────────────────────────────────────
# Pre-generated for local dev. Generate a fresh one for production with:
# php -r "echo base64_encode(random_bytes(32)) . PHP_EOL;"
# ⚠ CHANGE ME in production — and never change it after you have stored tokens.
# Rotating this key makes ALL existing encrypted secrets permanently unreadable.
ENCRYPTION_KEY=K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
# ── Session ──────────────────────────────────────────────────────────────────
SESSION_COOKIE_NAME=totpvault_session
SESSION_LIFETIME=2592000 # 30 days in seconds
# ── Mail (MailerSend) ────────────────────────────────────────────────────────
# Magic-link login requires a valid key. Leave blank to disable email login.
# Sign up at https://www.mailersend.com and create an API token.
MAILERSEND_KEY=
MAIL_FROM_EMAIL=noreply@localhost
MAIL_FROM_NAME=TOTPVault
# ── OAuth: Google ────────────────────────────────────────────────────────────
# Leave blank to disable this provider. https://console.cloud.google.com
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
# ── OAuth: Microsoft ─────────────────────────────────────────────────────────
# Leave blank to disable this provider. https://portal.azure.com
MICROSOFT_CLIENT_ID=
MICROSOFT_CLIENT_SECRET=
# ── OAuth: GitHub ────────────────────────────────────────────────────────────
# Leave blank to disable this provider. https://github.com/settings/developers
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
# ── OAuth/OIDC: Keycloak ─────────────────────────────────────────────────────
# Leave blank to disable this provider.
# Local callback URL: http://localhost:8080/auth/callback/keycloak
KEYCLOAK_CLIENT_ID=
KEYCLOAK_CLIENT_SECRET=
KEYCLOAK_BASE_URL=
KEYCLOAK_INTERNAL_BASE_URL=
KEYCLOAK_REALM=
KEYCLOAK_REDIRECT_URI=
KEYCLOAK_SCOPE=openid email profile
# ── Optional local Keycloak test container ───────────────────────────────────
# To test Keycloak locally without editing the blank provider settings above:
# docker compose -f docker-compose.yml -f docker-compose.keycloak.yml --profile keycloak up -d --build
# KEYCLOAK_CLIENT_ID=totpvault
# KEYCLOAK_CLIENT_SECRET=totpvault-dev-secret
# KEYCLOAK_BASE_URL=http://localhost:8081
# If your Podman Compose setup cannot resolve "keycloak", use
# http://totpvault-keycloak:8080 instead.
# KEYCLOAK_INTERNAL_BASE_URL=http://keycloak:8080
# KEYCLOAK_REALM=totpvault
# KEYCLOAK_REDIRECT_URI=http://localhost:8080/auth/callback/keycloak
KEYCLOAK_ADMIN_USERNAME=admin
KEYCLOAK_ADMIN_PASSWORD=admin