mirror of
https://github.com/token2/TOTPVault.git
synced 2026-06-22 23:42:25 -07:00
83 lines
5.0 KiB
Bash
83 lines
5.0 KiB
Bash
# ─────────────────────────────────────────────────────────────────────────────
|
|
# TOTPVault — Environment Variables
|
|
#
|
|
# Quick start (local dev):
|
|
# cp .env.example .env
|
|
# docker compose up -d --build
|
|
#
|
|
# The defaults below start the stack for local development. Configure at least
|
|
# one login method (MailerSend or an OAuth provider) before signing in.
|
|
# Before deploying to production, replace every value marked ⚠ CHANGE ME.
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
|
|
# ── Application ──────────────────────────────────────────────────────────────
|
|
APP_URL=http://localhost:8080
|
|
|
|
# ── Database ─────────────────────────────────────────────────────────────────
|
|
# DB_HOST must resolve inside the Compose network. Default: "db".
|
|
# If your Podman Compose setup cannot resolve "db", use "totpvault-db".
|
|
DB_HOST=db
|
|
DB_PORT=3306
|
|
DB_NAME=totpvault
|
|
DB_USER=totpvault
|
|
DB_PASSWORD=totpvault_local_dev # ⚠ CHANGE ME in production
|
|
DB_ROOT_PASSWORD=root_local_dev # ⚠ CHANGE ME in production
|
|
|
|
# ── Encryption ───────────────────────────────────────────────────────────────
|
|
# Pre-generated for local dev. Generate a fresh one for production with:
|
|
# php -r "echo base64_encode(random_bytes(32)) . PHP_EOL;"
|
|
# ⚠ CHANGE ME in production — and never change it after you have stored tokens.
|
|
# Rotating this key makes ALL existing encrypted secrets permanently unreadable.
|
|
ENCRYPTION_KEY=K7gNU3sdo+OL0wNhqoVWhr3g6s1xYv72ol/pe/Unols=
|
|
|
|
# ── Session ──────────────────────────────────────────────────────────────────
|
|
SESSION_COOKIE_NAME=totpvault_session
|
|
SESSION_LIFETIME=2592000 # 30 days in seconds
|
|
|
|
# ── Mail (MailerSend) ────────────────────────────────────────────────────────
|
|
# Magic-link login requires a valid key. Leave blank to disable email login.
|
|
# Sign up at https://www.mailersend.com and create an API token.
|
|
MAILERSEND_KEY=
|
|
MAIL_FROM_EMAIL=noreply@localhost
|
|
MAIL_FROM_NAME=TOTPVault
|
|
|
|
# ── OAuth: Google ────────────────────────────────────────────────────────────
|
|
# Leave blank to disable this provider. https://console.cloud.google.com
|
|
GOOGLE_CLIENT_ID=
|
|
GOOGLE_CLIENT_SECRET=
|
|
|
|
# ── OAuth: Microsoft ─────────────────────────────────────────────────────────
|
|
# Leave blank to disable this provider. https://portal.azure.com
|
|
MICROSOFT_CLIENT_ID=
|
|
MICROSOFT_CLIENT_SECRET=
|
|
|
|
# ── OAuth: GitHub ────────────────────────────────────────────────────────────
|
|
# Leave blank to disable this provider. https://github.com/settings/developers
|
|
GITHUB_CLIENT_ID=
|
|
GITHUB_CLIENT_SECRET=
|
|
|
|
# ── OAuth/OIDC: Keycloak ─────────────────────────────────────────────────────
|
|
# Leave blank to disable this provider.
|
|
# Local callback URL: http://localhost:8080/auth/callback/keycloak
|
|
KEYCLOAK_CLIENT_ID=
|
|
KEYCLOAK_CLIENT_SECRET=
|
|
KEYCLOAK_BASE_URL=
|
|
KEYCLOAK_INTERNAL_BASE_URL=
|
|
KEYCLOAK_REALM=
|
|
KEYCLOAK_REDIRECT_URI=
|
|
KEYCLOAK_SCOPE=openid email profile
|
|
|
|
# ── Optional local Keycloak test container ───────────────────────────────────
|
|
# To test Keycloak locally without editing the blank provider settings above:
|
|
# docker compose -f docker-compose.yml -f docker-compose.keycloak.yml --profile keycloak up -d --build
|
|
# KEYCLOAK_CLIENT_ID=totpvault
|
|
# KEYCLOAK_CLIENT_SECRET=totpvault-dev-secret
|
|
# KEYCLOAK_BASE_URL=http://localhost:8081
|
|
# If your Podman Compose setup cannot resolve "keycloak", use
|
|
# http://totpvault-keycloak:8080 instead.
|
|
# KEYCLOAK_INTERNAL_BASE_URL=http://keycloak:8080
|
|
# KEYCLOAK_REALM=totpvault
|
|
# KEYCLOAK_REDIRECT_URI=http://localhost:8080/auth/callback/keycloak
|
|
KEYCLOAK_ADMIN_USERNAME=admin
|
|
KEYCLOAK_ADMIN_PASSWORD=admin
|