117 lines
5.2 KiB
Plaintext
117 lines
5.2 KiB
Plaintext
# =============================================================================
|
|
# ©AngelaMos | 2026
|
|
# .env.example
|
|
# =============================================================================
|
|
# Copy this file to .env and fill in values. .env is gitignored.
|
|
# Run `just init` to auto-generate POSTGRES_PASSWORD + OPERATOR_TOKEN if empty.
|
|
# =============================================================================
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Public-facing
|
|
# ---------------------------------------------------------------------------
|
|
APP_NAME=canary-token-generator
|
|
|
|
# Production nginx host port (compose.yml). Dev compose has its own default
|
|
# of 58495 in dev.compose.yml; do not override NGINX_HOST_PORT in shared .env.
|
|
NGINX_HOST_PORT=22784
|
|
|
|
# Used to construct trigger URLs embedded in artifacts (e.g. canary docs).
|
|
# Must be the externally-reachable URL of the deployed service.
|
|
PUBLIC_BASE_URL=https://canary.your.domain
|
|
|
|
# Frontend build-time vars (baked into the bundle by Vite)
|
|
VITE_APP_TITLE="Canary Token Generator"
|
|
VITE_API_URL=/api
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Reverse proxy / client IP (load-bearing for detection)
|
|
# ---------------------------------------------------------------------------
|
|
# Comma-separated CIDRs whose X-Forwarded-For header is trusted. RealIP only
|
|
# reads XFF when the immediate peer is in this list. Too narrow and every event
|
|
# logs the proxy's IP (GeoIP + dedup break); too wide and a client can spoof its
|
|
# source IP. Set it to the CIDR your reverse proxy connects from.
|
|
# Default: 127.0.0.1/32,::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
|
TRUSTED_PROXY_CIDRS=127.0.0.1/32,::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Cloudflare Turnstile (free anti-bot)
|
|
# ---------------------------------------------------------------------------
|
|
# Get keys from https://dash.cloudflare.com/?to=/:account/turnstile
|
|
# Leave blank to disable Turnstile in development.
|
|
TURNSTILE_SITE_KEY=
|
|
TURNSTILE_SECRET=
|
|
# Mirror of TURNSTILE_SITE_KEY for frontend (must be the same value)
|
|
VITE_TURNSTILE_SITE_KEY=
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Operator (you) — for /api/admin/* endpoints
|
|
# ---------------------------------------------------------------------------
|
|
# Auto-generated by scripts/init.sh if blank.
|
|
# Send as `Authorization: Bearer <token>` to access admin endpoints.
|
|
OPERATOR_TOKEN=
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Postgres
|
|
# ---------------------------------------------------------------------------
|
|
# Auto-generated by scripts/init.sh if blank.
|
|
POSTGRES_PASSWORD=
|
|
|
|
# Dev-only Postgres host port (preserves randomized assignment across projects)
|
|
POSTGRES_DEV_PORT=5447
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Redis (dev host port)
|
|
# ---------------------------------------------------------------------------
|
|
REDIS_DEV_PORT=6022
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# GeoIP (optional — geolocation enrichment of triggered events)
|
|
# ---------------------------------------------------------------------------
|
|
# Register free at https://www.maxmind.com/en/geolite2/signup
|
|
# scripts/init.sh fetches GeoLite2-City.mmdb when both vars are set.
|
|
MAXMIND_ACCOUNT_ID=
|
|
MAXMIND_LICENSE_KEY=
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Webhooks (optional)
|
|
# ---------------------------------------------------------------------------
|
|
# When set, webhook payloads are signed with HMAC-SHA256 and an
|
|
# X-Canary-Signature header is added.
|
|
WEBHOOK_HMAC_SECRET=
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Fake MySQL TCP server (optional)
|
|
# ---------------------------------------------------------------------------
|
|
# Cloudflare Tunnel does not carry raw TCP — only enable when the canary
|
|
# container's port 3306 is reachable directly (e.g. on a VPS).
|
|
MYSQL_FAKE_ENABLED=false
|
|
MYSQL_HOST_PORT=33606
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Logging
|
|
# ---------------------------------------------------------------------------
|
|
LOG_LEVEL=info
|
|
LOG_FORMAT=json
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# OpenTelemetry (optional — dev compose runs Jaeger)
|
|
# ---------------------------------------------------------------------------
|
|
OTEL_ENABLED=false
|
|
OTEL_EXPORTER_OTLP_ENDPOINT=
|
|
|
|
# Dev port overrides for jaeger (preserve randomized values)
|
|
JAEGER_UI_PORT=16686
|
|
JAEGER_OTLP_GRPC_PORT=4317
|
|
JAEGER_OTLP_HTTP_PORT=4318
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Frontend dev (vite host port)
|
|
# ---------------------------------------------------------------------------
|
|
FRONTEND_HOST_PORT=15723
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Cloudflare Tunnel (overlay)
|
|
# ---------------------------------------------------------------------------
|
|
# Required if using cloudflared.compose.yml; obtain from Cloudflare Zero Trust dashboard.
|
|
CLOUDFLARE_TUNNEL_TOKEN=
|