Cybersecurity-Projects/PROJECTS/beginner/canary-token-generator/.env.example

117 lines
5.2 KiB
Plaintext

# =============================================================================
# ©AngelaMos | 2026
# .env.example
# =============================================================================
# Copy this file to .env and fill in values. .env is gitignored.
# Run `just init` to auto-generate POSTGRES_PASSWORD + OPERATOR_TOKEN if empty.
# =============================================================================
# ---------------------------------------------------------------------------
# Public-facing
# ---------------------------------------------------------------------------
APP_NAME=canary-token-generator
# Production nginx host port (compose.yml). Dev compose has its own default
# of 58495 in dev.compose.yml; do not override NGINX_HOST_PORT in shared .env.
NGINX_HOST_PORT=22784
# Used to construct trigger URLs embedded in artifacts (e.g. canary docs).
# Must be the externally-reachable URL of the deployed service.
PUBLIC_BASE_URL=https://canary.your.domain
# Frontend build-time vars (baked into the bundle by Vite)
VITE_APP_TITLE="Canary Token Generator"
VITE_API_URL=/api
# ---------------------------------------------------------------------------
# Reverse proxy / client IP (load-bearing for detection)
# ---------------------------------------------------------------------------
# Comma-separated CIDRs whose X-Forwarded-For header is trusted. RealIP only
# reads XFF when the immediate peer is in this list. Too narrow and every event
# logs the proxy's IP (GeoIP + dedup break); too wide and a client can spoof its
# source IP. Set it to the CIDR your reverse proxy connects from.
# Default: 127.0.0.1/32,::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
TRUSTED_PROXY_CIDRS=127.0.0.1/32,::1/128,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
# ---------------------------------------------------------------------------
# Cloudflare Turnstile (free anti-bot)
# ---------------------------------------------------------------------------
# Get keys from https://dash.cloudflare.com/?to=/:account/turnstile
# Leave blank to disable Turnstile in development.
TURNSTILE_SITE_KEY=
TURNSTILE_SECRET=
# Mirror of TURNSTILE_SITE_KEY for frontend (must be the same value)
VITE_TURNSTILE_SITE_KEY=
# ---------------------------------------------------------------------------
# Operator (you) — for /api/admin/* endpoints
# ---------------------------------------------------------------------------
# Auto-generated by scripts/init.sh if blank.
# Send as `Authorization: Bearer <token>` to access admin endpoints.
OPERATOR_TOKEN=
# ---------------------------------------------------------------------------
# Postgres
# ---------------------------------------------------------------------------
# Auto-generated by scripts/init.sh if blank.
POSTGRES_PASSWORD=
# Dev-only Postgres host port (preserves randomized assignment across projects)
POSTGRES_DEV_PORT=5447
# ---------------------------------------------------------------------------
# Redis (dev host port)
# ---------------------------------------------------------------------------
REDIS_DEV_PORT=6022
# ---------------------------------------------------------------------------
# GeoIP (optional — geolocation enrichment of triggered events)
# ---------------------------------------------------------------------------
# Register free at https://www.maxmind.com/en/geolite2/signup
# scripts/init.sh fetches GeoLite2-City.mmdb when both vars are set.
MAXMIND_ACCOUNT_ID=
MAXMIND_LICENSE_KEY=
# ---------------------------------------------------------------------------
# Webhooks (optional)
# ---------------------------------------------------------------------------
# When set, webhook payloads are signed with HMAC-SHA256 and an
# X-Canary-Signature header is added.
WEBHOOK_HMAC_SECRET=
# ---------------------------------------------------------------------------
# Fake MySQL TCP server (optional)
# ---------------------------------------------------------------------------
# Cloudflare Tunnel does not carry raw TCP — only enable when the canary
# container's port 3306 is reachable directly (e.g. on a VPS).
MYSQL_FAKE_ENABLED=false
MYSQL_HOST_PORT=33606
# ---------------------------------------------------------------------------
# Logging
# ---------------------------------------------------------------------------
LOG_LEVEL=info
LOG_FORMAT=json
# ---------------------------------------------------------------------------
# OpenTelemetry (optional — dev compose runs Jaeger)
# ---------------------------------------------------------------------------
OTEL_ENABLED=false
OTEL_EXPORTER_OTLP_ENDPOINT=
# Dev port overrides for jaeger (preserve randomized values)
JAEGER_UI_PORT=16686
JAEGER_OTLP_GRPC_PORT=4317
JAEGER_OTLP_HTTP_PORT=4318
# ---------------------------------------------------------------------------
# Frontend dev (vite host port)
# ---------------------------------------------------------------------------
FRONTEND_HOST_PORT=15723
# ---------------------------------------------------------------------------
# Cloudflare Tunnel (overlay)
# ---------------------------------------------------------------------------
# Required if using cloudflared.compose.yml; obtain from Cloudflare Zero Trust dashboard.
CLOUDFLARE_TUNNEL_TOKEN=