-
Notifications
You must be signed in to change notification settings - Fork 1
/
.env
128 lines (104 loc) · 8.01 KB
/
.env
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
# The DB URL is mandatory and has no default. Format: postgresql://username:password@host:port/database'
# Note: The 'DATABASE_URL' is only used during development to connect to a local test db and use the
# sqlx CLI tool as well as for pre-compile query! macro checking.
# The app itself will use the DB_* values are used to allow password with special characters too.
#DATABASE_URL=postgresql://nioca:123SuperSafe@localhost:5432/nioca
# Production values for the DB connection
DB_HOST=localhost
# default: 5432
DB_PORT=5432
DB_USER=nioca
DB_PASSWORD=123SuperSafe
# default: error
DATABASE_LOG_LEVEL=error
# Max DB connections (default: 10)
DATABASE_MAX_CONN=10
# log level (default: info)
LOG_LEVEL=debug
# The public url for Nioca
PUB_URL=localhost
# The full public url without the scheme for directly accessing an instance in a HA deployment.
# Unsealing behind a loadbalancer currently needs this or unsealing can only be done with the CLI locally.
# If you set this variable, it must not be loadbalanced to other instances!
#
# IMPORTANT: Do only set this variable, if the instance can be access directly with it!
#
# NOTE: Only if this variable is set, the automatic unsealing of restarting or HA modes will be done. If not, you
# have to manually unseal every other HA node.
# The certificate for this node and url MUST BE VALID.
DIRECT_ACCESS_PUB_URL=192.168.14.50:8443
# Will spawn a second web server with automatic redirect to https based on these ports (default: 8080)
PORT_HTTP=8080
# default: 443
PORT_HTTPS=443
# This is the public https port. Needed if the service is running behind a reverse proxy (default: 443)
PORT_HTTPS_PUB=443
#############################
######## Dev Mode ###########
#############################
# Set to true for local dev. This will always start an http server, which is strictly forbidden in prod.
DEV_MODE=true
# If nioca should auto-unseal (default: false)
# CAUTION: NEVER USE THIS OPTION IN PRODUCTION
AUTO_UNSEAL=true
# The values for auto unsealing in DEV_MODE
# These will be printed into the log output when doing automatic unsealing with DEV_MODE == true
AUTO_UNSEAL_SHARD_1=8TZvKACB0uhY2l3RX0FdDpMG0peSba947a2cr1lsLtwvfnDd
AUTO_UNSEAL_SHARD_2=8bNDTBj6NVCzw8qnMey3DP5vwK2EPNZNz5FevsPqPCX8acJL
AUTO_UNSEAL_ENC_UUID=7aa5066e-39d2-4de7-aeb0-e7a411afa5d9
AUTO_UNSEAL_ENC_VALUE=58183998d3ac08a0296cbc5a2ccc30efe285f7fbfbb21fb087075d68b305d7e8
#############################
######## Unsealing ##########
#############################
# CAUTION: NEVER USE THESE KEYS IN PRODUCTION
# Generate your own safe values! These are only used during local development!
# The unseal certificate chain as b64 encoded PEM
UNSEAL_CERT_B64="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNGekNDQVoyZ0F3SUJBZ0lCQVRBS0JnZ3Foa2pPUFFRREF6QXVNUnN3R1FZRFZRUUREQkpPYVc5allTQkoKYm5SbGNtMWxaR2xoZEdVeER6QU5CZ05WQkFvTUJrMTVJRTl5WnpBZUZ3MHlNekE0TWpNeE5UUTJNak5hRncweQpOREE1TURFeE5UVTJNak5hTUNFeERqQU1CZ05WQkFNTUJVNXBiMk5oTVE4d0RRWURWUVFLREFaTmVTQlBjbWN3CmRqQVFCZ2NxaGtqT1BRSUJCZ1VyZ1FRQUlnTmlBQVNicGVUOHNWZW5QSEJ1N09GSm1jc0haOVNNZVNmUDU4Q0wKcHBTVzA0Y1BGS2FMaXArNldCaU9EejBJR3BFNzhVREdqVkNQajJmaUZ3bGgwSCtXdTdDdTlheDUyYS9TdDZYMAplQ1haTHU2T3lybVJPSjJoVjZRTlByamxkNDRVMDZDamdac3dnWmd3SHdZRFZSMGpCQmd3Rm9BVVN2bUJoKzF1CkdIOVNpeGFtWnk4TGMzUkRJdmN3SUFZRFZSMFJCQmt3RjRjRWZ3QUFBWWNFd0tnT01vSUpiRzlqWVd4b2IzTjAKTUE0R0ExVWREd0VCL3dRRUF3SUhnREFUQmdOVkhTVUVEREFLQmdnckJnRUZCUWNEQVRBZEJnTlZIUTRFRmdRVQo2RkhoMlFHSlBLR2JsdGV6NE84ZXE0NWFjWFF3RHdZRFZSMFRBUUgvQkFVd0F3RUJBREFLQmdncWhrak9QUVFECkF3Tm9BREJsQWpFQXZ2Yk1RVnFKWGZGejhyTVAvcHdCRUpDNmJheGpuMzUvVTN3aWplYmNncEFVbnkwbFFNU0YKcUNjYms4L21wTXkzQWpBaWZDZnJyVVVxbGJWaVRTSlVlanBScEZMaUpldlliZDdhZ0dGaHVMOWNtakowa0srQQpqT1hMcFpBU3ZkWGxPakk9Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUIrVENDQVgrZ0F3SUJBZ0lVU3ZtQmgrMXVHSDlTaXhhbVp5OExjM1JESXZjd0NnWUlLb1pJemowRUF3TXcKSmpFVE1CRUdBMVVFQXd3S1RtbHZZMkVnVW05dmRERVBNQTBHQTFVRUNnd0dUWGtnVDNKbk1CNFhEVEl6TURVegpNREE1TVRReE1Wb1hEVE16TURneU1ERTFOVFl4TVZvd0xqRWJNQmtHQTFVRUF3d1NUbWx2WTJFZ1NXNTBaWEp0ClpXUnBZWFJsTVE4d0RRWURWUVFLREFaTmVTQlBjbWN3ZGpBUUJnY3Foa2pPUFFJQkJnVXJnUVFBSWdOaUFBU3IKbnNjTXB4M1JwMVZjSDJvOHNyYmlNWDRSNEsyUEJTRlBJdHFUcng2YmVOUk9XTHM5VDkzeEZHUUFwMWJZQTQ4SgplckQ5cm1OeEZ3TGh4TGQxQm41eHRRcXpVQ2VYamYvYUNnbmx2eVZtMDduMUVqOWZGYWRlMlZ5cS84ZXNiaXFqClpqQmtNQjhHQTFVZEl3UVlNQmFBRkJ4Q0I5RmFPRlBIRnhzOTNUQzFMeVB0RmQrME1BNEdBMVVkRHdFQi93UUUKQXdJQmhqQWRCZ05WSFE0RUZnUVVTdm1CaCsxdUdIOVNpeGFtWnk4TGMzUkRJdmN3RWdZRFZSMFRBUUgvQkFndwpCZ0VCL3dJQkFEQUtCZ2dxaGtqT1BRUURBd05vQURCbEFqQm5seDc1ZGtUbE5KOXBmWmVkYThsbTJ0dU0zcGxVCk5PZ05OQlJsK3dlWjl4ajIrc2NPSmZHZFNEdm1RaHFaV1c0Q01RQ01EVlBmOFRyL0dGQ0FLS2ttQWJqcFN4ejEKOTczT0dzeVpFWE0rK2tHQWNwLzQyRzd3TGZFMnd3U2tqYWRRTkdnPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpNSUlCOFRDQ0FYYWdBd0lCQWdJVUhFSUgwVm80VThjWEd6M2RNTFV2SSswVjM3UXdDZ1lJS29aSXpqMEVBd013CkpqRVRNQkVHQTFVRUF3d0tUbWx2WTJFZ1VtOXZkREVQTUEwR0ExVUVDZ3dHVFhrZ1QzSm5NQ0FYRFRJeU1EWXcKTmpFNU5UZzBOVm9ZRHpJd05UTXdPREUxTVRVMU5UUTFXakFtTVJNd0VRWURWUVFEREFwT2FXOWpZU0JTYjI5MApNUTh3RFFZRFZRUUtEQVpOZVNCUGNtY3dkakFRQmdjcWhrak9QUUlCQmdVcmdRUUFJZ05pQUFSTUZ3cVprVG1ZCjJYZUtSSm5iK3FkS1Z6WWtYa3ovZjRnZFF4dmRnZkRDanlPTjJqN3hwU2ttZTNnL09ZeGhtTjFwbnRJY2JmUWIKenJZNHdLNUl6SFV6M2x5SEppZkE2L0RWa3dwdGFBa0x2UEhRVko1NytCaHRVM0pTaERVeEI1MmpZekJoTUI4RwpBMVVkSXdRWU1CYUFGQnhDQjlGYU9GUEhGeHM5M1RDMUx5UHRGZCswTUE0R0ExVWREd0VCL3dRRUF3SUJoakFkCkJnTlZIUTRFRmdRVUhFSUgwVm80VThjWEd6M2RNTFV2SSswVjM3UXdEd1lEVlIwVEFRSC9CQVV3QXdFQi96QUsKQmdncWhrak9QUVFEQXdOcEFEQm1BakVBZ0x5dXE2SGE1NmJUdzBYMko3ODNhalFDa1Z5dTJ3NUlYQnVPNk9vaApkeFdmUDhRQ0N3UzBUZFFkc0JrMGM1QmVBakVBdUE3ekViZXViMVpKSVRZQm9nMFhmb3pUbG5iSWlEcEFndEFhCnR5TzVjcDBVSld4RXB1NGdhZ1JUTDYyRldXVVcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo="
# The unseal Key as b64 encoded PEM
UNSEAL_KEY_B64="LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JRzJBZ0VBTUJBR0J5cUdTTTQ5QWdFR0JTdUJCQUFpQklHZU1JR2JBZ0VCQkRBaVdxNWFKb1FRTHRZS3VCUGoKc3BrdU5McHhQMEthNHhheW02b0oySTl6Y2dsbkxncVg4ZFllOEpZQXp5K1lXQ09oWkFOaUFBU2JwZVQ4c1ZlbgpQSEJ1N09GSm1jc0haOVNNZVNmUDU4Q0xwcFNXMDRjUEZLYUxpcCs2V0JpT0R6MElHcEU3OFVER2pWQ1BqMmZpCkZ3bGgwSCtXdTdDdTlheDUyYS9TdDZYMGVDWFpMdTZPeXJtUk9KMmhWNlFOUHJqbGQ0NFUwNkE9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K"
# The timeout in seconds between adding / trying master key shards for the unsealing operation.
# default: 10
UNSEAL_RATE_LIMIT=10
# Needed for the very first setup. Does not need to be extremely secure. It only exists to prevent someone else from
# initializing with "just being faster than you". This value can be fully removed again once the first initialization
# has been done.
INIT_KEY=SuperSecret1337
#############################
#### Nioca Server Cert ######
#############################
# If nioca should generate its own server certificate after unsealing.
# Currently, an external source is not yet support - will always be true.
NIOCA_CERT_GENERATE=true
# These are the values for the server certificate that Nioca generates for itself after unsealing.
# The server will panic directly after unsealing, if any of these values are incorrect and would not generate a
# valid certificate.
NIOCA_CERT_CN=localhost
NIOCA_CERT_C=DE
NIOCA_CERT_L=Dusseldorf
NIOCA_CERT_OU="My Org Section"
NIOCA_CERT_O="My Org"
NIOCA_CERT_ST=NRW
NIOCA_CERT_ALT_NAMES_DNS="localhost, nioca.exmpale.com"
NIOCA_CERT_ALT_NAMES_IP="127.0.0.1, 192.168.14.50, 192.168.14.20"
#############################
##### Password Hashing #####
#############################
# Note: M_COST should never be below 32768 in production
# default: 262144
ARGON2_M_COST=32768
#ARGON2_M_COST=262144
# default: 3
ARGON2_T_COST=3
# default: number of available cpus
ARGON2_P_COST=2
# The time in ms when to log a warning, if a request waited longer than this time.
# This is an indicator, that you have more concurrent logins than allowed and may need config adjustments,
# if this happens more often. (default: 2000)
HASH_AWAIT_WARN_TIME=2000
#############################
## Schedulers / Cron Jobs ##
#############################
# Cron job for automatic remote unsealing of HA nodes. Value given in seconds.
# If this value it not set, auto unsealing will be disabled.
INTERVAL_AUTO_UNSEAL=60
# sec min hour day_of_month month day_of_week year