# ============================================================================= # InsForge Environment Configuration # ============================================================================= # Copy this file to .env and fill in your values: # cp .env.example .env # # Security Notes: # - Never commit .env to version control # - Use strong, unique secrets in production # - Rotate secrets regularly # ============================================================================= # ----------------------------------------------------------------------------- # Server Configuration # ----------------------------------------------------------------------------- PORT=7130 # Max body size for JSON payloads (default: 100mb) # High default ensures "out-of-the-box" reliability for large metadata/storage requests. # Users can decrease this for hardened security on low-resource environments. MAX_JSON_BODY_SIZE=100mb # Max body size for URL-encoded payloads (default: 10mb) MAX_URLENCODED_BODY_SIZE=10mb # ----------------------------------------------------------------------------- # PostgreSQL Configuration # ----------------------------------------------------------------------------- # These are optional - defaults are shown below # In production, use strong passwords and consider external database services POSTGRES_USER=postgres POSTGRES_PASSWORD=postgres POSTGRES_DB=insforge # ----------------------------------------------------------------------------- # Ports (Configurable) # ----------------------------------------------------------------------------- # PostgreSQL POSTGRES_PORT=5432 # PostgREST API POSTGREST_PORT=5430 # Main application ports APP_PORT=7130 AUTH_PORT=7131 UI_PORT=7132 # Deno serverless runtime DENO_PORT=7133 # API Base URLs - Update if running on different host/port API_BASE_URL=http://localhost:7130 VITE_API_BASE_URL=http://localhost:7130 # ----------------------------------------------------------------------------- # Authentication & Security # ----------------------------------------------------------------------------- # JWT_SECRET: Must be at least 32 characters. Use a secure random generator! # Example: openssl rand -base64 32 JWT_SECRET=your-secret-key-here-must-be-32-char-or-above # Root admin credentials - CHANGE THESE IN PRODUCTION! ROOT_ADMIN_USERNAME=admin ROOT_ADMIN_PASSWORD=change-this-password # Encryption key for secrets and database encryption # IMPORTANT: Set this to a separate 32+ character secret from JWT_SECRET. # If not set, JWT_SECRET is used as fallback — but rotating JWT_SECRET will # permanently corrupt all stored secrets (API keys, OAuth tokens, etc.). # Generate with: openssl rand -base64 32 ENCRYPTION_KEY= # API Key for authenticated requests # Must start with 'ik_' prefix and be at least 32 characters # Optional - will be auto-generated if not provided ACCESS_API_KEY=ik_your-api-key-here-32-chars-minimum # Anon Key for public client requests (safe to embed in frontends) # Must start with 'anon_' prefix # Optional - will be auto-generated if not provided ACCESS_ANON_KEY=anon_your-anon-key-here # Cloud API Host (Optional) # Only needed if using cloud features CLOUD_API_HOST=https://api.insforge.dev # ----------------------------------------------------------------------------- # Deployment Configuration (Optional) # ----------------------------------------------------------------------------- # Required for self-hosted site deployments and custom domains. # Legacy deployments also require AWS_S3_BUCKET to be configured. VERCEL_TOKEN= VERCEL_TEAM_ID= VERCEL_PROJECT_ID= # ----------------------------------------------------------------------------- # AWS Config Bucket Configuration (Optional) # ----------------------------------------------------------------------------- # Used for loading remote configuration files from S3 # If not provided, defaults will be used AWS_CONFIG_BUCKET=insforge-config AWS_CONFIG_REGION=us-east-2 # ----------------------------------------------------------------------------- # Storage Configuration # ----------------------------------------------------------------------------- # Storage options: # - Local filesystem: Leave AWS_S3_BUCKET empty (default) # - AWS S3: Set AWS_S3_BUCKET, AWS_REGION, and AWS credentials # - S3-compatible (Wasabi, MinIO, etc.): Set S3_* variables # # Local storage directory (default: ./insforge-storage relative to cwd) # In Docker this is set to /insforge-storage automatically via the Dockerfile. # PaaS deployments (Zeabur, Render, etc.) should set this to match the # persistent volume mount path. # STORAGE_DIR=./insforge-storage # # AWS credentials (used by CloudWatch logging and as fallback for storage) AWS_ACCESS_KEY_ID= AWS_REGION= AWS_S3_BUCKET= AWS_SECRET_ACCESS_KEY= # Max upload file size in bytes (default: 52428800 = 50MB) # Examples: 10485760 = 10MB, 104857600 = 100MB MAX_FILE_SIZE= # S3-compatible storage credentials (for Wasabi, MinIO, R2, etc.) # These take precedence over AWS_* variables if set S3_ACCESS_KEY_ID= S3_ENDPOINT_URL= S3_SECRET_ACCESS_KEY= # Path-style addressing (default true, required by MinIO). Set to false for # providers that require virtual-hosted-style (Tencent COS, Aliyun OSS). S3_FORCE_PATH_STYLE=true # CloudFront signed URLs (Optional, AWS S3 only) # When AWS_CLOUDFRONT_URL is set, storage downloads are served through # CloudFront with signed URLs instead of S3 presigned URLs. Ignored when # S3_ENDPOINT_URL is set (CloudFront does not front S3-compatible providers). # Setup: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html # # AWS_CLOUDFRONT_URL: CloudFront distribution domain (e.g. https://d1234abcd.cloudfront.net) # AWS_CLOUDFRONT_KEY_PAIR_ID: Trusted key group key-pair ID (e.g. K2JCJMDEHXQW5F) # AWS_CLOUDFRONT_PRIVATE_KEY: PEM private key. Use \n for newlines when kept on one line. # If URL is set but key pair or private key is missing, downloads fall back to S3 presigned URLs. AWS_CLOUDFRONT_URL= AWS_CLOUDFRONT_KEY_PAIR_ID= AWS_CLOUDFRONT_PRIVATE_KEY= # ----------------------------------------------------------------------------- # Logging Configuration # ----------------------------------------------------------------------------- # CloudWatch Logging: Set AWS_REGION + AWS credentials above # File-based Logging: Configure LOGS_DIR below (used when AWS credentials not provided) # Directory where log files will be stored (defaults to ./logs) LOGS_DIR= # ----------------------------------------------------------------------------- # Anonymous Telemetry # ----------------------------------------------------------------------------- # InsForge sends anonymous self-host usage events so maintainers can understand # active deployments, version adoption, and deployment success. It never sends # secrets, environment variables, logs, domains, file paths, project names, or # database contents. # # Disable all telemetry: # INSFORGE_TELEMETRY_DISABLED=1 # ----------------------------------------------------------------------------- # AI/LLM Configuration # ----------------------------------------------------------------------------- # OpenRouter API - Get your API key from https://openrouter.ai/keys # Used for AI-powered features and model gateway OPENROUTER_API_KEY= # Maximum output tokens per chat completion request (default: 16384). # Increase this for models with larger output windows (e.g. 32768 for 32K-output models). # Must be a positive integer. Invalid values are silently ignored and the default is used. MAX_COMPLETION_TOKENS=16384 # ----------------------------------------------------------------------------- # Stripe Payments Configuration (Optional) # ----------------------------------------------------------------------------- # Developer-owned Stripe secret keys. Test key is used for implementation and # validation. Live key is used only for explicit go-live flows. STRIPE_LIVE_SECRET_KEY= STRIPE_TEST_SECRET_KEY= # ----------------------------------------------------------------------------- # Razorpay Payments Configuration (Optional) # ----------------------------------------------------------------------------- # Developer-owned Razorpay keys. Test keys are used for implementation and # validation. Live keys are used only for explicit go-live flows. RAZORPAY_LIVE_KEY_ID= RAZORPAY_LIVE_KEY_SECRET= RAZORPAY_TEST_KEY_ID= RAZORPAY_TEST_KEY_SECRET= # ----------------------------------------------------------------------------- # Analytics Configuration # ----------------------------------------------------------------------------- # PostHog - Only needed for local development # Get your key from https://posthog.com/settings/project VITE_PUBLIC_POSTHOG_KEY= # ----------------------------------------------------------------------------- # OAuth Configuration (Optional) # ----------------------------------------------------------------------------- # Enable social login by configuring one or more providers below. # Each provider requires registering an application in their developer console. # # Google OAuth # Console: https://console.cloud.google.com/ # Redirect URI: http://localhost:7130/auth/google/callback GOOGLE_CLIENT_ID= GOOGLE_CLIENT_SECRET= # GitHub OAuth # Console: https://github.com/settings/developers # Redirect URI: http://localhost:7130/auth/github/callback GITHUB_CLIENT_ID= GITHUB_CLIENT_SECRET= # Microsoft OAuth (Azure AD) # Console: https://portal.azure.com/ # Redirect URI: http://localhost:7130/auth/microsoft/callback MICROSOFT_CLIENT_ID= MICROSOFT_CLIENT_SECRET= # Discord OAuth # Console: https://discord.com/developers/applications # Redirect URI: http://localhost:7130/auth/discord/callback DISCORD_CLIENT_ID= DISCORD_CLIENT_SECRET= # LinkedIn OAuth # Console: https://www.linkedin.com/developers/apps # Redirect URI: http://localhost:7130/auth/linkedin/callback LINKEDIN_CLIENT_ID= LINKEDIN_CLIENT_SECRET= # X (Twitter) OAuth # Console: https://developer.twitter.com/en/portal/dashboard # Redirect URI: http://localhost:7130/auth/x/callback X_CLIENT_ID= X_CLIENT_SECRET= # Apple OAuth (Sign in with Apple) # Console: https://developer.apple.com/account/resources/identifiers/list # APPLE_CLIENT_ID: Your Services ID (e.g., com.yourapp.service) # APPLE_CLIENT_SECRET: JSON string with teamId, keyId, and privateKey # Format: {"teamId":"XXX","keyId":"YYY","privateKey":"-----BEGIN PRIVATE KEY-----\n..."} # Redirect URI: http://localhost:7130/auth/apple/callback APPLE_CLIENT_ID= APPLE_CLIENT_SECRET= # ----------------------------------------------------------------------------- # Multi-tenant Cloud Configuration # ----------------------------------------------------------------------------- # These are only used for the cloud-hosted solution # Leave empty for self-hosted deployments DEPLOYMENT_ID= PROJECT_ID= APP_KEY= # ----------------------------------------------------------------------------- # Serverless Functions Configuration # ----------------------------------------------------------------------------- # Deno Deploy - For hosting serverless edge functions # Get your token from: https://dash.deno.com/account#access-tokens # Get your org ID from: https://dash.deno.com/ DENO_DEPLOY_TOKEN= DENO_DEPLOY_ORG_ID= # ─── Compute Services (Fly.io) ────────────────────────────────────────────── # Deploy Docker containers with persistent URLs. # Full setup + architecture: https://docs.insforge.dev/core-concepts/compute/architecture # # Setup — both FLY_API_TOKEN and FLY_ORG are required. FLY_ORG must be YOUR # Fly org slug; leaving it blank or as "insforge" will fail with an opaque # Fly auth error because that's our internal org. Compute auto-enables when # both are set. # 1. Create a Fly.io account: https://fly.io # 2. Find your org slug: fly orgs list # 3. Create an API token scoped to that org: fly tokens create org -o # 4. Set FLY_API_TOKEN= and FLY_ORG= # # Optional: Set COMPUTE_DOMAIN only if you own a wildcard domain pointed at # Fly (e.g. *.compute.yourdomain.com CNAME'd to fly.dev). Leave unset to use # Fly's own .fly.dev hostname, which works out of the box. FLY_API_TOKEN= FLY_ORG= COMPUTE_DOMAIN= # Cloud-mode compute (provisioned automatically when PROJECT_ID + CLOUD_API_HOST # are set by insforge-cloud). Self-host users with FLY_API_TOKEN always take # priority and do not need to set PROJECT_ID. # ============================================================================= # End of Configuration # ============================================================================= # After configuring this file: # 1. Run: docker compose up -d # 2. Check logs: docker compose logs -f # 3. Access the dashboard at: http://localhost:7131 # # For more information, visit: https://insforge.dev/docs # =============================================================================