316 lines
13 KiB
Bash
316 lines
13 KiB
Bash
# =============================================================================
|
|
# InsForge Environment Configuration
|
|
# =============================================================================
|
|
# Copy this file to .env and fill in your values:
|
|
# cp .env.example .env
|
|
#
|
|
# Security Notes:
|
|
# - Never commit .env to version control
|
|
# - Use strong, unique secrets in production
|
|
# - Rotate secrets regularly
|
|
# =============================================================================
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Server Configuration
|
|
# -----------------------------------------------------------------------------
|
|
PORT=7130
|
|
|
|
# Max body size for JSON payloads (default: 100mb)
|
|
# High default ensures "out-of-the-box" reliability for large metadata/storage requests.
|
|
# Users can decrease this for hardened security on low-resource environments.
|
|
MAX_JSON_BODY_SIZE=100mb
|
|
|
|
# Max body size for URL-encoded payloads (default: 10mb)
|
|
MAX_URLENCODED_BODY_SIZE=10mb
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# PostgreSQL Configuration
|
|
# -----------------------------------------------------------------------------
|
|
# These are optional - defaults are shown below
|
|
# In production, use strong passwords and consider external database services
|
|
POSTGRES_USER=postgres
|
|
POSTGRES_PASSWORD=postgres
|
|
POSTGRES_DB=insforge
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Ports (Configurable)
|
|
# -----------------------------------------------------------------------------
|
|
|
|
# PostgreSQL
|
|
POSTGRES_PORT=5432
|
|
|
|
# PostgREST API
|
|
POSTGREST_PORT=5430
|
|
|
|
# Main application ports
|
|
APP_PORT=7130
|
|
AUTH_PORT=7131
|
|
UI_PORT=7132
|
|
|
|
# Deno serverless runtime
|
|
DENO_PORT=7133
|
|
|
|
# API Base URLs - Update if running on different host/port
|
|
API_BASE_URL=http://localhost:7130
|
|
VITE_API_BASE_URL=http://localhost:7130
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Authentication & Security
|
|
# -----------------------------------------------------------------------------
|
|
# JWT_SECRET: Must be at least 32 characters. Use a secure random generator!
|
|
# Example: openssl rand -base64 32
|
|
JWT_SECRET=your-secret-key-here-must-be-32-char-or-above
|
|
|
|
# Root admin credentials - CHANGE THESE IN PRODUCTION!
|
|
ROOT_ADMIN_USERNAME=admin
|
|
ROOT_ADMIN_PASSWORD=change-this-password
|
|
|
|
# Encryption key for secrets and database encryption
|
|
# IMPORTANT: Set this to a separate 32+ character secret from JWT_SECRET.
|
|
# If not set, JWT_SECRET is used as fallback — but rotating JWT_SECRET will
|
|
# permanently corrupt all stored secrets (API keys, OAuth tokens, etc.).
|
|
# Generate with: openssl rand -base64 32
|
|
ENCRYPTION_KEY=
|
|
|
|
# API Key for authenticated requests
|
|
# Must start with 'ik_' prefix and be at least 32 characters
|
|
# Optional - will be auto-generated if not provided
|
|
ACCESS_API_KEY=ik_your-api-key-here-32-chars-minimum
|
|
|
|
# Anon Key for public client requests (safe to embed in frontends)
|
|
# Must start with 'anon_' prefix
|
|
# Optional - will be auto-generated if not provided
|
|
ACCESS_ANON_KEY=anon_your-anon-key-here
|
|
|
|
# Cloud API Host (Optional)
|
|
# Only needed if using cloud features
|
|
CLOUD_API_HOST=https://api.insforge.dev
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Deployment Configuration (Optional)
|
|
# -----------------------------------------------------------------------------
|
|
# Required for self-hosted site deployments and custom domains.
|
|
# Legacy deployments also require AWS_S3_BUCKET to be configured.
|
|
VERCEL_TOKEN=
|
|
VERCEL_TEAM_ID=
|
|
VERCEL_PROJECT_ID=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# AWS Config Bucket Configuration (Optional)
|
|
# -----------------------------------------------------------------------------
|
|
# Used for loading remote configuration files from S3
|
|
# If not provided, defaults will be used
|
|
AWS_CONFIG_BUCKET=insforge-config
|
|
AWS_CONFIG_REGION=us-east-2
|
|
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Storage Configuration
|
|
# -----------------------------------------------------------------------------
|
|
# Storage options:
|
|
# - Local filesystem: Leave AWS_S3_BUCKET empty (default)
|
|
# - AWS S3: Set AWS_S3_BUCKET, AWS_REGION, and AWS credentials
|
|
# - S3-compatible (Wasabi, MinIO, etc.): Set S3_* variables
|
|
#
|
|
# Local storage directory (default: ./insforge-storage relative to cwd)
|
|
# In Docker this is set to /insforge-storage automatically via the Dockerfile.
|
|
# PaaS deployments (Zeabur, Render, etc.) should set this to match the
|
|
# persistent volume mount path.
|
|
# STORAGE_DIR=./insforge-storage
|
|
#
|
|
# AWS credentials (used by CloudWatch logging and as fallback for storage)
|
|
AWS_ACCESS_KEY_ID=
|
|
AWS_REGION=
|
|
AWS_S3_BUCKET=
|
|
AWS_SECRET_ACCESS_KEY=
|
|
|
|
# Max upload file size in bytes (default: 52428800 = 50MB)
|
|
# Examples: 10485760 = 10MB, 104857600 = 100MB
|
|
MAX_FILE_SIZE=
|
|
|
|
# S3-compatible storage credentials (for Wasabi, MinIO, R2, etc.)
|
|
# These take precedence over AWS_* variables if set
|
|
S3_ACCESS_KEY_ID=
|
|
S3_ENDPOINT_URL=
|
|
S3_SECRET_ACCESS_KEY=
|
|
# Path-style addressing (default true, required by MinIO). Set to false for
|
|
# providers that require virtual-hosted-style (Tencent COS, Aliyun OSS).
|
|
S3_FORCE_PATH_STYLE=true
|
|
|
|
# CloudFront signed URLs (Optional, AWS S3 only)
|
|
# When AWS_CLOUDFRONT_URL is set, storage downloads are served through
|
|
# CloudFront with signed URLs instead of S3 presigned URLs. Ignored when
|
|
# S3_ENDPOINT_URL is set (CloudFront does not front S3-compatible providers).
|
|
# Setup: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html
|
|
#
|
|
# AWS_CLOUDFRONT_URL: CloudFront distribution domain (e.g. https://d1234abcd.cloudfront.net)
|
|
# AWS_CLOUDFRONT_KEY_PAIR_ID: Trusted key group key-pair ID (e.g. K2JCJMDEHXQW5F)
|
|
# AWS_CLOUDFRONT_PRIVATE_KEY: PEM private key. Use \n for newlines when kept on one line.
|
|
# If URL is set but key pair or private key is missing, downloads fall back to S3 presigned URLs.
|
|
AWS_CLOUDFRONT_URL=
|
|
AWS_CLOUDFRONT_KEY_PAIR_ID=
|
|
AWS_CLOUDFRONT_PRIVATE_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Logging Configuration
|
|
# -----------------------------------------------------------------------------
|
|
# CloudWatch Logging: Set AWS_REGION + AWS credentials above
|
|
# File-based Logging: Configure LOGS_DIR below (used when AWS credentials not provided)
|
|
# Directory where log files will be stored (defaults to ./logs)
|
|
LOGS_DIR=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Anonymous Telemetry
|
|
# -----------------------------------------------------------------------------
|
|
# InsForge sends anonymous self-host usage events so maintainers can understand
|
|
# active deployments, version adoption, and deployment success. It never sends
|
|
# secrets, environment variables, logs, domains, file paths, project names, or
|
|
# database contents.
|
|
#
|
|
# Disable all telemetry:
|
|
# INSFORGE_TELEMETRY_DISABLED=1
|
|
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# AI/LLM Configuration
|
|
# -----------------------------------------------------------------------------
|
|
# OpenRouter API - Get your API key from https://openrouter.ai/keys
|
|
# Used for AI-powered features and model gateway
|
|
OPENROUTER_API_KEY=
|
|
|
|
# Maximum output tokens per chat completion request (default: 16384).
|
|
# Increase this for models with larger output windows (e.g. 32768 for 32K-output models).
|
|
# Must be a positive integer. Invalid values are silently ignored and the default is used.
|
|
MAX_COMPLETION_TOKENS=16384
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Stripe Payments Configuration (Optional)
|
|
# -----------------------------------------------------------------------------
|
|
# Developer-owned Stripe secret keys. Test key is used for implementation and
|
|
# validation. Live key is used only for explicit go-live flows.
|
|
STRIPE_LIVE_SECRET_KEY=
|
|
STRIPE_TEST_SECRET_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Razorpay Payments Configuration (Optional)
|
|
# -----------------------------------------------------------------------------
|
|
# Developer-owned Razorpay keys. Test keys are used for implementation and
|
|
# validation. Live keys are used only for explicit go-live flows.
|
|
RAZORPAY_LIVE_KEY_ID=
|
|
RAZORPAY_LIVE_KEY_SECRET=
|
|
RAZORPAY_TEST_KEY_ID=
|
|
RAZORPAY_TEST_KEY_SECRET=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Analytics Configuration
|
|
# -----------------------------------------------------------------------------
|
|
# PostHog - Only needed for local development
|
|
# Get your key from https://posthog.com/settings/project
|
|
VITE_PUBLIC_POSTHOG_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# OAuth Configuration (Optional)
|
|
# -----------------------------------------------------------------------------
|
|
# Enable social login by configuring one or more providers below.
|
|
# Each provider requires registering an application in their developer console.
|
|
#
|
|
# Google OAuth
|
|
# Console: https://console.cloud.google.com/
|
|
# Redirect URI: http://localhost:7130/auth/google/callback
|
|
GOOGLE_CLIENT_ID=
|
|
GOOGLE_CLIENT_SECRET=
|
|
|
|
# GitHub OAuth
|
|
# Console: https://github.com/settings/developers
|
|
# Redirect URI: http://localhost:7130/auth/github/callback
|
|
GITHUB_CLIENT_ID=
|
|
GITHUB_CLIENT_SECRET=
|
|
|
|
# Microsoft OAuth (Azure AD)
|
|
# Console: https://portal.azure.com/
|
|
# Redirect URI: http://localhost:7130/auth/microsoft/callback
|
|
MICROSOFT_CLIENT_ID=
|
|
MICROSOFT_CLIENT_SECRET=
|
|
|
|
# Discord OAuth
|
|
# Console: https://discord.com/developers/applications
|
|
# Redirect URI: http://localhost:7130/auth/discord/callback
|
|
DISCORD_CLIENT_ID=
|
|
DISCORD_CLIENT_SECRET=
|
|
|
|
# LinkedIn OAuth
|
|
# Console: https://www.linkedin.com/developers/apps
|
|
# Redirect URI: http://localhost:7130/auth/linkedin/callback
|
|
LINKEDIN_CLIENT_ID=
|
|
LINKEDIN_CLIENT_SECRET=
|
|
|
|
# X (Twitter) OAuth
|
|
# Console: https://developer.twitter.com/en/portal/dashboard
|
|
# Redirect URI: http://localhost:7130/auth/x/callback
|
|
X_CLIENT_ID=
|
|
X_CLIENT_SECRET=
|
|
|
|
# Apple OAuth (Sign in with Apple)
|
|
# Console: https://developer.apple.com/account/resources/identifiers/list
|
|
# APPLE_CLIENT_ID: Your Services ID (e.g., com.yourapp.service)
|
|
# APPLE_CLIENT_SECRET: JSON string with teamId, keyId, and privateKey
|
|
# Format: {"teamId":"XXX","keyId":"YYY","privateKey":"-----BEGIN PRIVATE KEY-----\n..."}
|
|
# Redirect URI: http://localhost:7130/auth/apple/callback
|
|
APPLE_CLIENT_ID=
|
|
APPLE_CLIENT_SECRET=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Multi-tenant Cloud Configuration
|
|
# -----------------------------------------------------------------------------
|
|
# These are only used for the cloud-hosted solution
|
|
# Leave empty for self-hosted deployments
|
|
DEPLOYMENT_ID=
|
|
PROJECT_ID=
|
|
APP_KEY=
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Serverless Functions Configuration
|
|
# -----------------------------------------------------------------------------
|
|
# Deno Deploy - For hosting serverless edge functions
|
|
# Get your token from: https://dash.deno.com/account#access-tokens
|
|
# Get your org ID from: https://dash.deno.com/
|
|
DENO_DEPLOY_TOKEN=
|
|
DENO_DEPLOY_ORG_ID=
|
|
|
|
# ─── Compute Services (Fly.io) ──────────────────────────────────────────────
|
|
# Deploy Docker containers with persistent URLs.
|
|
# Full setup + architecture: https://docs.insforge.dev/core-concepts/compute/architecture
|
|
#
|
|
# Setup — both FLY_API_TOKEN and FLY_ORG are required. FLY_ORG must be YOUR
|
|
# Fly org slug; leaving it blank or as "insforge" will fail with an opaque
|
|
# Fly auth error because that's our internal org. Compute auto-enables when
|
|
# both are set.
|
|
# 1. Create a Fly.io account: https://fly.io
|
|
# 2. Find your org slug: fly orgs list
|
|
# 3. Create an API token scoped to that org: fly tokens create org -o <your-org>
|
|
# 4. Set FLY_API_TOKEN=<token> and FLY_ORG=<your-org>
|
|
#
|
|
# Optional: Set COMPUTE_DOMAIN only if you own a wildcard domain pointed at
|
|
# Fly (e.g. *.compute.yourdomain.com CNAME'd to fly.dev). Leave unset to use
|
|
# Fly's own .fly.dev hostname, which works out of the box.
|
|
|
|
FLY_API_TOKEN=
|
|
FLY_ORG=
|
|
COMPUTE_DOMAIN=
|
|
|
|
# Cloud-mode compute (provisioned automatically when PROJECT_ID + CLOUD_API_HOST
|
|
# are set by insforge-cloud). Self-host users with FLY_API_TOKEN always take
|
|
# priority and do not need to set PROJECT_ID.
|
|
|
|
# =============================================================================
|
|
# End of Configuration
|
|
# =============================================================================
|
|
# After configuring this file:
|
|
# 1. Run: docker compose up -d
|
|
# 2. Check logs: docker compose logs -f
|
|
# 3. Access the dashboard at: http://localhost:7131
|
|
#
|
|
# For more information, visit: https://insforge.dev/docs
|
|
# =============================================================================
|