198 lines
10 KiB
Bash
198 lines
10 KiB
Bash
# Copy to .env and edit. docker-compose reads .env automatically.
|
|
|
|
# ── Postgres ─────────────────────────────────────────────
|
|
# Required. The omnigent container connects via the docker network
|
|
# as host=postgres, so this password is internal-only — but still set
|
|
# something non-trivial. Run `./bootstrap.sh` to auto-generate, or
|
|
# replace the placeholder manually.
|
|
POSTGRES_PASSWORD=change-me-please
|
|
|
|
# Optional — defaults below match the compose file.
|
|
# POSTGRES_USER=omnigent
|
|
# POSTGRES_DB=omnigent
|
|
|
|
# ── Server ───────────────────────────────────────────────
|
|
# Host port the omnigent container is published on. Default 8000.
|
|
# OMNIGENT_PORT=8000
|
|
|
|
# ── Image ────────────────────────────────────────────────
|
|
# The compose stack pulls a pre-built image from GHCR (built by CI on
|
|
# every main-branch merge). Default: ghcr.io/omnigent-ai/omnigent-server.
|
|
#
|
|
# While the GHCR package is private, authenticate the pull first:
|
|
# echo $GHCR_TOKEN | docker login ghcr.io -u <user> --password-stdin
|
|
# (token needs read:packages). Once the package is public, no login needed.
|
|
#
|
|
# Pin to a specific commit's image (`sha-abc1234`) for reproducible
|
|
# deploys, or leave as `latest` for rolling.
|
|
# OMNIGENT_IMAGE=ghcr.io/omnigent-ai/omnigent-server
|
|
# OMNIGENT_IMAGE_TAG=latest
|
|
|
|
# ── Auth ─────────────────────────────────────────────────
|
|
# Default deploy is single-user, no auth, identity = "local".
|
|
# Leave everything below as-is unless you're standing up a shared
|
|
# instance.
|
|
#
|
|
# A) Built-in accounts (DEFAULT — no env needed for laptop testing).
|
|
# First boot auto-creates an admin user (named after the OS
|
|
# user, falling back to "admin"), prints the password to
|
|
# `docker compose logs omnigent`, and saves it to
|
|
# /data/admin-credentials on the persistent volume. Admin
|
|
# invites teammates via the web UI Members page.
|
|
# For any deploy behind a public domain you MUST set
|
|
# OMNIGENT_ACCOUNTS_BASE_URL — see below.
|
|
#
|
|
# B) Native OIDC (for shops with an existing IdP).
|
|
# Set the OMNIGENT_OIDC_* vars below (at minimum
|
|
# OMNIGENT_OIDC_ISSUER) — with auth enabled, the presence of
|
|
# an issuer switches mode B on automatically, no separate
|
|
# provider flag needed. The server handles login itself
|
|
# (/auth/login, /auth/callback, /auth/logout) with a signed
|
|
# session cookie.
|
|
#
|
|
# C) Header proxy (for deploys behind oauth2-proxy, AWS ALB
|
|
# OIDC, Cloudflare Access, Databricks Apps, Tailscale Funnel,
|
|
# etc.). Set OMNIGENT_AUTH_PROVIDER=header. The proxy is
|
|
# responsible for injecting the identity header on every request
|
|
# and stripping any inbound copy from the client. The header is
|
|
# X-Forwarded-Email by default; set OMNIGENT_AUTH_HEADER for
|
|
# proxies that use another name, e.g.
|
|
# Cf-Access-Authenticated-User-Email for Cloudflare Access.
|
|
# For proxies that namespace the value (Google IAP forwards
|
|
# X-Goog-Authenticated-User-Email as accounts.google.com:<email>)
|
|
# set OMNIGENT_AUTH_HEADER_STRIP_PREFIX=accounts.google.com: to
|
|
# recover the bare email.
|
|
#
|
|
# OMNIGENT_AUTH_ENABLED is the master switch (defaults to 1 in
|
|
# docker-compose.yaml). Set it to 0 to disable auth entirely (header
|
|
# mode, single "local" user). OMNIGENT_AUTH_PROVIDER is the explicit
|
|
# escape hatch — set it to accounts/oidc/header to force a mode and
|
|
# bypass the issuer-based auto-selection above.
|
|
# OMNIGENT_AUTH_PROVIDER=accounts # uncomment to force a specific mode
|
|
|
|
# ── Accounts (active when auth is on and no OIDC issuer is set) ───
|
|
# 32-byte hex cookie secret. `./bootstrap.sh` mints this on
|
|
# first run; or generate manually with `openssl rand -hex 32`.
|
|
# OMNIGENT_ACCOUNTS_COOKIE_SECRET=<64-hex-chars>
|
|
#
|
|
# Public base URL where users reach the server. Used to build
|
|
# magic-redeem URLs and to decide whether session cookies use
|
|
# the secure __Host- prefix. MUST be the URL the browser sees
|
|
# (i.e. behind your Caddy / ALB / Cloudflare), not the
|
|
# omnigent:8000 container address.
|
|
# OMNIGENT_ACCOUNTS_BASE_URL=https://omnigent.example.com
|
|
#
|
|
# Optional: pre-seed the initial admin password instead of the
|
|
# auto-generated one. Useful for headless / CI deploys where
|
|
# the operator can't read `docker compose logs`.
|
|
# OMNIGENT_ACCOUNTS_INIT_ADMIN_PASSWORD=
|
|
#
|
|
# Optional: session/invite/magic TTLs. Defaults shown.
|
|
# OMNIGENT_ACCOUNTS_SESSION_TTL_HOURS=8
|
|
# OMNIGENT_ACCOUNTS_INVITE_TTL_HOURS=72
|
|
# OMNIGENT_ACCOUNTS_MAGIC_TTL_MINUTES=10
|
|
#
|
|
# Optional: skip the auto-open-browser step on first boot.
|
|
# Default is to open; set to 0 for headless / SSH deploys.
|
|
# Inside Docker the browser open is always a no-op since the
|
|
# server has no display, but the value also disables the
|
|
# stderr "open this URL" announcement when 0.
|
|
# OMNIGENT_ACCOUNTS_AUTO_OPEN=1
|
|
|
|
# ── OIDC (active when auth is on and OMNIGENT_OIDC_ISSUER is set) ──
|
|
# 32-byte random cookie secret in hex. `./bootstrap.sh` mints this
|
|
# for you on first run; or generate manually with `openssl rand -hex 32`.
|
|
# OMNIGENT_OIDC_COOKIE_SECRET=<64-hex-chars>
|
|
#
|
|
# Redirect URI: you do NOT set OMNIGENT_OIDC_REDIRECT_URI directly — set
|
|
# OMNIGENT_DOMAIN (which the Caddy HTTPS overlay also uses) and the server
|
|
# derives https://<OMNIGENT_DOMAIN>/auth/callback. Register that exact URL
|
|
# as the callback in your IdP app. (Raw-IP/no-domain deploys: add an
|
|
# OMNIGENT_OIDC_REDIRECT_URI passthrough line to docker-compose.yaml — the
|
|
# domain stack is the supported path.)
|
|
|
|
# ── Example: GitHub OAuth ────────────────────────────────
|
|
# 1. Register an OAuth app at https://github.com/settings/developers
|
|
# - Authorization callback URL: https://<OMNIGENT_DOMAIN>/auth/callback
|
|
# 2. Copy the client id + secret here. Setting the issuer (with auth
|
|
# enabled) is what selects OIDC mode — no provider flag needed.
|
|
# OMNIGENT_DOMAIN=omnigent.example.com
|
|
# OMNIGENT_OIDC_ISSUER=https://github.com
|
|
# OMNIGENT_OIDC_CLIENT_ID=Iv1.abc123…
|
|
# OMNIGENT_OIDC_CLIENT_SECRET=…
|
|
|
|
# ── Example: Google Workspace ────────────────────────────
|
|
# 1. Create OAuth credentials at console.cloud.google.com → APIs & Services → Credentials.
|
|
# - Application type: Web application
|
|
# - Authorized redirect URI: https://<OMNIGENT_DOMAIN>/auth/callback
|
|
# 2. Restrict logins to your company domain(s) via ALLOWED_DOMAINS.
|
|
# OMNIGENT_DOMAIN=omnigent.example.com
|
|
# OMNIGENT_OIDC_ISSUER=https://accounts.google.com
|
|
# OMNIGENT_OIDC_CLIENT_ID=…apps.googleusercontent.com
|
|
# OMNIGENT_OIDC_CLIENT_SECRET=…
|
|
# OMNIGENT_OIDC_ALLOWED_DOMAINS=example.com,subsidiary.example.com
|
|
|
|
# ── Example: Generic OIDC (Okta, Auth0, Keycloak, Entra) ─
|
|
# Issuer just needs to publish /.well-known/openid-configuration.
|
|
# OMNIGENT_DOMAIN=omnigent.example.com
|
|
# OMNIGENT_OIDC_ISSUER=https://your-tenant.okta.com
|
|
# OMNIGENT_OIDC_CLIENT_ID=…
|
|
# OMNIGENT_OIDC_CLIENT_SECRET=…
|
|
# OMNIGENT_OIDC_SCOPES=openid email profile # default — override only if needed
|
|
|
|
# ── Optional OIDC tuning ─────────────────────────────────
|
|
# OMNIGENT_OIDC_SESSION_TTL_HOURS=8
|
|
# OMNIGENT_OIDC_LOGOUT_REDIRECT_URI=https://omnigent.example.com/
|
|
#
|
|
# Skip the email_verified claim check on id_tokens. Some IdPs (e.g.
|
|
# Okta without custom API Access Management) omit the claim for
|
|
# directory-provisioned users, which otherwise fails login with
|
|
# "Could not determine user email". Only enable when the issuer is a
|
|
# trusted enterprise directory — it makes any signed email claim the
|
|
# user's identity. Off by default.
|
|
# OMNIGENT_OIDC_SKIP_EMAIL_VERIFICATION=1
|
|
|
|
# ── Server config file (admins, allowed domains, …) ──────
|
|
# Non-secret settings live in a YAML config file — the same one
|
|
# `omnigent server -c` reads. Default location is <data_dir>/config.yaml
|
|
# (so /data/config.yaml in this compose stack); override with:
|
|
# OMNIGENT_CONFIG=/data/config.yaml
|
|
# See config.yaml.example for the full set (admins, allowed_domains,
|
|
# artifact_location, policy_modules, …). Secrets stay HERE in .env.
|
|
#
|
|
# Admins: OIDC doesn't tell us who's an operator, so name them in the
|
|
# config's `admins:` list (canonical). A listed identity is promoted to
|
|
# admin on login (email for OIDC, username for accounts). Promotion is
|
|
# ADDITIVE — removing an entry never demotes (demote from the Members
|
|
# page). For a no-restart change you can also append to the
|
|
# <data_dir>/admins file (union'd with config); override its path with
|
|
# OMNIGENT_ADMIN_LIST_PATH.
|
|
#
|
|
# Allowed domains: the config's `allowed_domains:` list, OMNIGENT_OIDC_
|
|
# ALLOWED_DOMAINS (env), and a <data_dir>/allowed_domains file are all
|
|
# UNION'd. Admin-listed and invited identities bypass the domain check.
|
|
# Override the file path with OMNIGENT_OIDC_ALLOWED_DOMAINS_PATH.
|
|
|
|
# ── OIDC invites (opt-in) ────────────────────────────────
|
|
# Off by default. When on, an admin can mint a single-use invite link
|
|
# (POST /auth/invite) that pre-authorizes whoever redeems it — letting
|
|
# one external collaborator in past ALLOWED_DOMAINS without widening
|
|
# the allowlist for everyone. The pre-authorization is recorded and
|
|
# persists for that email's future logins.
|
|
# OMNIGENT_OIDC_ALLOW_INVITES=1
|
|
|
|
# ── Switching accounts → OIDC (one-time data migration) ──
|
|
# accounts keys users by username (alice); OIDC by email
|
|
# (alice@example.com). Before flipping AUTH_PROVIDER, remap identities
|
|
# so admin + permissions carry over (dry run first, then --commit):
|
|
# omnigent accounts migrate-to-oidc <DB_URL> --domain example.com
|
|
# omnigent accounts migrate-to-oidc <DB_URL> --domain example.com --commit
|
|
# Then add your email to the config `admins:` (or /data/admins) and set
|
|
# AUTH_PROVIDER=oidc.
|
|
|
|
# ── Build-time ───────────────────────────────────────────
|
|
# Override only if your network blocks pypi.org (e.g. behind a
|
|
# corporate proxy). Don't ship a built image that bakes a private
|
|
# index — the layer will reference unreachable URLs for other users.
|
|
# PYPI_INDEX_URL=https://pypi.org/simple
|