From 6c88a01123895280361efce398a440965bcd2231 Mon Sep 17 00:00:00 2001
From: Andrei Brebene
Date: Tue, 31 Mar 2026 16:59:11 +0300
Subject: [PATCH] docs: document all env vars and remove SMTP/webhook from docker config

SMTP and webhook settings are configured via Admin UI only.

Made-with: Cursor
---
 README.md | 37 +++++++++++++++++++++++++++++--------
 docker-compose.yml | 36 +++++++++++------------------------
 server/.env.example | 41 ++++++++++++++++------------------------
 3 files changed, 56 insertions(+), 58 deletions(-)

diff --git a/README.md b/README.md
index 3de2e8f..f99efd5 100644
--- a/README.md
+++ b/README.md
@@ -120,23 +120,44 @@ services:
 app:
 image: mauriceboe/trek:latest
 container_name: trek
+ read_only: true
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETUID
+ - SETGID
+ tmpfs:
+ - /tmp:noexec,nosuid,size=64m
 ports:
 - "3000:3000"
 environment:
 - NODE_ENV=production
 - PORT=3000
- - TZ=UTC
- - LOG_LEVEL=info
- # - ALLOWED_ORIGINS=https://trek.example.com
- # - OIDC_ISSUER=https://auth.example.com
- # - OIDC_CLIENT_ID=trek
- # - OIDC_CLIENT_SECRET=supersecret
- # - OIDC_DISPLAY_NAME=SSO
- # - OIDC_ONLY=false
+ - JWT_SECRET=${JWT_SECRET:-} # Auto-generated if not set; persist across restarts for stable sessions
+ - TZ=${TZ:-UTC} # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin)
+ - LOG_LEVEL=${LOG_LEVEL:-info} # info = concise user actions; debug = verbose admin-level details
+ - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-} # Comma-separated origins for CORS and email notification links
+ - FORCE_HTTPS=true # Redirect HTTP to HTTPS when behind a TLS-terminating proxy
+ - TRUST_PROXY=1 # Number of trusted proxies (for X-Forwarded-For / real client IP)
+ - OIDC_ISSUER=https://auth.example.com # OpenID Connect provider URL
+ - OIDC_CLIENT_ID=trek # OpenID Connect client ID
+ - OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
+ - OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
+ - OIDC_ONLY=false # Set true to disable local password auth entirely (SSO only)
 volumes:
 - ./data:/app/data
 - ./uploads:/app/uploads
 restart: unless-stopped
+ healthcheck:
+ test: ["CMD", "wget", "-qO-", "http://localhost:3000/api/health"]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 15s
+
 ```
 
 ```bash
diff --git a/docker-compose.yml b/docker-compose.yml
index 643019d..37e1123 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
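Review bot: In the `environment:` block the OIDC entries, `FORCE_HTTPS=true` and `TRUST_PROXY=1` change from commented-out opt-ins to active values, so a reader who copies this snippet ships a literal `supersecret` client secret, an issuer of `https://auth.example.com`, an HTTP-to-HTTPS redirect with no TLS proxy in front and, if the app reads the variable the way its comment describes, trust in one hop of `X-Forwarded-For` that a direct client controls; the docker-compose.yml hunk has the same problem. Either keep them commented as before or give them an empty default like the `JWT_SECRET` line, e.g. `- FORCE_HTTPS=${FORCE_HTTPS:-false}` and `- OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}`, so nothing is configured until an operator sets it. The trailing `# ...` comments are parsed by YAML as comments, so the values are unaffected, but most of these lines now exceed 120 columns where the previous comment-above-the-line layout did not. The `healthcheck` relies on `wget` being present in the image, which this diff cannot confirm. The `services:` mapping these lines belong to starts before the hunk.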
@@ -18,31 +18,17 @@ services:
 environment:
 - NODE_ENV=production
 - PORT=3000
- # Auto-generated if not set; persist across restarts for stable sessions
- - JWT_SECRET=${JWT_SECRET:-}
- # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin)
- - TZ=${TZ:-UTC}
- # info = concise user actions; debug = verbose admin-level details
- - LOG_LEVEL=${LOG_LEVEL:-info}
- # Comma-separated origins for CORS and email notification links
- - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-}
- # Redirect HTTP to HTTPS when behind a TLS-terminating proxy
- # - FORCE_HTTPS=true
- # Number of trusted proxies (for X-Forwarded-For / real client IP)
- # - TRUST_PROXY=1
-
- ## ── OIDC / SSO ──────────────────────────────────────────────
- # OpenID Connect provider URL
- # - OIDC_ISSUER=https://auth.example.com
- # - OIDC_CLIENT_ID=trek
- # - OIDC_CLIENT_SECRET=supersecret
- # Label shown on the SSO login button
- # - OIDC_DISPLAY_NAME=SSO
- # Set true to disable local password auth entirely (SSO only)
- # - OIDC_ONLY=false
-
- ## ── Demo mode (resets data hourly) ──────────────────────────
- # - DEMO_MODE=false
+ - JWT_SECRET=${JWT_SECRET:-} # Auto-generated if not set; persist across restarts for stable sessions
+ - TZ=${TZ:-UTC} # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin)
+ - LOG_LEVEL=${LOG_LEVEL:-info} # info = concise user actions; debug = verbose admin-level details
+ - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-} # Comma-separated origins for CORS and email notification links
+ - FORCE_HTTPS=true # Redirect HTTP to HTTPS when behind a TLS-terminating proxy
+ - TRUST_PROXY=1 # Number of trusted proxies (for X-Forwarded-For / real client IP)
+ - OIDC_ISSUER=https://auth.example.com # OpenID Connect provider URL
+ - OIDC_CLIENT_ID=trek # OpenID Connect client ID
+ - OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
+ - OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
+ - OIDC_ONLY=false # Set true to disable local password auth entirely (SSO only)
 volumes:
 - ./data:/app/data
 - ./uploads:/app/uploads
diff --git a/server/.env.example b/server/.env.example
index f577725..2aae179 100644
--- a/server/.env.example
+++ b/server/.env.example
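Review bot: The removed `## ── Demo mode (resets data hourly)` heading and its `# - DEMO_MODE=false` entry are dropped without replacement, so docker-compose.yml no longer documents `DEMO_MODE` even though the commit subject says it documents all env vars and the server/.env.example hunk keeps the variable; `OIDC_ADMIN_CLAIM` and `OIDC_ADMIN_VALUE` are likewise documented only in .env.example. Adding `# - DEMO_MODE=false  # Demo mode - resets data hourly` after the `OIDC_ONLY` line would keep the two files in step. Nothing in this diff removes SMTP or webhook settings from any of the three files, so the subject line's "remove SMTP/webhook from docker config" is not reflected in the hunks; if they were removed in an earlier commit the message should say so. The `services:` mapping named in the hunk header starts before the hunk.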
@@ -1,28 +1,19 @@
-# ── Core ───────────────────────────────────────────────────────
-PORT=3001
-NODE_ENV=development
-JWT_SECRET=your-super-secret-jwt-key-change-in-production
-TZ=UTC
-# info = concise user actions; debug = verbose admin-level details
-LOG_LEVEL=info
+PORT=3001 # Port to run the server on
+NODE_ENV=development # development = development mode; production = production mode
+JWT_SECRET=your-super-secret-jwt-key-change-in-production # Auto-generated if not set; persist across restarts for stable sessions
+TZ=UTC # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin)
+LOG_LEVEL=info # info = concise user actions; debug = verbose admin-level details
 
-# ── Networking ─────────────────────────────────────────────────
-# Comma-separated origins for CORS and email links
-# ALLOWED_ORIGINS=https://trek.example.com
-# Redirect HTTP → HTTPS behind a TLS proxy
-# FORCE_HTTPS=false
-# Number of trusted proxies for X-Forwarded-For
-# TRUST_PROXY=1
+ALLOWED_ORIGINS=https://trek.example.com # Comma-separated origins for CORS and email links
+FORCE_HTTPS=false # Redirect HTTP → HTTPS behind a TLS proxy
+TRUST_PROXY=1 # Number of trusted proxies for X-Forwarded-For
 
-# ── OIDC / SSO ─────────────────────────────────────────────────
-# OIDC_ISSUER=https://auth.example.com
-# OIDC_CLIENT_ID=trek
-# OIDC_CLIENT_SECRET=supersecret
-# OIDC_DISPLAY_NAME=SSO
-# Disable local password auth entirely (SSO only)
-# OIDC_ONLY=false
-# OIDC_ADMIN_CLAIM=groups
-# OIDC_ADMIN_VALUE=app-trek-admins
+OIDC_ISSUER=https://auth.example.com # OpenID Connect provider URL
+OIDC_CLIENT_ID=trek # OpenID Connect client ID
+OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
+OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
+OIDC_ONLY=true # Disable local password auth entirely (SSO only)
+OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
+OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
 
-# ── Demo ───────────────────────────────────────────────────────
-# DEMO_MODE=false
+DEMO_MODE=false # Demo mode - resets data hourly
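Review bot: `OIDC_ONLY=true` at the end of the OIDC block is both newly active and flipped from the previous commented `false`, so a developer who copies this example to `.env` has local password login disabled against the placeholder issuer `https://auth.example.com` and cannot sign in at all; `OIDC_ONLY=false`, or leaving the OIDC lines commented as before, is the safe example value. The same applies to `JWT_SECRET=your-super-secret-jwt-key-change-in-production`, whose own comment says the key is auto-generated when unset, so the example should leave it empty or commented (`# JWT_SECRET=` with the comment on the line above) rather than seed every copy with a published secret. The `KEY=value # comment` form depends on the loader: the dotenv package strips a `#` preceded by whitespace in recent versions, but as far as I know `docker --env-file` does not and the remainder becomes part of the value, so if this file is meant for both, comments on their own line (the previous layout) are the portable choice. The `NODE_ENV` comment `development = development mode; production = production mode` restates the value and could instead say what differs between the two, if anything.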