38 lines
2.6 KiB
Plaintext
38 lines
2.6 KiB
Plaintext
PORT=3001 # Port to run the server on
|
|
NODE_ENV=development # development = development mode; production = production mode
|
|
# ENCRYPTION_KEY=<random-256-bit-hex> # Separate key for encrypting stored secrets (API keys, MFA, SMTP, OIDC, etc.)
|
|
# Auto-generated and persisted to ./data/.encryption_key if not set.
|
|
# Upgrade from a version that used JWT_SECRET for encryption: set to your old JWT_SECRET value so
|
|
# existing encrypted data remains readable, then re-save credentials via the admin panel.
|
|
# Generate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
|
|
TZ=UTC # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin)
|
|
LOG_LEVEL=info # info = concise user actions; debug = verbose admin-level details
|
|
|
|
ALLOWED_ORIGINS=https://trek.example.com # Comma-separated origins for CORS and email links
|
|
FORCE_HTTPS=false # Redirect HTTP → HTTPS behind a TLS proxy
|
|
COOKIE_SECURE=true # Set to false to allow session cookies over HTTP (e.g. plain-IP or non-HTTPS setups). Defaults to true in production.
|
|
TRUST_PROXY=1 # Number of trusted proxies for X-Forwarded-For
|
|
ALLOW_INTERNAL_NETWORK=false # Allow outbound requests to private/RFC1918 IPs (e.g. Immich hosted on your LAN). Loopback and link-local addresses are always blocked.
|
|
|
|
APP_URL=https://trek.example.com # Base URL of this instance — required when OIDC is enabled; must match the redirect URI registered with your IdP
|
|
|
|
OIDC_ISSUER=https://auth.example.com # OpenID Connect provider URL
|
|
OIDC_CLIENT_ID=trek # OpenID Connect client ID
|
|
OIDC_CLIENT_SECRET=supersecret # OpenID Connect client secret
|
|
OIDC_DISPLAY_NAME=SSO # Label shown on the SSO login button
|
|
OIDC_ONLY=true # Disable local password auth entirely (SSO only)
|
|
OIDC_ADMIN_CLAIM=groups # OIDC claim used to identify admin users
|
|
OIDC_ADMIN_VALUE=app-trek-admins # Value of the OIDC claim that grants admin role
|
|
OIDC_DISCOVERY_URL= # Override the auto-constructed OIDC discovery endpoint. Useful for providers (e.g. Authentik) that expose it at a non-standard path. Example: https://auth.example.com/application/o/trek/.well-known/openid-configuration
|
|
OIDC_SCOPE=openid email profile # Fully overrides the default. Add extra scopes as needed (e.g. add groups if using OIDC_ADMIN_CLAIM)
|
|
|
|
DEMO_MODE=false # Demo mode - resets data hourly
|
|
|
|
# MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
|
|
|
|
# Initial admin account — only used on first boot when no users exist yet.
|
|
# If both are set the admin account is created with these credentials.
|
|
# If either is omitted a random password is generated and printed to the server log.
|
|
# ADMIN_EMAIL=admin@trek.local
|
|
# ADMIN_PASSWORD=changeme
|