env.example
# =============================================================================
# IGLOO SERVER ENVIRONMENT CONFIGURATION
# =============================================================================
# Copy this file to .env and customize the values for your deployment.
# Never commit your .env file to version control, and restrict its file permissions:
# it holds API keys, passwords and signing credentials.
# =============================================================================
# OPERATION MODE
# =============================================================================
# HEADLESS mode: when true, configuration (including credentials) is read from environment variables (traditional mode).
# When false (the default), user management and credential storage use the database instead.
HEADLESS=false
# =============================================================================
# DATABASE MODE CONFIGURATION (HEADLESS=false)
# =============================================================================
# Admin secret for initial setup (required for first user creation)
# Generate a secure secret: openssl rand -hex 32
# REQUIRED when HEADLESS=false: the server should refuse to start if this is unset or still set to the placeholder value below.
# ---
# SECURITY WARNING: DO NOT LEAVE THIS AS THE DEFAULT VALUE.
# The server will refuse to start in database mode if this is not set to a secure, unique secret.
ADMIN_SECRET=REQUIRED_ADMIN_SECRET_NOT_SET
# Database path (optional, defaults to ./data)
# DB_PATH=/path/to/database
# =============================================================================
# HEADLESS MODE CONFIGURATION (HEADLESS=true)
# =============================================================================
# FROSTR credentials - only used when HEADLESS=true
# Your FROSTR group and share credentials, exported from Igloo Desktop.
# SHARE_CRED contains your secret key share: treat it like a private key and never paste it into logs, issues or chat.
# Leave both empty to start the server in configuration-only mode.
GROUP_CRED=
SHARE_CRED=
# Optional: Display name for your signing group (HEADLESS mode only)
GROUP_NAME=
# Optional: Directional peer policies for headless mode (JSON array or single object)
# Only overrides that block a direction are persisted (defaults are allow/allow)
# Example: PEER_POLICIES=[{"pubkey":"abcdef...","allowSend":false}] # blocks outbound, leaves inbound default
PEER_POLICIES=
# =============================================================================
# SERVER CONFIGURATION
# =============================================================================
# Server host and port settings.
# Use 'localhost' for local development; '0.0.0.0' (needed for Docker deployments) listens on every
# network interface, so only use it together with AUTH_ENABLED=true and an explicit ALLOWED_ORIGINS list.
HOST_NAME=localhost
HOST_PORT=8002
# Nostr relay URLs for FROSTR protocol communication
# Can be JSON array or comma-separated string
# Examples:
# JSON: ["wss://relay.primal.net","wss://relay.damus.io"]
# CSV: wss://relay.primal.net,wss://relay.damus.io
RELAYS=["wss://relay.primal.net"]
# =============================================================================
# SECURITY CONFIGURATION
# =============================================================================
# Enable/disable authentication (set to 'false' for local development only;
# with it disabled, anyone who can reach HOST_NAME:HOST_PORT can use the API and web UI)
# SECURITY WARNING: Never set to 'false' in production!
AUTH_ENABLED=true
# CORS (Cross-Origin Resource Sharing) Configuration
# Comma-separated list of allowed origins for API requests
# Examples:
# Development: http://localhost:3000,http://localhost:8002
# Production: https://yourdomain.com,https://admin.yourdomain.com
# If unset, defaults to '*' (all origins), which is NOT RECOMMENDED for production: list your real origins explicitly there.
ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8002
# API Key Authentication
# Generate with: openssl rand -hex 32 and replace the placeholder value below; do not reuse the example strings at the bottom of this file.
# Used with header: X-API-Key: your-key or Authorization: Bearer your-key
API_KEY=your-secure-api-key-here
# Basic Authentication (username/password)
# Used for web UI login and HTTP basic auth
BASIC_AUTH_USER=admin
BASIC_AUTH_PASS=your-secure-password-here
# Session Management
# Generate session secret with: openssl rand -hex 32
# REQUIRED in production: without a fixed secret, every server restart invalidates all existing sessions.
# Used for web UI session cookies
SESSION_SECRET=your-random-session-secret-here
# Session timeout in seconds (3600 = 1 hour)
# (kept on its own line: not every .env loader strips a trailing "# comment" from an unquoted value)
SESSION_TIMEOUT=3600
# =============================================================================
# RATE LIMITING
# =============================================================================
# Enable/disable rate limiting protection
RATE_LIMIT_ENABLED=true
# Rate limit window in seconds (900 = 15 minutes)
RATE_LIMIT_WINDOW=900
# Maximum requests per window per IP address
RATE_LIMIT_MAX=600
# NIP-46 session creation limits (per user)
# Default: 3600 seconds (1 hour) in both modes
NIP46_SESSION_RATE_LIMIT_WINDOW=3600
# Default: 30 sessions/hour in HEADLESS mode, 120 sessions/hour in database mode (HEADLESS=false)
NIP46_SESSION_RATE_LIMIT_MAX=120
# =============================================================================
# ENVIRONMENT MODE
# =============================================================================
# Set to 'production' for production deployments
# This affects cookie security flags and other settings
NODE_ENV=development
# =============================================================================
# SECURITY EXAMPLES BY DEPLOYMENT TYPE
# =============================================================================
# The secrets shown below (API keys, passwords, session secrets) are placeholders that only
# illustrate the expected shape and length. Never copy them into a real .env; generate every
# secret with: openssl rand -hex 32
# DEVELOPMENT (Local testing - minimal security)
# AUTH_ENABLED=false
# NODE_ENV=development
# PERSONAL (Home server - medium security)
# AUTH_ENABLED=true
# API_KEY=personal-server-key-2024
# SESSION_SECRET=personal-session-secret-32chars
# SESSION_TIMEOUT=7200
# RATE_LIMIT_MAX=50
# TEAM (Shared server - good security)
# AUTH_ENABLED=true
# BASIC_AUTH_USER=teamadmin
# BASIC_AUTH_PASS=SecureTeamPassword123!
# API_KEY=team-automation-key-64chars
# SESSION_SECRET=team-session-secret-32plus-chars
# SESSION_TIMEOUT=3600
# RATE_LIMIT_MAX=100
# PRODUCTION (Public/cloud - high security)
# AUTH_ENABLED=true
# ALLOWED_ORIGINS=https://yourdomain.com,https://admin.yourdomain.com
# BASIC_AUTH_USER=prodadmin
# BASIC_AUTH_PASS=VerySecurePassword456!
# API_KEY=prod-api-key-with-64-random-chars-abcdef123456789
# SESSION_SECRET=prod-session-secret-256-bits-of-entropy-required-for-production
# SESSION_TIMEOUT=1800
# RATE_LIMIT_ENABLED=true
# RATE_LIMIT_WINDOW=300
# RATE_LIMIT_MAX=30
# NODE_ENV=production