.env.dist

################################################################################
## Akeeba Panopticon – .env configuration file
##
## WARNING! Using .env files to configure Akeeba Panopticon has the following
## side-effects:
##
## - The config.php file is ignored
## - The System Configuration page is no longer available
## - You will not go through the Setup page
##
## You should only use .env files with Akeeba Panoption if you are doing an
## unattended, command-line installation. Everyone else is strongly recommended
## to follow the regular installation and configuration procedure.
##
## -----------------------------------------------------------------------------
##
## To use this file, copy it to .env and edit it.
##
## -----------------------------------------------------------------------------
##
## You can use environment-specific .env files. Set the
## PANOPTICON_ENVIRONMENT environemnt variable to a string (if undefined, it is
## assumed to be "production") and Panopticon will **also** try to load the file
## .env.$(PANOPTICON_ENVIRONMENT) e.g. .env.production
##
## You can store your .env files either in the Panopticon installation root, or
## the user_code folder of your site.
##
################################################################################

## =============================================================================
## System
## =============================================================================

# Installation Secret
# A randomly generated 32 to 64 character string using the characters 0-9, A-Z,
# a-z, underscore (_) and dash (-). This is used to improve the security of
# your Panopticon installation.
# You can generate a random secret at
# https://www.random.org/passwords/?num=1&len=32&format=plain&rnd=new
PANOPTICON_SECRET=00CHANGEme00changeME00ChangeMe00

# Use Default PHP Session Save Path
# Set true to use the configure PHP session save path on your server. Set false
# to always use `tmp/session`.
PANOPTICON_SESSION_USE_DEFAULT_PATH=true

# Session Path Levels
# Sessions will be stored in this many directory levels. Set to 1 or 2 if you
# have thousands of concurrent sessions. Only applies when the option above
# (PANOPTICON_SESSION_USE_DEFAULT_PATH) is set to false.
PANOPTICON_SESSION_SAVE_LEVELS=0

# Encrypt Session Data
# Set to true (default) to encrypt the session data using the Installation
# Secret.
PANOPTICON_SESSION_ENCRYPT=1

# Session Timeout
# How long is a login session valid for [minutes].
PANOPTICON_SESSION_TIMEOUT=1440

# Default language
# The language to use by default for displaying the Panopticon interface.
# Valid range: the name, without the .ini extension, of any language file found
# in the languages folder.
PANOPTICON_LANGUAGE=en-GB

# Time Zone
# The timezone to use for displaying information in the interface
PANOPTICON_TIMEZONE=UTC

# Debug system
# Should system debugging be enabled? Displays more detailed error messages at
# runtime and enabled very detailed logging. Only enable if you are asked to.
PANOPTICON_DEBUG=false

# Error reporting level
# How verbose should error reporting to the browser output be? The valid
# options are:
# * default. Use the PHP configuration.
# * none. No error reporting to the browser
# * simple. Only fatal error and warnings (core PHP or user-defined) are
#   output to the browser.
# * maximum. All fatal errors, warnings, notices, and deprecation notices
#   are output.
PANOPTICON_ERROR_REPORTING=default

# Panopticon installation URL
# The URL Panopticon is installed on. Used when sending emails through a CLI
# CRON job.
PANOPTICON_LIVE_SITE=

# Anti-CSRF Token Algorithm
# The hash algorithm for creating an anti-CSRF token. SHA-512 offers the
# best security, but may not work on some hosts because it's very long. MD5
# offers the least security but is compatible with all hosts. Only change if
# you have problems when clicking action buttons in Panopticon.
PANOPTICON_SESSION_TOKEN_ALGORITHM=sha512

# Behind Load Balancer
# Set to true if the site is behind a load balancer or reverse proxy which
# conveys the visitor's IP address in the X-Forwarded-For HTTP header. Also set
# to true if you are behind CloudFlare, Sucuri, or other similar CDN acting as
# a reverse proxy.
PANOPTICON_BEHIND_LOAD_BALANCER=false

# Collect Anonymous Usage Statistics
# Should Akeeba Panopticon send anonymous information about the Panopticon, PHP,
# and database server you are using? This information is used to help Akeeba
# determine which versions of PHP and database servers to support in future
# releases of the software.
PANOPTICON_STATS_COLLECTION=true

## =============================================================================
## Security
## =============================================================================
# Forbid using leaked passwords
# Prevent users from using passwords which are found in online password leaks.
# Powered by the third party service Have I Been Pwned
# (https://haveibeenpwned.com)
PANOPTICON_PASSWORD_HIBP=true

# Allow self-service password reset
# Should users be allowed to reset their own password?
PANOPTICON_PWRESET=true

# Minimum time between password reset requests
# Minimum amount of time (in seconds) between successive password reset requests.
# Default: 300 seconds (5 minutes)
PANOPTICON_PWRESET_MINTIME=300

# Maximum failed password reset attempts
# Maximum number of failed password reset attempts before canceling the request.
PANOPTICON_PWRESET_MAXFAILS=3

# Password reset removes MFA
# Show the self-service password reset disable MFA in the user account?
PANOPTICON_PWRESET_MFA=false

# Password reset removes passkeys
# Should the self-service password reset remove passkeys in the user account?
PANOPTICON_PWRESET_PASSKEYS=false

# Password reset allowed for Superusers
# Should users with the Superuser privilege be allowed to reset their password?
PANOPTICON_PWRESET_SUPERUSER=false

# Password reset allowed for Administrators
# Should users with the Administrator privilege be allowed to reset their
# password?
PANOPTICON_PWRESET_ADMIN=false

# Password reset allowed for these groups
# Only users in these groups will be allowed to reset their password. Leave
# empty to let any user (with the possible exceptions of superusers and
# administrators, see above) to reset their password. This is a comma-separated
# list of group IDs.
PANOPTICON_PWRESET_GROUPS=

# Force MFA for these Groups
# Comma-separated list of group IDs for which Multi-factor Authentication is
# mandatory. If they log into the Panopticon installation before they had the
# chance to enable MFA they will be redirected to a cut-down version of the
# user profile edit page where they must set up MFA. Only then will they be
# allowed to use other pages in the Panopticon installation.
PANOPTICON_MFA_FORCE_GROUPS=

# Force MFA for Superusers
# Should users with the Superuser privilege be forced to use MFA? The same
# process for enforcing MFA as "Force MFA for these Groups" will apply to any
# user with the Superuser privilege, regardless of their user group
# participation.
PANOPTICON_MFA_SUPERUSER=false

# Force MFA for Administrators
# Should users with the Administrator privilege be forced to use MFA? The same
# process for enforcing MFA as "Force MFA for these Groups" will apply to any
# user with the Administrator privilege, regardless of their user group
# participation.
PANOPTICON_MFA_ADMIN=false

# Maximum MFA tries
# The maximum number of MFA login attempts a user has before they are logged
# out of the application. This is meant to slow down attackers to the point
# they cannot simply “guess” an authenticator code within the 90 seconds time
# window. Passkeys are generally immune to such attacks, but we apply this
# setting on them as well for consistency reasons.
PANOPTICON_MFA_MAX_TRIES=3

# Automatic IP block on failed login attempts
# Set to true to have Panopticon automatically block an IP address if more than
# a certain number of failed login attempts come from it in a specific period.
PANOPTICON_LOGIN_FAILURE_ENABLE=true

# MFA failure counts as login failure
# Should Multi-factor Authentication failures count as login failures for the
# purpose of automatic IP blocking on failed login attempts?
PANOPTICON_MFA_COUNTS_AS_LOGIN_FAILURE=false

# Maximum login failures
# Automatic, but temporary, IP blocking will be effected if there are this many
# failed login attempts coming from an IP address within the "Login failure
# window".
PANOPTICON_LOGIN_MAX_FAILURES=5

# Login failure window (seconds)
# Automatic, but temporary, IP blocking will be effected if there are at least
# "Maximum login failures" failed login attempts coming from an IP address
# within the number of seconds set in this option.
PANOPTICON_LOGIN_FAILURE_WINDOW=60

# IP lockout time (seconds)
# When an automatic block is placed on an IP address it will last this many
# seconds.
PANOPTICON_LOGIN_LOCKOUT=900

# Extend IP lockout time
# When enabled, every time a blocked IP address tries to access Akeeba
# Panopticon it will have its lockout time reset, i.e. the lockout will be
# extended for another “IP lockout time” seconds. This penalises some bots, but
# it comes at the expense of slowing down legitimate access to Panopticon.
PANOPTICON_LOGIN_LOCKOUT_EXTEND=false

# Login with passkey
# Should passkeys be allowed as a login method?
PANOPTICON_PASSKEY_LOGIN=true

# Bypass MFA when using a passkey
# Should Multi-factor Authentication be bypassed when using passkeys to log in?
PANOPTICON_PASSKEY_LOGIN_NO_MFA=true

# Disable password login when login with passkey is set up
# Should password logins be disabled for users with passkey login set up?
# Options:
# - user    Let the user decide
# - always  Password login disabled for all users with passkey login
# - never   Password login is never disabled for any user with passkey login
PANOPTICON_PASSKEY_LOGIN_NO_PASSWORD=user

# Force passkey login for these groups
# These user groups will be forced to use passkey login
PANOPTICON_PASSKEY_LOGIN_FORCE_GROUPS=

# Force passkey login for Superusers
# Should superusers be forced to use passkeys to log in?
PANOPTICON_PASSKEY_LOGIN_FORCE_SUPERUSER=false

# Force passkey login for Administrators
# Should administrators be forced to use passkeys to log in?
PANOPTICON_PASSKEY_LOGIN_FORCE_ADMIN=false

## =============================================================================
## HTTP(s) Proxy
## =============================================================================

# Use a Proxy Server for Outgoing Connections
# Should I use an HTTP(S) proxy for connections made to remote hosts?
PANOPTICON_PROXY_ENABLED=false

# Proxy hostname or IP Address
PANOPTICON_PROXY_HOST=localhost

# Proxy Port
PANOPTICON_PROXY_PORT=3128

# Proxy Username (optional)
PANOPTICON_PROXY_USER=

# Proxy Password (optional)
PANOPTICON_PROXY_PASS=

# Do Not Proxy These Domains
# Enter a comma–separated list of full, or partial domain names which should
# not go through the proxy, e.g.: www.example.com, .mit.edu, .dev
PANOPTICON_PROXY_NO=

## =============================================================================
## Display Preferences
## =============================================================================

# Custom template
# The template to use. Must be installed under the templates directory.
PANOPTICON_TEMPLATE=default

# Custom CSS File
# Which CSS file should be loaded from media/css?
PANOPTICON_THEME=theme

# Dark Mode
# Should the application automatically switch to dark mode?
# Valid settings: 1 (auto; use browser), 2 (always light), 3 (always dark)
PANOPTICON_DARKMODE=1

# Font size [pt]
# If set, it overrides the body font size. Blank to let the browser decide.
PANOPTICON_FONTSIZE=

# PHP Version Messages in Main Page
# Should I display the PHP version messages (End of Life, approaching End of
# Life, out of date) in the main page of the application?
PANOPTICON_PHPWARNINGS=true

# Enable user avatars
# Should I display Gravatar avatars? Disabled by default and unavailable in the user interface because people are dumb.
PANOPTICON_AVATARS=false

## =============================================================================
## Automation
## =============================================================================

# Web CRON key
# This key must be provided in the Web CRON URL for it to work.
# YOU MUST CHANGE THIS KEY! Best way to generate a random key:
# https://www.random.org/passwords/?num=1&len=32&format=html&rnd=new
PANOPTICON_WEBCRON_KEY=2pSdWfX9h6dfkDCsPwx4R4YNMR6eeHhA

# Stuck Task Threshold [minutes]
# After how many minutes is a task considered to be “stuck”. Must be at least
# 3 minutes.
PANOPTICON_CRON_STUCK_THRESHOLD=3

# Maximum Execution Time [seconds]
# The maximum time allowed for task execution.
PANOPTICON_MAX_EXECUTION=60

# Execution Time Bias [5]
# When the current execution time exceeds this percentage of the Maximum
# Execution Time we will not try to execute another task to avoid a timeout.
PANOPTICON_EXECUTION_BIAS=75

# Accurate PHP-CLI path
# Enable to have Akeeba Panopticon try to detect the accurate PHP-CLI path on
# your server. Disable if your server does not allow you to do that, locking
# your IP address out of your site for several minutes to hours when this
# happens (for example IONOS).
PANOPTICON_ACCURATE_PHP_CLI=1

## =============================================================================
## Site Operations
## =============================================================================

# Site information update frequency [minutes]
# The site information (Joomla version, update availability, PHP version) will
# be automatically updated after at least this many minutes since the last time.
PANOPTICON_SITEINFO_FREQ=60

# When An Update Is Found (Joomla! Updates)
# Do nothing: no action is taken. Send email: An email is sent, nothing is
# installed. Patch: Only patch versions (e.g. 1.2.3 to 1.2.4) is installed; an
# email is sent otherwise. Minor: Only patch and minor versions (e.g. 1.2.x to
# 1.3.x) are installed; an email is sent otherwise. Any version: installs all
# updates, even if the major version changes (e.g. 1.x to 2.x).
# Valid options: none, email, patch, minor, major
PANOPTICON_TASKS_COREUPDATE_INSTALL=patch

# When An Extension Update Is Found
# Same as tasks_coreupdate_install, but for extension updates
PANOPTICON_TASKS_EXTUPDATE_INSTALL=none

## =============================================================================
## Caching
## =============================================================================

# Cache Time [minutes]
# How long to cache data by default. Individual features may use a different
# cache time.
PANOPTICON_CACHING_TIME=60

# Cache Adapter
# Valid settings:
# * filesystem (Files) Files in the cache directory. Safest and slowest option.
# * linuxfs (Files and Symlinks) Files and symlinks in the cache directory.
#     Only usable on Linux and macOS, as long as PHP can create symlinks.
# * db (Database) Uses the database table #__cache in your database (it's
#     created on the fly). If your dbdriver configuration option is anything
#     other than pdomysql you will have two or more concurrent database
#     connections to your database server per execution thread which might be
#     problematic for some servers.
# * memcached (memcached) Use a memcached server. Requires the PHP memcached
#     extension. Note that Panopticon only supports using a single server. If
#     you want to use a cluster you'll have to override the cacheFactory
#     service in the container using user-provided code.
# * redis (Redis) Use a Redis server. Requires the PHP redis extension. Note
#     that Panopticon only supports using a single server. If you want to use a
#     cluster you'll have to override the cacheFactory service in the container
#     using user-provided code.
PANOPTICON_CACHE_ADAPTER=filesystem

# Redis Data Source Name (DSN)
# How to connect to the Redis server. See the Symfony Cache Redis adapter
# documentation. Required when cache_adapter is set to redis.
# See: https://symfony.com/doc/current/components/cache/adapters/redis_adapter.html#configure-the-connection
PANOPTICON_CACHING_REDIS_DSN=

# Memcached Data Source Name (DSN)
# How to connect to the Memcached server. See the Symfony Cache Memcached
# adapter documentation. Required when cache_adapter is set to memcached.
# See: https://symfony.com/doc/current/components/cache/adapters/memcached_adapter.html#configure-the-connection
PANOPTICON_CACHING_MEMCACHED_DSN=

## =============================================================================
## Logging
## =============================================================================

# Minimum log level
# What is the minimum severity level for messages to be kept in the logs.
# Please note that enabling Debug System will always result in all messages to
# be logged, as if you had set this option to Debug.
# Valid settings: emergency, alert, critical, error, warning, notice, info,
#   debug
PANOPTICON_LOG_LEVEL=warning

# Compress rotated logs
# Should the log files which have been rotated be compressed with Gzip?
PANOPTICON_LOG_ROTATE_COMPRESS=true

# Rotated log files to keep
# How many rotated log files should I keep?
# Range: 0 to 100
PANOPTICON_LOG_ROTATE_FILES=3

# Backup log files deletion after this many days
# Backup log files will be deleted, instead of rotated, after this many days.
# 0 means keep forever (NOT RECOMMENDED!).
# Range: 0 to 65535 (that is almost 179 1/2 years…)
PANOPTICON_LOG_BACKUP_THRESHOLD=14

## =============================================================================
## Database
## =============================================================================

# Database Driver
# The PHP MySQL database driver to use
# Valid settings: mysqli, pdomysql
PANOPTICON_DBDRIVER=mysqli

# Database Hostname
# The hostname of the MYSQL database
PANOPTICON_DBHOST=localhost

# Database Username
# The username to connect to your database
PANOPTICON_DBUSER=

# Database Password
# The password to connect to your database
PANOPTICON_DBPASS=

# Database Name
# The name of the MySQL database
PANOPTICON_DBNAME=

# Database Prefix
# A naming prefix to use for Akeeba Panopticon tables. Ideally 2 to 5 characters
# long, followed by an underscore.
PANOPTICON_PREFIX=pnptc_

# Database Connection Character Set
# Only applies to the pdomysql driver. The character set of the connection to
# the database. This must always be utf8mb4 on all supported database server versions.
PANOPTICON_DBCHARSET=utf8mb4

# Database Encryption
# Should I use an encrypted connection to the MySQL database server?
PANOPTICON_DBENCRYPTION=false

# Path to the SSL/TLS CA certificate
# Absolute path to the SSL CA for encrypted database connections
# Empty yo use the default Certification Authority store configured in PHP
# itself.
PANOPTICON_DBSSLCA=

# Path to the SSL/TLS key file
# Absolute path to the SSL/TLS key file (PEM format) for encrypted database
# connections
PANOPTICON_DBSSLKEY=

# Path to the SSL/TLS certificate file
# Absolute path to the SSL/TLS certificate file (PEM format) for encrypted
# database connections
PANOPTICON_DBSSLCERT=

# Verify SSL/TLS Server Certificates
# Should I verify the SSL/TLS server certificates against the SSL/TLS CA?
PANOPTICON_DBSSLVERIFYSERVERCERT=true

## =============================================================================
## Database Backups
## =============================================================================

# Automatic Database Backups
# Should I take daily, automatic backups of the important database tables?
PANOPTICON_DBBACKUP_AUTO=true

# Compress Database Backups
# Should I compress the database backups with Gzip?
PANOPTICON_DBBACKUP_COMPRESS=true

# Maximum Number Of Database Backups
# How many database backup files should I keep? Only applies to backups taken
# automatically, backups taken manually from the Database Backups page, and
# backups taken from the CLI to the default directory.
PANOPTICON_DBBACKUP_MAXFILES=15

## =============================================================================
## Email
## =============================================================================

# Mail Sending
# Is Panopticon allowed to send email?
PANOPTICON_MAIL_ONLINE=true

# Immedate Email Sending
# True (default) to send all emails immediately. False to enqueue emails for batch sending.
PANOPTICON_IMMEDIATE_EMAIL=true

# Inline Images in Email
# Should Panopticon try to attach images in the emails it sends? When disabled
# the images will be linked to. When enabled the images are included in the
# email as inline attachments.
PANOPTICON_MAIL_INLINE_IMAGES=false

# Mail handler
# How will Panopticon send emails?
# One of:
#
# * smtp Use the configured SMTP server.
# * sendmail Use sendmail, as configured in PHP (see sendmail_path).
# * mail Use the built-in PHP mail() function. For its configuration please
#     consult PHP's Mail configuration options page.
PANOPTICON_MAILER=mail

# Sender address
# The sender email address for any email sent by Panopticon, for example
# panopticon@example.com
PANOPTICON_MAILFROM=

# Sender name
# The sender email name for any email sent by Panopticon.
PANOPTICON_FROMNAME=Panopticon

# SMTP Host
# Only when you use the SMTP mail handler. The host name of your SMTP server,
# e.g. mail.example.com
PANOPTICON_SMTPHOST=localhost

# SMTP Port
# Only when you use the SMTP mail handler. The TCP/IP port used to connect to
# your SMTP server. Usual ports are 25 (unencrypted SMTP), 587 (SMTP over TLS),
# and 465 (SMTP over SSL).
PANOPTICON_SMTPPORT=25

# SMTP Security
# Only when you use the SMTP mail handler. Should an encryption method be
# applied when contacting your SMTP server?
#
# One of:
#
# * none No security. Usernames, passwords, and the emails themselves are
#     transmitted unencrypted to the SMTP server. Not recommended.
# * ssl Use SMTP over SSL. The SSL encryption standard has been obsolete since
#     1996. Some odd hosts may still use it. Not recommended.
# * tls Use SMTP over TLS. The most modern encryption standard, used by most
#     commercial hosts.
PANOPTICON_SMTPSECURE=none

# SMTP Authentication
# Only when you use the SMTP mail handler. Does your SMTP server require
# authentication?
PANOPTICON_SMTPAUTH=false

# SMTP Username
# Only when you use the SMTP mail handler and SMTP Authentication is enabled.
# The username to connect to your SMTP server. Usually it's the same as your
# email address.
PANOPTICON_SMTPUSER=

# SMTP Password
# Only when you use the SMTP mail handler and SMTP Authentication is enabled.
# The password to connect to your SMTP server. Usually it's the same as the
# password you use to receive email from the same address.
PANOPTICON_SMTPPASS=