Home Explore Help
Sign In
chiappa
/
sprint_planer_web
mirror of https://git.snix.ch/chiappa/sprint_planer_web.git
1
0
Fork 0
Files Issues 0
Branch: main
Branches Tags
sprint_planer_w...
/
.env.example

.env.example 4.1 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182 
  1. # Entra ID / OIDC
    2. 

  2. ENTRA_TENANT_ID=
    3. 

  3. ENTRA_CLIENT_ID=
    4. 

  4. ENTRA_CLIENT_SECRET=
    5. 

  5. 

  6. # Hard switch to disable OIDC even when ENTRA_* are populated. Useful for
    7. 

  7. # dev / testing / on-prem deployments that want to keep the Entra creds in
    8. 

  8. # .env but route everyone through the LOCAL_ADMIN_* fallback below. Accepted
    9. 

  9. # disabling values: false / 0 / no / off (case-insensitive). Anything else,
    10. 

  10. # including blank, leaves OIDC enabled.
    11. 

  11. # In APP_ENV=production the bootstrap refuses to start when neither OIDC nor
    12. 

  12. # LOCAL_ADMIN_* is enabled — so disabling OIDC in prod requires a working
    13. 

  13. # local admin.
    14. 

  14. OIDC_ENABLED=true
    15. 

  15. 

  16. # Base URL the app is reachable at (no trailing slash).
    17. 

  17. # Used to build the OIDC redirect URI {APP_BASE_URL}/auth/callback
    18. 

  18. APP_BASE_URL=http://localhost:8080
    19. 

  19. 

  20. # Host port the docker-compose stack publishes (container side is fixed at
    21. 

  21. # Apache:80). Pick any free port on the host. Keep APP_BASE_URL in sync —
    22. 

  22. # the OIDC redirect URI registered in Entra must match exactly.
    23. 

  23. HTTP_PORT=8080
    24. 

  24. 

  25. # Path to the SQLite database file inside the container. Leave as-is unless
    26. 

  26. # you have a specific reason to change it. The parent dir is the mounted
    27. 

  27. # volume (/var/www/data).
    28. 

  28. DB_PATH=/var/www/data/app.sqlite
    29. 

  29. 

  30. # Session handler files directory.
    31. 

  31. SESSION_PATH=/var/www/data/sessions
    32. 

  32. 

  33. # 'production' disables verbose error output. Anything else is treated as dev.
    34. 

  34. APP_ENV=production
    35. 

  35. 

  36. # ---------------------------------------------------------------------------
    37. 

  37. # Reverse-proxy trust (R01-N05 / R01-N07). Comma-separated list of CIDRs of
    38. 

  38. # the proxies in front of the app. When the immediate peer (`REMOTE_ADDR`)
    39. 

  39. # matches one of these:
    40. 

  40. #   * `X-Forwarded-For` is walked to find the real client IP — used for the
    41. 

  41. #     audit log and the local-admin login throttle bucket;
    42. 

  42. #   * `X-Forwarded-Proto: https` is honoured for cookie `Secure` / HSTS
    43. 

  43. #     decisions, so a TLS-terminating proxy can mark requests as HTTPS.
    44. 

  44. # Leave blank when the app is exposed directly with no reverse proxy. Examples:
    45. 

  45. #   TRUSTED_PROXIES=10.0.0.0/8,192.168.0.0/16
    46. 

  46. #   TRUSTED_PROXIES=172.16.0.5,2001:db8::/32
    47. 

  47. # ---------------------------------------------------------------------------
    48. 

  48. TRUSTED_PROXIES=
    49. 

  49. 

  50. # ---------------------------------------------------------------------------
    51. 

  51. # OIDC bootstrap admin (optional) — nominate the very first administrator up
    52. 

  52. # front, so a public-facing first deploy can't be land-grabbed by another
    53. 

  53. # tenant member who happens to sign in before you. Auto-promotion to admin
    54. 

  54. # happens via OIDC iff no admin exists yet AND the signing user matches one
    55. 

  55. # of the values below (case-insensitive). With both variables blank, the
    56. 

  56. # OIDC path NEVER auto-promotes — seed the first admin via the local-admin
    57. 

  57. # fallback below, or by manually flipping is_admin in the database.
    58. 

  58. # Set BOOTSTRAP_ADMIN_OID to the Entra `oid` claim (a GUID, immutable) when
    59. 

  59. # you know it; BOOTSTRAP_ADMIN_EMAIL is accepted as a fallback when you only
    60. 

  60. # have the email.
    61. 

  61. # ---------------------------------------------------------------------------
    62. 

  62. BOOTSTRAP_ADMIN_OID=
    63. 

  63. BOOTSTRAP_ADMIN_EMAIL=
    64. 

  64. 

  65. # ---------------------------------------------------------------------------
    66. 

  66. # Local admin (optional) — lets you sign in without Entra, e.g. during initial
    67. 

  67. # setup or for a fully on-prem deployment. Set BOTH email and the password
    68. 

  68. # hash to enable; leave blank to disable. The password is verified with PHP's
    69. 

  69. # password_verify() against LOCAL_ADMIN_PASSWORD_HASH, so .env never contains
    70. 

  70. # the password itself. Generate the hash with:
    71. 

  71. #     docker run --rm php:8.3-cli php -r \
    72. 

  72. #       'echo password_hash(readline("Password: "), PASSWORD_DEFAULT), PHP_EOL;'
    73. 

  73. # (Or `php -r '...'` directly if you have PHP 8 on the host.) Paste the
    74. 

  74. # resulting `$2y$...` string verbatim. Single quotes recommended in .env so
    75. 

  75. # the `$` in the hash isn't interpreted by the shell.
    76. 

  76. # The resulting user is stored with entra_oid = "local:<email>" and is_admin=1.
    77. 

  77. # This path is itself an explicit env-bootstrap and does not require the
    78. 

  78. # BOOTSTRAP_ADMIN_* variables above.
    79. 

  79. # ---------------------------------------------------------------------------
    80. 

  80. LOCAL_ADMIN_EMAIL=
    81. 

  81. LOCAL_ADMIN_PASSWORD_HASH=
    82. 

  82. LOCAL_ADMIN_NAME=Local Admin
    83.