.env.example
# Arcane Environment Configuration
# Copy this file to .env and customize the values for your production setup
# Generate secure values with: openssl rand -base64 32

# Application Settings
GIN_MODE=release
ENVIRONMENT=production
PORT=3552
APP_URL=https://your-domain.com

# Optional direct TLS server mode (HTTP/2 over TLS)
# Leave disabled when running behind a reverse proxy that terminates TLS.
# TLS_ENABLED=false
# TLS_CERT_FILE=/path/to/fullchain.pem
# TLS_KEY_FILE=/path/to/privkey.pem

# Optional runtime UID/GID for published Docker images.
# When both are set, Arcane will run as that UID/GID and files it writes under
# /app/data will be owned by that user inside the container.
# Leave both unset to keep the current default runtime behavior.
# PUID=1000
# PGID=1000

# File and Directory Permissions (Octal)
# Default: 0644 for files, 0755 for directories
# FILE_PERM=0644
# DIR_PERM=0755

# Security Settings
# IMPORTANT: Generate unique values for production!
ENCRYPTION_KEY=your-32-char-encryption-key-here
JWT_SECRET=your-super-secret-jwt-key-change-this

# Optional: bootstrap a deterministic admin API key for IaC workflows (supports _FILE / __FILE variants)
# ADMIN_STATIC_API_KEY=arc_your_deterministic_admin_api_key

# JWT refresh token expiry duration (default: 168h = 7 days). Accepts Go duration format (e.g., 72h, 720h, 8760h).
# JWT_REFRESH_EXPIRY=168h

# Database Configuration
DATABASE_URL=file:data/arcane.db?_pragma=journal_mode(WAL)&_pragma=busy_timeout(2500)&_txlock=immediate

# Downgrades are blocked by default; enable only temporarily after taking a backup.
ALLOW_DOWNGRADE=false

# Optional: GitHub API token used for downgrade migration fetches to avoid rate limits.
# GITHUB_TOKEN=ghp_your_token_here

# Docker Configuration
# DOCKER_HOST=unix:///var/run/docker.sock # Default: direct socket access
# DOCKER_HOST=tcp://docker-socket-proxy:2375 # Example: via socket proxy for enhanced security

# Trivy scan container security options (optional, useful on SELinux hosts)
# Separate multiple entries with commas or new lines, for example: label=disable,label=type:container_runtime_t
# TRIVY_SECURITY_OPTS=label=disable

# Run Trivy scan containers in privileged mode only when security options alone are not enough
# TRIVY_PRIVILEGED=false

# Agent Configuration (optional)
# AGENT_MODE=true
# AGENT_TOKEN=api-token
# ============================================================================
# AUTO-LOGIN CONFIGURATION - FOR DEVELOPMENT/TESTING ONLY
# ============================================================================
# WARNING: Do NOT enable auto-login in production environments!
# This feature automatically logs in users without requiring credentials,
# which is a significant security risk if exposed publicly.
#
# Use cases:
# - Local development environments
# - Automated testing (e.g., Playwright E2E tests)
# - Demo environments with restricted network access
#
# When enabled, the frontend will automatically authenticate using the
# configured credentials on application startup (once per session).
# ============================================================================
# AUTO_LOGIN_ENABLE=false
# AUTO_LOGIN_USERNAME=arcane
# AUTO_LOGIN_PASSWORD=arcane-admin
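
A pre-deployment check for a `.env` copied from this template, as an added example that is not part of the Arcane repository: it flags secrets still holding the template's placeholder text and the switches the comments above warn about. The function names, the sample file, and the rule that any value other than empty, `false` or `0` counts as enabled are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Arcane repository. Assumes plain KEY=value
# lines (no quotes, no trailing comments), as in the template above.

# Print the last uncommented value assigned to KEY ($1) in FILE ($2).
env_get() {
    sed -n "s/^[[:space:]]*$1=//p" "$2" | tail -n 1
}

# Print one finding per line for FILE ($1); return 1 if anything was found.
lint_env() {
    n=0
    # Secrets must be set and must not be the template text ("your-...").
    for key in ENCRYPTION_KEY JWT_SECRET; do
        case $(env_get "$key" "$1") in
            '' | your-*) echo "$key: unset or template placeholder"; n=$((n + 1)) ;;
        esac
    done
    case $(env_get ADMIN_STATIC_API_KEY "$1") in
        arc_your_*) echo "ADMIN_STATIC_API_KEY: template placeholder"; n=$((n + 1)) ;;
    esac
    # Switches the template warns about: auto-login, downgrades, and
    # privileged scan containers.
    # Assumption: any value other than empty/false/0 may count as enabled.
    for key in AUTO_LOGIN_ENABLE ALLOW_DOWNGRADE TRIVY_PRIVILEGED; do
        case $(env_get "$key" "$1") in
            '' | false | FALSE | 0) ;;
            *) echo "$key: enabled, review before production"; n=$((n + 1)) ;;
        esac
    done
    [ "$n" -eq 0 ]
}

# Constructed sample: one placeholder left in place, auto-login switched on.
sample_env() {
    cat <<'EOF'
ENCRYPTION_KEY=your-32-char-encryption-key-here
JWT_SECRET=constructed-demo-value-not-a-real-secret
# ADMIN_STATIC_API_KEY=arc_your_deterministic_admin_api_key
ALLOW_DOWNGRADE=false
AUTO_LOGIN_ENABLE=true
EOF
}

tmp=$(mktemp)
sample_env > "$tmp"
lint_env "$tmp" || true   # reports ENCRYPTION_KEY and AUTO_LOGIN_ENABLE
rm -f "$tmp"
```

Run `lint_env /path/to/.env` as a deploy gate; its non-zero exit status on any finding lets a CI step fail before the container starts.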