# =============================================================================
# SimpleAuth — Environment Variables
# =============================================================================
# Copy to .env and customize. Used by docker-compose.yml and direct deployment.
# The filled-in .env holds secrets (admin key, client secret): keep it out of
# version control and restrict its file permissions on the host.
#
# Usage:
# cp .env.example .env
# # Edit .env with your values
# docker compose --profile full up -d
# =============================================================================
# --- Required ----------------------------------------------------------------
# Master admin API key — shared between SimpleAuth and your app
# Generate one: openssl rand -hex 16
# (16 random bytes = 128 bits, written as 32 hex characters.) Treat it as a
# root credential: rotate it if it is ever logged, pasted or committed.
AUTH_ADMIN_KEY=
# FQDN that clients use to access SimpleAuth (used in TLS SANs, Kerberos SPN)
# Must be the name clients actually connect with — TLS hostname validation and
# Kerberos SPN lookups both depend on it.
AUTH_HOSTNAME=auth.corp.local
# --- Identity ----------------------------------------------------------------
# Deployment name (1-6 letters, used in AD service account: svc-sauth-{name})
AUTH_DEPLOYMENT_NAME=sauth
# JWT issuer claim / OIDC realm name
# Full OIDC issuer URL: https://{hostname}:{port}/realms/{jwt_issuer}
# Relying parties typically validate `iss` against this value, so change it
# only with a coordinated rollout.
AUTH_JWT_ISSUER=simpleauth
# --- Networking --------------------------------------------------------------
# Main listen port
AUTH_PORT=8080
# HTTP redirect port (set to "" to disable)
AUTH_HTTP_PORT=
# Disable TLS (set to "true" when behind nginx/Traefik/Caddy)
# NOTE: this example ships with TLS off. Keep "true" only when a reverse proxy
# terminates TLS in front of SimpleAuth and the hop between them is on a
# trusted network; otherwise tokens and the admin key travel in plaintext.
AUTH_TLS_DISABLED=true
# Trusted proxy CIDRs — only trust X-Forwarded-For from these networks
# Docker defaults: 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16
# Narrow this to the proxy's actual address(es) where possible: any host in a
# trusted range can set X-Forwarded-For, and the client IP derived from it is
# what the per-IP rate limiting (AUTH_RATE_LIMIT_*) keys on.
AUTH_TRUSTED_PROXIES=172.16.0.0/12,10.0.0.0/8,192.168.0.0/16
# Base path prefix for sub-path mounting behind reverse proxy (e.g., "/auth")
# Leave empty when SimpleAuth is at the root path (default)
# AUTH_BASE_PATH=
# --- JWT Lifetimes -----------------------------------------------------------
# Access token TTL (Go duration format: 30m, 8h, 24h)
# Shorter is safer: a leaked access token stays usable until it expires.
AUTH_JWT_ACCESS_TTL=8h
# Refresh token TTL (default 30 days)
AUTH_JWT_REFRESH_TTL=720h
# Impersonation token TTL
# Keep this short — an impersonation token presumably acts with another
# user's privileges.
AUTH_IMPERSONATE_TTL=1h
# --- OIDC Client -------------------------------------------------------------
# Client credentials for your application
AUTH_CLIENT_ID=simpleauth
# Generate like the admin key (openssl rand -hex 16); never reuse the admin key.
AUTH_CLIENT_SECRET=
# Allowed redirect URIs (comma-separated)
# Register exact URIs (scheme, host, port, path); loose redirect matching is a
# classic way for authorization codes to leak. Whether matching here is exact
# or prefix-based is not stated in this file — confirm before relying on it.
AUTH_REDIRECT_URIS=
# --- TLS (only needed when AUTH_TLS_DISABLED is not "true") ------------------
# Paths to TLS certificate and key (auto-generated if empty)
# An auto-generated certificate is presumably self-signed and will not be
# trusted by clients without distribution; use a CA-issued cert beyond local
# testing.
# AUTH_TLS_CERT=/data/tls.crt
# AUTH_TLS_KEY=/data/tls.key
# --- Kerberos / SPNEGO (optional) -------------------------------------------
# The keytab is a long-lived credential for the service account and lives
# under AUTH_DATA_DIR — protect that directory's permissions accordingly.
# AUTH_KRB5_KEYTAB=/data/krb5.keytab
# AUTH_KRB5_REALM=CORP.LOCAL
# --- Security ----------------------------------------------------------------
# Rate limiting: max attempts per IP within the window
# Effective only if the client IP is attributed correctly — see
# AUTH_TRUSTED_PROXIES.
AUTH_RATE_LIMIT_MAX=10
AUTH_RATE_LIMIT_WINDOW=1m
# Audit log retention (default 90 days)
# Align with your incident-response / compliance retention requirement.
AUTH_AUDIT_RETENTION=2160h
# CORS origins (comma-separated, or "*" for all)
# Avoid "*" in production: list only the origins that legitimately call the API.
AUTH_CORS_ORIGINS=
# Default roles for new users (comma-separated)
# Least privilege: grant only what every new account genuinely needs.
AUTH_DEFAULT_ROLES=
# --- Data --------------------------------------------------------------------
# Data directory (database, certs, keytabs)
# Holds the database and private key material — back it up and restrict access.
AUTH_DATA_DIR=/data
# --- Docker-specific ---------------------------------------------------------
# Host port mapping for SimpleAuth container
# (host side; the container itself presumably listens on AUTH_PORT)
SIMPLEAUTH_PORT=8080
# Build version tag
# Pin an explicit tag in production; "latest" is not reproducible and can pull
# an unreviewed build on redeploy.
VERSION=latest