.env.example
# ── Basics ──
# Copy this file to `.env` and fill in real values. The populated `.env` holds
# SECRET_KEY, API keys and a bind password, so keep it out of version control.
# SECRET_KEY: replace the placeholder with a long random value before the first
# start — the value below is public. Presumably used to sign sessions/tokens,
# so rotating it logs everyone out — TODO confirm in the backend.
SECRET_KEY=change-me-to-random-string
# Bootstrap admin login. admin/admin is a well-known default — change ADMIN_PASS
# before the service is reachable by anyone but you.
# NOTE(review): cannot tell from this file whether these are read only on first
# run or on every start — confirm in the backend before relying on a later edit.
ADMIN_USER=admin
ADMIN_PASS=admin
# ── Paths ──
# Resolved relative to the process cwd (repo root for `make dev-backend`).
# Docker overrides these to /app/data/... in docker-compose.yml.
DATA_DIR=./backend/data
DB_PATH=./backend/data/just-wiki.db
MEDIA_DIR=./backend/data/media
# ── Security ──
# COOKIE_SECURE=false lets the session cookie be sent over plain HTTP; only
# acceptable for local development.
# NOTE(review): the trailing `# ...` on the next line is kept as part of the
# value by some dotenv loaders — confirm the loader used here strips it, or
# move that comment onto its own line.
COOKIE_SECURE=false # Set to true in production with HTTPS
# Extra origins allowed for CSRF/CORS (comma-separated). localhost:5173 and
# localhost:3000 are always allowed. Set your public URL here in prod.
ALLOWED_ORIGINS=
# Trust X-Forwarded-For from a reverse proxy when computing rate-limit keys.
# The shipped docker-compose runs nginx in front of the backend and sets this
# to true via the compose env block; only enable here if you put a different
# trusted proxy in front. Leaving this off behind a proxy collapses every
# client to the proxy's IP.
# Conversely, only enable it when the backend is reachable solely through that
# proxy: a directly reachable backend would accept a client-supplied header and
# the per-client rate limit would no longer mean anything.
TRUST_PROXY=false
# ── Anonymous Read (Demo / Public Wiki Mode) ──
# When true, visitors without a valid session are treated as a synthetic
# "guest" viewer (role=viewer) instead of being redirected to /login.
# They can browse the page tree, search, graph, recent activity, and any
# page whose ACL chain has no anchor (the open-default set). Writes,
# personal endpoints (bookmarks, watch, comments POST, profile, tokens),
# AI chat, and admin endpoints all stay login-required.
# Default off so existing private deployments are unaffected.
# Before enabling on an internet-facing instance, review which pages fall into
# the open-default set — everything without an ACL anchor becomes public.
ANONYMOUS_READ=false
# ── AI Chat (optional) ──
# Defaults target Gemini. Get an API key at https://aistudio.google.com/apikey
# Any OpenAI-compatible provider works — just change AI_BASE_URL + AI_MODEL.
# AI_API_KEY is a secret: set it only in the untracked `.env` (or the
# deployment's secret store), never in this example file.
# Page excerpts (up to AI_MAX_CONTEXT_PAGES × AI_EXCERPT_CHARS characters) are
# sent to the configured provider, so pick a provider you are allowed to share
# wiki content with; AI_RATE_LIMIT_PER_HOUR bounds the number of requests
# (per what key — user or client — is not visible here; confirm in the backend).
AI_ENABLED=false
AI_BASE_URL=https://generativelanguage.googleapis.com/v1beta/openai
AI_API_KEY=
AI_MODEL=gemini-2.0-flash
AI_MAX_CONTEXT_PAGES=5
AI_EXCERPT_CHARS=1500
AI_RATE_LIMIT_PER_HOUR=20
# Other providers:
# OpenAI: AI_BASE_URL=https://api.openai.com/v1 AI_MODEL=gpt-4o-mini
# Ollama: AI_BASE_URL=http://localhost:11434/v1 AI_API_KEY=ollama AI_MODEL=llama3.1
# Groq: AI_BASE_URL=https://api.groq.com/openai/v1 AI_MODEL=llama-3.3-70b-versatile
# DeepSeek: AI_BASE_URL=https://api.deepseek.com AI_MODEL=deepseek-chat
# ── OIDC / OAuth SSO (optional) ──
# Public URL the browser can reach — used to build OIDC redirect_uri.
# It must match the redirect URI registered at each provider exactly (scheme,
# host, port, path), and should be https:// for anything other than localhost
# since the authorization code is delivered to this URL.
# Non-docker dev (Vite proxy): set PUBLIC_BASE_URL=http://localhost:5173
# Plain `make dev-backend`: leave as http://localhost:8000
# Docker: ignore this — compose hardcodes
# http://localhost:3000. Override the docker
# value with PUBLIC_BASE_URL_DOCKER below.
# Prod behind your domain: set PUBLIC_BASE_URL_DOCKER=https://wiki.example.com
PUBLIC_BASE_URL=http://localhost:8000
# PUBLIC_BASE_URL_DOCKER=https://wiki.example.com
OIDC_ENABLED=false
# Comma-separated. Only providers listed here AND with a client_id+secret below are offered.
OIDC_PROVIDERS=google,github,generic
# Who can sign in (any rule that is set must pass):
# invitation-only (default): admin pre-creates user via Admin → Invite (SSO).
# Set OIDC_ALLOW_SIGNUP=true to auto-create on first login (still gated by rules below).
# If you enable signup, set at least one of OIDC_ALLOWED_EMAILS /
# OIDC_ALLOWED_EMAIL_DOMAINS / OIDC_REQUIRED_GROUPS — with all three empty
# nothing in this file restricts which provider accounts get created, and
# each new account receives OIDC_DEFAULT_ROLE (editor = write access).
OIDC_ALLOW_SIGNUP=false
OIDC_ALLOWED_EMAILS=
OIDC_ALLOWED_EMAIL_DOMAINS=
OIDC_REQUIRED_GROUPS=
OIDC_DEFAULT_ROLE=editor
# Google
# Redirect URI to register in Google Cloud Console:
# {PUBLIC_BASE_URL}/api/auth/oauth/google/callback
OIDC_GOOGLE_CLIENT_ID=
OIDC_GOOGLE_CLIENT_SECRET=
OIDC_GOOGLE_DISCOVERY=https://accounts.google.com/.well-known/openid-configuration
# GitHub — OAuth2 (not OIDC). The app needs `user:email` scope to read the
# primary email when it's set to private in GitHub settings.
# Redirect URI: {PUBLIC_BASE_URL}/api/auth/oauth/github/callback
OIDC_GITHUB_CLIENT_ID=
OIDC_GITHUB_CLIENT_SECRET=
# Generic OIDC — Keycloak, Authentik, Okta, Auth0, any compliant provider.
# Redirect URI: {PUBLIC_BASE_URL}/api/auth/oauth/generic/callback
# Use an https:// discovery URL: the client secret and tokens are exchanged
# with whatever endpoints that document advertises.
OIDC_GENERIC_NAME=Company SSO
OIDC_GENERIC_CLIENT_ID=
OIDC_GENERIC_CLIENT_SECRET=
OIDC_GENERIC_DISCOVERY=
# ── LDAP / Active Directory (optional) ──
LDAP_ENABLED=false
# Must be ldaps:// — plain ldap:// is rejected to avoid sending passwords in clear.
LDAP_SERVER=ldaps://ldap.example.com
# Keep LDAP_TLS_VERIFY=true outside local testing; false presumably skips server
# certificate validation (confirm in the LDAP client setup), which would undo
# the ldaps:// requirement above.
LDAP_TLS_VERIFY=true
# Service account used for the user search. LDAP_BIND_PASSWORD is a secret —
# give the account read-only rights and set the value only in the untracked `.env`.
LDAP_BIND_DN=cn=svc-wiki,ou=services,dc=example,dc=com
LDAP_BIND_PASSWORD=
LDAP_USER_BASE=ou=people,dc=example,dc=com
# {username} is replaced with the name typed at login. NOTE(review): the
# backend must RFC 4515-escape that value before substituting it into the
# filter — confirm in the LDAP auth code; a raw substitution would let the
# login input change the filter's meaning.
LDAP_USER_FILTER=(&(objectClass=person)(uid={username}))
LDAP_ATTR_EMAIL=mail
LDAP_ATTR_DISPLAY_NAME=displayName
# Role given to accounts created via LDAP login (editor = write access).
LDAP_DEFAULT_ROLE=editor
# Group sync (optional)
# {user_dn} in LDAP_GROUP_FILTER is the DN found by the user search above.
# LDAP_ADMIN_GROUPS: groups whose members presumably get the admin role when
# LDAP_SYNC_GROUPS=true; comma-separated by analogy with OIDC_PROVIDERS —
# confirm both in the backend.
LDAP_SYNC_GROUPS=false
LDAP_GROUP_BASE=ou=groups,dc=example,dc=com
LDAP_GROUP_FILTER=(&(objectClass=groupOfNames)(member={user_dn}))
LDAP_ADMIN_GROUPS=wiki-admins