-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path.env.selfhost.example
More file actions
91 lines (78 loc) · 4.86 KB
/
Copy path.env.selfhost.example
File metadata and controls
91 lines (78 loc) · 4.86 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# Copy to .env.selfhost or run scripts/install-selfhost.sh to generate one.
# The installer writes real secrets and refuses to overwrite an existing file.
#
# NOTE: `docker compose up` does NOT auto-load .env.selfhost (Compose only
# auto-loads a file literally named .env). Bring the stack up with the
# installer, or pass the file explicitly — and use the same --project-name the
# installer/scripts use, or the stack runs under a different project (separate
# volumes) than backup/restore/upgrade expect:
# docker compose --project-name codemagic-patch-selfhost --env-file .env.selfhost -f docker-compose.selfhost.yml up -d
CODEMAGIC_PATCH_API_DOMAIN=updates.example.com
CODEMAGIC_PATCH_STORAGE_DOMAIN=storage.updates.example.com
ACME_EMAIL=admin@example.com
SERVER_URL=https://updates.example.com
PUBLIC_BASE_URL=https://storage.updates.example.com/codemagic-patch
CODEMAGIC_PATCH_SERVER_IMAGE=codemagic-patch-server:selfhost
# Caddy image bundling the web dashboard; pin to a previous image to roll back.
CODEMAGIC_PATCH_CADDY_IMAGE=codemagic-patch-caddy:selfhost
# ── SECRETS ──────────────────────────────────────────────────────────────────
# Every REPLACE_ME_* value below MUST be replaced before you start the stack.
# These are placeholders, NOT usable defaults: this file is committed to the
# public repo, so a verbatim copy would run with publicly-known secrets.
# `scripts/install-selfhost.sh` generates strong random values for you — only set
# these by hand if you are not using the installer. As a guard against forgetting,
# the server REFUSES TO BOOT while WORKER_SHARED_SECRET or
# OAUTH_DEVICE_POLL_TOKEN_SECRET are shorter than 32 chars (the placeholders are),
# so a verbatim copy fails fast instead of running with a known secret.
POSTGRES_DB=codemagic_patch
POSTGRES_USER=codemagic_patch
POSTGRES_PASSWORD=REPLACE_ME_postgres_password
MINIO_ROOT_USER=codemagicpatchminio
MINIO_ROOT_PASSWORD=REPLACE_ME_minio_password
WORKER_SHARED_SECRET=REPLACE_ME_worker_secret
MODE=all
RUN_MIGRATIONS=true
LOGGER=true
STORAGE_ADAPTER=s3
S3_REGION=us-east-1
S3_FORCE_PATH_STYLE=true
MANIFEST_CACHE_CONTROL="no-cache, must-revalidate"
# Delivery / CDN. Default (base-url): clients fetch artifacts straight from
# PUBLIC_BASE_URL. Set DELIVERY_ADAPTER=cloudflare to front the storage domain
# with Cloudflare (proxy that same domain) and have the server purge the edge
# cache after each release. When enabled, CLOUDFLARE_API_TOKEN (an API Token
# scoped to Zone > Cache Purge — NOT the legacy Global API Key) and
# CLOUDFLARE_ZONE_ID (the zone containing the storage domain) are REQUIRED;
# CLOUDFLARE_API_BASE_URL is an optional override.
# DELIVERY_ADAPTER=cloudflare
# CLOUDFLARE_API_TOKEN=REPLACE_ME_cloudflare_cache_purge_token
# CLOUDFLARE_ZONE_ID=REPLACE_ME_cloudflare_zone_id
# CLOUDFLARE_API_BASE_URL=https://api.cloudflare.com/client/v4
# GitHub OAuth — REQUIRED. The server refuses to boot without it. One OAuth App
# serves both sign-in paths: the CLI device flow (`cmpatch login`; enable
# "Device Flow" on the app) and the web dashboard sign-in, which ALSO needs an
# Authorization callback URL of https://<API domain>/auth/callback plus a
# client secret generated on the same OAuth App.
# OAUTH_DEVICE_POLL_TOKEN_SECRET is a local random secret (at least 32 chars).
GITHUB_OAUTH_CLIENT_ID=Iv1.0123456789abcdef
GITHUB_OAUTH_CLIENT_SECRET=REPLACE_ME_github_client_secret
OAUTH_DEVICE_POLL_TOKEN_SECRET=REPLACE_ME_oauth_poll_secret
GITHUB_OAUTH_SCOPES="read:user user:email"
# Optional server-side hardening: allowlist for the web flow's redirect URI
# (comma-separated exact matches). Left unset (the default below), the check is
# skipped and web sign-in works. `scripts/install-selfhost.sh` sets this to your
# API domain for you. If you enable it by hand, the value MUST exactly match the
# callback the dashboard sends — https://<your API domain>/auth/callback — or web
# sign-in fails with an opaque `invalid_grant`. Replace updates.example.com first.
# GITHUB_OAUTH_ALLOWED_REDIRECT_URIS=https://updates.example.com/auth/callback
# Comma-separated allowlist of admin emails. Under invite-only registration,
# these emails may create their account on first GitHub sign-in (the rest need a
# pending invitation). Each must match the verified primary email of the admin's
# GitHub account. Required under invite-only registration: the server refuses
# to start without it, since otherwise no one could ever sign in.
INITIAL_ADMIN_EMAILS=admin@example.com
# Account registration mode. Defaults to invite_only: a GitHub sign-in only
# creates an account if the email is in INITIAL_ADMIN_EMAILS or has a pending team
# invitation. Set to "open" to let any verified GitHub user self-register. Does
# not affect admin-driven `member provision` / `member invite`.
# REGISTRATION_MODE=invite_only