nexgen_mirrors
d90a06437e
Add production-ready Docker setup with multi-stage Dockerfile, docker-compose orchestration for API, PostgreSQL, Redis, and Nginx services. Includes health checks, non-root user execution, and proper networking. - Add multi-stage Dockerfile with gunicorn/gevent workers - Add docker-compose.yml with api, db, redis, nginx services - Add nginx reverse proxy configuration with security headers - Update .env.example with Docker and production variables - Add email provider configuration (Mailgun, SendGrid) - Add requests dependency for HTTP client support - Update documentation with Docker deployment guide - Rebrand project name from Gatehouse to Secuird
147 lines
9.1 KiB
Bash
147 lines
9.1 KiB
Bash
FLASK_APP=manage.py
|
|
FLASK_ENV=development
|
|
FLASK_DEBUG=1
|
|
|
|
# ═════════════════════════════════════════════════════════════════════════════
|
|
# Docker / Production
|
|
# ═════════════════════════════════════════════════════════════════════════════
|
|
COMPOSE_PROJECT_NAME=authy2
|
|
FLASK_ENV=production
|
|
POSTGRES_USER=authy2
|
|
POSTGRES_PASSWORD=changeme-in-production
|
|
POSTGRES_DB=authy2
|
|
DATABASE_URL=postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB}
|
|
SQLALCHEMY_DATABASE_URI=${DATABASE_URL}
|
|
REDIS_URL=redis://redis:6379/0
|
|
SESSION_REDIS_URL=redis://redis:6379/0
|
|
RATELIMIT_STORAGE_URL=redis://redis:6379/1
|
|
HTTP_PORT=80
|
|
HTTPS_PORT=443
|
|
API_PORT=5000
|
|
|
|
# Database (overridden by Docker values above)
|
|
SQLALCHEMY_ECHO=False
|
|
SQLALCHEMY_LOG_LEVEL=WARNING
|
|
|
|
# Security / Encryption
|
|
SECRET_KEY=change-me-in-production
|
|
ENCRYPTION_KEY=change-me-in-production-32-bytes!!
|
|
# Used to encrypt SSH CA private keys stored in the database
|
|
CA_ENCRYPTION_KEY=change-me-in-production
|
|
BCRYPT_LOG_ROUNDS=12
|
|
|
|
# Session cookies
|
|
SESSION_COOKIE_SECURE=True
|
|
SESSION_COOKIE_SAMESITE=Lax
|
|
# Only needed when sharing cookies across subdomains (e.g. api.example.com + ui.example.com)
|
|
# SESSION_COOKIE_DOMAIN=example.com
|
|
MAX_SESSION_DURATION=86400
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# JWT
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
JWT_SECRET_KEY=change-me-in-production
|
|
JWT_ACCESS_TOKEN_EXPIRES=3600
|
|
JWT_REFRESH_TOKEN_EXPIRES=2592000
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Redis (session storage + rate limiting)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
REDIS_URL=redis://localhost:6379/0
|
|
SESSION_REDIS_URL=redis://localhost:6379/0
|
|
RATELIMIT_STORAGE_URL=redis://localhost:6379/1
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# CORS
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
CORS_ORIGINS=http://localhost:8080,http://localhost:5173
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Frontend / App URLs
|
|
# All three should point at the browser-facing SPA. They are used for:
|
|
# FRONTEND_URL → OAuth callback redirects after provider auth
|
|
# APP_URL → Password-reset and email-verify links in emails
|
|
# OIDC_UI_URL → OIDC /authorize redirects to the React consent/login UI
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
FRONTEND_URL=http://localhost:8080
|
|
APP_URL=http://localhost:8080
|
|
OIDC_UI_URL=http://localhost:8080
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# OIDC / OAuth issuer
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
OIDC_ISSUER_URL=http://localhost:5000
|
|
OIDC_BASE_URL=http://localhost:5000
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# WebAuthn
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
WEBAUTHN_RP_ID=localhost
|
|
WEBAUTHN_RP_NAME=Secuird
|
|
WEBAUTHN_ORIGIN=http://localhost:8080
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# SSH CA (pick one)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
SSH_CA_KEY_PATH=/path/to/ca-users
|
|
# SSH_CA_PRIVATE_KEY= # raw key content; takes priority over SSH_CA_KEY_PATH
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Email / SMTP
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
EMAIL_ENABLED=False
|
|
SMTP_HOST=smtp.gmail.com
|
|
SMTP_PORT=587
|
|
SMTP_USE_TLS=True
|
|
SMTP_USERNAME=
|
|
SMTP_PASSWORD=
|
|
FROM_ADDRESS=noreply@gatehouse.local
|
|
|
|
# Email Provider (smtp, mailgun, sendgrid)
|
|
# Note: SMTP is the default. Set to "mailgun" or "sendgrid" to use those providers
|
|
EMAIL_PROVIDER=smtp
|
|
|
|
# Mailgun Configuration (used when EMAIL_PROVIDER=mailgun)
|
|
# MAILGUN_API_KEY=your-mailgun-api-key
|
|
# MAILGUN_DOMAIN=mg.yourdomain.com
|
|
# MAILGUN_API_URL=https://api.mailgun.net/v3
|
|
|
|
# SendGrid Configuration (used when EMAIL_PROVIDER=sendgrid)
|
|
# SENDGRID_API_KEY=SG.your-sendgrid-api-key
|
|
# SENDGRID_FROM_EMAIL=noreply@yourdomain.com
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Logging
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
LOG_LEVEL=INFO
|
|
LOG_TO_STDOUT=True
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# Rate Limiting
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
RATELIMIT_ENABLED=True
|
|
# Per-endpoint auth limits (optional — defaults shown)
|
|
# RATELIMIT_AUTH_REGISTER=10 per minute; 50 per hour
|
|
# RATELIMIT_AUTH_LOGIN=20 per minute; 100 per hour
|
|
# RATELIMIT_AUTH_TOTP_VERIFY=20 per minute; 100 per hour
|
|
# RATELIMIT_AUTH_FORGOT_PASSWORD=5 per minute; 20 per hour
|
|
# RATELIMIT_AUTH_RESET_PASSWORD=10 per minute; 30 per hour
|
|
|
|
ZEROTIER_API_TOKEN=
|
|
ZEROTIER_API_URL=
|
|
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# OIDC token lifetimes & security (optional — defaults shown)
|
|
# ─────────────────────────────────────────────────────────────────────────────
|
|
# OIDC_ACCESS_TOKEN_LIFETIME=3600
|
|
# OIDC_REFRESH_TOKEN_LIFETIME=2592000
|
|
# OIDC_ID_TOKEN_LIFETIME=3600
|
|
# OIDC_AUTHORIZATION_CODE_LIFETIME=600
|
|
# OIDC_REQUIRE_PKCE=True
|
|
# OIDC_ALLOW_IMPLICIT_FLOW=False
|
|
# OIDC_KEY_ROTATION_DAYS=90
|
|
# OIDC_KEY_GRACE_PERIOD_DAYS=30
|
|
# OIDC_RATE_LIMIT_AUTHORIZE=10/minute
|
|
# OIDC_RATE_LIMIT_TOKEN=20/minute
|
|
# OIDC_RATE_LIMIT_USERINFO=60/minute
|