sciagent/.env.example
Thinh Lam 688fac73e9
CI/CD / backend (push) Failing after 2m8s
CI/CD / frontend (push) Failing after 1m40s
CI/CD / deploy (push) Has been skipped
sciagent code + Gitea Actions CI/CD
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-30 09:38:30 +07:00

# ============================================================
# Production / docker-compose.prod.yml
# -----------------------------------------------------------
# 1. Copy: cp .env.example .env
# 2. Fill every value below (never commit .env — it is gitignored).
# 3. Prefer strong random secrets:
# openssl rand -base64 32
#
# Before deploy: ./scripts/verify-prod-env.sh
# Full deploy: ./scripts/deploy-prod.sh
# Stack map (FE→BE→DB→MinIO): docs/deploy-stack-overview.md
# Postgres / volume quirks: docs/deploy-production-docker.md
#
# If .env was ever committed to git, rotate ALL secrets below.
# ============================================================
# Public hostname or IP that browsers use to reach this machine.
PUBLIC_HOST=your-public-hostname-or-ip.example.com
FE_PORT=8081
# Optional: admin/council SPA port. Bound to 127.0.0.1 only in docker-compose.prod.yml
# (reach it via SSH tunnel or an authenticated reverse-proxy vhost). Defaults to 8082.
# FE_ADMIN_PORT=8082
# Optional: principal-investigator SPA port (research proposals + project cockpit). Defaults to 8083.
# FE_INV_PORT=8083
# Optional: publisher SPA port (research-result publication). Defaults to 8084.
# FE_PUB_PORT=8084
# Optional: extra CORS Allowed-Origins for be0 (comma-separated, no spaces). Production compose sets
# CORS_ORIGINS to http://${PUBLIC_HOST}:${FE_PORT} plus these extras automatically.
# CORS_ORIGINS_EXTRA=https://app.example.com,http://internal:8081
MINIO_API_PORT=19000
MINIO_CONSOLE_PORT=19001
MINIO_ROOT_USER=minio_root_change_me
MINIO_ROOT_PASSWORD=replace_with_long_random_secret
# --- HTTPS for MinIO presigned URLs (required if the SPA is https://…) ------------
# Mixed content blocks http://PUBLIC_HOST:19000 embedded from an HTTPS UI. Options:
# A) Proxied viewer only (already in-app) — no change needed for preview.
# B) HTTPS for direct MinIO links (iframe / “open presigned URL”) — put TLS in front
# of the S3 API port and align these with that public URL. See docs/minio-behind-https.md .
# Example subdomain (recommended):
# S3_PUBLIC_ENDPOINT_URL=https://minio-api.your-domain.com
# MINIO_SERVER_URL=https://minio-api.your-domain.com
# Optionally point the console at HTTPS too:
# MINIO_BROWSER_REDIRECT_URL=https://minio-console.your-domain.com
# If omitted, Compose keeps using http://${PUBLIC_HOST}:${MINIO_API_PORT} for both.
# Username + password are fixed the first time the Postgres volume is created (see comment below).
# Identifier only (letters, digits, underscore) — avoids URL / healthcheck pitfalls.
POSTGRES_USER=postgres_app_user
POSTGRES_PASSWORD=replace_with_long_random_secret
# Optional: used only by scripts/sync-postgres-app-password.sh when the app role is not a superuser,
# i.e. ALTER ROLE must be run as a different DB superuser (e.g. postgres).
# POSTGRES_SUPERUSER=postgres
# Database name created on first init (normally keep "initiatives").
POSTGRES_DB=initiatives
# --- Auth (required for production) ------------------------------------------------
# Generate: openssl rand -base64 48
JWT_SECRET=replace_with_openssl_rand_base64_48
# MinIO browser CORS — your public SPA origin (scheme + host, no trailing slash).
MINIO_API_CORS_ALLOW_ORIGIN=https://www.example.com
# Postgres password caveat:
# Changing POSTGRES_USER/POSTGRES_PASSWORD here later does NOT change an existing Docker volume —
# the image only reads them when /var/lib/postgresql/data is empty. If login fails after editing .env:
# • Use the same password as on first boot (e.g. the dev stack used initiative / initiative_secret), or
# • With docker-compose.prod.yml stopped: docker volume rm …_initiative_pg_data (… is the Compose
# project name) and bring the stack up again (drops the whole DB), or
# • Run ./scripts/sync-postgres-app-password.sh to set the DB role password from this file (no wipe).
# ---------------------------------------------------------------------------
# SMTP — outbound mail from be0 (registration OTP, password reset)
# ---------------------------------------------------------------------------
# docker-compose / docker-compose.prod passes these into the be0 container.
# Compose substitutes ${SMTP_*} from THIS file (repo-root `.env`), not from be0/.env alone.
# Omit AUTH_MAIL_LOG_ONLY (or set 0/false) when using real SMTP.
#
# SMTP_HOST=smtp.your-mail-provider.com
# SMTP_PORT=587
# SMTP_USER=your_smtp_username
# SMTP_PASSWORD=your_smtp_password
# AUTH_MAIL_FROM=noreply@your-institution.edu.vn
# SMTP_USE_TLS=1
#
# Public URL of the web app (password-reset / verify links in email). Production example:
# AUTH_PUBLIC_WEB_ORIGIN=https://your-app.example.com
#
# Dev-only: print OTP in be0 logs instead of sending mail
# AUTH_MAIL_LOG_ONLY=1
#
# Microsoft 365 / Outlook (smtp.office365.com), log shows 535 Authentication unsuccessful:
# • SMTP_USER = the full mailbox address; SMTP_PASSWORD = an app password when MFA is enabled
# (not the normal web-login password unless basic auth is allowed; many tenants require app passwords).
# • Exchange admin: enable "Authenticated SMTP" for the mailbox; security defaults may block SMTP AUTH.
# • After editing .env: docker compose up -d be0 (so the container reloads env).
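The header of this file says to run ./scripts/verify-prod-env.sh before deploying, but that script is not shown here. The checker below is an added example, written for this page and not the project's own script, of the checks a reviewer would want that step to perform against a filled-in .env: placeholder values left over from this template, the required keys, secret length floors, the identifier rule for POSTGRES_USER, the bare-origin rule for MINIO_API_CORS_ALLOW_ORIGIN, the mixed-content trap for S3_PUBLIC_ENDPOINT_URL, the dev-only AUTH_MAIL_LOG_ONLY switch, and port sanity. It also implements the rotation rule from the header (if .env was ever committed, rotate everything) by looking for the file in git history. The script name, the list of required keys and the length floors (32 chars for JWT_SECRET, 16 for passwords) are this example's assumptions; the sample files in the usage note are constructed.

```shell
#!/bin/sh
# check-env.sh (hypothetical name; not the repo's scripts/verify-prod-env.sh).
# Usage: ./check-env.sh .env   -> prints every finding and exits 1, or exits 0 when clean.

# KEY=VALUE lines of FILE, comments and blank lines dropped.
env_pairs() {
  grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1"
}

# Value of KEY in FILE; last assignment wins, empty string when unset.
env_get() {
  env_pairs "$1" | awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }'
}

nfail=0
note() { echo "$1"; nfail=$((nfail + 1)); }

# check_env FILE: prints one finding per line; returns 1 if any, 0 if clean.
check_env() {
  f="$1"
  nfail=0

  # 1. Values still carrying the placeholders used in .env.example.
  for k in $(env_pairs "$f" | grep -iE '=.*(replace_with|change_me|your-|example\.com)' | cut -d= -f1 || true); do
    note "placeholder value: $k"
  done

  # 2. Keys the production compose file cannot run without (this list is an assumption).
  for k in PUBLIC_HOST FE_PORT MINIO_ROOT_USER MINIO_ROOT_PASSWORD POSTGRES_USER \
           POSTGRES_PASSWORD POSTGRES_DB JWT_SECRET MINIO_API_CORS_ALLOW_ORIGIN; do
    [ -n "$(env_get "$f" "$k")" ] || note "missing or empty: $k"
  done

  # 3. Length floors (assumed: 32 for JWT_SECRET, 16 for passwords; the header's
  #    openssl commands yield 64 and 44 base64 chars, so real values clear these easily).
  v=$(env_get "$f" JWT_SECRET)
  [ -z "$v" ] || [ ${#v} -ge 32 ] || note "JWT_SECRET shorter than 32 chars"
  for k in MINIO_ROOT_PASSWORD POSTGRES_PASSWORD; do
    v=$(env_get "$f" "$k")
    [ -z "$v" ] || [ ${#v} -ge 16 ] || note "$k shorter than 16 chars"
  done

  # 4. POSTGRES_USER must be a plain identifier (letters, digits, underscore), as the template says.
  v=$(env_get "$f" POSTGRES_USER)
  [ -z "$v" ] || printf '%s' "$v" | grep -qE '^[A-Za-z_][A-Za-z0-9_]*$' || note "POSTGRES_USER is not an identifier: $v"

  # 5. Browser CORS origin: scheme + host (+ optional port), no path, no trailing slash.
  spa=$(env_get "$f" MINIO_API_CORS_ALLOW_ORIGIN)
  [ -z "$spa" ] || printf '%s' "$spa" | grep -qE '^https?://[^/]+$' || note "MINIO_API_CORS_ALLOW_ORIGIN is not a bare origin: $spa"

  # 6. Mixed content: an https SPA cannot embed a plain-http MinIO endpoint (unset is fine: option A).
  s3=$(env_get "$f" S3_PUBLIC_ENDPOINT_URL)
  case "$spa" in
    https://*) [ -z "$s3" ] || printf '%s' "$s3" | grep -q '^https://' || note "S3_PUBLIC_ENDPOINT_URL is http while the SPA is https (mixed content)" ;;
  esac

  # 7. The dev-only log switch must be off: with it on, OTPs and reset codes land in be0 logs.
  v=$(env_get "$f" AUTH_MAIL_LOG_ONLY)
  printf '%s' "$v" | grep -qiE '^(1|true|yes)$' && note "AUTH_MAIL_LOG_ONLY is on: OTPs go to be0 logs instead of mail"

  # 8. Ports are numbers in 1..65535.
  for k in FE_PORT FE_ADMIN_PORT FE_INV_PORT FE_PUB_PORT MINIO_API_PORT MINIO_CONSOLE_PORT; do
    v=$(env_get "$f" "$k")
    [ -z "$v" ] || { printf '%s' "$v" | grep -qE '^[0-9]{1,5}$' && [ "$v" -ge 1 ] && [ "$v" -le 65535 ]; } || note "invalid port: $k=$v"
  done

  [ "$nfail" -eq 0 ]
}

# env_in_git_history FILE: 0 if any commit on any branch ever touched FILE.
# The header's rule: if that is true for .env, rotate every secret in it. Silent outside a repo.
env_in_git_history() {
  command -v git >/dev/null 2>&1 || return 1
  git rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 1
  [ -n "$(git log --all --oneline -- "$1" 2>/dev/null)" ]
}

# Run as a script: ./check-env.sh .env
if [ $# -gt 0 ]; then
  env_in_git_history "$1" && echo "WARNING: $1 appears in git history; rotate ALL secrets" >&2
  check_env "$1"
  exit $?
fi
```

Running it against an untouched copy of this template reports every placeholder key, a hyphenated POSTGRES_USER, a CORS origin with a trailing slash, an http S3_PUBLIC_ENDPOINT_URL next to an https SPA, AUTH_MAIL_LOG_ONLY=1 and any out-of-range port; against a properly filled file it prints nothing and exits 0, which is the state ./scripts/deploy-prod.sh should require.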