web-app-launcher/.env.example
alexei.dolgolyov 555ac9ea63 feat(backup): tar.gz format with uploads + manifest, restore guard
- New tar.gz backup format bundling SQLite snapshot + uploads tree + manifest.json (version, app+schema versions, checksums, dbSize)
- BACKUPS_DIR env override; defaults to /app/data/backups in prod, <cwd>/data/backups in dev (matches uploads convention)
- 503 guard in hooks.server.ts while restore is mid-flight (DB file is being swapped); excludes static assets + /api/health; sets Retry-After: 15
- Legacy .db restore still supported (DB-only)
- Restore endpoint adds schema-mismatch detection + force flag; download/schedule endpoints updated
- 256 MiB free-disk safety margin before backup
- tar dep added to package.json; 18 new backupService tests
- i18n labels (en + ru) for new restore/format states
2026-05-28 14:39:24 +03:00


# --- Database ---
DATABASE_URL="file:../data/launcher.db"
# --- Authentication (REQUIRED) ---
# Generate a strong secret with: openssl rand -hex 32
# The server refuses to start with placeholder or short values (< 32 chars).
JWT_SECRET=""
JWT_EXPIRY="15m"
REFRESH_TOKEN_EXPIRY="7d"
# --- Integration credential encryption (REQUIRED if any integration is configured) ---
# Must be DIFFERENT from JWT_SECRET so rotating one does not invalidate the other.
# Generate a strong secret with: openssl rand -hex 32
INTEGRATION_ENCRYPTION_KEY=""
# --- Application ---
APP_PORT=3000
APP_HOST="0.0.0.0"
# ORIGIN must match the public URL users visit. When it begins with https://,
# session cookies are issued with the Secure flag. Set this when running behind
# a reverse proxy that terminates TLS, e.g. ORIGIN="https://launcher.example.com"
ORIGIN="http://localhost:3000"
# Legacy alias — keep for older docs; not used internally.
APP_URL="http://localhost:3000"
# --- OAuth / OIDC (optional — configure here or in Admin > Settings) ---
OAUTH_CLIENT_ID=""
OAUTH_CLIENT_SECRET=""
OAUTH_DISCOVERY_URL=""
OAUTH_REDIRECT_URI=""
# Guest mode (true = allow unauthenticated dashboard access to guest-accessible boards)
GUEST_MODE="true"
# Healthcheck cron expression — default every 5 minutes
HEALTHCHECK_CRON="*/5 * * * *"
HEALTHCHECK_TIMEOUT_MS="5000"
# Service Discovery (optional — configure here or in Admin > Settings)
DOCKER_SOCKET_PATH="/var/run/docker.sock"
TRAEFIK_API_URL=""
# Allow outbound fetches to private/internal hosts. Default is "false" which
# blocks SSRF (loopback, RFC1918, link-local, cloud-metadata). Self-hosted
# users monitoring services on a LAN typically want this set to "true".
ALLOW_PRIVATE_NETWORK_FETCH="false"
# Run background jobs (healthcheck, backup) in THIS process. Set to "false" when
# scaling horizontally so only one node runs schedulers.
RUN_SCHEDULERS="true"
# Directory where backup archives are written. Defaults to /app/data/backups
# in production and <repo>/data/backups in development. Override if you want
# backups on a separate mount.
BACKUPS_DIR=""
# Optional bearer token for /api/metrics. When set, scrapers must send
# `Authorization: Bearer <token>`. When unset, the endpoint is open (typical
# when the scraper lives on the same private network).
METRICS_TOKEN=""
# Node environment
NODE_ENV="production"
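A pre-deploy audit of a filled-in copy of this file, checking the constraints its comments state (JWT_SECRET length and placeholders, a distinct INTEGRATION_ENCRYPTION_KEY, https ORIGIN, the SSRF switch, an open /api/metrics, guest access). This is an added example, not code from the web-app-launcher repository; `parseEnv`, `auditEnv` and the `PLACEHOLDERS` list are hypothetical names and values chosen for illustration.

```javascript
// Added example: audits .env text against the constraints stated in the comments above.
// PLACEHOLDERS is an assumed list; the project's own placeholder list is not on the page.
const PLACEHOLDERS = ["changeme", "change-me", "placeholder", "example"];

// Minimal KEY=VALUE parser: skips comments and blank lines, strips one pair of quotes.
function parseEnv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const eq = line.indexOf("=");
    if (!line || line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1$/);
    env[line.slice(0, eq).trim()] = quoted ? quoted[2] : value;
  }
  return env;
}

// Returns [{ level, key, msg }]; "error" marks a rule the file states as mandatory.
function auditEnv(text) {
  const env = parseEnv(text);
  const findings = [];
  const add = (level, key, msg) => findings.push({ level, key, msg });
  const jwt = env.JWT_SECRET || "";
  const lower = jwt.toLowerCase();
  if (jwt.length < 32) add("error", "JWT_SECRET", "shorter than 32 chars");
  else if (/^(.)\1+$/.test(jwt) || PLACEHOLDERS.some((p) => lower.includes(p)))
    add("error", "JWT_SECRET", "looks like a placeholder");
  if (env.INTEGRATION_ENCRYPTION_KEY && env.INTEGRATION_ENCRYPTION_KEY === jwt)
    add("error", "INTEGRATION_ENCRYPTION_KEY", "must differ from JWT_SECRET");
  if (!/^https:\/\//.test(env.ORIGIN || ""))
    add("warn", "ORIGIN", "not https://, so cookies are issued without Secure");
  if (env.ALLOW_PRIVATE_NETWORK_FETCH === "true")
    add("warn", "ALLOW_PRIVATE_NETWORK_FETCH", "private-host SSRF block is disabled");
  if (!env.METRICS_TOKEN)
    add("warn", "METRICS_TOKEN", "/api/metrics is open (no bearer token)");
  if (env.GUEST_MODE === "true")
    add("warn", "GUEST_MODE", "guest-accessible boards need no login");
  return findings;
}

// Constructed sample input, not a real deployment.
const SAMPLE = `JWT_SECRET="changeme"
ORIGIN="http://localhost:3000"
ALLOW_PRIVATE_NETWORK_FETCH="false"
METRICS_TOKEN=""
GUEST_MODE="true"`;
for (const f of auditEnv(SAMPLE)) console.log(`${f.level.toUpperCase()} ${f.key}: ${f.msg}`);
```

Warnings are deployment decisions rather than defects: a LAN-only install may accept them, while errors correspond to rules the file marks as required.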