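# ============================================================================
# FEUERWEHR DASHBOARD - ENVIRONMENT CONFIGURATION
# ============================================================================
# This file contains all environment variables needed for the application.
# Copy this file to .env and fill in your actual values.
#
# Format: one KEY=value assignment per line, comments on lines of their own.
# Some dotenv parsers keep trailing text as part of the value, so do not put
# a comment after a value.
#
# IMPORTANT SECURITY NOTES:
# - Never commit .env file to version control
# - Use strong, randomly generated passwords for production
# - Rotate secrets regularly
# - Keep this file secure with restricted permissions (chmod 600 .env)
# ============================================================================

# ============================================================================
# DATABASE CONFIGURATION
# ============================================================================

# Database name
# Default: feuerwehr_prod
# Development: feuerwehr_dev
POSTGRES_DB=feuerwehr_prod

# Database user
# Default: prod_user
# Development: dev_user
POSTGRES_USER=prod_user

# Database password
# REQUIRED in production!
# Generate with: openssl rand -base64 24
# WARNING: Never use simple passwords in production!
# The value shipped in this template is a placeholder and must be replaced
# before the first start.
# Base64 output can contain "+", "/" and "=". These have to be percent-encoded
# wherever the password ends up inside DATABASE_URL (including the URL built in
# docker-compose.yml); "openssl rand -hex 24" yields the same 24 random bytes
# in a URL-safe form.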
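POSTGRES_PASSWORD=your_secure_password_here

# Database port
# Default: 5432 (PostgreSQL default)
# Change if port 5432 is already in use
# NOTE(review): if docker-compose.yml publishes this port on the host, bind it
# to 127.0.0.1 or firewall it so the database is not reachable from the
# network - confirm against the compose file.
POSTGRES_PORT=5432

# ============================================================================
# BACKEND CONFIGURATION
# ============================================================================

# Backend API port
# Default: 3000
# The port where the Node.js backend API will listen
BACKEND_PORT=3000

# Node environment
# Options: development | production | test
# Production: Enables optimizations and security features
# Development: Enables debug logging and hot reload
NODE_ENV=production

# Database connection URL
# Auto-constructed in docker-compose.yml, but can be overridden
# Format: postgresql://USER:PASSWORD@HOST:PORT/DATABASE
# For Docker: Use service name (postgres) as host
# For local dev: Use localhost
# DATABASE_URL=postgresql://prod_user:your_secure_password_here@postgres:5432/feuerwehr_prod

# ============================================================================
# JWT CONFIGURATION
# ============================================================================

# JWT Secret Key
# REQUIRED in production!
# Used to sign and verify JWT tokens
# Generate with: openssl rand -base64 32
# WARNING: Keep this secret! Never share or commit this value!
# SECURITY: Change this value if it's ever compromised
# The value below is a placeholder. A placeholder or guessable secret lets
# anyone who learns it create tokens the backend will accept, so replace it
# before the first start.
# Changing the secret invalidates every token issued with the old value.
JWT_SECRET=your_jwt_secret_here

# JWT Token Expiration (optional)
# Access token expiration in seconds
# Default: 3600 (1 hour)
# JWT_ACCESS_EXPIRATION=3600

# Refresh token expiration in seconds
# Default: 86400 (24 hours)
# JWT_REFRESH_EXPIRATION=86400

# ============================================================================
# CORS CONFIGURATION
# ============================================================================

# CORS Allowed Origin
# The frontend URL that is allowed to make requests to the backend
# IMPORTANT: Must match your frontend URL exactly!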
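# Development: http://localhost:5173 (Vite dev server)
# Production: https://dashboard.yourdomain.com
# Multiple origins: Use comma-separated values (if supported by your setup)
# NOTE(review): browsers leave the default port out of the Origin header, so a
# frontend served on port 80 sends "http://localhost"; if the backend compares
# the origin as an exact string, "http://localhost:80" will not match - confirm.
# List only origins you control; do not widen this to "*" to silence CORS errors.
CORS_ORIGIN=http://localhost:80

# ============================================================================
# FRONTEND CONFIGURATION
# ============================================================================

# Frontend port
# Default: 80 (HTTP)
# Use 443 for HTTPS (requires SSL certificate)
FRONTEND_PORT=80

# API URL for frontend
# The URL where the frontend will send API requests
# Development: http://localhost:3000
# Production: https://api.yourdomain.com
# IMPORTANT: Must be accessible from the user's browser!
# VITE_-prefixed variables are compiled into the frontend bundle and can be
# read by every visitor; never put a secret in a VITE_* variable.
VITE_API_URL=http://localhost:3000

# Authentik URL for frontend
# The base URL of your Authentik instance (without application path)
# Development: http://localhost:9000
# Production: https://auth.yourdomain.com
# IMPORTANT: Used for OAuth redirect URL construction
VITE_AUTHENTIK_URL=https://auth.yourdomain.com

# ============================================================================
# AUTHENTIK OAUTH CONFIGURATION
# ============================================================================
# Get these values from your Authentik instance
# See AUTHENTIK_SETUP.md for detailed configuration guide

# OAuth Client ID
# From Authentik: Applications → Providers → Your Provider
# REQUIRED for authentication to work!
AUTHENTIK_CLIENT_ID=your_client_id_here

# OAuth Client Secret
# From Authentik: Applications → Providers → Your Provider
# REQUIRED for authentication to work!
# WARNING: Keep this secret! Never share or commit this value!
# Do not copy this value into any VITE_* variable; those are shipped to the
# browser.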
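AUTHENTIK_CLIENT_SECRET=your_client_secret_here

# OAuth Issuer URL
# From Authentik: Applications → Providers → Your Provider → OpenID Configuration
# Format: https://auth.yourdomain.com/application/o/your-app-slug/
# IMPORTANT: Must end with a trailing slash (/)
# Development: http://localhost:9000/application/o/feuerwehr-dashboard/
# Production: https://auth.yourdomain.com/application/o/feuerwehr-dashboard/
AUTHENTIK_ISSUER=https://auth.yourdomain.com/application/o/feuerwehr-dashboard/

# OAuth Redirect URI
# The URL where Authentik will redirect after successful authentication
# Must match EXACTLY what you configured in Authentik
# Development: http://localhost:5173/auth/callback
# Production: https://dashboard.yourdomain.com/auth/callback
# Use https for every redirect URI that is not on localhost.
AUTHENTIK_REDIRECT_URI=https://dashboard.yourdomain.com/auth/callback

# OAuth Scopes (optional, has defaults)
# Default: openid profile email
# AUTHENTIK_SCOPES=openid profile email

# ============================================================================
# LOGGING CONFIGURATION (Optional)
# ============================================================================

# Log level
# Options: error | warn | info | debug
# Production: info or warn
# Development: debug
# LOG_LEVEL=info

# Log file path (optional)
# Default: logs/app.log
# LOG_FILE_PATH=logs/app.log

# ============================================================================
# RATE LIMITING CONFIGURATION (Optional)
# ============================================================================

# Rate limit window in milliseconds
# Default: 900000 (15 minutes)
# RATE_LIMIT_WINDOW_MS=900000

# Maximum requests per window
# Default: 100
# RATE_LIMIT_MAX=100

# ============================================================================
# DEVELOPMENT OVERRIDES
# ============================================================================
# Uncomment these for local development outside Docker

# Development database connection (when running backend locally)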
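# DATABASE_URL=postgresql://dev_user:dev_password@localhost:5432/feuerwehr_dev

# Development Authentik configuration
# AUTHENTIK_ISSUER=http://localhost:9000/application/o/feuerwehr-dashboard/
# AUTHENTIK_REDIRECT_URI=http://localhost:5173/auth/callback

# Development CORS (allow Vite dev server)
# CORS_ORIGIN=http://localhost:5173

# Development API URL (for frontend .env)
# VITE_API_URL=http://localhost:3000

# ============================================================================
# EXAMPLE: COMPLETE DEVELOPMENT CONFIGURATION
# ============================================================================
# The credentials in this example are for local development only; do not reuse
# them for any database or identity provider that is reachable from a network.
#
# POSTGRES_DB=feuerwehr_dev
# POSTGRES_USER=dev_user
# POSTGRES_PASSWORD=dev_password
# POSTGRES_PORT=5432
# BACKEND_PORT=3000
# NODE_ENV=development
# JWT_SECRET=dev_secret_do_not_use_in_production
# CORS_ORIGIN=http://localhost:5173
# FRONTEND_PORT=80
# VITE_API_URL=http://localhost:3000
# AUTHENTIK_CLIENT_ID=dev_client_id
# AUTHENTIK_CLIENT_SECRET=dev_client_secret
# AUTHENTIK_ISSUER=http://localhost:9000/application/o/feuerwehr-dashboard/
# AUTHENTIK_REDIRECT_URI=http://localhost:5173/auth/callback
# LOG_LEVEL=debug
#
# ============================================================================

# ============================================================================
# EXAMPLE: COMPLETE PRODUCTION CONFIGURATION
# ============================================================================
# Keys shown with an empty value are secrets: generate them or copy them from
# Authentik, and never fill them with the development values.
#
# POSTGRES_DB=feuerwehr_prod
# POSTGRES_USER=prod_user
# POSTGRES_PASSWORD=
# POSTGRES_PORT=5432
# BACKEND_PORT=3000
# NODE_ENV=production
# JWT_SECRET=
# CORS_ORIGIN=https://dashboard.yourdomain.com
# FRONTEND_PORT=80
# VITE_API_URL=https://api.yourdomain.com
# AUTHENTIK_CLIENT_ID=
# AUTHENTIK_CLIENT_SECRET=
# AUTHENTIK_ISSUER=https://auth.yourdomain.com/application/o/feuerwehr-dashboard/
# AUTHENTIK_REDIRECT_URI=https://dashboard.yourdomain.com/auth/callback
# LOG_LEVEL=info
#
# ============================================================================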
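# ============================================================================
# QUICK SETUP GUIDE
# ============================================================================
#
# 1. Copy this file:
#    cp .env.example .env
#
# 2. Generate secure secrets:
#    JWT_SECRET=$(openssl rand -base64 32)
#    POSTGRES_PASSWORD=$(openssl rand -base64 24)
#
# 3. Configure Authentik:
#    - Follow AUTHENTIK_SETUP.md
#    - Copy Client ID and Client Secret
#    - Set correct redirect URIs
#
# 4. Update URLs:
#    - Replace yourdomain.com with your actual domain
#    - Ensure CORS_ORIGIN matches frontend URL
#    - Ensure VITE_API_URL is accessible from browser
#
# 5. Secure the file:
#    chmod 600 .env
#    Running this directly after step 1 means the secrets are never stored in
#    a file that other local users can read.
#    Also check that .env is listed in .gitignore.
#
# 6. Deploy:
#    make prod
#
# ============================================================================

# ============================================================================
# TROUBLESHOOTING
# ============================================================================
#
# - CORS errors: Ensure CORS_ORIGIN exactly matches frontend URL
# - Auth errors: Verify all AUTHENTIK_* variables are correct
# - Database errors: Check POSTGRES_* credentials match docker-compose.yml
# - Token errors: Ensure JWT_SECRET is set and not changed
#   (tokens issued before a secret change stop validating; users sign in again)
# - Redirect errors: AUTHENTIK_REDIRECT_URI must match Authentik exactly
#
# For more help, see:
# - README.md - General troubleshooting
# - DEPLOYMENT.md - Production deployment
# - AUTHENTIK_SETUP.md - Authentik configuration
# - DEVELOPMENT.md - Development setup
#
# ============================================================================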