# Agnes AI Data Analyst - Environment Variables # ============================================= # Copy to .env: cp config/.env.template .env # .env is gitignored - NEVER commit it. # ── REQUIRED ──────────────────────────────────────── JWT_SECRET_KEY= # python -c "import secrets; print(secrets.token_hex(32))" SESSION_SECRET= # python -c "import secrets; print(secrets.token_hex(32))" # ── GOOGLE OAUTH (required for Google login) ──────── # GOOGLE_CLIENT_ID= # GOOGLE_CLIENT_SECRET= # ── KEBOOLA (required for Keboola data source) ────── # KEBOOLA_STORAGE_TOKEN= # KEBOOLA_STACK_URL=https://connection.keboola.com # ── BIGQUERY (required for BigQuery data source) ───── # BIGQUERY_PROJECT= # BIGQUERY_LOCATION=us # ── BOOTSTRAP (first deploy only) ─────────────────── # SEED_ADMIN_EMAIL=admin@example.com # SEED_ADMIN_PASSWORD= # Dev helper only — sets password_hash on seed. # # Never overwrites an existing password. # ── EMAIL / SMTP (required for magic link auth) ───── # SMTP_HOST=smtp.gmail.com # SMTP_PORT=587 # SMTP_USER= # SMTP_PASSWORD= # ── OPTIONAL SERVICES ─────────────────────────────── # TELEGRAM_BOT_TOKEN= # JIRA_WEBHOOK_SECRET= # JIRA_API_TOKEN= # ANTHROPIC_API_KEY= # LLM_API_KEY= # ── DESKTOP APP ───────────────────────────────────── # DESKTOP_JWT_SECRET= # Separate secret for desktop app tokens # ── DEPLOYMENT ────────────────────────────────────── # DATA_DIR=/data # Default: /data in Docker, ./data locally # LOG_LEVEL=info # debug, info, warning, error # CORS_ORIGINS=http://localhost:3000,http://localhost:8000 # ── HTTPS / REVERSE PROXY ─────────────────────────── # Set these when the app runs behind a TLS terminator (Caddy, Cloudflare # Tunnel, nginx, GCP LB, etc.). The app itself speaks plain HTTP on :8000; # the terminator is responsible for TLS. # # DOMAIN: public hostname. When set, session cookies get the `Secure` flag # (browser only sends them over HTTPS). Also used by the Caddy # profile to auto-provision Let's Encrypt certs. # DOMAIN=data.yourcompany.com # # SERVER_URL: absolute base URL used to build OAuth callback URLs and other # external links. Set this to avoid relying on the incoming # request's Host header (which a misconfigured proxy can get # wrong). Must match the redirect URI registered in OAuth apps. # SERVER_URL=https://data.yourcompany.com # # Uvicorn is started with `--proxy-headers --forwarded-allow-ips='*'` so it # trusts X-Forwarded-Proto / X-Forwarded-For from the reverse proxy. # ── TLS TERMINATION (Caddy in cert-file mode) ─────── # When TLS_FULLCHAIN_URL is set, scripts/grpn/agnes-tls-rotate.sh fetches # the cert daily from this URL and reloads Caddy on diff (zero downtime). # Empty -> no TLS, app serves plain HTTP on :8000. See docs/DEPLOYMENT.md # -> TLS for the full bring-up flow. # # Supported URL schemes (all four scripts/tls-fetch.sh resolves): # sm:// Google Secret Manager (latest version) # gs:/// GCS object # https:// Plain HTTPS download (no redirects allowed) # file:// Local file (dev/testing only) # # TLS_FULLCHAIN_URL= # # TLS_PRIVKEY_URL: optional. Empty -> on-VM RSA-2048 key + CSR auto- # generated on first rotate tick (key never leaves the host; CSR at # /data/state/certs/cert.csr to submit to your CA). Set to a URL when # you want VM-replace resilience (e.g. sm://). # TLS_PRIVKEY_URL= # # TLS_CSR_SUBJECT: stamped on auto-generated CSRs and on the self-signed # bring-up cert that Caddy serves until your CA publishes the real chain. # Defaults to /CN=$DOMAIN when unset. # TLS_CSR_SUBJECT=/C=US/ST=California/L=San Francisco/O=Your Org/CN=data.yourcompany.com