9e19fb5219
* chore(deploy): trust proxy headers + document HTTPS env vars - uvicorn: add --proxy-headers --forwarded-allow-ips='*' so the app honors X-Forwarded-Proto/Host from a TLS-terminating reverse proxy (Caddy, Cloudflare Tunnel, nginx, LB). Without this the app saw every request as plain HTTP and built redirect/OAuth URLs from the raw Host, which is fragile behind a proxy. - .env.template: document DOMAIN (enables Secure cookie flag) and new SERVER_URL (deterministic base URL for OAuth callbacks and external links). Grouped under a dedicated HTTPS / REVERSE PROXY section. * chore(deploy): add proxy header flags to Dockerfile CMD and Kamal config Matches the docker-compose changes so non-compose deployments (docker run, Kubernetes, ECS, Kamal) also trust X-Forwarded-Proto/X-Forwarded-For. * fix(auth): align Google OAuth cookie Secure flag with password/email providers Google OAuth set the access_token cookie Secure flag based on the TESTING env var, while password and email providers use DOMAIN. This meant the DOMAIN env var (now documented in config/.env.template) did not actually control Secure for Google cookies. Align all three providers on DOMAIN so the documented behavior holds consistently.
65 lines
3 KiB
Text
65 lines
3 KiB
Text
# Agnes AI Data Analyst - Environment Variables
|
|
# =============================================
|
|
# Copy to .env: cp config/.env.template .env
|
|
# .env is gitignored - NEVER commit it.
|
|
|
|
# ── REQUIRED ────────────────────────────────────────
|
|
JWT_SECRET_KEY= # python -c "import secrets; print(secrets.token_hex(32))"
|
|
SESSION_SECRET= # python -c "import secrets; print(secrets.token_hex(32))"
|
|
|
|
# ── GOOGLE OAUTH (required for Google login) ────────
|
|
# GOOGLE_CLIENT_ID=
|
|
# GOOGLE_CLIENT_SECRET=
|
|
|
|
# ── KEBOOLA (required for Keboola data source) ──────
|
|
# KEBOOLA_STORAGE_TOKEN=
|
|
# KEBOOLA_STACK_URL=https://connection.keboola.com
|
|
|
|
# ── BIGQUERY (required for BigQuery data source) ─────
|
|
# BIGQUERY_PROJECT=
|
|
# BIGQUERY_LOCATION=us
|
|
|
|
# ── BOOTSTRAP (first deploy only) ───────────────────
|
|
# SEED_ADMIN_EMAIL=admin@example.com
|
|
# SEED_ADMIN_PASSWORD= # Dev helper only — sets password_hash on seed.
|
|
# # Never overwrites an existing password.
|
|
|
|
# ── EMAIL / SMTP (required for magic link auth) ─────
|
|
# SMTP_HOST=smtp.gmail.com
|
|
# SMTP_PORT=587
|
|
# SMTP_USER=
|
|
# SMTP_PASSWORD=
|
|
|
|
# ── OPTIONAL SERVICES ───────────────────────────────
|
|
# TELEGRAM_BOT_TOKEN=
|
|
# JIRA_WEBHOOK_SECRET=
|
|
# JIRA_API_TOKEN=
|
|
# ANTHROPIC_API_KEY=
|
|
# LLM_API_KEY=
|
|
|
|
# ── DESKTOP APP ─────────────────────────────────────
|
|
# DESKTOP_JWT_SECRET= # Separate secret for desktop app tokens
|
|
|
|
# ── DEPLOYMENT ──────────────────────────────────────
|
|
# DATA_DIR=/data # Default: /data in Docker, ./data locally
|
|
# LOG_LEVEL=info # debug, info, warning, error
|
|
# CORS_ORIGINS=http://localhost:3000,http://localhost:8000
|
|
|
|
# ── HTTPS / REVERSE PROXY ───────────────────────────
|
|
# Set these when the app runs behind a TLS terminator (Caddy, Cloudflare
|
|
# Tunnel, nginx, GCP LB, etc.). The app itself speaks plain HTTP on :8000;
|
|
# the terminator is responsible for TLS.
|
|
#
|
|
# DOMAIN: public hostname. When set, session cookies get the `Secure` flag
|
|
# (browser only sends them over HTTPS). Also used by the Caddy
|
|
# profile to auto-provision Let's Encrypt certs.
|
|
# DOMAIN=data.yourcompany.com
|
|
#
|
|
# SERVER_URL: absolute base URL used to build OAuth callback URLs and other
|
|
# external links. Set this to avoid relying on the incoming
|
|
# request's Host header (which a misconfigured proxy can get
|
|
# wrong). Must match the redirect URI registered in OAuth apps.
|
|
# SERVER_URL=https://data.yourcompany.com
|
|
#
|
|
# Uvicorn is started with `--proxy-headers --forwarded-allow-ips='*'` so it
|
|
# trusts X-Forwarded-Proto / X-Forwarded-For from the reverse proxy.
|