agnes-the-ai-analyst/config/.env.template
ZdenekSrotyr b7a1795834
feat(scheduler): re-wire sync_schedule + script.schedule; tune via env; OpenMetadata TLS (#135)
Bundles 4 issues:
- #79 — table_registry.sync_schedule honored at runtime (API-side filter + Pydantic validators)
- #78 — script_registry.schedule honored via new POST /api/scripts/run-due (atomic claim, BackgroundTask exec, deploy-time safety validation)
- #77 — sidecar JOBS env-driven (SCHEDULER_DATA_REFRESH_INTERVAL/HEALTH_CHECK_INTERVAL/SCRIPT_RUN_INTERVAL/TICK_SECONDS)
- #89 — OpenMetadataClient verify=True default (BREAKING for self-signed)

Cuts release 0.19.0. See CHANGELOG for full notes incl. Known Limitations.
2026-04-29 22:06:30 +02:00

# Agnes AI Data Analyst - Environment Variables
# =============================================
# Copy to .env: cp config/.env.template .env
# .env is gitignored - NEVER commit it.
# ── REQUIRED ────────────────────────────────────────
JWT_SECRET_KEY= # python -c "import secrets; print(secrets.token_hex(32))"
SESSION_SECRET= # python -c "import secrets; print(secrets.token_hex(32))"
# ── GOOGLE OAUTH (required for Google login) ────────
# GOOGLE_CLIENT_ID=
# GOOGLE_CLIENT_SECRET=
# ── KEBOOLA (required for Keboola data source) ──────
# KEBOOLA_STORAGE_TOKEN=
# KEBOOLA_STACK_URL=https://connection.keboola.com
# ── BIGQUERY (required for BigQuery data source) ─────
# BIGQUERY_PROJECT=
# BIGQUERY_LOCATION=us
# ── BOOTSTRAP (first deploy only) ───────────────────
# SEED_ADMIN_EMAIL=admin@example.com
# SEED_ADMIN_PASSWORD= # Dev helper only — sets password_hash on seed. Never overwrites an existing password.
# ── EMAIL / SMTP (required for magic link auth) ─────
# SMTP_HOST=smtp.gmail.com
# SMTP_PORT=587
# SMTP_USER=
# SMTP_PASSWORD=
# ── OPTIONAL SERVICES ───────────────────────────────
# TELEGRAM_BOT_TOKEN=
# JIRA_WEBHOOK_SECRET=
# JIRA_API_TOKEN=
# ANTHROPIC_API_KEY=
# LLM_API_KEY=
# ── DESKTOP APP ─────────────────────────────────────
# DESKTOP_JWT_SECRET= # Separate secret for desktop app tokens
# ── DEPLOYMENT ──────────────────────────────────────
# DATA_DIR=/data # Default: /data in Docker, ./data locally
# LOG_LEVEL=info # debug, info, warning, error
# CORS_ORIGINS=http://localhost:3000,http://localhost:8000
# ── SCHEDULER (sidecar tuning) ──────────────────────
# All values are in seconds and must be positive integers. SCHEDULER_TICK_SECONDS
# must be <= the smallest job interval below.
# SCHEDULER_DATA_REFRESH_INTERVAL=900 # default 15 min — POST /api/sync/trigger
# SCHEDULER_HEALTH_CHECK_INTERVAL=300 # default 5 min — GET /api/health
# SCHEDULER_SCRIPT_RUN_INTERVAL=60 # default 1 min — POST /api/scripts/run-due
# SCHEDULER_TICK_SECONDS=30 # default 30 s — loop polling cadence
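# The following is an added example, not the sidecar's own loader: it reads the
# four SCHEDULER_* variables from an environment mapping, applies the template's
# defaults, enforces "positive integers" and "tick <= smallest interval", and then
# models a fixed-tick loop to show why an interval that is not a multiple of the
# tick fires late (the loop model is an assumption, not the sidecar's code).

```python
"""Parse and validate SCHEDULER_* variables; model the tick loop they drive.

Added example, not the project's code. Defaults mirror the template above;
the tick-vs-interval rule is the one stated there. The fixed-tick loop in
simulate_ticks() is an assumption used to illustrate drift.
"""
import os

# Job intervals with their documented defaults (seconds).
JOB_DEFAULTS = {
    "SCHEDULER_DATA_REFRESH_INTERVAL": 900,   # POST /api/sync/trigger
    "SCHEDULER_HEALTH_CHECK_INTERVAL": 300,   # GET /api/health
    "SCHEDULER_SCRIPT_RUN_INTERVAL": 60,      # POST /api/scripts/run-due
}
TICK_VAR = "SCHEDULER_TICK_SECONDS"
TICK_DEFAULT = 30


class SchedulerConfigError(ValueError):
    """A value is non-integer, non-positive, or the tick exceeds a job interval."""


def _positive_int(name: str, raw: str) -> int:
    # Only surrounding whitespace is tolerated; "30.0" or "1e3" are rejected.
    try:
        value = int(raw.strip())
    except ValueError:
        raise SchedulerConfigError(f"{name}={raw!r} is not an integer") from None
    if value <= 0:
        raise SchedulerConfigError(f"{name}={value} must be a positive integer")
    return value


def load_scheduler_config(env=None) -> dict:
    """Return {var: seconds}; empty/unset variables take the template default."""
    env = os.environ if env is None else env
    cfg = {}
    for name, default in {**JOB_DEFAULTS, TICK_VAR: TICK_DEFAULT}.items():
        raw = env.get(name, "")
        cfg[name] = default if raw.strip() == "" else _positive_int(name, raw)
    smallest = min(cfg[name] for name in JOB_DEFAULTS)
    if cfg[TICK_VAR] > smallest:
        raise SchedulerConfigError(
            f"{TICK_VAR}={cfg[TICK_VAR]} exceeds the smallest job interval "
            f"({smallest}s); that job could never run on time"
        )
    return cfg


def simulate_ticks(cfg: dict, total_seconds: int) -> dict:
    """Assumed loop model: wake every tick, fire a job when elapsed >= last + interval.

    Returns {job: [times it fired]} so the effect of the tick cadence is visible.
    """
    tick = cfg[TICK_VAR]
    last = {name: 0 for name in JOB_DEFAULTS}
    fired = {name: [] for name in JOB_DEFAULTS}
    for now in range(tick, total_seconds + 1, tick):
        for name in JOB_DEFAULTS:
            if now - last[name] >= cfg[name]:
                fired[name].append(now)
                last[name] = now
    return fired


if __name__ == "__main__":
    cfg = load_scheduler_config({})
    print(cfg)
    # A 50 s interval on a 30 s tick fires at 60, 120, ... (every second tick).
    print(simulate_ticks(load_scheduler_config({"SCHEDULER_SCRIPT_RUN_INTERVAL": "50"}), 300))
```

Pick intervals that are whole multiples of SCHEDULER_TICK_SECONDS; otherwise a job runs on the first tick after it becomes due, not at the interval you configured.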
# ── HTTPS / REVERSE PROXY ───────────────────────────
# Set these when the app runs behind a TLS terminator (Caddy, Cloudflare
# Tunnel, nginx, GCP LB, etc.). The app itself speaks plain HTTP on :8000;
# the terminator is responsible for TLS.
#
# DOMAIN: public hostname. When set, session cookies get the `Secure` flag
# (browser only sends them over HTTPS). Also used by the Caddy
# profile to auto-provision Let's Encrypt certs.
# DOMAIN=data.yourcompany.com
#
# SERVER_URL: absolute base URL used to build OAuth callback URLs and other
# external links. Set this to avoid relying on the incoming
# request's Host header (which a misconfigured proxy can get
# wrong). Must match the redirect URI registered in OAuth apps.
# SERVER_URL=https://data.yourcompany.com
#
# Uvicorn is started with `--proxy-headers --forwarded-allow-ips='*'` so it
# trusts X-Forwarded-Proto / X-Forwarded-For from the reverse proxy. Because
# '*' trusts those headers from ANY client, :8000 must be reachable only by
# the proxy (bind to localhost or a private Docker network, never a public
# interface); otherwise a direct client can spoof its source IP and scheme.
# ── TLS TERMINATION (Caddy in cert-file mode) ───────
# When TLS_FULLCHAIN_URL is set, scripts/ops/agnes-tls-rotate.sh fetches
# the cert daily from this URL and reloads Caddy on diff (zero downtime).
# Empty -> no TLS, app serves plain HTTP on :8000. See docs/DEPLOYMENT.md
# -> TLS for the full bring-up flow.
#
# Supported URL schemes (scripts/tls-fetch.sh resolves all four):
# sm://<secret-name> Google Secret Manager (latest version)
# gs://<bucket>/<obj> GCS object
# https://<url> Plain HTTPS download (no redirects allowed)
# file://<path> Local file (dev/testing only)
#
# TLS_FULLCHAIN_URL=
#
# TLS_PRIVKEY_URL: optional. Empty -> on-VM RSA-2048 key + CSR auto-
# generated on first rotate tick (key never leaves the host; CSR at
# /data/state/certs/cert.csr to submit to your CA). Set to a URL when
# you want VM-replace resilience (e.g. sm://<secret>).
# TLS_PRIVKEY_URL=
#
# TLS_CSR_SUBJECT: stamped on auto-generated CSRs and on the self-signed
# bring-up cert that Caddy serves until your CA publishes the real chain.
# Defaults to /CN=$DOMAIN when unset.
# TLS_CSR_SUBJECT=/C=US/ST=California/L=San Francisco/O=Your Org/CN=data.yourcompany.com
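# The following is an added example, not the project's scripts/tls-fetch.sh or
# agnes-tls-rotate.sh: it dispatches the four URL schemes listed above, rejects
# a payload that is not PEM (so an error page or empty secret never replaces a
# good chain), installs the file atomically only when its hash changed, and
# reports whether Caddy should be reloaded. The gcloud/gsutil/curl argv used
# for sm://, gs:// and https:// are assumptions about how to express the
# template's description; only file:// is exercised in-process.

```python
"""Resolve TLS_FULLCHAIN_URL / TLS_PRIVKEY_URL and install fetched PEM on diff.

Added example, not the project's code. The argv for sm://, gs:// and https://
are assumptions (gcloud, gsutil, curl); file:// is read directly and is, per
the template, for dev/testing only.
"""
import hashlib
import os
import subprocess
import tempfile
from urllib.parse import urlparse


class TlsFetchError(ValueError):
    """Unsupported or malformed source URL, or a payload that is not PEM."""


def fetch_argv(url: str) -> list:
    """Map sm://, gs:// or https:// to an argv that prints the object to stdout."""
    p = urlparse(url)
    if p.scheme == "sm":
        # sm://<secret-name>: the netloc is the secret, no path allowed.
        if not p.netloc or p.path not in ("", "/"):
            raise TlsFetchError(f"expected sm://<secret-name>, got {url!r}")
        return ["gcloud", "secrets", "versions", "access", "latest", f"--secret={p.netloc}"]
    if p.scheme == "gs":
        if not p.netloc or p.path in ("", "/"):
            raise TlsFetchError(f"expected gs://<bucket>/<object>, got {url!r}")
        return ["gsutil", "cat", url]
    if p.scheme == "https":
        if not p.netloc:
            raise TlsFetchError(f"https:// URL has no host: {url!r}")
        # --proto =https forbids downgrade; --location --max-redirs 0 makes curl
        # fail on any redirect instead of silently saving a 3xx body as the chain.
        return ["curl", "--fail", "--silent", "--show-error", "--proto", "=https",
                "--location", "--max-redirs", "0", url]
    raise TlsFetchError(f"unsupported scheme {p.scheme!r} in {url!r}")


def read_source(url: str) -> bytes:
    """Return the raw bytes behind one of the four supported URL schemes."""
    p = urlparse(url)
    if p.scheme == "file":
        with open(p.path, "rb") as fh:      # dev/testing only
            return fh.read()
    return subprocess.run(fetch_argv(url), check=True, capture_output=True).stdout


def looks_like_pem(data: bytes, label: bytes) -> bool:
    """Cheap sanity check: first line is a BEGIN header carrying `label`
    (b"CERTIFICATE" or b"PRIVATE KEY") and an END footer exists somewhere."""
    head = data.lstrip()
    first_line = head.split(b"\n", 1)[0]
    return head.startswith(b"-----BEGIN ") and label in first_line and b"-----END " in data


def install_if_changed(data: bytes, dest: str, *, mode: int) -> bool:
    """Write data to dest atomically if its SHA-256 differs; True means changed."""
    new_digest = hashlib.sha256(data).hexdigest()
    if os.path.exists(dest):
        with open(dest, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() == new_digest:
                return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest) or ".", prefix=".tls-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, mode)
        os.replace(tmp, dest)   # rename is atomic: Caddy never sees a half-written file
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def rotate_once(fullchain_url: str, chain_dest: str,
                privkey_url: str = "", key_dest: str = "") -> bool:
    """One rotate tick. Returns True when a file changed (reload Caddy)."""
    chain = read_source(fullchain_url)
    if not looks_like_pem(chain, b"CERTIFICATE"):
        raise TlsFetchError(f"{fullchain_url} did not return a PEM certificate chain")
    changed = install_if_changed(chain, chain_dest, mode=0o644)
    if privkey_url:    # empty -> on-VM key, nothing to fetch
        key = read_source(privkey_url)
        if not looks_like_pem(key, b"PRIVATE KEY"):
            raise TlsFetchError(f"{privkey_url} did not return a PEM private key")
        changed = install_if_changed(key, key_dest, mode=0o600) or changed
    return changed
```

Run rotate_once() from the daily job and reload Caddy only when it returns True; a fetch that fails validation raises and leaves the previously installed chain untouched.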