notplants
9f68524046
Add env vars introduced upstream across v4.6 → v5.0: - CONVERSION_UPLOAD_ENABLED (v4.8.5) — recipe override true (upstream default false) - CONVERSION_FILE_MAX_SIZE / _EXTENSIONS_ALLOWED / _API_* (v4.5.0 source) - DB_PSYCOPG_POOL_ENABLED (v4.8.1) - DJANGO_EMAIL_URL_APP (v4.6.0) — recipe sets to https://${DOMAIN} - MEDIA_AUTH_ORIGINAL_URL_HEADER (v5.0.0) All except CONVERSION_UPLOAD_ENABLED and DJANGO_EMAIL_URL_APP use the bare-key defer-to-upstream pattern (like existing LOGGING_LEVEL_*), so upstream defaults apply unless the operator sets them in .env. Document all 10 vars (commented) in .env.sample.
109 lines
4.4 KiB
Plaintext
109 lines
4.4 KiB
Plaintext
TYPE=lasuite-docs
|
|
|
|
DOMAIN=lasuite-docs.example.com
|
|
|
|
## Domain aliases
|
|
#EXTRA_DOMAINS=', `www.lasuite-docs.example.com`'
|
|
|
|
LETS_ENCRYPT_ENV=production
|
|
|
|
##############################################################################
|
|
# SECRETS
|
|
##############################################################################
|
|
# abbreviations are to fit abra 12 char secret recommendation
|
|
# DJANGO_SECRET_KEY
|
|
SECRET_DJANGO_SK_VERSION=v1
|
|
# ODIC_RP_CLIENT_SECRET
|
|
SECRET_OIDC_RPCS_VERSION=v1
|
|
# DJANGO_SUPERUSER_PASSWORD
|
|
SECRET_DJANGO_SP_VERSION=v1
|
|
# MINIO_ROOT_PASSWORD
|
|
SECRET_MINIO_RP_VERSION=v1
|
|
# MINIO_ROOT_USER
|
|
SECRET_MINIO_RU_VERSION=v1
|
|
# COLLABORATION_SERVER_SECRET
|
|
SECRET_COLLAB_SS_VERSION=v1
|
|
# POSTGRES_PASSWORD
|
|
SECRET_POSTGRES_P_VERSION=v1
|
|
# Y_PROVIDER_API_KEY
|
|
SECRET_Y_API_KEY_VERSION=v1
|
|
# DJANGO_HOST_EMAIL_PASSWORD
|
|
SECRET_EMAIL_PASS_VERSION=v1
|
|
|
|
##############################################################################
|
|
# EMAIL
|
|
##############################################################################
|
|
DJANGO_EMAIL_BRAND_NAME="La Suite Numérique"
|
|
DJANGO_EMAIL_HOST="mail.example.com"
|
|
DJANGO_EMAIL_LOGO_IMG="http://$DOMAIN/assets/logo-suite-numerique.png"
|
|
DJANGO_EMAIL_PORT=1025
|
|
DJANGO_EMAIL_USE_SSL=True
|
|
DJANGO_EMAIL_USE_TLS=False
|
|
DJANGO_EMAIL_FROM=mail@example.com
|
|
|
|
##############################################################################
|
|
# SINGLE SIGN ON
|
|
##############################################################################
|
|
# NOTE: OpenID Connect (OIDC) single sign-on is **required**, see recipe README
|
|
OIDC_REALM=yourkeycloakrealm
|
|
AUTH_DOMAIN=yourkeycloakdomain
|
|
OIDC_OP_JWKS_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/certs
|
|
OIDC_OP_AUTHORIZATION_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/auth
|
|
OIDC_OP_TOKEN_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/token
|
|
OIDC_OP_USER_ENDPOINT=https://${AUTH_DOMAIN}/realms/${OIDC_REALM}/protocol/openid-connect/userinfo
|
|
OIDC_RP_CLIENT_ID=yourkeycloakclientid
|
|
OIDC_RP_SIGN_ALGO=RS256
|
|
OIDC_RP_SCOPES="openid email"
|
|
LOGIN_REDIRECT_URL=https://${DOMAIN}
|
|
LOGIN_REDIRECT_URL_FAILURE=https://${DOMAIN}
|
|
LOGOUT_REDIRECT_URL=https://${DOMAIN}
|
|
OIDC_REDIRECT_ALLOWED_HOSTS='["https://auth.${DOMAIN}", "https://${DOMAIN}"]'
|
|
OIDC_AUTH_REQUEST_EXTRA_PARAMS='{"acr_values": "eidas1"}'
|
|
|
|
##############################################################################
|
|
# LOGGING
|
|
##############################################################################
|
|
LOGGING_LEVEL_HANDLERS_CONSOLE=INFO
|
|
LOGGING_LEVEL_LOGGERS_ROOT=INFO
|
|
LOGGING_LEVEL_LOGGERS_APP=INFO
|
|
|
|
##############################################################################
|
|
# MIGRATIONS
|
|
##############################################################################
|
|
# Set to false to disable automatic migrations on backend startup
|
|
# AUTO_MIGRATIONS=true
|
|
|
|
##############################################################################
|
|
# CONVERSION (file upload → Yjs via y-provider)
|
|
##############################################################################
|
|
# Allow uploading .docx/.md files for conversion to Yjs.
|
|
# Recipe sets this to true (upstream default is false).
|
|
# CONVERSION_UPLOAD_ENABLED=true
|
|
# Upstream defaults (uncomment to override):
|
|
# CONVERSION_FILE_MAX_SIZE=20971520
|
|
# CONVERSION_FILE_EXTENSIONS_ALLOWED=.docx,.md
|
|
# CONVERSION_API_ENDPOINT=convert
|
|
# CONVERSION_API_CONTENT_FIELD=content
|
|
# CONVERSION_API_TIMEOUT=30
|
|
# CONVERSION_API_SECURE=false
|
|
|
|
##############################################################################
|
|
# DATABASE CONNECTION POOL
|
|
##############################################################################
|
|
# Upstream default (uncomment to override):
|
|
# DB_PSYCOPG_POOL_ENABLED=false
|
|
|
|
##############################################################################
|
|
# EMAIL APP URL
|
|
##############################################################################
|
|
# DJANGO_EMAIL_URL_APP is set automatically in compose.yml to https://${DOMAIN}.
|
|
# Override is not exposed via .env — edit compose.yml directly if needed.
|
|
# (Upstream default falls back to Django's Site framework, not configured here.)
|
|
|
|
##############################################################################
|
|
# MEDIA AUTH HEADER
|
|
##############################################################################
|
|
# Header the backend reads for media auth subrequests.
|
|
# Upstream default matches the recipe's nginx config (X-Original-URL).
|
|
# MEDIA_AUTH_ORIGINAL_URL_HEADER=HTTP_X_ORIGINAL_URL
|