.env.example
99 lines (81 loc) · 4.67 KB
# ═══════════════════════════════════════════════════════
# Deft — Environment Configuration
# Copy this to .env and fill in your values.
#
# Required for first boot: POSTGRES_PASSWORD, JWT_SECRET, JWT_REFRESH_SECRET
# AI features need at least one provider key (see section 3) or per-org BYOK.
# Everything else is optional unless noted.
# ═══════════════════════════════════════════════════════
# ── 1. Database & Redis ───────────────────────────────
# REQUIRED. Password the docker-compose stack uses and Deft authenticates with.
# NEVER ship 'postgres' or any common password in production — port 5432 is the
# most-scanned port on the internet. Generate with: openssl rand -hex 32
POSTGRES_PASSWORD=
# DATABASE_URL / REDIS_URL only matter when running Deft AGAINST an external
# Postgres / Redis (not the bundled compose stack). With the compose stack:
# - Inside containers: docker-compose.yml builds DATABASE_URL from POSTGRES_PASSWORD.
# - Host-side (pnpm db:push, pnpm db:seed): the scripts do the same fallback
# when DATABASE_URL is unset or still carries the CHANGE_ME placeholder.
# Uncomment and fill in only when pointing at an external DB / Redis.
# DATABASE_URL=postgres://user:password@host:5432/deft
# REDIS_URL=redis://host:6379
# ── 2. Auth secrets ───────────────────────────────────
# Both REQUIRED. Generate each with: openssl rand -hex 32
JWT_SECRET=change-me-to-a-random-string
JWT_REFRESH_SECRET=change-me-to-another-random-string
# Symmetric key for encrypting per-org BYOK API keys at rest in orgs.ai_config.
# Defaults to a dev value — override before production. Must be exactly 32 chars.
ENCRYPTION_KEY=deft-dev-encryption-key-32ch
# ── 3. AI provider keys (optional fallbacks) ──────────
# Per-org BYOK is the recommended path — admins paste keys in Settings → AI.
# These env values are used as fallbacks when an org hasn't configured its own.
# The app boots without any key; AI features stay disabled until at least one
# provider is configured (env or org).
ANTHROPIC_API_KEY=
# OpenAI: used by the agent (when an org picks OpenAI), embeddings (semantic
# search), and OpenAI Whisper transcription.
OPENAI_API_KEY=
# OpenRouter: one key, many models. Used when an org picks OpenRouter.
OPENROUTER_API_KEY=
# Self-hosted Ollama. Uncomment only when an Ollama server is actually running;
# otherwise fresh installs should correctly show AI features as off.
# OLLAMA_URL=http://localhost:11434
# ── 3a. Voice transcription (optional) ────────────────
# Default: 'local' — calls a Whisper container on $WHISPER_URL.
# Spin one up with:
# docker run -d -p 9000:9000 --name deft-whisper \
# onerahmet/openai-whisper-asr-webservice:latest-cpu
# Set TRANSCRIPTION_PROVIDER=openai (uses OPENAI_API_KEY) or 'deepgram' for
# managed alternatives. Org-level config in Settings → AI takes precedence.
# TRANSCRIPTION_PROVIDER=local
# WHISPER_URL=http://localhost:9000
DEEPGRAM_API_KEY=
# ── 4. URLs & ports ───────────────────────────────────
# Change when deploying behind a custom domain or reverse proxy.
NEXT_PUBLIC_API_URL=http://localhost:3001
NEXT_PUBLIC_WS_URL=http://localhost:3001
NEXT_PUBLIC_APP_URL=http://localhost:3000
API_PORT=3001
# Optional Docker host port overrides. The app still listens on 3000/3001
# inside the container; these control the host-side published ports.
DEFT_WEB_PORT=3000
DEFT_API_PORT=3001
DEFT_BIND_HOST=127.0.0.1
DEFT_POSTGRES_PORT=5432
DEFT_REDIS_PORT=6379
# Optional local-only helper for heavy audit/certification runs.
# When set outside production, requests with x-deft-audit-token matching this
# value bypass API rate-limit middleware. Leave unset in normal dev and prod.
DEFT_AUDIT_BYPASS_TOKEN=
# ── 5. File storage ───────────────────────────────────
# Default: local filesystem at ./uploads (persisted via Docker volume).
# For Cloudflare R2, uncomment and fill in all four vars:
# R2_ENDPOINT=
# R2_ACCESS_KEY=
# R2_SECRET_KEY=
# R2_BUCKET=deft-uploads
# ── 6. Metrics scrape token (optional) ─────────────────
# Static bearer token Prometheus / Grafana Agent sends to GET /api/metrics.
# Leave unset to disable the scrape endpoint (returns 503).
# Generate with: openssl rand -hex 32
METRICS_SCRAPE_TOKEN=
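A preflight check for the constraints the comments above state (non-placeholder JWT secrets, a non-default POSTGRES_PASSWORD, an ENCRYPTION_KEY of exactly 32 characters, no DEFT_AUDIT_BYPASS_TOKEN in production), added here as an example and not part of the Deft project. The sample .env text is constructed from the placeholder values shown above; the parser and check functions are assumptions, not project code.

```python
import re
import secrets

# Constructed sample .env: the placeholder values from the .env.example above,
# as they would look if a developer copied the file without editing it.
SAMPLE_ENV = """
POSTGRES_PASSWORD=postgres
JWT_SECRET=change-me-to-a-random-string
JWT_REFRESH_SECRET=change-me-to-another-random-string
ENCRYPTION_KEY=deft-dev-encryption-key-32ch
DEFT_AUDIT_BYPASS_TOKEN=
# OLLAMA_URL=http://localhost:11434
"""

# Patterns that mark a value as a placeholder rather than a real secret.
PLACEHOLDER = re.compile(r"change[-_]?me|dev-encryption", re.IGNORECASE)
WEAK_DB_PASSWORDS = {"", "postgres", "password", "admin"}

def parse_env(text):
    """Minimal .env parser (hypothetical helper): KEY=VALUE lines only;
    blank lines and '#' comments are skipped, surrounding quotes dropped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(env, production=True):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for key in ("JWT_SECRET", "JWT_REFRESH_SECRET"):
        val = env.get(key, "")
        if PLACEHOLDER.search(val) or len(val) < 32:
            findings.append(f"{key}: placeholder or shorter than 32 chars")
    if env.get("POSTGRES_PASSWORD", "") in WEAK_DB_PASSWORDS:
        findings.append("POSTGRES_PASSWORD: empty or a common default")
    enc = env.get("ENCRYPTION_KEY", "")
    if len(enc) != 32:
        findings.append(f"ENCRYPTION_KEY: must be exactly 32 chars, got {len(enc)}")
    elif PLACEHOLDER.search(enc):
        findings.append("ENCRYPTION_KEY: dev default must be overridden")
    if production and env.get("DEFT_AUDIT_BYPASS_TOKEN"):
        findings.append("DEFT_AUDIT_BYPASS_TOKEN: must be unset in production")
    return findings

def generate_secret(num_bytes=32):
    """Same output shape as `openssl rand -hex 32`: 2*num_bytes hex chars."""
    return secrets.token_hex(num_bytes)
```

Run against the placeholders as shipped, it reports four findings, one of them that the bundled ENCRYPTION_KEY default is 28 characters rather than the 32 the comment requires.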