# =============================================================================
# Organization Stack - Configuration Template
# =============================================================================
# Self-hosted authentication and collaboration stack with SSO
# Components: lldap (LDAP), Authelia (SSO/2FA), Gitea (Git), JSPWiki (Wiki)
#
# This is the single source of truth for all configuration.
# Copy this file to .env and customize for your deployment.
#
# Quick start (ALL FROM YOUR LOCAL MACHINE):
#   1. Copy: cp .env.example .env
#   2. Edit .env: BASE_DOMAIN, REMOTE_USER, REMOTE_HOST, SMTP settings
#   3. Run: ./deploy.sh (syncs to remote and starts services)
#
# The .env file stays on your local machine. deploy.sh syncs it to remote.
#
# SECURITY: once customized, .env contains secrets (SMTP_PASSWORD and the
# auto-generated GITEA_OIDC_CLIENT_SECRET below). Only .env.example belongs
# in version control - make sure .env is git-ignored - and keep the file
# owner-readable only (chmod 600 .env). Because deploy.sh copies it to
# REMOTE_PATH, anyone with read access to that directory on the remote host
# (e.g. every member of ADMIN_GROUP, if group permissions are applied there)
# can read these secrets.
# =============================================================================

#=============================================================================
# DOMAIN CONFIGURATION
#=============================================================================

# Base domain for all services - CHANGE THIS TO YOUR ACTUAL DOMAIN
# All services will be accessible as subdomains of this domain
BASE_DOMAIN=example.com

# Service subdomains (creates: git.example.com, wiki.example.com, etc.)
GITEA_SUBDOMAIN=git
WIKI_SUBDOMAIN=wiki
AUTHELIA_SUBDOMAIN=auth
LLDAP_SUBDOMAIN=ldap
REGISTRATION_SUBDOMAIN=register

# LDAP Base DN - automatically derived from BASE_DOMAIN
# Leave as AUTO to generate from BASE_DOMAIN (example.com -> dc=example,dc=com)
# Or manually specify: LDAP_BASE_DN=dc=myorg,dc=local
LDAP_BASE_DN=AUTO

#=============================================================================
# REMOTE SERVER CONFIGURATION
#=============================================================================

# SSH connection details for deployment
# The deploy script uses rsync over SSH to deploy files to your remote server.
# NOTE(review): because the sync carries secrets, make sure the remote host's
# SSH host key is already trusted in your known_hosts before the first run,
# so the transfer cannot be silently redirected to another machine.
REMOTE_USER=deploy
REMOTE_HOST=example.com
REMOTE_PORT=22

# Remote installation path
# Recommended for multi-admin production: /opt/org-stack (requires sudo setup)
# Alternative for single admin: org-stack (relative to home, /home/$REMOTE_USER/org-stack)
REMOTE_PATH=/opt/org-stack

# Unix group for multi-admin access (optional)
# If set, deploy.sh will configure group ownership and permissions
# All admins should be members of this group (e.g., sudo usermod -aG orgstack admin1)
# Leave empty for single-user deployments.
# Membership of this group grants read access to the synced .env and, presumably,
# the secrets/ directory - add only people who should hold those secrets.
ADMIN_GROUP=orgstack

#=============================================================================
# TLS/SSL CONFIGURATION
#=============================================================================

# Certificate mode:
#   false = Let's Encrypt (production) - Trusted certificates, requires DNS
#   true  = Self-signed (testing)      - Browser warnings, no DNS required
#
# Recommended workflow:
#   1. Test with USE_SELF_SIGNED_CERTS=true (avoids Let's Encrypt rate limits)
#   2. Switch to false for production once everything works
#
# Do not leave self-signed certificates enabled for a deployment that real
# users log into: the browser cannot verify the server's identity, so users
# are trained to click through warnings and their passwords, TOTP codes and
# session cookies could be sent to an impostor.
USE_SELF_SIGNED_CERTS=false

#=============================================================================
# AUTHENTICATION CONFIGURATION
#=============================================================================

# Two-Factor Authentication (TOTP) requirement:
#   true  = Require 2FA for all services (recommended for production)
#   false = Username/password only (easier for testing)
# With false, a single phished or reused password is enough to reach every
# service behind Authelia - keep it only for installs that are not reachable
# from the internet.
REQUIRE_2FA=true

#=============================================================================
# USER REGISTRATION CONFIGURATION
#=============================================================================

# Self-service user registration with admin approval
# Public users can submit registration requests at register.example.com
# Admins approve/reject requests at register.example.com/admin (requires Authelia login)

# Admin email for registration notifications
REGISTRATION_ADMIN_EMAIL="admin@yourdomain.com"

# Email notifications via SMTP
# When SMTP_ENABLED=false, emails are logged to /data/emails.log instead.
# That log then holds everything that would have been mailed (registration
# details, notifications) - treat it as sensitive and do not ship it around.
#
# IMPORTANT: Always quote string values.
# NOTE(review): double quotes do NOT make every character literal - in POSIX
# shell and in Docker Compose env-file syntax a "$" inside double quotes is
# still expanded. If SMTP_PASSWORD (or any value) contains "$", "`" or "\",
# use single quotes instead and confirm against how deploy.sh reads this file.
SMTP_ENABLED=false
SMTP_HOST="smtp.example.com"
SMTP_PORT=587
SMTP_USER="your-username"
SMTP_PASSWORD="your-password"
SMTP_FROM="noreply@yourdomain.com"
# true = STARTTLS/TLS to the mail server. Setting this to false sends
# SMTP_USER/SMTP_PASSWORD to the relay in clear text.
SMTP_USE_TLS=true

#=============================================================================
# NETWORK CONFIGURATION
#=============================================================================

# External ports exposed on the host
# Security: All web (HTTP) services are accessible ONLY through the Caddy
# reverse proxy and require Authelia authentication.
HTTP_PORT=80
HTTPS_PORT=443

# Git SSH operations (git clone/push/pull).
# This port is exposed directly on the host and is NOT behind Caddy or
# Authelia: Git-over-SSH is authenticated by the SSH keys users register in
# Gitea. Firewall it to the networks that need Git access if possible.
GITEA_SSH_PORT=2222

# Timezone for all containers
TZ=Europe/Rome

#=============================================================================
# USER CONFIGURATION
#=============================================================================

# UID/GID for file permissions inside containers
# Set to match your remote server user's UID/GID (usually 1000:1000)
USER_UID=1000
USER_GID=1000

#=============================================================================
# SECRETS (auto-generated by deploy.sh)
#=============================================================================

# Secrets are stored as files in secrets/ directory for security best practices.
# The deploy script automatically generates all required secrets if they don't exist.
# Rotating one means deleting its file and re-running deploy.sh (existing
# sessions/tokens signed with the old key stop validating).
#
# File-based secrets (auto-generated in secrets/ directory):
#   secrets/lldap/JWT_SECRET                    - lldap JWT token signing key
#   secrets/lldap/LDAP_USER_PASS                - lldap admin password
#   secrets/authelia/JWT_SECRET                 - Authelia JWT signing key
#   secrets/authelia/SESSION_SECRET             - Session encryption key
#   secrets/authelia/STORAGE_ENCRYPTION_KEY     - Database encryption key
#   secrets/authelia/OIDC_HMAC_SECRET           - OIDC token HMAC key
#   secrets/authelia/OIDC_PRIVATE_KEY           - RSA private key for OIDC tokens
#   secrets/authelia/RESET_PASSWORD_JWT_SECRET  - JWT secret for password reset tokens
#
# Gitea OIDC client secret (stored in .env, auto-generated by deploy.sh)
# This is kept in .env because it needs to be hashed before use: the plaintext
# below is what Gitea presents to Authelia, while Authelia is configured with
# the hash. It is therefore the one cleartext secret that lives in this file -
# see the SECURITY note at the top. Leave empty to let deploy.sh generate it.
GITEA_OIDC_CLIENT_SECRET=

#=============================================================================
# ADVANCED CONFIGURATION
#=============================================================================

# These settings have sensible defaults. Only change if you know what you're doing.
# Durations use Authelia notation; the unit letter is case-sensitive
# (m = minutes, M = months).

# Authelia session lifespans
# Total session lifetime
SESSION_EXPIRATION=1h
# Inactivity timeout
SESSION_INACTIVITY=5m
# Remember-me duration (M = months) - a stolen remember-me cookie stays
# valid this long, so don't raise it casually
SESSION_REMEMBER_ME=1M

# Brute force protection (applies to the Authelia login portal)
# Failed login attempts before ban
MAX_RETRIES=3
# Time window for counting failed attempts
FIND_TIME=2m
# Ban duration after MAX_RETRIES failures
BAN_TIME=5m

# OIDC token lifespans (for Gitea SSO)
ACCESS_TOKEN_LIFESPAN=1h
AUTHORIZE_CODE_LIFESPAN=1m
ID_TOKEN_LIFESPAN=1h
REFRESH_TOKEN_LIFESPAN=90m