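# =============================================================================
# Organization Stack - Configuration Template
# =============================================================================
# Self-hosted authentication and collaboration stack with SSO
# Components: lldap (LDAP), Authelia (SSO/2FA), Gitea (Git), JSPWiki (Wiki)
#
# This is the single source of truth for all configuration.
# Copy this file to .env and customize for your deployment.
#
# Quick start (ALL FROM YOUR LOCAL MACHINE):
# 1. Copy: cp .env.example .env
# 2. Edit .env: BASE_DOMAIN, REMOTE_USER, REMOTE_HOST, SMTP settings
# 3. Run: ./deploy.sh (syncs to remote and starts services)
#
# The .env file stays on your local machine. deploy.sh syncs it to remote.
# .env holds credentials (SMTP_PASSWORD, GITEA_OIDC_CLIENT_SECRET): keep it out
# of version control and restrict its permissions (e.g. chmod 600 .env).
#
# Format: KEY=value, one per line. Comments go on their own line — not every
# .env parser strips a trailing "# ..." from a value, so never put one after
# a value.
# =============================================================================


#=============================================================================
# DOMAIN CONFIGURATION
#=============================================================================
# Base domain for all services - CHANGE THIS TO YOUR ACTUAL DOMAIN
# All services will be accessible as subdomains of this domain
BASE_DOMAIN=example.com

# Service subdomains (creates: git.example.com, wiki.example.com, etc.)
GITEA_SUBDOMAIN=git
WIKI_SUBDOMAIN=wiki
AUTHELIA_SUBDOMAIN=auth
LLDAP_SUBDOMAIN=ldap
REGISTRATION_SUBDOMAIN=register

# LDAP Base DN - automatically derived from BASE_DOMAIN
# Leave as AUTO to generate from BASE_DOMAIN (example.com → dc=example,dc=com)
# Or manually specify: LDAP_BASE_DN=dc=myorg,dc=local
LDAP_BASE_DN=AUTO


#=============================================================================
# REMOTE SERVER CONFIGURATION
#=============================================================================
# SSH connection details for deployment
# The deploy script uses rsync over SSH to deploy files to your remote server
REMOTE_USER=deploy
REMOTE_HOST=example.com
REMOTE_PORT=22

# Remote installation path
# Recommended for multi-admin production: /opt/org-stack (requires sudo setup)
# Alternative for single admin: org-stack (relative to home, /home/$REMOTE_USER/org-stack)
REMOTE_PATH=/opt/org-stack

# Unix group for multi-admin access (optional)
# If set, deploy.sh will configure group ownership and permissions
# All admins should be members of this group (e.g., sudo usermod -aG orgstack admin1)
# Leave empty for single-user deployments
ADMIN_GROUP=orgstack


#=============================================================================
# TLS/SSL CONFIGURATION
#=============================================================================
# Certificate mode:
# false = Let's Encrypt (production) - Trusted certificates, requires DNS
# true = Self-signed (testing) - Browser warnings, no DNS required
#
# Recommended workflow:
# 1. Test with USE_SELF_SIGNED_CERTS=true (avoids Let's Encrypt rate limits)
# 2. Switch to false for production once everything works
USE_SELF_SIGNED_CERTS=false


#=============================================================================
# AUTHENTICATION CONFIGURATION
#=============================================================================
# Two-Factor Authentication (TOTP) requirement:
# true = Require 2FA for all services (recommended for production)
# false = Username/password only (easier for testing)
REQUIRE_2FA=true


#=============================================================================
# USER REGISTRATION CONFIGURATION
#=============================================================================
# Self-service user registration with admin approval
# Public users can submit registration requests at register.example.com
# Admins approve/reject requests at register.example.com/admin (requires Authelia login)

# Admin email for registration notifications
REGISTRATION_ADMIN_EMAIL="admin@yourdomain.com"

# Email notifications via SMTP
# When SMTP_ENABLED=false, emails are logged to /data/emails.log instead
# IMPORTANT: Always quote string values - handles any special characters automatically
SMTP_ENABLED=false
SMTP_HOST="smtp.example.com"
SMTP_PORT=587
SMTP_USER="your-username"
SMTP_PASSWORD="your-password"
SMTP_FROM="noreply@yourdomain.com"
# Keep this true whenever SMTP_ENABLED=true so SMTP_USER/SMTP_PASSWORD are not
# sent to the mail server in cleartext
SMTP_USE_TLS=true


#=============================================================================
# NETWORK CONFIGURATION
#=============================================================================
# External ports exposed on the host
# Security: All web services accessible ONLY through Caddy reverse proxy
# All services require Authelia authentication
HTTP_PORT=80
HTTPS_PORT=443
# Git SSH operations (git clone/push/pull)
# NOTE(review): this port is exposed directly on the host, not through Caddy,
# so the Authelia gate above does not apply to it; Git over SSH presumably
# relies on Gitea's own SSH key authentication - confirm in the compose file
GITEA_SSH_PORT=2222

# Timezone for all containers
TZ=Europe/Rome


#=============================================================================
# USER CONFIGURATION
#=============================================================================
# UID/GID for file permissions inside containers
# Set to match your remote server user's UID/GID (usually 1000:1000)
USER_UID=1000
USER_GID=1000


#=============================================================================
# SECRETS (auto-generated by deploy.sh)
#=============================================================================
# Secrets are stored as files in secrets/ directory for security best practices.
# The deploy script automatically generates all required secrets if they don't exist.
#
# File-based secrets (auto-generated in secrets/ directory):
# secrets/lldap/JWT_SECRET - lldap JWT token signing key
# secrets/lldap/LDAP_USER_PASS - lldap admin password
# secrets/authelia/JWT_SECRET - Authelia JWT signing key
# secrets/authelia/SESSION_SECRET - Session encryption key
# secrets/authelia/STORAGE_ENCRYPTION_KEY - Database encryption key
# secrets/authelia/OIDC_HMAC_SECRET - OIDC token HMAC key
# secrets/authelia/OIDC_PRIVATE_KEY - RSA private key for OIDC tokens
# secrets/authelia/RESET_PASSWORD_JWT_SECRET - JWT secret for password reset tokens
#
# Gitea OIDC client secret (stored in .env, auto-generated by deploy.sh)
# This is kept in .env because it needs to be hashed before use
# Leave empty here; deploy.sh fills it in. Treat the filled-in .env as a secret.
GITEA_OIDC_CLIENT_SECRET=


#=============================================================================
# ADVANCED CONFIGURATION
#=============================================================================
# These settings have sensible defaults. Only change if you know what you're doing.

# Authelia session lifespans
# Total session lifetime
SESSION_EXPIRATION=1h
# Inactivity timeout
SESSION_INACTIVITY=5m
# Remember-me duration (M = months)
SESSION_REMEMBER_ME=1M

# Brute force protection
# Failed login attempts before ban
MAX_RETRIES=3
# Time window for counting failed attempts
FIND_TIME=2m
# Ban duration after MAX_RETRIES failures
BAN_TIME=5m

# OIDC token lifespans (for Gitea SSO)
ACCESS_TOKEN_LIFESPAN=1h
AUTHORIZE_CODE_LIFESPAN=1m
ID_TOKEN_LIFESPAN=1h
REFRESH_TOKEN_LIFESPAN=90m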