# =============================================================================
# SafeOS Guardian - Environment Configuration
# =============================================================================
#
# Copy this file to .env (or .env.production for prod) and fill in the values
# that apply to your deployment. The PWA itself runs entirely offline; this
# file only matters if you deploy the optional API server.
#
# Required (only if running the API server):
# - SAFEOS_DOMAIN: Your API domain for HTTPS
# - CORS_ORIGIN: Your GitHub Pages / PWA host URL
#
# Optional integrations (all opt-in):
# - Resend API key for transactional + alert email
# - Twilio / Telegram credentials for fan-out alerts
# - VAPID keys for browser push notifications
# - Ollama host for local LLM scene analysis
# - OpenRouter / OpenAI / Anthropic for cloud fallback
#
# =============================================================================
# Server Configuration
# =============================================================================
NODE_ENV=production
# API server port (internal, Caddy handles external)
SAFEOS_PORT=3001
# SQLite database path (persistent volume)
SAFEOS_DB_PATH=/app/db_data/safeos.sqlite3
# =============================================================================
# Domain & CORS Configuration
# =============================================================================
# Your API domain (for Caddy HTTPS)
# Example: safeos-api.yourdomain.com
SAFEOS_DOMAIN=safeos-api.yourdomain.com
# Frontend origin for CORS
# For GitHub Pages: https://yourusername.github.io
# For custom domain: https://safeos.yourdomain.com
CORS_ORIGIN=https://yourusername.github.io
# =============================================================================
# Ollama AI Configuration
# =============================================================================
# Ollama server (internal Docker network)
OLLAMA_HOST=http://ollama:11434
# Models to pre-pull and cache on `docker compose up` (space or comma separated).
# Tiers (see src/lib/ollama/models.ts):
#   moondream            triage    ~1.7 GB download, ~2 GB RAM
#   llava:7b             analysis  ~4 GB download,   ~8 GB RAM
#   llama3.2-vision:11b  complex   ~7 GB download,   ~16 GB RAM
# The 11B model needs a 16 GB host; add it only if you have the RAM.
OLLAMA_MODELS=moondream llava:7b
# =============================================================================
# Frontend (UI) - baked into the static export at build time
# =============================================================================
#
# The browser uses these to reach the API. They are inlined when the ui image
# is built, so change them and rebuild ui if the API is not on localhost:3001.
# For a site served over HTTPS, use your API origin with https:// and wss://
# (matching SAFEOS_DOMAIN / CORS_ORIGIN above), for example:
# NEXT_PUBLIC_API_URL=https://safeos-api.yourdomain.com
# NEXT_PUBLIC_WS_URL=wss://safeos-api.yourdomain.com
NEXT_PUBLIC_API_URL=http://localhost:3001
NEXT_PUBLIC_WS_URL=ws://localhost:3001
# =============================================================================
# Web Push Notifications (VAPID Keys)
# =============================================================================
#
# Generate with: npx web-push generate-vapid-keys
#
# Required for browser push notifications to work
VAPID_PUBLIC_KEY=
VAPID_PRIVATE_KEY=
VAPID_EMAIL=admin@yourdomain.com
# =============================================================================
# SMS Alerts via Twilio (Optional)
# =============================================================================
#
# Sign up at: https://www.twilio.com/
# Pricing: ~$0.01 per SMS
TWILIO_ACCOUNT_SID=
TWILIO_AUTH_TOKEN=
TWILIO_PHONE_NUMBER=
# =============================================================================
# Telegram Alerts (Optional)
# =============================================================================
#
# Create bot with @BotFather: https://t.me/BotFather
# Free unlimited messages
TELEGRAM_BOT_TOKEN=
# =============================================================================
# Email Alerts via Resend (Optional, but recommended)
# =============================================================================
#
# Resend is used for two things:
# 1. Transactional auth email — account verification, password reset.
# 2. Alert email — high/critical severity events when the user opts in.
#
# Sign up at https://resend.com (free tier: 3,000 emails/month).
# Verify a sending domain or use Resend's onboarding sandbox domain.
#
# Users can BYO their own Resend key on the Settings → Notifications page;
# this server-level value is the fallback used for transactional auth mail.
RESEND_API_KEY=
EMAIL_FROM="SafeOS Guardian <alerts@yourdomain.com>"
EMAIL_REPLY_TO="team@yourdomain.com"
# =============================================================================
# AI API Keys (Optional - for cloud fallback)
# =============================================================================
#
# Not required if using Ollama locally
# Useful as fallback when local AI is slow/unavailable
OPENROUTER_API_KEY=
OPENAI_API_KEY=
ANTHROPIC_API_KEY=
# =============================================================================
# Redis (Optional - for scaling)
# =============================================================================
#
# Enable with: docker compose -f docker-compose.prod.yml --profile with-redis up -d
REDIS_URL=redis://redis:6379
# =============================================================================
# Rate Limiting
# =============================================================================
# API rate limit (requests per minute per IP)
RATE_LIMIT_RPM=60
# =============================================================================
# Logging
# =============================================================================
# Log level: debug, info, warn, error
LOG_LEVEL=info
# =============================================================================
# Security
# =============================================================================
# JWT secret for session tokens
# Generate with: openssl rand -hex 32
JWT_SECRET=
# Session expiry (in seconds, default 7 days)
SESSION_EXPIRY=604800
# =============================================================================
# Analytics (Optional)
# =============================================================================
#
# Only set these for your own deployment - they won't be included in builds
# unless explicitly configured.
# Google Analytics Measurement ID (e.g., G-XXXXXXXXXX)
NEXT_PUBLIC_GA_ID=
# Microsoft Clarity Project ID (e.g., abc123xyz)
NEXT_PUBLIC_CLARITY_ID=