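# ─────────────────────────────────────────────────────────────────
# Dezky Local Development — Environment Variables
# ─────────────────────────────────────────────────────────────────
#
# Copy this file to .env and fill in the values.
# Generate secure random values with: openssl rand -hex 32
# (openssl rand -hex N prints 2*N hex characters.)
#
# DO NOT commit .env to git.
#
# This template IS committed, so every changeme_* value below is known to
# anyone who can read the repository. Each one is also a non-empty, valid
# string, and nothing in this file stops a service from starting with it.
# Replace every placeholder before first boot, and generate a separate
# value per variable rather than reusing one.
#
# Keep .env readable by your own user only (e.g. chmod 600 .env).
#
# Format: one KEY=value per line, with comments on their own lines. Some
# env-file parsers treat text after the value as part of the value.
# ─────────────────────────────────────────────────────────────────

# ────────────────────────────────────────
# Database root passwords
# ────────────────────────────────────────
POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
MONGO_ROOT_PASSWORD=changeme_use_openssl_rand
REDIS_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Per-service DB passwords
# ────────────────────────────────────────
# Use values different from the root passwords above, so that a leaked
# service credential does not also expose the database root account.
AUTHENTIK_DB_PASSWORD=changeme_use_openssl_rand
OCIS_DB_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Authentik
# ────────────────────────────────────────
# AUTHENTIK_SECRET_KEY must be 50+ chars
# (openssl rand -hex 50 prints 100 hex characters, which satisfies this.)
AUTHENTIK_SECRET_KEY=changeme_run_openssl_rand_hex_50
# The placeholder below is itself a working password, and it is published
# with this template. Prefer setting a random value before first boot, and
# still change it after the first login as the name says.
AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
# AUTHENTIK_BOOTSTRAP_TOKEN is used by the provisioning service to call Authentik API
# NOTE(review): presumably this token carries the bootstrap admin's API
# rights. Treat it as admin-equivalent and confirm its scope in Authentik.
AUTHENTIK_BOOTSTRAP_TOKEN=changeme_use_openssl_rand_hex_32

# ────────────────────────────────────────
# Operator OIDC (dezky-operator)
# ────────────────────────────────────────
# The operator app differs from the portal: its OAuth provider is provisioned
# declaratively by the operator-application blueprint, which CONSUMES the secret
# below (rather than Authentik generating one for you to copy out). You must set
# a value BEFORE first boot — on a fresh environment the blueprint creates the
# provider with exactly this secret, and the operator container authenticates
# with the same value, so the two only agree if it's set here first.
# Booting with the placeholder therefore creates the provider with a
# publicly known client secret.
# Generate with: openssl rand -hex 64
OPERATOR_OIDC_CLIENT_ID=dezky-operator
OPERATOR_OIDC_CLIENT_SECRET=changeme_run_openssl_rand_hex_64

# ────────────────────────────────────────
# Stalwart Mail
# ────────────────────────────────────────
# Fallback admin login (config.toml authentication.fallback-admin). platform-api
# uses admin + this password for Basic auth on the JMAP management API.
# Basic auth sends this password with every request.
# NOTE(review): confirm the management API is only reachable over TLS or
# an internal network.
STALWART_ADMIN_USER=admin
STALWART_ADMIN_PASSWORD=changeme_use_openssl_rand
# HMAC secret Stalwart signs its audit webhook POSTs with (verified by
# platform-api at /ingest/stalwart/webhook). openssl rand -hex 32
# The signature check is only as strong as this value. A placeholder or
# guessable secret means the check no longer proves that Stalwart sent
# the request.
STALWART_WEBHOOK_SECRET=changeme_use_openssl_rand_hex_32
# Set true to let platform-api create/delete domains + DKIM in Stalwart from the
# customer-admin Domains page. Off by default (domain steps record 'skipped').
# Leave this false unless the feature is needed: enabling it lets
# platform-api make changes in Stalwart using the admin credential above.
STALWART_PROVISIONING_ENABLED=false

# ────────────────────────────────────────
# OCIS
# ────────────────────────────────────────
OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand
# Dedicated OCIS service user (Authentik) used by platform-api to read drive
# quotas for the Storage page via an OIDC password grant. Must exist in
# Authentik, have access to the OCIS application, and hold the OCIS admin role
# (required to list all drives). See docs/NEXT-STEPS.md.
# Because the account holds the OCIS admin role and authenticates with its
# password alone, treat OCIS_SVC_PASSWORD as an admin credential. Keep it
# unique and random, and do not reuse the account for interactive logins.
OCIS_SVC_USERNAME=svc-platform-api
OCIS_SVC_PASSWORD=changeme_use_openssl_rand
# OCIS account UUID of the service user, used to grant it the OCIS admin role at
# startup (required for libregraph ListAllDrives). Populate after the OCIS
# bootstrap autoprovisions the account (see docs/NEXT-STEPS.md). Leave empty
# until then.
# Double-check the UUID before setting it: whichever account it names is
# the one that receives the admin role.
OCIS_ADMIN_USER_ID=

# ────────────────────────────────────────
# Collabora
# ────────────────────────────────────────
COLLABORA_ADMIN_PASSWORD=changeme_use_openssl_rand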