# --- Shared env vars ---
# Example environment for the docker-compose stack. Every value here is a
# development default or a placeholder; copy this file to `.env`, replace the
# placeholders and default credentials, and keep the real `.env` out of version
# control.
LOG_LEVEL=INFO
COMPOSE_PROJECT_NAME=tracecat
COMPOSE_BAKE=true
# --- Network configuration ---
# The URLs below are derived from PUBLIC_APP_PORT / PUBLIC_APP_URL; change the
# port or scheme once here and the dependent values follow.
PUBLIC_APP_PORT=80
PUBLIC_APP_URL=http://localhost:${PUBLIC_APP_PORT}
PUBLIC_API_URL=${PUBLIC_APP_URL}/api
# Service-to-service URL on the compose network (container name `api`)
INTERNAL_API_URL=http://api:8000
# --- Caddy env vars ---
BASE_DOMAIN=:${PUBLIC_APP_PORT}
# 0.0.0.0 binds every interface; if the host is reachable from untrusted
# networks, restrict this or firewall the port.
ADDRESS=0.0.0.0
# --- Frontend env vars ---
# Important: environment variables prefixed with `NEXT_PUBLIC_` are exposed to the browser client,
# so they must never carry secrets.
# You may need to adjust the domain (default `localhost`) based on your setup
# Containers in the same network can communicate with each other using the service name
# Or you can use the host.docker.internal to communicate with the host machine
NODE_ENV=development
NEXT_PUBLIC_APP_ENV=development
# The frontend app URL
NEXT_PUBLIC_APP_URL=${PUBLIC_APP_URL}
# Allows the browser to communicate with the backend
NEXT_PUBLIC_API_URL=${PUBLIC_API_URL}
# Allows the frontend server (inside docker) to communicate with the backend server (inside docker)
NEXT_SERVER_API_URL=${INTERNAL_API_URL}
# --- App and DB env vars ---
# One of `development`, `staging`, or `production`
TRACECAT__APP_ENV=development
# Used to encrypt/decrypt sensitive keys in the database
# Can be generated using `python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"`
# Placeholder value: replace before first start. NOTE(review): changing it once
# data has been written presumably makes existing encrypted values unreadable —
# confirm before rotating.
TRACECAT__DB_ENCRYPTION_KEY=your-tracecat-db-fernet-key
# Used to authenticate with Tracecat services
# Can be generated using `openssl rand -hex 32`
# Placeholder value: replace before any deployment; treat it like a password.
TRACECAT__SERVICE_KEY=your-tracecat-service-key
# TTL in seconds for executor tokens (900 s = 15 minutes)
TRACECAT__EXECUTOR_TOKEN_TTL_SECONDS=900
# Used to generate private webhook URLs
# Can be generated using `openssl rand -hex 32`
# Placeholder value: replace before any deployment. Anyone holding this secret
# can presumably derive the private webhook URLs, so rotate it if it leaks.
TRACECAT__SIGNING_SECRET=your-tracecat-signing-secret
# API Service URL
TRACECAT__API_URL=${INTERNAL_API_URL}
# Root path to deal with extra path prefix behind the reverse proxy
TRACECAT__API_ROOT_PATH=/api
# This is the public URL for the frontend
TRACECAT__PUBLIC_APP_URL=${PUBLIC_APP_URL}
# This is the public URL for incoming webhooks
# If you wish to expose your webhooks to the internet, you can use a tunneling service like ngrok.
# If using ngrok, run `ngrok http --domain=INSERT_STATIC_NGROK_DOMAIN_HERE 8001`
# to start ngrok and update this with the forwarding URL
TRACECAT__PUBLIC_API_URL=${PUBLIC_API_URL}
# CORS (comma-separated string of allowed origins)
# Keep this to the exact origins that serve the frontend; do not widen it to a wildcard.
TRACECAT__ALLOW_ORIGINS=http://localhost:3000,${PUBLIC_APP_URL}
# Postgres SSL mode
# `disable` is only acceptable while Postgres is reachable solely on the private
# compose network; use `require` or stricter when the database is reached over
# any shared network.
TRACECAT__DB_SSLMODE=disable
# --- Postgres ---
# Default credentials for local development only. Set a strong, unique password
# before exposing this stack beyond localhost; note the password is also embedded
# in TRACECAT__DB_URI below and in any logs that print the URI.
TRACECAT__POSTGRES_USER=postgres
TRACECAT__POSTGRES_PASSWORD=postgres
TRACECAT__DB_URI=postgresql+psycopg://${TRACECAT__POSTGRES_USER}:${TRACECAT__POSTGRES_PASSWORD}@postgres_db:5432/postgres
# --- Authentication ---
# First user to promote to superadmin
TRACECAT__AUTH_SUPERADMIN_EMAIL=
# One or more comma-separated values from `basic`, `oidc`, `saml`
TRACECAT__AUTH_TYPES=basic
# One or more comma-separated domains, e.g. `example.com,example.org`
# Leave blank to allow all domains
# Restrict this for any deployment reachable by users outside your organisation.
TRACECAT__AUTH_ALLOWED_DOMAINS=
TRACECAT__AUTH_MIN_PASSWORD_LENGTH=12
# OIDC / OAuth
OIDC_ISSUER=
OIDC_CLIENT_ID=
# Secret: supply via the real `.env` or a secrets manager, never commit it.
OIDC_CLIENT_SECRET=
OIDC_SCOPES="openid profile email"
# MCP server (external IDE integrations)
# MCP OAuth behavior:
# - Requests `offline_access` by default to obtain refresh tokens when supported.
# - If upstream rejects that scope (invalid_scope), retries once without it.
# - If upstream omits `expires_in`, access token fallback TTL is 86400s (24 hours).
TRACECAT_MCP__BASE_URL=${PUBLIC_APP_URL}
# Lifetime in seconds of file-transfer URLs (300 s = 5 minutes)
TRACECAT_MCP__FILE_TRANSFER_URL_EXPIRY_SECONDS=300
TRACECAT_MCP__STARTUP_MAX_ATTEMPTS=3
TRACECAT_MCP__STARTUP_RETRY_DELAY_SECONDS=2
# Legacy aliases (still supported)
OAUTH_CLIENT_ID=
OAUTH_CLIENT_SECRET=
# Used for password reset and email verification tokens
# Can be generated using `openssl rand -hex 32`
# Placeholder value: replace before any deployment.
USER_AUTH_SECRET=your-auth-secret
# SAML SSO settings
SAML_IDP_METADATA_URL=
# Accepted clock difference between the IdP and this server (presumably in
# seconds — confirm against the SAML library); keep it small.
SAML_ACCEPTED_TIME_DIFF=3
# --- Temporal ---
TEMPORAL__CLUSTER_URL=temporal:7233
TEMPORAL__CLUSTER_QUEUE=tracecat-task-queue
TEMPORAL__CLUSTER_NAMESPACE=default
# Default credentials for local development only; change before any shared deployment.
TEMPORAL__POSTGRES_USER=temporal
TEMPORAL__POSTGRES_PASSWORD=temporal
TEMPORAL__UI_VERSION=latest
# Leave empty if not using Temporal Cloud
TEMPORAL__API_KEY=
# --- Executor ---
TRACECAT__EXECUTOR_BACKEND=direct
# `true` turns off the nsjail sandboxing of executor processes (as the name
# indicates) and is intended for local development; keep it `false` wherever
# third-party or untrusted actions can run — confirm the sandbox is available
# on the target host.
TRACECAT__DISABLE_NSJAIL=true
# --- Workflow Artifacts ---
# Retention period in days for workflow artifacts in blob storage.
# Objects older than this will be automatically deleted via S3 lifecycle rules.
# Set to 0 to disable automatic expiration.
# Default: 30 days (matches Temporal Cloud workflow history retention).
TRACECAT__WORKFLOW_ARTIFACT_RETENTION_DAYS=30
# --- Blob storage ---
TRACECAT__BLOB_STORAGE_BUCKET_WORKFLOW=tracecat-workflow
TRACECAT__BLOB_STORAGE_BUCKET_ATTACHMENTS=tracecat-attachments
TRACECAT__BLOB_STORAGE_BUCKET_REGISTRY=tracecat-registry
# --- MinIO ---
# Default credentials for local development only; change before any shared
# deployment — these grant full access to every bucket above.
MINIO_ROOT_USER=minio
MINIO_ROOT_PASSWORD=password
# --- Redis ---
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_URL=redis://${REDIS_HOST}:${REDIS_PORT}
# --- Cloud only ---
# Tracecat Cloud only, please ignore if self-hosted:
NEXT_PUBLIC_POSTHOG_KEY=
NEXT_PUBLIC_POSTHOG_HOST=https://us.i.posthog.com
NEXT_PUBLIC_DISABLE_SESSION_RECORDING=true
# --- Externalization ---
# Disabled by default in OSS; this example enables it explicitly.
TRACECAT__RESULT_EXTERNALIZATION_ENABLED=true
# Disabled by default; this example enables it explicitly.
TRACECAT__COLLECTION_MANIFESTS_ENABLED=true
# Threshold in bytes above which payloads are externalized to blob storage.
TRACECAT__RESULT_EXTERNALIZATION_THRESHOLD_BYTES=128000
# --- Local registry ---
# Enable this only for local-registry development. Leave disabled for normal remote/builtin registry use.
TRACECAT__LOCAL_REPOSITORY_ENABLED=false
# Absolute host path to the local registry package for Docker bind mounts.
# Placeholder path — replace when enabling the local registry.
TRACECAT__LOCAL_REPOSITORY_PATH=/absolute/path/to/internal-registry
# Keep the default unless you need extra import paths in the executor containers.
# Any directory added here is importable by executor code, so only list paths you control.
PYTHONPATH=/home/apiuser/.local:/app/local_registry
# --- Enterprise ---
# Feature flags (comma-separated list)
# Modifying the following flags requires a Tracecat Enterprise License.
# Features activated by feature flags may be gated behind a license key in the future.
TRACECAT__FEATURE_FLAGS=""
TRACECAT__EE_MULTI_TENANT=false