-
Notifications
You must be signed in to change notification settings - Fork 28
Expand file tree
/
Copy path.env.production.example
More file actions
168 lines (146 loc) · 7.35 KB
/
Copy path.env.production.example
File metadata and controls
168 lines (146 loc) · 7.35 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
# Vulcan Production Environment Configuration (Docker)
# Copy this file to .env for production Docker deployments
#
# IMPORTANT: Generate secure secrets with: ./setup-docker-secrets.sh
# =============================================================================
# REQUIRED: Database Configuration
# =============================================================================
# Generate with: openssl rand -hex 33
POSTGRES_PASSWORD=CHANGE_ME_USE_SETUP_SCRIPT
# =============================================================================
# REQUIRED: Rails Security Keys
# =============================================================================
# Generate with: ./setup-docker-secrets.sh or openssl rand -hex 64
SECRET_KEY_BASE=CHANGE_ME_USE_SETUP_SCRIPT
CIPHER_PASSWORD=CHANGE_ME_USE_SETUP_SCRIPT
CIPHER_SALT=CHANGE_ME_USE_SETUP_SCRIPT
# =============================================================================
# REQUIRED: Authentication (Configure at least one)
# =============================================================================
# --- Option 1: OIDC/OAuth2 (Recommended) ---
VULCAN_ENABLE_OIDC=true
VULCAN_OIDC_PROVIDER_TITLE=Your Organization
VULCAN_OIDC_ISSUER_URL=https://your-identity-provider.com
VULCAN_OIDC_CLIENT_ID=your_production_client_id
VULCAN_OIDC_CLIENT_SECRET=your_production_client_secret
VULCAN_OIDC_REDIRECT_URI=https://vulcan.your-org.com/users/auth/oidc/callback
# With auto-discovery enabled (v2.2+), endpoints are discovered automatically
# from the issuer's /.well-known/openid-configuration endpoint
VULCAN_OIDC_DISCOVERY=true
# --- Option 2: LDAP/Active Directory ---
VULCAN_ENABLE_LDAP=false
# VULCAN_LDAP_HOST=ldap.your-org.com
# VULCAN_LDAP_PORT=636
# VULCAN_LDAP_ENCRYPTION=simple_tls
# VULCAN_LDAP_BASE=dc=your-org,dc=com
# VULCAN_LDAP_BIND_DN=cn=vulcan,ou=services,dc=your-org,dc=com
# VULCAN_LDAP_ADMIN_PASS=secure_ldap_password
# VULCAN_LDAP_TITLE=Corporate LDAP
# VULCAN_LDAP_ATTRIBUTE=sAMAccountName
# --- Option 3: Local Login (Not recommended for production) ---
VULCAN_ENABLE_LOCAL_LOGIN=false
VULCAN_ENABLE_USER_REGISTRATION=false
# Session timeout: plain seconds (900), or with suffix: 30s, 15m, 1h
# Plain numbers: 1-9=hours, 10-299=minutes, 300+=seconds
# DoD standard: 900 (15 min) for non-privileged, 600 (10 min) for admin
VULCAN_SESSION_TIMEOUT=15m
# Remember Me: keep user logged in across browser restarts
# Disable for DoD/high-security environments
VULCAN_ENABLE_REMEMBER_ME=false
# VULCAN_REMEMBER_ME_DURATION=8h
# --- Admin Bootstrap (Production) ---
# Disable first-user-admin for production (security best practice)
VULCAN_FIRST_USER_ADMIN=false
# Create admin via environment variables instead (recommended):
# VULCAN_ADMIN_EMAIL=admin@your-org.com
# VULCAN_ADMIN_PASSWORD=your_secure_password_here
# If password is omitted, a secure random password will be generated and logged
# =============================================================================
# REQUIRED: Application Settings
# =============================================================================
VULCAN_APP_URL=https://vulcan.your-org.com
VULCAN_CONTACT_EMAIL=vulcan-admin@your-org.com
VULCAN_WELCOME_TEXT=Welcome to Your Organization's Vulcan Instance
# Project creation permissions
VULCAN_PROJECT_CREATE_PERMISSION_ENABLED=true
# =============================================================================
# OPTIONAL: Email Configuration
# =============================================================================
VULCAN_ENABLE_SMTP=true
VULCAN_SMTP_ADDRESS=smtp.your-org.com
VULCAN_SMTP_PORT=587
VULCAN_SMTP_DOMAIN=your-org.com
VULCAN_SMTP_AUTHENTICATION=plain
VULCAN_SMTP_ENABLE_STARTTLS_AUTO=true
VULCAN_SMTP_SERVER_USERNAME=vulcan@your-org.com # Optional: Defaults to VULCAN_CONTACT_EMAIL
VULCAN_SMTP_SERVER_PASSWORD=secure_smtp_password
# Optional: Email confirmation for new users
VULCAN_ENABLE_EMAIL_CONFIRMATION=false
# =============================================================================
# OPTIONAL: Account Lockout (STIG AC-07 — enabled by default)
# =============================================================================
# Lock accounts after consecutive failed login attempts.
# Defaults are STIG AC-07 compliant (3 attempts, 15 min unlock).
# VULCAN_LOCKOUT_ENABLED=true
# VULCAN_LOCKOUT_MAX_ATTEMPTS=3
# VULCAN_LOCKOUT_UNLOCK_IN_MINUTES=15
# VULCAN_LOCKOUT_UNLOCK_STRATEGY=both
# VULCAN_LOCKOUT_LAST_ATTEMPT_WARNING=true
# =============================================================================
# OPTIONAL: Classification Banner & Consent
# =============================================================================
# Display a colored classification banner at top and bottom of every page
# DoD standard colors: UNCLASSIFIED=#007a33, CUI=#502b85, CONFIDENTIAL=#0033a0,
# SECRET=#c8102e, TOP SECRET=#ff671f, TS/SCI=#f7ea48 (text: #000000)
VULCAN_BANNER_ENABLED=false
# VULCAN_BANNER_TEXT=UNCLASSIFIED
# VULCAN_BANNER_BACKGROUND_COLOR=#007a33
# VULCAN_BANNER_TEXT_COLOR=#ffffff
# Consent/terms-of-use modal — blocks access until user clicks "I Agree"
# Acknowledgment is tracked server-side in the Rails session (AC-8 compliant).
# Increment VULCAN_CONSENT_VERSION to re-prompt all users.
# Content supports Markdown formatting (bold, lists, links, etc.)
VULCAN_CONSENT_ENABLED=false
# VULCAN_CONSENT_VERSION=1
# VULCAN_CONSENT_TITLE=Terms of Use
# VULCAN_CONSENT_CONTENT=By using this system you agree to the **acceptable use policy**.
# How long consent remains valid: 0 = per-session (DoD default), or e.g. 24h, 12h, 30m
VULCAN_CONSENT_TTL=0
# =============================================================================
# OPTIONAL: Password Policy (DoD-aligned defaults — usually no changes needed)
# =============================================================================
# VULCAN_PASSWORD_MIN_LENGTH=15
# VULCAN_PASSWORD_MIN_UPPERCASE=2
# VULCAN_PASSWORD_MIN_LOWERCASE=2
# VULCAN_PASSWORD_MIN_NUMBER=2
# VULCAN_PASSWORD_MIN_SPECIAL=2
# =============================================================================
# OPTIONAL: Slack Integration
# =============================================================================
VULCAN_ENABLE_SLACK_COMMS=false
# VULCAN_SLACK_API_TOKEN=xoxb-your-production-token
# VULCAN_SLACK_CHANNEL_ID=C1234567890
# =============================================================================
# OPTIONAL: Container/Cloud Logging
# =============================================================================
# Enable structured logging for CloudWatch, Splunk, etc.
RAILS_LOG_TO_STDOUT=true
STRUCTURED_LOGGING=true
# =============================================================================
# OPTIONAL: Performance Tuning
# =============================================================================
# Rails performance settings
RAILS_MAX_THREADS=5
WEB_CONCURRENCY=2
# Force HTTPS redirects. Defaults to true (secure by default).
# Set to false ONLY for Docker quickstart without SSL termination.
# When behind a reverse proxy (nginx, traefik), keep this true as the
# proxy handles SSL termination and sets X-Forwarded-Proto header.
RAILS_FORCE_SSL=true
# Serve static files (required for Docker)
RAILS_SERVE_STATIC_FILES=true
# =============================================================================
# SSL CERTIFICATES (Corporate Proxy)
# =============================================================================
# If behind a corporate proxy, place certificates in ./certs/ directory
# See certs/README.md for instructions