Nexus/.env.example
Hartmut 01f8974314
CI / Architecture Guardrails (pull_request) Successful in 2m59s
CI / Typecheck (pull_request) Successful in 6m41s
CI / Lint (pull_request) Successful in 4m18s
CI / Assistant Split Regression (pull_request) Successful in 5m6s
CI / Unit Tests (pull_request) Successful in 7m21s
CI / Build (pull_request) Successful in 5m21s
CI / Fresh-Linux Docker Deploy (pull_request) Failing after 38s
CI / E2E Tests (pull_request) Successful in 3m28s
CI / Release Images (pull_request) Has been skipped
rename(phase 3): compose/DB/infra names + stray code refs capakraken → nexus
- docker-compose.yml / .prod.yml / .ci.yml: project names, POSTGRES_DB/USER,
  pg_isready, DATABASE_URL, volume names (nexus_pgdata, nexus_prod_*)
- .github/workflows/ci.yml: POSTGRES_PASSWORD, pg_isready, psql credentials,
  GRANT statements, POSTGRES_PASSWORD=nexus_dev for Docker Deploy job
- scripts/db-target-guard.mjs: expectedDatabase default, NEXUS_EXPECTED_DB_NAME
- scripts/prisma-with-env.mjs, e2e/test-server.mjs: env-var rename
- packages/db/src/safe-destructive-env.ts + reset-dispo-import.ts: DB name set
- packages/db/src/destructive-db-guard.ts: PROTECTED_DATABASE_NAMES → "nexus"
- packages/db/src/destructive-db-guard.test.ts: all fixture DB names + comments
- .env.example, tooling/deploy/deploy.env.example: DATABASE_URL, image refs
- packages/api: Redis channel/key prefixes (rbac-invalidate, sse, ratelimit),
  logger service name, app-base-url log prefix
- E2E: DB container names, localStorage/sessionStorage keys, email domains
- scripts: architecture-guardrails filter, export/import-dev-seed defaults,
  harden-postgres defaults, start.sh pg_isready, worktree-hygiene fixture
- tooling/migrate/rename-to-nexus.sh: new maintenance-window cutover script

Only intentional capakraken survivor: anonymization.ts DEFAULT_ANONYMIZATION_SEED
(functional cryptographic constant — changing it would invalidate stored aliases).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-21 16:35:39 +02:00

115 lines
6.4 KiB
Bash

# ─────────────────────────────────────────────────────────────────────────────
# Nexus — environment variable reference
#
# Copy this file to .env and fill in the values before running the app.
# Lines starting with # are comments. Variables that are commented out
# (# VAR=...) are optional; variables left uncommented with an empty value
# (e.g. NEXTAUTH_SECRET=) are required and must be filled in.
#
# IMPORTANT: Never commit your actual .env file — it is gitignored.
# ─────────────────────────────────────────────────────────────────────────────
# ─── App / Auth ──────────────────────────────────────────────────────────────
# REQUIRED — Public URL of the app (with scheme, no trailing slash).
# Used in email links (invites, password reset) and as the Auth.js base URL.
# Must use https:// in production.
NEXTAUTH_URL=https://nexus.example.com
# REQUIRED — Secret used to sign and encrypt JWTs and session cookies.
# Generate one with: openssl rand -base64 32
# Must not be a known placeholder value in production (e.g. "changeme").
NEXTAUTH_SECRET=
# ─── Database ────────────────────────────────────────────────────────────────
# REQUIRED when starting Docker Compose — the postgres container initializes
# with this password and the app container derives its DATABASE_URL from it.
# No default is shipped; set any non-empty value for local dev and a generated
# secret in any shared or production environment.
# Generate one with: openssl rand -hex 32
POSTGRES_PASSWORD=
# REQUIRED — PostgreSQL connection string used by `pnpm dev` running on the
# host (outside Docker). The password in this URL must be identical to
# POSTGRES_PASSWORD above; the example value nexus_dev is for local dev only.
# Inside the app container this variable is overridden by docker-compose.yml,
# which points at the postgres service name on the internal network.
DATABASE_URL=postgresql://nexus:nexus_dev@localhost:5433/nexus
# ─── Redis ───────────────────────────────────────────────────────────────────
# REQUIRED in production — password for the Redis server.
# The Docker Compose prod stack passes this both to the redis-server process
# (--requirepass) and to the application via REDIS_URL.
# Generate one with: openssl rand -hex 32
REDIS_PASSWORD=
# Redis connection URL. Required for SSE (real-time updates) and for the
# "redis" rate-limit backend. When using Docker Compose it is set inside the
# container automatically (redis://redis:6379, carrying REDIS_PASSWORD in the
# prod stack); set it here only when running `pnpm dev` directly on the host.
# REDIS_URL=redis://localhost:6380
# Controls which backend is used for rate limiting.
# Values: "redis" (default, requires REDIS_URL) | "memory" (in-process, not
# suitable for multi-instance deployments).
# RATE_LIMIT_BACKEND=redis
# ─── SMTP ────────────────────────────────────────────────────────────────────
#
# SMTP settings can be configured here OR via the Admin → Settings UI.
# Environment variables override the database values at runtime.
# If neither is set, email sending is skipped and a warning is logged.
#
# For local development the Docker Compose stack includes MailHog
# (http://localhost:8025) — no SMTP configuration is needed there.
# SMTP_HOST=smtp.example.com
# SMTP_PORT=587
# SMTP_USER=no-reply@example.com
# SMTP_PASSWORD=
# SMTP_FROM=Nexus <no-reply@example.com>
# SMTP_TLS=true # "true" = SMTPS (port 465); "false" = STARTTLS or plain
# ─── pgAdmin (dev / Docker Compose only) ─────────────────────────────────────
# REQUIRED when starting Docker Compose with the `full` profile.
# Used as the password for the pgAdmin web UI (http://localhost:5050).
PGADMIN_PASSWORD=
# Email shown on the pgAdmin login screen (default: admin@nexus.dev).
# PGADMIN_EMAIL=admin@nexus.dev
# ─── Logging ─────────────────────────────────────────────────────────────────
# Log verbosity. Values: trace | debug | info | warn | error | fatal
# Default: info
# LOG_LEVEL=info
# ─── Security / Cron ─────────────────────────────────────────────────────────
# Secret used to authenticate requests to cron endpoints (/api/cron/*).
# Generate one with: openssl rand -hex 32
# If not set, cron endpoints are disabled.
# CRON_SECRET=
# ─── Error Tracking (Sentry) ─────────────────────────────────────────────────
# Sentry DSN for client-side and server-side error reporting.
# Create a Next.js project at https://sentry.io and copy the DSN here.
# A DSN is not a secret, which is why it can carry the NEXT_PUBLIC_ prefix:
# Next.js inlines NEXT_PUBLIC_* variables into the browser bundle, so never
# put a real secret in a variable with that prefix.
# If not set, Sentry is disabled (SDK is installed but sends nothing).
# NEXT_PUBLIC_SENTRY_DSN=
# ─── Dispo import ────────────────────────────────────────────────────────────
# Absolute directory that dispo .xlsx workbook imports must live under. The
# tRPC surface only accepts relative paths and the runtime reader re-validates
# that any resolved path remains inside this directory; this prevents an
# admin (or compromised admin token) from pointing the parser at arbitrary
# files on disk and reaching ExcelJS CVEs. Defaults to ./imports if unset.
# DISPO_IMPORT_DIR=/var/lib/nexus/imports
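The confinement described above, as an added example that is not Nexus project code: a resolver that accepts only relative paths, rejects lexical escapes before touching the filesystem, then re-checks the real path so a symlink planted inside the import directory cannot point outside it. The function names, the probe list and the temporary fixture are assumptions for this demo; the project's own reader is not shown on this page.

```typescript
// Added example, not Nexus project code: confine a user-supplied relative
// path to the import root. The function names and the temp-dir fixture are
// assumptions for this demo; the project's own reader is not shown here.
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

class ImportPathError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ImportPathError";
  }
}

// True when `child` (already resolved) is strictly inside `root`.
// path.relative() is used instead of startsWith() so that "/imports-evil"
// is not mistaken for something under "/imports".
function isInside(root: string, child: string): boolean {
  const rel = path.relative(root, child);
  return rel !== "" && rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Resolve `relPath` under `importDir`, refusing anything that escapes it.
// Two checks: a lexical one (rejects ".." and absolute paths before touching
// the filesystem) and a realpath one (a symlink planted inside the import
// directory must not point outside it). Throws ImportPathError on rejection
// and lets filesystem errors (e.g. ENOENT) propagate unchanged.
function resolveImportPath(importDir: string, relPath: string): string {
  if (relPath.includes("\0")) throw new ImportPathError("NUL byte in path");
  if (path.isAbsolute(relPath)) throw new ImportPathError("absolute path rejected");

  const root = path.resolve(importDir);
  const candidate = path.resolve(root, relPath);
  if (!isInside(root, candidate)) {
    throw new ImportPathError(`path escapes import directory: ${relPath}`);
  }

  // realpath both sides: the tmpdir itself may be a symlink (e.g. macOS /var).
  const realRoot = fs.realpathSync(root);
  const realCandidate = fs.realpathSync(candidate);
  if (!isInside(realRoot, realCandidate)) {
    throw new ImportPathError(`symlink escapes import directory: ${relPath}`);
  }
  return realCandidate;
}

// Constructed fixture: an import dir with one workbook, a sibling "secrets"
// dir outside it, and a symlink inside the import dir pointing at the secret.
function buildFixture(): string {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "nexus-import-demo-"));
  const importDir = path.join(base, "imports");
  const outsideDir = path.join(base, "secrets");
  fs.mkdirSync(importDir);
  fs.mkdirSync(outsideDir);
  fs.writeFileSync(path.join(importDir, "dispo.xlsx"), "constructed workbook");
  const secret = path.join(outsideDir, "db.env");
  fs.writeFileSync(secret, "constructed secret");
  fs.symlinkSync(secret, path.join(importDir, "link.xlsx"));
  return importDir;
}

// Run the probes a reviewer would try; returns probe -> accepted?
function demo(): Record<string, boolean> {
  const importDir = buildFixture();
  const probes = ["dispo.xlsx", "sub/../dispo.xlsx", "../secrets/db.env", "/etc/passwd", "link.xlsx", "a\0b"];
  const accepted: Record<string, boolean> = {};
  for (const probe of probes) {
    try {
      resolveImportPath(importDir, probe);
      accepted[probe] = true;
    } catch (err) {
      if ((err as Error).name !== "ImportPathError") throw err;
      accepted[probe] = false;
    }
  }
  return accepted;
}

console.log(demo());
```

Note that "sub/../dispo.xlsx" is accepted: `path.resolve` normalizes it to the in-tree workbook before the check runs, which is the intended behaviour of a lexical confinement check. The realpath step is what catches `link.xlsx`, a path that looks perfectly in-tree until the symlink is followed.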
# ─── Testing (never enable in production) ────────────────────────────────────
# Disables rate limiting and session tracking during end-to-end tests.
# MUST be "false" or unset in production — the runtime will refuse to start
# if this is "true" and NODE_ENV is "production".
# E2E_TEST_MODE=false
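The rules written in the comments above (https-only NEXTAUTH_URL in production, no placeholder NEXTAUTH_SECRET, DATABASE_URL password identical to POSTGRES_PASSWORD, REDIS_URL for the redis backend, REDIS_PASSWORD in production, E2E_TEST_MODE refused in production) collected into one startup check, as an added example that is not Nexus project code. The placeholder list, the 32-character minimum, the function names and the three sample environments are assumptions for this demo; the app's actual checks may differ.

```typescript
// Added example, not Nexus project code: a startup check that enforces the
// rules written in the comments of this .env.example. The rule set, the
// placeholder list and the function names are assumptions for this demo.
type Env = Record<string, string | undefined>;

// Values that show up in examples and must never be used as a real secret.
const PLACEHOLDER_SECRETS = new Set(["changeme", "secret", "password", "nexus_dev", "test"]);

// Password component of a postgresql:// URL, or undefined if it does not parse.
function passwordOf(dbUrl: string): string | undefined {
  try {
    return decodeURIComponent(new URL(dbUrl).password);
  } catch {
    return undefined;
  }
}

// Returns human-readable problems; an empty array means the env is acceptable.
function validateEnv(env: Env): string[] {
  const problems: string[] = [];
  const prod = env.NODE_ENV === "production";

  // NEXTAUTH_URL: scheme required, no trailing slash, https in production.
  const authUrl = env.NEXTAUTH_URL ?? "";
  if (!authUrl) {
    problems.push("NEXTAUTH_URL is required");
  } else {
    try {
      const u = new URL(authUrl);
      if (authUrl.endsWith("/")) problems.push("NEXTAUTH_URL must not end with a trailing slash");
      if (prod && u.protocol !== "https:") problems.push("NEXTAUTH_URL must use https:// in production");
    } catch {
      problems.push("NEXTAUTH_URL is not a valid URL");
    }
  }

  // NEXTAUTH_SECRET: required, never a known placeholder, long enough in prod.
  const secret = env.NEXTAUTH_SECRET ?? "";
  if (!secret) problems.push("NEXTAUTH_SECRET is required");
  else if (PLACEHOLDER_SECRETS.has(secret.toLowerCase())) problems.push("NEXTAUTH_SECRET is a known placeholder value");
  else if (prod && secret.length < 32) problems.push("NEXTAUTH_SECRET is too short; use openssl rand -base64 32");

  // Database: POSTGRES_PASSWORD set, and identical to the password in DATABASE_URL.
  const pgPassword = env.POSTGRES_PASSWORD ?? "";
  if (!pgPassword) problems.push("POSTGRES_PASSWORD is required");
  const dbUrl = env.DATABASE_URL ?? "";
  const urlPassword = passwordOf(dbUrl);
  if (!dbUrl) problems.push("DATABASE_URL is required");
  else if (urlPassword === undefined) problems.push("DATABASE_URL is not a valid URL");
  else {
    if (pgPassword && urlPassword !== pgPassword) problems.push("DATABASE_URL password does not match POSTGRES_PASSWORD");
    if (prod && urlPassword === "nexus_dev") problems.push("DATABASE_URL still carries the nexus_dev example password");
  }

  // Redis: the "redis" backend (the default) needs REDIS_URL; prod needs a password.
  const backend = env.RATE_LIMIT_BACKEND ?? "redis";
  if (backend !== "redis" && backend !== "memory") problems.push(`RATE_LIMIT_BACKEND has unknown value "${backend}"`);
  if (backend === "redis" && !env.REDIS_URL) problems.push("RATE_LIMIT_BACKEND=redis requires REDIS_URL");
  if (prod && !env.REDIS_PASSWORD) problems.push("REDIS_PASSWORD is required in production");

  // Test mode must never reach production.
  if (prod && env.E2E_TEST_MODE === "true") problems.push("E2E_TEST_MODE=true is refused in production");

  return problems;
}

// Constructed sample environments (no real credentials).
const DEV_ENV: Env = {
  NODE_ENV: "development",
  NEXTAUTH_URL: "http://localhost:3000",
  NEXTAUTH_SECRET: "dev-only-secret",
  POSTGRES_PASSWORD: "nexus_dev",
  DATABASE_URL: "postgresql://nexus:nexus_dev@localhost:5433/nexus",
  REDIS_URL: "redis://localhost:6380",
};

// The dev file copied to production unchanged, plus the classic mistakes.
const UNSAFE_PROD_ENV: Env = {
  ...DEV_ENV,
  NODE_ENV: "production",
  NEXTAUTH_SECRET: "changeme",
  E2E_TEST_MODE: "true",
};

const SAFE_PROD_ENV: Env = {
  NODE_ENV: "production",
  NEXTAUTH_URL: "https://nexus.example.com",
  NEXTAUTH_SECRET: "constructed-not-a-real-secret-0123456789abcdef",
  POSTGRES_PASSWORD: "constructed-pg-password",
  DATABASE_URL: "postgresql://nexus:constructed-pg-password@postgres:5432/nexus",
  REDIS_PASSWORD: "constructed-redis-password",
  REDIS_URL: "redis://:constructed-redis-password@redis:6379",
};

console.log({ dev: validateEnv(DEV_ENV), unsafe: validateEnv(UNSAFE_PROD_ENV), safe: validateEnv(SAFE_PROD_ENV) });
```

Run at process start and exit non-zero on any problem: the point of collecting every violation into one list rather than throwing on the first is that an operator promoting a dev `.env` to production sees all five mistakes at once (http URL, placeholder secret, nexus_dev database password, missing REDIS_PASSWORD, test mode on) instead of fixing them one restart at a time.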