# MySQL
# Both values below are placeholders, not usable passwords. Replace each one
# with its own randomly generated value before the first start.
# NOTE(review): give the root account and the application account different
# passwords so that a leak of one does not expose the other.
MYSQL_ROOT_PASSWORD=generate_strong_password_here
MYSQL_PASSWORD=generate_strong_password_here
# Optional: read secrets from Docker secrets files instead of env
# Environment variables are readable by anything that can inspect the
# container's configuration; the *_FILE form keeps the value out of it.
# MYSQL_ROOT_PASSWORD_FILE=/run/secrets/mysql_root_password
# MYSQL_PASSWORD_FILE=/run/secrets/mysql_password
# Optional: cap MySQL concurrent connections (prevents memory spikes)
# Example value: 200. Left empty here; presumably the server default applies
# when empty (confirm against the compose/entrypoint that reads it).
# MYSQL_MAX_CONNECTIONS=200
MYSQL_MAX_CONNECTIONS=
# API
# JWT_SECRET below is a placeholder. Its name suggests generating the real
# value with:  openssl rand -base64 32
# NOTE(review): presumably this key signs the API's tokens, so treat it as a
# credential: never reuse it across environments and rotate it on suspected
# exposure. Confirm against the API's token code.
JWT_SECRET=generate_with_openssl_rand_base64_32
# Optional: read secrets from Docker secrets files instead of env
# DATABASE_PASSWORD_FILE uses the same path as the commented
# MYSQL_PASSWORD_FILE example, i.e. the API and MySQL share one secret file.
# JWT_SECRET_FILE=/run/secrets/jwt_secret
# DATABASE_PASSWORD_FILE=/run/secrets/mysql_password
# Release tag for correlating deploys/incidents (e.g., git sha or timestamp)
# NOTE(review): presumably surfaces in logs or metrics, so keep it free of
# anything sensitive (confirm where the API emits it).
# TAILSHELL_RELEASE=dev
TAILSHELL_RELEASE=
# Bootstrap admin (recommended; if unset, API will generate on first run)
# On a fresh DB the bootstrap admin must rotate password on first login.
# The password below is a placeholder; replace it before the first start.
# NOTE(review): "admin" is a commonly guessed account name; a less predictable
# username reduces exposure to credential guessing on the login endpoint.
# NOTE(review): confirm where a generated credential is surfaced when these
# are unset (e.g. start-up logs) and who can read that location.
TAILSHELL_ADMIN_USERNAME=admin
TAILSHELL_ADMIN_PASSWORD=generate_strong_password_here
# Cookie hardening (set to true only when accessing over HTTPS)
# A cookie marked Secure is sent by browsers over HTTPS only, which is why
# enabling this on a plain-HTTP deployment would break sign-in.
# NOTE(review): with this left empty the flag is presumably off, so session
# cookies can travel over plain HTTP. Set it to true for every deployment
# served over TLS, and confirm the API's behaviour for an empty value.
# TAILSHELL_COOKIE_SECURE=true
TAILSHELL_COOKIE_SECURE=
# Access/refresh token rotation
# Access-token lifetime in minutes (example: 15).
# TAILSHELL_ACCESS_TOKEN_TTL_MIN=15
TAILSHELL_ACCESS_TOKEN_TTL_MIN=
# Refresh-token lifetime in days (example: 7).
# Longer lifetimes extend how long a leaked token stays usable; raise these
# only with a revocation path in place.
# TAILSHELL_REFRESH_TOKEN_TTL_DAYS=7
TAILSHELL_REFRESH_TOKEN_TTL_DAYS=
# Password policy
# Minimum accepted password length in characters (example: 12).
# TAILSHELL_PASSWORD_MIN_LENGTH=12
TAILSHELL_PASSWORD_MIN_LENGTH=
# Character-class requirements: upper case, lower case, digit, symbol.
# Each is a true/false toggle (examples show true).
# TAILSHELL_PASSWORD_REQUIRE_UPPER=true
TAILSHELL_PASSWORD_REQUIRE_UPPER=
# TAILSHELL_PASSWORD_REQUIRE_LOWER=true
TAILSHELL_PASSWORD_REQUIRE_LOWER=
# TAILSHELL_PASSWORD_REQUIRE_NUMBER=true
TAILSHELL_PASSWORD_REQUIRE_NUMBER=
# TAILSHELL_PASSWORD_REQUIRE_SYMBOL=true
TAILSHELL_PASSWORD_REQUIRE_SYMBOL=
# NOTE(review): presumably the cost factor of the password hash (bcrypt-style,
# where each increment doubles the work). Lowering it weakens stored hashes
# against offline guessing. Confirm against the API's hashing library.
# TAILSHELL_PASSWORD_HASH_ROUNDS=12
TAILSHELL_PASSWORD_HASH_ROUNDS=
# MFA TOTP tolerance in seconds (default: 30)
# A larger tolerance accepts codes further from the current time step, which
# widens the period during which an observed code is still accepted. Raise it
# only to absorb known clock drift.
# TAILSHELL_MFA_EPOCH_TOLERANCE=30
TAILSHELL_MFA_EPOCH_TOLERANCE=
# Maintenance mode (returns 503 for most API routes)
# NOTE(review): "most" means some routes stay reachable; this file does not
# list which ones. Confirm they do not bypass authentication.
# TAILSHELL_MAINTENANCE_MODE=true
TAILSHELL_MAINTENANCE_MODE=
# Auth caching (reduces per-request DB reads)
# TTL in milliseconds (example: 30000 = 30 s).
# NOTE(review): a cached auth result can presumably outlive a revocation
# (disabled account, changed role, ended session) by up to this TTL. Confirm
# whether the API invalidates the cache on such changes before raising it.
# TAILSHELL_AUTH_CACHE_TTL_MS=30000
TAILSHELL_AUTH_CACHE_TTL_MS=
# Upper bound on cached entries (example: 5000); caps memory used by the cache.
# TAILSHELL_AUTH_CACHE_MAX_ENTRIES=5000
TAILSHELL_AUTH_CACHE_MAX_ENTRIES=
# Read-mostly metadata caching (workspaces/tags/folders/me)
# TTL in milliseconds (example: 5000 = 5 s).
# NOTE(review): confirm cache entries are keyed per user, since the cached
# data includes per-user responses such as "me".
# TAILSHELL_METADATA_CACHE_TTL_MS=5000
TAILSHELL_METADATA_CACHE_TTL_MS=
# Upper bound on cached entries (example: 5000).
# TAILSHELL_METADATA_CACHE_MAX_ENTRIES=5000
TAILSHELL_METADATA_CACHE_MAX_ENTRIES=
# DB tuning (optional)
# Every key in this group is left empty; the commented line above each one
# shows an example value. Keys ending in _MS are in milliseconds.
# Number of pooled connections (example: 10).
# DATABASE_POOL_SIZE=10
DATABASE_POOL_SIZE=
# Presumably the number of requests allowed to wait for a free connection
# (example: 50). A bound here keeps a request flood from queueing without
# limit. Confirm the pool's behaviour once the limit is reached.
# DATABASE_POOL_QUEUE_LIMIT=50
DATABASE_POOL_QUEUE_LIMIT=
# Per-query timeout (example: 30000 = 30 s).
# DATABASE_QUERY_TIMEOUT_MS=30000
DATABASE_QUERY_TIMEOUT_MS=
# Retry count for read queries, per the key name (example: 2).
# DATABASE_READ_QUERY_RETRIES=2
DATABASE_READ_QUERY_RETRIES=
# Circuit breaker. Presumably it opens after THRESHOLD failures within
# FAILURE_WINDOW_MS and is retried after RESET_MS. Confirm against the DB layer.
# DATABASE_CIRCUIT_FAILURE_THRESHOLD=5
DATABASE_CIRCUIT_FAILURE_THRESHOLD=
# DATABASE_CIRCUIT_RESET_MS=30000
DATABASE_CIRCUIT_RESET_MS=
# DATABASE_CIRCUIT_FAILURE_WINDOW_MS=60000
DATABASE_CIRCUIT_FAILURE_WINDOW_MS=
# DB slow query logging + metrics (admin/system)
# Threshold in milliseconds above which a query counts as slow (example: 250).
# NOTE(review): confirm recorded entries hold the statement text only and not
# bound parameter values, which can contain user data or credentials.
# TAILSHELL_SLOW_QUERY_MS=250
TAILSHELL_SLOW_QUERY_MS=
# Number of slow-query entries retained (example: 50).
# TAILSHELL_SLOW_QUERY_MAX_ENTRIES=50
TAILSHELL_SLOW_QUERY_MAX_ENTRIES=
# Idempotency controls (create requests)
# How long an idempotency key is remembered, in milliseconds
# (example: 86400000 = 24 h).
# TAILSHELL_IDEMPOTENCY_TTL_MS=86400000
TAILSHELL_IDEMPOTENCY_TTL_MS=
# Maximum accepted key length (example: 128); bounds the size of this
# client-supplied value.
# TAILSHELL_IDEMPOTENCY_KEY_MAX_LENGTH=128
TAILSHELL_IDEMPOTENCY_KEY_MAX_LENGTH=
# Terminal session limits
# Concurrent terminal sessions allowed per user (example: 2).
# TAILSHELL_TERMINAL_MAX_SESSIONS_PER_USER=2
TAILSHELL_TERMINAL_MAX_SESSIONS_PER_USER=
# Session lifetime in milliseconds (example: 120000 = 2 min).
# NOTE(review): confirm whether this is an idle timeout or an absolute limit.
# TAILSHELL_TERMINAL_SESSION_TTL_MS=120000
TAILSHELL_TERMINAL_SESSION_TTL_MS=
# Comma-separated roles allowed to open terminals
# NOTE(review): opening a terminal presumably grants shell access to the
# target, so keep this list as short as the deployment allows. Confirm
# whether an empty value means "use the default roles" or "no role allowed".
# TAILSHELL_TERMINAL_ALLOWED_ROLES=admin,user
TAILSHELL_TERMINAL_ALLOWED_ROLES=
# Login throttling and captcha (Turnstile)
# Per-IP limit: MAX_ATTEMPTS within WINDOW_MS
# (examples: 20 attempts per 900000 ms = 15 min).
# NOTE(review): a later section of this file says the API runs behind nginx.
# Per-IP limits only work if the API sees the real client address and not the
# proxy's. Confirm how the forwarded address is trusted.
# TAILSHELL_LOGIN_IP_WINDOW_MS=900000
TAILSHELL_LOGIN_IP_WINDOW_MS=
# TAILSHELL_LOGIN_IP_MAX_ATTEMPTS=20
TAILSHELL_LOGIN_IP_MAX_ATTEMPTS=
# Per-username limit (examples: 10 attempts per 900000 ms = 15 min).
# TAILSHELL_LOGIN_USERNAME_WINDOW_MS=900000
TAILSHELL_LOGIN_USERNAME_WINDOW_MS=
# TAILSHELL_LOGIN_USERNAME_MAX_ATTEMPTS=10
TAILSHELL_LOGIN_USERNAME_MAX_ATTEMPTS=
# Presumably the number of failed attempts after which a captcha is required
# (example: 5). Confirm against the login handler.
# TAILSHELL_LOGIN_CAPTCHA_THRESHOLD=5
TAILSHELL_LOGIN_CAPTCHA_THRESHOLD=
# Turnstile site key: the public half, embedded in the login page.
# TAILSHELL_TURNSTILE_SITE_KEY=your_site_key
TAILSHELL_TURNSTILE_SITE_KEY=
# Turnstile secret key: a server-side credential; never expose it to the
# browser. No *_FILE variant is listed for it in this file.
# NOTE(review): confirm the captcha check fails closed when the threshold is
# set but the keys are empty.
# TAILSHELL_TURNSTILE_SECRET_KEY=your_secret
TAILSHELL_TURNSTILE_SECRET_KEY=
# API HTTP server timeouts (behind nginx)
# All values are in milliseconds. Bounding header and request time limits how
# long a slow or stalled client can hold a connection open.
# Idle keep-alive timeout (example: 5000 = 5 s).
# NOTE(review): when proxied, compare this with nginx's upstream keep-alive
# settings so the API does not close connections the proxy is about to reuse.
# HTTP_KEEPALIVE_TIMEOUT_MS=5000
HTTP_KEEPALIVE_TIMEOUT_MS=
# Time allowed to receive the request headers (example: 10000 = 10 s).
# HTTP_HEADERS_TIMEOUT_MS=10000
HTTP_HEADERS_TIMEOUT_MS=
# Time allowed for the whole request (example: 65000 = 65 s).
# HTTP_REQUEST_TIMEOUT_MS=65000
HTTP_REQUEST_TIMEOUT_MS=
# Escape hatch (NOT recommended): allow weak placeholder secrets
# NOTE(review): this implies the API otherwise rejects placeholder values such
# as the generate_* strings used elsewhere in this file (confirm against the
# start-up checks). Leave it empty everywhere except throwaway local setups:
# enabling it lets the service run with secrets published in this example.
# TAILSHELL_ALLOW_WEAK_SECRETS=true
TAILSHELL_ALLOW_WEAK_SECRETS=
# Optional (CORS is disabled when empty)
# Comma-separated allowlist, e.g.:
# List exact origins (scheme + host + port). The http://localhost entries are
# local-development examples; production origins should be https.
# CORS_ORIGIN=http://localhost:5173
# CORS_ORIGIN=http://localhost:5173,https://my-ui.example.com
CORS_ORIGIN=
# If you intentionally need cookies cross-origin, also set:
# With credentials enabled, every origin in CORS_ORIGIN can make authenticated
# requests from a signed-in user's browser, so list only origins you control.
# Browsers reject credentialed responses that use a wildcard origin.
# CORS_CREDENTIALS=true
# Optional: explicit CSRF allowlist (defaults to CORS_ORIGIN or same-origin)
# NOTE(review): because of that default, widening CORS_ORIGIN also widens the
# origins accepted for state-changing requests unless this key is set.
# TAILSHELL_CSRF_ORIGINS=https://my-ui.example.com
TAILSHELL_CSRF_ORIGINS=