optio/.env.example at main · jonwiggins/optio · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
# Database
DATABASE_URL=postgres://optio:optio_dev@localhost:5432/optio

# Redis
REDIS_URL=redis://localhost:6379

# Container Runtime: "docker" | "kubernetes"
OPTIO_RUNTIME=kubernetes

# Encryption key for secrets at rest (REQUIRED — generate with: openssl rand -hex 32)
# The server will refuse to start if this is empty or set to a known-weak value.
OPTIO_ENCRYPTION_KEY=

# API server
API_PORT=4000
API_HOST=0.0.0.0

# Docker socket (for Docker runtime)
DOCKER_HOST=unix:///var/run/docker.sock

# Agent container image
# Local dev uses locally-built images; production uses ghcr.io registry
OPTIO_AGENT_IMAGE=optio-agent:latest

# Image pull policy: "Never" for local images, "Always" or "IfNotPresent" for registry
# Local dev must use "Never" since images are built with docker build, not pulled from a registry
OPTIO_IMAGE_PULL_POLICY=Never

# Authentication
# Set to "true" to disable auth entirely (for local dev)
OPTIO_AUTH_DISABLED=true

# OAuth providers (set client ID + secret to enable a provider)
# GITHUB_OAUTH_CLIENT_ID=
# GITHUB_OAUTH_CLIENT_SECRET=
# GOOGLE_OAUTH_CLIENT_ID=
# GOOGLE_OAUTH_CLIENT_SECRET=
# GITLAB_OAUTH_CLIENT_ID=
# GITLAB_OAUTH_CLIENT_SECRET=

# Generic OIDC provider (Keycloak, Authentik, Authelia, Zitadel, Okta, Auth0, etc.)
# OIDC_ISSUER_URL=https://auth.example.com/realms/optio
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_DISPLAY_NAME=SSO
# OIDC_SCOPES=openid email profile

# GitHub webhook signature validation (generate with: openssl rand -hex 32)
# Must match the secret configured in GitHub's webhook settings
# GITHUB_WEBHOOK_SECRET=

# Public URL (used for OAuth callback URLs and redirects)
# PUBLIC_URL=http://localhost:3000

# WebSocket URL override (optional — only needed when the API runs on a different origin than the web UI)
# NEXT_PUBLIC_WS_URL=ws://localhost:4000