.env.example
# =============================================================================
# Uncord Server Configuration
# =============================================================================
#
# Several fields below are set to placeholder values that MUST be replaced
# before running in production. Search this file for "REPLACE" to find them.
#
# To generate a cryptographically secure random string, run:
#
# openssl rand -hex 32
#
# Use a unique value for each field. Do not reuse secrets across fields.
#
# NOTE(review): this file is a template. The populated copy holds live
# credentials (database, cache, JWT, MFA, S3, SMTP, Typesense, owner password);
# keep it out of version control and readable only by the service user.
# =============================================================================
# Core
# =============================================================================
# The SERVER_URL and SMTP settings are overwritten when SERVER_ENV=development
# so that the configuration works within Docker.
SERVER_NAME="Uncord Chat"
SERVER_DESCRIPTION="Your community. Your server. Your rules."
SERVER_URL="https://chat.example.com"
SERVER_PORT=9800
# SERVER_ENV also switches on production-only validation; see the CORS section,
# where a wildcard origin is rejected when this is "production".
SERVER_ENV=production
# Must be exactly 64 hex characters (32 bytes). The `openssl rand -hex 32`
# command in the header emits exactly this format.
SERVER_SECRET="REPLACE"
# Maximum duration for REST request processing before returning 408. WebSocket
# connections are exempt. Accepts Go duration strings (e.g. 30s, 1m).
REQUEST_TIMEOUT=30s
# How long to wait for inflight HTTP requests to complete during graceful shutdown.
SHUTDOWN_TIMEOUT=15s
# How long to wait for background goroutines (gateway publisher, cache subscriber,
# blocklist refresh, etc.) to stop after the HTTP server has shut down.
SHUTDOWN_GRACE_TIMEOUT=10s
# =============================================================================
# Database
# =============================================================================
# Ensure the password within DATABASE_URL matches DB_PASSWORD.
# sslmode=disable means the Postgres connection, password included, travels in
# cleartext. That is tolerable only while Postgres is reached over a private
# container network (as the "postgres" hostname suggests); for a database on
# another host, use sslmode=require or, better, sslmode=verify-full.
DATABASE_URL="postgres://uncord:REPLACE@postgres:5432/uncord?sslmode=disable"
DATABASE_MAX_CONNS=25
DATABASE_MIN_CONNS=5
DB_PASSWORD="REPLACE"
# =============================================================================
# Valkey
# =============================================================================
# The URL carries no credentials; the password is supplied separately via
# VALKEY_PASSWORD (presumably applied to this connection — confirm in the loader).
VALKEY_URL="valkey://valkey:6379/0"
VALKEY_DIAL_TIMEOUT=5s
VALKEY_PASSWORD="REPLACE"
# =============================================================================
# Auth
# =============================================================================
# Must be at least 32 characters. A 64-hex-character value from the header
# command satisfies this; keep it distinct from SERVER_SECRET and
# MFA_ENCRYPTION_KEY (see the "do not reuse secrets" rule above).
JWT_SECRET="REPLACE"
# Access tokens are short-lived; refresh tokens last 168h = 7 days.
JWT_ACCESS_TTL=15m
JWT_REFRESH_TTL=168h
# Argon2 cost parameters for password hashing. The unit of ARGON2_MEMORY is not
# stated here; if it is KiB (the usual Argon2 convention), 65536 = 64 MiB —
# confirm against the loader before tuning.
ARGON2_MEMORY=65536
ARGON2_ITERATIONS=3
ARGON2_PARALLELISM=2
ARGON2_SALT_LENGTH=16
ARGON2_KEY_LENGTH=32
# How long to retain login attempts before automatic cleanup (Go duration format).
# 2160h = 90 days.
LOGIN_ATTEMPT_RETENTION=2160h
# =============================================================================
# MFA (Multi-Factor Authentication)
# =============================================================================
# Must be exactly 64 hex characters (32 bytes). Use a value different from
# SERVER_SECRET. NOTE(review): rotating this key presumably makes MFA material
# encrypted under the old key unreadable — confirm before rotating in production.
MFA_ENCRYPTION_KEY="REPLACE"
MFA_TICKET_TTL=5m
# =============================================================================
# Email (SMTP)
# =============================================================================
# Left blank in this template; these are overwritten when SERVER_ENV=development
# (see Core). SMTP_PASSWORD is a credential like the REPLACE fields above.
SMTP_HOST=""
SMTP_PORT=587
SMTP_USERNAME=""
SMTP_PASSWORD=""
SMTP_FROM="noreply@chat.example.com"
# =============================================================================
# Logging
# =============================================================================
# Presumably controls whether health-check requests appear in request logs;
# leaving it false keeps probe noise out of the audit trail.
LOG_HEALTH_REQUESTS=false
# =============================================================================
# Storage
# =============================================================================
# STORAGE_BACKEND=local uses STORAGE_LOCAL_PATH; the STORAGE_S3_* fields are
# presumably only read for an S3 backend. STORAGE_S3_SECRET_KEY is a credential.
STORAGE_BACKEND=local
STORAGE_LOCAL_PATH=/data/uncord/media
STORAGE_S3_ENDPOINT=""
STORAGE_S3_ACCESS_KEY=""
STORAGE_S3_SECRET_KEY=""
STORAGE_S3_BUCKET_ATTACHMENTS="uncord-attachments"
STORAGE_S3_BUCKET_AVATARS="uncord-avatars"
STORAGE_S3_BUCKET_EMOJI="uncord-emoji"
# =============================================================================
# Upload Limits
# =============================================================================
# Sizes are in MB/KB as the names state; dimensions are pixels. A reverse proxy
# in front of the server needs a request-body limit at least as large as
# MAX_UPLOAD_SIZE_MB, or uploads are cut off before this limit is applied.
MAX_UPLOAD_SIZE_MB=100
MAX_AVATAR_SIZE_MB=8
MAX_AVATAR_DIMENSION=1080
MAX_BANNER_WIDTH=1920
MAX_BANNER_HEIGHT=480
MAX_EMOJI_SIZE_KB=256
MAX_EMOJI_PER_SERVER=200
# =============================================================================
# Typesense
# =============================================================================
# Plain http: the API key is sent on every request, so keep Typesense on the
# private network (the "typesense" hostname suggests a container link).
TYPESENSE_URL="http://typesense:8108"
TYPESENSE_API_KEY="REPLACE"
TYPESENSE_TIMEOUT=30s
# =============================================================================
# Gateway
# =============================================================================
# Note the mixed units: *_MS fields are milliseconds, *_SECONDS fields are
# seconds, and GATEWAY_PUBLISH_TIMEOUT is a Go duration string.
GATEWAY_HEARTBEAT_INTERVAL_MS=20000
GATEWAY_OFFLINE_DELAY_MS=3000
GATEWAY_SESSION_TTL_SECONDS=300
GATEWAY_REPLAY_BUFFER_SIZE=1000
# Upper bound on concurrent WebSocket connections the gateway accepts.
GATEWAY_MAX_CONNECTIONS=10000
GATEWAY_READY_MEMBER_LIMIT=1000
GATEWAY_PUBLISH_WORKERS=4
GATEWAY_PUBLISH_QUEUE_SIZE=1024
GATEWAY_PUBLISH_TIMEOUT=5s
# =============================================================================
# E2EE (End-to-End Encryption)
# =============================================================================
# "OPK" presumably stands for one-time pre-keys: the server warns or refills
# when a device's supply drops below E2EE_OPK_LOW_THRESHOLD and accepts at most
# E2EE_MAX_OPK_BATCH per upload — confirm against the key-upload handler.
E2EE_OPK_LOW_THRESHOLD=10
E2EE_MAX_OPK_BATCH=100
E2EE_MAX_DEVICES_PER_USER=5
# =============================================================================
# Rate Limiting
# =============================================================================
# Each pair reads as COUNT requests per WINDOW_SECONDS.
# General API rate limit.
RATE_LIMIT_API_REQUESTS=600
RATE_LIMIT_API_WINDOW_SECONDS=60
# Per-channel message rate limit.
RATE_LIMIT_MSG_COUNT=5
RATE_LIMIT_MSG_WINDOW_SECONDS=5
# Global message rate limit (across all channels).
RATE_LIMIT_MSG_GLOBAL_COUNT=30
RATE_LIMIT_MSG_GLOBAL_WINDOW_SECONDS=60
# File upload rate limit.
RATE_LIMIT_UPLOAD_COUNT=10
RATE_LIMIT_UPLOAD_WINDOW_SECONDS=60
# Gateway ticket rate limit (per user).
RATE_LIMIT_TICKET_COUNT=10
RATE_LIMIT_TICKET_WINDOW_SECONDS=60
# Authentication endpoint rate limit. 5 attempts per 5 minutes is the main
# brake on credential guessing; raise it only with a reason.
RATE_LIMIT_AUTH_COUNT=5
RATE_LIMIT_AUTH_WINDOW_SECONDS=300
# WebSocket message rate limit.
RATE_LIMIT_WS_COUNT=300
RATE_LIMIT_WS_WINDOW_SECONDS=60
# Plugin API rate limit.
RATE_LIMIT_PLUGIN_COUNT=120
RATE_LIMIT_PLUGIN_WINDOW_SECONDS=60
# =============================================================================
# CORS
# =============================================================================
# Comma-separated list of allowed origins for CORS. In development, "*" is accepted
# and dynamically echoes the request's Origin header (required for AllowCredentials).
# In production, explicit origins must be listed. A wildcard "*" is rejected in
# production because credentials (cookie-based) require explicit origins.
#
# NOTE(review): as shipped, this template combines SERVER_ENV=production (Core)
# with "*" here, which the rule above rejects. Replace "*" with the explicit
# origin(s) your clients use, e.g. the SERVER_URL value, before deploying.
CORS_ALLOW_ORIGINS="*"
# =============================================================================
# Server Limits
# =============================================================================
# MAX_MEMBERS=0 and MESSAGE_RETENTION_DAYS=0 presumably mean "unlimited" and
# "retain forever", by analogy with DELETION_TOMBSTONE_RETENTION below — confirm.
MAX_CHANNELS=500
MAX_CATEGORIES=50
MAX_ROLES=250
MAX_MEMBERS=0
MAX_MESSAGE_LENGTH=4000
MAX_GROUP_DM_PARTICIPANTS=10
MESSAGE_RETENTION_DAYS=0
# =============================================================================
# Data Directory
# =============================================================================
# Optional path to the data directory containing templates and onboarding
# documents. When empty, built-in defaults are used. The directory should
# contain:
# templates/email/verification.html
# templates/pages/verify.html
# onboarding/manifest.json
# onboarding/documents/
# The files under this path are served/rendered to users, so write access to
# it should be limited to deployment tooling.
DATA_DIR=""
# =============================================================================
# Onboarding
# =============================================================================
# ONBOARDING_MIN_ACCOUNT_AGE has no unit stated here; 0 disables the check.
# Confirm the unit (seconds? days?) in the loader before setting it.
ONBOARDING_OPEN_JOIN=true
ONBOARDING_REQUIRE_EMAIL_VERIFICATION=true
ONBOARDING_MIN_ACCOUNT_AGE=0
ONBOARDING_REQUIRE_PHONE=false
ONBOARDING_REQUIRE_CAPTCHA=false
# =============================================================================
# Anti-Abuse
# =============================================================================
# The disposable-email blocklist is refreshed by a background goroutine (see
# SHUTDOWN_GRACE_TIMEOUT); the timeout presumably bounds that refresh. The
# allowlist/blocklist fields take comma-separated domains — confirm the format.
ABUSE_DISPOSABLE_EMAIL_BLOCKLIST_ENABLED=true
ABUSE_DISPOSABLE_EMAIL_BLOCKLIST_TIMEOUT=10s
ABUSE_EMAIL_DOMAIN_ALLOWLIST=""
ABUSE_EMAIL_DOMAIN_BLOCKLIST=""
ABUSE_AUTO_BAN_SHARED_IP=false
ABUSE_AUTO_BAN_SHARED_DEVICE=false
# =============================================================================
# Plugins
# =============================================================================
# The plugin API listens on its own port, separate from SERVER_PORT; expose it
# only to the hosts that run plugins.
PLUGIN_EVENT_STREAM="uncord.events"
PLUGIN_API_PORT=9090
# =============================================================================
# Account Deletion
# =============================================================================
# When true, usernames are "tombstoned" on account deletion to prevent
# re-registration. Existing tombstones are always enforced regardless of this
# setting. Emails are always tombstoned.
DELETION_TOMBSTONE_USERNAMES=true
# How long to retain deletion tombstones. 0 = permanent (default).
# Enabling expiry allows deleted users to eventually re-register with their former email or username.
# Non-zero values are presumably Go duration strings like the other *_RETENTION
# fields — confirm.
DELETION_TOMBSTONE_RETENTION=0
# =============================================================================
# Data Retention
# =============================================================================
# How often the background cleanup goroutine runs for all retention policies.
DATA_CLEANUP_INTERVAL=12h
# =============================================================================
# First-Run Owner
# =============================================================================
# Bootstrap credentials for the first owner account. INIT_OWNER_PASSWORD is a
# real password, not a secret for the server: set a strong value here and
# change it after the first login. With email verification enabled above, the
# owner address presumably needs to be a reachable mailbox — confirm.
INIT_OWNER_EMAIL="admin@example.com"
INIT_OWNER_USERNAME="admin"
INIT_OWNER_PASSWORD="REPLACE"