Introduced a comprehensive guide for secure production secret handling (`docs/security/secret-management.md`). Updated `.env.example` files with clearer comments on best practices, emphasizing not hardcoding secrets and implementing rotation strategies. Enhanced README with a new section linking to the secret management documentation.
60 lines
2.1 KiB
Plaintext
```
# ------------------------------
# Application
# ------------------------------
# Display name used in API docs/UI.
APP_NAME=NexaPG Monitor
# Runtime environment: dev | staging | prod | test
ENVIRONMENT=dev
# Backend log level: DEBUG | INFO | WARNING | ERROR
LOG_LEVEL=INFO

# ------------------------------
# Core Database (internal metadata DB)
# ------------------------------
# Database that stores users, targets, metrics, query stats, and audit logs.
# DEV default only. Use strong unique credentials in production.
DB_NAME=nexapg
DB_USER=nexapg
DB_PASSWORD=nexapg
# Host port mapped to the internal PostgreSQL container port 5432.
DB_PORT=5433

# ------------------------------
# Backend API
# ------------------------------
# Host port mapped to backend container port 8000.
BACKEND_PORT=8000
# JWT signing secret. Never hardcode in source. Rotate regularly.
JWT_SECRET_KEY=change_this_super_secret
JWT_ALGORITHM=HS256
# Access token lifetime in minutes.
JWT_ACCESS_TOKEN_MINUTES=15
# Refresh token lifetime in minutes (10080 = 7 days).
JWT_REFRESH_TOKEN_MINUTES=10080
# Key used to encrypt monitored target passwords at rest.
# Never hardcode in source. Rotate with re-encryption plan.
# Generate with:
# python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
ENCRYPTION_KEY=REPLACE_WITH_FERNET_KEY
# Allowed CORS origins for browser clients.
# Use comma-separated values, e.g.:
# CORS_ORIGINS=http://localhost:5173,https://nexapg.example.com
# Dev-only shortcut:
# CORS_ORIGINS=*
CORS_ORIGINS=http://localhost:5173,http://localhost:8080
# Target polling interval in seconds.
POLL_INTERVAL_SECONDS=30
# Initial admin bootstrap user (created on first startup if not present).
INIT_ADMIN_EMAIL=admin@example.com
INIT_ADMIN_PASSWORD=ChangeMe123!

# ------------------------------
# Frontend
# ------------------------------
# Host port mapped to frontend container port 8080.
FRONTEND_PORT=5173
# Base API URL used at frontend build time.
# For reverse proxy + SSL, keep this relative to avoid mixed-content issues.
# Example direct mode: VITE_API_URL=http://localhost:8000/api/v1
VITE_API_URL=/api/v1
```
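One way to enforce the file's comments at deploy time, as an added example that is not part of the NexaPG repository: a standard-library check that rejects the example file's placeholder secrets, a malformed Fernet key, and a wildcard CORS origin outside dev and test. The function names, the 32-character JWT floor, and the dev/test exemption are assumptions.

```python
import base64

# Example values copied from the .env.example above; none may reach production.
PLACEHOLDERS = {
    "DB_PASSWORD": "nexapg",
    "JWT_SECRET_KEY": "change_this_super_secret",
    "ENCRYPTION_KEY": "REPLACE_WITH_FERNET_KEY",
    "INIT_ADMIN_PASSWORD": "ChangeMe123!",
}

def parse_env(text):
    """Parse KEY=VALUE lines, skipping blank lines and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env

def is_fernet_key(value):
    """A Fernet key is 32 random bytes encoded as URL-safe base64."""
    try:
        return len(base64.urlsafe_b64decode(value.encode())) == 32
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return False

def audit_env(env):
    """Return a list of findings; an empty list means the file passed."""
    # Assumption: only dev/test may keep defaults; missing ENVIRONMENT = prod.
    if env.get("ENVIRONMENT", "prod") in ("dev", "test"):
        return []
    findings = []
    for key, placeholder in PLACEHOLDERS.items():
        if env.get(key, "") in ("", placeholder):
            findings.append(f"{key}: missing or still the example value")
    if not is_fernet_key(env.get("ENCRYPTION_KEY", "")):
        findings.append("ENCRYPTION_KEY: not a valid Fernet key")
    if len(env.get("JWT_SECRET_KEY", "")) < 32:  # assumed floor for HS256
        findings.append("JWT_SECRET_KEY: shorter than 32 characters")
    if "*" in [o.strip() for o in env.get("CORS_ORIGINS", "").split(",")]:
        findings.append("CORS_ORIGINS: wildcard origin")
    return findings

# Constructed sample: the example file's secrets with ENVIRONMENT set to prod.
SAMPLE = "ENVIRONMENT=prod\n" + "".join(f"{k}={v}\n" for k, v in PLACEHOLDERS.items())

if __name__ == "__main__":
    print("\n".join(audit_env(parse_env(SAMPLE))) or "ok")
```

Run as a container entrypoint or CI step, a non-empty result should stop the deployment before the backend starts.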