# Application Settings
APP_VERSION=1.0.0
APP_NAME=sebastian
APP_HOST=0.0.0.0
APP_PORT=3000
APP_EDITION=community # Options: community, enterprise
NEXT_PUBLIC_EDITION=community # Options: community, enterprise
APP_VERIFY_EMAIL=false
APP_ENV=production
NODE_ENV=production
# Container Image Selection (auto-populated by scripts/set-image-tag.sh)
ALGA_IMAGE_TAG=latest
# NEXTAUTH_SECRET is managed via Docker secrets (nextauth_secret, see "Docker Secrets" below).
# The value here is a placeholder only and must not reach a production runtime.
NEXTAUTH_SECRET=dummy

# Login Captcha (optional, Cloudflare Turnstile)
# When both keys are set, sign-in requires a captcha after repeated failed
# attempts. Can also be provided via the secret provider as captcha_site_key /
# captcha_secret_key. Leave unset to rely on rate limiting alone.
# CAPTCHA_SITE_KEY=
# CAPTCHA_SECRET_KEY=

# Redis Configuration
REDIS_HOST=redis
REDIS_PORT=6379
# REDIS_PASSWORD is managed via Docker secrets

# Database Configuration
DB_TYPE=postgres # Required: Must be "postgres"
DB_HOST=postgres
DB_PORT=5432
DB_NAME=server
DB_NAME_SERVER=server
DB_NAME_HOCUSPOCUS=hocuspocus

# Database Users:
# 1. Admin User (postgres):
#    - Username: postgres (fixed)
#    - Used for: Database administration, setup, migrations
#    - Password: Managed via postgres_password secret
#    - Has full database access
POSTGRES_USER=postgres
DB_USER_ADMIN=postgres # Required: Admin user for database operations
DB_PASSWORD_ADMIN=/run/secrets/postgres_password # Required: Path to admin password secret
DB_PASSWORD_SUPERUSER=/run/secrets/postgres_password # Required: Path to superuser password secret
DB_PASSWORD_SERVER=/run/secrets/db_password_server # Required: Path to server password secret

# 2. Application User (app_user):
#    - Username: app_user (fixed)
#    - Used for: Application database access
#    - Password: Managed via db_password_server secret
#    - Access controlled by Row Level Security (RLS)
DB_USER_SERVER=app_user

# 3. Hocuspocus User:
#    - Username: hocuspocus_user
#    - Used for: Hocuspocus service database access
#    - Password: Managed via db_password_hocuspocus secret
#    - Scoped to the dedicated Hocuspocus database
DB_USER_HOCUSPOCUS=hocuspocus_user

# Logging Configuration
LOG_LEVEL=INFO # Required: One of 'SYSTEM' | 'TRACE' | 'DEBUG' | 'INFO' | 'WARNING' | 'ERROR' | 'CRITICAL'
LOG_IS_FORMAT_JSON=false # Required: Boolean
LOG_IS_FULL_DETAILS=false # Required: Boolean
LOG_ENABLED_FILE_LOGGING=false
LOG_DIR_PATH=/path/to/logs
LOG_ENABLED_EXTERNAL_LOGGING=false
LOG_EXTERNAL_HTTP_HOST=
LOG_EXTERNAL_HTTP_PORT=
LOG_EXTERNAL_HTTP_PATH=
LOG_EXTERNAL_HTTP_LEVEL=
LOG_EXTERNAL_HTTP_TOKEN=

# Secret Provider Configuration
# For local dev environments, use env and filesystem only (no vault)
SECRET_READ_CHAIN=env,filesystem
SECRET_WRITE_PROVIDER=filesystem

# Runner Configuration
RUNNER_BACKEND=knative
RUNNER_BASE_URL=http://runner:8080
# Optional override when using the Docker backend locally
RUNNER_DOCKER_HOST=http://localhost:8085
# Accepts absolute URLs or relative paths (e.g., /runner when proxying via Next.js)
RUNNER_PUBLIC_BASE=https://runner.example.com
RUNNER_SERVICE_TOKEN=

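Worked example of the read chain configured in the Secret Provider section above, combined with the DB_PASSWORD_* entries that hold a /run/secrets path rather than a value. This is added illustration code, not the project's own secret provider: the function names (parseChain, resolveSecret), the options shape, and the rule that an env value pointing under the secrets directory is dereferenced as a file are assumptions made for the example.

```typescript
import { existsSync, readFileSync } from "node:fs";
import { join } from "node:path";

// Hypothetical resolver for a read chain such as SECRET_READ_CHAIN=env,filesystem.
// Example code only; the project's real provider interface is not shown in this file.
export type Provider = "env" | "filesystem";

export interface ResolverOptions {
  chain: Provider[];                                // providers tried in order
  env: Record<string, string | undefined>;          // injected instead of process.env so it runs offline
  secretsDir: string;                               // Docker secrets mount, normally /run/secrets
  readFile?: (path: string) => string | undefined;  // injectable for tests; defaults to the real filesystem
}

// Parses "env,filesystem" (case-insensitive, whitespace tolerant). Unknown providers are
// rejected so a typo cannot silently become "no provider" and an always-undefined secret.
export function parseChain(value: string | undefined): Provider[] {
  const parts = (value ?? "env,filesystem")
    .split(",")
    .map((p) => p.trim().toLowerCase())
    .filter((p) => p.length > 0);
  for (const p of parts) {
    if (p !== "env" && p !== "filesystem") throw new Error(`unknown secret provider in chain: ${p}`);
  }
  return parts as Provider[];
}

function readFromDisk(path: string): string | undefined {
  return existsSync(path) ? readFileSync(path, "utf8") : undefined;
}

// Resolves one secret by its lower_snake_case name (e.g. "db_password_server"):
//  - env:        reads DB_PASSWORD_SERVER; if that value is itself a path under secretsDir
//                (DB_PASSWORD_SERVER=/run/secrets/db_password_server above), the file is read.
//  - filesystem: reads <secretsDir>/<name>.
// A single trailing newline is stripped: Docker secret files usually end with one, and it
// must not become part of the password.
export function resolveSecret(name: string, opts: ResolverOptions): string | undefined {
  // The name becomes a path component under secretsDir; refuse anything that could traverse.
  if (!/^[a-z0-9_]+$/i.test(name)) throw new Error(`invalid secret name: ${name}`);
  const read = opts.readFile ?? readFromDisk;
  const readTrimmed = (path: string): string | undefined => {
    const raw = read(path);
    return raw === undefined ? undefined : raw.replace(/\r?\n$/, "");
  };
  const pathPrefix = opts.secretsDir.replace(/\/+$/, "") + "/";

  for (const provider of opts.chain) {
    if (provider === "env") {
      const value = opts.env[name.toUpperCase()];
      if (value === undefined || value === "") continue;
      if (value.startsWith(pathPrefix)) {
        const fromFile = readTrimmed(value);
        if (fromFile !== undefined) return fromFile;
        continue;                                   // path configured but file absent: try the next provider
      }
      return value;
    }
    const fromFile = readTrimmed(join(opts.secretsDir, name));
    if (fromFile !== undefined) return fromFile;
  }
  return undefined;
}
```

Injecting env and readFile keeps the resolver testable without a container; in the application the defaults would be process.env and the real /run/secrets mount. The name check is what prevents a caller-controlled secret name from reading arbitrary files through the filesystem provider.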
# Hocuspocus Configuration
HOCUSPOCUS_PORT=1234
# Browser-facing WebSocket URL for in-app notifications and collaborative editing.
# Must be NEXT_PUBLIC_* — this is read by client code and baked in at build time.
# In production (non-localhost) the client auto-derives wss://<host>/hocuspocus,
# and your reverse proxy must route /hocuspocus to the hocuspocus container on
# port 1234 with WebSocket upgrade headers (see docs/getting-started/setup_guide.md).
NEXT_PUBLIC_HOCUSPOCUS_URL=ws://localhost:1234

# nm-store Integration (for license management)
NM_STORE_URL=http://localhost:3000 # URL of nm-store service
TEMPORAL_WEBHOOK_SECRET=your-shared-secret-here # Shared secret for Temporal callbacks
ALGA_WEBHOOK_SECRET=your-shared-secret-here # Shared secret for webhook authentication
REQUIRE_HOCUSPOCUS=false # Optional: Set to "true" to require hocuspocus

# Job Runner Configuration
# The job runner type: 'pgboss' (default for CE) or 'temporal' (EE only)
JOB_RUNNER_TYPE=pgboss
# Whether to fall back to PG Boss if Temporal is unavailable (EE only, default: true)
JOB_RUNNER_FALLBACK_TO_PGBOSS=true

# App-wide Search
# Default false for rollout safety. Set true after the search backfill has completed
# so event-bus subscribers begin writing incremental updates to app_search_index.
SEARCH_INDEX_LIVE=false

# Temporal Configuration (EE only - for job runner)
# Address of the Temporal server
TEMPORAL_ADDRESS=temporal-frontend.temporal.svc.cluster.local:7233
# Temporal namespace
TEMPORAL_NAMESPACE=default
# Task queue for generic jobs (separate from workflow-specific queues)
TEMPORAL_JOB_TASK_QUEUE=alga-jobs

# Stripe Integration (for license purchasing)
# Get keys from: Stripe Dashboard → Developers → API keys
# The sk_test_/pk_test_ placeholders below are test-mode keys; production needs the live-mode equivalents.
STRIPE_SECRET_KEY=sk_test_your_secret_key_here
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_your_publishable_key_here
STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret_here
# Master billing tenant (Nine Minds organization)
MASTER_BILLING_TENANT_ID=your-nine-minds-tenant-uuid-here
# Product/Price IDs (create in Stripe Dashboard → Products)
# Pro uses a single per-seat recurring price. Quantity equals licensed users.
STRIPE_PRO_PRICE_ID=price_pro_per_seat_here
# STRIPE_SOLO_BASE_PRICE_ID=price_solo_base_here
# Premium uses multi-item subscriptions (base fee + per-user).
# STRIPE_PREMIUM_BASE_PRICE_ID=price_premium_base_here
# STRIPE_PREMIUM_USER_PRICE_ID=price_premium_per_user_here
# Annual prices
# STRIPE_PRO_ANNUAL_PRICE_ID=price_pro_per_seat_annual_here
# STRIPE_SOLO_BASE_ANNUAL_PRICE_ID=price_solo_base_annual_here
# STRIPE_PREMIUM_BASE_ANNUAL_PRICE_ID=price_premium_base_annual_here
# STRIPE_PREMIUM_USER_ANNUAL_PRICE_ID=price_premium_per_user_annual_here
# Add-on prices
# STRIPE_AI_ADDON_PRICE_ID=price_ai_addon_here
# STRIPE_AI_ADDON_ANNUAL_PRICE_ID=price_ai_addon_annual_here
# STRIPE_TEAMS_ADDON_PRICE_ID=price_teams_addon_here
# STRIPE_TEAMS_ADDON_ANNUAL_PRICE_ID=price_teams_addon_annual_here
# STRIPE_ENTERPRISE_ADDON_PRICE_ID=price_enterprise_addon_here
# STRIPE_ENTERPRISE_ADDON_ANNUAL_PRICE_ID=price_enterprise_addon_annual_here
# Early adopters prices (grandfathered customers migrated from preview)
# STRIPE_EARLY_ADOPTERS_BASE_PRICE_ID=price_early_adopters_base_here
# STRIPE_EARLY_ADOPTERS_USER_PRICE_ID=price_early_adopters_per_user_here
# STRIPE_EARLY_ADOPTERS_BASE_ANNUAL_PRICE_ID=price_early_adopters_base_annual_here
# STRIPE_EARLY_ADOPTERS_USER_ANNUAL_PRICE_ID=price_early_adopters_per_user_annual_here
# AlgaDesk prices (per-user only, no base fee — tenants with product_code='algadesk')
# STRIPE_ALGADESK_USER_PRICE_ID=price_algadesk_per_user_here
# STRIPE_ALGADESK_USER_ANNUAL_PRICE_ID=price_algadesk_per_user_annual_here

# Email Configuration
EMAIL_ENABLE=false # Required: Boolean
EMAIL_FROM=noreply@example.com # Required: Valid email address
EMAIL_HOST=smtp.example.com
EMAIL_PORT=587 # Required: Number greater than 0
EMAIL_USERNAME=noreply@example.com # Required: Valid email address
# EMAIL_PASSWORD is managed via Docker secrets

# Cryptographic Settings
# CRYPTO_KEY is managed via Docker secrets
CRYPTO_SALT_BYTES=16
CRYPTO_ITERATION=100000
CRYPTO_KEY_LENGTH=64
CRYPTO_ALGORITHM=aes-256-gcm

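Added example of how the CRYPTO_* settings above fit together in practice: a per-record key derived from the CRYPTO_KEY secret with PBKDF2 over a fresh salt, then AES-256-GCM with a fresh nonce and an authentication tag that is checked before any plaintext is returned. This is illustration code, not the project's implementation. Assumptions: PBKDF2-HMAC-SHA256 as the KDF, a 12-byte GCM nonce, a 16-byte tag, and a 32-byte derived key, since aes-256-gcm accepts no other key size (this file does not say whether CRYPTO_KEY_LENGTH=64 counts bytes or hex characters, so the example does not use that value directly).

```typescript
import { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } from "node:crypto";

// Example parameters mirroring the CRYPTO_* settings; the KDF hash, nonce size and 32-byte key
// are this example's assumptions, not values stated in the .env file.
export const CRYPTO = {
  saltBytes: 16,             // CRYPTO_SALT_BYTES
  iterations: 100_000,       // CRYPTO_ITERATION
  algorithm: "aes-256-gcm",  // CRYPTO_ALGORITHM
  keyBytes: 32,              // fixed by aes-256-gcm
  ivBytes: 12,               // recommended GCM nonce size
  tagBytes: 16,              // full-length GCM authentication tag
} as const;

// Derive a per-message key from the master CRYPTO_KEY and a random salt, so two records
// encrypted under the same master key never share an AES key.
export function deriveKey(masterKey: string, salt: Buffer): Buffer {
  return pbkdf2Sync(masterKey, salt, CRYPTO.iterations, CRYPTO.keyBytes, "sha256");
}

// Output layout (base64): salt || iv || authTag || ciphertext. Salt and IV are fresh per call.
export function encrypt(masterKey: string, plaintext: string): string {
  const salt = randomBytes(CRYPTO.saltBytes);
  const iv = randomBytes(CRYPTO.ivBytes);
  const cipher = createCipheriv(CRYPTO.algorithm, deriveKey(masterKey, salt), iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ciphertext]).toString("base64");
}

// Throws on a wrong key, a truncated token or any modified byte: GCM verifies the tag in
// final(), so a caller never receives partially decrypted or forged data.
export function decrypt(masterKey: string, token: string): string {
  const buf = Buffer.from(token, "base64");
  const headerLen = CRYPTO.saltBytes + CRYPTO.ivBytes + CRYPTO.tagBytes;
  if (buf.length < headerLen) throw new Error("ciphertext too short");
  const salt = buf.subarray(0, CRYPTO.saltBytes);
  const iv = buf.subarray(CRYPTO.saltBytes, CRYPTO.saltBytes + CRYPTO.ivBytes);
  const tag = buf.subarray(CRYPTO.saltBytes + CRYPTO.ivBytes, headerLen);
  const ciphertext = buf.subarray(headerLen);
  const decipher = createDecipheriv(CRYPTO.algorithm, deriveKey(masterKey, salt), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString("utf8");
}
```

Because the salt travels with the ciphertext, rotating CRYPTO_KEY means re-encrypting stored values under the new master key; nothing else about the format has to change.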
# Authentication Settings
NEXTAUTH_URL=http://localhost:3000 # Required: Valid URL
NEXTAUTH_SESSION_EXPIRES=86400 # Required: Number greater than 0

# OAuth fallback for MSP SSO (CE + EE):
# - Used by NextAuth when tenant-specific provider credentials are not selected/available.
# - Also used when domain-based MSP discovery is unresolved (unknown or ambiguous login domain mapping).
# - CE MSP login can use these values as app-level fallback for Google/Microsoft SSO.
# GOOGLE_OAUTH_CLIENT_ID=
# GOOGLE_OAUTH_CLIENT_SECRET=
# MICROSOFT_OAUTH_CLIENT_ID=
# MICROSOFT_OAUTH_CLIENT_SECRET=
# MICROSOFT_OAUTH_TENANT_ID=common
# MICROSOFT_OAUTH_AUTHORITY=https://login.microsoftonline.com

# Mobile app sign-in (EE only — Cloud and the licensed appliance):
# - Not available on the open-source CE edition: CE builds reject the mobile token
#   exchange and report enabled=false from /api/v1/mobile/auth/capabilities.
# - The mobile app signs in against this server via /api/v1/mobile/auth/* and the
#   /auth/mobile/handoff web flow; NEXTAUTH_URL must be the server's public URL.
# - Google and/or Microsoft OAuth credentials (above) must be configured for mobile
#   sign-in; the capabilities endpoint only advertises configured providers.
# - Comma-separated hostnames allowed for mobile sign-in. Leave empty to allow any
#   host (the app connects to whichever server the user configured).
# ALGA_MOBILE_HOST_ALLOWLIST=

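Added example of how the ALGA_MOBILE_HOST_ALLOWLIST semantics described above (comma-separated hostnames, empty means any host) can be applied without the usual host-matching mistakes. It is not the project's own check; the function names and the decision to parse the requested value with the URL parser are assumptions made for the example.

```typescript
// Illustrative allowlist handling for ALGA_MOBILE_HOST_ALLOWLIST (example code, not project code).
// Returns null when the variable is empty, which the .env comment defines as "allow any host".
export function parseHostAllowlist(value: string | undefined): Set<string> | null {
  const hosts = (value ?? "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
  return hosts.length > 0 ? new Set(hosts) : null;
}

// `requested` is the server the app was pointed at: a bare host, host:port, or a full URL.
// The hostname is extracted with the URL parser so that port, path, userinfo and fragment are
// discarded, then compared for exact equality. Never use endsWith/includes here: that would let
// psa.example.com.attacker.tld or attacker.tld#psa.example.com through.
export function isMobileHostAllowed(allowlist: Set<string> | null, requested: string): boolean {
  if (allowlist === null) return true;
  let hostname: string;
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(requested) ? requested : `https://${requested}`;
    hostname = new URL(withScheme).hostname.toLowerCase();
  } catch {
    return false;  // unparseable input is denied, not allowed
  }
  return hostname !== "" && allowlist.has(hostname);
}
```

The userinfo case matters: for "psa.example.com@attacker.tld" the URL parser reports attacker.tld as the host, which is exactly where the app would connect, so the check denies it even though the allowed name appears in the string.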
# Enterprise AI Chat provider configuration (EE only)
# Defaults to openrouter when unset or invalid.
AI_CHAT_PROVIDER=openrouter # openrouter | vertex

# OpenRouter provider (default)
OPENROUTER_API_KEY=your-openrouter-api-key
OPENROUTER_CHAT_MODEL=minimax/minimax-m2

# Vertex provider (OpenAI-compatible endpoint)
VERTEX_PROJECT_ID=your-gcp-project-id
VERTEX_LOCATION=us-central1
VERTEX_CHAT_MODEL=glm-5-maas
# Optional override for the OpenAI-compatible Vertex endpoint URL.
# VERTEX_OPENAPI_BASE_URL=https://us-central1-aiplatform.googleapis.com/v1/projects/your-gcp-project-id/locations/us-central1/endpoints/openapi
# Optional ADC credentials file path (for on-prem/non-GKE deployments).
# GOOGLE_APPLICATION_CREDENTIALS=/path/to/google-application-credentials.json

# Workflow Configuration
WORKFLOW_DISTRIBUTED_MODE=true # Enable distributed mode with Redis Streams
WORKFLOW_REDIS_STREAM_PREFIX=workflow:events: # Redis stream prefix
WORKFLOW_REDIS_CONSUMER_GROUP=workflow-workers # Consumer group name
WORKFLOW_REDIS_BATCH_SIZE=10 # Number of events to process in a batch
WORKFLOW_REDIS_IDLE_TIMEOUT_MS=60000 # Idle timeout in milliseconds
WORKFLOW_WORKER_REPLICAS=2 # Number of worker containers to run

# Deployment Settings
PROJECT_NAME=sebastian
EXPOSE_DB_PORT=5432
EXPOSE_HOCUSPOCUS_PORT=1234
EXPOSE_REDIS_PORT=6379
EXPOSE_SERVER_PORT=3000
IMAP_WEBHOOK_SECRET=replace-with-a-secure-random-string
EXPOSE_IMAP_TEST_SMTP_PORT=3025
EXPOSE_IMAP_TEST_IMAP_PORT=3143
EXPOSE_IMAP_TEST_IMAPS_PORT=3993
EXPOSE_IMAP_TEST_HTTP_PORT=8080

# Docker Secrets:
# The following sensitive values are managed via Docker secrets:
# 1. Database Passwords:
#    - postgres_password: Admin user password
#    - db_password_server: Application user password
#    - db_password_hocuspocus: Hocuspocus service password
# 2. Redis Password:
#    - redis_password
# 3. Email Password:
#    - email_password
# 4. Security Keys:
#    - crypto_key
#    - token_secret_key
#    - nextauth_secret
#    - alga_auth_key
#    - secret_key
# 5. OAuth Credentials:
#    - google_oauth_client_id
#    - google_oauth_client_secret
#    - microsoft_oauth_client_id
#    - microsoft_oauth_client_secret

# Google OAuth - Email Integration (existing)
GOOGLE_CLIENT_ID=your-email-app-client-id
GOOGLE_CLIENT_SECRET=your-email-app-client-secret

# Google OAuth - Calendar Integration (NEW - separate app)
GOOGLE_CALENDAR_CLIENT_ID=your-calendar-app-client-id
GOOGLE_CALENDAR_CLIENT_SECRET=your-calendar-app-client-secret
GOOGLE_CALENDAR_PROJECT_ID=your-calendar-project-id
GOOGLE_CALENDAR_REDIRECT_URI=https://yourdomain.com/api/auth/google/calendar/callback

# Microsoft OAuth - Email & Calendar Integration (shared app)
# NOTE: Do not rely on values in this file for production. The server calls `dotenv.config()`
# and the Docker image copies this file into `/app/server/.env`, which can accidentally
# configure placeholder values at runtime. Prefer K8s env vars and/or Vault app secrets.
# MICROSOFT_CLIENT_ID=
# MICROSOFT_CLIENT_SECRET=
# MICROSOFT_TENANT_ID=common
# MICROSOFT_REDIRECT_URI=

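The NOTE in the Microsoft OAuth section above describes how placeholder values from this file can be loaded by dotenv at runtime. The following added example is a fail-fast startup guard for exactly that case: it audits the shared-secret and API-key variables that appear in this file and refuses to start in production when one is unset, still a placeholder, a Stripe test-mode key, or too short. This is illustration code, not the project's; the variable list, the placeholder patterns and the minimum length are this example's own choices.

```typescript
// Illustrative startup guard (example code, not project code). The patterns below match the
// placeholder values used in this .env file; extend them for your own conventions.
export const PLACEHOLDER_PATTERNS: RegExp[] = [
  /^dummy$/i,          // NEXTAUTH_SECRET=dummy
  /^your[-_]/i,        // your-shared-secret-here, your-openrouter-api-key
  /[-_]here$/i,        // sk_test_your_secret_key_here, whsec_your_webhook_secret_here
  /^replace-with-/i,   // IMAP_WEBHOOK_SECRET=replace-with-a-secure-random-string
  /^changeme$/i,
];

// Variables from this file whose value is a credential rather than a setting.
export const SECRET_VARS: string[] = [
  "NEXTAUTH_SECRET", "ALGA_WEBHOOK_SECRET", "TEMPORAL_WEBHOOK_SECRET", "IMAP_WEBHOOK_SECRET",
  "STRIPE_SECRET_KEY", "STRIPE_WEBHOOK_SECRET", "OPENROUTER_API_KEY",
];

export type Problem = "unset" | "placeholder" | "test-mode-key" | "too-short";
export interface Finding { name: string; problem: Problem }

// `lookup` returns the resolved value for a variable name. Passing an env-or-Docker-secret
// resolver here means a secret served only from /run/secrets is not reported as "unset".
export function auditSecrets(
  lookup: (name: string) => string | undefined,
  names: string[] = SECRET_VARS,
  minLength = 16,
): Finding[] {
  const findings: Finding[] = [];
  for (const name of names) {
    const value = lookup(name)?.trim();
    if (value === undefined || value === "") { findings.push({ name, problem: "unset" }); continue; }
    if (PLACEHOLDER_PATTERNS.some((re) => re.test(value))) { findings.push({ name, problem: "placeholder" }); continue; }
    // Stripe API keys carry their mode in the prefix (sk_test_ vs sk_live_); webhook signing
    // secrets (whsec_) do not, so only the API key is checked for test mode.
    if (name === "STRIPE_SECRET_KEY" && value.startsWith("sk_test_")) { findings.push({ name, problem: "test-mode-key" }); continue; }
    if (value.length < minLength) findings.push({ name, problem: "too-short" });
  }
  return findings;
}

// Throws when APP_ENV or NODE_ENV is "production" and anything was found; otherwise returns the
// findings so a development process can log them and carry on.
export function assertProductionSecrets(env: Record<string, string | undefined>): Finding[] {
  const findings = auditSecrets((name) => env[name]);
  const isProduction = env.APP_ENV === "production" || env.NODE_ENV === "production";
  if (isProduction && findings.length > 0) {
    const summary = findings.map((f) => `${f.name} (${f.problem})`).join(", ");
    throw new Error(`refusing to start with unsafe secrets: ${summary}`);
  }
  return findings;
}
```

Run the guard once at process start, before the HTTP listener opens, so a misconfigured image fails its readiness check instead of serving requests with a guessable NEXTAUTH_SECRET or webhook secret.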
# Calendar Webhook Configuration
# Removed: Let the code use NEXTAUTH_URL as the fallback webhook base
# CALENDAR_WEBHOOK_BASE_URL=https://your-ngrok-domain.ngrok-free.app

# Enterprise Edition Gmail Configuration
# These are only used when NEXT_PUBLIC_EDITION=enterprise
# Hosted Gmail provider settings for simplified configuration
EE_GMAIL_CLIENT_ID=your-ee-gmail-client-id
EE_GMAIL_PROJECT_ID=your-ee-gmail-project-id
EE_GMAIL_REDIRECT_URI=https://api.algapsa.com/api/auth/google/callback
# EE_GMAIL_CLIENT_SECRET is managed via filesystem secrets

# Enterprise Edition Microsoft Configuration
# These are only used when NEXT_PUBLIC_EDITION=enterprise
# Hosted Microsoft provider settings for simplified configuration
# EE_MICROSOFT_CLIENT_ID=
# EE_MICROSOFT_TENANT_ID=common
# EE_MICROSOFT_REDIRECT_URI=
# EE_MICROSOFT_CLIENT_SECRET is managed via filesystem secrets/Vault (do not inline here)

# Deployment Identifier for Observability
# Used to identify this deployment in observability tools (Grafana, etc.)
# For hosted: Use environment name (e.g., "production", "staging")
# For on-premise: Use customer/instance identifier (e.g., "customer-abc", "demo-instance")
# DEPLOYMENT_ID=

# Usage Statistics
# Set to false to opt out of anonymous usage statistics
# This data helps us improve the product
ALGA_USAGE_STATS=true

# Analytics User ID Anonymization
# When true (default), user IDs are anonymized for privacy
# When false, actual user IDs are used (prefixed with "user_")
ANALYTICS_ANONYMIZE_USER_IDS=true

# Frontend configuration
# NEXT_PUBLIC_ALGA_USAGE_STATS=true # Set to false to disable
NEXT_PUBLIC_ANALYTICS_ANONYMIZE_USER_IDS=true # Must match ANALYTICS_ANONYMIZE_USER_IDS for frontend

# Instance identification
# If not set, a hash of the hostname will be used
# INSTANCE_ID=

# ============================================================================
# OBSERVABILITY CONFIGURATION (GRAFANA STACK)
# ============================================================================
#
# IMPORTANT: This is for OPERATIONAL OBSERVABILITY only (performance, errors, traces)
# This is completely separate from PostHog usage analytics.
#
# Two separate systems:
# 1. OpenTelemetry → Grafana Alloy → Prometheus/Loki/Tempo (this section)
#    - Application performance metrics
#    - Error tracking and traces
#    - Database query performance
#    - HTTP request metrics
#    - System resource utilization
#
# 2. PostHog (configured separately above)
#    - Product usage analytics
#    - User behavior tracking
#    - Feature usage statistics
#    - Business intelligence data
#
# Deployment behavior:
# - Hosted: Always enabled for operational monitoring
# - On-premise: Opt-in via ALGA_OBSERVABILITY=true environment variable
# ============================================================================

# Enable/Disable Observability
# Set to true to enable local observability (metrics, logs, traces)
# For hosted deployments, this is automatically enabled
# For on-premise deployments, this must be explicitly enabled
ALGA_OBSERVABILITY=true

# OpenTelemetry OTLP Endpoint (Grafana Alloy)
# This is where metrics, logs, and traces are sent
# Grafana Alloy then routes them to Prometheus, Loki, and Tempo
# OTLP_ENDPOINT=

# Grafana Stack Endpoints (optional, for dashboard links and direct access)
# GRAFANA_ENDPOINT=
# PROMETHEUS_ENDPOINT=
# LOKI_ENDPOINT=
# TEMPO_ENDPOINT=

# Logging Configuration for Observability
# LOG_LEVEL is already defined above but affects observability logging
# Additional observability-specific logging settings:
# LOG_INCLUDE_TRACE_CONTEXT=true # Include OpenTelemetry trace context in logs

# PostHog Feature Flag Management (EE only)
POSTHOG_PERSONAL_API_KEY=
POSTHOG_PROJECT_ID=
POSTHOG_API_HOST=https://us.posthog.com