BillTracker/.env.example

# ── Bill Tracker — Environment Variables ──────────────────────────────────────
# Copy this file to .env and fill in your values before deploying.
# Docker Compose reads .env automatically.
# For direct Node.js: NODE_ENV=production node server.js (or use PM2).
# ── Server ─────────────────────────────────────────────────────────────────────
PORT=3000
NODE_ENV=production
# ── CSRF Cookie httpOnly Setting ──────────────────────────────────────────────
# CSRF cookie httpOnly setting (default: true)
# The SPA fetches the token from GET /api/auth/csrf-token and stores it in
# memory — JavaScript does not need to read the cookie directly. httpOnly=true
# removes the token from the XSS-accessible cookie surface.
# CSRF_HTTP_ONLY: "true" (default — cookie not readable by document.cookie)
# CSRF_HTTP_ONLY: "false" (legacy — only if a custom client reads document.cookie)
#
# ── CSRF Cookie sameSite Setting ──────────────────────────────────────────────
# CSRF cookie sameSite setting (default: strict)
# Options: 'lax', 'strict', 'none' ('none' also requires CSRF_SECURE=true — browsers reject a SameSite=None cookie that lacks the Secure flag)
# CSRF_SAME_SITE: "strict" (most secure — default)
# CSRF_SAME_SITE: "lax" (for SPA cross-site scenarios, e.g. when the SPA is reached by a top-level navigation from another site)
#
# ── CSRF Cookie secure Setting ───────────────────────────────────────────────
# CSRF cookie secure flag (default: true - HTTPS only)
# Set CSRF_SECURE=false for HTTP development (NOT recommended for production)
# CSRF_SECURE: "true" (HTTPS only - default)
# CSRF_SECURE: "false" (HTTP allowed - development only)
#
# ── CSRF Cookie Name ─────────────────────────────────────────────────────────
# CSRF cookie name (default: bt_csrf_token)
# Use CSRF_COOKIE_NAME to customize for multi-app deployments
# CSRF_COOKIE_NAME: "bt_csrf_token" (default)
# ── Data paths (used by both Docker and direct deployments) ───────────────────
# Docker: these are set in the Dockerfile; override here only if needed.
# Direct: set these to absolute paths on the server.
#
# DB_PATH=/opt/bill-tracker/data/db/bills.db
# BACKUP_PATH=/opt/bill-tracker/data/backups
# ── Encryption key ────────────────────────────────────────────────────────────
# AES-256-GCM key used to encrypt secrets at rest (SimpleFIN tokens, SMTP passwords).
# Must be at least 32 bytes. Any printable string works; a random hex string is best.
#
# Generate one with: node -e "console.log(require('crypto').randomBytes(48).toString('hex'))"
#
# If not set, Bill Tracker auto-generates a key and stores it in the database
# next to the encrypted data — anyone with read access to the database (or to
# its backups) can decrypt. Set this variable in production to keep the key
# separate from the data.
#
# TOKEN_ENCRYPTION_KEY=replace-with-a-long-random-string-at-least-32-chars
# ── Bank Sync (SimpleFIN) ─────────────────────────────────────────────────────
# Enable/disable bank sync from the Admin panel. Users connect their own
# SimpleFIN Bridge from the Data page. No environment config required.
# ── First-run admin account ────────────────────────────────────────────────────
# Set BOTH on first start to create the admin account automatically.
# Remove or comment out after the server has started once — they are not
# needed again, and leaving them keeps the admin password in plaintext in .env.
# Open the web UI afterward to create your first user account.
#
# INIT_ADMIN_USER=admin
# INIT_ADMIN_PASS=changeme123