# JIM Environment Configuration
# Copy this file to .env and fill in your values
# DO NOT commit .env to source control (it contains secrets)
# This .env.example IS committed, so it must only ever contain placeholders
# and development-only defaults - never a real password, secret or API key.
# =============================================================================
# Locale Configuration
# =============================================================================
# Controls date/time formatting and other locale-specific behaviour.
# Uses standard locale codes (e.g., en_GB.UTF-8, en_US.UTF-8, de_DE.UTF-8)
LANG=en_GB.UTF-8
# =============================================================================
# Docker Configuration (for docker-compose)
# =============================================================================
# Docker registry prefix for pulling images (leave empty for local builds)
# Examples:
# DOCKER_REGISTRY=ghcr.io/tetronio/
# DOCKER_REGISTRY=your-registry.example.com/jim/
DOCKER_REGISTRY=
# JIM version tag (leave empty for local builds, set for production)
# Pinning an explicit version rather than 'latest' keeps production deployments
# reproducible and makes it unambiguous which image build is actually running.
# Examples:
# JIM_VERSION=0.2.0
# JIM_VERSION=latest
JIM_VERSION=
# =============================================================================
# Database Configuration
# =============================================================================
JIM_DB_HOSTNAME=localhost
JIM_DB_NAME=jim
JIM_DB_USERNAME=jim
# Placeholder only - replace with a strong, unique password before first use.
JIM_DB_PASSWORD=your_secure_password_here
# NOTE(review): presumably enables logging of sensitive query data (parameter
# values) - confirm against the DB logging code. Keep false outside local
# development so credentials and personal data do not end up in log files.
JIM_DB_LOG_SENSITIVE_INFO=false
# Slow query log threshold in milliseconds. Queries exceeding this duration are logged.
# Set to -1 to disable slow query logging, 0 to log all queries.
# Default: 1000 (1 second) in production, 500 (0.5 seconds) in development.
JIM_DB_LOG_MIN_DURATION=1000
# =============================================================================
# Logging Configuration
# =============================================================================
# Valid levels: Verbose, Debug, Information, Warning, Error, Fatal
# Verbose/Debug output is far more likely to include sensitive detail; treat
# them as troubleshooting-only settings rather than a production default.
JIM_LOG_LEVEL=Information
# /tmp is shared between all local users and is usually cleared on reboot. For
# production, point this at a dedicated directory with restrictive permissions
# so logs are neither readable by other users nor silently lost.
JIM_LOG_PATH=/tmp/jim-logs
# NOTE(review): appears to enable per-request logging - confirm what is
# captured (headers? bodies?) before enabling it outside troubleshooting.
JIM_LOG_REQUESTS=false
# =============================================================================
# UI Theme (Optional)
# =============================================================================
# Built-in colour theme for the JIM web interface.
# Valid values: purple, black, blended-nav, future-minimal, navy-o5, navy-o6
# Default: navy-o6
#
# JIM_THEME=navy-o6
# =============================================================================
# OpenAPI Documentation (Optional)
# =============================================================================
# JIM_OPENAPI_GENERATE=true - Run in lightweight mode: generate OpenAPI doc and exit
# (no DB or IdP required). Used by jim-openapi-generate
# and the Docker build.
# JIM_OPENAPI_OUTPUT_PATH=<path> - Override the output path for the generated document.
# Default: wwwroot/api/openapi/v1.json
# =============================================================================
# Infrastructure API Key (Optional - for CI/CD automation)
# =============================================================================
# Set this to create an API key on startup for automated configuration.
# The key must start with 'jim_ak_' and be at least 32 characters.
# The infrastructure key:
# - Has Administrator role
# - Expires 24 hours after creation
# - Is marked as 'Infrastructure' in the UI
# - Should be deleted after initial setup is complete
#
# Generate a key with: openssl rand -hex 32 | sed 's/^/jim_ak_/'
# (64 hex characters after the prefix - well above the 32-character minimum).
# Example (illustrative placeholder, not real hex output): jim_ak_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6
#
# Because it carries the Administrator role, treat it like a root credential:
# inject it from your CI/CD secret store rather than writing it into .env, and
# delete it as soon as setup is done instead of relying on the 24-hour expiry.
#
# JIM_INFRASTRUCTURE_API_KEY=jim_ak_your_generated_key_here
# =============================================================================
# SSO/OIDC Configuration — Development defaults (bundled Keycloak)
# =============================================================================
# The devcontainer ships a pre-configured Keycloak instance that starts
# automatically with jim-stack. These defaults work out of the box —
# override them below to use an external IdP instead.
#
# Bundled Keycloak:
# Admin console: http://localhost:8181 (admin / admin)
# Test users: admin / admin | user / user
# Realm: jim
# These bundled accounts are development-only conveniences: do not expose the
# devcontainer Keycloak beyond localhost or reuse its realm for a real deployment.
#
# To use an external IdP, replace these values with your provider's settings.
# See docs/SSO_SETUP_GUIDE.md for provider-specific configuration.
#
# The OIDC authority URL - examples for common identity providers:
#
# Cloud-based:
# Microsoft Entra ID: https://login.microsoftonline.com/{tenant-id}/v2.0
# Okta: https://{your-domain}.okta.com
# Auth0: https://{your-tenant}.auth0.com
# Google: https://accounts.google.com
# AWS Cognito: https://cognito-idp.{region}.amazonaws.com/{user-pool-id}
# Ping Identity: https://{your-domain}.pingone.com/as
#
# Self-hosted / On-premises:
# AD FS: https://{adfs-server}/adfs
# Keycloak: https://{keycloak-server}/realms/{realm-name}
# IdentityServer: https://{your-server}
# Authentik: https://{authentik-server}/application/o/{app-slug}
# Zitadel: https://{your-instance}.zitadel.cloud
#
# Development default for the bundled Keycloak. Plain http is acceptable only
# on localhost: for any external IdP use https, because this is the URL JIM
# uses for token validation and JWKS (signing key) lookups - see below.
JIM_SSO_AUTHORITY=http://localhost:8181/realms/jim
# Optional: client-facing OIDC authority URL.
# Set this ONLY when the backend and interactive clients reach the identity
# provider on different URLs. Typical cases:
# - Dev devcontainer: jim.web reaches Keycloak via Docker DNS
# (jim.keycloak:8080) while browsers and the PowerShell module on the host
# reach it via localhost:8181. The bundled dev stack handles this for you
# via docker-compose.override.yml; you normally do not need to set it here.
# - Split-horizon reverse proxy: the backend has an internal URL to the IdP
# while clients use a public URL.
#
# When set, it is advertised to interactive clients via /api/v1/auth/config
# (used by the JIM PowerShell module for OIDC discovery). When unset, clients
# receive JIM_SSO_AUTHORITY. Backend token validation and JWKS lookups always
# use JIM_SSO_AUTHORITY and are unaffected by this setting.
#
# JIM_SSO_PUBLIC_AUTHORITY=http://localhost:8181/realms/jim
# The OAuth client/application ID
# Format varies by provider:
# Entra ID: GUID (e.g., 12345678-1234-1234-1234-123456789abc)
# Okta: alphanumeric string (e.g., 0oa1234567abcdefg)
# Auth0: alphanumeric string (e.g., abc123DEF456)
# Keycloak: client name or GUID
# AD FS: client identifier string
# Google: numeric string ending in .apps.googleusercontent.com
#
JIM_SSO_CLIENT_ID=jim-web
# Optional: client ID for interactive public clients (PowerShell module, etc.).
# OAuth 2.0 separates confidential clients (web apps with a stored secret) from
# public clients (desktop / CLI tools using PKCE with loopback redirects).
# Whether you need a separate registration depends on your IdP:
# - Entra ID: One app registration can have both a Web and a Mobile/Desktop
# platform; you can set this to the same value as JIM_SSO_CLIENT_ID.
# - AD FS: A single Application Group can include both a web and a native
# application; you can set this to the same client identifier.
# - Keycloak: Confidential and public clients MUST be registered separately.
# Create a second client (e.g. 'jim-powershell') and set this var to its
# client ID.
#
# When set, JIM advertises this client ID to interactive clients via the
# /api/v1/auth/config endpoint. When unset, clients receive JIM_SSO_CLIENT_ID
# (fine for IDPs where both platforms share a registration). Backend token
# validation is unaffected; tokens from either client must still carry the
# JIM_SSO_API_SCOPE audience and be signed by a trusted issuer.
#
# JIM_SSO_PUBLIC_CLIENT_ID=jim-powershell
# The OAuth client secret
# 'jim-dev-secret' is the development default for the bundled Keycloak. Every
# other deployment needs its own secret issued by the IdP, and that value
# belongs in .env (or a secret store) - never in this committed file.
JIM_SSO_SECRET=jim-dev-secret
# The API scope for JWT bearer authentication (API endpoints)
# Examples:
# Entra ID: api://{client-id}/access_as_user
# Okta: api://default
# Auth0: https://{your-api-identifier}
# Keycloak: {client-id}
# AD FS: api://{client-id}
#
JIM_SSO_API_SCOPE=jim-api
# Trusted token issuers for API JWT validation (comma-separated)
# Usually not needed - JIM auto-detects the issuer from the authority URL.
# Only set this if your provider's issuer URL differs from its authority URL,
# or you need to trust multiple issuers (e.g., during a provider migration).
# Every issuer listed here is fully trusted to mint API tokens, so keep the
# list minimal and remove migration-era entries once the old provider is gone.
#
# The bundled Keycloak is configured with KC_HOSTNAME=http://localhost:8181,
# so its 'iss' claim is always http://localhost:8181/realms/jim regardless
# of whether JIM.Web reaches Keycloak via localhost (native debugging) or
# Docker DNS (full stack). Only the back-channel endpoint URLs in the
# discovery document vary by access path; the token 'iss' claim is constant.
#
JIM_SSO_VALID_ISSUERS=http://localhost:8181/realms/jim
# =============================================================================
# User Identity Mapping
# =============================================================================
# JIM uses standard OIDC claim names (MapInboundClaims is disabled).
# This means claims like 'sub', 'name', 'email' are preserved as-is.
#
# The JWT claim type containing the user's unique identifier.
# This claim should contain a stable, unique value for each user.
#
# RECOMMENDED: Use 'sub' (standard OIDC subject identifier) for most providers.
# The 'sub' claim is guaranteed to be unique and stable per user per application.
#
# Standard OIDC claims (work with all providers):
# sub - Subject identifier (RECOMMENDED - unique per user per app)
# email - User's email address (if unique in your organisation, verified by
# the IdP, and never reassigned to a different person)
# preferred_username - User's preferred username (often UPN for Entra ID)
#
# To find your claim values, log into JIM and visit the /claims page.
#
JIM_SSO_CLAIM_TYPE=sub
# The Metaverse attribute name to match the claim value against.
# This should be an attribute on the User object type in JIM that stores
# the unique identifier from your identity provider.
# NOTE(review): the value is quoted because it contains a space - confirm that
# your .env loader (docker-compose vs. the app's own loader) strips the quotes
# the same way, otherwise the attribute lookup may silently fail.
JIM_SSO_MV_ATTRIBUTE="Subject Identifier"
# The claim value for the initial admin user (used during first-time setup).
# This is the value of JIM_SSO_CLAIM_TYPE for your admin user.
#
# To find this value:
# 1. Log into JIM with your admin account
# 2. Navigate to /claims
# 3. Find the value of the claim type you specified above
#
# Examples by claim type:
# sub: Varies by provider (Entra ID uses a cryptographic hash, others use GUIDs)
# email: admin@example.com
#
# The default below matches the bundled Keycloak admin user (fixed UUID).
# Replace it when pointing at an external IdP: whichever account your IdP
# issues this claim value to (if any) becomes the initial administrator.
JIM_SSO_INITIAL_ADMIN=00000000-0000-0000-0000-000000000001
# =============================================================================
# Integration Test Metrics (Optional)
# =============================================================================
# When set, the integration test runner streams performance metrics to the
# JIM-Bench ingestion API (https://bench-api.junctional.io) for Grafana
# dashboards. Leave blank to disable metrics streaming (tests still run
# normally with local-only results).
# The API key is a credential for an external service: set it only in .env or
# the CI secret store, never in this committed file.
#
#JIM_BENCH_API_URL=https://bench-api.junctional.io
#JIM_BENCH_API_KEY=