-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy path.env.example
More file actions
154 lines (120 loc) · 7.17 KB
/
Copy path.env.example
File metadata and controls
154 lines (120 loc) · 7.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
# =============================================================================
# nest-server — Environment Variables
# =============================================================================
# Copy to `.env` and adjust values.
#
# Legend:
# - Uncommented lines → REQUIRED for a production deployment.
# - Commented lines → OPTIONAL (defaults apply, or feature is off).
#
# Local/dev/ci/e2e environments have sensible fallbacks in `src/config.env.ts`
# (well-known test secrets, Mailhog defaults, localhost URLs) — you typically
# do NOT need any `.env` at all for local work.
#
# Two ways to configure:
# 1. Standard env vars → read via `process.env.X` in `src/config.env.ts`
# 2. NSC__ prefix → auto-mapped to config paths
# NSC__MONGOOSE__URI → config.mongoose.uri
# NSC__APP_URL → config.appUrl
# NSC__BASE_URL → config.baseUrl (single underscore → camelCase)
# =============================================================================
# Database (required in production)
# =============================================================================
MONGODB_URI=mongodb://localhost:27017/my-app-production
# =============================================================================
# URLs (required in production)
# =============================================================================
# API base URL — used for CORS, Passkey RP ID, email links, OAuth callbacks.
# The frontend/app URL is auto-derived: api.example.com → example.com
BASE_URL=https://api.example.com
# Frontend/app URL (optional — auto-derived from BASE_URL if unset)
# NSC__APP_URL=https://example.com
# =============================================================================
# Authentication Secrets (required in production)
# =============================================================================
# Better-Auth secret — signs session cookies + JWTs. Minimum 32 characters.
# Generate with:
# node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
BETTER_AUTH_SECRET=CHANGE_ME_generate_32plus_chars_with_node_crypto_randomBytes
# JWT secrets (optional — only required when using Legacy Auth endpoints).
# With BetterAuth-only mode, these can stay unset.
# Generate with:
# node -e "console.log(require('crypto').randomBytes(64).toString('base64'))"
# JWT_SECRET=CHANGE_ME_generate_64plus_chars_with_node_crypto_randomBytes
# JWT_REFRESH_SECRET=CHANGE_ME_different_64plus_chars_than_JWT_SECRET
# =============================================================================
# Email — SMTP required in production, Brevo optional overlay
# =============================================================================
# -----------------------------------------------------------------------------
# SMTP (required — baseline transport for ALL outgoing mail)
# -----------------------------------------------------------------------------
# Any SMTP provider: AWS SES, SendGrid, Postmark, Mailgun, self-hosted Postfix.
# Handles all auth flows and custom app emails.
EMAIL_DEFAULT_SENDER=noreply@example.com
SMTP_HOST=smtp.example.com
SMTP_PORT=587
SMTP_USER=smtp-user
SMTP_PASS=smtp-password
# EMAIL_DEFAULT_SENDER_NAME=My App # default: "Nest Server"
# SMTP_SECURE=true # default: true (set false for STARTTLS on :587)
# -----------------------------------------------------------------------------
# Brevo Transactional API (optional overlay for template-based mails)
# -----------------------------------------------------------------------------
# Brevo (ex-Sendinblue) sends via HTTPS with server-side templates.
# Runs IN PARALLEL to SMTP — only used when a module references a
# `brevoTemplateId` (e.g. `betterAuth.emailVerification.brevoTemplateId`).
# All other mails still flow through the SMTP transport above.
# Get an API key at https://app.brevo.com/settings/keys/api
# BREVO_API_KEY=xkeysib-your-brevo-api-key
# =============================================================================
# CORS (optional — origins auto-derived from BASE_URL + APP_URL)
# =============================================================================
# Additional allowed origins (comma-separated, merged with APP_URL + BASE_URL).
# CORS_ALLOWED_ORIGINS=https://admin.example.com,https://partner.example.com
# =============================================================================
# Feature Toggles (optional — sensible defaults apply)
# =============================================================================
# Disable Legacy Auth endpoints after all users have migrated to BetterAuth (IAM).
# Default: true (legacy endpoints active). Set to 'false' to return HTTP 410 Gone.
# LEGACY_AUTH_ENABLED=false
# BetterAuth rate limiting (in-memory, per IP).
# Defaults: enabled=true, max=10 requests per 60s window.
# RATE_LIMIT_ENABLED=true
# RATE_LIMIT_MAX=10
# Two-Factor Authentication app name — shown in Authenticator apps (TOTP issuer).
# Default: "Nest Server"
# TWO_FACTOR_APP_NAME=My App
# =============================================================================
# Social Login (optional — BetterAuth OAuth providers)
# =============================================================================
# SOCIAL_GOOGLE_CLIENT_ID=
# SOCIAL_GOOGLE_CLIENT_SECRET=
# SOCIAL_GITHUB_CLIENT_ID=
# SOCIAL_GITHUB_CLIENT_SECRET=
# =============================================================================
# AI Assistant module (optional — enabled when an `ai` config block is present)
# =============================================================================
# Connections to LLMs are managed at runtime (admin CRUD) and stored in the DB
# with AES-256-GCM-encrypted API keys. The variables below only (a) seed ONE
# default connection on first start and (b) provide the encryption secret.
# Encryption secret for stored API keys — REQUIRED in production when AI is used.
# Without it, keys are encrypted with an insecure development default (warned only).
# Minimum 32 characters. Generate with:
# node -e "console.log(require('crypto').randomBytes(32).toString('base64'))"
# NSC__AI__ENCRYPTION_SECRET=CHANGE_ME_generate_32plus_chars_with_node_crypto_randomBytes
# One-time seed of a default connection (only seeded when AI_BASE_URL is set).
# Works with any OpenAI-compatible endpoint (local runtime or hosted).
# AI_BASE_URL=https://llm.example.com/v1
# AI_API_KEY=your-llm-api-key
# AI_MODEL=gpt-oss-120b
# AI_SUPPORTS_JSON=true # backend supports response_format json_object
# AI_SUPPORTS_NATIVE_TOOLS=true # backend supports native function/tool calling
# MCP server OAuth 2.1 secret (only when ai.mcp.oauth is enabled). Minimum 32 chars.
# NSC__AI__MCP__OAUTH_SECRET=CHANGE_ME_generate_32plus_chars_with_node_crypto_randomBytes
# =============================================================================
# Initial Admin (optional — first deployment only; remove after setup)
# =============================================================================
# Creates a single admin user on first startup if the user collection is empty.
# NSC__SYSTEM_SETUP__INITIAL_ADMIN__EMAIL=admin@example.com
# NSC__SYSTEM_SETUP__INITIAL_ADMIN__PASSWORD=YourSecurePassword123!
# NSC__SYSTEM_SETUP__INITIAL_ADMIN__NAME=Admin