refactor: move environment variables to runtime for secure containerized builds
Some checks failed
CI / build-and-deploy (push) Failing after 47s
Some checks failed
CI / build-and-deploy (push) Failing after 47s
Change from $env/static/private to $env/dynamic/private for all environment variables. This allows building in CI without embedding secrets in build artifacts, while keeping secrets secure on the server at runtime. Changes: - Refactor auth configuration to use dynamic env vars - Move database connection string to runtime - Update image API routes to read IMAGE_DIR at runtime - Add .env.example for documentation This enables the containerized build workflow to succeed without requiring a .env file during build, as secrets are only needed when the application starts on the server.
This commit is contained in:
24
.env.example
Normal file
24
.env.example
Normal file
@@ -0,0 +1,24 @@
|
||||
# Database Configuration
|
||||
MONGO_URL="mongodb://user:password@host:port/database?authSource=admin"
|
||||
|
||||
# Authentication Secrets (runtime only - not embedded in build)
|
||||
AUTHENTIK_ID="your-authentik-client-id"
|
||||
AUTHENTIK_SECRET="your-authentik-client-secret"
|
||||
|
||||
# Static Configuration (embedded in build - OK to be public)
|
||||
AUTHENTIK_ISSUER="https://sso.example.com/application/o/your-app/"
|
||||
|
||||
# File Storage
|
||||
IMAGE_DIR="/path/to/static/files"
|
||||
|
||||
# Optional: Development Settings
|
||||
# DEV_DISABLE_AUTH="true"
|
||||
# ORIGIN="http://127.0.0.1:3000"
|
||||
|
||||
# Optional: Additional Configuration
|
||||
# BEARER_TOKEN="your-bearer-token"
|
||||
# COOKIE_SECRET="your-cookie-secret"
|
||||
# PEPPER="your-pepper-value"
|
||||
# ALLOW_REGISTRATION="1"
|
||||
# AUTH_SECRET="your-auth-secret"
|
||||
# USDA_API_KEY="your-usda-api-key"
|
||||
Reference in New Issue
Block a user