# Environment variable file for Endurain's docker-compose.yml.example.
# It lists only the variables you must set to get up and running.
# Many more variables are supported; see:
# https://docs.endurain.com/getting-started/advanced-started/#supported-environment-variables
#
# This file holds credentials. Keep the real copy out of version control and
# readable only by the account that runs docker compose.
# Every "changeme" below is a placeholder and must be replaced before first start.

# Local path for data persistence volumes. Defaults to /var/opt/endurain (FHS-compliant).
# Set this to an absolute path if you need to relocate data directories.
# LOCAL_PATH=/var/opt/endurain

# Database password. Set a strong, unique value and make sure it has no
# leading or trailing whitespace. Must be the same as POSTGRES_PASSWORD.
DB_PASSWORD=changeme
# Must be the same as DB_PASSWORD
POSTGRES_PASSWORD=changeme

# Application secrets. Replace both placeholders with independently generated
# random values; do not reuse the database password or share one value between them.
# NOTE(review): SECRET_KEY presumably signs session/auth tokens and FERNET_KEY
# presumably encrypts stored secrets - confirm in the docs linked above, which
# should also give the expected key format and a generation command.
# A standard Fernet key is 32 random bytes in URL-safe base64, so an arbitrary
# passphrase is not a valid value if the app uses that format.
# NOTE(review): changing FERNET_KEY later presumably makes data encrypted with
# the old key unreadable - confirm before rotating it.
SECRET_KEY=changeme
FERNET_KEY=changeme

# Time zone, as an IANA zone name.
TZ=Europe/Lisbon

# NOTE(review): presumably the public base URL users reach this instance at;
# the example uses https - confirm in docs.
ENDURAIN_HOST=https://endurain.example.com
# NOTE(review): presumably tells the app that a reverse proxy sits in front of
# it; set to true only when that is actually the case - confirm in docs.
BEHIND_PROXY=true

# Storage backends for rate limiting and auth security state.
# The example URIs carry no password and use plain redis:// (no TLS), so they
# assume a Redis instance reachable only on the internal compose network
# (presumably the "redis" service of the compose file). Do not publish its port.
RATE_LIMIT_STORAGE_URI=redis://redis:6379/0
AUTH_SECURITY_STORAGE_URI=redis://redis:6379/0

# Optional: Allow custom URI schemes in SSO redirect URLs (Mobile / system-browser OAuth flow)
# Comma-separated list of custom URI schemes that mobile apps may pass as the
# `redirect` query parameter when initiating SSO via the system browser.
# Example: ALLOWED_REDIRECT_SCHEMES=endurain,gadgetbridge,myapp
# Default when unset: endurain
# If set, the provided list is used as-is (it does not merge with defaults).
# Use an explicit empty value to allow only relative paths:
#   ALLOWED_REDIRECT_SCHEMES=
# Security: External http/https URLs are always rejected regardless of this setting.
# List only the schemes of apps you actually use.
#ALLOWED_REDIRECT_SCHEMES=endurain

# Optional: SSRF allowlist for admin-configured outbound calls (currently OIDC
# discovery and JWKS fetch only). Comma-separated list of exact hostnames
# (case-insensitive) and/or explicit IP CIDR ranges that may resolve to
# private/internal addresses. Use this to enable self-hosted identity providers
# (Authentik, Pocket ID, Keycloak, ...) reachable only over a private network.
# Examples:
#   SSRF_ALLOWED_HOSTS=auth.internal.example.com
#   SSRF_ALLOWED_HOSTS=auth.internal.example.com,10.10.0.0/24,fd00::/64
# Security:
#   - Wildcards ('*') are rejected.
#   - Overly broad CIDRs are rejected (IPv4 prefix must be >= /8, IPv6 >= /32).
#   - Every allowlisted outbound call is logged at INFO level for audit.
#   - The allowlist does NOT apply to other outbound calls (geocoding, etc.).
#   - Prefer exact hostnames, or the narrowest CIDR that covers the identity
#     provider, over a whole private range.
# Default: empty (no private destinations are ever dialed).
#SSRF_ALLOWED_HOSTS=

# If you change this, you also have to change DB_DATABASE
POSTGRES_DB=endurain
# Uncomment and set it to the same as POSTGRES_DB if you change it
# DB_DATABASE=endurain
# If you change this, you also have to change DB_USER
POSTGRES_USER=endurain
# Uncomment and set it to the same as POSTGRES_USER if you change it
# DB_USER=endurain
# PostgreSQL data directory inside the database container.
PGDATA=/var/lib/postgresql/data/pgdata

# Optional: Enable session timeouts (default: false)
# Enable idle session timeout
#SESSION_IDLE_TIMEOUT_ENABLED=true
# If enabled, configure timeout durations
# Idle timeout (no activity), in hours
#SESSION_IDLE_TIMEOUT_HOURS=1
# Absolute max session lifetime, in hours
#SESSION_ABSOLUTE_TIMEOUT_HOURS=24

# Email configuration (for password reset functionality)
# Use a dedicated app password for SMTP_PASSWORD rather than the mailbox's
# main password, and keep the transport secured so it is not sent in cleartext.
#SMTP_HOST=smtp.protonmail.ch
#SMTP_PORT=587
#SMTP_USERNAME=your-email@example.com
#SMTP_PASSWORD=your-app-password
#SMTP_SECURE=true
#SMTP_SECURE_TYPE=starttls

# Optional: Rate limiting configuration
# Rate limiting is enabled by default (default: true). Disable it only for
# development; leave it enabled on any instance reachable by other users.
#RATE_LIMIT_ENABLED=true