# Copy to .env and fill in as needed. # Settings are primarily managed through the in-app Settings UI. # These are NOT required — the app defaults to LM Studio with no API keys. ANTHROPIC_API_KEY= OPENAI_API_KEY= # ── PostgreSQL ─────────────────────────────────────────────────────────────── # App user — SELECT/INSERT/UPDATE/DELETE only, used by FastAPI + Celery DATABASE_URL=postgresql+psycopg://docuvault_app:changeme_app@postgres:5432/docuvault # Migration user — DDL privileges, used ONLY by Alembic, never by the app at runtime DATABASE_MIGRATE_URL=postgresql+psycopg://docuvault_migrate:changeme_migrate@postgres:5432/docuvault # Superuser password for the postgres init container — used only by initdb.d scripts POSTGRES_PASSWORD=changeme_super # ── MinIO ──────────────────────────────────────────────────────────────────── MINIO_ROOT_USER=minioadmin MINIO_ROOT_PASSWORD=changeme_minio_root MINIO_ENDPOINT=minio:9000 # App-level access key — minimal permissions on docuvault bucket only MINIO_ACCESS_KEY=docuvault_app MINIO_SECRET_KEY=changeme_minio_app MINIO_BUCKET=docuvault # ── Redis ───────────────────────────────────────────────────────────────────── REDIS_PASSWORD=changeme_redis # Must match REDIS_PASSWORD; the leading : is the no-username form for requirepass REDIS_URL=redis://:changeme_redis@redis:6379/0 # ── Security (Phase 2) ─────────────────────────────────────────────────────── # JWT signing secret — generate with: python3 -c "import secrets; print(secrets.token_hex(64))" SECRET_KEY=CHANGEME-replace-with-64-char-random-hex # ── Admin Bootstrap (Phase 2 — D-04) ───────────────────────────────────────── # First admin account created on startup if users table is empty. # Both vars must be set; if missing, a WARNING is logged but app starts normally. ADMIN_EMAIL=admin@example.com ADMIN_PASSWORD=CHANGEME-replace-with-strong-password # ── SMTP / Email (Phase 2 — D-01) ──────────────────────────────────────────── # When SMTP_HOST is unset, password reset links are logged to stdout (dev mode). SMTP_HOST= SMTP_PORT=587 SMTP_USER= SMTP_PASSWORD= SMTP_FROM=noreply@docuvault.local # ── CORS (Phase 2 — D-09) ──────────────────────────────────────────────────── # Comma-separated list of allowed origins. Default: http://localhost:5173 # Example for production: https://app.docuvault.example.com CORS_ORIGINS=http://localhost:5173 # ── Cloud Storage Backends (Phase 5) ───────────────────────────────────────── # Master key for HKDF per-user cloud credential encryption. # Must be at least 32 bytes. Generate with: # python3 -c "import secrets; print(secrets.token_urlsafe(32))" CLOUD_CREDS_KEY=CHANGEME-32-bytes-padded!! # Google Drive OAuth 2.0 — create credentials at https://console.cloud.google.com/ GOOGLE_CLIENT_ID= GOOGLE_CLIENT_SECRET= # Microsoft OneDrive OAuth 2.0 — create app at https://portal.azure.com/ ONEDRIVE_CLIENT_ID= ONEDRIVE_CLIENT_SECRET= # "common" for personal + org accounts; or your tenant UUID for org-only ONEDRIVE_TENANT_ID=common # Backend and frontend URLs — used to construct OAuth callback/redirect URLs BACKEND_URL=http://localhost:8000 FRONTEND_URL=http://localhost:5173