infra/cloud/.env.example

# Aggregated env for the cloud composition.
# Copy to .env and fill in real values. Never commit .env.

TZ=Europe/Amsterdam

# Domain / TLS
PRIMARY_DOMAIN=wbd-rd.nl
LETSENCRYPT_EMAIL=r.de.ren@brabantsedelta.nl
# Production CA: https://acme-v02.api.letsencrypt.org/directory
# Staging CA (testing): https://acme-staging-v02.api.letsencrypt.org/directory
ACME_CA_URI=https://acme-v02.api.letsencrypt.org/directory

# WireGuard server
WG_SERVER_PORT=51820
WG_SERVER_PUBLIC_HOST=

# Keycloak (admin bootstrap + DB). KEYCLOAK_ADMIN/_PASSWORD are the master-realm
# emergency admin — only used the first time the container starts. The wbd
# realm + per-app OIDC clients are bootstrapped via kcadm in stacks/keycloak/README.md.
KEYCLOAK_ADMIN=admin
KEYCLOAK_ADMIN_PASSWORD=
KEYCLOAK_HOSTNAME=auth.wbd-rd.nl
KEYCLOAK_DB_PASSWORD=

# InfluxDB
INFLUX_ADMIN_USER=admin
INFLUX_ADMIN_PASSWORD=
INFLUX_ADMIN_TOKEN=
INFLUX_ORG=wbd
INFLUX_BUCKET=telemetry

# Grafana
GRAFANA_ADMIN_USER=admin
GRAFANA_ADMIN_PASSWORD=
GRAFANA_ROOT_URL=https://dash.wbd-rd.nl

# SQL (postgres — single point of config)
SQL_DB=config
SQL_USER=config
SQL_PASSWORD=

# RabbitMQ
RABBITMQ_USER=admin
RABBITMQ_PASSWORD=
RABBITMQ_VHOST=/

# Postfix
POSTFIX_RELAYHOST=
POSTFIX_FROM_DOMAIN=wbd-rd.nl

# Gitea (HTTPS-only; uses sql backend; OIDC via Keycloak)
GITEA_ROOT_URL=https://git.wbd-rd.nl
GITEA_DOMAIN=git.wbd-rd.nl
GITEA_DB_HOST=sql:5432
GITEA_DB_NAME=gitea
GITEA_DB_USER=gitea
GITEA_DB_PASSWORD=
GITEA_OAUTH_CLIENT_ID=gitea
GITEA_OAUTH_CLIENT_SECRET=
GITEA_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
GITEA_MAIL_FROM=gitea@wbd-rd.nl

# Jenkins (authn via Keycloak OIDC + JCasC matrix-auth; see stacks/jenkins/config/jenkins.yaml)
JENKINS_ADMIN_USER=admin
JENKINS_ADMIN_PASSWORD=
JENKINS_OAUTH_CLIENT_ID=jenkins
JENKINS_OAUTH_CLIENT_SECRET=
JENKINS_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration

# MLflow (uses sql backend; gated by oauth2-proxy at the nginx layer)
MLFLOW_DB_NAME=mlflow
MLFLOW_DB_USER=mlflow
MLFLOW_DB_PASSWORD=
MLFLOW_OAUTH_CLIENT_ID=mlflow
MLFLOW_OAUTH_CLIENT_SECRET=
MLFLOW_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration

# JupyterHub (Keycloak OIDC via oauthenticator.GenericOAuthenticator)
# JUPYTERHUB_ADMIN_USERS: comma-separated emails of users who get the Hub admin UI.
JUPYTER_NOTEBOOK_IMAGE=jupyter/datascience-notebook:latest
JUPYTERHUB_ADMIN_USERS=
JUPYTERHUB_OAUTH_CLIENT_ID=jupyterhub
JUPYTERHUB_OAUTH_CLIENT_SECRET=
JUPYTERHUB_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration

# Node-RED (passport-openidconnect; only the editor is gated)
# NODERED_ADMIN_USERS: comma-separated usernames/emails — get permissions "*".
# Everyone else in the realm gets ["read"] (can view flows, can't deploy).
NODERED_OAUTH_CLIENT_ID=node-red
NODERED_OAUTH_CLIENT_SECRET=
NODERED_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration
NODERED_ADMIN_USERS=

# Grafana OIDC (generic_oauth → Keycloak wbd realm)
GRAFANA_OAUTH_CLIENT_ID=grafana
GRAFANA_OAUTH_CLIENT_SECRET=
GRAFANA_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration

# Portainer-CE — gated by oauth2-proxy at nginx; local admin pre-seeded via bcrypt hash.
# Generate hash with: docker run --rm python:3.13-alpine sh -c "pip install -q bcrypt;
#   python -c \"import bcrypt; print(bcrypt.hashpw(b'<password>', bcrypt.gensalt()).decode())\""
# Then double every $ in the hash before pasting (compose interpolates single $).
PORTAINER_ADMIN_PASSWORD=
PORTAINER_ADMIN_PASSWORD_HASH=
PORTAINER_OAUTH_CLIENT_ID=portainer-ce
PORTAINER_OAUTH_CLIENT_SECRET=
PORTAINER_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration

# RabbitMQ management UI — gated by oauth2-proxy at nginx. Users still log into
# the RabbitMQ UI with the local broker credentials above; SSO only gates access
# to the page itself.
RABBITMQ_OAUTH_CLIENT_ID=rabbitmq
RABBITMQ_OAUTH_CLIENT_SECRET=
RABBITMQ_OAUTH_DISCOVERY_URL=https://auth.wbd-rd.nl/realms/wbd/.well-known/openid-configuration

# oauth2-proxy cookie secrets (per-app). 16, 24, or 32 raw bytes — easiest is
# 32 hex chars (i.e. `openssl rand -hex 16`). Different per app to keep cookies
# scoped and to limit blast radius if one ever leaks.
OAUTH2_PROXY_COOKIE_SECRET_MLFLOW=
OAUTH2_PROXY_COOKIE_SECRET_PORTAINER=
OAUTH2_PROXY_COOKIE_SECRET_RABBITMQ=

# FROST (SensorThings — dedicated postgis + internal mosquitto bus, ingressed at sta.wbd-rd.nl)
FROST_DB_PASSWORD=
FROST_SERVICE_ROOT_URL=https://sta.wbd-rd.nl/FROST-Server