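# =============================================================================
# PatchMon Environment Configuration For Docker
# =============================================================================
# Copy this file to .env and fill in the required values.
#
#   cp env.example .env
#
# Generate strong secrets with:
#   openssl rand -hex 32    (for passwords)
#   openssl rand -hex 64    (for JWT secret)
#
# The CHANGE_ME values below are placeholders, not usable defaults: replace
# every one of them before starting. Keep .env out of version control and
# readable only by the account that runs Docker.
#
# Comments are full-line only. Some env-file readers (e.g. docker run --env-file)
# treat a trailing "# comment" on a value line as part of the value.
#
# For full documentation, see: https://docs.patchmon.net
# =============================================================================

# =============================================================================
# REQUIRED - These MUST be set before starting PatchMon
# =============================================================================
# Database password for the bundled PostgreSQL service (openssl rand -hex 32).
POSTGRES_PASSWORD=CHANGE_ME_postgres_password
# Password for the bundled Redis service (openssl rand -hex 32).
REDIS_PASSWORD=CHANGE_ME_redis_password
# Signing secret for issued JWTs (openssl rand -hex 64). Rotating it
# invalidates existing tokens.
JWT_SECRET=CHANGE_ME_jwt_secret

# Server access - how agents and browsers reach PatchMon.
# CORS_ORIGIN should match the full URL you access PatchMon from in your browser.
# Change SERVER_* and CORS_ORIGIN together so they describe the same URL;
# a mismatch leaves the browser unable to call the API.
SERVER_PROTOCOL=http
SERVER_HOST=localhost
SERVER_PORT=3000
CORS_ORIGIN=http://localhost:3000

# =============================================================================
# OPTIONAL - Uncomment and change any values below to override defaults
# =============================================================================

# --- Environment ---
# Set to 'development' for development mode, 'production' for production
# Development mode enables hot reload, more verbose logging, and dev tools
# NODE_ENV=production

# --- Logging ---
# LOG_LEVEL=info
# ENABLE_LOGGING=true
# PM_LOG_TO_CONSOLE=false
# PM_LOG_REQUESTS_IN_DEV=false
# PRISMA_LOG_QUERIES=false

# --- Authentication ---
# JWT_EXPIRES_IN=1h
# JWT_REFRESH_EXPIRES_IN=7d
# SESSION_INACTIVITY_TIMEOUT_MINUTES=30
# DEFAULT_USER_ROLE=user

# --- Network ---
# ENABLE_HSTS=true
# TRUST_PROXY: Trust proxy headers when behind a reverse proxy (nginx, Apache, etc.)
# SECURITY: Setting this to 'true' allows IP spoofing. Use specific values instead:
#   - '1' or 'loopback' for single trusted proxy (recommended for Docker)
#   - 'false' if not behind a reverse proxy
#   - See https://expressjs.com/en/guide/behind-proxies.html for advanced options
# Rate limiting and account lockout below key on the client IP, so an
# over-broad TRUST_PROXY lets a client choose the IP those limits see.
# TRUST_PROXY=1

# Multiple CORS origins (comma-separated). Only needed if PatchMon is accessed
# from more than one domain. Overrides CORS_ORIGIN above when set.
# CORS_ORIGINS=https://patchmon.example.com,https://patchmon-alt.example.com

# --- Body size limits ---
# JSON_BODY_LIMIT=5mb
# AGENT_UPDATE_BODY_LIMIT=2mb

# --- Timezone ---
# Controls timestamps in logs and the UI (e.g. UTC, Europe/London, America/New_York).
# TZ=UTC

# --- Database connection pool (Prisma) ---
# Adjust based on deployment size. See documentation for guidance.
# DB_CONNECTION_LIMIT=30
# DB_POOL_TIMEOUT=20
# DB_CONNECT_TIMEOUT=10
# DB_IDLE_TIMEOUT=300
# DB_MAX_LIFETIME=1800

# --- Database transaction timeouts (milliseconds) ---
# DB_TRANSACTION_MAX_WAIT=10000
# DB_TRANSACTION_TIMEOUT=30000
# DB_TRANSACTION_LONG_TIMEOUT=60000

# --- Database connection retry ---
# PM_DB_CONN_MAX_ATTEMPTS=30
# PM_DB_CONN_WAIT_INTERVAL=2

# --- Redis Configuration ---
# These settings control Redis connection and BullMQ job queue behavior.
# REDIS_HOST=redis
# REDIS_PORT=6379
# REDIS_USER=
# REDIS_DB=0

# Redis Connection Timeouts (milliseconds)
# Increase these if you see "Command timed out" errors
# Common causes: Redis memory pressure, slow disk I/O, connection pool exhaustion
# REDIS_CONNECT_TIMEOUT_MS: time to wait for the initial connection (default: 60000 = 60s)
# REDIS_CONNECT_TIMEOUT_MS=60000
# REDIS_COMMAND_TIMEOUT_MS: time to wait for Redis commands to complete (default: 60000 = 60s)
# REDIS_COMMAND_TIMEOUT_MS=60000
#
# Note: enableReadyCheck is set to true by default to prevent commands from queueing
# before Redis is ready. This prevents timeout errors caused by command queueing.

# BullMQ Lock Configuration (milliseconds)
# These settings prevent "Missing lock" or "could not renew lock" errors when Redis is slow.
# lockDuration: How long a job can run before its lock expires (default: 120000 = 120s)
# lockRenewTime: How often to renew the lock to prevent expiration (default: 20000 = 20s)
# Increase lockDuration if you see lock expiration errors with long-running jobs
# Decrease lockRenewTime if lock renewals are timing out (must be < lockDuration and < REDIS_COMMAND_TIMEOUT_MS)
# BULLMQ_LOCK_DURATION_MS=120000
# BULLMQ_LOCK_RENEW_TIME_MS=20000

# --- Rate limiting (values in milliseconds) ---
# RATE_LIMIT_WINDOW_MS=900000
# RATE_LIMIT_MAX=5000
# AUTH_RATE_LIMIT_WINDOW_MS=600000
# AUTH_RATE_LIMIT_MAX=500
# AGENT_RATE_LIMIT_WINDOW_MS=60000
# AGENT_RATE_LIMIT_MAX=1000

# --- Password policy ---
# PASSWORD_MIN_LENGTH=8
# PASSWORD_REQUIRE_UPPERCASE=true
# PASSWORD_REQUIRE_LOWERCASE=true
# PASSWORD_REQUIRE_NUMBER=true
# PASSWORD_REQUIRE_SPECIAL=true
# PASSWORD_RATE_LIMIT_WINDOW_MS=900000
# PASSWORD_RATE_LIMIT_MAX=5

# --- Account lockout ---
# MAX_LOGIN_ATTEMPTS=5
# LOCKOUT_DURATION_MINUTES=15

# --- Two-Factor Authentication (TFA) ---
# MAX_TFA_ATTEMPTS=5
# TFA_LOCKOUT_DURATION_MINUTES=30
# TFA_REMEMBER_ME_EXPIRES_IN=30d
# TFA_MAX_REMEMBER_SESSIONS=5
# TFA_SUSPICIOUS_ACTIVITY_THRESHOLD=3

# --- OIDC / SSO ---
# Set OIDC_ENABLED=true and fill in the provider details to enable SSO.
# OIDC_REDIRECT_URI must be registered verbatim at the provider and should use
# https, since the authorization code is delivered to it.
# OIDC_ENABLED=false
# OIDC_ISSUER_URL=
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_REDIRECT_URI=https://patchmon.example.com/api/v1/auth/oidc/callback
# OIDC_SCOPES=openid email profile groups
# OIDC_AUTO_CREATE_USERS=true
# OIDC_DEFAULT_ROLE=user
# Only set OIDC_DISABLE_LOCAL_AUTH=true once SSO login has been verified,
# otherwise a provider outage locks every user out.
# OIDC_DISABLE_LOCAL_AUTH=false
# OIDC_BUTTON_TEXT=Login with SSO
# OIDC group-to-role mapping
# OIDC_ADMIN_GROUP=PatchMon Admins
# OIDC_USER_GROUP=PatchMon Users
# OIDC_SYNC_ROLES=true

# --- Encryption ---
# Used to encrypt sensitive data (e.g. AI provider keys) at rest.
# If not set, a key is derived automatically. Set this for consistent
# encryption across container restarts and replicas.
# Changing this key after data has been stored leaves the existing values
# undecryptable, so back it up with the rest of the secrets.
# AI_ENCRYPTION_KEY=
# SESSION_SECRET=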