clinch/.env.example

# Rails Configuration
# SECRET_KEY_BASE is used for:
#   - Session cookie encryption
#   - Signed token verification
#   - ActiveRecord encryption (currently: TOTP secrets)
#   - OIDC token prefix HMAC derivation
#
# CRITICAL: Do NOT change SECRET_KEY_BASE after deployment. Changing it will:
#   - Invalidate all user sessions (users must re-login)
#   - Break encrypted data (users must re-setup 2FA)
#   - Invalidate all OIDC access/refresh tokens (clients must re-authenticate)
#
# Optional: Override encryption keys with env vars for key rotation:
#   - ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
#   - ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
#   - ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
#   - OIDC_TOKEN_PREFIX_HMAC
SECRET_KEY_BASE=generate-with-bin/rails/secret
RAILS_ENV=development

# Database
# SQLite database files are stored in the storage/ directory
# In production with Docker, mount this as a persistent volume

# SMTP Configuration (for sending emails)
SMTP_ADDRESS=smtp.example.com
SMTP_PORT=587
SMTP_DOMAIN=example.com
SMTP_USERNAME=your-username
SMTP_PASSWORD=your-password
SMTP_AUTHENTICATION=plain
SMTP_ENABLE_STARTTLS=true

# Application Configuration
CLINCH_HOST=http://localhost:3000
CLINCH_FROM_EMAIL=noreply@example.com

# WebAuthn / Passkey Configuration
# Required for passkeys to work in production (HTTPS required)
#
# CLINCH_RP_ID is the Relying Party Identifier - the domain that owns the passkeys
# - If your site is auth.example.com, use either "auth.example.com" or "example.com"
# - Using parent domain (e.g., "example.com") allows passkeys to work across all subdomains
# - Using subdomain (e.g., "auth.example.com") restricts passkeys to that specific subdomain
#
# CLINCH_RP_NAME is shown to users when creating/using passkeys
#
# Examples:
#   For https://auth.example.com:
#     CLINCH_HOST=https://auth.example.com
#     CLINCH_RP_ID=example.com
#     CLINCH_RP_NAME="Example Company"
#
#   For https://sso.mycompany.com:
#     CLINCH_HOST=https://sso.mycompany.com
#     CLINCH_RP_ID=mycompany.com
#     CLINCH_RP_NAME="My Company Identity"
#
CLINCH_RP_ID=localhost
CLINCH_RP_NAME="Clinch Identity Provider"

# DNS Rebinding Protection Configuration
# Set to service name (e.g., 'clinch') if running in same Docker compose as Caddy
CLINCH_DOCKER_SERVICE_NAME=

# Allow internal IP access for cross-compose deployments (true/false)
CLINCH_ALLOW_INTERNAL_IPS=true

# Allow localhost access for development (true/false)
CLINCH_ALLOW_LOCALHOST=true

# OIDC Configuration
# RSA private key for signing ID tokens (JWT)
# Generate with: openssl genrsa 2048
# Important: Generate once and keep the same key across deployments
# If you change this key, all existing OIDC sessions will be invalidated
# OIDC_PRIVATE_KEY="-----BEGIN RSA PRIVATE KEY-----
# MIIEpAIBAAKCAQEAyZ0qaICMiLVWSFs+ef9Xok3fzy0p6k/7D5TQzmxf...
# ...your key content here...
# -----END RSA PRIVATE KEY-----"

# Optional: Force SSL in production
# FORCE_SSL=true

# Optional: Set custom port
# PORT=9000

# Sentry Configuration (Optional)
# Enable error tracking and performance monitoring
# Leave SENTRY_DSN empty to disable Sentry completely
#
# Production: Get your DSN from https://sentry.io/settings/projects/
# SENTRY_DSN=https://your-dsn@sentry.io/project-id
#
# Optional: Override Sentry environment (defaults to Rails.env)
# SENTRY_ENVIRONMENT=production
#
# Optional: Override Sentry release (defaults to Git commit hash)
# SENTRY_RELEASE=v1.0.0
#
# Optional: Performance monitoring sample rate (0.0 to 1.0, default 0.2)
# Higher values provide more data but cost more
# SENTRY_TRACES_SAMPLE_RATE=0.2
#
# Optional: Continuous profiling sample rate (0.0 to 1.0, default 0.0)
# Very resource intensive, only enable for performance investigations
# SENTRY_PROFILES_SAMPLE_RATE=0.0
#
# Development: Enable Sentry in development for testing
# SENTRY_ENABLED_IN_DEVELOPMENT=true