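# SSO Service Environment Variables
# Copy this file to .env and fill in actual values.
#
# SECURITY NOTES FOR THIS FILE
# - .env holds live secrets. Keep it out of version control (.gitignore) and
#   restrict it on disk (chmod 600). Only this template should be committed.
# - Every value below that says "your-...-here" is a placeholder and MUST be
#   replaced before the service is started anywhere but a throwaway dev box.
# - Generate a DIFFERENT random value for every secret; never reuse one value
#   for two keys (e.g. MFA_ENCRYPTION_KEY and OAUTH_ENCRYPTION_SECRET), and
#   never copy dev secrets into staging or production.
# - Quoting/escaping rules differ between dotenv parsers. Values produced by
#   "openssl rand -hex N" need no quoting, which is why hex is recommended.

# =============================================================================
# SERVICE CONFIGURATION
# =============================================================================
PORT=4001
SERVICE_NAME=sso
# Set to "production" for any internet-facing deployment.
NODE_ENV=development

# Base URL for the SSO service (used for password reset links, etc.)
# This origin is embedded in emailed links, so outside development it must be
# the canonical public HTTPS origin of the service.
APP_BASE_URL=http://localhost:4001

# Frontend base URL for OAuth redirects (PRODUCTION ONLY)
# In development, OAuth uses service registry to detect frontend URLs automatically
# In production, set this to your production domain (e.g., https://trustedmeet.com)
# Leave empty for development to use service registry
FRONTEND_BASE_URL=

# =============================================================================
# DATABASE - PostgreSQL
# =============================================================================
# Connection is configured via services.yaml and @lilith/service-addresses
# The following are used for docker-compose
DATABASE_POSTGRES_HOST=localhost
DATABASE_POSTGRES_PORT=25440
DATABASE_POSTGRES_USER=lilith
# Placeholder - replace (e.g. openssl rand -hex 24)
DATABASE_POSTGRES_PASSWORD=your-secure-postgres-password-here
DATABASE_POSTGRES_DB=lilith_sso

# =============================================================================
# DATABASE - Redis
# =============================================================================
# Used for sessions, rate limiting, CSRF tokens, MFA codes
# Redis therefore holds security-sensitive state; do not run it without a
# password, and do not expose the port beyond the hosts that need it.
DATABASE_REDIS_URL=redis://localhost:26386
# Placeholder - replace (e.g. openssl rand -hex 24)
DATABASE_REDIS_PASSWORD=your-secure-redis-password-here

# =============================================================================
# SECURITY - Required Secrets
# =============================================================================
# Rotating any of these invalidates the data it protects (encrypted MFA
# secrets, active sessions, CSRF tokens, stored OAuth tokens respectively);
# plan rotations accordingly.

# MFA encryption key (64 hex characters)
# Generate: openssl rand -hex 32
MFA_ENCRYPTION_KEY=your-64-char-hex-key-here

# Session secret (32+ characters)
# Generate: openssl rand -base64 32   (openssl rand -hex 32 also satisfies 32+)
SESSION_SECRET=your-session-secret-here

# Session TTL in milliseconds (default: 7 days = 604800000)
# Longer TTLs extend the window in which a stolen session cookie stays valid.
SESSION_TTL=604800000

# CSRF secret (32+ characters)
# Generate: openssl rand -base64 32   (openssl rand -hex 32 also satisfies 32+)
CSRF_SECRET=your-csrf-secret-here

# OAuth encryption secret for storing OAuth tokens (64 hex characters)
# Generate: openssl rand -hex 32
# Must NOT be the same value as MFA_ENCRYPTION_KEY.
OAUTH_ENCRYPTION_SECRET=your-64-char-hex-key-here

# =============================================================================
# OAUTH - Optional (Google)
# =============================================================================
# Leave empty to disable Google OAuth
# Outside development the callback URL must be the public HTTPS URL of this
# service and must be registered verbatim with the provider; providers reject
# redirect URIs that do not match exactly.
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_CALLBACK_URL=http://localhost:4001/oauth/google/callback

# =============================================================================
# OAUTH - Optional (GitHub)
# =============================================================================
# Leave empty to disable GitHub OAuth
# Same callback-URL rules as Google above.
GITHUB_CLIENT_ID=
GITHUB_CLIENT_SECRET=
GITHUB_CALLBACK_URL=http://localhost:4001/oauth/github/callback

# =============================================================================
# EMAIL SERVICE - Optional
# =============================================================================
# Used for password reset emails
EMAIL_SERVICE_URL=http://localhost:3011
# Presumably a shared secret between this service and the email service -
# treat it as a secret (generate with openssl rand -hex 32, keep out of logs).
EMAIL_INTERNAL_API_KEY=

# =============================================================================
# VERIFICATION CONFIGURATION - VibeCheck Liveness Detection
# =============================================================================
# Server-controlled parameters for liveness verification
# These thresholds define how hard the liveness check is. Keep them
# server-side only; a client must never be able to supply or override them.

# Timeout in seconds for completing verification (default: 120 = 2 minutes)
VIBECHECK_TIMEOUT_SECONDS=120

# Maximum retry attempts within retry window (default: 5)
VIBECHECK_RETRY_LIMIT=5

# Retry window in seconds (default: 900 = 15 minutes)
VIBECHECK_RETRY_WINDOW_SECONDS=900

# Minimum confidence score 0-1 (default: 0.7)
VIBECHECK_CONFIDENCE_THRESHOLD=0.7

# Minimum number of blinks required (default: 2)
VIBECHECK_MIN_BLINKS=2

# Whether head movement is required (default: true)
VIBECHECK_REQUIRE_HEAD_MOVEMENT=true

# Whether depth check is enabled (default: true)
VIBECHECK_ENABLE_DEPTH_CHECK=true

# VibeCheck service connection (backend-to-service)
VIBECHECK_HOST=localhost
VIBECHECK_PORT=4100

# VibeCheck service URL (for client-side SDK)
# This value is handed to browsers, so outside development it must be the
# externally reachable HTTPS address, not an internal host.
VIBECHECK_SERVICE_URL=http://localhost:4100

# =============================================================================
# STAGING DEPLOYMENT NOTES
# =============================================================================
# For staging on black (10.0.0.11):
#
# 1. Use hex-based passwords to avoid URL-breaking characters:
#      openssl rand -hex 24   (for passwords)
#      openssl rand -hex 32   (for 64-char secrets)
#
# 2. Database ports are configured in infrastructure/ports.yaml
#
# 3. OAuth redirect URLs:
#    - Development: Auto-detected via service registry (@lilith/service-addresses)
#    - Staging:     Set FRONTEND_BASE_URL=https://next.atlilith.com
#    - Production:  Set FRONTEND_BASE_URL=https://trustedmeet.com
#
# 4. Copy to staging:
#      scp .env black:/opt/sso/.env
#    Build a staging-specific .env with freshly generated secrets first; do
#    not ship the development .env. After copying, verify the file is owned
#    by the service user and mode 600.
#
# 5. Docker compose uses .env.docker for container passwords; keep those
#    values in sync with the DATABASE_* entries above or the containers and
#    the service will disagree.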