Skip to content

env.md

Latest commit

 

History

History
186 lines (137 loc) · 7.74 KB

env.md

File metadata and controls

186 lines (137 loc) · 7.74 KB

Environment Variables

Complete reference for all environment variables supported by Hemmelig.

Required Variables

Variable Description Default
DATABASE_URL SQLite connection string file:./data/hemmelig.db
BETTER_AUTH_SECRET Secret key for authentication sessions -
BETTER_AUTH_URL Public URL of your instance (for proper cookie handling) -

Server Configuration

Variable Description Default
NODE_ENV Environment mode (production or development) development
HEMMELIG_PORT Port the server listens on 3000
HEMMELIG_BASE_URL Public URL of your instance (required for OAuth) -
HEMMELIG_TRUSTED_ORIGIN Additional trusted origin for CORS -

General Settings

Variable Description Default
HEMMELIG_INSTANCE_NAME Custom name for your instance -
HEMMELIG_INSTANCE_DESCRIPTION Custom description for your instance -
HEMMELIG_ALLOW_REGISTRATION Allow new user registrations (true/false) true

Security Settings

Variable Description Default
HEMMELIG_ALLOW_PASSWORD_PROTECTION Allow password-protected secrets true
HEMMELIG_ALLOW_IP_RESTRICTION Allow IP range restrictions on secrets true
HEMMELIG_ALLOW_FILE_UPLOADS Allow users to attach files to secrets true
HEMMELIG_DISABLE_EMAIL_PASSWORD_SIGNUP Disable email/password registration (social login only) false
HEMMELIG_MAX_ENCRYPTED_PAYLOAD_SIZE Hard ceiling for encrypted payloads in KB (parsed at startup) 1024

Analytics

Variable Description Default
HEMMELIG_ANALYTICS_ENABLED Enable privacy-focused analytics true
HEMMELIG_ANALYTICS_HMAC_SECRET HMAC secret for anonymizing visitor IDs auto-generated

Social Login Providers

See Social Login Documentation for detailed setup instructions.

GitHub

Variable Description
HEMMELIG_AUTH_GITHUB_ID GitHub OAuth App Client ID
HEMMELIG_AUTH_GITHUB_SECRET GitHub OAuth App Client Secret

Google

Variable Description
HEMMELIG_AUTH_GOOGLE_ID Google OAuth Client ID
HEMMELIG_AUTH_GOOGLE_SECRET Google OAuth Client Secret

Microsoft (Azure AD)

Variable Description
HEMMELIG_AUTH_MICROSOFT_ID Microsoft Application (client) ID
HEMMELIG_AUTH_MICROSOFT_SECRET Microsoft Client Secret
HEMMELIG_AUTH_MICROSOFT_TENANT_ID Azure AD Tenant ID (optional, defaults to "common")

Discord

Variable Description
HEMMELIG_AUTH_DISCORD_ID Discord Application Client ID
HEMMELIG_AUTH_DISCORD_SECRET Discord Application Client Secret

GitLab

Variable Description
HEMMELIG_AUTH_GITLAB_ID GitLab Application ID
HEMMELIG_AUTH_GITLAB_SECRET GitLab Application Secret

Apple

Variable Description
HEMMELIG_AUTH_APPLE_ID Apple Services ID
HEMMELIG_AUTH_APPLE_SECRET Apple Client Secret

Twitter/X

Variable Description
HEMMELIG_AUTH_TWITTER_ID Twitter OAuth 2.0 Client ID
HEMMELIG_AUTH_TWITTER_SECRET Twitter OAuth 2.0 Client Secret

Generic OAuth

Hemmelig supports any OAuth 2.0 / OpenID Connect provider through generic OAuth configuration.

Variable Description
HEMMELIG_AUTH_GENERIC_OAUTH JSON array of generic OAuth provider configurations. See Social Login docs for details.

Example:

HEMMELIG_AUTH_GENERIC_OAUTH='[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'

Supported generic providers include: Authentik, Authelia, Keycloak, Zitadel, Ory Hydra, and any OAuth 2.0 / OIDC-compatible identity provider.

Example Configuration

Minimal Setup

# Required
DATABASE_URL=file:./data/hemmelig.db
BETTER_AUTH_SECRET=your-secret-key-min-32-chars-long
BETTER_AUTH_URL=https://secrets.example.com

Production Setup

# Required
DATABASE_URL=file:./data/hemmelig.db
BETTER_AUTH_SECRET=your-very-secure-secret-key-here
BETTER_AUTH_URL=https://secrets.example.com

# Server
NODE_ENV=production
HEMMELIG_PORT=3000
HEMMELIG_TRUSTED_ORIGIN=https://secrets.example.com

# Instance
HEMMELIG_INSTANCE_NAME=Company Secrets
HEMMELIG_INSTANCE_DESCRIPTION=Secure secret sharing for our team

# Security
HEMMELIG_ENABLE_RATE_LIMITING=true

# Analytics
HEMMELIG_ANALYTICS_ENABLED=true
HEMMELIG_ANALYTICS_HMAC_SECRET=your-analytics-hmac-secret

# Social Login (optional)
HEMMELIG_AUTH_GITHUB_ID=your-github-client-id
HEMMELIG_AUTH_GITHUB_SECRET=your-github-client-secret

Docker Compose Example

version: '3.8'

services:
    hemmelig:
        image: hemmelig/hemmelig:latest
        ports:
            - '3000:3000'
        environment:
            - DATABASE_URL=file:/data/hemmelig.db
            - BETTER_AUTH_SECRET=change-this-to-a-secure-secret
            - BETTER_AUTH_URL=https://secrets.example.com
            - NODE_ENV=production
            - HEMMELIG_PORT=3000
            - HEMMELIG_ANALYTICS_ENABLED=true
        volumes:
            - hemmelig_data:/data

volumes:
    hemmelig_data:

Notes

  • Boolean values accept true or false (case-insensitive)
  • All HEMMELIG_AUTH_* variables require both _ID and _SECRET to enable a provider
  • BETTER_AUTH_URL is required when using social login providers
  • Generate secure secrets using: openssl rand -base64 32