# ============================================================================= # Azaion Admin API — environment variable template # Copy to `.env` (git-ignored) and fill in real values for your environment. # Production secrets MUST come from the secret manager, not from a checked-in # file. See _docs/04_deploy/reports/deploy_status_report.md for the full table. # ============================================================================= # ---------- ASP.NET Core runtime -------------------------------------------- ASPNETCORE_ENVIRONMENT=Development # Development | Staging | Production ASPNETCORE_URLS=http://+:8080 # Kestrel bind address inside the container # ---------- Database (PostgreSQL on port 4312 in prod, 5432 in test) -------- # Two roles: reader (read-only) and admin (read/write). See env/db/01_permissions.sql. ASPNETCORE_ConnectionStrings__AzaionDb=Host=localhost;Port=4312;Database=azaion;Username=azaion_reader;Password=CHANGE_ME ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=localhost;Port=4312;Database=azaion;Username=azaion_admin;Password=CHANGE_ME # ---------- JWT (ES256, 15 min access, 8/12 h refresh — AZ-531/AZ-532) ------ # AZ-532 — admin signs access tokens with ES256. Keys live as PEM files in # JwtConfig__KeysFolder (the kid is the filename without `.pem`); generate with # scripts/generate-jwt-key.sh. JwtConfig__Secret is gone — verifiers fetch the # public key from /.well-known/jwks.json instead. ASPNETCORE_JwtConfig__Issuer=AzaionApi ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins ASPNETCORE_JwtConfig__KeysFolder=secrets/jwt-keys # ActiveKid optional — defaults to the lexicographically first PEM in the folder. # ASPNETCORE_JwtConfig__ActiveKid=kid-20260514-000000 ASPNETCORE_JwtConfig__AccessTokenLifetimeMinutes=15 # AZ-531 — refresh-token windows. Sliding extends on every rotation; absolute # caps the family lifetime regardless of activity. ASPNETCORE_SessionConfig__RefreshSlidingHours=8 ASPNETCORE_SessionConfig__RefreshAbsoluteHours=12 # ---------- Resource storage (filesystem) ----------------------------------- ASPNETCORE_ResourcesConfig__ResourcesFolder=Content # ---------- Container build / image label ------------------------------------ # Injected at build time as --build-arg CI_COMMIT_SHA=… by Woodpecker. # Local builds may leave it unset (Dockerfile defaults to "unknown"). # CI_COMMIT_SHA= # ---------- Deploy targets (consumed by scripts/, not by the API process) --- DEPLOY_HOST=admin.azaion.com # SSH target for scripts/deploy.sh DEPLOY_SSH_USER=root # SSH user on DEPLOY_HOST DEPLOY_CONTAINER_NAME=azaion.api # Docker container name on the host DEPLOY_HOST_PORT=4000 # Port published on DEPLOY_HOST (mapped to 8080 in container) DEPLOY_HOST_CONTENT_DIR=/root/api/content # Bind-mount for resource files DEPLOY_HOST_LOGS_DIR=/root/api/logs # Bind-mount for Serilog rolling files # ---------- Container registry ---------------------------------------------- REGISTRY_HOST=docker.azaion.com # Private registry; CI may use localhost:5000 REGISTRY_IMAGE=azaion/admin # Image path inside REGISTRY_HOST REGISTRY_TAG=dev-arm # main→arm, stage→stage-arm, dev→dev-arm REGISTRY_USER= # CI / scripts only — leave empty in dev .env REGISTRY_TOKEN= # CI / scripts only — leave empty in dev .env