# Environment template for the Docker Compose stack.
# Every value containing 'change-me' or 'changeme' is a placeholder, not a usable secret;
# replace each one before the stack is reachable from anything other than localhost.
# The filled-in .env holds credentials: keep it out of version control and readable
# only by the account that runs docker compose.

# Database (PostgreSQL)
# No generator is suggested for this password in the original file; the
# 'openssl rand -hex 32' command used further down works here too, and its hex
# output contains no '$' (see the $$ escaping note below).
POSTGRES_USER=archive_user
POSTGRES_PASSWORD=change-me
POSTGRES_DB=family_archive_db

# Object Storage (MinIO)
# MINIO_ROOT_* is the MinIO root account; replace the placeholder password
# the same way as the database password.
MINIO_ROOT_USER=minio_admin
MINIO_ROOT_PASSWORD=change-me
MINIO_DEFAULT_BUCKETS=archive-documents

# Ports (for access from the host/NAS)
# NOTE(review): these look like host-side published ports. Whether they bind to all
# interfaces or only to 127.0.0.1 is decided in docker-compose.yml, which is not
# visible here — confirm that the database and MinIO API are not exposed more widely
# than intended.
PORT_DB=5432
PORT_MINIO_API=9000
PORT_MINIO_CONSOLE=9001
PORT_BACKEND=8080
PORT_FRONTEND=5173

# Mailpit — local mail catcher (dev only, included in docker-compose)
# Web UI: http://localhost:8025
# SMTP: localhost:1025 (used automatically by the backend container)
# NOTE(review): the Web UI URL above says 8025 while PORT_MAILPIT_UI is 8100 —
# confirm which one is the host port and align the comment.
PORT_MAILPIT_UI=8100
PORT_MAILPIT_SMTP=1025

# OCR Training — secret token required to call /train and /segtrain on the OCR service.
# Also set in the backend so it can pass the token through. Must not be empty in production.
# Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
# NOTE(review): the placeholder below is non-empty, so a "must not be empty" check
# alone would accept it — confirm the service also rejects the placeholder value.
OCR_TRAINING_TOKEN=change-me-in-production

# --- Observability ---
# Optional stack — start with: docker compose -f docker-compose.observability.yml up -d
# Requires the main stack to already be running (docker compose up -d creates archiv-net).
# In production the stack is managed from /opt/familienarchiv/ (see docs/DEPLOYMENT.md §4).

# Ports for host access
PORT_GRAFANA=3003
PORT_GLITCHTIP=3002
PORT_PROMETHEUS=9090

# Grafana admin password — change this before exposing Grafana beyond localhost
GRAFANA_ADMIN_PASSWORD=changeme

# Password for the read-only grafana_reader PostgreSQL role used by the PO
# Overview dashboard. Consumed by Flyway V68 (to set the role's password) and
# by Grafana's PostgreSQL datasource (to connect). REQUIRED in production —
# generate with: openssl rand -hex 32
GRAFANA_DB_PASSWORD=changeme-generate-with-openssl-rand-hex-32

# GlitchTip domain — production: use https://glitchtip.archiv.raddatz.cloud (must match Caddy vhost)
# The default below is plain http and is meant for local use only.
GLITCHTIP_DOMAIN=http://localhost:3002

# GlitchTip secret key — Django SECRET_KEY equivalent, used to sign sessions and tokens.
# REQUIRED in production — must not be empty or 'changeme'. Fail-closed: GlitchTip will
# refuse to start with an invalid key.
# Generate with: python3 -c "import secrets; print(secrets.token_hex(50))"
# NOTE(review): the placeholder below is longer than the literal 'changeme'; whether the
# startup check also rejects it is not visible here — confirm, so that a copied
# example value cannot pass as a real signing key.
GLITCHTIP_SECRET_KEY=changeme-generate-a-real-secret

# PostgreSQL hostname for GlitchTip's db-init job and workers.
# Override when only the staging stack is running (container name differs from archive-db).
# Default (archive-db) is correct for production with the full stack up.
POSTGRES_HOST=archive-db

# $$ escaping note: passwords in /opt/familienarchiv/.env that contain a literal '$' must
# use '$$' so Docker Compose does not expand them as variable references.
# Example: a password 'p@$$word' should be written as 'p@$$$$word' in the .env file.
# Secrets produced by the hex generators suggested in this file contain no '$'
# and need no escaping.

# Error reporting DSNs — leave empty to disable the SDK (safe default).
# SENTRY_DSN: backend (Spring Boot) — used by the GlitchTip/Sentry Java SDK
SENTRY_DSN=
# NOTE(review): no range is documented for the sample rate; Sentry SDKs normally take
# a fraction between 0.0 and 1.0 — confirm how the backend reads an empty value.
SENTRY_TRACES_SAMPLE_RATE=
# VITE_SENTRY_DSN: frontend (SvelteKit) — injected at build time via Vite
# Vite exposes VITE_-prefixed variables to client code, so this value ends up in the
# shipped bundle; never put a secret in a VITE_ variable.
VITE_SENTRY_DSN=
# Sentry/GlitchTip auth token for source map upload at build time (optional)
# This one is a secret: it is needed only in the build environment.
SENTRY_AUTH_TOKEN=

# NL search — Ollama LLM inference
# Leave APP_OLLAMA_BASE_URL empty to disable NL search (safe default for CX32 / CI).
# Set to http://ollama:11434 to enable. Requires CX42 (16 GB RAM) to run alongside OCR.
# NOTE(review): the value below enables NL search although the comment names the empty
# value as the safe default — confirm which default this template should ship.
APP_OLLAMA_BASE_URL=http://ollama:11434
# CPU limit: 4.0 is safe on both CX32 (4 vCPUs) and CX42 (8 vCPUs).
# Raise to 7.5 on CX42 for full throughput.
OLLAMA_CPU_LIMIT=4.0
# Memory limit: requires CX42 (16 GB) to run alongside OCR.
# Reduce or set APP_OLLAMA_BASE_URL= on smaller hosts.
OLLAMA_MEM_LIMIT=8g
# Ollama API key — set on the Ollama service to restrict inference API access on archiv-net.
# Generate with: openssl rand -hex 32
# NOTE: Empirically verified that OLLAMA_API_KEY is NOT enforced in Ollama 0.6.5 or 0.30.6 (ADR-028 §7).
# archiv-net network isolation is the only effective access control. Retained for forward compatibility.
# Consequence: setting this key does not authenticate callers, so the Ollama port must
# stay unpublished and reachable only from containers on archiv-net.
OLLAMA_API_KEY=

# Production SMTP — uncomment and fill in to send real emails instead of catching them
# MAIL_PASSWORD is a credential; keep MAIL_SMTP_AUTH and MAIL_STARTTLS_ENABLE set to true
# so it is not sent over an unencrypted session.
# NOTE(review): an "enable" flag often means opportunistic STARTTLS — confirm that the
# backend refuses to send when the server does not offer TLS.
# APP_BASE_URL=https://your-domain.example.com
# MAIL_HOST=smtp.example.com
# MAIL_PORT=587
# MAIL_USERNAME=your-smtp-user
# MAIL_PASSWORD=your-smtp-password
# MAIL_SMTP_AUTH=true
# MAIL_STARTTLS_ENABLE=true
# APP_MAIL_FROM=noreply@your-domain.example.com