100 lines
3.0 KiB
Plaintext
100 lines
3.0 KiB
Plaintext
# Service configuration
|
|
# ---------------------
|
|
LOCAL_DOMAIN=example.com
|
|
LOCAL_HTTPS=true
|
|
ALTERNATE_DOMAINS=localhost,127.0.0.1
|
|
# Use 'true' since you have an external proxy (Pangolin/Nginx) handling TLS
|
|
# This tells Mastodon to generate https:// links
|
|
|
|
# Trusted Proxy Configuration
|
|
# ---------------------------
|
|
# Allow Mastodon to trust headers (X-Forwarded-For, X-Forwarded-Proto) from your reverse proxy.
|
|
# We whitelist standard private ranges so the proxy's internal IP is trusted.
|
|
TRUSTED_PROXY_IP=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
|
|
|
|
# OIDC / Authentik Integration
|
|
# ----------------------------
|
|
OIDC_ENABLED=true
|
|
OIDC_DISPLAY_NAME=Authentik
|
|
OIDC_DISCOVERY=true
|
|
# Fill these in from Authentik:
|
|
OIDC_ISSUER=https://auth.example.com/application/o/mastodon/
|
|
OIDC_AUTH_ENDPOINT=https://auth.example.com/application/o/authorize/
|
|
OIDC_CLIENT_ID=<YOUR_CLIENT_ID>
|
|
OIDC_CLIENT_SECRET=<YOUR_CLIENT_SECRET>
|
|
OIDC_SCOPE=openid,profile,email
|
|
OIDC_UID_FIELD=preferred_username
|
|
OIDC_REDIRECT_URI=https://social.example.com/auth/auth/openid_connect/callback
|
|
# Automatically verify emails from Authentik
|
|
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
|
|
# To force users to log in with Authentik only:
|
|
# OMNIAUTH_ONLY=true
|
|
|
|
# Database configuration
|
|
# ----------------------
|
|
DB_HOST=db
|
|
DB_PORT=5432
|
|
DB_NAME=mastodon_production
|
|
DB_USER=mastodon
|
|
DB_PASS=<DB_PASSWORD>
|
|
# DB_PASS is used by the Mastodon application to connect
|
|
|
|
# Postgres container configuration (must match above)
|
|
POSTGRES_USER=mastodon
|
|
POSTGRES_PASSWORD=<DB_PASSWORD>
|
|
POSTGRES_DB=mastodon_production
|
|
|
|
# Redis configuration
|
|
# -------------------
|
|
REDIS_HOST=redis
|
|
REDIS_PORT=6379
|
|
# REDIS_PASSWORD=
|
|
# If you set a Redis password, also update REDIS_URL below
|
|
|
|
# Mastodon secrets
|
|
# ----------------
|
|
# Use `docker-compose run --rm web bundle exec rake secret` to generate new keys if needed
|
|
# Generate new secrets for production!
|
|
SECRET_KEY_BASE=<GENERATED_SECRET>
|
|
OTP_SECRET=<GENERATED_SECRET>
|
|
|
|
# VAPID keys (for push notifications)
|
|
# Required. Generate with `docker-compose run --rm web bundle exec rake mastodon:webpush:generate_vapid_key`
|
|
VAPID_PRIVATE_KEY=<GENERATED_VAPID_PRIVATE_KEY>
|
|
VAPID_PUBLIC_KEY=<GENERATED_VAPID_PUBLIC_KEY>
|
|
|
|
# ActiveRecord Encryption (Rails 7+)
|
|
# ----------------------------------
|
|
# Required. Do not change these once data is encrypted in the DB.
|
|
# Generate these!
|
|
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=<GENERATED_KEY>
|
|
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=<GENERATED_KEY>
|
|
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=<GENERATED_SALT>
|
|
|
|
# S3 / Object Storage (Optional)
|
|
# ------------------------------
|
|
# S3_ENABLED=true
|
|
# S3_BUCKET=
|
|
# AWS_ACCESS_KEY_ID=
|
|
# AWS_SECRET_ACCESS_KEY=
|
|
# S3_REGION=
|
|
# S3_PROTOCOL=https
|
|
# S3_HOSTNAME=
|
|
|
|
# SMTP / Email
|
|
# ------------
|
|
SMTP_SERVER=smtp.gmail.com
|
|
SMTP_PORT=587
|
|
SMTP_LOGIN=notifications@example.com
|
|
SMTP_PASSWORD=<SMTP_PASSWORD>
|
|
SMTP_FROM_ADDRESS=notifications@example.com
|
|
SMTP_AUTH_METHOD=plain
|
|
SMTP_OPENSSL_VERIFY_MODE=require
|
|
# SMTP_ENABLE_STARTTLS_AUTO=true
|
|
|
|
# Application defaults
|
|
# --------------------
|
|
RAILS_ENV=production
|
|
NODE_ENV=production
|
|
RAILS_SERVE_STATIC_FILES=true
|