keywarden/.env.example

# ============================================================
# Keywarden – Environment Configuration
# ============================================================
# Copy this file to .env and adjust the values.
#   cp .env.example .env
#
# The .env file is loaded automatically by Docker Compose
# and is excluded from version control via .gitignore.
# ============================================================

# --- Application ---
KEYWARDEN_PORT=8080
KEYWARDEN_OWNER_USER=admin
KEYWARDEN_OWNER_EMAIL=admin@keywarden.local
KEYWARDEN_SESSION_KEY=change-me-to-a-random-string
KEYWARDEN_ENCRYPTION_KEY=change-me-encryption-key-32chars

# --- Logging ---
# Log level: ERROR, WARN, INFO (default), DEBUG, TRACE
KEYWARDEN_LOG_LEVEL=INFO

# --- Timezone ---
# IANA timezone name (e.g. Europe/Berlin, America/New_York).
# Affects all displayed timestamps in the UI.
TZ=Europe/Berlin

# --- Paths (optional, Docker defaults are usually fine) ---
# IMPORTANT: These paths refer to locations INSIDE the Docker container.
# The Dockerfile already sets correct defaults (/data/...). Only override
# if you know what you are doing. Do NOT use relative paths (./data/...)
# – they resolve to /app/data/ inside the container and bypass the
# persistent volume mount at /data, causing DATA LOSS on restart.
# KEYWARDEN_DB_PATH=/data/keywarden.db
# KEYWARDEN_DATA_DIR=/data
# KEYWARDEN_KEYS_DIR=/data/keys
# KEYWARDEN_MASTER_DIR=/data/master

# --- Security / Hardening (optional) ---
# Public URL used for email links and cookie config.
KEYWARDEN_BASE_URL=https://keywarden.example.com
# Comma-separated CIDRs of trusted reverse proxies.
KEYWARDEN_TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12
# Set Secure flag on cookies (auto-derived from BASE_URL if empty).
KEYWARDEN_SECURE_COOKIES=true
# Max login POST attempts per IP per minute (0 = disabled).
KEYWARDEN_RATE_LIMIT_LOGIN=10
# Max request body size in bytes (0 = no limit, default 10 MB).
KEYWARDEN_MAX_REQUEST_SIZE=10485760

# --- SMTP / Email (optional) ---
# Leave KEYWARDEN_SMTP_HOST empty or remove it to disable email.
KEYWARDEN_SMTP_HOST=
KEYWARDEN_SMTP_PORT=587
KEYWARDEN_SMTP_USER=
KEYWARDEN_SMTP_PASSWORD=
KEYWARDEN_SMTP_FROM=keywarden@example.com
KEYWARDEN_SMTP_TLS=true