scriptos/keywarden
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 6 Wiki Activity
Files
c4171e5b871cff3784c26893b1e8f03c6a5b7830
keywarden/.env.example
Patrick Asmus (scriptos) bb3bf0330f security: fix data loss on container restart due to relative paths 
Root cause: .env.example used relative paths (./data/...) which resolve
to /app/data/ inside the container instead of the persistent volume at
/data/. This caused the database to be recreated on every container
restart, resetting the admin password to a new initial value.

Fixes:
- .env.example: comment out path settings with clear warning about
  relative paths; Dockerfile already provides correct absolute defaults
- auth: add initial_setup_complete flag in settings table as
  defence-in-depth so EnsureAdmin never re-creates an admin after
  the initial setup, even if the users table is unexpectedly empty
- main: add validateDataPaths() startup check that warns when relative
  container paths are detected (potential data-loss misconfiguration)
- auth_test: extend TestEnsureAdmin to verify the flag prevents
  admin re-creation after user deletion
2026-04-05 19:21:15 +02:00

53 lines
2.0 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# ============================================================
# Keywarden Environment Configuration
# ============================================================
# Copy this file to .env and adjust the values.
# cp .env.example .env
#
# The .env file is loaded automatically by Docker Compose
# and is excluded from version control via .gitignore.
# ============================================================
# --- Application ---
KEYWARDEN_PORT=8080
KEYWARDEN_OWNER_USER=admin
KEYWARDEN_OWNER_EMAIL=admin@keywarden.local
KEYWARDEN_SESSION_KEY=change-me-to-a-random-string
KEYWARDEN_ENCRYPTION_KEY=change-me-encryption-key-32chars
# --- Logging ---
# Log level: ERROR, WARN, INFO (default), DEBUG, TRACE
KEYWARDEN_LOG_LEVEL=INFO
# --- Paths (optional, Docker defaults are usually fine) ---
# IMPORTANT: These paths refer to locations INSIDE the Docker container.
# The Dockerfile already sets correct defaults (/data/...). Only override
# if you know what you are doing. Do NOT use relative paths (./data/...)
# they resolve to /app/data/ inside the container and bypass the
# persistent volume mount at /data, causing DATA LOSS on restart.
# KEYWARDEN_DB_PATH=/data/keywarden.db
# KEYWARDEN_DATA_DIR=/data
# KEYWARDEN_KEYS_DIR=/data/keys
# KEYWARDEN_MASTER_DIR=/data/master
# --- Security / Hardening (optional) ---
# Public URL used for email links and cookie config.
KEYWARDEN_BASE_URL=https://keywarden.example.com
# Comma-separated CIDRs of trusted reverse proxies.
KEYWARDEN_TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12
# Set Secure flag on cookies (auto-derived from BASE_URL if empty).
KEYWARDEN_SECURE_COOKIES=true
# Max login POST attempts per IP per minute (0 = disabled).
KEYWARDEN_RATE_LIMIT_LOGIN=10
# Max request body size in bytes (0 = no limit, default 10 MB).
KEYWARDEN_MAX_REQUEST_SIZE=10485760
# --- SMTP / Email (optional) ---
# Leave KEYWARDEN_SMTP_HOST empty or remove it to disable email.
KEYWARDEN_SMTP_HOST=
KEYWARDEN_SMTP_PORT=587
KEYWARDEN_SMTP_USER=
KEYWARDEN_SMTP_PASSWORD=
KEYWARDEN_SMTP_FROM=keywarden@example.com
KEYWARDEN_SMTP_TLS=true
Reference in New Issue View Git Blame Copy Permalink