serene-pub/.env.example

116 lines
No EOL
5.7 KiB
Text

# Serene Pub 0.5.0 - Development Configuration
# Copy this file to .env to customize development settings
# ===========================================
# APPLICATION DATA DIRECTORY
# ===========================================
# Override default data directory for development
# Default: Uses OS-appropriate directories
# Example for local development:
# SERENE_PUB_DATA_DIR=./dev-data
# ===========================================
# WEBSOCKET CONFIGURATION
# ===========================================
# By default the socket endpoint the browser connects to is auto-detected
# per-request from the page's own protocol/host — this is usually all you
# need, including for a reverse proxy/tunnel, AS LONG AS HOST_HEADER below is
# set so the app sees the real client-facing hostname.
# Hostnames that should always be told to use https for the socket
# connection, even if the request otherwise looks like plain http (eg.
# adapter-node doesn't trust PROTOCOL_HEADER, or it isn't set). Comma-
# separated. This is the recommended fix for "mixed content" socket errors
# when a domain is only ever reached through a TLS-terminating reverse
# proxy/tunnel — set it once here and the app will use https for that
# hostname specifically, while still auto-detecting plain http correctly for
# direct/local access (eg. http://localhost:3000) without needing to flip
# any setting between the two.
# SOCKETS_HTTPS_HOSTS=example.com,tunnel.example.com
# Extra hostnames allowed to open a connection to the socket server, on top
# of the automatic default: any origin whose hostname matches the hostname a
# request actually arrived on is always allowed (a same-site browser tab is
# inherently "cross-port, same-hostname" from the socket server's point of
# view, since it runs on a different port) — this already covers localhost,
# LAN IPs, and any custom domain with NO configuration needed. You only need
# this variable for the rarer case where they legitimately differ (eg.
# PUBLIC_SOCKETS_ENDPOINT pointing at a different hostname than the page
# itself). Comma-separated, hostname only (no scheme/port).
# SOCKETS_ALLOWED_ORIGINS=example.com,192.168.1.50
# Explicit protocol override, applied to every hostname that ISN'T listed in
# SOCKETS_HTTPS_HOSTS above. Rarely needed — prefer SOCKETS_HTTPS_HOSTS,
# since this applies globally regardless of which host the request came in
# on (eg. would incorrectly force https for local testing too).
# Default: auto-detected from the request
# SOCKETS_HTTP_MODE=https
# WebSocket server port
# Default: 3001
# SOCKETS_PORT=3001
# Full override for the URL the browser connects to for the socket server
# (protocol + host + port — any path is ignored). Takes priority over
# everything above. Only needed if the socket port genuinely isn't reachable
# at "<page-host>:<SOCKETS_PORT>" and SOCKETS_HTTPS_HOSTS doesn't cover it.
# PUBLIC_SOCKETS_ENDPOINT=https://example.com
# ===========================================
# CONTENT SECURITY POLICY
# ===========================================
# The app ships a strict-by-default CSP. These let you add extra allowed
# sources for content injected by your hosting layer that isn't part of the
# app itself — most commonly Cloudflare's "Browser Insights" beacon
# (static.cloudflareinsights.com), auto-injected into HTML responses when a
# zone is proxied through Cloudflare with that feature on. Prefer disabling
# such features in your CDN/proxy dashboard over widening these, since it's
# an injected script this app has no control over — but the escape hatch is
# here for cases where that isn't an option. Comma-separated.
# CSP_EXTRA_SCRIPT_SRC=https://static.cloudflareinsights.com
# CSP_EXTRA_STYLE_SRC=
# CSP_EXTRA_CONNECT_SRC=
# ===========================================
# REVERSE PROXY / TUNNEL (HTTPS termination in front of the app)
# ===========================================
# By default adapter-node does NOT trust forwarded headers (Node sees every
# request as plain HTTP, since that's genuinely how the proxy talks to it).
# HOST_HEADER lets the app see the real client-facing hostname (needed for
# SOCKETS_HTTPS_HOSTS above to match correctly, and for the app generally).
# PROTOCOL_HEADER lets it see the real client-facing protocol too — useful
# for SvelteKit's own URL/origin handling generally, but NOT required just
# for the socket endpoint if you're using SOCKETS_HTTPS_HOSTS instead.
# PROTOCOL_HEADER=x-forwarded-proto
# HOST_HEADER=x-forwarded-host
# ===========================================
# DEVELOPMENT DATABASE (External PostgreSQL)
# ===========================================
# These are only used when connecting to external PostgreSQL for development
# Production uses embedded PGlite automatically
# PostgreSQL connection for development
# DATABASE_PORT=5432
# POSTGRES_USER=postgres
# POSTGRES_PASSWORD=password
# ===========================================
# DEVELOPMENT OPTIONS
# ===========================================
# Automatically open browser on startup (default: enabled)
# Set to 1 to disable automatic browser opening
# SERENE_AUTO_OPEN=1
# ===========================================
# COMMUNITY LIBRARY / EXTERNAL CARD SOURCES
# ===========================================
# Some external character card sources (eg. CharaVault) can optionally
# include NSFW/adult content in browse results. By default Serene Pub always
# excludes it and never surfaces the option to include it, regardless of
# what the connected CharaVault account's own settings allow. Setting this
# enables the "include NSFW" toggle in Character Library browsing (still off
# by default even once enabled) and allows outbound search requests to ask
# for NSFW-inclusive results when a user turns it on.
# Default: unset (NSFW browsing option is hidden entirely)
# ENABLE_UNSAFE_CHARACTER_BROWSING=true