-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy path.env.production.example
More file actions
194 lines (166 loc) · 7.2 KB
/
Copy path.env.production.example
File metadata and controls
194 lines (166 loc) · 7.2 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
# VoidRunner Production Environment Configuration
# Copy this file to .env.production for production deployment
# SECURITY WARNING: Review all settings before deploying to production!
# =============================================================================
# SERVER CONFIGURATION
# =============================================================================
SERVER_HOST=0.0.0.0
SERVER_PORT=8080
SERVER_ENV=production
API_PORT=8080
BUILD_TARGET=production
# =============================================================================
# DATABASE CONFIGURATION (PRODUCTION)
# =============================================================================
# Production database settings
# SECURITY: Use strong passwords and SSL in production
DB_HOST=your-production-db-host
DB_PORT=5432
DB_USER=voidrunner_prod
DB_PASSWORD=your-strong-database-password-here
DB_NAME=voidrunner
DB_SSL_MODE=require # REQUIRED: Always use SSL in production
# PostgreSQL container configuration (if using containerized DB)
POSTGRES_DB=voidrunner
POSTGRES_USER=voidrunner_prod
POSTGRES_PASSWORD=your-strong-database-password-here
POSTGRES_INITDB_ARGS=--encoding=UTF8 --lc-collate=C --lc-ctype=C
# =============================================================================
# REDIS CONFIGURATION (PRODUCTION)
# =============================================================================
# Production Redis settings
# SECURITY: Use Redis AUTH and/or private networks
REDIS_HOST=your-production-redis-host
REDIS_PORT=6379
REDIS_PASSWORD=your-redis-password-if-using-auth
REDIS_DATABASE=0
REDIS_MAX_MEMORY=1024mb # Adjust based on your Redis instance capacity
# Production Redis connection pool settings
REDIS_POOL_SIZE=20 # Higher pool size for production load
REDIS_MIN_IDLE_CONNECTIONS=10
REDIS_MAX_RETRIES=5 # More retries for production reliability
REDIS_DIAL_TIMEOUT=10s
REDIS_READ_TIMEOUT=5s
REDIS_WRITE_TIMEOUT=5s
REDIS_IDLE_TIMEOUT=10m
# =============================================================================
# QUEUE CONFIGURATION (PRODUCTION)
# =============================================================================
# Production queue names
QUEUE_TASK_QUEUE_NAME=voidrunner:tasks
QUEUE_DEAD_LETTER_QUEUE_NAME=voidrunner:tasks:dead
QUEUE_RETRY_QUEUE_NAME=voidrunner:tasks:retry
# Production queue settings
QUEUE_DEFAULT_PRIORITY=5
QUEUE_MAX_RETRIES=5 # More retries for production reliability
QUEUE_RETRY_DELAY=60s # Longer delay for production
QUEUE_RETRY_BACKOFF_FACTOR=2.0
QUEUE_MAX_RETRY_DELAY=30m
QUEUE_VISIBILITY_TIMEOUT=60m # Longer timeout for complex tasks
QUEUE_MESSAGE_TTL=72h # 3 days retention
QUEUE_BATCH_SIZE=20
# =============================================================================
# WORKER CONFIGURATION (PRODUCTION)
# =============================================================================
# Production worker settings
EMBEDDED_WORKERS=true # Or false if using separate worker services
WORKER_POOL_SIZE=5 # Adjust based on server capacity
WORKER_MAX_CONCURRENT_TASKS=50
WORKER_MAX_USER_CONCURRENT_TASKS=10
WORKER_TASK_TIMEOUT=2h # Allow longer tasks in production
WORKER_HEARTBEAT_INTERVAL=60s
WORKER_SHUTDOWN_TIMEOUT=60s
WORKER_CLEANUP_INTERVAL=10m
WORKER_STALE_TASK_THRESHOLD=4h
WORKER_ID_PREFIX=voidrunner-prod-worker
# =============================================================================
# EXECUTOR CONFIGURATION (PRODUCTION)
# =============================================================================
DOCKER_ENDPOINT=unix:///var/run/docker.sock
# Production resource limits
EXECUTOR_DEFAULT_MEMORY_LIMIT_MB=1024 # Higher limits for production
EXECUTOR_DEFAULT_CPU_QUOTA=200000 # Higher CPU quota
EXECUTOR_DEFAULT_PIDS_LIMIT=256
EXECUTOR_DEFAULT_TIMEOUT_SECONDS=7200 # 2 hours max
# Container images (pin to specific versions in production)
EXECUTOR_PYTHON_IMAGE=python:3.11-alpine
EXECUTOR_BASH_IMAGE=alpine:3.22
EXECUTOR_JAVASCRIPT_IMAGE=node:18-alpine
EXECUTOR_GO_IMAGE=golang:1.21-alpine
# SECURITY: Enable all security features in production
EXECUTOR_ENABLE_SECCOMP=true # REQUIRED: Enable seccomp profiles
EXECUTOR_SECCOMP_PROFILE_PATH=/opt/voidrunner/seccomp-profile.json
EXECUTOR_ENABLE_APPARMOR=true # Enable if AppArmor is available
EXECUTOR_APPARMOR_PROFILE=voidrunner-executor
EXECUTOR_EXECUTION_USER=1000:1000
# =============================================================================
# LOGGING CONFIGURATION (PRODUCTION)
# =============================================================================
# Production logging settings
LOG_LEVEL=info # Use info level for production (not debug)
LOG_FORMAT=json # JSON format for log aggregation/analysis
# =============================================================================
# JWT CONFIGURATION (PRODUCTION)
# =============================================================================
# CRITICAL SECURITY: Generate a strong, unique secret for production!
# Use: openssl rand -base64 32
# NEVER use the example secret below in production!
JWT_SECRET_KEY=REPLACE-WITH-STRONG-256-BIT-SECRET-GENERATED-SECURELY
JWT_ACCESS_TOKEN_DURATION=15m
JWT_REFRESH_TOKEN_DURATION=168h # 7 days
JWT_ISSUER=voidrunner-production
JWT_AUDIENCE=voidrunner-api-production
# =============================================================================
# CORS CONFIGURATION (PRODUCTION)
# =============================================================================
# SECURITY: Restrict CORS to your actual frontend domains
# DO NOT use wildcards (*) in production!
CORS_ALLOWED_ORIGINS=https://your-frontend-domain.com,https://app.yourdomain.com
CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
CORS_ALLOWED_HEADERS=Content-Type,Authorization,X-Request-ID
# =============================================================================
# PRODUCTION SECURITY CHECKLIST
# =============================================================================
# Before deploying to production, verify:
#
# ✅ Database:
# - Strong, unique passwords
# - SSL/TLS encryption enabled (DB_SSL_MODE=require)
# - Network-level access controls
# - Regular backups configured
#
# ✅ Redis:
# - Redis AUTH enabled if accessible over network
# - Private network or VPN access only
# - Memory limits configured appropriately
#
# ✅ JWT:
# - Strong, randomly generated JWT_SECRET_KEY
# - Appropriate token durations
# - Environment-specific issuer/audience
#
# ✅ CORS:
# - Specific origins listed (no wildcards)
# - Only necessary methods allowed
# - Restricted headers
#
# ✅ Container Security:
# - seccomp profiles enabled
# - AppArmor enabled (if available)
# - Non-root execution user
# - Resource limits configured
#
# ✅ Infrastructure:
# - HTTPS/TLS termination
# - Firewall rules configured
# - Monitoring and alerting
# - Log aggregation
# - Regular security updates
# =============================================================================
# ENVIRONMENT VARIABLES FOR KUBERNETES/DOCKER
# =============================================================================
# For containerized deployments, consider using:
# - Kubernetes Secrets for sensitive values (passwords, JWT secret)
# - ConfigMaps for non-sensitive configuration
# - External secret management (HashiCorp Vault, AWS Secrets Manager, etc.)
# - Environment-specific value injection through CI/CD pipelines