# ============================================================================= # VulnCheck Environment Configuration # ============================================================================= # Copy this file to .env and adjust values before starting: # cp .env.example .env # # Designed to run behind a reverse proxy (Nginx Proxy Manager, Traefik, etc.) # with HTTPS termination at the proxy level. # ============================================================================= # --- Database --- POSTGRES_USER=vulnmanager POSTGRES_PASSWORD=changeme # Change this! POSTGRES_DB=vulnmanager POSTGRES_PORT=5432 # --- Application Ports --- # These are the internal Docker ports. Map them in your reverse proxy. BACKEND_PORT=8022 FRONTEND_PORT=3003 # --- Security (REQUIRED) --- # Generate with: openssl rand -hex 32 JWT_SECRET_KEY=CHANGE-ME-GENERATE-WITH-openssl-rand-hex-32 # --- Environment --- # 'production' disables Swagger docs and enables security headers. # 'development' enables Swagger UI at /docs and relaxes some checks. ENV=production # --- Cookies --- # Set to true when using HTTPS (recommended, required behind HTTPS proxy) AUTH_COOKIE_SECURE=true AUTH_COOKIE_SAMESITE=lax # --- Reverse Proxy --- # Enable if running behind a reverse proxy to trust X-Forwarded-For headers # for correct client IP in rate limiting and audit logs. TRUST_PROXY_HEADERS=true # --- Default Admin Account --- # Created on first start only (if no admin exists in the database). # The password MUST satisfy strength rules (>=8 chars, upper, lower, digit, special), # otherwise the admin will NOT be created and login will be impossible. # Change the password immediately after first login. DEFAULT_ADMIN_USERNAME=admin DEFAULT_ADMIN_PASSWORD=ChangeMe123! DEFAULT_ADMIN_EMAIL=admin@vulnmanager.local # Set to true to skip default admin creation entirely # DISABLE_DEFAULT_ADMIN=false # --- Emergency Admin Reset (optional) --- # Uncomment and set a token to enable the /auth/setup-admin endpoint. # SETUP_ADMIN_TOKEN=your-setup-token # ALLOW_ADMIN_RESET=false # --- Timezone --- TIMEZONE=Europe/Zurich # --- Dashboard URL --- # Used in email notifications for links back to the dashboard. # Set this to your external URL (behind reverse proxy). # DASHBOARD_URL=https://vuln.example.com # ============================================================================= # Multi-Provider Authentication (LDAP / OIDC / SAML / TOTP-MFA) # ============================================================================= # Default config = local only (backwards compatible). Enable providers # below by listing them in AUTH_PROVIDERS and filling in the matching block. # ============================================================================= # Comma-separated list of enabled providers. Local is always recommended # as fallback for emergency admin access. AUTH_PROVIDERS=local # AUTH_PROVIDERS=local,ldap,oidc,saml # Order in which credential-based providers are tried for username/password # login. SSO providers (saml/oidc) are not in this chain — they have their # own redirect endpoints. AUTH_LOOKUP_ORDER=local,ldap # Auto-create local user stub on first SSO/LDAP login. Re-evaluates role # from external groups on every subsequent login. AUTH_JIT_PROVISIONING=true # Fallback role when no group-mapping rule matches. # Values: admin, editor, readonly AUTH_JIT_DEFAULT_ROLE=readonly # Fernet key for encrypting LDAP bind-pw and TOTP secrets at rest. # Generate with: # python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())" # CHANGE THIS — losing the key invalidates all stored TOTP secrets. AUTH_PROVIDER_CRYPTO_KEY=CHANGE-ME-FERNET-KEY # ----------------------------------------------------------------------------- # LDAPS (Active Directory by default) # ----------------------------------------------------------------------------- LDAP_HOST=ldaps.company.internal LDAP_PORT=636 LDAP_USE_SSL=true LDAP_USE_STARTTLS=false # mutually exclusive with USE_SSL # CA bundle that signed the LDAPS server cert (required for strict validation). LDAP_CA_CERT_PATH=/etc/ssl/certs/company-ca.pem LDAP_VALIDATE_CERT=true # NEVER set to false in production # Service account for the search-then-bind flow. LDAP_BIND_DN=cn=svc-vulncheck,ou=ServiceAccounts,dc=company,dc=local # Bootstrap password — loaded once, encrypted, stored in DB. # Remove from env AFTER the first successful start. LDAP_BIND_PASSWORD_BOOTSTRAP= # User search LDAP_USER_SEARCH_BASE=ou=Users,dc=company,dc=local # {username} is replaced by the login form input (filter-escaped). LDAP_USER_SEARCH_FILTER=(&(objectClass=user)(sAMAccountName={username})) LDAP_USER_ATTR_USERNAME=sAMAccountName LDAP_USER_ATTR_EMAIL=mail LDAP_USER_ATTR_GROUPS=memberOf LDAP_USER_ATTR_GUID=objectGUID # AD stable identifier LDAP_USER_ATTR_DISPLAY=displayName # ----------------------------------------------------------------------------- # OIDC (OpenID Connect) — Entra ID / Okta / Keycloak / Google # ----------------------------------------------------------------------------- OIDC_PROVIDER_NAME=Entra ID # Examples: # Entra ID: https://login.microsoftonline.com//v2.0/.well-known/openid-configuration # Okta: https:///.well-known/openid-configuration # Keycloak: https://kc.company.com/realms//.well-known/openid-configuration # Google: https://accounts.google.com/.well-known/openid-configuration OIDC_DISCOVERY_URL= OIDC_CLIENT_ID= OIDC_CLIENT_SECRET= OIDC_REDIRECT_URI=https://vulncheck.company.com/auth/oidc/callback OIDC_SCOPES=openid profile email groups # Claim names — defaults work for Entra ID / Keycloak. Adjust per IdP. OIDC_CLAIM_USERNAME=preferred_username OIDC_CLAIM_EMAIL=email OIDC_CLAIM_GROUPS=groups OIDC_CLAIM_DISPLAY=name OIDC_CLAIM_SUBJECT=sub # ----------------------------------------------------------------------------- # SAML 2.0 # ----------------------------------------------------------------------------- SAML_PROVIDER_NAME=Single Sign-On SAML_SP_ENTITY_ID=https://vulncheck.company.com/auth/saml/metadata SAML_SP_ACS_URL=https://vulncheck.company.com/auth/saml/acs SAML_SP_SLO_URL=https://vulncheck.company.com/auth/saml/slo # SP cert + key — generate a keypair specifically for this SP: # openssl req -x509 -newkey rsa:2048 -nodes \ # -keyout sp.key -out sp.crt -days 730 \ # -subj "/CN=vulncheck.company.com" SAML_SP_CERT_PATH=/etc/vulncheck/saml/sp.crt SAML_SP_PRIVATE_KEY_PATH=/etc/vulncheck/saml/sp.key # IdP metadata source — exactly one of: SAML_IDP_METADATA_URL= # SAML_IDP_METADATA_PATH=/etc/vulncheck/saml/idp-metadata.xml # Attribute mapping (defaults work for most IdPs) SAML_ATTR_USERNAME=urn:oid:0.9.2342.19200300.100.1.1 SAML_ATTR_EMAIL=urn:oid:1.2.840.113549.1.9.1 SAML_ATTR_GROUPS=http://schemas.xmlsoap.org/claims/Group SAML_ATTR_DISPLAY=urn:oid:2.16.840.1.113730.3.1.241