.env.example (152 lines (127 loc) · 5.17 KB)
# SkyLink - Environment Variables Template
# Copy this file to .env and fill in the values
# NEVER commit .env to version control!

# ============================================
# JWT RS256 Keys (REQUIRED)
# ============================================
# These keys are used for signing and verifying JWT tokens
# KEEP THESE SECURE - Never commit, never log, never expose
#
# HOW TO SET UP (Local Development):
# 1. Generate RSA key pair:
#    openssl genrsa -out private.pem 2048
#    openssl rsa -in private.pem -pubout -out public.pem
#
# 2. Copy the ENTIRE content of each file (including BEGIN/END lines)
#    and paste below as multi-line strings:
#
#    PRIVATE_KEY_PEM="-----BEGIN PRIVATE KEY-----
#    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDBZbV3NCtfNOpY
#    ...paste all lines here...
#    -----END PRIVATE KEY-----"
#
#    PUBLIC_KEY_PEM="-----BEGIN PUBLIC KEY-----
#    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwWW1dzQrXzTqWDsENkW+
#    ...paste all lines here...
#    -----END PUBLIC KEY-----"
#
#    Note: OpenSSL 1.x writes the private key with a
#    "-----BEGIN RSA PRIVATE KEY-----" header instead of the PKCS#8 header
#    shown above; paste the file exactly as generated, header lines included.
#
# HOW TO SET UP (GitLab CI/CD):
# 1. Go to: Settings → CI/CD → Variables
# 2. Add variable PRIVATE_KEY_PEM:
#    - Type: Variable (not File)
#    - Value: Entire content of private.pem (multi-line)
#    - Protected: ✓
#    - Masked: ✗ (too large for masking)
# 3. Add variable PUBLIC_KEY_PEM:
#    - Type: Variable (not File)
#    - Value: Entire content of public.pem (multi-line)
#    - Protected: ✓
#    - Masked: ✗
#
# SECURITY NOTES:
# - These keys MUST be in the .env file (which is in .gitignore)
# - NEVER commit these keys to version control
# - In production, use a secret management service (Vault, AWS Secrets Manager, etc.)
# - Rotate keys periodically (recommended: every 90 days)
# - If keys are compromised, rotate immediately

PRIVATE_KEY_PEM="__REPLACE_WITH_YOUR_PRIVATE_KEY_PEM_CONTENT__"
PUBLIC_KEY_PEM="__REPLACE_WITH_YOUR_PUBLIC_KEY_PEM_CONTENT__"

# ============================================
# Weather API
# ============================================
# Get your API key from: https://www.weatherapi.com/
WEATHER_API_KEY="your_weather_api_key_here"
WEATHER_API_URL="https://api.weatherapi.com/v1"

# ============================================
# Google OAuth2 (for contacts service)
# ============================================
# Get credentials from: https://console.cloud.google.com/
# See: local/contacts-oauth/GOOGLE_CLOUD_SETUP.md for setup instructions

# OAuth Client credentials
GOOGLE_CLIENT_ID="123456789-abc...xyz.apps.googleusercontent.com"
GOOGLE_CLIENT_SECRET="GOCSPX-abc...xyz"
GOOGLE_REDIRECT_URI="http://localhost:8003/oauth/callback"

# Encryption key for OAuth refresh tokens (32 bytes = 64 hex chars)
# Generate with: openssl rand -hex 32
ENCRYPTION_KEY="0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Contacts service mode
DEMO_MODE="true"  # Set to "false" for production OAuth mode

# ============================================
# Database
# ============================================
# PostgreSQL (production)
DB_URL="postgresql://skylink:password@localhost:5432/skylink"

# SQLite (development fallback)
# DB_URL="sqlite:///./skylink.db"

# ============================================
# Redis Cache
# ============================================
REDIS_URL="redis://localhost:6379/0"

# ============================================
# Application Settings
# ============================================
# Environment: development, staging, production
ENVIRONMENT="development"

# Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
LOG_LEVEL="INFO"

# Rate limiting
RATE_LIMIT_PER_MINUTE=60
RATE_LIMIT_GLOBAL_PER_SECOND=10

# ============================================
# mTLS (Mutual TLS) - Optional
# ============================================
# Enable mutual TLS authentication for aircraft-to-gateway communication
# See: local/MTLS_IMPLEMENTATION.md for setup instructions

# Enable/disable mTLS (default: false)
MTLS_ENABLED="false"

# Server certificate and key paths
MTLS_CERT_FILE="certs/server/server.crt"
MTLS_KEY_FILE="certs/server/server.key"

# CA certificate for client verification
MTLS_CA_CERT_FILE="certs/ca/ca.crt"

# Client certificate verification mode:
#   CERT_NONE     - No client certificate required
#   CERT_OPTIONAL - Client certificate optional (for gradual rollout)
#   CERT_REQUIRED - Client certificate required (production)
MTLS_VERIFY_MODE="CERT_REQUIRED"

# HOW TO SET UP mTLS:
# 1. Generate test certificates:
#    ./scripts/generate_test_certs.sh
#
# 2. Enable mTLS:
#    MTLS_ENABLED="true"
#
# 3. Test with curl:
#    curl --cacert certs/ca/ca.crt \
#         --cert certs/clients/aircraft-test-001/aircraft-test-001.crt \
#         --key certs/clients/aircraft-test-001/aircraft-test-001.key \
#         https://localhost:8000/health

# ============================================
# Service URLs (Docker internal network)
# ============================================
# These are used by the gateway to proxy requests to microservices
TELEMETRY_SERVICE_URL="http://telemetry:8001"
WEATHER_SERVICE_URL="http://weather:8002"
CONTACTS_SERVICE_URL="http://contacts:8003"

# ============================================
# OpenTelemetry (optional)
# ============================================
OTEL_EXPORTER_OTLP_ENDPOINT="http://localhost:4318"
OTEL_SERVICE_NAME="skylink"
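The template above relies on multi-line quoted PEM values, a 64-hex-char ENCRYPTION_KEY and a DEMO_MODE that must be switched off before production. The following pre-flight checker is an added example, not part of the SkyLink project: it parses a filled-in .env (handling the multi-line PEM quoting that naive KEY=VALUE parsers break on) and reports placeholders and unsafe combinations before the service starts. The sample .env text is constructed for this example and contains no real key.

```python
import re
# Constructed sample .env text (placeholder PEM body, not a real key); it mirrors the
# template's multi-line quoting and deliberately leaves several values wrong.
SAMPLE_ENV = '''ENVIRONMENT="production"
PRIVATE_KEY_PEM="-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKY
-----END PRIVATE KEY-----"
PUBLIC_KEY_PEM="__REPLACE_WITH_YOUR_PUBLIC_KEY_PEM_CONTENT__"
ENCRYPTION_KEY="0123456789abcdef"
DEMO_MODE="true" # Set to "false" for production OAuth mode
MTLS_VERIFY_MODE="REQUIRED"
'''
PLACEHOLDER = re.compile(r"__REPLACE_WITH_|your_\w+_here|:password@")

def parse_dotenv(text):
    """Parse KEY=value lines; a double-quoted value may span several lines (PEM keys)."""
    env, key, buf = {}, None, []              # key/buf carry state inside a multi-line value
    for line in text.splitlines():
        if key is not None:                   # continuation of a quoted value
            buf.append(line.rstrip())
            if buf[-1].endswith('"'):         # closing quote ends the value
                env[key], key = "\n".join(buf)[:-1], None
            continue
        s = line.strip()
        if not s or s.startswith("#") or "=" not in s:
            continue
        k, _, v = s.partition("=")
        k, v = k.strip(), v.strip()
        if not v.startswith('"'):
            env[k] = v.split("#", 1)[0].strip()
        elif v.find('"', 1) == -1:            # opening quote only: value continues below
            key, buf = k, [v[1:]]
        else:                                 # closed on this line; rest is an inline comment
            env[k] = v[1:v.find('"', 1)]
    return env

def check_env(env):
    """Return a list of problems; an empty list means the settings pass every check."""
    problems = [f"{k}: still contains a template placeholder"
                for k, v in env.items() if PLACEHOLDER.search(v)]
    for k, label in (("PRIVATE_KEY_PEM", "PRIVATE KEY"), ("PUBLIC_KEY_PEM", "PUBLIC KEY")):
        v = env.get(k, "")
        if not PLACEHOLDER.search(v) and not (v.startswith(f"-----BEGIN {label}-----")
                                              and v.endswith(f"-----END {label}-----")):
            problems.append(f"{k}: must hold the full PEM block including BEGIN/END lines")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", env.get("ENCRYPTION_KEY", "")):
        problems.append("ENCRYPTION_KEY: expected 64 hex chars (openssl rand -hex 32)")
    if env.get("MTLS_VERIFY_MODE") not in ("CERT_NONE", "CERT_OPTIONAL", "CERT_REQUIRED"):
        problems.append("MTLS_VERIFY_MODE: not one of CERT_NONE, CERT_OPTIONAL, CERT_REQUIRED")
    if env.get("ENVIRONMENT") == "production" and env.get("DEMO_MODE", "").lower() == "true":
        problems.append('DEMO_MODE: must be "false" in production OAuth mode')
    return problems
```

Running `check_env(parse_dotenv(open(".env").read()))` in a startup hook or CI job turns a mis-pasted key or a forgotten DEMO_MODE into a failed deploy instead of a silent misconfiguration.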