.env.example

######################
# General settings
######################

# Whether the environment is in debug mode (e.g. Django debug)
# VALUES: 0 - non debug mode; 1 - debug mode
# DEFAULT: 1
DEBUG=1

# Main hostname of the QFieldCloud instance. Must be included in `DJANGO_ALLOWED_HOSTS`.
# Must not have a leading `http://` or `https://` and must not have a trailing slash or port.
# NOTE: Must be defined in the beginning of this file as it is used by other variables below.
# DEFAULT: localhost
QFIELDCLOUD_HOST=localhost

# Environment where QFieldCloud runs
# VALUES: `development` - local development; `staging` - staging server; `test` - tests; `production` - production server
# DEFAULT: development
ENVIRONMENT=development


######################
# Security settings
######################

# Secret key used by Django for cryptographic signing.
# Change this value, for instance with `pwgen -sn 128`.
# See: https://docs.djangoproject.com/en/4.2/ref/settings/#secret-key
# NOTE: do not change on already existing instances until QF-6361 Remove legacy `django_cryptography`'s encrypted field support
# DEFAULT: change_me
SECRET_KEY=change_me

# Key used for cryptographic operations on encrypted fields.
# Change this value, for instance with `pwgen -sn 128`.
# See: https://pypi.org/project/django-fernet-encrypted-fields/
# DEFAULT: 0123456789abcdefghijklmnopqrstuvwxyz
SALT_KEY=0123456789abcdefghijklmnopqrstuvwxyz


######################
# Certificate settings
######################

# TLS certificate filename from within the `nginx` container.
# For usage with Let's Encrypt certificate, use as:
# QFIELDCLOUD_TLS_CERT="/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/fullchain.pem"
# DEFAULT: "/etc/nginx/certs/${QFIELDCLOUD_HOST}.pem"
QFIELDCLOUD_TLS_CERT="/etc/nginx/certs/${QFIELDCLOUD_HOST}.pem"

# TLS private key filename from within the `nginx` container.
# For usage with Let's Encrypt certificate, use as:
# QFIELDCLOUD_TLS_KEY="/etc/letsencrypt/live/${QFIELDCLOUD_HOST}/privkey.pem"
# DEFAULT: "/etc/nginx/certs/${QFIELDCLOUD_HOST}-key.pem"
QFIELDCLOUD_TLS_KEY="/etc/nginx/certs/${QFIELDCLOUD_HOST}-key.pem"

# TLS DF parameters filename from within the `nginx` container.
# When empty, no DF parameters are used.
# DEFAULT: "/etc/nginx/dhparams/ssl-dhparams.pem"
QFIELDCLOUD_TLS_DHPARAMS="/etc/nginx/dhparams/ssl-dhparams.pem"

# Let's Encrypt email used for registration and recovery contact.
# DEFAULT: test@example.com
LETSENCRYPT_EMAIL="test@example.com"

# Let's Encrypt RSA key size. See https://eff-certbot.readthedocs.io/en/stable/using.html#rsa-and-ecdsa-keys
# VALUES: 4096
# DEFAULT: 4096
LETSENCRYPT_RSA_KEY_SIZE=4096

# Whether the Let's Encrypt certificate is used in staging or production environment. See https://eff-certbot.readthedocs.io/en/stable/using.html#revoking-certificates
# NOTE: Let's Encrypt has rate limits. When testing your setup, use staging environment to avoid hitting the limits.
# VALUES: 0 - production; 1 - staging
# DEFAULT: 1
LETSENCRYPT_STAGING=1


##################
# Storage settings
##################

# Used to define storages in QFieldCloud. Note the contents of this variable is a superset of Django's `STORAGES` setting.
# NOTE: Note if the `STORAGES` is not available, QFieldCloud will still work with `STORAGE_ACCESS_KEY_ID`, `STORAGE_SECRET_KEY_ID`, `STORAGE_BUCKET_NAME` and `STORAGE_REGION_NAME` from previous QFC versions.
# NOTE: The `endpoint_url` must be a URL reachable from within docker and the host, the default value `172.17.0.1` for `rustfs` is the docker network `bridge`. On windows/mac, change the value to "http://host.docker.internal:8009".
# DEFAULT:
# {
#     "default": {
#         "BACKEND": "qfieldcloud.filestorage.backend.QfcS3Boto3Storage",
#         "OPTIONS": {
#             "access_key": "rustfsadmin",
#             "secret_key": "rustfsadmin",
#             "bucket_name": "qfieldcloud-local",
#             "region_name": "",
#             "endpoint_url": "http://172.17.0.1:8009"
#         }
#     }
# }

# WebDav storage setup with `bytemark/WebDAV` docker image:
# NOTE: HTTP basic auth user and password must be the same as the WEBDAV_USERNAME and WEBDAV_PASSWORD env variables.
# {
#     "webdav": {
#         "BACKEND": "qfieldcloud.filestorage.backend.QfcWebDavStorage",
#         "OPTIONS": {
#             "webdav_url": "http://qfc_webdav_user:qfc_webdav_pwd@webdav",
#             "public_url": "http://webdav",
#             "basic_auth": "qfc_webdav_user:qfc_webdav_pwd"
#         }
#     }
# }

# WebDav storage setup with an external NextCloud server:
# NOTE: USERNAME and PASSWORD refer to a user's credentials on the NextCloud server.
# NOTE: NEXTCLOUD_SHARE_TOKEN refer to a public share token that can be generated from the NextCloud UI.
# {
#     "webdav_nextcloud": {
#         "BACKEND": "qfieldcloud.filestorage.backend.QfcWebDavStorage",
#         "OPTIONS": {
#             "webdav_url": "https://USERNAME:PASSWORD@my.nextcloud.server/remote.php/dav/files/USERNAME",
#             "public_url": "https://my.nextcloud.server/public.php/webdav",
#             "basic_auth": "NEXTCLOUD_SHARE_TOKEN:"
#         }
#     }
# }

STORAGES='{
        "default": {
            "BACKEND": "qfieldcloud.filestorage.backend.QfcS3Boto3Storage",
            "OPTIONS": {
                "access_key": "rustfsadmin",
                "secret_key": "rustfsadmin",
                "bucket_name": "qfieldcloud-local",
                "region_name": "",
                "endpoint_url": "http://172.17.0.1:8009"
            }
        }
    }'

# Setting what is the default storage for new projects. If empty, it will use the `default` storage.
# NOTE: The value must be a key of the `STORAGES` setting.
# DEFAULT: ""
# STORAGES_PROJECT_DEFAULT_STORAGE=

# Setting what is the default attachments storage for new projects. If empty, it will use the `default` storage.
# NOTE: The value must be a key of the `STORAGES` setting.
# DEFAULT: ""
# STORAGES_PROJECT_DEFAULT_ATTACHMENTS_STORAGE=

# Default value on new projects if attachments should be versioned.
# NOTE: can currently be unset only when using an attachment storage of type WebDAV (qfieldcloud.filestorage.backend.QfcWebDavStorage).
# See definition of the `STORAGES_PROJECT_DEFAULT_ATTACHMENTS_STORAGE` setting.
# VALUES: 0 - not versioned; 1 - versioned
# DEFAULT: 1
# STORAGE_PROJECT_DEFAULT_ATTACHMENTS_VERSIONED=1


##################
# Nginx settings
##################

# Public port for HTTP connections.
# DEFAULT: 80
WEB_HTTP_PORT=80

# Public port for HTTPS connections.
# DEFAULT: 443
WEB_HTTPS_PORT=443

# Messages are logged at the specified level and all more severe levels. The nginx default is `error`. See https://nginx.org/en/docs/ngx_core_module.html#error_log
# OPTIONS: debug, info, notice, warn, error, crit, alert, emerg
# DEFAULT: error
NGINX_ERROR_LOG_LEVEL=error

# Sets the maximum allowed size of the client request body.
# DEFAULT: 10g
NGINX_CLIENT_MAX_BODY_SIZE=10g

# Timeout for establishing a connection with the proxied server
# DEFAULT: 5s
NGINX_PROXY_CONNECT_TIMEOUT=5s

# Timeout for reading a response from the proxied server.
# DEFAULT: 300s
NGINX_PROXY_READ_TIMEOUT=300s

# Timeout for transmitting a request to the proxied server.
# DEFAULT: 300s
NGINX_PROXY_SEND_TIMEOUT=300s

# If the nginx reverse-proxy should allow internal HTTP requests.
# This applies only to requests coming from the internal network (e.g. workers containers).
# If not, all the requests will be redirected to HTTPS.
# DEFAULT: 0
NGINX_ALLOW_INTERNAL_HTTP=0

##################
# Gunicorn settings
##################

# The maximum number of seconds a Gunicorn worker can take to handle a request before being killed and restarted. See https://docs.gunicorn.org/en/stable/settings.html#timeout
# DEFAULT: 300
GUNICORN_TIMEOUT_S=300

# The maximum number of requests a Gunicorn worker will process before being restarted (helps prevent memory leaks). See https://docs.gunicorn.org/en/stable/settings.html#max-requests
# DEFAULT: 300
GUNICORN_MAX_REQUESTS=300

# The number of Gunicorn worker processes to handle incoming requests (increase for more concurrency). See https://docs.gunicorn.org/en/stable/settings.html#workers
# DEFAULT: 3
GUNICORN_WORKERS=3

# The number of threads per Gunicorn worker process (increase for more concurrency, especially for I/O-bound workloads). See https://docs.gunicorn.org/en/stable/settings.html#threads
# DEFAULT: 3
GUNICORN_THREADS=3


###################
# Database settings
###################

# PostgreSQL connection user. This user must have access to create, modify the `POSTGRES_DB` database, and ensure `postgis` extension is installed.
# DEFAULT: qfieldcloud_db_admin
POSTGRES_USER=qfieldcloud_db_admin

# PostgreSQL connection password. Change this value, for instance with `pwgen -sn 16`.
# DEFAULT: 3shJDd2r7Twwkehb
POSTGRES_PASSWORD=3shJDd2r7Twwkehb

# PostgreSQL database name. This database will be created if it does not exist.
# DEFAULT: qfieldcloud_db
POSTGRES_DB=qfieldcloud_db

# PostgreSQL host.
# DEFAULT: db
POSTGRES_HOST=db

# PostgreSQL port.
# DEFAULT: 5432
POSTGRES_PORT=5432

# PostgreSQL SSL mode.
# Use "prefer" OR "require" most of the times
# See https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
# VALUES: "disable", "allow", "prefer", "require", "verify-ca", "verify-full"
# DEFAULT: prefer
POSTGRES_SSLMODE=prefer


#########################
# Sentry settings
#########################

# Sentry DSN. Missing value disables Sentry logging. Can be found on https://opengisch.sentry.io/settings/projects/qfieldcloud/keys/
# DEFAULT: <NO VALUE>
SENTRY_DSN=

# Sentry sample rate between 0 and 1. See https://docs.sentry.io/platforms/python/configuration/sampling/
# DEFAULT: 1
SENTRY_SAMPLE_RATE=1

# Release version shown on sentry. See https://docs.sentry.io/product/releases/
# DEFAULT: dev
SENTRY_RELEASE=dev


###################
# Django settings
###################

# Django settings module to be used. See https://docs.djangoproject.com/en/4.2/topics/settings/#envvar-DJANGO_SETTINGS_MODULE
# DEFAULT: qfieldcloud.settings
DJANGO_SETTINGS_MODULE=qfieldcloud.settings

# Space separated list of allowed hostnames.
# Must include the `QFIELDCLOUD_HOST` value.
# Use `*` to allow all hostnames (not recommended in production).
# See https://docs.djangoproject.com/en/4.2/ref/settings/#allowed-hosts
# DEFAULT: "localhost 127.0.0.1 0.0.0.0 app nginx
DJANGO_ALLOWED_HOSTS="localhost 127.0.0.1 0.0.0.0 app nginx"

# Whether to use `X-Forwarded-Host` header when getting the host of the requests.
# This is required when QFieldCloud is behind a proxy that sets the `X-Forwarded-Host` header.
# See https://docs.djangoproject.com/en/5.2/ref/settings/#use-x-forwarded-host
# DEFAULT: 1
DJANGO_USE_X_FORWARDED_HOST=1

# Whether QFieldCloud should be translated in another language other than English. See  https://docs.djangoproject.com/en/4.2/ref/settings/#use-i18n
# NOTE if there is no full translation in given language, QFieldCloud will be shown in mixture of English and the given language. Also installed Django modules have their own translations that might not be complete.
# VALUES: 0 - English only; 1 - enable other languages
# DEFAULT: 1
QFIELDCLOUD_USE_I18N=1

# QFieldCloud default language that is displayed in the interface. See https://docs.djangoproject.com/en/4.2/ref/settings/#language-code
# DEFAULT: "en"
QFIELDCLOUD_DEFAULT_LANGUAGE="en"

# QFieldCloud default timezone that is used when account has no timezone. See https://docs.djangoproject.com/en/4.2/ref/settings/#time-zone
# DEFAULT: "Europe/Zurich"
QFIELDCLOUD_DEFAULT_TIME_ZONE="Europe/Zurich"


###################
# Email settings
###################

# Hostname of the email server used to send emails. See https://docs.djangoproject.com/en/4.2/ref/settings/#email-host
# DEFAULT: smtp4dev
EMAIL_HOST=smtp4dev

# Whether to use TLS when connecting to the email server. See https://docs.djangoproject.com/en/4.2/ref/settings/#email-use-tls
# DEFAULT: False
EMAIL_USE_TLS=False

# Whether to use SSL when connecting to the email server. See https://docs.djangoproject.com/en/4.2/ref/settings/#email-use-ssl
# VALUES: True, False
# DEFAULT: False
EMAIL_USE_SSL=False

# Port to use for the email server. See https://docs.djangoproject.com/en/4.2/ref/settings/#email-port
# DEFAULT: 25
EMAIL_PORT=25

# Username to use for the email server. See https://docs.djangoproject.com/en/4.2/ref/settings/#email-host-user
# DEFAULT: user
EMAIL_HOST_USER=user

# Password to use for the email server. See https://docs.djangoproject.com/en/4.2/ref/settings/#email-host-password
# DEFAULT: password
EMAIL_HOST_PASSWORD=password

# Default email address to use on behalf of QFieldCloud. See https://docs.djangoproject.com/en/4.2/ref/settings/#default-from-email
# DEFAULT: "webmaster@localhost"
DEFAULT_FROM_EMAIL="webmaster@localhost"


#########################
# Authentication settings
#########################

# Whether password based login is enabled for QFC clients.
# VALUES: 0 - password login disabled; 1 - password login enabled
# DEFAULT: 1
QFIELDCLOUD_PASSWORD_LOGIN_IS_ENABLED=1

# Social account providers.
#
# Dictionary of OIDC / OAuth2 providers configurations that may be used for
# authentication in this QFC instance.
#
# Refer to django.allauth documentation for more information:
# https://docs.allauth.org/en/dev/socialaccount/providers/index.html
#
# NOTE: Also requires the respective provider to be added to INSTALLED_APPS
# if it's not already contained there.
#
# EXAMPLE:
# SOCIALACCOUNT_PROVIDERS = '{
#   "google": {
#     "OAUTH_PKCE_ENABLED": true,
#     "APP": {
#       "client_id": "<client-id>",
#       "key": ""
#     }
#   },
#   "github": {
#     "APP": {
#       "client_id": "<client-id>",
#       "secret": "<client-secret>"
#     }
#   },
#   "openid_connect": {
#     "OAUTH_PKCE_ENABLED": true,
#     "APP": {
#       "provider_id": "keycloak",
#       "name": "Keycloak",
#       "client_id": "<client-id>",
#       "settings": {
#         "server_url": "https://keycloak.local/realms/myrealm/.well-known/openid-configuration"
#       }
#     }
#   }
# }'
#
# DEFAULT: {}
SOCIALACCOUNT_PROVIDERS='{}'

# Choose one of "mandatory", "optional", or "none".
# For local development and test use "optional" or "none"
# DEFAULT: optional
ACCOUNT_EMAIL_VERIFICATION=optional

# QFieldCloud account adapter model.
# See allauth's default account adapter here: https://docs.allauth.org/en/dev/account/adapter.html
# Use `qfieldcloud.core.adapters.AccountAdapterSignUpOpen` for the open signup.
# Use `qfieldcloud.core.adapters.AccountAdapterSignUpClosed` for the closed signup.
# DEFAULT: qfieldcloud.core.adapters.AccountAdapterSignUpOpen
QFIELDCLOUD_ACCOUNT_ADAPTER=qfieldcloud.core.adapters.AccountAdapterSignUpOpen

# QFieldCloud auth token expiration hours. For example 720 hours (30 days).
# DEFAULT: 720
QFIELDCLOUD_AUTH_TOKEN_EXPIRATION_HOURS=720


##################
# Other QFieldCloud specific settings
##################

# Admin URI. Requires slash in the end. Must not have a leading slash.
# DEFAULT: "admin/"
QFIELDCLOUD_ADMIN_URI=admin/

# QFieldCloud subscription model
# DEFAULT: subscription.Subscription
QFIELDCLOUD_SUBSCRIPTION_MODEL=subscription.Subscription


##################
# QGIS worker settings
##################

# QFieldCloud URL used within the worker as configuration for qfieldcloud-sdk.
# DEFAULT: "http://app:8000/api/v1/"
QFIELDCLOUD_WORKER_QFIELDCLOUD_URL=http://app:8000/api/v1/

# number of parallel workers
# DEFAULT: 1
QFIELDCLOUD_WORKER_REPLICAS=1

# Docker compose default network also used by the docker in docker workers
# If empty value, a default name will be generated at build time, for example `qfieldcloud_default`.
# DEFAULT: ""
# QFIELDCLOUD_DEFAULT_NETWORK=""

# QFieldCloud QGIS image name to be used as worker by the `worker_wrapper`.
# If empty value, a default name will be generated at build time, for example `qfieldcloud-qgis`.
# DEFAULT: ""
# QFIELDCLOUD_QGIS_IMAGE_NAME=""

# Directory used by QFieldCloud worker for temporary files shared between the host, the worker_wrapper and the worker containers.
# Must be an absolute path on the host.
# DEFAULT: /tmp
TMP_DIRECTORY=/tmp


##################
# Docker settings
##################

# Prefix used by docker compose for each of the containers, e.g. app will be `qfieldcloud_app`
# DEFAULT: qfieldcloud
COMPOSE_PROJECT_NAME=qfieldcloud

# List of docker compose files
# DEFAULT: docker-compose.yml:docker-compose.override.local.yml
COMPOSE_FILE=docker-compose.yml:docker-compose.override.local.yml:docker-compose.override.standalone.yml

# Separator in `COMPOSE_FILE` between filenames. Required for making COMPOSE_FILE above cross-platform (do not change)
# DEFAULT: :
COMPOSE_PATH_SEPARATOR=:

# Forces Docker to use the amd64 platform when building or pulling images.
# Useful on Apple Silicon (arm64) Macs where some images are only available for amd64.
# DEFAULT: linux/amd64
DOCKER_DEFAULT_PLATFORM=linux/amd64

##################
# Standalone settings - development only
##################

# Not used in production.
# NOTE: Ignored if `smtp4dev` is not used.
# DEFAULT: 8012
SMTP4DEV_WEB_PORT=8012

# Not used in production.
# NOTE: Ignored if `smtp4dev` is not used.
# DEFAULT: 25
SMTP4DEV_SMTP_PORT=25

# Not used in production.
# NOTE: Ignored if `smtp4dev` is not used.
# DEFAULT: 143
SMTP4DEV_IMAP_PORT=143

# Docker image tag used for local/standalone database setup. See https://hub.docker.com/r/postgis/postgis/tags
# When setting up a new local instance, do not hesitate to pick a recent version.
# For migrating a local postgis to a more recent major version (risky operation),
# see this gist: https://gist.github.com/gounux/2c0779fcb22e512cbdc613eb78200571
# Migration to a newer database version is a risky operation to your data, so prepare and test the backup of the `postgres_data` volume.
# NOTE: Ignored if `db` is not used.
# DEFAULT: 17-3.5-alpine
POSTGIS_IMAGE_VERSION=17-3.5-alpine

# Local admin username configuration for object storage in local and standalone instances.
# NOTE: Ignored if `rustfs` is not used.
# NOTE: Needs to be the same as in the `STORAGES` setting in standalone config.
# DEFAULT: "rustfsadmin"
OBJECT_STORAGE_ROOT_USER="rustfsadmin"

# Local admin password configuration for object storage in local and standalone instances.
# NOTE: Ignored if `rustfs` is not used.
# NOTE: Needs to be the same as in the `STORAGES` setting in standalone config.
# DEFAULT: "rustfsadmin"
OBJECT_STORAGE_ROOT_PASSWORD="rustfsadmin"

# Public port to the object storage API endpoint. It must match the configured port in `STORAGE_ENDPOINT_URL`.
# NOTE: Ignored if `rustfs` is not used.
# NOTE: Needs to be the same as in the `STORAGES` setting in standalone config.
# DEFAULT: 8009
OBJECT_STORAGE_API_PORT=8009

# Public port to the object storage browser endpoint.
# NOTE: Ignored if `rustfs` is not used.
# DEFAULT: 8010
OBJECT_STORAGE_BROWSER_PORT=8010

# Public port to the webdav server.
# NOTE: Ignored if `webdav` docker service is not used.
# DEFAULT: 8020
WEBDAV_PUBLIC_PORT=8020

# Username of the user in the webdav server.
# NOTE: Ignored if `webdav` docker service is not used.
# DEFAULT: qfc_webdav_user
WEBDAV_USERNAME=qfc_webdav_user

# Password of the user in the webdav server.
# NOTE: Ignored if `webdav` docker service is not used.
# DEFAULT: qfc_webdav_pwd
WEBDAV_PASSWORD=qfc_webdav_pwd

# Comma-separated list of values for the mini WebDAV server names.
# NOTE: Ignored if `webdav` docker service is not used.
# DEFAULT: "172.17.0.1,webdav"
WEBDAV_SERVER_NAMES="172.17.0.1,webdav"

# Host port to the PostgreSQL database.
# DEFAULT: 5433
HOST_POSTGRES_PORT=5433

# Comma-separated list of origins allowed to make cross-origin requests to the API.
# Example  "https://app.example.com,http://localhost:5173"
# NOTE: Do NOT include trailing slashes.
# DEFAULT: "https://docs.qfield.org"
CORS_ALLOWED_ORIGINS=https://docs.qfield.org

# Allow credentials (cookies, authorization headers) in cross-origin requests.
# VALUES: 0 - do not allow credentials; 1 - allow clients to send authentication tokens or session cookies.
# DEFAULT: 1
CORS_ALLOW_CREDENTIALS=1


##################
# Debug settings - development only
##################

# Debugpy port used for the `app` service
# NOTE modifying this value requires modification of `.vscode/launch.json` file too
# DEFAULT: 5678
DEBUG_APP_DEBUGPY_PORT=5678

# Debugpy port used for the `worker_wrapper` service
# NOTE modifying this value requires modification of `.vscode/launch.json` file too
# DEFAULT: 5679
DEBUG_WORKER_WRAPPER_DEBUGPY_PORT=5679

# Debugpy port used for the `qgis` service
# NOTE modifying this value requires modification of `.vscode/launch.json` file too
# NOTE setting a value to this variable (e.g. 5680) will make the `qgis` container wait until a debugger is attached
# DEFAULT: ""
DEBUG_QGIS_DEBUGPY_PORT=""

# Host path which will be mounted by the `worker_wrapper` into the `worker` containers to facilitate development and debugging python files.
# Will mount `qfc_worker`, `entrypoint.py`, and if exists - `qfieldcloud-sdk` and `libqfieldsync`.
# If empty or invalid value, the original code from the docker image (either copied or pip installed) will be used.
# DEFAULT: ""
DEBUG_QGIS_WORKER_HOST_PATH=""

# The Django development port. Not used in production.
# DEFAULT: 8011
DJANGO_DEV_PORT=8011