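# ==========================================
# Baron SSO - Unified Environment Configuration
# ==========================================
# Format: dotenv (KEY=value, one per line, `#` full-line comments only).
# Comments are kept on their own line because whether `KEY=value # note`
# strips the note or keeps it as part of the value depends on the loader.
# `${VAR}` references below rely on a loader that expands them (Docker Compose
# does); a loader without interpolation would pass them through literally.
# This file carries live credentials (DB, admin, cookie/JWT, Ory secrets):
# keep it out of version control and rotate any value that has been committed.

# --- General System ---
# Application runtime environment (dev, stage, production)
APP_ENV=stage
TZ=Asia/Seoul
IDP_PROVIDER=ory

# --- Infrastructure Ports ---
DB_PORT=5432
CLICKHOUSE_PORT_HTTP=8123
CLICKHOUSE_PORT_NATIVE=9000
BACKEND_PORT=3000
ADMINFRONT_PORT=5173
DEVFRONT_PORT=5174
USERFRONT_PORT=5000
USERFRONT_BUILD_TARGET=production

# --- Database Credentials (PostgreSQL) ---
DB_USER=baron
# Placeholder; replace before use.
DB_PASSWORD=password
DB_NAME=baron_sso

# --- Backend Configuration ---
# Must be 32 bytes. Generate with `openssl rand -hex 32`
# NOTE(review): `openssl rand -hex 32` prints 64 hex characters (32 random
# bytes) and the placeholder below is 34 characters; confirm which length the
# backend actually enforces. The same COOKIE_SECRET is also consumed by the
# Kratos Selfservice UI (see that section) - it is defined only once.
COOKIE_SECRET=super-secret-key-must-be-32-bytes!
JWT_SECRET=super-secret-key-must-be-32-bytes!
# Optional backend slog override: debug, info, warn, error
# Empty = no override.
BACKEND_LOG_LEVEL=
# Redis port from compose.infra.yaml (container-internal)
REDIS_ADDR=redis:6389
# Exact Origin required when cookie auth is used.
# NOTE(review): only the localhost dev origin is listed; the public origin is
# same-origin through the Nginx proxy (BACKEND_PUBLIC_URL=${USERFRONT_URL}),
# so it needs no CORS entry unless a front end calls the API cross-origin.
CORS_ALLOWED_ORIGINS=http://localhost:5000

# --- NAVER WORKS API ---
WORKS_ADMIN_API_BASE_URL=https://www.worksapis.com
WORKS_ADMIN_OAUTH_TOKEN_URL=https://auth.worksmobile.com/oauth2/v2.0/token

# --- NAVER WORKS Drive backup upload ---
# Drive API uploads require the `file` scope.
# In production, prefer a user / OAuth access token with delegated Drive permission.
# The service-account JWT method can only be used when the WORKS app policy
# allows Drive API scope delegation.
WORKS_DRIVE_TARGET=sharedrive
WORKS_DRIVE_SHARED_DRIVE_ID=
WORKS_DRIVE_PARENT_FILE_ID=
WORKS_DRIVE_USER_ID=me
WORKS_DRIVE_GROUP_ID=
WORKS_DRIVE_SHARED_FOLDER_ID=
# Token sources, presumably tried in some precedence order: literal value,
# file, or command that prints the token - confirm the order in the uploader.
WORKS_DRIVE_ACCESS_TOKEN=
WORKS_DRIVE_ACCESS_TOKEN_FILE=
WORKS_DRIVE_ACCESS_TOKEN_CMD=
WORKS_DRIVE_OAUTH_SCOPE=file
WORKS_DRIVE_OAUTH_CLIENT_ID=
WORKS_DRIVE_OAUTH_CLIENT_SECRET=
WORKS_DRIVE_OAUTH_CLIENT_SERVICE_ACCOUNT=
# Relative path; resolved against the uploader's working directory (verify).
# Keep the key file readable only by the service user.
WORKS_DRIVE_OAUTH_CLIENT_PRIVATE_KEY_FILE=./config/worksmobile-driveapp-private-key.pem
WORKS_DRIVE_OAUTH_REFRESH_TOKEN=
WORKS_DRIVE_OAUTH_REDIRECT_URI=
# Chunk size for split uploads (size suffix as understood by the uploader).
WORKS_DRIVE_SPLIT_SIZE=9000M
# 0 = no single-file limit (assumed; confirm in the uploader).
WORKS_DRIVE_MAX_SINGLE_FILE_BYTES=0
WORKS_DRIVE_FORCE_SPLIT=false
WORKS_DRIVE_OVERWRITE=false
WORKS_DRIVE_DRY_RUN=false
WORKS_DRIVE_UPLOAD_REPORTS=true
WORKS_DRIVE_REPORT_FOLDER_NAME=reports

# --- Audit System Configuration ---
# Number of goroutine workers for asynchronous audit-log processing
AUDIT_WORKER_COUNT=5
# Audit-log queue (channel) buffer size
AUDIT_QUEUE_SIZE=2000

# --- Redis Cache Configuration ---
# User profile Redis cache TTL (Go duration syntax)
PROFILE_CACHE_TTL=30m

# --- Naver Cloud Services ---
# `...` values are placeholders to be filled from the secret store.
NAVER_CLOUD_ACCESS_KEY=ncp_iam_...
NAVER_CLOUD_SECRET_KEY=ncp_iam_...
NAVER_CLOUD_SERVICE_ID=ncp:sms:kr:...:...
NAVER_SENDER_PHONE_NUMBER=...

# --- AWS SES (for sending email) ---
AWS_REGION=ap-northeast-2
AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...
AWS_SES_SENDER=no-reply@baron.co.kr

# --- Admin page credentials ---
ADMIN_EMAIL=admin@baron.co.kr
# Placeholder; replace before use.
ADMIN_PASSWORD=adminPasswordIsNotSimple

# --- URLs for Proxy/Handoff ---
# Project Public Base URL (Served by UserFront Nginx)
USERFRONT_URL=https://sso.hmac.kr
# Services proxied via Nginx
BACKEND_PUBLIC_URL=${USERFRONT_URL}
BACKEND_URL=${USERFRONT_URL}
OATHKEEPER_PUBLIC_URL=${USERFRONT_URL}

# --- ory-stack variables ---
ORY_POSTGRES_TAG=17-alpine
CLICKHOUSE_TAG=24.6
ORY_POSTGRES_USER=ory
# Looks like a real credential rather than a placeholder; if this file has
# ever been committed, rotate it.
ORY_POSTGRES_PASSWORD=EuBV5ywvXFehkggHQrnYo5727MseEi6i9
ORY_POSTGRES_DB=ory
# ORY_POSTGRES_PORT=5433
# Internal only
KRATOS_DB=ory_kratos
HYDRA_DB=ory_hydra
KETO_DB=ory_keto

# --- Ory Kratos Configuration ---
KRATOS_VERSION=v26.2.0-distroless
# KRATOS_PUBLIC_PORT=4433
# KRATOS_ADMINFRONT_PORT=4434
# Internal only
KRATOS_UI_NODE_VERSION=v26.2.0
# KRATOS_UI_PORT=4455
# Internal only

# --- Ory Hydra Configuration ---
HYDRA_VERSION=v26.2.0-distroless
# HYDRA_PUBLIC_PORT=4441
# HYDRA_ADMINFRONT_PORT=4445
# Internal only

# --- Ory Keto Configuration ---
KETO_VERSION=v26.2.0-distroless
# KETO_READ_PORT=4466
# KETO_WRITE_PORT=4467
# Internal only
KETO_READ_URL=http://keto:4466
KETO_WRITE_URL=http://keto:4467

# Kratos Selfservice UI upstreams (override for deployments)
ORY_SDK_URL=http://kratos:4433
KRATOS_PUBLIC_URL=http://kratos:4433
KRATOS_ADMIN_URL=http://kratos:4434
# External Kratos Public/UI URL reached by the browser
# Oathkeeper routes the /auth path to the Kratos Public API.
KRATOS_BROWSER_URL=${OATHKEEPER_PUBLIC_URL}/auth
# The Kratos UI is rendered by UserFront.
# NOTE(review): this stays on localhost while USERFRONT_URL is the public
# stage host; confirm it is intentional for APP_ENV=stage.
KRATOS_UI_URL=http://localhost:5000
HYDRA_ADMIN_URL=http://hydra:4445
# Oathkeeper routes the /oidc path to the Hydra Public API.
HYDRA_PUBLIC_URL=${OATHKEEPER_PUBLIC_URL}/oidc
# Placeholder; replace with a generated secret before use.
HYDRA_SYSTEM_SECRET=change-me-to-at-least-16-characters
# Optional: set only when the Hydra UI hand-off URLs should differ from the
# USERFRONT_URL-based defaults.
# HYDRA_LOGIN_URL=https://sso.hmac.kr/login
# HYDRA_CONSENT_URL=https://sso.hmac.kr/consent
# HYDRA_ERROR_URL=https://sso.hmac.kr/error

# Extra Kratos allowed_return_urls entries (comma-separated, optional)
# The default automatically includes KRATOS_UI_URL, USERFRONT_URL and each
# callback URL.
KRATOS_ALLOWED_RETURN_URLS_EXTRA=
# Raw JSON array on a single line; the loader must keep the quotes literally.
# The localhost entries serve local development - drop them for production so
# a post-login redirect cannot land on a developer-controlled origin.
KRATOS_ALLOWED_RETURN_URLS_JSON=["http://localhost:5000","http://localhost:5000/","https://sso.hmac.kr","https://sso.hmac.kr/","https://sso.hmac.kr/ko","https://sso.hmac.kr/ko/","https://sso.hmac.kr/en","https://sso.hmac.kr/en/","https://sso.hmac.kr/auth/callback","https://sso.hmac.kr/ko/auth/callback","https://sso.hmac.kr/en/auth/callback","http://localhost:5173/auth/callback","http://localhost:5174/auth/callback","http://localhost:5175/auth/callback","https://sso.hmac.kr/orgfront/auth/callback"]

# Oathkeeper JWKS (internal communication)
JWKS_URL=http://oathkeeper:4456/.well-known/jwks.json

# Oathkeeper run-as user / probe settings
OATHKEEPER_VERSION=v26.2.0
OATHKEEPER_UID=1001
OATHKEEPER_GID=1001
OATHKEEPER_HEALTH_URL=http://oathkeeper:4456/health/ready
OATHKEEPER_HEALTH_INTERVAL_SECONDS=10
OATHKEEPER_HEALTH_TIMEOUT_SECONDS=2
OATHKEEPER_HEALTH_ENABLED=true

# Kratos Selfservice UI required secrets (local only)
# COOKIE_SECRET is defined once, under "Backend Configuration" above, and is
# shared with the UI. A second `COOKIE_SECRET=localcookie123` used to sit here;
# which of the two took effect depended on the loader (first-wins vs
# last-wins), so the duplicate was removed. If the two consumers need
# different values, map a distinct variable per service in the compose
# `environment:` block instead of reusing the name.
# NOTE(review): browsers honour the `__Host-` cookie prefix only with Secure,
# Path=/ and no Domain attribute, and the canonical spelling is `__Host-`;
# confirm the UI sets the cookie that way and that local http still works.
CSRF_COOKIE_NAME=__HOST-baronSSO_csrf
CSRF_COOKIE_SECRET=localcsrf123

# --- AdminFront OIDC settings ---
ADMINFRONT_URL=http://localhost:5173
# Comma-separated list
ADMINFRONT_CALLBACK_URLS=http://localhost:5173/auth/callback,https://sso.hmac.kr/auth/callback

# --- DevFront OIDC settings ---
VITE_OIDC_CLIENT_ID=devfront
VITE_OIDC_AUTHORITY=https://sso.hmac.kr/oidc
DEVFRONT_URL=http://localhost:5174
DEVFRONT_CALLBACK_URLS=http://localhost:5174/auth/callback,https://sso.hmac.kr/devfront/auth/callback
ORGFRONT_CALLBACK_URLS=http://localhost:5175/auth/callback,https://sso.hmac.kr/orgfront/auth/callback
VITE_ORGCHART_URL=

# Loki server endpoint URL that receives logs from promtail
LOKI_URL=http://loki:3100/loki/api/v1/push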