- Add create_vault_config() function to generate config.hcl with mTLS settings - Configure Vault to require client certificate verification - Generate client certificate for botserver in bootstrap - Update .env to include mTLS paths (VAULT_CACERT, VAULT_CLIENT_CERT, VAULT_CLIENT_KEY) - Remove unused import in tls.rs
# BotServer Environment Configuration
# =====================================
#
# ONLY VAULT VARIABLES ARE ALLOWED IN THIS FILE!
# All secrets (DATABASE_URL, API keys, etc.) MUST be stored in Vault.
# NO LEGACY FALLBACK - Vault is mandatory.
#
# Vault paths for secrets:
# - gbo/tables - PostgreSQL credentials (host, port, database, username, password)
# - gbo/drive - MinIO/S3 credentials (accesskey, secret)
# - gbo/cache - Redis credentials (password)
# - gbo/directory - Zitadel credentials (url, project_id, client_id, client_secret)
# - gbo/email - Email credentials (username, password)
# - gbo/llm - LLM API keys (openai_key, anthropic_key, groq_key)
# - gbo/encryption - Encryption keys (master_key)
# - gbo/meet - LiveKit credentials (api_key, api_secret)
# - gbo/alm - Forgejo credentials (url, admin_password, runner_token)
# - gbo/vectordb - Qdrant credentials (url, api_key)
# - gbo/observability - InfluxDB credentials (url, org, bucket, token)
# =====================
# VAULT CONFIGURATION - ONLY THESE VARS ARE ALLOWED
# =====================
# Vault server address
VAULT_ADDR=https://localhost:8200
# Vault authentication token (generated during vault init)
# This will be populated automatically after first bootstrap
VAULT_TOKEN=
# Skip TLS verification for development (set to false in production)
VAULT_SKIP_VERIFY=true
# Cache TTL for secrets in seconds (default: 300 = 5 minutes)
VAULT_CACHE_TTL=300
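Review bot: `VAULT_SKIP_VERIFY=true` (the line just above `VAULT_CACHE_TTL`) turns off server-certificate verification for the Vault client, which undercuts the mTLS setup this commit introduces: the client would still present its client certificate and token to any endpoint answering on VAULT_ADDR, verified or not. The 36-line file shown also contains none of the VAULT_CACERT, VAULT_CLIENT_CERT and VAULT_CLIENT_KEY entries the commit message says were added, so this may be the pre-change view or a template; if it is the committed .env, those entries are missing. I would change it to `VAULT_SKIP_VERIFY=false` and add `VAULT_CACERT=<path-to-vault-ca-cert>`, `VAULT_CLIENT_CERT=<path-to-botserver-client-cert>` and `VAULT_CLIENT_KEY=<path-to-botserver-client-key>` (placeholders; the real paths come from the bootstrap), with the "Skip TLS verification for development" comment reworded to say verification must stay enabled whenever mTLS is in use. Since VAULT_TOKEN is written into this file after the first bootstrap, it is also worth confirming the file is excluded from version control and kept with restrictive permissions, because it then holds a live credential in plaintext.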