# --- Portainer / Compose --- APP_PORT="3080" POSTGRES_PASSWORD="change-this" # --- Auth.js --- # Generate with: openssl rand -base64 32 AUTH_SECRET="change-me" # Public origin of the app (no trailing slash). AUTH_URL="https://forms.example.com" # Public origin used for published form, share, and embed links. PUBLIC_FORM_URL="https://forms-public.example.com" # --- Authentik OIDC --- # In Authentik: Applications → Providers → Create → OAuth2/OpenID # Redirect URI: ${AUTH_URL}/api/auth/callback/oidc OIDC_ISSUER="https://authentik.example.com/application/o/formbuilder/" OIDC_CLIENT_ID="your-client-id" OIDC_CLIENT_SECRET="your-client-secret" OIDC_PROVIDER_NAME="Authentik" # Comma-separated emails auto-promoted to admin on first sign-in. # (The very first user is also auto-promoted to admin.) AUTH_BOOTSTRAP_ADMINS="" # --- Rate limiting --- # memory (default, single process) or redis (multi-instance; requires REDIS_URL) RATE_LIMIT_DRIVER="memory" # REDIS_URL="redis://localhost:6379" # --- Notifications --- # Admin origin used for response links in notifications. Defaults to AUTH_URL. # PUBLIC_BASE_URL="https://forms.example.com" # Email driver: resend | smtp | none EMAIL_DRIVER="none" EMAIL_FROM="Forms " # RESEND_API_KEY="re_xxx" # SMTP_URL="smtp://user:pass@smtp.example.com:587" # --- File storage --- # local (default; files under ./uploads/) | s3 (install @aws-sdk/client-s3 first) STORAGE_DRIVER="local" UPLOAD_DIR="uploads" # S3_BUCKET="" # S3_REGION="" # S3_ENDPOINT="" # set for R2 / Minio / custom # S3_ACCESS_KEY_ID="" # S3_SECRET_ACCESS_KEY="" # --- hCaptcha (optional) --- # Site key + secret from https://dashboard.hcaptcha.com/ # HCAPTCHA_SITE_KEY="" # HCAPTCHA_SECRET="" # --- Webhook worker (optional) --- # Shared secret protecting POST /api/webhooks/process — call it from a cron job # every minute to drain pending webhook retries. # Example call: # curl -X POST -H "Authorization: Bearer $CRON_SECRET" \ # $PUBLIC_BASE_URL/api/webhooks/process # CRON_SECRET=""