394a1aa367
Remove SSH private keys from git, add SECRET_KEY validation, move WS auth from query string to first message, add session limits/idle timeout, PBKDF2 Fernet key, refresh token rotation, TOTP replay protection, file upload size limit + filename sanitization, symlink safety check, restrict CORS methods, IP-gate OpenClaw token, run container as non-root, rate-limit refresh/passkey endpoints, sanitize Gitea path params. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
43 lines
1.8 KiB
Python
43 lines
1.8 KiB
Python
import os
|
|
# Dashboard v1.3 — Runner DNS fix applied
|
|
|
|
GITEA_URL = os.environ.get("GITEA_URL", "http://gitea:3000")
|
|
GITEA_TOKEN = os.environ.get("GITEA_TOKEN", "")
|
|
DOCKER_HOST = os.environ.get("DOCKER_HOST", "tcp://docker-socket-proxy:2375")
|
|
VOLUME_ROOT = os.environ.get("VOLUME_ROOT", "/volume1")
|
|
|
|
# Auth
|
|
SECRET_KEY = os.environ.get("SECRET_KEY", "")
|
|
if not SECRET_KEY or len(SECRET_KEY) < 32:
|
|
raise RuntimeError("SECRET_KEY must be set and at least 32 characters")
|
|
ALGORITHM = "HS256"
|
|
ACCESS_TOKEN_EXPIRE_MINUTES = 30
|
|
REFRESH_TOKEN_EXPIRE_MINUTES = 60 * 24 * 7 # 7 days
|
|
ADMIN_USER = os.environ.get("ADMIN_USER", "admin")
|
|
ADMIN_PASSWORD_HASH = os.environ.get("ADMIN_PASSWORD_HASH", "")
|
|
TOTP_SECRET = os.environ.get("TOTP_SECRET", "")
|
|
|
|
# SSH terminal
|
|
SSH_HOST = os.environ.get("SSH_HOST", "host.docker.internal")
|
|
SSH_USER = os.environ.get("SSH_USER", "zjgump")
|
|
SSH_KEY_PATH = os.environ.get("SSH_KEY_PATH", "/app/ssh/id_ed25519")
|
|
SSH_KNOWN_HOSTS = os.environ.get("SSH_KNOWN_HOSTS", "/app/ssh/known_hosts")
|
|
|
|
VPS_SSH_HOST = os.environ.get("VPS_SSH_HOST", "158.101.140.85")
|
|
VPS_SSH_USER = os.environ.get("VPS_SSH_USER", "jimmyg")
|
|
VPS_SSH_KEY_PATH = os.environ.get("VPS_SSH_KEY_PATH", "/app/ssh/vps_id_ed25519")
|
|
|
|
# Telegram notifications
|
|
TELEGRAM_BOT_TOKEN = os.environ.get("TELEGRAM_BOT_TOKEN", "")
|
|
TELEGRAM_CHAT_ID = os.environ.get("TELEGRAM_CHAT_ID", "")
|
|
TELEGRAM_PROXY = os.environ.get("TELEGRAM_PROXY", "")
|
|
|
|
WEBAUTHN_RP_ID = os.environ.get("WEBAUTHN_RP_ID", "nas.jimmygan.com")
|
|
WEBAUTHN_ORIGINS = os.environ.get("WEBAUTHN_ORIGIN", "https://nas.jimmygan.com,https://nas.jimmygan.com:8443").split(",")
|
|
|
|
# CORS
|
|
CORS_ORIGINS = os.environ.get("CORS_ORIGINS", "https://nas.jimmygan.com,https://nas.jimmygan.com:8443").split(",")
|
|
|
|
# OpenClaw
|
|
OPENCLAW_GATEWAY_TOKEN = os.environ.get("OPENCLAW_GATEWAY_TOKEN", "")
|