-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path.env.example
More file actions
232 lines (170 loc) · 11 KB
/
.env.example
File metadata and controls
232 lines (170 loc) · 11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# ============================================================================
# Sandchest — Environment Variables
# ============================================================================
# Copy this file to .env and fill in the required values.
# In production, set these via Fly.io secrets. See apps/api/src/env.ts.
# ============================================================================
# ──────────────────────────────────────────────────────────────────────────────
# API / Control Plane (apps/api)
# ──────────────────────────────────────────────────────────────────────────────
# [Required] PlanetScale MySQL connection string.
# Also used by packages/db for migrations (drizzle-kit).
DATABASE_URL=mysql://sandchest:sandchest@127.0.0.1:3307/sandchest
# [Required] BetterAuth session/token signing key. Use a long random string.
BETTER_AUTH_SECRET=dev-secret-change-me-in-production
# [Required] Resend API key for sending OTP emails.
RESEND_API_KEY=re_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
# [Optional] Autumn billing API secret key. Billing is a no-op if unset.
# AUTUMN_SECRET_KEY=
# [Optional] Redis connection URL. Falls back to in-memory if unset.
# REDIS_URL=redis://127.0.0.1:6379
# [Optional] S3 bucket name for artifact and replay event storage.
# ARTIFACT_BUCKET_NAME=sandchest-artifacts-dev
# HTTP server port.
# Default: 3001
# PORT=3001
# Node.js environment mode.
# Default: development
# NODE_ENV=development
# Graceful shutdown drain timeout in milliseconds.
# Default: 30000
# DRAIN_TIMEOUT_MS=30000
# BetterAuth callback base URL. Must match the API's public URL.
# Default: http://localhost:3001
BETTER_AUTH_BASE_URL=http://localhost:3001
# Optional cookie domain for BetterAuth cross-subdomain cookies.
# Leave unset in local development. Production defaults to .sandchest.com.
# BETTER_AUTH_COOKIE_DOMAIN=
# Sender email address for OTP emails via Resend.
# Default: Sandchest Auth <noreply@send.sandchest.com>
# RESEND_FROM_EMAIL=Sandchest Auth <noreply@send.sandchest.com>
# ──────────────────────────────────────────────────────────────────────────────
# Frontend / Dashboard (apps/web — Next.js)
# ──────────────────────────────────────────────────────────────────────────────
# [Required] API URL exposed to the browser (NEXT_PUBLIC_ prefix = client-visible).
# Default: http://localhost:3001
NEXT_PUBLIC_API_URL=http://localhost:3001
# Admin server-side API target used by apps/admin server routes.
# Default: https://api.sandchest.com when unset, so set this locally.
API_URL=http://localhost:3001
# Optional dedicated smoke target for apps/admin /smoke.
# Falls back to API_URL when unset.
# SANDCHEST_SMOKE_BASE_URL=http://localhost:3001
# ──────────────────────────────────────────────────────────────────────────────
# SDK & CLI (packages/sdk-ts, packages/cli, packages/mcp)
# ──────────────────────────────────────────────────────────────────────────────
# [Required for SDK/CLI usage] Sandchest API key (sk_* prefix).
# The SDK reads this as a fallback when no apiKey is passed in options.
# The CLI reads this or from ~/.config/sandchest/config.json.
# SANDCHEST_API_KEY=sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
# ──────────────────────────────────────────────────────────────────────────────
# Node Daemon — Core (crates/sandchest-node)
# ──────────────────────────────────────────────────────────────────────────────
# These are written to /etc/sandchest/node.env on EC2 via user-data.
# Only needed locally if running the Rust node daemon directly.
# Rust tracing log level filter.
# Default: info (production), debug (dev)
# RUST_LOG=debug
# Root data directory for VM images, snapshots, and sandbox working dirs.
# Default: /var/sandchest
# SANDCHEST_DATA_DIR=/var/sandchest
# Unique node identifier. Auto-generated if unset.
# SANDCHEST_NODE_ID=
# gRPC server port for control plane communication.
# Default: 50051
# SANDCHEST_NODE_GRPC_PORT=50051
# API -> node daemon connection for local development.
# Point the local API at a local node daemon. When using plaintext localhost
# gRPC, set NODE_GRPC_INSECURE=1 instead of mTLS credentials.
# NODE_GRPC_ADDR=127.0.0.1:50051
# NODE_GRPC_NODE_ID=00000000000000000000000000000001
# NODE_GRPC_INSECURE=1
# Local control plane -> remote node daemon (for example, local apps/admin and
# apps/api talking to a real Fly-provisioned node). Keep API_URL /
# NEXT_PUBLIC_API_URL on localhost, but point NODE_GRPC_* at the real node and
# use client mTLS credentials copied from Fly secrets into ignored local files.
# NODE_GRPC_ADDR=<real-node-ip-or-host>:50051
# NODE_GRPC_NODE_ID=<real-node-id>
# NODE_GRPC_CA_PATH=/absolute/path/to/certs/fly-ca.pem
# NODE_GRPC_CERT_PATH=/absolute/path/to/certs/fly-client.pem
# NODE_GRPC_KEY_PATH=/absolute/path/to/certs/fly-client.key
# Optional API-side guardrails for hung node RPCs.
# NODE_CREATE_TIMEOUT_MS=30000
# NODE_FILE_TIMEOUT_MS=30000
# NODE_COLLECT_ARTIFACTS_TIMEOUT_MS=30000
# Path to the Linux kernel image used by Firecracker.
# Default: /var/sandchest/images/vmlinux-5.10
# SANDCHEST_KERNEL_PATH=/var/sandchest/images/vmlinux-5.10
# Control plane API URL for callbacks/heartbeat. Optional.
# SANDCHEST_CONTROL_PLANE_URL=
# ──────────────────────────────────────────────────────────────────────────────
# Node Daemon — S3 / Artifact Storage
# ──────────────────────────────────────────────────────────────────────────────
# [Required on node] S3 bucket name for artifact uploads.
# SANDCHEST_S3_BUCKET=sandchest-artifacts-dev
# S3/R2 region. Use 'auto' for Cloudflare R2.
# Default: auto
# SANDCHEST_S3_REGION=auto
# S3-compatible endpoint URL (e.g. for R2). Uses AWS default if unset.
# SANDCHEST_S3_ENDPOINT=
# Static S3 credentials. Uses EC2 instance profile if unset.
# SANDCHEST_S3_ACCESS_KEY=
# SANDCHEST_S3_SECRET_KEY=
# ──────────────────────────────────────────────────────────────────────────────
# Node Daemon — Network
# ──────────────────────────────────────────────────────────────────────────────
# Outbound network interface for TAP device NAT masquerade.
# Default: ens5 (EC2), eth0 (Rust default)
# SANDCHEST_OUTBOUND_IFACE=ens5
# Per-sandbox bandwidth limit in Mbps.
# Default: 100 (dev), 200 (production)
# SANDCHEST_BANDWIDTH_MBPS=100
# ──────────────────────────────────────────────────────────────────────────────
# Node Daemon — Firecracker Jailer
# ──────────────────────────────────────────────────────────────────────────────
# Enable Firecracker Jailer (chroot + seccomp sandbox).
# Default: false (dev), true (production)
# SANDCHEST_JAILER_ENABLED=false
# Path to Firecracker binary.
# Default: /usr/bin/firecracker
# SANDCHEST_FIRECRACKER_BINARY=/usr/bin/firecracker
# Path to Jailer binary.
# Default: /usr/bin/jailer
# SANDCHEST_JAILER_BINARY=/usr/bin/jailer
# Base directory for chroot jails.
# Default: {SANDCHEST_DATA_DIR}/jailer
# SANDCHEST_JAILER_CHROOT_BASE_DIR=/var/sandchest/jailer
# UID/GID to run Firecracker as inside the jail.
# Default: 10000
# SANDCHEST_JAILER_UID=10000
# SANDCHEST_JAILER_GID=10000
# Cgroup version for resource limits (1 or 2).
# Default: 2
# SANDCHEST_JAILER_CGROUP_VERSION=2
# Path to custom seccomp filter JSON. Uses Firecracker built-in filter if unset.
# SANDCHEST_JAILER_SECCOMP_FILTER=
# Create new PID namespace for jailed process.
# Default: true
# SANDCHEST_JAILER_NEW_PID_NS=true
# ──────────────────────────────────────────────────────────────────────────────
# Guest Agent (crates/sandchest-agent)
# ──────────────────────────────────────────────────────────────────────────────
# Only needed when developing the guest agent outside a microVM.
# Enable TCP dev mode instead of vsock (for local development).
# SANDCHEST_AGENT_DEV=1
# TCP port for the agent server in dev mode.
# Default: 50052
# SANDCHEST_AGENT_TCP_PORT=50052
# vsock port for agent communication (inside microVM).
# Default: 52
# SANDCHEST_AGENT_VSOCK_PORT=52
# TCP port the node daemon uses to connect to the agent in dev mode.
# Default: 8052
# SANDCHEST_AGENT_DEV_PORT=8052
# ──────────────────────────────────────────────────────────────────────────────
# CI / CD (GitHub Actions)
# ──────────────────────────────────────────────────────────────────────────────
# These are set as GitHub repository secrets, not in .env files.
# Listed here for documentation purposes only.
# Fly.io access token for flyctl in GitHub Actions deployment.
# FLY_ACCESS_TOKEN=