# =============================================================================
|
|
# DOCUSEAL S3 CONFIGURATION TEMPLATE
|
|
# =============================================================================
|
|
# Copy this file to .env and customize the values for your environment.
|
|
# Remove the .template extension after copying.
|
|
#
|
|
# SECURITY NOTE: Never commit actual credentials to version control!
|
|
# Use environment-specific .env files and add them to .gitignore.
|
|
# =============================================================================
|
|
|
|
# =============================================================================
|
|
# AWS CREDENTIALS
|
|
# =============================================================================
|
|
# Required: AWS access key ID for programmatic access
# (not needed when an IAM role or profile supplies credentials; see the IAM role section of this file)
|
|
# Get this from AWS IAM console -> Users -> Security credentials
# The value below is a placeholder (the example key pair used in AWS documentation),
# not a working credential; replace it in your .env copy, never in this template.
# If you use long-lived keys, attach a policy limited to the attachments bucket and rotate them.
|
|
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
|
|
|
|
# Required: AWS secret access key for programmatic access
|
|
# Keep this confidential and never share or commit to version control
# Restrict read access on the .env file holding the real value to the account that runs the application.
|
|
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
|
|
|
# Optional: AWS session token for temporary credentials
|
|
# Only required when using temporary credentials (e.g., with AWS STS)
|
|
# AWS_SESSION_TOKEN=AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE=
|
|
|
|
# =============================================================================
|
|
# AWS S3 CONFIGURATION
|
|
# =============================================================================
|
|
# Required: AWS region where your S3 bucket is located
|
|
# Examples: us-east-1, us-west-2, eu-west-1, ap-southeast-1
|
|
AWS_REGION=us-east-1
|
|
|
|
# Required: S3 bucket name for storing attachments
|
|
# Must be globally unique and follow S3 bucket naming rules
|
|
# Recommended format: your-company-docuseal-attachments-env
# Use a separate bucket per environment so staging credentials cannot reach production attachments.
# Unless ACTIVE_STORAGE_PUBLIC=true is intended, keep S3 Block Public Access enabled on this bucket
# so a later bucket-policy or ACL change cannot expose the attachments.
|
|
S3_ATTACHMENTS_BUCKET=your-company-docuseal-attachments-production
|
|
|
|
# =============================================================================
|
|
# S3 ACCESS CONTROL
|
|
# =============================================================================
|
|
# Optional: Whether files should be publicly accessible via direct URLs
|
|
# Set to 'true' for public access, 'false' for private access
# With 'true', anyone who obtains a file's URL can read it without authenticating,
# and the URL does not expire.
|
|
# Private files require presigned URLs for access (more secure)
|
|
# Default: false (recommended for production)
|
|
ACTIVE_STORAGE_PUBLIC=false
|
|
|
|
# Optional: Expiration time for presigned URLs (in minutes)
|
|
# Only used when ACTIVE_STORAGE_PUBLIC=false
# A presigned URL grants access to whoever holds it until it expires (it can leak through
# logs, browser history or forwarded messages), so prefer the shortest lifetime that works;
# the production example at the end of this file uses 60.
|
|
# Default: 240 minutes (4 hours)
|
|
PRESIGNED_URLS_EXPIRE_MINUTES=240
|
|
|
|
# =============================================================================
|
|
# S3 SECURITY OPTIONS
|
|
# =============================================================================
|
|
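# Optional: Server-side encryption for uploaded files
# Amazon S3 itself encrypts new objects with S3-managed keys by default; set this explicitly
# when you want KMS keys (access governed by the key policy, key use logged in CloudTrail)
# or when an S3-compatible service may not encrypt by default.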
|
|
# Options:
|
|
# - AES256 (S3-managed encryption)
|
|
# - aws:kms (KMS-managed encryption with AWS KMS key)
|
|
# - aws:kms:dsse (KMS-managed encryption with double server-side encryption)
|
|
# Uncomment one of the options below (not both), or set the value to aws:kms:dsse
|
|
# S3_SERVER_SIDE_ENCRYPTION=AES256
|
|
# S3_SERVER_SIDE_ENCRYPTION=aws:kms
|
|
|
|
# Optional: AWS KMS Key ID for KMS-managed encryption
|
|
# Only required when using aws:kms encryption with a specific KMS key
|
|
# S3_KMS_KEY_ID=arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012
|
|
|
|
# Optional: Force path-style URLs instead of virtual-hosted-style URLs
|
|
# Set to 'true' for S3-compatible services (MinIO, DigitalOcean Spaces, etc.)
|
|
# or if you encounter DNS resolution issues
|
|
# Default: false
|
|
# S3_FORCE_PATH_STYLE=false
|
|
|
|
# =============================================================================
|
|
# S3 ENDPOINT CONFIGURATION (FOR S3-COMPATIBLE SERVICES)
|
|
# =============================================================================
|
|
# Optional: Custom S3 endpoint URL
|
|
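# Only required for S3-compatible services (MinIO, DigitalOcean Spaces, etc.)
# Use an https:// endpoint for anything that is not on the same host; over http:// the
# requests and the document contents travel unencrypted.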
|
|
# S3_ENDPOINT=https://nyc3.digitaloceanspaces.com
|
|
|
|
# =============================================================================
|
|
# ADVANCED S3 OPTIONS
|
|
# =============================================================================
|
|
# Optional: S3 storage class for uploaded files
|
|
# Options: STANDARD, REDUCED_REDUNDANCY, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING,
|
|
# GLACIER, DEEP_ARCHIVE, OUTPOSTS, GLACIER_IR
|
|
# Default: STANDARD
|
|
# S3_STORAGE_CLASS=STANDARD
|
|
|
|
# Optional: Cache control header for uploaded files
|
|
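# Affects browser caching behavior for publicly accessible files
# The 'public' directive also lets shared caches (proxies, CDNs) store the response; when
# files are served privately (ACTIVE_STORAGE_PUBLIC=false), a 'private' or 'no-store' value
# keeps cached copies from outliving the presigned URL.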
|
|
# Default: 'public, max-age=31536000' (1 year)
|
|
# S3_CACHE_CONTROL=public, max-age=31536000
|
|
|
|
# Optional: Content disposition for uploaded files
|
|
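# Controls how browsers handle file downloads
# 'attachment' makes the browser save the file instead of rendering it, which keeps an
# uploaded HTML or SVG file from being displayed inline from the storage origin.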
|
|
# S3_CONTENT_DISPOSITION=attachment
|
|
|
|
# =============================================================================
|
|
# AWS IAM ROLE CONFIGURATION (ALTERNATIVE TO ACCESS KEYS)
|
|
# =============================================================================
|
|
# Optional: Use IAM role instead of access keys (recommended for EC2/ECS)
|
|
# When using IAM roles, you don't need to set AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
|
|
# The role must have the S3 permissions the application needs; scope them to the
# configured bucket rather than granting account-wide S3 access
|
|
|
|
# Optional: AWS profile name for credential configuration
|
|
# Uses credentials from ~/.aws/credentials file
|
|
# AWS_PROFILE=default
|
|
|
|
# Optional: AWS credentials file path
|
|
# Default: ~/.aws/credentials
|
|
# AWS_SHARED_CREDENTIALS_FILE=/path/to/credentials
|
|
|
|
# Optional: AWS config file path
|
|
# Default: ~/.aws/config
|
|
# AWS_CONFIG_FILE=/path/to/config
|
|
|
|
# =============================================================================
|
|
# MONITORING AND DEBUGGING
|
|
# =============================================================================
|
|
# Optional: Enable AWS SDK logging
|
|
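# Set to 'true' for debug output, 'false' to disable
# Debug output may include request URLs (presigned ones among them) and headers; treat the
# resulting logs as sensitive and leave this off in production.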
|
|
# Default: false
|
|
# AWS_SDK_LOGGING=false
|
|
|
|
# Optional: AWS SDK log level
|
|
# Options: DEBUG, INFO, WARN, ERROR, FATAL
|
|
# Default: INFO
|
|
# AWS_SDK_LOG_LEVEL=INFO
|
|
|
|
# =============================================================================
|
|
# CLOUDFRONT SIGNED URLs (SECURED STORAGE)
|
|
# =============================================================================
|
|
# Optional: CloudFront distribution URL for secure document access
|
|
# Required for secured storage with signed URLs (production deployments)
|
|
# Format: https://your-cloudfront-domain.cloudfront.net
|
|
# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
|
|
# CF_URL=https://example.cloudfront.net
|
|
|
|
# Optional: CloudFront key pair ID for signing URLs
|
|
# Required when using CloudFront signed URLs for document access
|
|
# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
|
|
# CF_KEY_PAIR_ID=K1234567890ABC
|
|
|
|
# Optional: CloudFront private key secret path in AWS Secrets Manager
|
|
# The initializer will load the private key from this secret location
|
|
# Format: environment/cloudfront/private_key
|
|
# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
|
|
# CF_KEY_SECRET=production/cloudfront/private_key
|
|
|
|
# Optional: Secured storage bucket name (shared with ATS for compliance)
|
|
# Required when using secured CloudFront storage
|
|
# SECURITY NOTE: Set via cpdocuseal deployment config, not committed to repo
|
|
# SECURED_STORAGE_BUCKET=your-company-compliance-documents
|
|
|
|
# Optional: Secured storage region
|
|
# Default: us-east-1
|
|
# SECURED_STORAGE_REGION=us-east-1
|
|
|
|
# Optional: Disable secured storage in development
|
|
# Set to 'true' to use local disk storage instead of secured S3/CloudFront
|
|
# Only applies in development environment
|
|
# DOCUSEAL_DISABLE_SECURED_STORAGE=true
|
|
|
|
# =============================================================================
|
|
# EXAMPLE CONFIGURATIONS
|
|
# =============================================================================
|
|
#
|
|
# DEVELOPMENT (Local Disk Storage):
|
|
# Comment out all S3 variables above
|
|
# The application will use local disk storage automatically
|
|
#
|
|
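# STAGING (Basic S3):
# Note: ACTIVE_STORAGE_PUBLIC=true below makes every stored file readable by its URL;
# use it only if staging never holds real documents, otherwise set it to false.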
|
|
# AWS_ACCESS_KEY_ID=your_staging_access_key
|
|
# AWS_SECRET_ACCESS_KEY=your_staging_secret_key
|
|
# AWS_REGION=us-east-1
|
|
# S3_ATTACHMENTS_BUCKET=your-company-docuseal-staging
|
|
# ACTIVE_STORAGE_PUBLIC=true
|
|
#
|
|
# PRODUCTION (Secure S3):
|
|
# AWS_ACCESS_KEY_ID=your_production_access_key
|
|
# AWS_SECRET_ACCESS_KEY=your_production_secret_key
|
|
# AWS_REGION=us-east-1
|
|
# S3_ATTACHMENTS_BUCKET=your-company-docuseal-production
|
|
# ACTIVE_STORAGE_PUBLIC=false
|
|
# PRESIGNED_URLS_EXPIRE_MINUTES=60
|
|
# S3_SERVER_SIDE_ENCRYPTION=AES256
|
|
# S3_STORAGE_CLASS=STANDARD_IA
|
|
#
|
|
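# MINIO (Self-hosted S3-compatible):
# Local testing only: minioadmin/minioadmin are MinIO's default root credentials and the
# endpoint below is plain HTTP; change both before the service is reachable beyond localhost.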
|
|
# AWS_ACCESS_KEY_ID=minioadmin
|
|
# AWS_SECRET_ACCESS_KEY=minioadmin
|
|
# AWS_REGION=us-east-1
|
|
# S3_ENDPOINT=http://localhost:9000
|
|
# S3_FORCE_PATH_STYLE=true
|
|
# S3_ATTACHMENTS_BUCKET=docuseal-minio
|
|
# ACTIVE_STORAGE_PUBLIC=true
|
|
#
|
|
# =============================================================================