# =============================================================================
# Agentic RAG System - Docker Deployment Environment Variables
# =============================================================================
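# Copy this file to .env and configure it before running docker compose.
# The resulting .env holds real credentials: keep it out of version control
# and readable only by the account that runs the deployment.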
#
# Usage:
# cp .env.docker.example .env
# # Edit .env with your settings
# docker compose -f docker-compose.prod.yml up -d
#
# With Ollama (local LLM):
# docker compose -f docker-compose.prod.yml --profile ollama up -d
# =============================================================================
# =============================================================================
# POSTGRESQL DATABASE
# =============================================================================
# Database credentials (change these in production!)
# POSTGRES_PASSWORD below is a placeholder, not a usable default: replace it
# with a long random value before the first start.
POSTGRES_USER=postgres
POSTGRES_PASSWORD=your-strong-password-here
POSTGRES_DB=agentic_rag
# Database port mapping (default: 5432)
# Change if you have another PostgreSQL instance running
# NOTE(review): if the compose file publishes this port on all host interfaces,
# the database is reachable from the network - confirm the binding or firewall it.
POSTGRES_PORT=5432
# Connection pool settings
# NOTE(review): presumably applied per backend worker, so the total number of
# connections grows with BACKEND_WORKERS - verify against the backend code.
DATABASE_POOL_SIZE=5
DATABASE_MAX_OVERFLOW=10
# =============================================================================
# BACKEND SERVICE
# =============================================================================
# Backend port mapping (default: 8000)
# NOTE(review): if users are meant to reach the backend only through the
# frontend, confirm this port is not published to untrusted networks.
BACKEND_PORT=8000
# Number of uvicorn workers (recommended: 2 * CPU cores + 1)
BACKEND_WORKERS=2
# Logging level: DEBUG, INFO, WARNING, ERROR
# NOTE(review): DEBUG may write request contents to the logs - confirm what the
# backend emits at that level before using it outside development.
LOG_LEVEL=INFO
# =============================================================================
# FRONTEND SERVICE
# =============================================================================
# Frontend port mapping (default: 80)
# This is the port users will access the application on
FRONTEND_PORT=80
# CORS origins (comma-separated)
# Add your domain here for production
# List only the exact origins that serve the frontend. https://your-domain.com
# is a placeholder, and the localhost entries are presumably only needed for
# local use - remove whatever production does not require.
CORS_ORIGINS=http://localhost,http://localhost:80,https://your-domain.com
# =============================================================================
# API KEYS (Required)
# =============================================================================
# The values in this section are credentials. Keep real keys only in the
# deployed .env (never in this example file) and rotate a key that has been
# committed or shared.
# OpenAI API Key - Required for LLM and embeddings
# Get your key at: https://platform.openai.com/api-keys
# The value below is a placeholder and will not authenticate.
OPENAI_API_KEY=sk-your-openai-api-key-here
# Cohere API Key - Optional but recommended for re-ranking
# Get your key at: https://dashboard.cohere.com/api-keys
COHERE_API_KEY=
# OpenRouter API Key - Optional alternative LLM provider
# Get your key at: https://openrouter.ai/keys
OPENROUTER_API_KEY=
# =============================================================================
# MODEL CONFIGURATION
# =============================================================================
# Default LLM model
# Options: gpt-4o, gpt-4o-mini, gpt-4-turbo, or ollama:<model-name>
# NOTE(review): the ollama:<model-name> form presumably needs the ollama
# profile to be running - confirm.
DEFAULT_LLM_MODEL=gpt-4o
# Default embedding model
# Options: text-embedding-3-small, text-embedding-3-large, or ollama:<model-name>
DEFAULT_EMBEDDING_MODEL=text-embedding-3-small
# Default reranker
# Options: cohere, cross-encoder
# NOTE(review): the default is cohere while COHERE_API_KEY ships empty; confirm
# how the backend behaves when the key is missing, or choose cross-encoder.
DEFAULT_RERANKER=cohere
# =============================================================================
# OLLAMA (Optional - for local LLM inference)
# =============================================================================
# Enable with: docker compose --profile ollama up -d
# Ollama port mapping (default: 11434)
# Ollama's HTTP API has no built-in authentication, so any client that can
# reach the published port can use and manage the models. Keep the port off
# untrusted networks.
OLLAMA_PORT=11434
# Ollama base URL (automatically configured for Docker networking)
# "ollama" here is a hostname resolved on the Docker network, not on the host.
OLLAMA_BASE_URL=http://ollama:11434
# =============================================================================
# SECURITY (Change these in production!)
# =============================================================================
# Secret key for encryption
# Generate with: python -c "import secrets; print(secrets.token_hex(32))"
# (that command prints 32 random bytes as 64 hex characters).
# The value below is a publicly known placeholder: anything protected with it
# is effectively unprotected, so replace it before the first start.
# NOTE(review): changing the key later presumably invalidates whatever was
# encrypted or signed with the old one - confirm before rotating.
SECRET_KEY=change-me-in-production-use-a-secure-random-string
# =============================================================================
# RAG CONFIGURATION
# =============================================================================
# Number of chunks to retrieve (5-100)
DEFAULT_TOP_K=10
# Minimum relevance threshold (0.0-1.0)
MIN_RELEVANCE_THRESHOLD=0.4
# Strict mode relevance threshold (0.0-1.0)
STRICT_RELEVANCE_THRESHOLD=0.6
# Maximum file upload size in megabytes
# This bounds how much data a single upload can make the service accept.
# NOTE(review): a reverse proxy in front of the backend may enforce its own
# request-body limit - confirm the two values agree.
MAX_FILE_SIZE_MB=100
# =============================================================================
# TELEGRAM BOT (Optional)
# =============================================================================
# Bot token from @BotFather
# The token is a credential that gives full control of the bot; store it only
# in the deployed .env.
TELEGRAM_BOT_TOKEN=
# Webhook URL (requires public HTTPS URL)
TELEGRAM_WEBHOOK_URL=
# =============================================================================
# TWILIO/WHATSAPP (Optional)
# =============================================================================
# Twilio Account SID
TWILIO_ACCOUNT_SID=
# Twilio Auth Token
# The auth token is a credential for the Twilio account; store it only in the
# deployed .env.
TWILIO_AUTH_TOKEN=
# WhatsApp number (format: whatsapp:+1234567890)
TWILIO_WHATSAPP_NUMBER=
# =============================================================================
# SSL/TLS CONFIGURATION (Feature #326)
# =============================================================================
# For production HTTPS deployment, use docker-compose.ssl.yml
# Enable SSL mode (automatically enables security headers like HSTS)
# NOTE(review): with the default (false) the application is presumably served
# over plain HTTP, which leaves credentials and session data unprotected in
# transit - confirm before exposing the service beyond localhost.
SSL_ENABLED=false
# Force HTTP to HTTPS redirect (only when behind reverse proxy)
FORCE_HTTPS=false
# HTTPS port for frontend (when using docker-compose.ssl.yml)
FRONTEND_HTTPS_PORT=443
# Path to SSL certificate files (for direct nginx SSL)
# SSL_KEY_PATH points at the TLS private key: keep that file out of version
# control and image layers, and readable only by the account that needs it.
SSL_CERT_PATH=./certs/fullchain.pem
SSL_KEY_PATH=./certs/privkey.pem
# Domain for Traefik (when using Let's Encrypt)
# Let's Encrypt cannot issue a certificate for "localhost"; set the real public
# hostname when using that mode.
DOMAIN=localhost
# Email for Let's Encrypt certificate notifications
# admin@example.com is a placeholder.
ACME_EMAIL=admin@example.com
# =============================================================================
# SECURITY HEADERS (Feature #326)
# =============================================================================
# Enable security headers middleware (default: true)
SECURITY_HEADERS_ENABLED=true
# HSTS (HTTP Strict Transport Security) settings
# max-age in seconds (default: 1 year = 31536000)
HSTS_MAX_AGE=31536000
# includeSubDomains applies the policy to every subdomain of the serving host,
# so all of them must be reachable over HTTPS before this is sent.
HSTS_INCLUDE_SUBDOMAINS=true
# Only enable preload if your domain is on the HSTS preload list
# The preload directive signals consent to be included in the browsers'
# built-in HSTS lists. Removal from those lists is slow, so enable it only once
# the domain and all of its subdomains are HTTPS-only for good.
HSTS_PRELOAD=false
# X-Frame-Options: DENY, SAMEORIGIN, or ALLOW-FROM uri
# ALLOW-FROM is obsolete and ignored by current browsers; use the CSP
# frame-ancestors directive to allow specific framing origins instead.
X_FRAME_OPTIONS=SAMEORIGIN
# X-Content-Type-Options: nosniff
X_CONTENT_TYPE_OPTIONS=nosniff
# X-XSS-Protection (legacy but still useful)
# Current browsers have removed their XSS filters and ignore this header, so it
# only affects old browsers. The effective control is the Content Security
# Policy below; OWASP's current guidance is to send 0 or omit the header.
X_XSS_PROTECTION=1; mode=block
# Referrer-Policy options: no-referrer, no-referrer-when-downgrade, origin,
# origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin
REFERRER_POLICY=strict-origin-when-cross-origin
# Content Security Policy
# Default allows self, inline scripts/styles, and external API services
# 'unsafe-inline' and 'unsafe-eval' in script-src remove most of the protection
# CSP gives against injected scripts, and the bare ws: / wss: sources in
# connect-src allow WebSocket connections to any host. Tighten both for
# production (nonces or hashes for scripts, explicit WebSocket hosts) if the
# frontend build allows it.
CSP_DIRECTIVES=default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' ws: wss: https://api.openai.com https://api.cohere.com https://openrouter.ai; frame-ancestors 'self'
# Permissions Policy (formerly Feature Policy)
# Disables access to sensitive browser features
# An empty allowlist "()" disables the feature for this page and any frames it embeds.
PERMISSIONS_POLICY=accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()