# Configuration

All configuration is read from environment variables. Copy `.env.example` to `.env` for local development.

## Environment Variable Reference

### Database

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `DATABASE_URL` | Yes | — | PostgreSQL connection string (e.g. `postgres://user:password@localhost:5432/forgejo_tickets?sslmode=disable`) |

### Server

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `PUBLIC_ADDR` | No | `:8080` | Listen address for the public (customer-facing) server |
| `ADMIN_ADDR` | No | `:8081` | Listen address for the admin server |
| `BASE_URL` | No | `http://localhost:8080` | Public base URL used to construct links in emails and OAuth redirects |

### Sessions

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `SESSION_SECRET` | Yes | — | Secret key for signing session cookies and CSRF tokens. Must be a random hex string. |

Generate a session secret:

```bash
openssl rand -hex 32
```

### Forgejo

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `FORGEJO_URL` | No | `""` | Base URL of the Forgejo instance (e.g. `https://forgejo.example.com`) |
| `FORGEJO_API_TOKEN` | No | `""` | API token for authenticating with the Forgejo API. Needs permission to create issues and comments. |

Both must be set for ticket-to-issue sync to work. See [Forgejo Integration](./forgejo-integration.md) for details.

### Email (Postmark)

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `POSTMARK_SERVER_TOKEN` | No | `""` | Postmark server API token for sending transactional emails |
| `POSTMARK_FROM_EMAIL` | No | `""` | Sender email address (e.g. `support@example.com`) |

Both must be set for email sending to work. Without them, email operations will fail silently in the logs.

### OAuth — Google

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `GOOGLE_CLIENT_ID` | No | `""` | Google OAuth 2.0 client ID |
| `GOOGLE_CLIENT_SECRET` | No | `""` | Google OAuth 2.0 client secret |

Leave empty to disable Google sign-in. Redirect URI must be configured as `{BASE_URL}/auth/google/callback` in the Google Cloud Console.

### OAuth — Microsoft

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `MICROSOFT_CLIENT_ID` | No | `""` | Microsoft Azure AD application (client) ID |
| `MICROSOFT_CLIENT_SECRET` | No | `""` | Microsoft Azure AD client secret |
| `MICROSOFT_TENANT_ID` | No | `common` | Azure AD tenant ID. Use `common` for multi-tenant, or a specific tenant ID to restrict. |

Leave `MICROSOFT_CLIENT_ID` empty to disable Microsoft sign-in. Redirect URI: `{BASE_URL}/auth/microsoft/callback`.

### OAuth — Apple

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `APPLE_CLIENT_ID` | No | `""` | Apple Services ID (e.g. `com.example.tickets`) |
| `APPLE_TEAM_ID` | No | `""` | Apple Developer Team ID |
| `APPLE_KEY_ID` | No | `""` | Key ID for the Sign in with Apple private key |
| `APPLE_KEY_PATH` | No | `""` | File path to the `.p8` private key file |

Leave `APPLE_CLIENT_ID` empty to disable Apple sign-in. Redirect URI: `{BASE_URL}/auth/apple/callback`. Note that Apple uses `form_post` response mode.

### Admin

| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| `TAILSCALE_ALLOWED_USERS` | No | `""` | Comma-separated list of Tailscale login names allowed to access the admin panel (e.g. `user@example.com,admin@example.com`). If empty, all requests are allowed (dev mode). |

See [Admin Guide](./admin-guide.md#authentication) for details on how Tailscale authentication works.
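
A pre-flight check over the variables in this reference, as an added example that is not part of the project's own code. The `check_config` function, its `prod`/`dev` modes and the 64-character floor on `SESSION_SECRET` are assumptions of the example, and the sample values at the end are constructed.

```bash
# Added example: pre-flight check for the variables documented on this page.
# Usage: check_config [prod|dev]   (the two modes are this example's own)
# Prints "ERROR: ..." and "WARN: ..." findings; returns 1 if any ERROR was found.
check_config() (
  mode=${1:-prod}; errors=0
  err()  { echo "ERROR: $1"; errors=1; }
  warn() { echo "WARN: $1"; }
  [ -n "${DATABASE_URL:-}" ] || err "DATABASE_URL is required"
  # Hex only; 64 characters is what `openssl rand -hex 32` emits. The length
  # floor is an assumption of this example, not a documented limit.
  case "${SESSION_SECRET:-}" in
    ""|*[!0-9a-fA-F]*) err "SESSION_SECRET must be a non-empty hex string" ;;
    *) [ "${#SESSION_SECRET}" -ge 64 ] || err "SESSION_SECRET is shorter than 64 hex characters" ;;
  esac

  # Integrations that need both values to work.
  for pair in FORGEJO_URL:FORGEJO_API_TOKEN POSTMARK_SERVER_TOKEN:POSTMARK_FROM_EMAIL; do
    a=${pair%%:*}; b=${pair##*:}
    eval "va=\${$a:-}; vb=\${$b:-}"
    [ -z "$va$vb" ] || { [ -n "$va" ] && [ -n "$vb" ]; } ||
      warn "only one of $a / $b is set; both are needed"
  done

  # An empty allowlist lets every request into the admin panel (dev mode).
  if [ -z "${TAILSCALE_ALLOWED_USERS:-}" ]; then
    if [ "$mode" = prod ]; then err "TAILSCALE_ALLOWED_USERS is empty; admin panel is open"
    else warn "TAILSCALE_ALLOWED_USERS is empty; admin panel is open (dev mode)"; fi
  fi

  if [ "$mode" = prod ]; then
    # BASE_URL builds OAuth redirects and email links; its default is plain http.
    case "${BASE_URL:-http://localhost:8080}" in
      https://*) ;;
      *) warn "BASE_URL is not https" ;;
    esac
    # sslmode=disable is acceptable for a local database only.
    host=${DATABASE_URL:-}; host=${host#*://}; host=${host%%[/?]*}
    host=${host##*@}; host=${host%%:*}
    case "$host:${DATABASE_URL:-}" in
      localhost:*|127.0.0.1:*) ;;
      *sslmode=disable*) warn "DATABASE_URL disables TLS to remote host $host" ;;
    esac
  fi
  exit "$errors"
)

# Constructed sample values, not real credentials.
( DATABASE_URL='postgres://user:password@db.internal:5432/forgejo_tickets?sslmode=disable'
  SESSION_SECRET=changeme; check_config prod ) || echo "startup blocked"
```

Load `.env` into the shell first, then call `check_config prod` in a deployment script and stop on a non-zero status.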