54 changes: 54 additions & 0 deletions .env.example
@@ -50,3 +50,57 @@ DB_USER=timetracker
# Set a real password here. The configured database user must have access
# to the `dbo` schema. Do NOT commit a populated `.env`.
DB_PASSWORD=changeme

# ---- Logging ----

# pino log level. One of: trace|debug|info|warn|error|fatal|silent.
# Default 'info' is fine for production; turn up to 'debug' when chasing
# a bug, down to 'warn' if log volume is a budget concern.
# LOG_LEVEL=info

# Set to '1' to switch the JSON output to a human-readable pretty
# format via pino-pretty. Useful in development; leave unset in
# production so log aggregators get the structured JSON they expect.
# LOG_PRETTY=

# ---- Rate limiting ----

# Per-key request budget for /v1/* in the window below. Defaults to 100.
# Set to 0 to disable rate limiting entirely (useful for load tests).
# RATE_LIMIT_MAX=100

# Rolling window in milliseconds. Defaults to 15 minutes (900000).
# RATE_LIMIT_WINDOW_MS=900000

# ---- Body size + headers ----

# Maximum request body size (express.json limit). Defaults to '100kb'.
# Accepts the same forms as bytes (e.g. '512kb', '1mb'). Bumping this
# is rarely needed — the largest legitimate body in the schema is a
# TimeEntry create with a 10000-char teDescription.
# JSON_BODY_LIMIT=100kb

# Set to '1' to re-enable helmet's Content-Security-Policy. Disabled by
# default because this is a JSON API and a misconfigured CSP would
# break Swagger UI at /docs.
# HELMET_CSP=

# ---- Reverse-proxy / observability ----

# When set, the server trusts X-Forwarded-* headers from a reverse
# proxy so rate-limit / log-IP / etc. resolve to the real client IP.
# Accepts 'true' (trust any proxy) or a hop count (e.g. '1' for one
# reverse proxy in front). Default false — never trust XFF from a
# non-proxied client.
# TRUST_PROXY=true

# Optional bearer token gating /metrics. Unset = open scrape (the
# usual private-network deployment pattern). When set, the
# Prometheus scrape must include `Authorization: Bearer <token>`.
# METRICS_BEARER_TOKEN=

# How long the graceful-shutdown drain may run before we force-exit
# with code 1. Default 25_000 (25 seconds) — long enough for in-flight
# requests to finish, short enough that systemd / k8s don't SIGKILL
# us first.
# SHUTDOWN_TIMEOUT_MS=25000
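Review bot: The commented example under "Reverse-proxy / observability" models the most permissive setting (`# TRUST_PROXY=true`) even though the comment two lines above explains that 'true' trusts any proxy and warns never to trust XFF from a non-proxied client; a deployment that copies the example verbatim lets any direct client supply its own X-Forwarded-For and resolve to an arbitrary IP for rate limiting and logging. Suggest making the example the hop-count form the comment already recommends, e.g. `# TRUST_PROXY=1`, and stating that 'true' is only appropriate when the server is unreachable except through the proxy. Two smaller points in the same hunk: `HELMET_CSP` is documented as off by default solely because a misconfigured CSP would break Swagger UI at /docs, which reads as disabling a security header for one route's convenience, so the comment should at least say that production deployments should set it to '1' and fix the directives rather than leave it off; and `RATE_LIMIT_MAX=0` is described as disabling rate limiting "entirely" for load tests, so the comment should note that this value must not be carried into production, since nothing else in the file distinguishes the two cases.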