forked from ugurkocde/IntuneGet
.env.example
# IntuneGet Environment Variables
# Copy this file to .env.local and fill in the values

# ===========================================
# Database Mode (for Self-Hosting)
# ===========================================
# Choose your database backend:
# - "supabase" (default): Use Supabase cloud database
# - "sqlite": Use local SQLite database (true self-hosting, no external deps)
#
# For true self-hosting with zero external dependencies, set to "sqlite"
DATABASE_MODE=supabase

# SQLite database file path (only used when DATABASE_MODE=sqlite)
# Default: ./data/intuneget.db
DATABASE_PATH=./data/intuneget.db

# API key for packager authentication (required when DATABASE_MODE=sqlite)
# Generate with: openssl rand -hex 32
PACKAGER_API_KEY=

# ===========================================
# Supabase Configuration (optional in SQLite mode)
# ===========================================
# Get these from your Supabase project settings
# These are required when DATABASE_MODE=supabase
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key

# ===========================================
# Microsoft Entra ID Configuration (MSAL)
# ===========================================
# Create a Multi-Tenant App Registration in Azure Portal:
# 1. Go to Azure Portal > Microsoft Entra ID > App registrations > New registration
# 2. Set "Supported account types" to "Accounts in any organizational directory (Any Entra ID directory - Multitenant)"
# 3. Set Redirect URI (Single-page application): http://localhost:3000 (for development)
#                                                 https://your-domain.com (for production)
# 4. Add API Permissions:
#    - Microsoft Graph > Application permissions (for service principal):
#      - DeviceManagementApps.ReadWrite.All
#      - DeviceManagementManagedDevices.Read.All
#    - Microsoft Graph > Delegated permissions (for user sign-in):
#      - User.Read
# 5. Create a client secret (for service principal auth in GitHub Actions)

# Client ID (Application ID) - Required for MSAL
# In Docker deployments, NEXT_PUBLIC_* vars are inlined as empty at build time.
# docker-compose.yml automatically derives AZURE_CLIENT_ID from this value,
# which the server reads at runtime to inject the real client ID.
NEXT_PUBLIC_AZURE_AD_CLIENT_ID=your-azure-ad-client-id

# Client Secret - Required for:
# 1. Service principal authentication in GitHub Actions (stored in GitHub Secrets)
# 2. Server-side consent verification API (verifies admin consent was granted)
# Note: This is sensitive - never expose it to the client
AZURE_AD_CLIENT_SECRET=your-azure-ad-client-secret

# ===========================================
# Packager Mode Configuration
# ===========================================
# Choose how packaging jobs are processed:
# - "github" (default): Use GitHub Actions Windows runners
# - "local": Use a self-hosted Windows packager service
#
# For true self-hosting without GitHub dependency, set to "local"
# and run the @intuneget/packager on a Windows machine
PACKAGER_MODE=github

# ===========================================
# GitHub Actions Configuration (Packaging Pipeline)
# ===========================================
# Required when PACKAGER_MODE=github (default)
# The packaging pipeline runs on GitHub Actions using a Windows runner
# It uses IntuneWinAppUtil.exe to create .intunewin packages
#
# Security: Workflows run in a private repository to protect tenant information.
# The public repo (GITHUB_REPO) contains source code, while the private repo
# (GITHUB_WORKFLOWS_REPO) contains the actual packaging workflow.

# Personal Access Token (PAT) with the following scopes:
# - repo (for private repos) - needed for the private workflows repo
# - workflow (to trigger repository_dispatch)
# Generate at: https://github.com/settings/tokens
GITHUB_PAT=ghp_your-personal-access-token

# Your GitHub username or organization
GITHUB_OWNER=your-username-or-org

# The public repository name (optional, for reference)
GITHUB_REPO=IntuneGet

# The PRIVATE repository containing the packaging workflow (REQUIRED)
# This repo protects tenant IDs from being visible in public workflow runs
GITHUB_WORKFLOWS_REPO=IntuneGet-Workflows

# Optional: Branch to run workflows on (default: main)
# GITHUB_REF=main

# Optional: Workflow filename (default: package-intunewin.yml)
# GITHUB_WORKFLOW_FILE=package-intunewin.yml

# ===========================================
# Callback Security
# ===========================================
# Secret to verify callbacks from GitHub Actions pipeline
# MUST be the same value in GitHub Secrets (CALLBACK_SECRET)
# Generate with: openssl rand -hex 16
CALLBACK_SECRET=your-32-char-random-secret

# ===========================================
# Application URL
# ===========================================
# The public URL of your application (used for callbacks)
NEXT_PUBLIC_URL=http://localhost:3000

# ===========================================
# Analytics (Plausible) - Optional
# ===========================================
# Your domain as registered in Plausible
# Leave empty to disable analytics
NEXT_PUBLIC_PLAUSIBLE_DOMAIN=

# ===========================================
# Newsletter (Beehiiv) - Optional
# ===========================================
# Leave empty to disable newsletter integration
BEEHIIV_API_KEY=

# ===========================================
# GitHub Repository Secrets (set in PRIVATE repo: IntuneGet-Workflows)
# ===========================================
# These are NOT environment variables for your web app.
# Set these in your PRIVATE IntuneGet-Workflows repository's secrets:
#
# AZURE_CLIENT_ID           - Same as NEXT_PUBLIC_AZURE_AD_CLIENT_ID
# AZURE_CLIENT_SECRET       - Same as AZURE_AD_CLIENT_SECRET above
# CALLBACK_SECRET           - Same as CALLBACK_SECRET above
# SUPABASE_SERVICE_ROLE_KEY - For database callbacks
# NEXT_PUBLIC_SUPABASE_URL  - For database callbacks

# ===========================================
# Authentication Architecture Notes
# ===========================================
# This app uses a multi-tenant service principal architecture:
#
# 1. MSAL (Client-side): Users sign in with their Microsoft work account
#    - Requires: NEXT_PUBLIC_AZURE_AD_CLIENT_ID
#    - Scopes: User.Read (delegated) for user identification
#
# 2. Service Principal (Server-side): Uploads apps to user's Intune tenant
#    - Requires: AZURE_AD_CLIENT_SECRET (in web app for consent verification)
#    - Requires: AZURE_CLIENT_ID + AZURE_CLIENT_SECRET in GitHub Secrets
#    - Scopes: DeviceManagementApps.ReadWrite.All (application)
#
# 3. Admin Consent: Global Admin must grant consent for the service principal
#    - URL: https://login.microsoftonline.com/{tenant}/adminconsent
#    - This creates a service principal in the user's tenant
#    - One-time setup per organization
#
# For more details, see: /docs/authentication-architecture.md

# ===========================================
# Local Packager Configuration (Windows)
# ===========================================
# When running the packager service on a Windows machine,
# configure these variables in the packager's .env file:
#
# For SQLite/API mode (recommended for self-hosting):
#   INTUNEGET_API_URL=http://your-server:3000
#   PACKAGER_API_KEY=same-key-as-web-app
#   AZURE_CLIENT_ID=your-azure-client-id
#   AZURE_CLIENT_SECRET=your-azure-client-secret
#
# For Supabase mode (cloud deployments):
#   SUPABASE_URL=https://your-project.supabase.co
#   SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
#   AZURE_CLIENT_ID=your-azure-client-id
#   AZURE_CLIENT_SECRET=your-azure-client-secret
#
# The packager will automatically detect which mode to use based
# on whether INTUNEGET_API_URL is set.

# ===========================================
# True Self-Hosting Quick Start
# ===========================================
# For complete self-hosting with no external dependencies:
#
# 1. Set DATABASE_MODE=sqlite
# 2. Set PACKAGER_MODE=local
# 3. Generate PACKAGER_API_KEY with: openssl rand -hex 32
# 4. Run: docker-compose up -d
# 5. On Windows machine, run packager with:
#    - INTUNEGET_API_URL=http://your-docker-host:3000
#    - PACKAGER_API_KEY=same-key-as-above
#    - Azure credentials for Intune access
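The file above states several consistency rules that are easy to get wrong by hand: which variables each DATABASE_MODE and PACKAGER_MODE requires, that PACKAGER_API_KEY and CALLBACK_SECRET are generated with `openssl rand -hex 32` / `-hex 16`, and that the shipped values are placeholders. The following start-up check is an added example written for this page; it is not code from the IntuneGet project or the fork. It parses a dotenv file and reports every rule the file breaks. The placeholder prefixes, the minimum secret lengths (derived from the hex sizes in the generation hints), the plain-http warning for NEXT_PUBLIC_URL, and the sample values are assumptions of this example, not project behaviour.

```javascript
// Added example (not IntuneGet code): validate a .env file against the
// mode-dependent rules written in .env.example. Placeholder prefixes, minimum
// lengths and the http warning are assumptions of this example.

// Values that still look like the shipped placeholders count as unset.
const PLACEHOLDER = /^(your-|ghp_your-|https:\/\/your-project\.)/;

// Variables each mode requires, taken from the comments in .env.example.
const REQUIRED_BY_MODE = {
  DATABASE_MODE: {
    sqlite: ["PACKAGER_API_KEY"],
    supabase: ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY", "SUPABASE_SERVICE_ROLE_KEY"],
  },
  PACKAGER_MODE: {
    github: ["GITHUB_PAT", "GITHUB_OWNER", "GITHUB_WORKFLOWS_REPO"],
    local: [],
  },
};

// Needed regardless of mode.
const ALWAYS_REQUIRED = ["NEXT_PUBLIC_AZURE_AD_CLIENT_ID", "AZURE_AD_CLIENT_SECRET", "CALLBACK_SECRET", "NEXT_PUBLIC_URL"];

// "openssl rand -hex N" yields 2N hex characters; anything shorter than the
// hinted size is treated as a weak secret (assumed threshold).
const MIN_SECRET_LENGTH = { PACKAGER_API_KEY: 64, CALLBACK_SECRET: 32 };

// Minimal dotenv parser: KEY=value lines, '#' comments, optional matching quotes.
function parseDotenv(text) {
  const env = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq === -1) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted = value.length >= 2 &&
      ((value.startsWith('"') && value.endsWith('"')) || (value.startsWith("'") && value.endsWith("'")));
    if (quoted) value = value.slice(1, -1);
    env[key] = value;
  }
  return env;
}

// Returns a list of problems; an empty list means the file is consistent with the rules above.
function validateEnv(env) {
  const problems = [];
  const isSet = (k) => Boolean(env[k]) && !PLACEHOLDER.test(env[k]);
  const need = (k, why) => {
    if (!isSet(k)) problems.push(`${k} is missing or still a placeholder (${why})`);
  };

  for (const k of ALWAYS_REQUIRED) need(k, "always required");

  for (const [modeVar, table] of Object.entries(REQUIRED_BY_MODE)) {
    const mode = env[modeVar] || "";
    const keys = table[mode];
    if (keys === undefined) {
      problems.push(`${modeVar}="${mode}" is not one of ${Object.keys(table).join("/")}`);
      continue;
    }
    for (const k of keys) need(k, `${modeVar}=${mode}`);
  }

  for (const [k, min] of Object.entries(MIN_SECRET_LENGTH)) {
    if (isSet(k) && env[k].length < min) problems.push(`${k} is shorter than ${min} characters; regenerate it`);
  }

  // Callbacks are addressed to NEXT_PUBLIC_URL; plain http on a non-local host
  // sends them in clear (assumed check, not stated in the file).
  const url = env.NEXT_PUBLIC_URL || "";
  if (/^http:\/\//.test(url) && !/^http:\/\/(localhost|127\.0\.0\.1)([:/]|$)/.test(url)) {
    problems.push("NEXT_PUBLIC_URL uses plain http on a non-local host");
  }
  return problems;
}

function validateDotenv(text) {
  return validateEnv(parseDotenv(text));
}

// Constructed sample inputs; none of these values are real credentials.
const SAMPLE_API_KEY = "0123456789abcdef".repeat(4);        // 64 hex chars
const SAMPLE_CALLBACK_SECRET = "fedcba9876543210".repeat(2); // 32 hex chars

// The "True Self-Hosting Quick Start" layout with every value filled in.
const SAMPLE_SELF_HOSTED = `
DATABASE_MODE=sqlite
DATABASE_PATH=./data/intuneget.db
PACKAGER_API_KEY=${SAMPLE_API_KEY}
PACKAGER_MODE=local
NEXT_PUBLIC_AZURE_AD_CLIENT_ID=11111111-2222-3333-4444-555555555555
AZURE_AD_CLIENT_SECRET="constructed-client-secret"
CALLBACK_SECRET=${SAMPLE_CALLBACK_SECRET}
NEXT_PUBLIC_URL=http://localhost:3000
`;

// The shipped defaults with the placeholders left in place.
const SAMPLE_UNFILLED = `
DATABASE_MODE=supabase
PACKAGER_API_KEY=
NEXT_PUBLIC_SUPABASE_URL=https://your-project.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=your-anon-key
SUPABASE_SERVICE_ROLE_KEY=your-service-role-key
NEXT_PUBLIC_AZURE_AD_CLIENT_ID=your-azure-ad-client-id
AZURE_AD_CLIENT_SECRET=your-azure-ad-client-secret
PACKAGER_MODE=github
GITHUB_PAT=ghp_your-personal-access-token
GITHUB_OWNER=your-username-or-org
GITHUB_WORKFLOWS_REPO=IntuneGet-Workflows
CALLBACK_SECRET=your-32-char-random-secret
NEXT_PUBLIC_URL=http://localhost:3000
`;

for (const [name, text] of [["self-hosted", SAMPLE_SELF_HOSTED], ["unfilled", SAMPLE_UNFILLED]]) {
  const problems = validateDotenv(text);
  console.log(`${name}: ${problems.length === 0 ? "ok" : "\n  " + problems.join("\n  ")}`);
}
```

Run it with `node check-env.js` (any filename) before `docker-compose up -d`; the filled self-hosted sample passes, while the unfilled defaults report eight unresolved placeholders. To check a real file, read it with `fs.readFileSync(".env.local", "utf8")` and pass the text to `validateDotenv`.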