2026-03-30 05:44:20 +08:00
|
|
|
|
|
|
|
|
image:
|
|
|
|
|
repository: mauriceboe/trek
|
|
|
|
|
tag: latest
|
|
|
|
|
pullPolicy: IfNotPresent
|
|
|
|
|
|
|
|
|
|
# Optional image pull secrets for private registries
|
|
|
|
|
imagePullSecrets: []
|
|
|
|
|
# - name: my-registry-secret
|
|
|
|
|
|
|
|
|
|
service:
|
|
|
|
|
type: ClusterIP
|
|
|
|
|
port: 3000
|
|
|
|
|
|
|
|
|
|
env:
|
|
|
|
|
NODE_ENV: production
|
|
|
|
|
PORT: 3000
|
feat(helm): add all missing env vars from README to Helm chart
Add TZ, LOG_LEVEL, FORCE_HTTPS, TRUST_PROXY, OIDC_ISSUER, OIDC_CLIENT_ID,
OIDC_DISPLAY_NAME, OIDC_ONLY, OIDC_ADMIN_CLAIM, OIDC_ADMIN_VALUE, OIDC_SCOPE,
DEMO_MODE to values.yaml and configmap.yaml. Add OIDC_CLIENT_SECRET as a
secretEnv entry rendered in secret.yaml and mounted in deployment.yaml.
2026-04-03 22:14:57 +08:00
|
|
|
# TZ: "UTC"
|
|
|
|
|
# Timezone for logs, reminders, and cron jobs (e.g. Europe/Berlin).
|
|
|
|
|
# LOG_LEVEL: "info"
|
|
|
|
|
# "info" = concise user actions, "debug" = verbose details.
|
2026-03-30 05:44:20 +08:00
|
|
|
# ALLOWED_ORIGINS: ""
|
fix: add SSRF protection for link preview and Immich URL
- Create server/src/utils/ssrfGuard.ts with checkSsrf() and createPinnedAgent()
- Resolves DNS before allowing outbound requests to catch hostnames that
map to private IPs (closes the TOCTOU gap in the old inline checks)
- Always blocks loopback (127.x, ::1) and link-local/metadata (169.254.x)
- RFC-1918, CGNAT (100.64/10), and IPv6 ULA ranges blocked by default;
opt-in via ALLOW_INTERNAL_NETWORK=true for self-hosters running Immich
on a local network
- createPinnedAgent() pins node-fetch to the validated IP, preventing
DNS rebinding between the check and the actual connection
- Replace isValidImmichUrl() (hostname-string check, no DNS resolution)
with checkSsrf(); make PUT /integrations/immich/settings async
- Audit log entry (immich.private_ip_configured) written when a user
saves an Immich URL that resolves to a private IP
- Response includes a warning field surfaced as a toast in the UI
- Replace ~20 lines of duplicated inline SSRF logic in the link-preview
handler with a single checkSsrf() call + pinned agent
- Document ALLOW_INTERNAL_NETWORK in README, docker-compose.yml,
server/.env.example, chart/values.yaml, chart/templates/configmap.yaml,
and chart/README.md
2026-04-01 13:53:46 +08:00
|
|
|
# NOTE: If using ingress, ensure env.ALLOWED_ORIGINS matches the domains in ingress.hosts for proper CORS configuration.
|
2026-04-03 09:51:29 +08:00
|
|
|
# APP_URL: "https://trek.example.com"
|
|
|
|
|
# Public base URL of this instance. Required when OIDC is enabled — must match the redirect URI registered with your IdP.
|
|
|
|
|
# Also used as the base URL for links in email notifications and other external links.
|
feat(helm): add all missing env vars from README to Helm chart
Add TZ, LOG_LEVEL, FORCE_HTTPS, TRUST_PROXY, OIDC_ISSUER, OIDC_CLIENT_ID,
OIDC_DISPLAY_NAME, OIDC_ONLY, OIDC_ADMIN_CLAIM, OIDC_ADMIN_VALUE, OIDC_SCOPE,
DEMO_MODE to values.yaml and configmap.yaml. Add OIDC_CLIENT_SECRET as a
secretEnv entry rendered in secret.yaml and mounted in deployment.yaml.
2026-04-03 22:14:57 +08:00
|
|
|
# FORCE_HTTPS: "false"
|
|
|
|
|
# Set to "true" to redirect HTTP to HTTPS behind a TLS-terminating proxy.
|
|
|
|
|
# COOKIE_SECURE: "true"
|
|
|
|
|
# Set to "false" to allow session cookies over plain HTTP (e.g. no ingress TLS). Not recommended for production.
|
|
|
|
|
# TRUST_PROXY: "1"
|
|
|
|
|
# Number of trusted reverse proxies for X-Forwarded-For header parsing.
|
fix: add SSRF protection for link preview and Immich URL
- Create server/src/utils/ssrfGuard.ts with checkSsrf() and createPinnedAgent()
- Resolves DNS before allowing outbound requests to catch hostnames that
map to private IPs (closes the TOCTOU gap in the old inline checks)
- Always blocks loopback (127.x, ::1) and link-local/metadata (169.254.x)
- RFC-1918, CGNAT (100.64/10), and IPv6 ULA ranges blocked by default;
opt-in via ALLOW_INTERNAL_NETWORK=true for self-hosters running Immich
on a local network
- createPinnedAgent() pins node-fetch to the validated IP, preventing
DNS rebinding between the check and the actual connection
- Replace isValidImmichUrl() (hostname-string check, no DNS resolution)
with checkSsrf(); make PUT /integrations/immich/settings async
- Audit log entry (immich.private_ip_configured) written when a user
saves an Immich URL that resolves to a private IP
- Response includes a warning field surfaced as a toast in the UI
- Replace ~20 lines of duplicated inline SSRF logic in the link-preview
handler with a single checkSsrf() call + pinned agent
- Document ALLOW_INTERNAL_NETWORK in README, docker-compose.yml,
server/.env.example, chart/values.yaml, chart/templates/configmap.yaml,
and chart/README.md
2026-04-01 13:53:46 +08:00
|
|
|
# ALLOW_INTERNAL_NETWORK: "false"
|
|
|
|
|
# Set to "true" if Immich or other integrated services are hosted on a private/RFC-1918 network address.
|
|
|
|
|
# Loopback (127.x) and link-local/metadata addresses (169.254.x) are always blocked.
|
feat(helm): add all missing env vars from README to Helm chart
Add TZ, LOG_LEVEL, FORCE_HTTPS, TRUST_PROXY, OIDC_ISSUER, OIDC_CLIENT_ID,
OIDC_DISPLAY_NAME, OIDC_ONLY, OIDC_ADMIN_CLAIM, OIDC_ADMIN_VALUE, OIDC_SCOPE,
DEMO_MODE to values.yaml and configmap.yaml. Add OIDC_CLIENT_SECRET as a
secretEnv entry rendered in secret.yaml and mounted in deployment.yaml.
2026-04-03 22:14:57 +08:00
|
|
|
# OIDC_ISSUER: ""
|
|
|
|
|
# OpenID Connect provider URL.
|
|
|
|
|
# OIDC_CLIENT_ID: ""
|
|
|
|
|
# OIDC client ID.
|
|
|
|
|
# OIDC_DISPLAY_NAME: "SSO"
|
|
|
|
|
# Label shown on the SSO login button.
|
|
|
|
|
# OIDC_ONLY: "false"
|
|
|
|
|
# Set to "true" to disable local password auth entirely (first SSO login becomes admin).
|
|
|
|
|
# OIDC_ADMIN_CLAIM: ""
|
|
|
|
|
# OIDC claim used to identify admin users.
|
|
|
|
|
# OIDC_ADMIN_VALUE: ""
|
|
|
|
|
# Value of the OIDC claim that grants admin role.
|
2026-04-02 13:46:27 +08:00
|
|
|
# OIDC_SCOPE: "openid email profile groups"
|
|
|
|
|
# Space-separated OIDC scopes to request. Must include scopes for any claim used by OIDC_ADMIN_CLAIM.
|
feat(helm): add all missing env vars from README to Helm chart
Add TZ, LOG_LEVEL, FORCE_HTTPS, TRUST_PROXY, OIDC_ISSUER, OIDC_CLIENT_ID,
OIDC_DISPLAY_NAME, OIDC_ONLY, OIDC_ADMIN_CLAIM, OIDC_ADMIN_VALUE, OIDC_SCOPE,
DEMO_MODE to values.yaml and configmap.yaml. Add OIDC_CLIENT_SECRET as a
secretEnv entry rendered in secret.yaml and mounted in deployment.yaml.
2026-04-03 22:14:57 +08:00
|
|
|
# OIDC_DISCOVERY_URL: ""
|
|
|
|
|
# Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik).
|
|
|
|
|
# DEMO_MODE: "false"
|
|
|
|
|
# Enable demo mode (hourly data resets).
|
2026-04-03 21:43:58 +08:00
|
|
|
# MCP_RATE_LIMIT: "60"
|
|
|
|
|
# Max MCP API requests per user per minute. Defaults to 60.
|
2026-03-30 05:44:20 +08:00
|
|
|
|
|
|
|
|
|
2026-04-01 12:38:38 +08:00
|
|
|
# Secret environment variables stored in a Kubernetes Secret.
|
|
|
|
|
# JWT_SECRET is managed entirely by the server (auto-generated into the data PVC,
|
|
|
|
|
# rotatable via the admin panel) — it is not configured here.
|
2026-03-30 05:44:20 +08:00
|
|
|
secretEnv:
|
fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation
Introduces a dedicated ENCRYPTION_KEY for encrypting stored secrets
(API keys, MFA TOTP, SMTP password, OIDC client secret) so that
rotating the JWT signing secret no longer invalidates encrypted data,
and a compromised JWT_SECRET no longer exposes stored credentials.
- server/src/config.ts: add ENCRYPTION_KEY (auto-generated to
data/.encryption_key if not set, same pattern as JWT_SECRET);
switch JWT_SECRET to `export let` so updateJwtSecret() keeps the
CJS module binding live for all importers without restart
- apiKeyCrypto.ts, mfaCrypto.ts: derive encryption keys from
ENCRYPTION_KEY instead of JWT_SECRET
- admin POST /rotate-jwt-secret: generates a new 32-byte hex secret,
persists it to data/.jwt_secret, updates the live in-process binding
via updateJwtSecret(), and writes an audit log entry
- Admin panel (Settings → Danger Zone): "Rotate JWT Secret" button
with a confirmation modal warning that all sessions will be
invalidated; on success the acting admin is logged out immediately
- docker-compose.yml, .env.example, README, Helm chart (values.yaml,
secret.yaml, deployment.yaml, NOTES.txt, README): document
ENCRYPTION_KEY and its upgrade migration path
2026-04-01 12:31:45 +08:00
|
|
|
# At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC, etc.).
|
2026-04-01 15:49:57 +08:00
|
|
|
# Recommended: set to a random 32-byte hex value (openssl rand -hex 32).
|
|
|
|
|
# If left empty the server resolves the key automatically:
|
|
|
|
|
# 1. data/.jwt_secret (existing installs — encrypted data stays readable after upgrade)
|
|
|
|
|
# 2. data/.encryption_key auto-generated on first start (fresh installs)
|
fix: decouple at-rest encryption from JWT_SECRET, add JWT rotation
Introduces a dedicated ENCRYPTION_KEY for encrypting stored secrets
(API keys, MFA TOTP, SMTP password, OIDC client secret) so that
rotating the JWT signing secret no longer invalidates encrypted data,
and a compromised JWT_SECRET no longer exposes stored credentials.
- server/src/config.ts: add ENCRYPTION_KEY (auto-generated to
data/.encryption_key if not set, same pattern as JWT_SECRET);
switch JWT_SECRET to `export let` so updateJwtSecret() keeps the
CJS module binding live for all importers without restart
- apiKeyCrypto.ts, mfaCrypto.ts: derive encryption keys from
ENCRYPTION_KEY instead of JWT_SECRET
- admin POST /rotate-jwt-secret: generates a new 32-byte hex secret,
persists it to data/.jwt_secret, updates the live in-process binding
via updateJwtSecret(), and writes an audit log entry
- Admin panel (Settings → Danger Zone): "Rotate JWT Secret" button
with a confirmation modal warning that all sessions will be
invalidated; on success the acting admin is logged out immediately
- docker-compose.yml, .env.example, README, Helm chart (values.yaml,
secret.yaml, deployment.yaml, NOTES.txt, README): document
ENCRYPTION_KEY and its upgrade migration path
2026-04-01 12:31:45 +08:00
|
|
|
ENCRYPTION_KEY: ""
|
2026-04-02 05:09:57 +08:00
|
|
|
# Initial admin account — only used on first boot when no users exist yet.
|
|
|
|
|
# If both values are non-empty the admin account is created with these credentials.
|
|
|
|
|
# If either is empty a random password is generated and printed to the server log.
|
|
|
|
|
ADMIN_EMAIL: ""
|
|
|
|
|
ADMIN_PASSWORD: ""
|
feat(helm): add all missing env vars from README to Helm chart
Add TZ, LOG_LEVEL, FORCE_HTTPS, TRUST_PROXY, OIDC_ISSUER, OIDC_CLIENT_ID,
OIDC_DISPLAY_NAME, OIDC_ONLY, OIDC_ADMIN_CLAIM, OIDC_ADMIN_VALUE, OIDC_SCOPE,
DEMO_MODE to values.yaml and configmap.yaml. Add OIDC_CLIENT_SECRET as a
secretEnv entry rendered in secret.yaml and mounted in deployment.yaml.
2026-04-03 22:14:57 +08:00
|
|
|
# OIDC client secret — set together with env.OIDC_ISSUER and env.OIDC_CLIENT_ID.
|
|
|
|
|
OIDC_CLIENT_SECRET: ""
|
2026-03-30 05:44:20 +08:00
|
|
|
|
2026-04-01 12:38:38 +08:00
|
|
|
# If true, a random ENCRYPTION_KEY is generated at install and preserved across upgrades
|
|
|
|
|
generateEncryptionKey: false
|
2026-03-30 05:44:20 +08:00
|
|
|
|
2026-04-01 12:38:38 +08:00
|
|
|
# If set, use an existing Kubernetes secret that contains ENCRYPTION_KEY
|
2026-03-30 05:44:20 +08:00
|
|
|
existingSecret: ""
|
2026-04-01 12:38:38 +08:00
|
|
|
existingSecretKey: ENCRYPTION_KEY
|
2026-03-30 05:44:20 +08:00
|
|
|
|
|
|
|
|
persistence:
|
|
|
|
|
enabled: true
|
|
|
|
|
data:
|
|
|
|
|
size: 1Gi
|
|
|
|
|
uploads:
|
|
|
|
|
size: 1Gi
|
|
|
|
|
|
2026-03-31 07:35:12 +08:00
|
|
|
resources:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: 100m
|
|
|
|
|
memory: 256Mi
|
|
|
|
|
limits:
|
|
|
|
|
cpu: 500m
|
|
|
|
|
memory: 512Mi
|
2026-03-30 05:44:20 +08:00
|
|
|
|
|
|
|
|
ingress:
|
|
|
|
|
enabled: false
|
|
|
|
|
annotations: {}
|
|
|
|
|
hosts:
|
|
|
|
|
- host: chart-example.local
|
|
|
|
|
paths:
|
|
|
|
|
- /
|
|
|
|
|
tls: []
|
|
|
|
|
# - secretName: chart-example-tls
|
|
|
|
|
# hosts:
|
|
|
|
|
# - chart-example.local
|