diff --git a/wiki/Audit-Log.md b/wiki/Audit-Log.md index c6fbd52e..245b0cfb 100644 --- a/wiki/Audit-Log.md +++ b/wiki/Audit-Log.md @@ -117,7 +117,7 @@ The panel loads 100 entries at a time by default. Click **Load more** at the bot ## IP addresses -The client IP is read from the `X-Forwarded-For` header. When TREK is behind a reverse proxy, set `TRUST_PROXY=true` so the header is trusted and the real client IP is recorded. Without this setting, the proxy's own IP is logged instead. See [Environment-Variables](Environment-Variables). +The client IP is read from the `X-Forwarded-For` header. When TREK is behind a reverse proxy, set `TRUST_PROXY=1` (the number of proxy hops) so the header is trusted and the real client IP is recorded. Without this setting, the proxy's own IP is logged instead. See [Environment-Variables](Environment-Variables). ## Log file diff --git a/wiki/Backups.md b/wiki/Backups.md index cf6d927e..a32422a2 100644 --- a/wiki/Backups.md +++ b/wiki/Backups.md @@ -32,7 +32,7 @@ You can also download or delete any existing backup from the list. You can restore from: - **A stored backup** — click **Restore** next to any backup in the list. -- **An uploaded ZIP** — click **Upload & Restore** and select a backup file from your computer (maximum upload size: 500 MB). +- **An uploaded ZIP** — click **Upload & Restore** and select a backup file from your computer (maximum upload size: 500 MB by default, configurable with the `BACKUP_UPLOAD_LIMIT_MB` environment variable — see [Environment-Variables](Environment-Variables)). Before restoring, TREK runs integrity checks on the uploaded database: diff --git a/wiki/Demo-Mode.md b/wiki/Demo-Mode.md index 43d62e91..4aab92ba 100644 --- a/wiki/Demo-Mode.md +++ b/wiki/Demo-Mode.md @@ -17,6 +17,8 @@ When demo mode is active, the login page shows a one-click **"Try the demo"** bu | Email | `demo@trek.app` | | Password | `demo12345` | +**Admin account:** an admin account is also seeded on first start. By default it uses username `admin`, email `admin@trek.app`, and password `admin12345`. You can override these at seed time with the `DEMO_ADMIN_USER`, `DEMO_ADMIN_EMAIL`, and `DEMO_ADMIN_PASS` environment variables (they only take effect when `DEMO_MODE=true`, on the first start before the database is seeded). See [Environment-Variables](Environment-Variables). + ## What the demo user can and cannot do The demo user account has read access to the shared trip data but the following operations are permanently blocked: diff --git a/wiki/Environment-Variables.md b/wiki/Environment-Variables.md index 4cb7b3d9..32729e16 100644 --- a/wiki/Environment-Variables.md +++ b/wiki/Environment-Variables.md @@ -8,33 +8,38 @@ Complete reference for all environment variables TREK reads. - **Docker run** — pass each variable with `-e VARIABLE=value` - **Helm** — use `env:` for plain values and `secretEnv:` for sensitive values in `values.yaml` - **Unraid** — set in the container template editor +- **Proxmox Community Script** — set in `/opt/trek/server/.env` --- ## Core -| Variable | Description | Default | -|---|---|---| -| `PORT` | Server port | `3000` | -| `HOST` | Bind address for the HTTP server (e.g. `127.0.0.1`, `10.0.0.72`). **Source / Proxmox installs only** — do not set this in Docker or any containerized deployment. See note below. | all interfaces | -| `NODE_ENV` | Environment (`production` / `development`) | `production` | -| `ENCRYPTION_KEY` | At-rest encryption key — see resolution order below | auto | -| `TZ` | Timezone for logs, reminders, and cron jobs (e.g. `Europe/Berlin`) | `UTC` | -| `LOG_LEVEL` | `info` = concise user actions; `debug` = verbose details | `info` | -| `DEFAULT_LANGUAGE` | Default language on the login page — see supported codes below | `en` | -| `SESSION_DURATION` | How long a login session stays valid before re-login is required. Used when **"Remember me" is unchecked** on the login form (the default): applies to the `trek_session` JWT `exp` claim, and the cookie is issued as a **browser-session cookie** (no `maxAge`, cleared when the browser closes). Accepts `ms`-style strings: `1h`, `12h`, `7d`, `30d`, `90d`. Invalid values warn at startup and fall back to the default. Does not affect the short-lived MFA challenge token or MCP OAuth tokens (those keep their own TTL). | `24h` | -| `SESSION_DURATION_REMEMBER` | Session length used when the user **ticks "Remember me"** on login: a longer-lived JWT `exp` claim plus a **persistent** `trek_session` cookie whose `maxAge` matches, so the session survives browser restarts. Same `ms`-style format and startup-fallback behaviour as `SESSION_DURATION`. | `30d` | -| `ALLOWED_ORIGINS` | Comma-separated origins for CORS and email notification links | same-origin | -| `ALLOW_INTERNAL_NETWORK` | Allow outbound requests to private/RFC-1918 IPs. Set `true` if Immich or other integrated services are on your local network. Loopback (`127.x`) and link-local (`169.254.x`) addresses remain blocked regardless. | `false` | -| `APP_URL` | Public base URL (e.g. `https://trek.example.com`). Required when OIDC is enabled — must match the redirect URI registered with your IdP. Also used as the base URL for email notification links. | — | +| Variable | Description | Default | +|-----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------| +| `PORT` | Server port | Sources: `3001`, Docker: `3000` | +| `HOST` | Bind address for the HTTP server (e.g. `127.0.0.1`, `10.0.0.72`). **Source / Proxmox installs only** — do not set this in Docker or any containerized deployment. See note below. | all interfaces | +| `NODE_ENV` | Environment (`production` / `development`) | `production` | +| `ENCRYPTION_KEY` | At-rest encryption key — see resolution order below | auto | +| `TZ` | Timezone for logs, reminders, and cron jobs (e.g. `Europe/Berlin`) | `UTC` | +| `LOG_LEVEL` | `info` = concise user actions; `debug` = verbose details | `info` | +| `DEFAULT_LANGUAGE` | Default language on the login page — see supported codes below | `en` | +| `SESSION_DURATION` | How long a login session stays valid before re-login is required. Used when **"Remember me" is unchecked** on the login form (the default): applies to the `trek_session` JWT `exp` claim, and the cookie is issued as a **browser-session cookie** (no `maxAge`, cleared when the browser closes). Accepts `ms`-style strings: `1h`, `12h`, `7d`, `30d`, `90d`. Invalid values warn at startup and fall back to the default. Does not affect the short-lived MFA challenge token or MCP OAuth tokens (those keep their own TTL). | `24h` | +| `SESSION_DURATION_REMEMBER` | Session length used when the user **ticks "Remember me"** on login: a longer-lived JWT `exp` claim plus a **persistent** `trek_session` cookie whose `maxAge` matches, so the session survives browser restarts. Same `ms`-style format and startup-fallback behaviour as `SESSION_DURATION`. | `30d` | +| `ALLOWED_ORIGINS` | Comma-separated origins for CORS and email notification links | same-origin | +| `ALLOW_INTERNAL_NETWORK` | Allow outbound requests to private/RFC-1918 IPs. Set `true` if Immich or other integrated services are on your local network. Loopback (`127.x`) and link-local (`169.254.x`) addresses remain blocked regardless. | `false` | +| `APP_URL` | Public base URL (e.g. `https://trek.example.com`). Required when OIDC is enabled — must match the redirect URI registered with your IdP. Also used as the base URL for email notification links. | — | ### `HOST` — Source and Proxmox installs only -By default TREK binds to all network interfaces (`0.0.0.0`), which is the correct behaviour inside a container because Docker handles port exposure at the host level. Setting `HOST` overrides the bind address at the Node.js level. +By default TREK binds to all network interfaces (`0.0.0.0`), which is the correct behaviour inside a container because +Docker handles port exposure at the host level. Setting `HOST` overrides the bind address at the Node.js level. -**When to use it:** only when running TREK directly on a host (git sources or the [Proxmox community script](Install-Proxmox)) and you need to restrict which interface the server listens on — for example, to expose TREK only on a LAN interface while keeping it off the public-facing one. +**When to use it:** only when running TREK directly on a host (git sources or +the [Proxmox community script](Install-Proxmox)) and you need to restrict which interface the server listens on — for +example, to expose TREK only on a LAN interface while keeping it off the public-facing one. -**Never set `HOST` in Docker, Docker Compose, Helm, or Unraid deployments.** Use Docker's `-p ::` syntax or your orchestrator's port binding instead. +**Never set `HOST` in Docker, Docker Compose, Helm, or Unraid deployments.** Use Docker's +`-p ::` syntax or your orchestrator's port binding instead. ``` # .env — source / Proxmox installs only @@ -48,33 +53,58 @@ When `HOST` is set, the startup banner includes a `Host:` line confirming the bo `server/src/config.ts` resolves the encryption key in this order: -1. **`ENCRYPTION_KEY` env var** — explicit value, always takes priority. Persisted to `data/.encryption_key` automatically. +1. **`ENCRYPTION_KEY` env var** — explicit value, always takes priority. Persisted to `data/.encryption_key` + automatically. 2. **`data/.encryption_key` file** — present on any install that has started at least once. -3. **`data/.jwt_secret` file** — one-time fallback for existing installs upgrading without a pre-set key. The value is immediately persisted to `data/.encryption_key` so JWT rotation cannot break decryption later. +3. **`data/.jwt_secret` file** — one-time fallback for existing installs upgrading without a pre-set key. The value is + immediately persisted to `data/.encryption_key` so JWT rotation cannot break decryption later. 4. **Auto-generated** — fresh install with none of the above; persisted to `data/.encryption_key`. Setting `ENCRYPTION_KEY` explicitly is recommended so you can back it up independently of the data volume. ### `DEFAULT_LANGUAGE` — Supported Codes -Verified in `server/src/config.ts` (line 107): +You can set `DEFAULT_LANGUAGE` to any of the 20 languages TREK ships. The currently supported codes are: -`de`, `en`, `es`, `fr`, `hu`, `nl`, `br`, `cs`, `pl`, `ru`, `zh`, `zh-TW`, `it`, `ar` +| Code | Language | +|---------|--------------------| +| `en` | English | +| `de` | Deutsch | +| `es` | Español | +| `fr` | Français | +| `hu` | Magyar | +| `nl` | Nederlands | +| `br` | Português (Brasil) | +| `cs` | Česky | +| `pl` | Polski | +| `ru` | Русский | +| `zh` | 简体中文 | +| `zh-TW` | 繁體中文 | +| `it` | Italiano | +| `tr` | Türkçe | +| `ar` | العربية | +| `id` | Bahasa Indonesia | +| `ja` | 日本語 | +| `ko` | 한국어 | +| `uk` | Українська | +| `gr` | Ελληνικά | -> **Note:** `id` (Indonesian / Bahasa Indonesia) appears in `client/src/i18n/supportedLanguages.ts` but is not in the server's supported-codes list in `config.ts`. Setting `DEFAULT_LANGUAGE=id` will fall back to `en` with a warning in the server log. +If you set a code that isn't supported, TREK falls back to English (`en`). This list grows as new +translations are added to TREK. --- ## HTTPS / Proxy -These three variables work together behind a TLS-terminating reverse proxy. See [Reverse-Proxy](Reverse-Proxy) for the full explanation. +These three variables work together behind a TLS-terminating reverse proxy. See [Reverse-Proxy](Reverse-Proxy) for the +full explanation. -| Variable | Description | Default | -|---|---|---| -| `FORCE_HTTPS` | When `true`: 301-redirects HTTP→HTTPS, sends HSTS (`max-age=31536000`), adds CSP `upgrade-insecure-requests`, forces cookie `secure` flag. Only useful behind a TLS proxy. Requires `TRUST_PROXY`. | `false` | -| `HSTS_INCLUDE_SUBDOMAINS` | When `true`: adds the `includeSubDomains` directive to the HSTS header, extending HTTPS enforcement to all subdomains. Only effective when HSTS is active (`FORCE_HTTPS=true` or `NODE_ENV=production`). Leave `false` if you run other services on sibling subdomains over plain HTTP. | `false` | -| `TRUST_PROXY` | Number of trusted proxy hops. Tells Express to read the real client IP from `X-Forwarded-For` and protocol from `X-Forwarded-Proto`. Defaults to `1` automatically in production. Required for `FORCE_HTTPS` to detect the forwarded protocol. | `1` (production) | -| `COOKIE_SECURE` | Controls the `secure` flag on the `trek_session` cookie. Auto-derived as `true` when `NODE_ENV=production` or `FORCE_HTTPS=true`. Set to `false` only as an escape hatch for LAN testing without TLS — not recommended in production. | auto | +| Variable | Description | Default | +|---------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------| +| `FORCE_HTTPS` | When `true`: 301-redirects HTTP→HTTPS, sends HSTS (`max-age=31536000`), adds CSP `upgrade-insecure-requests`, forces cookie `secure` flag. Only useful behind a TLS proxy. Requires `TRUST_PROXY`. | `false` | +| `HSTS_INCLUDE_SUBDOMAINS` | When `true`: adds the `includeSubDomains` directive to the HSTS header, extending HTTPS enforcement to all subdomains. Only effective when HSTS is active (`FORCE_HTTPS=true` or `NODE_ENV=production`). Leave `false` if you run other services on sibling subdomains over plain HTTP. | `false` | +| `TRUST_PROXY` | Number of trusted proxy hops. Tells Express to read the real client IP from `X-Forwarded-For` and protocol from `X-Forwarded-Proto`. Defaults to `1` automatically in production. Required for `FORCE_HTTPS` to detect the forwarded protocol. | `1` (production) | +| `COOKIE_SECURE` | Controls the `secure` flag on the `trek_session` cookie. Auto-derived as `true` when `NODE_ENV=production` or `FORCE_HTTPS=true`. Set to `false` only as an escape hatch for LAN testing without TLS — not recommended in production. | auto | > **Warning:** `FORCE_HTTPS=true` without `TRUST_PROXY` set causes a redirect loop. @@ -84,34 +114,50 @@ These three variables work together behind a TLS-terminating reverse proxy. See For setup instructions, see [OIDC-SSO](OIDC-SSO). -| Variable | Description | Default | -|---|---|---| -| `OIDC_ISSUER` | OpenID Connect provider URL (e.g. `https://auth.example.com`) | — | -| `OIDC_CLIENT_ID` | OIDC client ID | — | -| `OIDC_CLIENT_SECRET` | OIDC client secret | — | -| `OIDC_DISPLAY_NAME` | Label shown on the SSO login button | `SSO` | -| `OIDC_ONLY` | Force SSO-only mode: disables password login and registration, overrides Admin > Settings toggles, cannot be changed at runtime. First SSO login becomes admin on a fresh instance. | `false` | -| `OIDC_ADMIN_CLAIM` | OIDC claim used to identify admin users (e.g. `groups`) | — | -| `OIDC_ADMIN_VALUE` | Value of the OIDC claim that grants admin role (e.g. `app-trek-admins`) | — | -| `OIDC_SCOPE` | Space-separated OIDC scopes to request. **Fully replaces** the default — always include `openid email profile` plus any extra scopes (e.g. add `groups` when using `OIDC_ADMIN_CLAIM`) | `openid email profile` | -| `OIDC_DISCOVERY_URL` | Override the auto-constructed OIDC discovery endpoint. Required for providers with a non-standard path (e.g. Authentik) | — | +| Variable | Description | Default | +|----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------| +| `OIDC_ISSUER` | OpenID Connect provider URL (e.g. `https://auth.example.com`) | — | +| `OIDC_CLIENT_ID` | OIDC client ID | — | +| `OIDC_CLIENT_SECRET` | OIDC client secret | — | +| `OIDC_DISPLAY_NAME` | Label shown on the SSO login button | `SSO` | +| `OIDC_ONLY` | Force SSO-only mode: disables password login and registration, overrides Admin > Settings toggles, cannot be changed at runtime. First SSO login becomes admin on a fresh instance. | `false` | +| `OIDC_ADMIN_CLAIM` | OIDC claim used to identify admin users (e.g. `groups`) | — | +| `OIDC_ADMIN_VALUE` | Value of the OIDC claim that grants admin role (e.g. `app-trek-admins`) | — | +| `OIDC_SCOPE` | Space-separated OIDC scopes to request. **Fully replaces** the default — always include `openid email profile` plus any extra scopes (e.g. add `groups` when using `OIDC_ADMIN_CLAIM`) | `openid email profile` | +| `OIDC_DISCOVERY_URL` | Override the auto-constructed OIDC discovery endpoint. Required for providers with a non-standard path (e.g. Authentik) | — | + +--- + +## WebAuthn / Passkeys + +Passkey (WebAuthn) login is configured from the Admin panel, but the two cryptographically +sensitive values can be pinned via environment variables. Env vars take priority over the +corresponding database settings. These values are **only** ever derived from server-side config — +never from request `Host` / `X-Forwarded-Host` headers (mirroring OIDC redirect-URI handling). + +| Variable | Description | Default | +|--------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------| +| `WEBAUTHN_RP_ID` | Relying-Party ID — the registrable domain passkeys are bound to (e.g. `trek.example.com`). Overrides the `webauthn_rp_id` DB setting. When unset, it is derived from the hostname of `APP_URL`. Bare IP literals (IPv4/IPv6) are rejected. If it cannot be resolved, passkeys are disabled. | derived from `APP_URL` | +| `WEBAUTHN_ORIGINS` | Comma-separated list of allowed origins for passkey ceremonies (e.g. `https://trek.example.com`). Overrides the `webauthn_origins` DB setting; trailing slashes are stripped. When unset and the RP ID is not `localhost`, a single origin is derived from `APP_URL`. In dev (RP ID `localhost`) `http://localhost:5173` and `http://localhost:3001` are added automatically. | derived from `APP_URL` | --- ## Email / SMTP -SMTP settings can be configured via the Admin panel or overridden with environment variables. Env vars take priority over the database values. +SMTP settings can be configured via the Admin panel or overridden with environment variables. Env vars take priority +over the database values. -| Variable | Description | Default | -|---|---|---| -| `SMTP_HOST` | SMTP server hostname (e.g. `smtp.example.com`) | — | -| `SMTP_PORT` | SMTP server port. Port `465` enables implicit TLS (`secure: true`); all other ports use STARTTLS or plain. | — | -| `SMTP_USER` | SMTP authentication username | — | -| `SMTP_PASS` | SMTP authentication password | — | -| `SMTP_FROM` | Sender address for outbound emails (e.g. `TREK `) | — | +| Variable | Description | Default | +|------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|---------| +| `SMTP_HOST` | SMTP server hostname (e.g. `smtp.example.com`) | — | +| `SMTP_PORT` | SMTP server port. Port `465` enables implicit TLS (`secure: true`); all other ports use STARTTLS or plain. | — | +| `SMTP_USER` | SMTP authentication username | — | +| `SMTP_PASS` | SMTP authentication password | — | +| `SMTP_FROM` | Sender address for outbound emails (e.g. `TREK `) | — | | `SMTP_SKIP_TLS_VERIFY` | Set `true` to disable TLS certificate validation. Useful for self-signed certs on internal SMTP relays — not recommended in production. | `false` | -`SMTP_HOST`, `SMTP_PORT`, and `SMTP_FROM` are all required for email delivery to work. `SMTP_USER` and `SMTP_PASS` are optional (for unauthenticated relays). +`SMTP_HOST`, `SMTP_PORT`, and `SMTP_FROM` are all required for email delivery to work. `SMTP_USER` and `SMTP_PASS` are +optional (for unauthenticated relays). --- @@ -119,12 +165,13 @@ SMTP settings can be configured via the Admin panel or overridden with environme These variables only take effect on first boot, before any user exists. -| Variable | Description | Default | -|---|---|---| -| `ADMIN_EMAIL` | Email for the first admin account | `admin@trek.local` | -| `ADMIN_PASSWORD` | Password for the first admin account | random | +| Variable | Description | Default | +|------------------|--------------------------------------|--------------------| +| `ADMIN_EMAIL` | Email for the first admin account | `admin@trek.local` | +| `ADMIN_PASSWORD` | Password for the first admin account | random | -Both variables must be set together. If either is omitted, the account is created with email `admin@trek.local` and a randomly generated password that is printed to the server log. Once any user exists, these variables have no effect. +Both variables must be set together. If either is omitted, the account is created with email `admin@trek.local` and a +randomly generated password that is printed to the server log. Once any user exists, these variables have no effect. --- @@ -132,28 +179,57 @@ Both variables must be set together. If either is omitted, the account is create For setup instructions, see [MCP-Overview](MCP-Overview). -| Variable | Description | Default | -|---|---|---| -| `MCP_RATE_LIMIT` | Max MCP API requests per user per minute | `300` | -| `MCP_MAX_SESSION_PER_USER` | Max concurrent MCP sessions per user | `20` | +| Variable | Description | Default | +|----------------------------|------------------------------------------|---------| +| `MCP_RATE_LIMIT` | Max MCP API requests per user per minute | `300` | +| `MCP_MAX_SESSION_PER_USER` | Max concurrent MCP sessions per user | `20` | --- ## Booking Import (KDE Itinerary) -| Variable | Description | Default | -|---|---|---| +| Variable | Description | Default | +|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------| | `KITINERARY_EXTRACTOR_PATH` | Full path to the `kitinerary-extractor` binary. When unset, TREK searches `/usr/lib/*/libexec/kf6/kitinerary-extractor` and then `PATH`. Set this if you install the binary to a non-standard location. | auto-detected | -The official TREK Docker image bundles the binary automatically: on amd64 it downloads the static release from `https://cdn.kde.org/ci-builds/pim/kitinerary/`; on arm64 it installs `libkitinerary-bin` via apt (Debian trixie). When running TREK from source, install `libkitinerary-bin` (Debian trixie / Ubuntu 25.04+) or download the static binary directly and place it anywhere on `PATH`. The `GET /api/health/features` endpoint returns `{ "bookingImport": true }` when the binary is found, and the Import button in the Reservations panel is hidden when it is not. +The official TREK Docker image bundles the binary automatically: on amd64 it downloads the static release from +`https://cdn.kde.org/ci-builds/pim/kitinerary/`; on arm64 it installs `libkitinerary-bin` via apt (Debian trixie). When +running TREK from source, install `libkitinerary-bin` (Debian trixie / Ubuntu 25.04+) or download the static binary +directly and place it anywhere on `PATH`. The `GET /api/health/features` endpoint returns `{ "bookingImport": true }` +when the binary is found, and the Import button in the Reservations panel is hidden when it is not. --- -## Other +## Storage & Paths -| Variable | Description | Default | -|---|---|---| -| `DEMO_MODE` | Enable demo mode (hourly data resets). Not intended for regular use. | `false` | +| Variable | Description | Default | +|--------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------| +| `TREK_PLACE_PHOTO_DIR` | Directory where cached Google place photos are stored. Created recursively on boot. Set this to point photo storage at a dedicated mounted volume. | `uploads/photos/google` | +| `BACKUP_UPLOAD_LIMIT_MB` | Maximum **compressed** size (in MB) of a restore-backup archive that may be uploaded. Raise it if your backups (which include the `uploads/` directory) exceed the default. Non-positive or invalid values log a warning and fall back to the default. | `500` | + +--- + +## Advanced / Tuning + +| Variable | Description | Default | +|---------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------| +| `IDEMPOTENCY_TTL_SECONDS` | How long (in seconds) stored idempotency keys are kept before garbage collection. The offline client replays queued mutations with their `X-Idempotency-Key` on reconnect, so this must exceed the longest expected offline window or a replay could create a duplicate. Invalid values silently fall back to the default. | `2592000` (30 days) | + +--- + +## Demo Mode + +Demo mode runs TREK as a public, self-resetting sandbox. Not intended for regular deployments. + +| Variable | Description | Default | +|--------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------| +| `DEMO_MODE` | Enable demo mode: seeds example data, resets the database hourly, exposes the demo-login endpoint, and blocks destructive mutations (password change, account deletion, uploads) for demo users. Logs a security warning at startup if combined with `NODE_ENV=production`. | `false` | +| `DEMO_ADMIN_USER` | Username of the seeded demo admin account. | `admin` | +| `DEMO_ADMIN_EMAIL` | Email of the seeded demo admin account. | `admin@trek.app` | +| `DEMO_ADMIN_PASS` | Initial password for the seeded demo admin (bcrypt-hashed at seed time). | `admin12345` | + +The `DEMO_ADMIN_*` variables only take effect when `DEMO_MODE=true`, and only at the moment the demo data is first +seeded. --- diff --git a/wiki/Install-Helm.md b/wiki/Install-Helm.md index 1a320a09..27d13b60 100644 --- a/wiki/Install-Helm.md +++ b/wiki/Install-Helm.md @@ -97,7 +97,7 @@ env: PORT: 3000 # TZ: "Europe/Berlin" # timezone for logs, reminders, cron jobs # LOG_LEVEL: "info" # "info" = concise, "debug" = verbose - # DEFAULT_LANGUAGE: "en" # fallback language on login page; supported: de, en, es, fr, hu, nl, br, cs, pl, ru, zh, zh-TW, it, ar + # DEFAULT_LANGUAGE: "en" # fallback language on login page; supported: de, en, es, fr, hu, nl, br, cs, pl, ru, zh, zh-TW, it, tr, ar, id, ja, ko, uk, gr # ALLOWED_ORIGINS: "https://trek.example.com" # APP_URL: "https://trek.example.com" # FORCE_HTTPS: "false" # enable HTTPS redirect + HSTS; requires TRUST_PROXY diff --git a/wiki/Languages.md b/wiki/Languages.md index 418185eb..5a230d3e 100644 --- a/wiki/Languages.md +++ b/wiki/Languages.md @@ -1,6 +1,6 @@ # Languages -TREK ships with translations for 15 languages. You can change your language at any time without logging out. +TREK ships with translations for 20 languages. You can change your language at any time without logging out. ## Supported languages @@ -19,8 +19,13 @@ TREK ships with translations for 15 languages. You can change your language at a | `zh` | 简体中文 | | `zh-TW` | 繁體中文 | | `it` | Italiano | +| `tr` | Türkçe | | `ar` | العربية | | `id` | Bahasa Indonesia | +| `ja` | 日本語 | +| `ko` | 한국어 | +| `uk` | Українська | +| `gr` | Ελληνικά | ## RTL support diff --git a/wiki/Security-Hardening.md b/wiki/Security-Hardening.md index 5e8ff9da..9c08cb4b 100644 --- a/wiki/Security-Hardening.md +++ b/wiki/Security-Hardening.md @@ -7,7 +7,6 @@ A production TREK deployment checklist. All items reference actual TREK configur - [ ] Set a strong `ENCRYPTION_KEY` (generate with `openssl rand -hex 32`). See [Encryption-Key-Rotation](Encryption-Key-Rotation). - [ ] Back up `ENCRYPTION_KEY` separately from the database backup ZIP — losing it makes all stored API keys and secrets unreadable. Stored secrets use AES-256-GCM encryption derived from this key. - [ ] Rotate `ENCRYPTION_KEY` if it may have been exposed. See [Encryption-Key-Rotation](Encryption-Key-Rotation). -- [ ] Do **not** set `JWT_SECRET` via environment variable. TREK auto-generates it on first start, persists it to `data/.jwt_secret`, and manages rotation through the Admin Panel. Setting it via env var would override any rotation performed through the UI on next restart. ## HTTPS & Network