cauldron/.env.example
Kayos d0d3c67a60 bugs: vendored bugs.sulkta.com SDK + /bugs page
Wires cauldron up to the unified Sulkta bug tracker per
memory/spec-bugs-unified-sdk.md (Phases 1-7 shipped 2026-05-02).

What's included:
- Vendored bugs-sulkta-py at cauldron/vendor/bugs_sulkta (4 stdlib-only
  files copied verbatim from Sulkta-Coop/bugs-sulkta-py main). Same
  vendoring approach as TC's backend/api/bugs_sulkta — Docker BuildKit
  can't reach LAN Gitea, so the package ships in the source tree.
- BUGS_API_KEY + BUGS_BASE_URL env (config.py). Empty key = page renders
  "not configured" placeholder; POSTs return 503. Lets dev runs skip
  provisioning a key.
- New routes (server.py): GET /bugs (page), GET /api/bugs (list),
  POST /api/bugs (create). All session-auth. Per-service key returns
  every cauldron report; we filter client-side by user_email so each
  household member sees only their own. Admins get a "show all" toggle.
- bugs.html template in mythic-witch style: subject + message + kind
  + severity form, filed-reports list with status glyphs (📂 open
  🔨 in-progress  resolved  wontfix), relative timestamps.
- _base.html nav: 🐞 bugs link between discover and me.
- Server-side auto-fill: user_email/user_name from session, page_url
  from referrer, user_agent from request headers.

Defaults are dev-safe — no env change required for the LAN soak. When
Cobb mints the key with:
  docker exec bugs-sulkta bugs-sulkta-cli keys create \
    --service=cauldron --scopes=read,write,update \
    --description="cauldron prod"
…drop it into BUGS_API_KEY and the page lights up.
2026-05-02 20:41:12 -07:00

# Cauldron — copy to /mnt/cache/appdata/secrets/cauldron.env on Lucy
# (chmod 600, root:root). Some values are already populated by the deploy
# bootstrap (CLAWDFORGE_*); fill in the rest before first start.
# Flask
SECRET_KEY=change-me-32-bytes-of-entropy
# Bind
BIND_HOST=0.0.0.0
BIND_PORT=7790
# Mealie (recipes.sulkta.com is already wired with Authentik OIDC)
MEALIE_BASE_URL=https://recipes.sulkta.com
MEALIE_API_TOKEN=
# clawdforge (centralized claude-runner on Lucy)
CLAWDFORGE_URL=http://192.168.0.5:8800
CLAWDFORGE_TOKEN=
DEFAULT_MODEL=sonnet
DEFAULT_TIMEOUT_SECS=120
# Admin bearer for batch ops (sterilize-all, etc.) — separate from user OIDC
ADMIN_BEARER=change-me-this-is-the-cauldron-admin-batch-token
# Authentik OIDC (provisioned 2026-04-28; client_id + secret minted by Authentik)
OIDC_ISSUER=https://auth.sulkta.com/application/o/cauldron/
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URI=http://192.168.0.5:7790/auth/callback
# DB (sulkta-mariadb on the sulkta bridge)
DB_HOST=sulkta-mariadb
DB_PORT=3306
DB_NAME=cauldron
DB_USER=cauldron_app
DB_PASSWORD=
# Fernet master key for at-rest encryption of per-user Mealie tokens.
# Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
CAULDRON_FERNET_KEY=
# --- Public-deploy hardening (added 2026-05-02 CVE audit) ---
# Comma-separated list of authentik subjects who get the operator-tier
# /me admin tools panel (consolidate, discover scrape). Empty = nobody.
# Cobb's authentik sub goes here for production.
CAULDRON_ADMIN_SUBS=
# External base URL where cauldron is reachable. Set to your public host
# (e.g. https://cauldron.sulkta.com) when going public; leave empty for
# LAN-only HTTP. When set: enables CSRF Origin guard, HSTS, secure cookie.
CAULDRON_BASE_URL=
# Whether the deploy is fronted by TLS (rackham apache → cauldron over
# OpenVPN). Independent toggle from base_url so dev/staging can override.
# When true: SESSION_COOKIE_SECURE=True, HSTS header emitted.
CAULDRON_BEHIND_TLS=false
# Comma-separated CIDR list of trusted proxies whose X-Forwarded-* we
# honor. Empty = trust nothing → ProxyFix is OFF and X-Forwarded-* are
# stripped from every request. For the rackham→OpenVPN→lucy:7790 deploy,
# set this to rackham's WireGuard-internal IP (e.g. 10.20.30.1/32). Any
# X-Forwarded-* from a peer outside this list gets dropped before
# ProxyFix sees it.
CAULDRON_TRUSTED_PROXIES=
# bugs.sulkta.com integration. Per-service key minted via:
# docker exec bugs-sulkta bugs-sulkta-cli keys create --service=cauldron \
# --scopes=read,write,update --description="cauldron prod"
# Empty = bugs page renders a "not configured" placeholder; POSTs return 503.
BUGS_API_KEY=
# Override only for staging / on-prem bugs deployments. Default is fine.
BUGS_BASE_URL=https://bugs.sulkta.com
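The CAULDRON_TRUSTED_PROXIES contract described in the comments above (empty list = trust nothing and strip X-Forwarded-* from every request; a peer outside the CIDR list has its X-Forwarded-* dropped before ProxyFix sees it) as an added, stdlib-only WSGI filter. This is example code, not cauldron's server.py; the names TrustedProxyFilter, parse_trusted_proxies and effective_client_ip, and the sample peer addresses, are assumptions, while 10.20.30.1/32 is the value the file itself suggests.

```python
# Added example (not cauldron's own code). Wrap it OUTSIDE ProxyFix, e.g.
# app.wsgi_app = TrustedProxyFilter(ProxyFix(app.wsgi_app, x_for=1), cidrs)
# so ProxyFix only ever sees X-Forwarded-* that a trusted proxy set.
import ipaddress

FORWARDED_PREFIX = "HTTP_X_FORWARDED_"  # X-Forwarded-For/Proto/Host/Port/Prefix


def parse_trusted_proxies(value: str) -> list:
    """Parse the comma-separated CIDR list; "" means trust nothing."""
    nets = []
    for item in value.split(","):
        item = item.strip()
        if item:  # strict=False tolerates host bits set, e.g. 10.20.30.1/24
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def peer_is_trusted(remote_addr: str, nets: list) -> bool:
    """True only if the TCP peer (REMOTE_ADDR) is inside a trusted network."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:  # unix socket, empty, or garbage: never trusted
        return False
    return any(ip in net for net in nets)


def strip_forwarded(environ: dict) -> list:
    """Delete every X-Forwarded-* header in place; return the names removed."""
    dropped = [k for k in environ if k.startswith(FORWARDED_PREFIX)]
    for k in dropped:
        del environ[k]
    return dropped


class TrustedProxyFilter:
    """WSGI middleware: untrusted peers cannot smuggle X-Forwarded-* inward."""

    def __init__(self, app, trusted_cidrs: str):
        self.app = app
        self.nets = parse_trusted_proxies(trusted_cidrs)

    def __call__(self, environ, start_response):
        if not peer_is_trusted(environ.get("REMOTE_ADDR", ""), self.nets):
            strip_forwarded(environ)
        return self.app(environ, start_response)


def effective_client_ip(environ: dict, trusted_cidrs: str) -> str:
    """Client IP the inner app would see after filtering, assuming a
    ProxyFix-style x_for=1 (rightmost X-Forwarded-For entry wins)."""
    env = dict(environ)  # do not mutate the caller's environ
    if not peer_is_trusted(env.get("REMOTE_ADDR", ""), parse_trusted_proxies(trusted_cidrs)):
        strip_forwarded(env)
    xff = env.get("HTTP_X_FORWARDED_FOR", "")
    return xff.split(",")[-1].strip() if xff else env.get("REMOTE_ADDR", "")
```

With the list empty, a LAN client that sends X-Forwarded-For is still logged as its real socket address, which is the "trust nothing" behaviour the comment promises.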