rustio-admin-cli 0.27.6

Command-line tools for rustio-admin: project scaffolding, migrations, user management.
# rustio-admin — environment template
# Copy to .env and adjust only what you need to change.
# Defaults below are SAFE FOR LOCAL DEVELOPMENT.

# ── Application ───────────────────────────────────────────────

# env_logger filter. Bump to "rustio_admin=debug" for framework
# internals, or "debug" for everything.
RUST_LOG=info

# Optional override for the embedded admin templates. Leave unset
# to use the framework defaults.
# RUSTIO_TEMPLATE_DIR=templates


# ── Database ──────────────────────────────────────────────────

# Components for a fresh local Postgres install. Override
# individually or set DATABASE_URL directly below.
DB_HOST=localhost
DB_PORT=5432
DB_USER=postgres
DB_PASSWORD=postgres            # IMPORTANT: change in production
DB_NAME={{name}}_dev

# Composed connection string. rustio-admin reads this directly;
# the components above are substituted at .env load time.
DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}


# ── Security ──────────────────────────────────────────────────

# CSRF tokens, session cookies, and password hashing are managed
# by the framework — no shared secret to set here. Security
# headers (HSTS, X-Frame-Options, etc.) are wired in code via
# `middleware::security_headers`.

# 32-byte symmetric key used by:
#   - R3 TOTP MFA — AES-256-GCM encryption of `mfa_secret_ciphertext`
#     at rest. Required whenever ANY user has MFA enabled OR the
#     operator opts into `Admin::require_mfa(MfaPolicy::Required)`.
#   - R4 CLI emergency-access — HMAC-SHA256 signing of the
#     compliance-export envelope (if your project ships an export
#     surface that mirrors lursystem's Phase 6).
#
# Format: 32 random bytes, URL-safe-base64-encoded, no padding.
# Generate with:
#
#   openssl rand 32 | base64 | tr '+/' '-_' | tr -d '='
#
# A project that boots without this set + with `MfaPolicy::Disabled`
# AND zero MFA-enrolled users keeps working. The first MFA enrol
# refuses with a 500 from the AES-GCM init guard.
#
# IMPORTANT: rotate via a staged-key playbook; never overwrite
# this value while there are users with MFA enabled, or every
# `mfa_secret_ciphertext` row becomes undecryptable.
RUSTIO_SECRET_KEY=


# ── Initial Admin Account ─────────────────────────────────────

# Admin users are created via the CLI, not env vars:
#   rustio-admin-cli user create \
#     --email admin@example.com \    # IMPORTANT: change in production
#     --role administrator           # CLI prompts for a password
# Minimum password length: 10 characters.


# ── Mail / Recovery ───────────────────────────────────────────

# The mailer is configured in code via `Admin::mailer(...)`.
# Default `LogMailer` writes reset emails to stdout —
# DEVELOPMENT ONLY. Production: wire `SmtpMailer` and call
# `Admin::recovery_policy(... .with_strict_mailer_required(true))`.


# ── Session / Recovery ────────────────────────────────────────

# Recovery tunables (token TTL, login throttle, re-auth window)
# live on the `RecoveryPolicy` trait. Defaults: 1h token TTL,
# 5 failures / 10 min → 15 min auto-lock, 15 min re-auth window.
# Override via `Admin::recovery_policy(...)` in code.