From 933849a6ff96cc7327558e4cabc1a00c957467bb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?E=CC=81ric=20Gaspar?= <46165813+ericgaspar@users.noreply.github.com> Date: Fri, 7 Jun 2024 14:26:42 +0200 Subject: First commit --- conf/.env | 361 +++++++++++++++++++++++++++++++++++++++++++++++++++ conf/nginx.conf | 15 +++ conf/systemd.service | 49 +++++++ 3 files changed, 425 insertions(+) create mode 100644 conf/.env create mode 100644 conf/nginx.conf create mode 100644 conf/systemd.service (limited to 'conf') diff --git a/conf/.env b/conf/.env new file mode 100644 index 0000000..5dcf0a1 --- /dev/null +++ b/conf/.env @@ -0,0 +1,361 @@ +# ********** INDEX ********** +# +# - LICENSE (DEPRECATED) +# - DATABASE +# - SHARED +# - NEXTAUTH +# - E-MAIL SETTINGS +# - ORGANIZATIONS + +# - LICENSE (DEPRECATED) ************************************************************************************ +# https://github.com/calcom/cal.com/blob/main/LICENSE +# +# Summary of terms: +# - The codebase has to stay open source, whether it was modified or not +# - You can not repackage or sell the codebase +# - Acquire a commercial license to remove these terms by visiting: cal.com/sales +# +# To enable enterprise-only features, as an admin, go to /auth/setup to select your license and follow +# instructions. This environment variable is deprecated although still supported for backward compatibility. +# @see https://console.cal.com +CALCOM_LICENSE_KEY= +# *********************************************************************************************************** + +# - DATABASE ************************************************************************************************ +DATABASE_URL="postgresql://__DB_USER__:__DB_PWD__@localhost:5450/__DB_NAME__" +# Needed to run migrations while using a connection pooler like PgBouncer +# Use the same one as DATABASE_URL if you're not using a connection pooler +DATABASE_DIRECT_URL="postgresql://__DB_USER__:__DB_PWD__@localhost:5450/__DB_NAME__" +INSIGHTS_DATABASE_URL= + +# Uncomment to enable a dedicated connection pool for Prisma using Prisma Data Proxy +# Cold boots will be faster and you'll be able to scale your DB independently of your app. +# @see https://www.prisma.io/docs/data-platform/data-proxy/use-data-proxy +#PRISMA_GENERATE_DATAPROXY=true + + +# *********************************************************************************************************** + +# - SHARED ************************************************************************************************** +# Set this to http://app.cal.local:3000 if you want to enable organizations, and +# check variable ORGANIZATIONS_ENABLED at the bottom of this file +NEXT_PUBLIC_WEBAPP_URL='http://localhost:__PORT__' +# Change to 'http://localhost:3001' if running the website simultaneously +NEXT_PUBLIC_WEBSITE_URL='http://localhost:3000' +NEXT_PUBLIC_CONSOLE_URL='http://localhost:3004' +NEXT_PUBLIC_EMBED_LIB_URL='http://localhost:3000/embed/embed.js' + +# To enable SAML login, set both these variables +# @see https://github.com/calcom/cal.com/tree/main/packages/features/ee#setting-up-saml-login +# SAML_DATABASE_URL="postgresql://postgres:@localhost:5450/cal-saml" +SAML_DATABASE_URL= +# SAML_ADMINS='pro@example.com' +SAML_ADMINS= +# NEXT_PUBLIC_HOSTED_CAL_FEATURES=1 +NEXT_PUBLIC_HOSTED_CAL_FEATURES= +# For additional security set to a random secret and use that value as the client_secret during the OAuth 2.0 flow. +SAML_CLIENT_SECRET_VERIFIER= + +# If you use Heroku to deploy Postgres (or use self-signed certs for Postgres) then uncomment the follow line. +# @see https://devcenter.heroku.com/articles/connecting-heroku-postgres#connecting-in-node-js +# PGSSLMODE='no-verify' +PGSSLMODE= + +# Define which hostnames are expected for the app to work on +ALLOWED_HOSTNAMES='"cal.com","cal.dev","cal-staging.com","cal.community","cal.local:3000","localhost:3000"' +# Reserved orgs subdomains for our own usage +RESERVED_SUBDOMAINS='"app","auth","docs","design","console","go","status","api","saml","www","matrix","developer","cal","my","team","support","security","blog","learn","admin"' + +# - NEXTAUTH +# @see: https://github.com/calendso/calendso/issues/263 +# @see: https://next-auth.js.org/configuration/options#nextauth_url +# Required for Vercel hosting - set NEXTAUTH_URL to equal your NEXT_PUBLIC_WEBAPP_URL +NEXTAUTH_URL='http://localhost:3000' +# @see: https://next-auth.js.org/configuration/options#nextauth_secret +# You can use: `openssl rand -base64 32` to generate one +NEXTAUTH_SECRET=__KEY__ +# Used for cross-domain cookie authentication +NEXTAUTH_COOKIE_DOMAIN= + +# Set this to '1' if you don't want Cal to collect anonymous usage +CALCOM_TELEMETRY_DISABLED= + +# ApiKey for cronjobs +CRON_API_KEY='0cc0e6c35519bba620c9360cfe3e68d0' + +# Whether to automatically keep app metadata in the database in sync with the metadata/config files. When disabled, the +# sync runs in a reporting-only dry-run mode. +CRON_ENABLE_APP_SYNC=false + +# Application Key for symmetric encryption and decryption +# must be 32 bytes for AES256 encryption algorithm +# You can use: `openssl rand -base64 32` to generate one +CALENDSO_ENCRYPTION_KEY=__KEY__ + +# Intercom Config +NEXT_PUBLIC_INTERCOM_APP_ID= + +# Secret to enable Intercom Identity Verification +INTERCOM_SECRET= + +# Zendesk Config +NEXT_PUBLIC_ZENDESK_KEY= + +# Help Scout Config +NEXT_PUBLIC_HELPSCOUT_KEY= + +# Fresh Chat Config +NEXT_PUBLIC_FRESHCHAT_TOKEN= +NEXT_PUBLIC_FRESHCHAT_HOST= + +# Google OAuth credentials +# To enable Login with Google you need to: +# 1. Set `GOOGLE_API_CREDENTIALS` above +# 2. Set `GOOGLE_LOGIN_ENABLED` to `true` +# When self-hosting please ensure you configure the Google integration as an Internal app so no one else can login to your instance +# @see https://support.google.com/cloud/answer/6158849#public-and-internal&zippy=%2Cpublic-and-internal-applications +GOOGLE_LOGIN_ENABLED=false + +# - GOOGLE CALENDAR/MEET/LOGIN +# Needed to enable Google Calendar integration and Login with Google +# @see https://github.com/calcom/cal.com#obtaining-the-google-api-credentials +GOOGLE_API_CREDENTIALS= + +# Inbox to send user feedback +SEND_FEEDBACK_EMAIL= + +# Sengrid +# Used for email reminders in workflows and internal sync services +SENDGRID_API_KEY= +SENDGRID_EMAIL= +NEXT_PUBLIC_SENDGRID_SENDER_NAME= + +# Sentry +# Used for capturing exceptions and logging messages +NEXT_PUBLIC_SENTRY_DSN= + +# Formbricks Experience Management Integration +NEXT_PUBLIC_FORMBRICKS_HOST_URL=https://app.formbricks.com +NEXT_PUBLIC_FORMBRICKS_ENVIRONMENT_ID= +FORMBRICKS_FEEDBACK_SURVEY_ID= + +# AvatarAPI +# Used to pre-fill avatar during signup +AVATARAPI_USERNAME= +AVATARAPI_PASSWORD= + +# Twilio +# Used to send SMS reminders in workflows +TWILIO_SID= +TWILIO_TOKEN= +TWILIO_MESSAGING_SID= +TWILIO_PHONE_NUMBER= +TWILIO_WHATSAPP_PHONE_NUMBER= +# For NEXT_PUBLIC_SENDER_ID only letters, numbers and spaces are allowed (max. 11 characters) +NEXT_PUBLIC_SENDER_ID= +TWILIO_VERIFY_SID= + +# Set it to "1" if you need to run E2E tests locally. +NEXT_PUBLIC_IS_E2E= + +# Used for internal billing system +NEXT_PUBLIC_STRIPE_PRO_PLAN_PRICE= +NEXT_PUBLIC_STRIPE_PREMIUM_PLAN_PRICE= +NEXT_PUBLIC_IS_PREMIUM_NEW_PLAN=0 +NEXT_PUBLIC_STRIPE_PREMIUM_NEW_PLAN_PRICE= +STRIPE_TEAM_MONTHLY_PRICE_ID= +STRIPE_ORG_MONTHLY_PRICE_ID= +STRIPE_WEBHOOK_SECRET= +STRIPE_WEBHOOK_SECRET_APPS= +STRIPE_PRIVATE_KEY= +STRIPE_CLIENT_ID= + + +# Use for internal Public API Keys and optional +API_KEY_PREFIX=cal_ +# *********************************************************************************************************** + +# - E-MAIL SETTINGS ***************************************************************************************** +# Cal uses nodemailer (@see https://nodemailer.com/about/) to provide email sending. As such we are trying to +# allow access to the nodemailer transports from the .env file. E-mail templates are accessible within lib/emails/ +# Configures the global From: header whilst sending emails. +EMAIL_FROM='notifications@yourselfhostedcal.com' + +# Configure SMTP settings (@see https://nodemailer.com/smtp/). +# Configuration to receive emails locally (mailhog) +EMAIL_SERVER_HOST='localhost' +EMAIL_SERVER_PORT=1025 + +# Note: The below configuration for Office 365 has been verified to work. +# EMAIL_SERVER_HOST='smtp.office365.com' +# EMAIL_SERVER_PORT=587 +# EMAIL_SERVER_USER='' +# Keep in mind that if you have 2FA enabled, you will need to provision an App Password. +# EMAIL_SERVER_PASSWORD='' + +# The following configuration for Gmail has been verified to work. +# EMAIL_SERVER_HOST='smtp.gmail.com' +# EMAIL_SERVER_PORT=465 +# EMAIL_SERVER_USER='' +## You will need to provision an App Password. +## @see https://support.google.com/accounts/answer/185833 +# EMAIL_SERVER_PASSWORD='' + +# Used for E2E for email testing +# Set it to "1" if you need to email checks in E2E tests locally +# Make sure to run mailhog container manually or with `yarn dx` +E2E_TEST_MAILHOG_ENABLED= + +# Resend +# Send transactional email using resend +# RESEND_API_KEY= + +# ********************************************************************************************************** + +# Cloudflare Turnstile +NEXT_PUBLIC_CLOUDFLARE_SITEKEY= +CLOUDFLARE_TURNSTILE_SECRET= + +# Set the following value to true if you wish to enable Team Impersonation +NEXT_PUBLIC_TEAM_IMPERSONATION=false + +# Close.com internal CRM +CLOSECOM_API_KEY= + +# Sendgrid internal sync service +SENDGRID_SYNC_API_KEY= + +# Change your Brand +NEXT_PUBLIC_APP_NAME="Cal.com" +NEXT_PUBLIC_SUPPORT_MAIL_ADDRESS="help@cal.com" +NEXT_PUBLIC_COMPANY_NAME="Cal.com, Inc." +# Set this to true in to disable new signups +# NEXT_PUBLIC_DISABLE_SIGNUP=true +NEXT_PUBLIC_DISABLE_SIGNUP= + +# Set this to 'non-strict' to enable CSP for support pages. 'strict' isn't supported yet. Also, check the README for details. +# Content Security Policy +CSP_POLICY= + +# Vercel Edge Config +EDGE_CONFIG= + +NEXT_PUBLIC_MINUTES_TO_BOOK=5 # Minutes +NEXT_PUBLIC_BOOKER_NUMBER_OF_DAYS_TO_LOAD=0 # Override the booker to only load X number of days worth of data + +# Control time intervals on a user's Schedule availability +NEXT_PUBLIC_AVAILABILITY_SCHEDULE_INTERVAL= + +# - ORGANIZATIONS ******************************************************************************************* +# Enable Organizations non-prod domain setup, works in combination with organizations feature flag +# This is mainly needed locally, because for orgs to work a full domain name needs to point +# to the app, i.e. app.cal.local instead of using localhost, which is very disruptive +# +# This variable should only be set to 1 or true if you are in a non-prod environment and you want to +# use organizations +ORGANIZATIONS_ENABLED= + +# This variable should only be set to 1 or true if you want to autolink external provider sing-ups with +# existing organizations based on email domain address +ORGANIZATIONS_AUTOLINK= + +# Vercel Config to create subdomains for organizations +# Get it from https://vercel.com///settings +PROJECT_ID_VERCEL= +# Get it from: https://vercel.com/teams//settings +TEAM_ID_VERCEL= +# Get it from: https://vercel.com/account/tokens +AUTH_BEARER_TOKEN_VERCEL= +# Add the main domain that you want to use for testing vercel domain management for organizations. This is necessary because WEBAPP_URL of local isn't a valid public domain +# Would create org1.example.com for an org with slug org1 +# LOCAL_TESTING_DOMAIN_VERCEL="example.com" + +## Set it to 1 if you use cloudflare to manage your DNS and would like us to manage the DNS for you for organizations +# CLOUDFLARE_DNS=1 +## Get it from: https://dash.cloudflare.com/profile/api-tokens. Select Edit Zone template and choose a zone(your domain) +# AUTH_BEARER_TOKEN_CLOUDFLARE= +## Zone ID can be found in the Overview tab of your domain in Cloudflare +# CLOUDFLARE_ZONE_ID= +## It should usually work with the default value. This is the DNS CNAME record content to point to Vercel domain +# CLOUDFLARE_VERCEL_CNAME=cname.vercel-dns.com + +# - APPLE CALENDAR +# Used for E2E tests on Apple Calendar +E2E_TEST_APPLE_CALENDAR_EMAIL="" +E2E_TEST_APPLE_CALENDAR_PASSWORD="" + +# - CALCOM QA ACCOUNT +# Used for E2E tests on Cal.com that require 3rd party integrations +E2E_TEST_CALCOM_QA_EMAIL="qa@example.com" +# Replace with your own password +E2E_TEST_CALCOM_QA_PASSWORD="password" +E2E_TEST_CALCOM_QA_GCAL_CREDENTIALS= +E2E_TEST_CALCOM_GCAL_KEYS= + +# - APP CREDENTIAL SYNC *********************************************************************************** +# Used for self-hosters that are implementing Cal.com into their applications that already have certain integrations +# Under settings/admin/apps ensure that all app secrets are set the same as the parent application +# You can use: `openssl rand -base64 32` to generate one +CALCOM_CREDENTIAL_SYNC_SECRET="" +# This is the header name that will be used to verify the webhook secret. Should be in lowercase +CALCOM_CREDENTIAL_SYNC_HEADER_NAME="calcom-credential-sync-secret" +# This the endpoint from which the token is fetched +CALCOM_CREDENTIAL_SYNC_ENDPOINT="" +# Key should match on Cal.com and your application +# must be 24 bytes for AES256 encryption algorithm +# You can use: `openssl rand -base64 24` to generate one +CALCOM_APP_CREDENTIAL_ENCRYPTION_KEY="" + +# - OIDC E2E TEST ******************************************************************************************* + +# Ensure this ADMIN EMAIL is present in the SAML_ADMINS list +E2E_TEST_SAML_ADMIN_EMAIL= +E2E_TEST_SAML_ADMIN_PASSWORD= + +E2E_TEST_OIDC_CLIENT_ID= +E2E_TEST_OIDC_CLIENT_SECRET= +E2E_TEST_OIDC_PROVIDER_DOMAIN= + +E2E_TEST_OIDC_USER_EMAIL= +E2E_TEST_OIDC_USER_PASSWORD= + +# *********************************************************************************************************** + +# provide a value between 0 and 100 to ensure the percentage of traffic +# redirected from the legacy to the future pages +AB_TEST_BUCKET_PROBABILITY=50 +# whether we redirect to the future/event-types from event-types or not +APP_ROUTER_EVENT_TYPES_ENABLED=0 +APP_ROUTER_SETTINGS_ADMIN_ENABLED=0 +APP_ROUTER_APPS_INSTALLED_CATEGORY_ENABLED=0 +APP_ROUTER_APPS_SLUG_ENABLED=0 +APP_ROUTER_APPS_SLUG_SETUP_ENABLED=0 +# whether we redirect to the future/apps/categories from /apps/categories or not +APP_ROUTER_APPS_CATEGORIES_ENABLED=0 +# whether we redirect to the future/apps/categories/[category] from /apps/categories/[category] or not +APP_ROUTER_APPS_CATEGORIES_CATEGORY_ENABLED=0 +APP_ROUTER_BOOKINGS_STATUS_ENABLED=0 +APP_ROUTER_WORKFLOWS_ENABLED=0 +APP_ROUTER_SETTINGS_TEAMS_ENABLED=0 +APP_ROUTER_GETTING_STARTED_STEP_ENABLED=0 +APP_ROUTER_APPS_ENABLED=0 +APP_ROUTER_VIDEO_ENABLED=0 +APP_ROUTER_TEAMS_ENABLED=0 + +# disable setry server source maps +SENTRY_DISABLE_SERVER_WEBPACK_PLUGIN=1 + +# api v2 +NEXT_PUBLIC_API_V2_URL="http://localhost:5555/api/v2" + +# Tasker features +TASKER_ENABLE_WEBHOOKS=0 +TASKER_ENABLE_EMAILS=0 + +# Ratelimiting via unkey +UNKEY_ROOT_KEY= + + +# Used for Cal.ai Enterprise Voice AI Agents +# https://retellai.com +RETELL_AI_KEY= diff --git a/conf/nginx.conf b/conf/nginx.conf new file mode 100644 index 0000000..af69dcd --- /dev/null +++ b/conf/nginx.conf @@ -0,0 +1,15 @@ +#sub_path_only rewrite ^__PATH__$ __PATH__/ permanent; +location __PATH__/ { + + proxy_pass http://127.0.0.1:__PORT__/; + proxy_redirect off; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Host $server_name; + + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; +} diff --git a/conf/systemd.service b/conf/systemd.service new file mode 100644 index 0000000..3ac834c --- /dev/null +++ b/conf/systemd.service @@ -0,0 +1,49 @@ +[Unit] +Description=Cal.com: +After=network.target + +[Service] +Type=simple +User=__APP__ +Group=__APP__ +Environment="__YNH_NODE_LOAD_PATH__" +Environment="NODE_ENV=production" +WorkingDirectory=__INSTALL_DIR__/ +ExecStart=__YNH_NPM__ start + +### Depending on specificities of your service/app, you may need to tweak these +### .. but this should be a good baseline +# Sandboxing options to harden security +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectClock=yes +ProtectHostname=yes +ProtectProc=invisible +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallArchitectures=native +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + +[Install] +WantedBy=multi-user.target -- cgit v1.2.3