Catalyst / admin/Synapse-Cortex 14.8 GB / 57.8 GB 40.0 GB free
Help Sign in

admin / Synapse-Cortex

public

Self Hosted ITSM Tool with RBAC/Tenanting and MFA

Code Issues Pull requests Pipelines Packages Security Insights Wiki Settings
Synapse-Cortex / Synapse-Cortexv2 / .env.example 2978 B · main
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
POSTGRES_USER=cortex
POSTGRES_PASSWORD=change-me
POSTGRES_DB=synapse_cortex
# Also wraps the credential vault key at rest once created via Admin ->
# Vault (see below) - keep this at least as protected as a database
# credential.
SECRET_KEY=replace-with-a-long-random-value

# AI Remediation Module
# The credential vault (a Fernet key protecting vaulted host credentials
# and the saved Claude API key) is no longer configured via environment
# variable - a global_admin creates it exactly once from Admin -> Vault in
# the running app. There is no env var equivalent and no rotate/recreate
# path anywhere in the app.
#
# Claude API key for the AI investigator: preferably saved from Admin -> AI
# Settings (encrypted with the tenant's vault key) once a vault exists.
# ANTHROPIC_API_KEY below is only a fallback for deployments that want to
# configure it via environment instead - the UI-saved key takes priority
# when both are set. Leave both unset until then - the investigate endpoint
# fails with a clear error rather than crashing.
ANTHROPIC_API_KEY=
# "Execute Live on Client" is available on EVERY deployment and for every
# playbook, and always opens a REAL SSH connection to fix the client using the
# vaulted credential linked to the ticket. It is gated by an explicit human
# confirmation AND a prior simulation of the same run (the Simulate button is
# the separate safe rehearsal). Real-SSH tuning:
#   SSH_AUTO_ADD_HOST_KEYS - true (default) trusts a host's key on first contact
#     so a new host just connects; false rejects hosts absent from known_hosts.
#   SSH_CONNECT_TIMEOUT / SSH_COMMAND_TIMEOUT - seconds; bound connect + per-command.
SSH_AUTO_ADD_HOST_KEYS=true
SSH_CONNECT_TIMEOUT=10
SSH_COMMAND_TIMEOUT=60
# Privilege elevation is AUTO-DETECTED per host: on first contact Cortex checks
# `id -u`, then runs commands directly on a root account or via sudo (whole
# command in a shell under `sudo -S`, password on stdin, never in the command
# text) on a non-root account - so a fleet mixing root and non-root hosts just
# works with no per-host config.
#   SSH_USE_SUDO      - true (default) auto-detect (root -> direct, non-root ->
#                       sudo); false to never use sudo (run exactly as given).
#   SSH_SUDO_PASSWORD - password for sudo. Defaults to the ticket's vaulted
#                       credential secret (the account's own password); set this
#                       only if the sudo password differs from the login one.
#   SSH_SUDO_SHELL    - shell used to run the command under sudo (default bash).
# Requires the sudoers entry to allow the command (ideally NOPASSWD or the
# account's password) and `requiretty` to be OFF (the modern default).
SSH_USE_SUDO=true
SSH_SUDO_SHELL=bash
# Playbooks may only be set to AUTO_APPROVE (skips the human Approve click)
# when this is true, and only by a global_admin. Defaults to false so
# out-of-the-box behavior always requires an explicit approval.
ALLOW_AUTO_APPROVE=false