.env.example
# NOTE:
# The variables set here are not all automatically passed to the containers when run with our provided
# Docker Compose files. Only specific ones are (see docker-compose.yaml).
# If you need to add new environment variables, refer to them in the Compose file in the appropriate
# container for your configuration to be correctly applied.
# See https://docs.checkmarble.com/docs/technical-configuration#/ for a full guide to Marble environment variables, agnostic
# of the docker-compose context.
#
# REQUIRED SETTINGS
#
# Ports on the host Docker will listen on. Specific to using docker-compose,
# can be ignored for a deployment with managed containers or k8s.
HOST_API_PORT=8080
HOST_APP_PORT=3000
# Set this to the URL used by your users to access Marble's frontend from the browser.
# Must include the scheme (e.g. http://), and the port if non-standard.
MARBLE_APP_URL="http://localhost:3000"
# Set the value to the URL the Marble API can be reached at, from the frontend host. Must include the scheme (e.g. http://).
# With docker-compose, use the api container name as host name.
MARBLE_API_URL="http://api:8080"
# RSA private key, in PEM format, used for signing authentication tokens. MUST be changed for production.
# We recommend using AUTHENTICATION_JWT_SIGNING_KEY_FILE to point to a private key on disk because multi-line
# environment variables are not handled very gracefully.
#
# If using AUTHENTICATION_JWT_SIGNING_KEY, line breaks should be replaced with '\n':
# e.g. AUTHENTICATION_JWT_SIGNING_KEY="-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBA...
#
# To generate a private key, use `openssl genrsa -out /path/to/private/key.pem 4096`.
# If left empty, a key will be regenerated on every app restart, which may cause unexpected logouts.
AUTHENTICATION_JWT_SIGNING_KEY=
# AUTHENTICATION_JWT_SIGNING_KEY_FILE=/shared/jwt_key.pem
# Configure your PostgreSQL database connection information, either by providing a DSN using this form (no other format is accepted):
# PG_CONNECTION_STRING='postgres://postgres:marble@localhost:5432/marble?sslmode=prefer'
# Or by setting each piece of information in those variables:
PG_HOSTNAME=db
PG_PORT=5432
PG_USER=postgres
PG_PASSWORD=changeme
# For production, this SHOULD be set to 'require'
PG_SSL_MODE=prefer
# Configure the ID of your Firebase project for authentication and the path to the service account's JSON private key file.
# - The 'Project ID' can be found in the 'General' section of your Firebase project's settings page.
# - The private key must be generated in the 'Service accounts' tab by clicking 'Generate new private key'
# If you are using GCS as a blob storage backend, the same service account key is used to sign URLs.
GOOGLE_CLOUD_PROJECT=
FIREBASE_PROJECT_ID=
GOOGLE_APPLICATION_CREDENTIALS=/shared/service_account_key.json
# Configure the document blob storage backend.
# The example values MUST be changed for anything but a local test environment since the file provider does not support all features.
#
# Several blob storage implementations are supported:
# - 'file://{path}?create_dir=true' (see https://pkg.go.dev/gocloud.dev/blob/fileblob#URLOpener)
# - 'gs://{bucket_name}' for Google Cloud Storage
# - 's3://{bucket_name}' for AWS S3 or any S3-compatible platform (Minio, ...)
# - 'azblob://{bucket_name}' for Azure Blob Storage
#
# Depending on the used cloud provider, the idiomatic way to discover credentials will be used, such as:
# - GOOGLE_APPLICATION_CREDENTIALS or Application Default Credentials for Google Cloud Platform
# - AWS_DEFAULT_REGION, AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY or default profile for Amazon Web Services
# - AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_KEY or equivalent for Azure
#
# If you are using Minio, you should use the S3 provider with some options set, depending on your setup, for example:
# - s3://marble?awssdk=v1&endpoint=https://minio.local&s3ForcePathStyle=true
# When testing Marble, you can add the 'requireSSL=false' query parameter to connect in cleartext.
#
# See https://gocloud.dev/howto/blob/ for more details.
INGESTION_BUCKET_URL="file://./tempFiles/data-ingestion-bucket?create_dir=true"
CASE_MANAGER_BUCKET_URL="file://./tempFiles/case-manager-bucket?create_dir=true"
ANALYTICS_BUCKET_URL="file://./tempFiles/analytics-bucket?create_dir=true"
# Configure your Firebase project to allow username and password authentication.
# To retrieve this value, go into the settings of your Firebase project, and register
# a new app from the 'General' tab.
FIREBASE_API_KEY=
# Generate a random string, for instance using `openssl rand -base64 128 | tr -d "\n"`
SESSION_SECRET=changeme
#
# OPTIONAL SETTINGS
#
# Used for minor logging and telemetry settings. In particular, it will be used by Sentry to mark the environment
# an error occurred in. In the general case, leave it untouched and it should work fine.
# *DO NOT* set it to "development" for production purposes, as this specifically enables some unsafe settings.
# ENV=production
# Configure the frontend cookie session max age, in seconds. Defaults to 43200
# SESSION_MAX_AGE=43200
# Set your license key here if you have one in order to access premium features.
LICENSE_KEY=
# Marble collects basic anonymous product usage data (broad decision volumes and related data) and simple user analytics via Segment (non-anonymous, but not correlated with product usage statistics).
# You can disable them here, but please note that we do this in order to better understand product usage patterns and that you help us improve the product by leaving them on.
DISABLE_SEGMENT=false
DISABLE_TELEMETRY=false
# Change the two settings below to create your initial organization and users.
# The user must also have a matching account in the authentication store used (in Firebase, for example).
# Subsequent users will be able to be created from the application, and the variables
# can be left blank.
CREATE_ORG_NAME=
CREATE_ORG_ADMIN_EMAIL=
# Set up connection details to Convoy to enable sending webhooks.
# You can get your project ID and API key from your project settings page in Convoy's dashboard, in the "Secrets" section.
# NB: CONVOY_API_URL should be {scheme}://{host}:{port}/api - forgetting the /api will result in unexpected errors.
CONVOY_API_URL=
CONVOY_API_KEY=
CONVOY_PROJECT_ID=
# Configure the URL of the Elasticsearch instance used by motiva for sanction screening.
# Those are not specific to marble, and are only used to configure containers
# when using docker-compose.
ELASTICSEARCH_HOST=http://marble-es:9200
ES_PORT=9200
# Configure access to the Open Sanctions API to use sanction checks
#
# If you use the SaaS Open Sanctions API, only uncomment OPENSANCTIONS_API_KEY and provide its value.
# If you self-host the API, uncomment all relevant settings to point to your deployment and configure authentication.
# - OPENSANCTIONS_AUTH_METHOD supports 'bearer' and 'basic'
# If basic, provide the username and password in the form of 'user:password'
# The value below corresponds to the setting to use with the docker-compose.yaml file in the repository.
OPENSANCTIONS_API_HOST=http://marble-motiva
# OPENSANCTIONS_AUTH_METHOD=bearer
# OPENSANCTIONS_API_KEY=
# Configure various external integrations.
# SENTRY_DSN=
# If you need to support federated authentication through Firebase, you will need to configure the following settings:
# To retrieve those values, go into the settings of your Firebase project, and register a new app from the 'General' tab.
# The two pieces of information below will be provided to you after that.
# FIREBASE_APP_ID=
# FIREBASE_AUTH_DOMAIN=
# Set to true to offload decision rules content to blob storage.
# This will enable a background task moving the rule payloads that are older than `OFFLOADING_BEFORE`
# to blob storage to improve database efficiency, while keeping retention requirements.
# If enabled, OFFLOADING_BUCKET_URL (see syntax above along with CASE_MANAGER_BUCKET_URL) must be set on the API and worker,
# while the other variables below need only be set on the worker.
# OFFLOADING_ENABLED=false
# OFFLOADING_BUCKET_URL="file://./tempFiles/offloading-bucket?create_dir=true"
# OFFLOADING_JOB_INTERVAL=30m
# OFFLOADING_BEFORE=168h
# OFFLOADING_BATCH_SIZE=10000
# OFFLOADING_SAVE_POINTS=1000
# OFFLOADING_WRITES_PER_SEC=200
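
A pre-deployment check for the settings above, as an added example that is not part of the Marble repository: it flags the values this file's comments mark as unsafe outside a local test environment (placeholder `changeme` secrets, `PG_SSL_MODE` other than `require`, `ENV=development`, no JWT signing key, `file://` buckets, `requireSSL=false`). The function names, and the rule that an `sslmode` inside `PG_CONNECTION_STRING` is checked in place of `PG_SSL_MODE`, are assumptions.

```sh
#!/bin/sh
# Added example: lint a Marble .env file against the warnings in .env.example.

# Print the last uncommented value of KEY ($2) in FILE ($1), outer quotes stripped.
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Print one finding per line; exit status 0 means no findings.
check_env() {
    f=$1; n=0
    flag() { echo "$1"; n=$((n + 1)); }

    for k in PG_PASSWORD SESSION_SECRET; do
        if [ "$(env_get "$f" "$k")" = "changeme" ]; then
            flag "$k is still the placeholder 'changeme'"
        fi
    done
    # Assumption: when the DSN carries an sslmode parameter, that is the one checked.
    ssl=$(env_get "$f" PG_SSL_MODE)
    dsn=$(env_get "$f" PG_CONNECTION_STRING)
    case $dsn in *sslmode=*) ssl=${dsn##*sslmode=}; ssl=${ssl%%&*} ;; esac
    if [ "$ssl" != "require" ]; then
        flag "PostgreSQL SSL mode is '$ssl'; use 'require' for production"
    fi
    if [ "$(env_get "$f" ENV)" = "development" ]; then
        flag "ENV=development enables unsafe settings"
    fi
    if [ -z "$(env_get "$f" AUTHENTICATION_JWT_SIGNING_KEY)" ] &&
       [ -z "$(env_get "$f" AUTHENTICATION_JWT_SIGNING_KEY_FILE)" ]; then
        flag "no JWT signing key set: one is regenerated on every restart"
    fi
    for k in INGESTION_BUCKET_URL CASE_MANAGER_BUCKET_URL \
             ANALYTICS_BUCKET_URL OFFLOADING_BUCKET_URL; do
        case $(env_get "$f" "$k") in
            file://*) flag "$k uses the local file provider" ;;
            *requireSSL=false*) flag "$k connects in cleartext (requireSSL=false)" ;;
        esac
    done
    [ "$n" -eq 0 ]
}

# Usage: sh check_env.sh /path/to/.env
if [ "$#" -gt 0 ]; then check_env "$1"; fi
```

Only uncommented `KEY=value` lines are read, so a commented-out `# ENV=production` or `# AUTHENTICATION_JWT_SIGNING_KEY_FILE=...` counts as unset.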