From 09aed43301a5b7396bcc6ff312da3442847b343c Mon Sep 17 00:00:00 2001 From: Tomas Rebro Date: Tue, 8 Oct 2024 22:14:21 +0200 Subject: [PATCH 1/6] Add new pages --- mint.json | 4 ++++ self-host/docker-compose.mdx | 3 +++ self-host/helm-chart.mdx | 3 +++ 3 files changed, 10 insertions(+) create mode 100644 self-host/docker-compose.mdx create mode 100644 self-host/helm-chart.mdx diff --git a/mint.json b/mint.json index 8fde8f7..3eb2686 100644 --- a/mint.json +++ b/mint.json @@ -106,6 +106,10 @@ } ] }, + { + "group": "Self-host", + "pages": ["self-host/docker-compose","self-host/helm-chart"] + }, { "group": "Media & Presentations", "pages": ["videos-and-talks/web-expo","videos-and-talks/deepnote-case"] diff --git a/self-host/docker-compose.mdx b/self-host/docker-compose.mdx new file mode 100644 index 0000000..73b5995 --- /dev/null +++ b/self-host/docker-compose.mdx @@ -0,0 +1,3 @@ +--- +title: 'Local - Docker Compose' +--- \ No newline at end of file diff --git a/self-host/helm-chart.mdx b/self-host/helm-chart.mdx new file mode 100644 index 0000000..d236965 --- /dev/null +++ b/self-host/helm-chart.mdx @@ -0,0 +1,3 @@ +--- +title: 'Kubernetes - Helm Chart' +--- \ No newline at end of file From d6e27dadf1640b82e351b4c03f715445c8de0487 Mon Sep 17 00:00:00 2001 From: Tomas Rebro Date: Thu, 10 Oct 2024 12:37:36 +0200 Subject: [PATCH 2/6] Update docs --- self-host/docker-compose.mdx | 194 ++++++++++++++++++++++++++++++++++- self-host/helm-chart.mdx | 119 ++++++++++++++++++++- 2 files changed, 311 insertions(+), 2 deletions(-) diff --git a/self-host/docker-compose.mdx b/self-host/docker-compose.mdx index 73b5995..b59f006 100644 --- a/self-host/docker-compose.mdx +++ b/self-host/docker-compose.mdx 
@@ -1,3 +1,195 @@ --- title: 'Local - Docker Compose' ---- \ No newline at end of file +--- + +This guide walks you through setting up Langtail for **local development** using Docker Compose. + +> **Note:** This setup is for **local development** only. It is **not recommended for production** due to the use of default secrets and non-persistent database. For production, follow the [Kubernetes Helm Chart guide](/self-host/helm-chart). + +## Prerequisites + +- Docker and Docker Compose installed. +- Basic knowledge of Docker Compose commands. + +## Docker Compose Setup + +Below is the Docker Compose configuration for running Langtail locally: + +```yaml +services: + db: + image: mysql:8.0 + environment: + MYSQL_ROOT_PASSWORD: rootpassword + MYSQL_DATABASE: langtail + MYSQL_USER: admin + MYSQL_PASSWORD: admin + ports: + - "3306:3306" + volumes: + - mysql-data:/var/lib/mysql # Persists data across container restarts + + wait-for-db: + image: atkrad/wait4x + depends_on: + db: + condition: service_started + command: tcp db:3306 -t 30s -i 250ms + + init-db: + platform: linux/amd64 + image: langtail/langtail-db-migrations:latest + environment: + DATABASE_URL: "mysql://admin:admin@db:3306/langtail" + depends_on: + wait-for-db: + condition: service_completed_successfully + + app: + platform: linux/amd64 + image: langtail/langtail:latest + environment: + # Email settings + SMTP_URL: "smtp://user:password@smtp.example.com:587" + EMAIL_FROM: "default@example.com" + + # JWT keys (use default or generate your own) + JWT_PRIVATE: '{"key_ops":["sign"],"kty": "EC","d": "bSsPE9H0IiKvxxZA6zPxjUpSLqa0bIDlluPxnTNnt88","use": "sig","crv": "P-256","x": "IavsPecpkyukuGxL6qcS6a-TG_yE9Rv4O_MaM8moUI0","y": "S9NhGgdxLrZHYgvrcT1xEMW76rM_x2C64h_y2oUGnfo","alg": "ES256"}' + JWT_PUBLIC: '{"key_ops":["verify"],"kty": "EC","use": "sig","crv": "P-256","x": "IavsPecpkyukuGxL6qcS6a-TG_yE9Rv4O_MaM8moUI0","y": "S9NhGgdxLrZHYgvrcT1xEMW76rM_x2C64h_y2oUGnfo","alg": "ES256"}' + JWT_SIGNING_KEY: '{"kty": 
"oct","use": "sig","k": "vRCzGRHUGztzfvB-TSmNmcBHiC2ccz92M0RDJNkmwZjmFHsD_xlfHGD_3qewcO0p23s_BJIQkW92pRW4zNVPnO66jY3-ZZ7dIbt4x3ETh6-9TJ5X_B9Rb9e9ZNraH3TSKidW0Q6IvZq01qRSBiuhIddeC20HdFdUe-M-yGygie3EvsxXA3tL__o9pb25LHovsqZDwAi46TpovwHF5lS9K_a79-a9HLhPLvqbclSbhcC0mDwFiHaRGyB-xKiOpgpmdbdf2d1sdUnx8i8sA3sYS5Lo4gyhk2r_U2a8l9oU2s44erp-i3klGsVYuE82JNOeB9B7-hYuTwckvXLm75G0Ng"}' + + # Authentication settings + AUTH_SECRET: "7AdqG566X2lX2klWVbgjlLZVjgxLve2a/NVRHCs0PnI=" # Use default or generate your own + AUTH_URL: "http://localhost:3000" + + # Database + DATABASE_URL: "mysql://admin:admin@db:3306/langtail" + PRISMA_FIELD_ENCRYPTION_KEY: "k1.aesgcm256.Yf2B9VlwQGmRSOzppSxEgnAgxCnk3ucvbwcqul17f_g=" # Use default or generate your own + + # Misc configurations (adjust if needed) + TINYBIRD_API_URL: "https://default-tinybird-api-url.com" + EVALUATOR_URL: "https://default-evaluator-url.com" + IS_E2E_TEST: "false" + SENTRY_ENABLED: "true" + SKIP_ENV_VALIDATION: "false" + + # API Keys (use default or customize) + IMAGES_AWS_SECRET_ACCESS_KEY: "default-aws-secret-access-key" # Generate your own + LANGTAIL_MAGIC_TOKEN: "default-langtail-magic-token" # TODO what's this? + LANGTAIL_MAGIC_TESTS_TOKEN: "default-langtail-magic-tests-token" # TODO what's this? + EMAIL_VERIFICATION_SECRET: "default-email-verification-secret" + STRIPE_SECRET_KEY: "default-stripe-secret-key" + TINYBIRD_API_KEY: "default-tinybird-api-key" + CANNY_JWT_KEY: "default-canny-jwt-key" + STRIPE_SECRET_KEY: "default-stripe-secret-key" + EVALUATOR_API_KEY: "default-evaluator-api-key" # TODO should be removed? + + # Social login IDs (use default or customize) + GITHUB_ID: "default-github-id" + GITHUB_SECRET: "default-github-secret" + GOOGLE_ID: "default-google-id" + GOOGLE_SECRET: "default-google-secret" + + # TODO should be removed? 
+ CLERK_SECRET_KEY: "default-clerk-secret-key" + LOOPS_API_KEY: "default-loops-api-key" + NEXT_PUBLIC_REWARDFUL_API_KEY: "default-rewardful-api-key" + ports: + - 3000:3000 + depends_on: + init-db: + condition: service_completed_successfully + +volumes: + mysql-data: +``` + +### Explanation of Services + +- **db**: Runs a MySQL 8.0 database with credentials for local use. +- **wait-for-db**: Ensures the database is ready before starting other services. +- **init-db**: Initializes the database by running migrations after the database is ready. +- **app**: The main Langtail application, which depends on the database and migrations. + +## Generate Your Own Secrets (Optional) + +While the default secrets are fine for local development, it is recommended to generate your own if desired. Here are the steps: + +### Generate `AUTH_SECRET` + +Run the following command to generate a new `AUTH_SECRET`: + +```bash +$ openssl rand -base64 32 +``` + +### Generate `JWT_PUBLIC` and `JWT_PRIVATE` + +To generate new JWT keys: + +1. Go to [https://mkjwk.org/](https://mkjwk.org/). +1. Select **EC** as the key type and **P-256** as the curve. +1. Copy the public and private keys and replace them in your `docker-compose.yml` under `JWT_PRIVATE` and `JWT_PUBLIC`. + +### Generate `JWT_SIGNING_KEY` + +To generate a new signing key: + +1. Go to [https://mkjwk.org/](https://mkjwk.org/). +1. Select **oct** as the key type and **Signature** as the key use. +1. Copy the generated key and replace the `JWT_SIGNING_KEY` in your `docker-compose.yml`. + +## Sending Emails (Optional) + +If you want to test sending emails (e.g., for user sign-up verification), you will need to set up an SMTP server. For local development, you can use a free service like [Ethereal Email](https://ethereal.email/). + +### Setup SMTP using Ethereal Email + +1. Sign up for a free Ethereal Email account. +1. Copy the SMTP credentials (host, port, username, password). +1. 
Update the `SMTP_URL` in your `docker-compose.yml` with the following format: + +```bash +SMTP_URL="smtp://username:password@smtp.ethereal.email:587" +``` + +## Configuring Social Login (Optional) + +Langtail supports social login via Google and GitHub. To enable this feature, you need to obtain OAuth credentials from Google and GitHub and set the corresponding environment variables. + +### Google Social Login + +1. Follow the instructions at [NextAuth.js - Google Provider](https://next-auth.js.org/providers/google) to create a Google OAuth application. +2. Obtain your **Google Client ID** and **Google Client Secret**. +3. Update your `docker-compose.yml`: + +```yaml +environment: + GOOGLE_ID: "your-google-client-id" + GOOGLE_SECRET: "your-google-client-secret" +``` + +### GitHub Social Login + +1. Follow the instructions at [NextAuth.js - GitHub Provider](https://next-auth.js.org/providers/github) to create a GitHub OAuth application. +2. Obtain your **GitHub Client ID** and **GitHub Client Secret**. +3. Update your `docker-compose.yml`: + +```yaml +environment: + GITHUB_ID: "your-github-client-id" + GITHUB_SECRET: "your-github-client-secret" +``` + +> **Note:** Ensure that your OAuth application's redirect URIs are set correctly to `http://localhost:3000/api/auth/callback/google` for Google and `http://localhost:3000/api/auth/callback/github` for GitHub. + +## Running the Application + +1. Save the `docker-compose.yml` file in your project root. +1. Run the following command to start the services: + +```bash +docker-compose up +``` + +1. Once all services are up, you can access the app at [http://localhost:3000](http://localhost:3000). \ No newline at end of file diff --git a/self-host/helm-chart.mdx b/self-host/helm-chart.mdx index d236965..2c9fa0b 100644 --- a/self-host/helm-chart.mdx +++ b/self-host/helm-chart.mdx 
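Review bot: The `db` service publishes MySQL with `- "3306:3306"`, which Docker binds to all host interfaces by default, so the `admin`/`admin` credentials declared a few lines above are reachable from any machine on the same network even in the "local development" setup this page describes; nothing outside the compose network needs that port, so drop the mapping or bind it to loopback with `- "127.0.0.1:3306:3306"` (and `- "127.0.0.1:3000:3000"` for `app`). The `JWT_PRIVATE`, `JWT_SIGNING_KEY`, `AUTH_SECRET` and `PRISMA_FIELD_ENCRYPTION_KEY` values are working key material now published in the docs, so any instance that keeps them lets anyone who read this page forge its session tokens; the `# Use default or generate your own` comments should say `# Placeholder published in the docs - regenerate before exposing the instance to anyone else`. The note at the top also says the database is non-persistent, while the `mysql-data` volume is declared precisely to persist it across restarts, so one of the two statements should change.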
@@ -1,3 +1,120 @@ --- title: 'Kubernetes - Helm Chart' ---- \ No newline at end of file +--- + +This guide covers deploying Langtail for **production** using Kubernetes with a Helm chart. + +> **Note:** This setup is for **production**, and it is **highly recommended** to generate your own secrets for security. Using default or insecure secrets in production is not advised. + +## Prerequisites + +1. A running **Kubernetes cluster**. +2. **Helm** installed on your local machine. +3. A **managed MySQL database**. +4. Access to the [Langtail Helm chart repository](https://github.com/langtail/langtail-k8s). + +### Required Environment Variables + +Before deploying, ensure you have the following environment variables configured in your Helm values file: + +```yaml +# ENVs +DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database" +MIGRATIONS_DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database" + +EMAIL_FROM: "your-email@example.com" +SMTP_URL: "smtp://user:password@smtp.example.com:587" +EMAIL_VERIFICATION_SECRET: "your-email-verification-secret" + +JWT_SIGNING_KEY: "your-jwt-signing-key" +JWT_PRIVATE: "your-jwt-private-key" +JWT_PUBLIC: "your-jwt-public-key" +AUTH_SECRET: "your-auth-secret" + +LANGTAIL_MAGIC_TOKEN: "your-langtail-magic-token" +LANGTAIL_MAGIC_TESTS_TOKEN: "your-langtail-magic-tests-token" + +PRISMA_FIELD_ENCRYPTION_KEY: "your-prisma-field-encryption-key" +IMAGES_AWS_SECRET_ACCESS_KEY: "your-aws-secret-access-key" +``` + +### Generating Production-Ready Secrets + +In production, you **must** generate and set secure values for the following secrets. Here’s how to generate them: + +**Generate `AUTH_SECRET`** + +Run the following command to generate a new `AUTH_SECRET`: + +```bash +$ openssl rand -base64 32 +``` + +**Generate `JWT_PUBLIC` and `JWT_PRIVATE`** + +To generate new JWT keys: + +1. Go to [https://mkjwk.org/](https://mkjwk.org/). +1. Select **EC** as the key type and **P-256** as the curve. +1. 
Copy the public and private keys and replace them in your `docker-compose.yml` under `JWT_PRIVATE` and `JWT_PUBLIC`. + +**Generate `JWT_SIGNING_KEY`** + +To generate a new signing key: + +1. Go to [https://mkjwk.org/](https://mkjwk.org/). +1. Select **oct** as the key type and **Signature** as the key use. +1. Copy the generated key and replace the `JWT_SIGNING_KEY` in your `docker-compose.yml`. + +### Configuring Social Logins (Google and GitHub) + +To configure social login with Google and GitHub, follow the steps below: + +- **Google OAuth Credentials**: + [NextAuth.js - Google Provider](https://next-auth.js.org/providers/google) + +- **GitHub OAuth Credentials**: + [NextAuth.js - GitHub Provider](https://next-auth.js.org/providers/github) + +Set the corresponding environment variables in your Helm values: + +```yaml +GITHUB_ID: "your-github-client-id" +GITHUB_SECRET: "your-github-client-secret" +GOOGLE_ID: "your-google-client-id" +GOOGLE_SECRET: "your-google-client-secret" +``` + +## Installing the Helm Chart + +To install Langtail using the Helm chart, follow these steps: + +1. Add the Langtail Helm repository: + + ```bash + helm repo add langtail https://github.com/langtail/langtail-k8s + ``` + +2. Install the Helm chart with your configured values (replace placeholders with your actual values): + + ```bash + helm install langtail langtail/langtail \ + --set-file values.yaml + ``` + +## Running Migrations with Helm Hooks + +Langtail uses **Helm chart hooks** to manage migrations. The migration job runs automatically as part of the Helm chart upgrade process, ensuring that migrations are applied before the new version of the app is deployed. + +To deploy or upgrade the Helm chart and apply the migrations: + +```bash +helm upgrade langtail langtail/langtail \ + --set-file values.yaml +``` + +This will ensure that the migrations are run before the app spins up with the new version. 
+ +## Accessing Langtail + +Once the deployment is complete, your Langtail instance will be running on your Kubernetes cluster. Use the service details provided by Kubernetes to access the application. From 8edd2437076f84f0d1d51477bb4b692f15bdf441 Mon Sep 17 00:00:00 2001 From: Tomas Rebro Date: Fri, 11 Oct 2024 12:53:30 +0200 Subject: [PATCH 3/6] Update docker compose --- self-host/docker-compose.mdx | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/self-host/docker-compose.mdx b/self-host/docker-compose.mdx index b59f006..82cda6b 100644 --- a/self-host/docker-compose.mdx +++ b/self-host/docker-compose.mdx @@ -52,6 +52,7 @@ services: # Email settings SMTP_URL: "smtp://user:password@smtp.example.com:587" EMAIL_FROM: "default@example.com" + EMAIL_VERIFICATION_SECRET: "default-email-verification-secret" # JWT keys (use default or generate your own) JWT_PRIVATE: '{"key_ops":["sign"],"kty": "EC","d": "bSsPE9H0IiKvxxZA6zPxjUpSLqa0bIDlluPxnTNnt88","use": "sig","crv": "P-256","x": "IavsPecpkyukuGxL6qcS6a-TG_yE9Rv4O_MaM8moUI0","y": "S9NhGgdxLrZHYgvrcT1xEMW76rM_x2C64h_y2oUGnfo","alg": "ES256"}' @@ -67,7 +68,6 @@ services: PRISMA_FIELD_ENCRYPTION_KEY: "k1.aesgcm256.Yf2B9VlwQGmRSOzppSxEgnAgxCnk3ucvbwcqul17f_g=" # Use default or generate your own # Misc configurations (adjust if needed) - TINYBIRD_API_URL: "https://default-tinybird-api-url.com" EVALUATOR_URL: "https://default-evaluator-url.com" IS_E2E_TEST: "false" SENTRY_ENABLED: "true" 
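Review bot: The install and upgrade commands pass the values file as `--set-file values.yaml`, but `--set-file` expects `key=filepath` pairs and rejects a bare filename, so both commands fail as written; use `-f values.yaml` (or `--values values.yaml`) on the `helm install` and `helm upgrade` lines. `helm repo add` also needs a URL that serves a chart `index.yaml`, which a plain GitHub repository URL does not unless it is configured to, so either point at the published chart repository or document `helm install langtail ./chart` from a clone — I cannot tell from the diff which applies. The JWT steps were copied from the Docker Compose page and still tell the reader to replace the keys in `docker-compose.yml`; on this page they belong in the Helm values file (or the referenced Secret). Since this page targets production, add a caveat that `JWT_PRIVATE` and `JWT_SIGNING_KEY` should be generated on a trusted machine rather than in a third-party web page, e.g. `openssl ecparam -name prime256v1 -genkey -noout -out jwt.pem` followed by a local JWK conversion, with mkjwk.org kept for the local setup only.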
@@ -77,11 +77,6 @@ services: IMAGES_AWS_SECRET_ACCESS_KEY: "default-aws-secret-access-key" # Generate your own LANGTAIL_MAGIC_TOKEN: "default-langtail-magic-token" # TODO what's this? LANGTAIL_MAGIC_TESTS_TOKEN: "default-langtail-magic-tests-token" # TODO what's this? - EMAIL_VERIFICATION_SECRET: "default-email-verification-secret" - STRIPE_SECRET_KEY: "default-stripe-secret-key" - TINYBIRD_API_KEY: "default-tinybird-api-key" - CANNY_JWT_KEY: "default-canny-jwt-key" - STRIPE_SECRET_KEY: "default-stripe-secret-key" EVALUATOR_API_KEY: "default-evaluator-api-key" # TODO should be removed? # Social login IDs (use default or customize) @@ -94,6 +89,11 @@ services: CLERK_SECRET_KEY: "default-clerk-secret-key" LOOPS_API_KEY: "default-loops-api-key" NEXT_PUBLIC_REWARDFUL_API_KEY: "default-rewardful-api-key" + TINYBIRD_API_URL: "https://default-tinybird-api-url.com" + STRIPE_SECRET_KEY: "default-stripe-secret-key" + TINYBIRD_API_KEY: "default-tinybird-api-key" + CANNY_JWT_KEY: "default-canny-jwt-key" + STRIPE_SECRET_KEY: "default-stripe-secret-key" ports: - 3000:3000 depends_on: From 25d31f97d211742e6017efd04a49be050736652a Mon Sep 17 00:00:00 2001 From: Tomas Rychlik Date: Tue, 19 Nov 2024 15:32:00 +0100 Subject: [PATCH 4/6] docs env var updates --- self-host/docker-compose.mdx | 32 +++++++------------------------- self-host/helm-chart.mdx | 14 +++++--------- 2 files changed, 12 insertions(+), 34 deletions(-) diff --git a/self-host/docker-compose.mdx b/self-host/docker-compose.mdx index 82cda6b..1ee44f9 100644 --- a/self-host/docker-compose.mdx +++ b/self-host/docker-compose.mdx @@ -49,7 +49,7 @@ services: platform: linux/amd64 image: langtail/langtail:latest environment: - # Email settings + # Email login (remove if not needed) SMTP_URL: "smtp://user:password@smtp.example.com:587" EMAIL_FROM: "default@example.com" EMAIL_VERIFICATION_SECRET: "default-email-verification-secret" 
@@ -60,40 +60,22 @@ services: JWT_SIGNING_KEY: '{"kty": "oct","use": "sig","k": "vRCzGRHUGztzfvB-TSmNmcBHiC2ccz92M0RDJNkmwZjmFHsD_xlfHGD_3qewcO0p23s_BJIQkW92pRW4zNVPnO66jY3-ZZ7dIbt4x3ETh6-9TJ5X_B9Rb9e9ZNraH3TSKidW0Q6IvZq01qRSBiuhIddeC20HdFdUe-M-yGygie3EvsxXA3tL__o9pb25LHovsqZDwAi46TpovwHF5lS9K_a79-a9HLhPLvqbclSbhcC0mDwFiHaRGyB-xKiOpgpmdbdf2d1sdUnx8i8sA3sYS5Lo4gyhk2r_U2a8l9oU2s44erp-i3klGsVYuE82JNOeB9B7-hYuTwckvXLm75G0Ng"}' # Authentication settings - AUTH_SECRET: "7AdqG566X2lX2klWVbgjlLZVjgxLve2a/NVRHCs0PnI=" # Use default or generate your own + AUTH_SECRET: "7AdqG566X2lX2klWVbgjlLZVjgxLve2a/NVRHCs0PnI=" # Generate using guide below AUTH_URL: "http://localhost:3000" # Database DATABASE_URL: "mysql://admin:admin@db:3306/langtail" - PRISMA_FIELD_ENCRYPTION_KEY: "k1.aesgcm256.Yf2B9VlwQGmRSOzppSxEgnAgxCnk3ucvbwcqul17f_g=" # Use default or generate your own + PRISMA_FIELD_ENCRYPTION_KEY: "k1.aesgcm256.Yf2B9VlwQGmRSOzppSxEgnAgxCnk3ucvbwcqul17f_g=" # Generate using guide below # Misc configurations (adjust if needed) - EVALUATOR_URL: "https://default-evaluator-url.com" - IS_E2E_TEST: "false" - SENTRY_ENABLED: "true" - SKIP_ENV_VALIDATION: "false" - - # API Keys (use default or customize) - IMAGES_AWS_SECRET_ACCESS_KEY: "default-aws-secret-access-key" # Generate your own - LANGTAIL_MAGIC_TOKEN: "default-langtail-magic-token" # TODO what's this? - LANGTAIL_MAGIC_TESTS_TOKEN: "default-langtail-magic-tests-token" # TODO what's this? - EVALUATOR_API_KEY: "default-evaluator-api-key" # TODO should be removed? - - # Social login IDs (use default or customize) + SENTRY_ENABLED: "false" + IMAGES_AWS_SECRET_ACCESS_KEY: "default-aws-secret-access-key" # Key to S3 compatible image storage + + # Social login IDs (remove if you don't need them) GITHUB_ID: "default-github-id" GITHUB_SECRET: "default-github-secret" GOOGLE_ID: "default-google-id" GOOGLE_SECRET: "default-google-secret" - - # TODO should be removed? 
- CLERK_SECRET_KEY: "default-clerk-secret-key" - LOOPS_API_KEY: "default-loops-api-key" - NEXT_PUBLIC_REWARDFUL_API_KEY: "default-rewardful-api-key" - TINYBIRD_API_URL: "https://default-tinybird-api-url.com" - STRIPE_SECRET_KEY: "default-stripe-secret-key" - TINYBIRD_API_KEY: "default-tinybird-api-key" - CANNY_JWT_KEY: "default-canny-jwt-key" - STRIPE_SECRET_KEY: "default-stripe-secret-key" ports: - 3000:3000 depends_on: diff --git a/self-host/helm-chart.mdx b/self-host/helm-chart.mdx index 2c9fa0b..19ebe2f 100644 --- a/self-host/helm-chart.mdx +++ b/self-host/helm-chart.mdx @@ -21,21 +21,17 @@ Before deploying, ensure you have the following environment variables configured # ENVs DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database" MIGRATIONS_DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database" - -EMAIL_FROM: "your-email@example.com" -SMTP_URL: "smtp://user:password@smtp.example.com:587" -EMAIL_VERIFICATION_SECRET: "your-email-verification-secret" - JWT_SIGNING_KEY: "your-jwt-signing-key" JWT_PRIVATE: "your-jwt-private-key" JWT_PUBLIC: "your-jwt-public-key" AUTH_SECRET: "your-auth-secret" - -LANGTAIL_MAGIC_TOKEN: "your-langtail-magic-token" -LANGTAIL_MAGIC_TESTS_TOKEN: "your-langtail-magic-tests-token" - PRISMA_FIELD_ENCRYPTION_KEY: "your-prisma-field-encryption-key" IMAGES_AWS_SECRET_ACCESS_KEY: "your-aws-secret-access-key" + +# In case you want to enable login using email code +EMAIL_FROM: "your-email@example.com" +SMTP_URL: "smtp://user:password@smtp.example.com:587" +EMAIL_VERIFICATION_SECRET: "your-email-verification-secret" ``` ### Generating Production-Ready Secrets From 1a75e39f01796424508973decf24c23ec090b305 Mon Sep 17 00:00:00 2001 From: Tomas Rychlik Date: Tue, 26 Nov 2024 15:59:00 +0100 Subject: [PATCH 5/6] add note about secure secrets handling --- self-host/helm-chart.mdx | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) 
diff --git a/self-host/helm-chart.mdx b/self-host/helm-chart.mdx index 19ebe2f..858c46c 100644 --- a/self-host/helm-chart.mdx +++ b/self-host/helm-chart.mdx @@ -18,7 +18,10 @@ This guide covers deploying Langtail for **production** using Kubernetes with a Before deploying, ensure you have the following environment variables configured in your Helm values file: ```yaml -# ENVs +# Env vars +AUTH_URL: https://langtail.yourdomain.com # Replace with the URL where the instance will be accessible + +# Secret envs DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database" MIGRATIONS_DATABASE_URL: "mysql://user:password@your-database-host:3306/your-database" JWT_SIGNING_KEY: "your-jwt-signing-key" @@ -26,7 +29,7 @@ JWT_PRIVATE: "your-jwt-private-key" JWT_PUBLIC: "your-jwt-public-key" AUTH_SECRET: "your-auth-secret" PRISMA_FIELD_ENCRYPTION_KEY: "your-prisma-field-encryption-key" -IMAGES_AWS_SECRET_ACCESS_KEY: "your-aws-secret-access-key" +IMAGES_AWS_SECRET_ACCESS_KEY: "your-aws-secret-access-key" # Optional - used for image uploads # In case you want to enable login using email code EMAIL_FROM: "your-email@example.com" @@ -34,6 +37,20 @@ SMTP_URL: "smtp://user:password@smtp.example.com:587" EMAIL_VERIFICATION_SECRET: "your-email-verification-secret" ``` +### Securely handling secrets + +It's **highly recommended** to encrypt your secrets using a secret manager like Helm Secrets before storing the values yaml file. + +You can also use your own secrets manager, but you'll add these values to configure langtail to use your own secrets in kubernetes: + +``` +manageSecret: false +secretRef: + name: "your-secret-name" + migrationName: "your-migration-secret-name" + +``` + ### Generating Production-Ready Secrets In production, you **must** generate and set secure values for the following secrets. Here’s how to generate them: From ff5d8d5925c31802001a7a1361e17aeb2d27efce Mon Sep 17 00:00:00 2001 
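Review bot: `DATABASE_URL` and `MIGRATIONS_DATABASE_URL` are shown with the same `user:password`, while the new `secretRef.migrationName` key indicates the chart already keeps the migration credentials in a separate Secret, so the page should tell readers to use that split for least privilege: give the migration job a DB user with DDL rights and the app a user limited to DML on the schema, e.g. `DATABASE_URL: "mysql://langtail_app:<password>@your-database-host:3306/your-database"` and `MIGRATIONS_DATABASE_URL: "mysql://langtail_migrate:<password>@your-database-host:3306/your-database"`. This is inferred from the two variables and the secret names, so confirm the migration image does not also need the app user. The Helm Secrets sentence should also say what it covers: it encrypts the values file at rest and in git, but the rendered Kubernetes Secret is still only base64, so cluster-side controls (RBAC on Secrets, etcd encryption at rest, or an external secrets operator) remain a separate step.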
From: Tomas Rychlik Date: Mon, 2 Dec 2024 15:32:24 +0100 Subject: [PATCH 6/6] add misisng PRISMA_FIELD_ENCRYPTION_KEY docs --- self-host/helm-chart.mdx | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/self-host/helm-chart.mdx b/self-host/helm-chart.mdx index 858c46c..0933e47 100644 --- a/self-host/helm-chart.mdx +++ b/self-host/helm-chart.mdx @@ -39,7 +39,7 @@ EMAIL_VERIFICATION_SECRET: "your-email-verification-secret" ### Securely handling secrets -It's **highly recommended** to encrypt your secrets using a secret manager like Helm Secrets before storing the values yaml file. +It's **highly recommended** to encrypt your secrets using a secret manager like [Helm Secrets](https://github.com/jkroepke/helm-secrets) before storing the values yaml file. You can also use your own secrets manager, but you'll add these values to configure langtail to use your own secrets in kubernetes: @@ -79,6 +79,16 @@ To generate a new signing key: 1. Select **oct** as the key type and **Signature** as the key use. 1. Copy the generated key and replace the `JWT_SIGNING_KEY` in your `docker-compose.yml`. +**Generate `PRISMA_FIELD_ENCRYPTION_KEY`** + +This key is used to encrypt LLM provider keys in database. + +Generate it via a web UI: cloak.47ng.com or via the command line: + ```bash + npm install -g @47ng/cloak + cloak generate + ``` + ### Configuring Social Logins (Google and GitHub) To configure social login with Google and GitHub, follow the steps below:
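Review bot: The new `PRISMA_FIELD_ENCRYPTION_KEY` section lists the web UI first even though this key protects every stored LLM provider key, so for a production page the local CLI should be the primary path, e.g. `Generate it locally: npm install -g @47ng/cloak && cloak generate (the web UI at cloak.47ng.com is acceptable for local setups only).` Because the stored provider keys cannot be decrypted without this value, add a sentence telling operators to back it up and that changing it later requires re-encrypting existing rows — the re-encryption requirement is inferred from the description, so confirm it against the app. The generated value should match the `k1.aesgcm256.` prefix shown in the Docker Compose guide; stating that here lets readers validate what they paste. The surrounding context still says to put `JWT_SIGNING_KEY` in `docker-compose.yml`, which is the wrong file for this guide.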