.env.example
# ═══════════════════════════════════════════════════════════════════
# LLMPROXY — Environment Configuration
# ═══════════════════════════════════════════════════════════════════
#
# Copy to .env and fill in your values: cp .env.example .env
# NEVER commit .env with real secrets.
#
# Docs: https://github.com/fabriziosalmi/llmproxy
# ┌──────────────────────────────────────────────────────────────────┐
# │ KEY GLOSSARY — read this before pasting anything                 │
# ├──────────────────────────────────────────────────────────────────┤
# │ LLM_PROXY_API_KEYS    Client Bearer tokens. Send as              │
# │                       `Authorization: Bearer <key>`.             │
# │                       This is what /v1/chat/completions accepts. │
# │                                                                  │
# │ LLM_PROXY_MASTER_KEY  ⚠ KEK for Fernet encryption of secrets at  │
# │                       rest. NOT a Bearer credential. Losing or   │
# │                       rotating it makes existing encrypted       │
# │                       secrets unrecoverable. NEVER paste as a    │
# │                       client auth header — it grants nothing     │
# │                       and risks key disclosure in logs.          │
# │                                                                  │
# │ OIDC_*                JWT path. Only used when identity.enabled  │
# │                       is true and you've configured SSO.         │
# └──────────────────────────────────────────────────────────────────┘
# ─────────────────────────────────────────────────────────────────
# REQUIRED — Proxy won't start without these
# ─────────────────────────────────────────────────────────────────
# Client Bearer tokens — sent as `Authorization: Bearer <key>` by
# anything calling /v1/chat/completions, /v1/completions, /v1/embeddings,
# and the /api/v1/* admin/read-only routes.
# Comma-separated list (multiple keys are valid for rotation / per-team).
# Generate with: python -c "import secrets; print(f'sk-proxy-{secrets.token_hex(16)}')"
LLM_PROXY_API_KEYS=sk-proxy-CHANGE-ME
# Master key for encrypting secrets at rest (Fernet/AES). REQUIRED before
# the proxy can decrypt anything in `data/` written by SecretManager.
# Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))"
#
# ⚠ This is NOT a Bearer credential. Do NOT send it in Authorization
# headers; do NOT share it with clients. Treat it like a database
# master key: losing or rotating it makes existing encrypted values
# unrecoverable. Store separately from LLM_PROXY_API_KEYS so a leak
# of one does not compromise the other.
LLM_PROXY_MASTER_KEY=
# ─────────────────────────────────────────────────────────────────
# LLM PROVIDERS — Enable at least one
# ─────────────────────────────────────────────────────────────────
# OpenAI (https://platform.openai.com/api-keys)
OPENAI_API_KEY=sk-proj-...
# Anthropic (https://console.anthropic.com/settings/keys)
# ANTHROPIC_API_KEY=sk-ant-...
# Google Gemini (https://aistudio.google.com/apikey)
# GOOGLE_API_KEY=AIza...
# Azure OpenAI
# AZURE_OPENAI_API_KEY=...
# Groq (https://console.groq.com/keys)
# GROQ_API_KEY=gsk_...
# Together AI
# TOGETHER_API_KEY=...
# Mistral (https://console.mistral.ai/api-keys)
# MISTRAL_API_KEY=...
# DeepSeek
# DEEPSEEK_API_KEY=...
# xAI / Grok
# XAI_API_KEY=...
# Perplexity
# PERPLEXITY_API_KEY=...
# OpenRouter (https://openrouter.ai/keys)
# OPENROUTER_API_KEY=sk-or-v1-...
# Fireworks AI
# FIREWORKS_API_KEY=...
# SambaNova
# SAMBANOVA_API_KEY=...
# ─────────────────────────────────────────────────────────────────
# OPENAI-COMPATIBLE LOCAL/CUSTOM ENDPOINTS (no YAML editing needed)
# ─────────────────────────────────────────────────────────────────
# Declare any OpenAI-compatible endpoint (LM Studio, vLLM, TGI, Ollama,
# private gateway, self-hosted inference...) purely via env vars.
#
# Convention:
# LLM_PROXY_ENDPOINT_<NAME>_URL = base URL (required)
# LLM_PROXY_ENDPOINT_<NAME>_KEY = bearer token (optional — omit for no-auth)
# LLM_PROXY_ENDPOINT_<NAME>_MODELS = CSV of model ids (optional)
# LLM_PROXY_ENDPOINT_<NAME>_PROVIDER = adapter hint (default: openai-compatible)
#
# <NAME> becomes the endpoint id (lowercased). You can declare several.
#
# Example — LM Studio on the LAN, no auth:
# LLM_PROXY_ENDPOINT_LMSTUDIO_URL=http://192.168.1.50:1234/v1
# LLM_PROXY_ENDPOINT_LMSTUDIO_MODELS=llama-3.3-70b,qwen-2.5-coder-32b
#
# Example — remote vLLM with API key:
# LLM_PROXY_ENDPOINT_VLLM_URL=https://inference.internal.example.com/v1
# LLM_PROXY_ENDPOINT_VLLM_KEY=sk-internal-...
# LLM_PROXY_ENDPOINT_VLLM_MODELS=mixtral-8x22b
# ─────────────────────────────────────────────────────────────────
# OPTIONAL — Security toggles
# ─────────────────────────────────────────────────────────────────
# Byte-level WAF (ASGI injection firewall). Default: enabled.
# Set to 0/false/off to disable entirely (useful for local integration tests
# or when fronting the proxy with another WAF). UI will show OFF + reason.
# LLM_PROXY_FIREWALL_ENABLED=1
# JWT signing secret for internal identity tokens (proxy-minted JWTs).
# Independent from LLM_PROXY_MASTER_KEY; rotating this only invalidates
# active proxy-issued sessions, not encrypted data at rest.
# LLM_PROXY_IDENTITY_SECRET=
# Federation secret for multi-instance deployments (cluster-wide HMAC).
# Must match across all peers in the federation.
# LLM_PROXY_FEDERATION_SECRET=
# PostgreSQL Database Connection DSN (only used if server.storage.type is "postgres" in config.yaml)
# DATABASE_URL=postgresql://postgres:postgres@localhost:5432/llmproxy
# ─────────────────────────────────────────────────────────────────
# OPTIONAL — Auto-discovery of local / Tailscale LLM hosts
# ─────────────────────────────────────────────────────────────────
# At startup the proxy probes 127.0.0.1 and host.docker.internal for
# Ollama (:11434), LM Studio (:1234), vLLM (:8000), and LiteLLM (:4000).
# Responders are registered automatically — zero config.
#
# To extend discovery to remote hosts (Tailscale peers, LAN nodes, ...)
# list them below. "host" alone probes all four standard ports; "host:port"
# probes only that port. Accepts IPs, DNS names, Tailscale addresses.
#
# LLM_PROXY_DISCOVERY_PEERS=100.98.112.23,100.118.189.6,100.66.12.82,100.108.97.78:8000
#
# Disable auto-discovery entirely:
# LLM_PROXY_LOCAL_DISCOVERY=0
#
# Re-discovery runs every 5 min by default so peers that come back online
# are picked up without a restart. Change via config.yaml:
#   discovery:
#     scan_interval_s: 300  # default 300 seconds; set 0 to boot-only
# ─────────────────────────────────────────────────────────────────
# OPTIONAL — Infisical (Managed Secrets — replaces env vars above)
# ─────────────────────────────────────────────────────────────────
# INFISICAL_SITE_URL=https://app.infisical.com
# INFISICAL_CLIENT_ID=
# INFISICAL_CLIENT_SECRET=
# INFISICAL_PROJECT_ID=
# INFISICAL_ENV=dev
# ─────────────────────────────────────────────────────────────────
# OPTIONAL — Identity / SSO (OIDC)
# ─────────────────────────────────────────────────────────────────
# OIDC_GOOGLE_CLIENT_ID=...apps.googleusercontent.com
# OIDC_MICROSOFT_CLIENT_ID=
# OIDC_APPLE_CLIENT_ID=
# ─────────────────────────────────────────────────────────────────
# OPTIONAL — Observability & Alerting
# ─────────────────────────────────────────────────────────────────
# Sentry error tracking
# SENTRY_DSN=https://examplePublicKey@o0.ingest.sentry.io/0
# Webhook alerts (Slack, Discord, Telegram)
# SLACK_WEBHOOK_URL=https://hooks.slack.com/services/T.../B.../xxx
# DISCORD_WEBHOOK_URL=https://discord.com/api/webhooks/...
# TELEGRAM_BOT_TOKEN=123456:ABC-DEF...
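
A preflight check for a filled-in copy of this file, as an added example (not llmproxy's own loader): it groups the `LLM_PROXY_ENDPOINT_<NAME>_*` variables by lowercased `<NAME>` and flags values that contradict the guidance in the comments above. The helper names `parse_env`, `endpoints` and `preflight`, the sample values, and the plain-HTTP check on keyed endpoints are assumptions of this example.

```python
import re
from urllib.parse import urlsplit
# Constructed sample .env; every value below is made up for this example.
SAMPLE_ENV = """\
LLM_PROXY_API_KEYS=sk-proxy-CHANGE-ME,sk-proxy-constructed-0001
LLM_PROXY_MASTER_KEY=sk-proxy-constructed-0001
LLM_PROXY_ENDPOINT_LMSTUDIO_URL=http://192.168.1.50:1234/v1
LLM_PROXY_ENDPOINT_VLLM_URL=http://inference.internal.example.com/v1
LLM_PROXY_ENDPOINT_VLLM_KEY=sk-internal-constructed
LLM_PROXY_ENDPOINT_ORPHAN_KEY=sk-internal-constructed
"""
ENDPOINT_RE = re.compile(r"^LLM_PROXY_ENDPOINT_(.+)_(URL|KEY|MODELS|PROVIDER)$")

def parse_env(text):
    """Minimal KEY=VALUE reader (assumption: no quoting or export syntax)."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def endpoints(env):
    """Group LLM_PROXY_ENDPOINT_<NAME>_* variables by lowercased <NAME>."""
    found = {}
    for key, value in env.items():
        m = ENDPOINT_RE.match(key)
        if m:
            found.setdefault(m.group(1).lower(), {})[m.group(2).lower()] = value
    return found

def preflight(env):
    """Return findings where the values contradict the file's own guidance."""
    findings = []
    api_keys = [k.strip() for k in env.get("LLM_PROXY_API_KEYS", "").split(",") if k.strip()]
    master = env.get("LLM_PROXY_MASTER_KEY", "")
    if not api_keys or any("CHANGE-ME" in k for k in api_keys):
        findings.append("LLM_PROXY_API_KEYS: unset or placeholder still present")
    if not master or master in api_keys:
        findings.append("LLM_PROXY_MASTER_KEY: empty or reused as a client Bearer token")
    for name, cfg in sorted(endpoints(env).items()):
        if not cfg.get("url"):
            findings.append(f"endpoint {name}: _URL is required")
        elif cfg.get("key") and urlsplit(cfg["url"]).scheme != "https":  # check added by this example
            findings.append(f"endpoint {name}: bearer token would cross the network over plain HTTP")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(parse_env(SAMPLE_ENV))))
```

The no-auth LM Studio endpoint on plain HTTP is not flagged because there is no token to expose; only keyed endpoints are checked for the URL scheme.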