Environment Variables

Complete reference of all environment variables used by TrikuSec.

| Variable | Purpose |
|---|---|
| TRIKUSEC_DOMAIN | Single domain input from which the related URLs and hosts are derived |
| SECRET_KEY | Django cryptographic signing key |
| DJANGO_DEBUG | Enables verbose Django debug mode for development |
| DJANGO_ALLOWED_HOSTS | Hostnames Django is allowed to serve |
| DJANGO_ENV | Switches between development, production, or testing settings |
| DATABASE_URL | Connection string for the application database |
| TRIKUSEC_ADMIN_USERNAME | Username for the bootstrap admin account |
| TRIKUSEC_ADMIN_PASSWORD | Password for the bootstrap admin account (creates it on first run, overwrites it when set later; see below) |
| SSL_CERT_DAYS | Validity period for generated self-signed certificates |
| SECURE_SSL_REDIRECT | Forces HTTP traffic to redirect to HTTPS |
| SECURE_HSTS_SECONDS | Duration for the HTTP Strict Transport Security header |
| SESSION_COOKIE_SECURE | Restricts session cookies to HTTPS requests |
| CSRF_COOKIE_SECURE | Restricts CSRF cookies to HTTPS requests |
| RATELIMIT_ENABLE | Toggles rate limiting on API endpoints |
| TRIKUSEC_URL | Base URL for the admin UI |
| TRIKUSEC_LYNIS_API_URL | Base URL for the Lynis API used by devices |

TRIKUSEC_DOMAIN

The easiest way to configure TrikuSec is to set a single domain variable. When it is set, the related URL and host settings are derived from it:

TRIKUSEC_DOMAIN=yourdomain.com

This automatically configures:

  • TRIKUSEC_URL=https://yourdomain.com:8000 (Admin UI)
  • TRIKUSEC_LYNIS_API_URL=https://yourdomain.com:8001 (Lynis API)
  • DJANGO_ALLOWED_HOSTS=localhost,yourdomain.com
  • NGINX_CERT_CN=yourdomain.com (SSL certificate)

You can still override any of these individually if needed for advanced configurations.

Examples:

For local development:

TRIKUSEC_DOMAIN=localhost

For production:

TRIKUSEC_DOMAIN=trikusec.example.com

Recommended Approach

Using TRIKUSEC_DOMAIN simplifies configuration and reduces errors. You only need to set one variable and everything else is automatically configured consistently.
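The derivation above, written out as a small function so the override and fallback rules can be checked before a deployment. This is an added example, not TrikuSec's own settings code: it reproduces the rules documented on this page (ports 8000/8001, localhost prepended to DJANGO_ALLOWED_HOSTS, NGINX_CERT_CN, and the fallback of TRIKUSEC_LYNIS_API_URL to TRIKUSEC_URL described under Server Configuration). The function names and the rule that an explicit non-empty value beats a derived one are assumptions made for this example.

```python
"""Model of the TRIKUSEC_DOMAIN derivation described above.

Added example, not TrikuSec's own settings code. It reproduces the rules
documented on this page (ports 8000/8001, localhost prepended to
DJANGO_ALLOWED_HOSTS, NGINX_CERT_CN) and the documented fallback of
TRIKUSEC_LYNIS_API_URL to TRIKUSEC_URL. The function names and the rule
that an explicit non-empty value beats a derived one are assumptions.
"""
from __future__ import annotations

DERIVED_KEYS = ("TRIKUSEC_URL", "TRIKUSEC_LYNIS_API_URL",
                "DJANGO_ALLOWED_HOSTS", "NGINX_CERT_CN")


def derive_settings(env: dict[str, str]) -> dict[str, str]:
    """Return the effective values of the settings TRIKUSEC_DOMAIN can derive."""
    domain = env.get("TRIKUSEC_DOMAIN", "").strip()
    effective: dict[str, str] = {}
    if domain:
        effective = {
            "TRIKUSEC_URL": f"https://{domain}:8000",            # admin UI
            "TRIKUSEC_LYNIS_API_URL": f"https://{domain}:8001",  # Lynis API
            "DJANGO_ALLOWED_HOSTS": f"localhost,{domain}",
            "NGINX_CERT_CN": domain,                             # self-signed cert CN
        }
    # "You can still override any of these individually": an explicit
    # value in the environment replaces the derived one (assumption).
    for key in DERIVED_KEYS:
        explicit = env.get(key, "").strip()
        if explicit:
            effective[key] = explicit
    # Backward compatibility: without its own URL, the Lynis API shares the admin URL.
    if "TRIKUSEC_LYNIS_API_URL" not in effective and "TRIKUSEC_URL" in effective:
        effective["TRIKUSEC_LYNIS_API_URL"] = effective["TRIKUSEC_URL"]
    return effective


def allowed_hosts(env: dict[str, str]) -> list[str]:
    """DJANGO_ALLOWED_HOSTS as the list Django consumes, de-duplicated in order."""
    raw = derive_settings(env).get("DJANGO_ALLOWED_HOSTS", "")
    seen: list[str] = []
    for host in (h.strip() for h in raw.split(",")):
        if host and host not in seen:
            seen.append(host)
    return seen


if __name__ == "__main__":
    for name, value in derive_settings({"TRIKUSEC_DOMAIN": "yourdomain.com"}).items():
        print(f"{name}={value}")
```

Run it with a candidate environment to see which values a device will actually be sent to; the `localhost` entry stays in the allowed hosts even for a production domain, which is worth knowing when you write nginx or firewall rules.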

Required Variables

SECRET_KEY

Django secret key used for cryptographic signing: session cookies, CSRF tokens, password-reset tokens and anything else signed through django.core.signing. Rotating it invalidates all existing sessions and signed tokens.

SECRET_KEY=your-secret-key-here

Security Critical

NEVER commit your actual secret key to version control. Anyone who holds the key can forge session cookies and signed tokens. Generate a new, unique key for each deployment.

Generate a secure key:

python3 -c "import secrets; print(secrets.token_urlsafe(50))"

Django Settings

DJANGO_DEBUG

Enable or disable Django debug mode.

DJANGO_DEBUG=False  # Production (default)
DJANGO_DEBUG=True   # Development only

Never Enable in Production

Setting DJANGO_DEBUG=True in production exposes sensitive information including stack traces, environment variables, and database queries.

DJANGO_ALLOWED_HOSTS

Comma-separated list of hostnames Django will serve. Requests whose Host header matches none of the entries are rejected, which blocks Host-header attacks such as poisoned password-reset links.

DJANGO_ALLOWED_HOSTS=yourdomain.com,www.yourdomain.com

For development, you can use:

DJANGO_ALLOWED_HOSTS=*

Production Security

Never use * in production. Always specify exact hostnames.

DJANGO_ENV

Environment type selector.

DJANGO_ENV=development   # Development settings (default)
DJANGO_ENV=production    # Production settings
DJANGO_ENV=testing       # Testing settings

Database Configuration

DATABASE_URL

Database connection URL. Defaults to SQLite if not set.

# PostgreSQL
DATABASE_URL=postgresql://user:password@host:5432/dbname

# SQLite (default)
# DATABASE_URL not set or empty

Admin Configuration

TRIKUSEC_ADMIN_USERNAME

Default admin username.

TRIKUSEC_ADMIN_USERNAME=admin

TRIKUSEC_ADMIN_PASSWORD

Admin password behavior depends on whether the admin user already exists:

On fresh installation:

TRIKUSEC_ADMIN_PASSWORD=secure-password

If not set, defaults to trikusec. The password is used to create the initial admin user.

On existing installation:

  • If TRIKUSEC_ADMIN_PASSWORD is set (explicitly in environment): Password will be updated to the new value
  • If TRIKUSEC_ADMIN_PASSWORD is not set or commented out: Existing password is preserved

Best Practice

Set this variable for initial deployment, then comment it out or remove it from your .env file to prevent accidental password overwrites. Change the password via the Django admin UI after first login.

Production Security

Never use the default trikusec password in production. Always set a strong password for initial deployment.
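The create/update/preserve rules above are easy to get wrong in an automated rollout, so here they are as a small model that can be exercised offline. This is an added example, not TrikuSec's bootstrap code: the in-memory `users` dict stands in for the Django user table, `hash_password` for Django's PBKDF2 hasher, and the function names are assumptions. Refusing the default password when DJANGO_ENV=production is an extra guard added here, not documented project behaviour.

```python
"""Model of the TRIKUSEC_ADMIN_PASSWORD behaviour described above.

Added example, not TrikuSec's bootstrap code. The in-memory ``users`` dict
stands in for the Django user table and ``hash_password`` for Django's
PBKDF2 hasher; both, and the function names, are assumptions made for
this example. Refusing the default password when DJANGO_ENV=production is
an extra guard added here, not documented project behaviour.
"""
from __future__ import annotations

import hashlib
import hmac
import os

DEFAULT_PASSWORD = "trikusec"
ITERATIONS = 600_000  # PBKDF2-SHA256 work factor (Django 4.2's default)


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def check_password(password: str, stored: str) -> bool:
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def bootstrap_admin(users: dict[str, str], env: dict[str, str]) -> str:
    """Apply the documented rules; return "created", "updated" or "preserved".

    An empty TRIKUSEC_ADMIN_PASSWORD is treated like an unset one (assumption).
    """
    username = env.get("TRIKUSEC_ADMIN_USERNAME") or "admin"
    password = env.get("TRIKUSEC_ADMIN_PASSWORD") or None

    if username not in users:
        # Fresh installation: create the account, falling back to the default.
        effective = password or DEFAULT_PASSWORD
        if env.get("DJANGO_ENV") == "production" and effective == DEFAULT_PASSWORD:
            raise ValueError("refusing to create the admin with the default password in production")
        users[username] = hash_password(effective)
        return "created"
    if password:
        # Existing installation with the variable explicitly set: overwritten.
        users[username] = hash_password(password)
        return "updated"
    # Existing installation, variable unset or commented out: left alone.
    return "preserved"
```

The "updated" branch is the one that bites: a password changed in the Django admin UI is silently replaced on the next start for as long as the variable stays in `.env`.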

HTTPS Security

SSL_CERT_DAYS

Overrides the validity period (in days) of the self-signed SSL certificate generated for nginx.

SSL_CERT_DAYS=365    # example: 1-year validity

If not set, defaults to 1825 days (5 years). Monitored servers download this certificate during enrollment (see TRIKUSEC_LYNIS_API_URL), so when it expires or is regenerated, enrolled devices need the new certificate as well.

SECURE_SSL_REDIRECT

Redirect all HTTP traffic to HTTPS.

SECURE_SSL_REDIRECT=True

SECURE_HSTS_SECONDS

HTTP Strict Transport Security (HSTS) duration in seconds.

SECURE_HSTS_SECONDS=31536000  # 1 year

Browsers remember this header for the full duration and refuse plain HTTP to the host until it expires, so enable it only once HTTPS is known to work. A short value (for example 300) is a safe first step before raising it to a year.

SESSION_COOKIE_SECURE

Only send session cookies over HTTPS.

SESSION_COOKIE_SECURE=True

CSRF_COOKIE_SECURE

Only send CSRF cookies over HTTPS.

CSRF_COOKIE_SECURE=True

Rate Limiting

RATELIMIT_ENABLE

Enable or disable rate limiting on API endpoints.

RATELIMIT_ENABLE=True   # Enabled (default)
RATELIMIT_ENABLE=False  # Disabled

Server Configuration

TRIKUSEC_URL

TrikuSec admin UI server URL (used for generating admin interface links).

TRIKUSEC_URL=https://localhost:443

This is the endpoint used for accessing the web management interface. It should point to your nginx reverse proxy or direct Django server for admin access.

In the enrollment workflow, TRIKUSEC_URL is only used for authenticated admin interactions (no device traffic).

TRIKUSEC_LYNIS_API_URL

TrikuSec Lynis API server URL (used for device enrollment and report uploads).

TRIKUSEC_LYNIS_API_URL=https://localhost:8443

This is the endpoint used by monitored servers for:

  • Downloading the enrollment script (/api/lynis/enroll/)
  • Downloading the self-signed certificate (via openssl)
  • License validation (/api/lynis/license/)
  • Uploading audit reports (/api/lynis/upload/)

If not set, falls back to TRIKUSEC_URL for backward compatibility.

Security Best Practice

Use separate endpoints for admin UI and Lynis API to improve security. This allows you to configure different firewall rules for each endpoint. See Security Configuration for details.

Example .env Files

# Required
SECRET_KEY=your-generated-secret-key-here

# Domain-based configuration (automatically derives URLs and settings)
TRIKUSEC_DOMAIN=yourdomain.com

# Admin
TRIKUSEC_ADMIN_USERNAME=admin
TRIKUSEC_ADMIN_PASSWORD=your-secure-password

# Optional: Database
DATABASE_URL=postgresql://trikusec_user:password@postgres:5432/trikusec

Advanced Configuration (All Options)

# Required
SECRET_KEY=your-generated-secret-key-here

# Domain (recommended)
TRIKUSEC_DOMAIN=yourdomain.com

# Django
DJANGO_DEBUG=False
DJANGO_ALLOWED_HOSTS=yourdomain.com,www.yourdomain.com
DJANGO_ENV=production

# Database
DATABASE_URL=postgresql://trikusec_user:password@postgres:5432/trikusec

# Admin
TRIKUSEC_ADMIN_USERNAME=admin
TRIKUSEC_ADMIN_PASSWORD=your-secure-password

# HTTPS
SECURE_SSL_REDIRECT=True
SECURE_HSTS_SECONDS=31536000
SESSION_COOKIE_SECURE=True
CSRF_COOKIE_SECURE=True

# Rate Limiting
RATELIMIT_ENABLE=True

# Server (manual override - not needed if TRIKUSEC_DOMAIN is set)
TRIKUSEC_URL=https://yourdomain.com:8000
TRIKUSEC_LYNIS_API_URL=https://yourdomain.com:8001
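A pre-deployment check that reads a `.env` file and flags every setting this page says must not reach production (placeholder or short SECRET_KEY, DJANGO_DEBUG=True, a wildcard in DJANGO_ALLOWED_HOSTS, the default admin password, missing HTTPS and HSTS flags, non-HTTPS endpoints, a shared admin/API endpoint, rate limiting switched off). This is an added example, not a TrikuSec tool: the rule set, the function names and the two sample `.env` texts are constructed for the example, and the 50-character SECRET_KEY floor follows the generator command shown under SECRET_KEY.

```python
"""Production-readiness check for a TrikuSec .env file.

Added example, not a TrikuSec tool: it parses a dotenv file and flags the
settings this page says must not reach production. The rules, function
names and the sample .env texts below are constructed for this example; the
50-character SECRET_KEY floor matches the generator command shown above.
"""
from __future__ import annotations

PLACEHOLDER_SECRETS = {"", "your-secret-key-here", "your-generated-secret-key-here"}
DEFAULT_ADMIN_PASSWORD = "trikusec"
HTTPS_FLAGS = ("SECURE_SSL_REDIRECT", "SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE")


def parse_dotenv(text: str) -> dict[str, str]:
    """Minimal KEY=VALUE parser: skips blank lines, comments and commented-out keys."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(" #", 1)[0]  # drop a trailing "  # comment"
        env[key.strip()] = value.strip().strip("'\"")
    return env


def is_true(value: str) -> bool:
    return value.strip().lower() in {"1", "true", "yes", "on"}


def lint_env(env: dict[str, str], fresh_install: bool = False) -> list[str]:
    """Return ERROR:/WARN: lines; empty means nothing on this page objects.
    fresh_install=True applies the first-run fallback to the default password."""
    out: list[str] = []
    if env.get("DJANGO_ENV", "development") != "production":
        out.append("WARN: DJANGO_ENV is not 'production' (the default is development)")
    secret = env.get("SECRET_KEY", "")
    if secret in PLACEHOLDER_SECRETS or len(secret) < 50:
        out.append("ERROR: SECRET_KEY is missing, a placeholder, or shorter than 50 characters")
    if is_true(env.get("DJANGO_DEBUG", "False")):
        out.append("ERROR: DJANGO_DEBUG=True exposes stack traces, settings and queries")
    if "*" in [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",")]:
        out.append("ERROR: DJANGO_ALLOWED_HOSTS contains '*'; list exact hostnames")
    password = env.get("TRIKUSEC_ADMIN_PASSWORD", "")
    if password == DEFAULT_ADMIN_PASSWORD or (fresh_install and not password):
        out.append("ERROR: admin account would use the default password 'trikusec'")
    elif password:
        out.append("WARN: TRIKUSEC_ADMIN_PASSWORD is set and overwrites the admin password "
                   "on every start; remove it after the initial deployment")
    for flag in HTTPS_FLAGS:
        if not is_true(env.get(flag, "")):
            out.append(f"ERROR: {flag} is not True")
    hsts = env.get("SECURE_HSTS_SECONDS", "0")
    if not hsts.isdigit() or int(hsts) <= 0:
        out.append("ERROR: SECURE_HSTS_SECONDS is unset or 0, so no HSTS header is sent")
    admin_url = env.get("TRIKUSEC_URL", "")
    api_url = env.get("TRIKUSEC_LYNIS_API_URL", "")
    for name, url in (("TRIKUSEC_URL", admin_url), ("TRIKUSEC_LYNIS_API_URL", api_url)):
        if url and not url.startswith("https://"):
            out.append(f"ERROR: {name} does not use https://")
    if admin_url and admin_url == api_url:
        out.append("WARN: admin UI and Lynis API share one endpoint; separate them so "
                   "firewall rules can differ")
    if "RATELIMIT_ENABLE" in env and not is_true(env["RATELIMIT_ENABLE"]):
        out.append("WARN: RATELIMIT_ENABLE=False disables API rate limiting")
    return out


# Constructed samples: a development-style file about to be shipped, and a
# hardened one following the advanced .env above.
UNSAFE_ENV = """\
SECRET_KEY=your-secret-key-here
TRIKUSEC_DOMAIN=trikusec.example.com
DJANGO_DEBUG=True
DJANGO_ALLOWED_HOSTS=*
# TRIKUSEC_ADMIN_PASSWORD=   (commented out: a fresh install gets 'trikusec')
SECURE_SSL_REDIRECT=False
"""

SAFE_ENV = """\
SECRET_KEY=Qn3x7vR9wK2pL5tY8sD1fG4hJ6kM0zC3bN7vX2aS5dF8gH1jK4lZ9m-_xY0
TRIKUSEC_DOMAIN=trikusec.example.com
DJANGO_ENV=production
DJANGO_DEBUG=False
SECURE_SSL_REDIRECT=True
SECURE_HSTS_SECONDS=31536000  # 1 year
SESSION_COOKIE_SECURE=True
CSRF_COOKIE_SECURE=True
RATELIMIT_ENABLE=True
"""

if __name__ == "__main__":
    for label, text in (("unsafe", UNSAFE_ENV), ("safe", SAFE_ENV)):
        print(f"[{label}]")
        for line in lint_env(parse_dotenv(text), fresh_install=True) or ["OK"]:
            print("  " + line)
```

Values derived from TRIKUSEC_DOMAIN are not inspected, because they are already HTTPS and host-specific; the URL and shared-endpoint checks only fire on explicit TRIKUSEC_URL / TRIKUSEC_LYNIS_API_URL overrides. Pass `fresh_install=True` on a first rollout, and run with the default on later restarts, where an unset TRIKUSEC_ADMIN_PASSWORD is the recommended state.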