feat: reorganized .env (#1566)

* feat: reorganized .env

* Set a default model that works without token

.env

@@ -1,18 +1,18 @@
 # Use .env.local to change these variables
 # DO NOT EDIT THIS FILE WITH SENSITIVE DATA
 
-MONGODB_URL=#your mongodb URL here
+### MongoDB ###
+MONGODB_URL=#your mongodb URL here, use chat-ui-db image if you don't want to set this
 MONGODB_DB_NAME=chat-ui
 MONGODB_DIRECT_CONNECTION=false
 
-COOKIE_NAME=hf-chat
-COOKIE_SAMESITE=
-COOKIE_SECURE=
-TRUSTED_EMAIL_HEADER= # only set this if you understand the implications
 
-HF_TOKEN=#hf_<token> from https://huggingface.co/settings/token
+### Endpoints config ###
 HF_API_ROOT=https://api-inference.huggingface.co/models
-
+# HF_TOKEN is used for a lot of things, not only for inference but also fetching tokenizers, etc.
+# We recommend using an HF_TOKEN even if you use a local endpoint.
+HF_TOKEN= #get it from https://huggingface.co/settings/token
+# API Keys for providers, you will need to specify models in the MODELS section but these keys can be kept secret
 OPENAI_API_KEY=#your openai api key here
 ANTHROPIC_API_KEY=#your anthropic api key here
 CLOUDFLARE_ACCOUNT_ID=#your cloudflare account id here
@@ -20,59 +20,13 @@ CLOUDFLARE_API_TOKEN=#your cloudflare api token here
 COHERE_API_TOKEN=#your cohere api token here
 GOOGLE_GENAI_API_KEY=#your google genai api token here
 
-HF_ACCESS_TOKEN=#LEGACY! Use HF_TOKEN instead
-
-# used to activate search with web functionality. disabled if none are defined. choose one of the following:
-YDC_API_KEY=#your docs.you.com api key here
-SERPER_API_KEY=#your serper.dev api key here
-SERPAPI_KEY=#your serpapi key here
-SERPSTACK_API_KEY=#your serpstack api key here
-SEARCHAPI_KEY=#your searchapi api key here
-USE_LOCAL_WEBSEARCH=#set to true to parse google results yourself, overrides other API keys
-SEARXNG_QUERY_URL=# where '<query>' will be replaced with query keywords see https://docs.searxng.org/dev/search_api.html eg https://searxng.yourdomain.com/search?q=<query>&engines=duckduckgo,google&format=json
-BING_SUBSCRIPTION_KEY=#your key
-PLAYWRIGHT_ADBLOCKER=true
-
-WEBSEARCH_ALLOWLIST=`[]` # if it's defined, allow websites from only this list.
-WEBSEARCH_BLOCKLIST=`[]` # if it's defined, block websites from this list.
-WEBSEARCH_JAVASCRIPT=true # CPU usage reduces by 60% on average by disabling javascript. Enable to improve website compatibility
-WEBSEARCH_TIMEOUT = 3500 # in milliseconds, determines how long to wait to load a page before timing out
-
-# Parameters to enable open id login
-OPENID_CONFIG=`{
-  "PROVIDER_URL": "",
-  "CLIENT_ID": "",
-  "CLIENT_SECRET": "",
-  "SCOPES": "",
-  "NAME_CLAIM": ""
-}`
-
-# /!\ legacy openid settings, prefer the config above
-OPENID_CLIENT_ID=
-OPENID_CLIENT_SECRET=
-OPENID_SCOPES="openid profile" # Add "email" for some providers like Google that do not provide preferred_username
-OPENID_NAME_CLAIM="name" # Change to "username" for some providers that do not provide name
-OPENID_PROVIDER_URL=https://huggingface.co # for Google, use https://accounts.google.com
-OPENID_TOLERANCE=
-OPENID_RESOURCE=
-
-TEXT_EMBEDDING_MODELS = `[
-  {
-    "name": "Xenova/gte-small",
-    "displayName": "Xenova/gte-small",
-    "description": "Local embedding model running on the server.",
-    "chunkCharLength": 512,
-    "endpoints": [
-      { "type": "transformersjs" }
-    ]
-  }
-]`
 
-# 'name', 'userMessageToken', 'assistantMessageToken' are required
+### Models ###
+## Models can support many different endpoints, check the documentation for more details
 MODELS=`[
     {
-      "name": "HuggingFaceTB/SmolLM2-1.7B-Instruct",
-      "description": "SmolLM2-1.7B is the latest lightweight model from the Hugging Face TB Research team.",
+      "name": "NousResearch/Hermes-3-Llama-3.1-8B",
+      "description": "Nous Research's latest Hermes 3 release in 8B size.",
       "promptExamples": [
         {
           "title": "Write an email from bullet list",
@@ -87,14 +41,79 @@ MODELS=`[
       ]
     }
 ]`
+## Text Embedding Models used for websearch
+# Default is a model that runs locally on CPU.
+TEXT_EMBEDDING_MODELS = `[
+  {
+    "name": "Xenova/gte-small",
+    "displayName": "Xenova/gte-small",
+    "description": "Local embedding model running on the server.",
+    "chunkCharLength": 512,
+    "endpoints": [
+      { "type": "transformersjs" }
+    ]
+  }
+]`
 
-OLD_MODELS=`[]`# any removed models, `{ name: string, displayName?: string, id?: string }`
-TASK_MODEL= # name of the model used for tasks such as summarizing title, creating query, etc.
+## Removed models, useful for migrating conversations
+# { name: string, displayName?: string, id?: string, transferTo?: string }`
+OLD_MODELS=`[]`
 
-PUBLIC_ORIGIN=#https://huggingface.co
-PUBLIC_SHARE_PREFIX=#https://hf.co/chat
-PUBLIC_GOOGLE_ANALYTICS_ID=#G-XXXXXXXX / Leave empty to disable
-PUBLIC_PLAUSIBLE_SCRIPT_URL=#/js/script.js / Leave empty to disable
+## Task model
+# name of the model used for tasks such as summarizing title, creating query, etc.
+# if not set, the first model in MODELS will be used
+TASK_MODEL=
+
+
+### Authentication ###
+# Parameters to enable open id login
+OPENID_CONFIG=`{
+  "PROVIDER_URL": "",
+  "CLIENT_ID": "",
+  "CLIENT_SECRET": "",
+  "SCOPES": "",
+  "NAME_CLAIM": ""
+}`
+MESSAGES_BEFORE_LOGIN=# how many messages a user can send in a conversation before having to login. set to 0 to force login right away
+# if it's defined, only these emails will be allowed to use login
+ALLOWED_USER_EMAILS=`[]` 
+# valid alternative redirect URLs for OAuth, used for HuggingChat apps
+ALTERNATIVE_REDIRECT_URLS=`[]` 
+### Cookies
+# name of the cookie used to store the session
+COOKIE_NAME=hf-chat
+# specify secure behaviour for cookies 
+COOKIE_SAMESITE=# can be "lax", "strict", "none" or left empty
+COOKIE_SECURE=# set to true to only allow cookies over https
+
+
+### Websearch ###
+## API Keys used to activate search with web functionality. websearch is disabled if none are defined. choose one of the following:
+YDC_API_KEY=#your docs.you.com api key here
+SERPER_API_KEY=#your serper.dev api key here
+SERPAPI_KEY=#your serpapi key here
+SERPSTACK_API_KEY=#your serpstack api key here
+SEARCHAPI_KEY=#your searchapi api key here
+USE_LOCAL_WEBSEARCH=#set to true to parse google results yourself, overrides other API keys
+SEARXNG_QUERY_URL=# where '<query>' will be replaced with query keywords see https://docs.searxng.org/dev/search_api.html eg https://searxng.yourdomain.com/search?q=<query>&engines=duckduckgo,google&format=json
+BING_SUBSCRIPTION_KEY=#your key
+## Websearch configuration
+PLAYWRIGHT_ADBLOCKER=true
+WEBSEARCH_ALLOWLIST=`[]` # if it's defined, allow websites from only this list.
+WEBSEARCH_BLOCKLIST=`[]` # if it's defined, block websites from this list.
+WEBSEARCH_JAVASCRIPT=true # CPU usage reduces by 60% on average by disabling javascript. Enable to improve website compatibility
+WEBSEARCH_TIMEOUT = 3500 # in milliseconds, determines how long to wait to load a page before timing out
+ENABLE_LOCAL_FETCH=false #set to true to allow fetches on the local network. /!\ Only enable this if you have the proper firewall rules to prevent SSRF attacks and understand the implications.
+
+
+## Public app configuration ##
+PUBLIC_APP_GUEST_MESSAGE=# a message to the guest user. If not set, no message will be shown. Only used if you have authentication enabled.
+PUBLIC_APP_NAME=ChatUI # name used as title throughout the app
+PUBLIC_APP_ASSETS=chatui # used to find logos & favicons in static/$PUBLIC_APP_ASSETS
+PUBLIC_APP_DESCRIPTION=# description used throughout the app
+PUBLIC_APP_DATA_SHARING=# Set to 1 to enable an option in the user settings to share conversations with model authors
+PUBLIC_APP_DISCLAIMER=# Set to 1 to show a disclaimer on login page
+PUBLIC_APP_DISCLAIMER_MESSAGE=# Message to show on the login page
 PUBLIC_ANNOUNCEMENT_BANNERS=`[
     {
     "title": "chat-ui is now open source!",
@@ -102,58 +121,86 @@ PUBLIC_ANNOUNCEMENT_BANNERS=`[
     "linkHref": "https://github.com/huggingface/chat-ui"
   }
 ]`
+PUBLIC_SMOOTH_UPDATES=false # set to true to enable smoothing of messages client-side, can be CPU intensive
+PUBLIC_ORIGIN=#https://huggingface.co
+PUBLIC_SHARE_PREFIX=#https://hf.co/chat
 
+# mostly huggingchat specific
+PUBLIC_GOOGLE_ANALYTICS_ID=#G-XXXXXXXX / Leave empty to disable
+PUBLIC_PLAUSIBLE_SCRIPT_URL=#/js/script.js / Leave empty to disable
 PUBLIC_APPLE_APP_ID=#1234567890 / Leave empty to disable
 
-PARQUET_EXPORT_DATASET=
-PARQUET_EXPORT_HF_TOKEN=
-ADMIN_API_SECRET=# secret to admin API calls, like computing usage stats or exporting parquet data
 
-PARQUET_EXPORT_SECRET=#DEPRECATED, use ADMIN_API_SECRET instead
+### Feature Flags ###
+LLM_SUMMARIZATION=true # generate conversation titles with LLMs
+ENABLE_ASSISTANTS=false #set to true to enable assistants feature
+ENABLE_ASSISTANTS_RAG=false # /!\ This will let users specify arbitrary URLs that the server will then request. Make sure you have the proper firewall rules in place. 
+REQUIRE_FEATURED_ASSISTANTS=false # require featured assistants to show in the list
+COMMUNITY_TOOLS=false # set to true to enable community tools
+EXPOSE_API=true # make the /api routes available
+ALLOW_IFRAME=true # Allow the app to be embedded in an iframe
 
-RATE_LIMIT= # /!\ Legacy definition of messages per minute. Use USAGE_LIMITS.messagesPerMinute instead
-MESSAGES_BEFORE_LOGIN=# how many messages a user can send in a conversation before having to login. set to 0 to force login right away
-PUBLIC_APP_GUEST_MESSAGE=# a message to the guest user. If not set, a default message will be used
 
-APP_BASE="" # base path of the app, e.g. /chat, left blank as default
-PUBLIC_APP_NAME=ChatUI # name used as title throughout the app
-PUBLIC_APP_ASSETS=chatui # used to find logos & favicons in static/$PUBLIC_APP_ASSETS
-PUBLIC_APP_COLOR=blue # can be any of tailwind colors: https://tailwindcss.com/docs/customizing-colors#default-color-palette
-PUBLIC_APP_DESCRIPTION=# description used throughout the app (if not set, a default one will be used)
-PUBLIC_APP_DATA_SHARING=#set to 1 to enable options & text regarding data sharing
-PUBLIC_APP_DISCLAIMER=#set to 1 to show a disclaimer on login page
-PUBLIC_APP_DISCLAIMER_MESSAGE="Disclaimer: AI is an area of active research with known problems such as biased generation and misinformation. Do not use this application for high-stakes decisions or advice. Do not insert your personal data, especially sensitive, like health data."
-LLM_SUMMARIZATION=true
+### Tools ###
+# Check out public config in `chart/env/prod.yaml` for more details
+TOOLS=`[]` 
 
-EXPOSE_API=true
-USE_HF_TOKEN_IN_API=false
+### Rate limits ### 
+# See `src/lib/server/usageLimits.ts`
+# {
+#   conversations: number, # how many conversations
+#   messages: number, # how many messages in a conversation
+#   assistants: number, # how many assistants
+#   messageLength: number, # how long can a message be before we cut it off
+#   messagesPerMinute: number, # how many messages per minute
+#   tools: number # how many tools
+# }
+USAGE_LIMITS=`{}`
 
 
-ENABLE_ASSISTANTS=false #set to true to enable assistants feature
-ENABLE_ASSISTANTS_RAG=false # /!\ This will let users specify arbitrary URLs that the server will then request. Make sure you have the proper firewall rules in place. 
-REQUIRE_FEATURED_ASSISTANTS=false
-ENABLE_LOCAL_FETCH=false #set to true to disable the blocklist for local fetches. Only enable this if you have the proper firewall rules to prevent SSRF attacks and understand the implications.
-ALTERNATIVE_REDIRECT_URLS=`[]` #valide alternative redirect URL for OAuth
-WEBHOOK_URL_REPORT_ASSISTANT=#provide webhook url to get notified when an assistant gets reported
+### HuggingFace specific ###
+# Let user authenticate with their HF token in the /api routes. This is only useful if you have OAuth configured with huggingface.
+USE_HF_TOKEN_IN_API=false
+## Feature flag & admin settings
+# Used for setting early access & admin flags to users
+HF_ORG_ADMIN=
+HF_ORG_EARLY_ACCESS=
+WEBHOOK_URL_REPORT_ASSISTANT=#provide slack webhook url to get notified for reports/feature requests
 
-ALLOWED_USER_EMAILS=`[]` # if it's defined, only these emails will be allowed to use the app
 
-USAGE_LIMITS=`{}`
 
-ALLOW_IFRAME=true
-ALLOW_INSECURE_COOKIES=false # recommended to keep this to false but set to true if you need to run over http without tls
+### Metrics ###
 METRICS_ENABLED=false
 METRICS_PORT=5565
 LOG_LEVEL=info
 
 
-TOOLS=`[]` 
-BODY_SIZE_LIMIT=15728640
+### Parquet export ###
+# Not in use anymore but useful to export conversations to a parquet file as a HuggingFace dataset
+PARQUET_EXPORT_DATASET=
+PARQUET_EXPORT_HF_TOKEN=
+ADMIN_API_SECRET=# secret to admin API calls, like computing usage stats or exporting parquet data
 
-HF_ORG_ADMIN=
-HF_ORG_EARLY_ACCESS=
 
-PUBLIC_SMOOTH_UPDATES=false
-COMMUNITY_TOOLS=false
+### Docker build variables ### 
+# These values cannot be updated at runtime
+# They need to be passed when building the docker image
+# See https://github.com/huggingface/chat-ui/main/.github/workflows/deploy-prod.yml#L44-L47
+APP_BASE="" # base path of the app, e.g. /chat, left blank as default
+PUBLIC_APP_COLOR=blue # can be any of tailwind colors: https://tailwindcss.com/docs/customizing-colors#default-color-palette
+### Body size limit for SvelteKit https://svelte.dev/docs/kit/adapter-node#Environment-variables-BODY_SIZE_LIMIT
+BODY_SIZE_LIMIT=15728640
+PUBLIC_COMMIT_SHA=
 
-PUBLIC_COMMIT_SHA=
+### LEGACY parameters
+HF_ACCESS_TOKEN=#LEGACY! Use HF_TOKEN instead
+ALLOW_INSECURE_COOKIES=false # LEGACY! Use COOKIE_SECURE and COOKIE_SAMESITE instead
+PARQUET_EXPORT_SECRET=#DEPRECATED, use ADMIN_API_SECRET instead
+RATE_LIMIT= # /!\ DEPRECATED definition of messages per minute. Use USAGE_LIMITS.messagesPerMinute instead
+OPENID_CLIENT_ID=
+OPENID_CLIENT_SECRET=
+OPENID_SCOPES="openid profile" # Add "email" for some providers like Google that do not provide preferred_username
+OPENID_NAME_CLAIM="name" # Change to "username" for some providers that do not provide name
+OPENID_PROVIDER_URL=https://huggingface.co # for Google, use https://accounts.google.com
+OPENID_TOLERANCE=
+OPENID_RESOURCE=