A community-based topic aggregation platform built on atproto
# Coves Production Environment Variables
# Copy to .env.prod and fill in real values
# NEVER commit .env.prod to git!
#
# This file holds every production secret in plain text. Keep .env.prod
# readable only by the deploying user (e.g. chmod 600) and out of backups,
# logs and container images.
# Every CHANGE_ME_* value below is a placeholder and must be replaced before
# deploying. Generate each secret independently; never reuse one value for
# two variables.

# =============================================================================
# PostgreSQL (AppView Database)
# =============================================================================
POSTGRES_DB=coves_prod
POSTGRES_USER=coves_user
# Use a long random value (for example: openssl rand -hex 32). A hex string
# also avoids characters that would need escaping if the password is ever
# embedded in a connection URL.
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE

# =============================================================================
# PDS (Personal Data Server)
# =============================================================================
# Generate with: openssl rand -hex 32
# This is the shared secret used for HS256 verification (see "JWT
# Authentication" below): anyone who holds it can produce tokens that HS256
# verification accepts, so share it only with PDSes you control.
PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS

# Admin password for PDS management
# Use a unique, randomly generated value; do not reuse the database password.
PDS_ADMIN_PASSWORD=CHANGE_ME_SECURE_ADMIN_PASSWORD

# K256 private key for DID rotation
# Generate with: openssl rand -hex 32
# NOTE(review): a rotation key authorises changes to a DID, so treat it as the
# most sensitive value in this file and keep an offline backup - confirm the
# recovery procedure against the PDS documentation.
PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS

# Optional: Email configuration for account recovery
# The SMTP URL embeds the mail account's credentials, so it is a secret too.
# PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.me

# =============================================================================
# JWT Authentication
# =============================================================================
# Coves supports two JWT verification methods:
#
# 1. HS256 (shared secret) - For your own PDS
#    - Fast, no network calls needed
#    - Requires shared PDS_JWT_SECRET
#    - Only for PDSes you control
#
# 2. ES256 (DID resolution) - For federated users
#    - Works with any PDS (bsky.social, etc.)
#    - Resolves user's DID document to get public key
#    - No shared secret needed
#
# HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256
# These PDSes MUST share the same PDS_JWT_SECRET with Coves
# Keep this list as short as possible: every issuer listed here is trusted on
# the strength of the shared secret alone, so list only PDSes you operate.
# Example: HS256_ISSUERS=https://pds.coves.social,https://pds.example.com
# NOTE(review): the example above uses pds.coves.social, the value below uses
# pds.coves.me, and the OAuth URLs use coves.social - confirm which domain
# your deployment actually serves the PDS from.
HS256_ISSUERS=https://pds.coves.me

# PLC Directory URL for DID resolution (optional)
# Defaults to https://plc.directory if not set
# The directory's answers supply the public keys used for ES256 verification,
# so point this only at a directory you trust, over https.
# PLC_DIRECTORY_URL=https://plc.directory

# Skip JWT signature verification (DEVELOPMENT ONLY!)
# Must stay false in production: with verification skipped, token signatures
# are not checked and token contents are trusted as presented.
AUTH_SKIP_VERIFY=false

# =============================================================================
# AppView OAuth (for mobile app authentication)
# =============================================================================
OAUTH_CLIENT_ID=https://coves.social/client-metadata.json
OAUTH_REDIRECT_URI=https://coves.social/oauth/callback

# Generate EC P-256 private key in JWK format
# See: https://atproto.com/specs/oauth#client-metadata
# The "d" member is the private part of the key; the "..." values below are
# placeholders. Only the public members (without "d") belong in any published
# client metadata.
# NOTE(review): the value is unquoted JSON containing double quotes, and
# dotenv loaders differ in how they treat quotes - verify that the loader used
# in this deployment passes the JSON through intact.
OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}

# =============================================================================
# AppView Encryption
# =============================================================================
# For encrypting community credentials in database
# Generate with: openssl rand -base64 32
# Back this key up separately from the database: a copy stored next to the
# database backups defeats the encryption.
# NOTE(review): losing the key presumably makes the stored credentials
# unrecoverable - confirm before rotating it.
ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY

# =============================================================================
# Cloudflare (for wildcard SSL certificates)
# =============================================================================
# Required for *.coves.social wildcard certificate
# Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
# Template: "Edit zone DNS" with permissions for coves.social zone
# Restrict the token to that single zone; it needs no account-wide permissions.
CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN

# =============================================================================
# Optional: Versioning
# =============================================================================
# NOTE(review): if this value selects a container image tag, "latest" is
# mutable - pin an explicit release (or image digest) in production so that
# deployments are reproducible and auditable.
VERSION=latest