.env.dev at feat/vote-xrpc-endpoints · bretton.dev/coves

bretton.dev / coves
A community based topic aggregation platform built on atproto
coves / .env.dev
at feat/vote-xrpc-endpoints 9.1 kB view raw
  1# Coves Local Development Environment Configuration
  2# This file contains all environment variables for the local atProto development stack
  3# DO NOT commit secrets to version control in production!
  4
  5# =============================================================================
  6# PostgreSQL Configuration (Development Database)
  7# =============================================================================
  8# Development database for Coves AppView (runs on port 5435)
  9POSTGRES_HOST=localhost
 10POSTGRES_PORT=5435
 11POSTGRES_DB=coves_dev
 12POSTGRES_USER=dev_user
 13POSTGRES_PASSWORD=dev_password
 14
 15# =============================================================================
 16# PDS (Personal Data Server) Configuration
 17# =============================================================================
 18# PDS runs on port 3001 (to avoid conflict with production PDS on :3000)
 19PDS_HOSTNAME=localhost
 20PDS_PORT=3001
 21
 22# PDS Service Endpoint for DIDs
 23# This is the URL that goes in DID documents' atproto_pds service endpoint
 24# Must match what the PDS thinks its public URL is (internal port 3000)
 25# Development: http://localhost:3000 (PDS's internal view)
 26# Production: https://pds.coves.social
 27PDS_SERVICE_ENDPOINT=http://localhost:3000
 28
 29# DID PLC Directory for PDS
 30# For local E2E testing: Use local PLC (requires --profile plc)
 31# Note: Use container hostname for PDS to reach PLC within Docker network
 32PDS_DID_PLC_URL=http://plc-directory:3000
 33
 34# JWT Secret (for signing tokens - change in production!)
 35PDS_JWT_SECRET=local-dev-jwt-secret-change-in-production
 36
 37# Admin password for PDS management
 38PDS_ADMIN_PASSWORD=admin
 39
 40# Handle domains (users will get handles like alice.local.coves.dev)
 41# Communities will use .community.coves.social (singular per atProto conventions)
 42PDS_SERVICE_HANDLE_DOMAINS=.local.coves.dev,.community.coves.social
 43
 44# PLC Rotation Key (k256 private key in hex format - for local dev only)
 45# This is a randomly generated key for testing - DO NOT use in production
 46PDS_PLC_ROTATION_KEY=af514fb84c4356241deed29feb392d1ee359f99c05a7b8f7bff2e5f2614f64b2
 47
 48# =============================================================================
 49# AppView Configuration (Your Go Application)
 50# =============================================================================
 51# AppView runs on port 8081 (to avoid conflicts)
 52APPVIEW_PORT=8081
 53
 54# PDS Firehose URL (WebSocket connection - direct to PDS, no relay)
 55FIREHOSE_URL=ws://localhost:3001/xrpc/com.atproto.sync.subscribeRepos
 56
 57# PDS URL (for XRPC calls)
 58PDS_URL=http://localhost:3001
 59
 60# =============================================================================
 61# Test Database Configuration
 62# =============================================================================
 63# Test database runs on port 5434 (separate from dev on 5433)
 64POSTGRES_TEST_DB=coves_test
 65POSTGRES_TEST_USER=test_user
 66POSTGRES_TEST_PASSWORD=test_password
 67POSTGRES_TEST_PORT=5434
 68
 69# =============================================================================
 70# Jetstream Configuration (Read-Forward User Indexing)
 71# =============================================================================
 72# Jetstream WebSocket URL for real-time atProto events
 73#
 74# Production: Use Bluesky's public Jetstream (indexes entire network)
 75# JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=app.bsky.actor.profile
 76#
 77# Local E2E Testing: Use local Jetstream (indexes only local PDS)
 78# 1. Start local Jetstream: docker-compose --profile jetstream up pds jetstream
 79# 2. Use this URL:
 80JETSTREAM_URL=ws://localhost:6008/subscribe
 81
 82# Optional: Filter events to specific PDS
 83# JETSTREAM_PDS_FILTER=http://localhost:3001
 84
 85# =============================================================================
 86# Identity Resolution Configuration
 87# =============================================================================
 88# IMPORTANT: In dev mode (IS_DEV_ENV=true), identity resolution automatically
 89# uses PLC_DIRECTORY_URL to ensure E2E tests stay local. In production, you
 90# can optionally set IDENTITY_PLC_URL to use a different URL for read operations.
 91#
 92# For local dev: Leave IDENTITY_PLC_URL unset (uses PLC_DIRECTORY_URL)
 93# For production: Optionally set IDENTITY_PLC_URL=https://plc.directory
 94
 95# Cache TTL for resolved identities (Go duration format: 24h, 1h30m, etc.)
 96IDENTITY_CACHE_TTL=24h
 97
 98# =============================================================================
 99# OAuth Configuration
100# =============================================================================
101# OAuth client private key (ES256 keypair - generate with: go run cmd/genjwks/main.go)
102# DO NOT commit this to version control in production!
103#
104# Supports two formats:
105# 1. Plain JSON (easier for local development):
106#    OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256",...}
107#
108# 2. Base64 encoded (recommended for production to avoid shell escaping):
109#    OAUTH_PRIVATE_JWK=base64:eyJhbGciOiJFUzI1NiIsImNydiI6IlAtMjU2Ii...
110#    Generate with: echo '{"alg":...}' | base64 -w 0
111#
112OAUTH_PRIVATE_JWK={"alg":"ES256","crv":"P-256","d":"9tCMceYSgyZfO5KYOCm3rWEhXLqq2l4LjP7-PJtJKyk","kid":"oauth-client-key","kty":"EC","use":"sig","x":"EOYWEgZ2d-smTO6jh0f-9B7YSFYdlrvlryjuXTCrOjE","y":"_FR2jBcWNxoJl5cd1eq9sYtAs33No9AVtd42UyyWYi4"}
113
114# Cookie secret for session encryption (generate with: openssl rand -hex 32)
115# Also supports base64: prefix for consistency
116OAUTH_COOKIE_SECRET=f1132c01b1a625a865c6c455a75ee793572cedb059cebe0c4c1ae4c446598f7d
117
118# Seal secret for OAuth session tokens (AES-256-GCM encryption)
119# Generate with: openssl rand -base64 32
120# This must be 32 bytes when base64-decoded for AES-256
121# OAUTH_SEAL_SECRET=ryW6xNVxYhP6hCDA90NGCmK58Q2ONnkYXbHL0oZN2no=
122
123# AppView public URL (used for OAuth callback and client metadata)
124# Dev: http://127.0.0.1:8081 (use 127.0.0.1 instead of localhost per RFC 8252)
125# Prod: https://coves.social
126APPVIEW_PUBLIC_URL=http://127.0.0.1:8081
127
128# =============================================================================
129# Coves Instance PDS Authentication
130# =============================================================================
131# The Coves instance needs a PDS account to write community records
132# Create this account once: curl -X POST http://localhost:3001/xrpc/com.atproto.server.createAccount
133PDS_INSTANCE_HANDLE=testuser123.local.coves.dev
134PDS_INSTANCE_PASSWORD=test-password-123
135
136# Kagi News Aggregator DID (for trusted thumbnail URLs)
137KAGI_AGGREGATOR_DID=did:plc:yyf34padpfjknejyutxtionr
138
139# =============================================================================
140# Development Settings
141# =============================================================================
142# Environment
143ENV=development
144NODE_ENV=development
145# Always true for local development (use PLC_DIRECTORY_URL to control registration)
146IS_DEV_ENV=true
147
148# Security: Skip did:web domain verification for local development
149# IMPORTANT: Set to false in production to prevent domain spoofing attacks
150# When true, communities can claim any hostedByDID without verification
151# When false, hostedByDID must match the community handle domain
152SKIP_DID_WEB_VERIFICATION=true
153
154# Authentication: Skip JWT signature verification for local development (Phase 1)
155# IMPORTANT: Set to false in production for full signature verification
156# When true, only parses JWT without verifying signature (trusts any valid JWT format)
157# When false, verifies JWT signature against issuer's JWKS
158AUTH_SKIP_VERIFY=true
159
160# HS256 Issuers: PDSes allowed to use HS256 (shared secret) authentication
161# Must share PDS_JWT_SECRET with Coves instance. External PDSes use ES256 via DID resolution.
162# For local dev, allow the local PDS or turn AUTH_SKIP_VERIFY = true
163HS256_ISSUERS=http://localhost:3001
164
165# Logging
166LOG_LEVEL=debug
167LOG_ENABLED=true
168
169# =============================================================================
170# PLC Directory Configuration
171# =============================================================================
172# URL for PLC (Public Ledger of Credentials) directory
173#
174# For local E2E testing with registration: http://localhost:3002 (requires --profile plc)
175#   - Registers DIDs with local PLC directory
176#   - Safe for testing, won't pollute production plc.directory
177#   - PDS must also be configured to use local PLC (see PDS_DID_PLC_URL)
178#
179# Production: https://plc.directory (currently Bluesky's, will transfer to third party)
180#   - DO NOT use production PLC for testing!
181#
182PLC_DIRECTORY_URL=http://localhost:3002
183
184# =============================================================================
185# Notes
186# =============================================================================
187# All local development configuration in one file!
188# - Dev PostgreSQL:  port 5435
189# - Test PostgreSQL: port 5434 (via --profile test)
190# - PDS:             port 3001 (avoids conflict with production on :3000)
191# - AppView:         port 8081
192# - PDS is self-contained (SQLite + CAR files)
193# - PostgreSQL is only for Coves AppView indexing
194# - AppView subscribes directly to PDS firehose (no relay needed)
195# - PDS firehose: ws://localhost:3001/xrpc/com.atproto.sync.subscribeRepos