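# Coves Production Environment Variables
# Copy to .env.prod and fill in real values
# NEVER commit .env.prod to git!
#
# This is a template: every CHANGE_ME_* value is a placeholder and must be
# replaced before the service is started. One KEY=VALUE per line, values
# unquoted, comments on their own line (no trailing comments after a value).

# =============================================================================
# PostgreSQL (AppView Database)
# =============================================================================
POSTGRES_DB=coves_prod
POSTGRES_USER=coves_user
# Placeholder - use a long random password (e.g. openssl rand -base64 32)
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE

# Full connection string (alternative to individual vars above)
# NOTE(review): which setting wins when both DATABASE_URL and the POSTGRES_*
# vars are set is not stated here - confirm in the config loader.
# Keep sslmode=require (or verify-full, which also checks the server
# certificate) so credentials are not sent in the clear.
# DATABASE_URL=postgres://coves_user:password@localhost:5432/coves_prod?sslmode=require

# =============================================================================
# PDS (Personal Data Server)
# =============================================================================
# PDS URL for XRPC calls
PDS_URL=https://pds.coves.social

# Shared secret for HS256 JWTs (see HS256_ISSUERS below); 64 hex characters
# Generate with: openssl rand -hex 32
PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS

# Admin password for PDS management
PDS_ADMIN_PASSWORD=CHANGE_ME_SECURE_ADMIN_PASSWORD

# K256 private key for DID rotation; 64 hex characters
# Treat as the most sensitive secret in this file: a rotation key authorises
# changes to the instance identity itself.
# Generate with: openssl rand -hex 32
PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS

# Coves instance PDS account (for creating community records)
PDS_INSTANCE_HANDLE=coves.social
PDS_INSTANCE_PASSWORD=CHANGE_ME_INSTANCE_PASSWORD

# Optional: Email configuration for account recovery
# The SMTP URL embeds the mail credentials, so it is a secret like the others.
# PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.social

# =============================================================================
# Identity & Federation
# =============================================================================
# PLC Directory URL for DID resolution
# Defaults to https://plc.directory if not set
# PLC_DIRECTORY_URL=https://plc.directory

# Instance DID (did:web or did:plc)
INSTANCE_DID=did:web:coves.social

# Instance domain (required if not using did:web)
# INSTANCE_DOMAIN=coves.social

# Identity cache TTL (Go duration format, e.g. 5m, 1h)
# IDENTITY_CACHE_TTL=5m

# =============================================================================
# JWT Authentication
# =============================================================================
# Coves supports two JWT verification methods:
#
# 1. HS256 (shared secret) - For your own PDS
#    - Fast, no network calls needed
#    - Requires shared PDS_JWT_SECRET
#    - Only for PDSes you control
#
# 2. ES256 (DID resolution) - For federated users
#    - Works with any PDS (bsky.social, etc.)
#    - Resolves user's DID document to get public key
#    - No shared secret needed
#
# HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256
# These PDSes MUST share the same PDS_JWT_SECRET with Coves
# Every issuer listed here can mint tokens Coves accepts under the shared
# secret, so list only PDSes you operate.
HS256_ISSUERS=https://pds.coves.social

# Skip JWT signature verification (DEVELOPMENT ONLY!)
# MUST be false in production for proper security
AUTH_SKIP_VERIFY=false

# =============================================================================
# OAuth Configuration
# =============================================================================
# AppView public URL (used for OAuth callback and client metadata)
APPVIEW_PUBLIC_URL=https://coves.social

# Seal secret for encrypting session tokens (AES-256-GCM)
# REQUIRED - Generate with: openssl rand -base64 32
OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES

# Optional: OAuth client secret and key ID (for confidential clients only)
# Most deployments use public clients and don't need these
# OAUTH_CLIENT_SECRET=
# OAUTH_CLIENT_KID=

# =============================================================================
# Mobile Universal Links & App Links
# =============================================================================
# Required for iOS Universal Links
# Format: <Team ID>.<Bundle ID>
# Find Team ID: Apple Developer Portal -> Membership
# Find Bundle ID: Xcode project -> General -> Bundle Identifier
APPLE_APP_ID=ABCD1234EF.social.coves.app

# Required for Android App Links
# Format: Android package name (reverse domain notation)
ANDROID_PACKAGE_NAME=social.coves.app

# SHA-256 fingerprint of your Android app's signing certificate
# Get with: keytool -list -v -keystore release.jks -alias release
# Format: 64 hex characters with colons (AA:BB:CC:...)
# Use the release signing certificate, not a debug keystore.
ANDROID_SHA256_FINGERPRINT=AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00

# =============================================================================
# Security & Encryption
# =============================================================================
# For encrypting community credentials in database
# Generate with: openssl rand -base64 32
# Rotating this key requires re-encrypting stored credentials - keep a backup.
ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY

# Secret for HMAC signing of pagination cursors
# Generate with: openssl rand -base64 32
CURSOR_SECRET=CHANGE_ME_CURSOR_SECRET

# Optional: Restrict community creation to specific DIDs
# Comma-separated list. If not set, any authenticated user can create
# communities (open by default).
# COMMUNITY_CREATORS=did:plc:abc123,did:plc:def456

# =============================================================================
# Jetstream Configuration (Real-time Event Indexing)
# =============================================================================
# User profile indexing
JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=app.bsky.actor.profile

# Optional: Filter Jetstream events to specific PDS
# JETSTREAM_PDS_FILTER=pds.coves.social

# Community event indexing (profiles and subscriptions)
# COMMUNITY_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription

# Post indexing
# POST_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post

# Vote indexing
# VOTE_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote

# Comment indexing
# COMMENT_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment

# Aggregator indexing
# AGGREGATOR_JETSTREAM_URL=

# =============================================================================
# Cloudflare (for wildcard SSL certificates)
# =============================================================================
# Required for *.coves.social wildcard certificate
# Create at: Cloudflare Dashboard -> My Profile -> API Tokens -> Create Token
# Template: "Edit zone DNS" with permissions for coves.social zone
# Scope the token to that one zone and permission only; do not reuse an
# account-wide token here.
CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN

# =============================================================================
# Server Configuration
# =============================================================================
# HTTP server port
PORT=8080

# Environment
# NOTE(review): ENV and IS_DEV_ENV overlap; whether one is derived from the
# other is not shown here - confirm in the loader and keep them consistent.
ENV=production
IS_DEV_ENV=false

# Skip did:web domain verification (DEVELOPMENT ONLY!)
# MUST be false in production to prevent domain spoofing
SKIP_DID_WEB_VERIFICATION=false

# =============================================================================
# Optional: Versioning
# =============================================================================
# NOTE(review): if this selects a container image tag, "latest" is mutable;
# pinning a specific release is reproducible - confirm what reads it.
VERSION=latest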