···
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE
12
+
# Full connection string (alternative to individual vars above)
13
+
# DATABASE_URL=postgres://coves_user:password@localhost:5432/coves_prod?sslmode=require
# =============================================================================
# PDS (Personal Data Server)
# =============================================================================
18
+
# PDS URL for XRPC calls
19
+
PDS_URL=https://pds.coves.social
# Generate with: openssl rand -hex 32
PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS
···
# Generate with: openssl rand -hex 32
PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS
31
+
# Coves instance PDS account (for creating community records)
32
+
PDS_INSTANCE_HANDLE=coves.social
33
+
PDS_INSTANCE_PASSWORD=CHANGE_ME_INSTANCE_PASSWORD
# Optional: Email configuration for account recovery
# PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
27
-
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.me
37
+
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.social
39
+
# =============================================================================
40
+
# Identity & Federation
41
+
# =============================================================================
42
+
# PLC Directory URL for DID resolution
43
+
# Defaults to https://plc.directory if not set
44
+
# PLC_DIRECTORY_URL=https://plc.directory
46
+
# Instance DID (did:web or did:plc)
47
+
INSTANCE_DID=did:web:coves.social
49
+
# Instance domain (required if not using did:web)
50
+
# INSTANCE_DOMAIN=coves.social
52
+
# Identity cache TTL (Go duration format)
53
+
# IDENTITY_CACHE_TTL=5m
# =============================================================================
···
# HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256
# These PDSes MUST share the same PDS_JWT_SECRET with Coves
46
-
# Example: HS256_ISSUERS=https://pds.coves.social,https://pds.example.com
47
-
HS256_ISSUERS=https://pds.coves.me
49
-
# PLC Directory URL for DID resolution (optional)
50
-
# Defaults to https://plc.directory if not set
51
-
# PLC_DIRECTORY_URL=https://plc.directory
72
+
HS256_ISSUERS=https://pds.coves.social
# Skip JWT signature verification (DEVELOPMENT ONLY!)
# Set to false in production for proper security
# =============================================================================
58
-
# AppView OAuth (for mobile app authentication)
79
+
# OAuth Configuration
# =============================================================================
60
-
OAUTH_CLIENT_ID=https://coves.social/client-metadata.json
81
+
# AppView public URL (used for OAuth callback and client metadata)
82
+
APPVIEW_PUBLIC_URL=https://coves.social
84
+
# OAuth client ID (usually your client-metadata.json URL)
85
+
OAUTH_CLIENT_ID=https://coves.social/oauth/client-metadata.json
87
+
# OAuth callback URI
OAUTH_REDIRECT_URI=https://coves.social/oauth/callback
# Generate EC P-256 private key in JWK format
# See: https://atproto.com/specs/oauth#client-metadata
92
+
# Generate with: go run cmd/genjwks/main.go
OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}
95
+
# Seal secret for encrypting mobile session tokens (AES-256-GCM)
96
+
# Generate with: openssl rand -base64 32
97
+
OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES
99
+
# Optional: OAuth client secret and key ID (for confidential clients)
100
+
# OAUTH_CLIENT_SECRET=
101
+
# OAUTH_CLIENT_KID=
# =============================================================================
68
-
# AppView Encryption
104
+
# Mobile Universal Links & App Links
105
+
# =============================================================================
106
+
# Required for iOS Universal Links
107
+
# Format: <Team ID>.<Bundle ID>
108
+
# Find Team ID: Apple Developer Portal -> Membership
109
+
# Find Bundle ID: Xcode project -> General -> Bundle Identifier
110
+
APPLE_APP_ID=ABCD1234EF.social.coves.app
112
+
# Required for Android App Links
113
+
# Format: Android package name (reverse domain notation)
114
+
ANDROID_PACKAGE_NAME=social.coves.app
116
+
# SHA-256 fingerprint of your Android app's signing certificate
117
+
# Get with: keytool -list -v -keystore release.jks -alias release
118
+
# Format: 64 hex characters with colons (AA:BB:CC:...)
119
+
ANDROID_SHA256_FINGERPRINT=AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00
121
+
# =============================================================================
122
+
# Security & Encryption
# =============================================================================
# For encrypting community credentials in database
# Generate with: openssl rand -base64 32
ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY
128
+
# Secret for HMAC signing of pagination cursors
129
+
# Generate with: openssl rand -base64 32
130
+
CURSOR_SECRET=CHANGE_ME_CURSOR_SECRET
132
+
# Optional: Restrict community creation to specific DIDs
133
+
# Comma-separated list. If not set, any authenticated user can create communities.
134
+
# COMMUNITY_CREATORS=did:plc:abc123,did:plc:def456
136
+
# =============================================================================
137
+
# Jetstream Configuration (Real-time Event Indexing)
138
+
# =============================================================================
139
+
# User profile indexing
140
+
JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=app.bsky.actor.profile
142
+
# Optional: Filter Jetstream events to specific PDS
143
+
# JETSTREAM_PDS_FILTER=pds.coves.social
145
+
# Community event indexing (profiles and subscriptions)
146
+
# COMMUNITY_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
149
+
# POST_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
152
+
# VOTE_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
155
+
# COMMENT_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
157
+
# Aggregator indexing
158
+
# AGGREGATOR_JETSTREAM_URL=
# =============================================================================
# Cloudflare (for wildcard SSL certificates)
# =============================================================================
# Required for *.coves.social wildcard certificate
78
-
# Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
164
+
# Create at: Cloudflare Dashboard -> My Profile -> API Tokens -> Create Token
# Template: "Edit zone DNS" with permissions for coves.social zone
CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN
168
+
# =============================================================================
169
+
# Server Configuration
170
+
# =============================================================================
178
+
# Skip did:web domain verification (DEVELOPMENT ONLY!)
179
+
# MUST be false in production to prevent domain spoofing
180
+
SKIP_DID_WEB_VERIFICATION=false
# =============================================================================
bretton.dev