···
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE
+
# Full connection string (alternative to individual vars above)
+
# DATABASE_URL=postgres://coves_user:password@localhost:5432/coves_prod?sslmode=require
# =============================================================================
# PDS (Personal Data Server)
# =============================================================================
+
# PDS URL for XRPC calls
+
PDS_URL=https://pds.coves.social
# Generate with: openssl rand -hex 32
PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS
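Review bot: The added DATABASE_URL example is described only as "alternative to individual vars above", which leaves precedence undefined when an operator sets both it and the POSTGRES_* variables; the comment should state which the loader honours, e.g. `# Full connection string (when set, takes precedence over the POSTGRES_* vars above)` or the reverse, whichever the config code actually does — that cannot be determined from this hunk. Since this form carries the password inline in the URL, the same comment could remind operators to keep `?sslmode=require` when they uncomment it, as the example already shows. The surrounding section header is outside this hunk.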
···
# Generate with: openssl rand -hex 32
PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS
+
# Coves instance PDS account (for creating community records)
+
PDS_INSTANCE_HANDLE=coves.social
+
PDS_INSTANCE_PASSWORD=CHANGE_ME_INSTANCE_PASSWORD
# Optional: Email configuration for account recovery
# PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
+
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.social
+
# =============================================================================
+
# Identity & Federation
+
# =============================================================================
+
# PLC Directory URL for DID resolution
+
# Defaults to https://plc.directory if not set
+
# PLC_DIRECTORY_URL=https://plc.directory
+
# Instance DID (did:web or did:plc)
+
INSTANCE_DID=did:web:coves.social
+
# Instance domain (required if not using did:web)
+
# INSTANCE_DOMAIN=coves.social
+
# Identity cache TTL (Go duration format)
+
# IDENTITY_CACHE_TTL=5m
# =============================================================================
···
# HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256
# These PDSes MUST share the same PDS_JWT_SECRET with Coves
+
HS256_ISSUERS=https://pds.coves.social
# Skip JWT signature verification (DEVELOPMENT ONLY!)
# Set to false in production for proper security
# =============================================================================
# =============================================================================
+
# AppView public URL (used for OAuth callback and client metadata)
+
APPVIEW_PUBLIC_URL=https://coves.social
+
# OAuth client ID (usually your client-metadata.json URL)
+
OAUTH_CLIENT_ID=https://coves.social/oauth/client-metadata.json
OAUTH_REDIRECT_URI=https://coves.social/oauth/callback
# Generate EC P-256 private key in JWK format
# See: https://atproto.com/specs/oauth#client-metadata
+
# Generate with: go run cmd/genjwks/main.go
OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}
+
# Seal secret for encrypting mobile session tokens (AES-256-GCM)
+
# Generate with: openssl rand -base64 32
+
OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES
+
# Optional: OAuth client secret and key ID (for confidential clients)
# =============================================================================
+
# Mobile Universal Links & App Links
+
# =============================================================================
+
# Required for iOS Universal Links
+
# Format: <Team ID>.<Bundle ID>
+
# Find Team ID: Apple Developer Portal -> Membership
+
# Find Bundle ID: Xcode project -> General -> Bundle Identifier
+
APPLE_APP_ID=ABCD1234EF.social.coves.app
+
# Required for Android App Links
+
# Format: Android package name (reverse domain notation)
+
ANDROID_PACKAGE_NAME=social.coves.app
+
# SHA-256 fingerprint of your Android app's signing certificate
+
# Get with: keytool -list -v -keystore release.jks -alias release
+
# Format: 64 hex characters with colons (AA:BB:CC:...)
+
ANDROID_SHA256_FINGERPRINT=AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00
+
# =============================================================================
+
# Security & Encryption
# =============================================================================
# For encrypting community credentials in database
# Generate with: openssl rand -base64 32
ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY
+
# Secret for HMAC signing of pagination cursors
+
# Generate with: openssl rand -base64 32
+
CURSOR_SECRET=CHANGE_ME_CURSOR_SECRET
+
# Optional: Restrict community creation to specific DIDs
+
# Comma-separated list. If not set, any authenticated user can create communities.
+
# COMMUNITY_CREATORS=did:plc:abc123,did:plc:def456
+
# =============================================================================
+
# Jetstream Configuration (Real-time Event Indexing)
+
# =============================================================================
+
# User profile indexing
+
JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=app.bsky.actor.profile
+
# Optional: Filter Jetstream events to specific PDS
+
# JETSTREAM_PDS_FILTER=pds.coves.social
+
# Community event indexing (profiles and subscriptions)
+
# COMMUNITY_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription
+
# POST_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post
+
# VOTE_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote
+
# COMMENT_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment
+
# AGGREGATOR_JETSTREAM_URL=
# =============================================================================
# Cloudflare (for wildcard SSL certificates)
# =============================================================================
# Required for *.coves.social wildcard certificate
+
# Create at: Cloudflare Dashboard -> My Profile -> API Tokens -> Create Token
# Template: "Edit zone DNS" with permissions for coves.social zone
CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN
+
# =============================================================================
+
# =============================================================================
+
# Skip did:web domain verification (DEVELOPMENT ONLY!)
+
# MUST be false in production to prevent domain spoofing
+
SKIP_DID_WEB_VERIFICATION=false
# =============================================================================