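# Coves Production Environment Variables
#
# Copy to .env.prod and fill in real values.
# NEVER commit .env.prod to git! Keep it listed in .gitignore and readable
# only by the deploy user (chmod 600): every value below is either a secret
# or decides whom the AppView trusts.
#
# Every CHANGE_ME_* placeholder must be replaced before the first start.
# Nothing in this template enforces that, so check before deploying:
#   grep -n CHANGE_ME .env.prod
#
# Loader note: values are taken literally after the first '='. Do not put
# comments on value lines and keep each value on a single line.

# =============================================================================
# PostgreSQL (AppView Database)
# =============================================================================
POSTGRES_DB=coves_prod
# Use a dedicated role for the AppView, not the PostgreSQL superuser.
POSTGRES_USER=coves_user
# Generate with: openssl rand -base64 32
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE

# =============================================================================
# PDS (Personal Data Server)
# =============================================================================
# Shared HS256 signing secret. The AppView verifies tokens from the PDSes in
# HS256_ISSUERS (below) with this same value, so anyone holding it can forge a
# valid token for any user. Rotate it on both sides at the same time.
# Generate with: openssl rand -hex 32
PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS

# Admin password for PDS management. Treat it as a root credential for the
# PDS; never reuse it anywhere else.
PDS_ADMIN_PASSWORD=CHANGE_ME_SECURE_ADMIN_PASSWORD

# K256 (secp256k1) private key for DID rotation. A rotation key authorizes
# changes to a DID document, so leaking it means someone else can take over
# the identities it controls, and losing it means you cannot. Keep an offline
# backup; it is not derivable from anything else in this file.
# Generate with: openssl rand -hex 32
PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS

# Optional: Email configuration for account recovery
# Credentials embedded in the URL must be URL-encoded. Use a send-only
# mailbox or app password, not a personal account. Whether the connection is
# encrypted depends on the PDS mailer's handling of the scheme/port, so
# confirm STARTTLS is actually negotiated on 587.
# PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.me

# =============================================================================
# JWT Authentication
# =============================================================================
# Coves supports two JWT verification methods:
#
# 1. HS256 (shared secret) - For your own PDS
#    - Fast, no network calls needed
#    - Requires shared PDS_JWT_SECRET
#    - Only for PDSes you control: with a shared secret the AppView cannot
#      tell which PDS minted a token, so every issuer listed can speak for
#      every user.
#
# 2. ES256 (DID resolution) - For federated users
#    - Works with any PDS (bsky.social, etc.)
#    - Resolves user's DID document to get public key
#    - No shared secret needed
#
# HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256.
# These PDSes MUST share the same PDS_JWT_SECRET with Coves.
# Example: HS256_ISSUERS=https://pds.coves.social,https://pds.example.com
#
# NOTE(review): this template mixes coves.me and coves.social hostnames
# (compare OAUTH_* and the Cloudflare section). Confirm the issuer URL is
# exactly the one your PDS puts in its tokens, otherwise its tokens fall
# back to ES256 resolution or are rejected.
HS256_ISSUERS=https://pds.coves.me

# PLC Directory URL for DID resolution (optional)
# Defaults to https://plc.directory if not set. ES256 verification trusts
# whatever this endpoint returns, so only point it at a directory you trust.
# PLC_DIRECTORY_URL=https://plc.directory

# Skip JWT signature verification (DEVELOPMENT ONLY!)
# When true, any JWT is accepted without checking its signature, i.e. anyone
# can impersonate any user. It must stay false in production; there is no
# safe non-false value here.
AUTH_SKIP_VERIFY=false

# =============================================================================
# AppView OAuth (for mobile app authentication)
# =============================================================================
OAUTH_CLIENT_ID=https://coves.social/client-metadata.json
# Must match the redirect URI published in the client-metadata document
# above; authorization servers reject mismatches.
OAUTH_REDIRECT_URI=https://coves.social/oauth/callback

# EC P-256 private key in JWK format. This is the client's private signing
# key: only the public part (kty/crv/x/y, no "d") belongs in the
# client-metadata document. Keep the JSON on one line. dotenv loaders read it
# verbatim, but a shell `source` of this file would strip the double quotes
# and break the JSON, so always load it through the app's env loader.
# See: https://atproto.com/specs/oauth#client-metadata
OAUTH_PRIVATE_JWK={"kty":"EC","crv":"P-256","x":"...","y":"...","d":"..."}

# =============================================================================
# AppView Encryption
# =============================================================================
# For encrypting community credentials in database.
# Rotating this key means re-encrypting every stored credential; losing it
# makes those rows unrecoverable. Back it up separately from the database
# dump, otherwise a stolen backup includes both the ciphertext and the key.
# Generate with: openssl rand -base64 32
ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY

# =============================================================================
# Cloudflare (for wildcard SSL certificates)
# =============================================================================
# Required for *.coves.social wildcard certificate (DNS-01 validation).
# Create at: Cloudflare Dashboard → My Profile → API Tokens → Create Token
# Template: "Edit zone DNS" with permissions for coves.social zone.
# Restrict the token to that single zone and DNS:Edit only, and add a TTL
# or client IP filter if your plan allows. A leaked token lets an attacker
# publish DNS records for the zone, including the TXT records needed to
# obtain certificates for any of its names.
CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN

# =============================================================================
# Optional: Versioning
# =============================================================================
# `latest` is a mutable tag: two hosts can pull different images and there is
# nothing to roll back to. For production pin an immutable release tag (or an
# image digest) and bump it deliberately.
VERSION=latest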