# Coves Production Environment Variables
# Copy to .env.prod and fill in real values.
# NEVER commit .env.prod to git: keep it in .gitignore, restrict the file to the
# service user (e.g. chmod 600), and prefer a secret manager where the
# deployment supports one. Every CHANGE_ME value below is a placeholder that
# must be replaced before the service is exposed; several of them are
# root-equivalent for this instance.

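# =============================================================================
# PostgreSQL (AppView Database)
# =============================================================================
POSTGRES_DB=coves_prod
POSTGRES_USER=coves_user
# Generate with: openssl rand -hex 32 (hex avoids characters that need
# URL-encoding if the value is later embedded in DATABASE_URL)
POSTGRES_PASSWORD=CHANGE_ME_SECURE_PASSWORD_HERE

# Full connection string (alternative to individual vars above).
# URL-encode the password if it contains @ : / ? or #.
# sslmode=require encrypts the connection but does NOT verify the server
# certificate; when the database is reached over an untrusted network use
# sslmode=verify-full together with sslrootcert.
# DATABASE_URL=postgres://coves_user:password@localhost:5432/coves_prod?sslmode=require
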
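# =============================================================================
# PDS (Personal Data Server)
# =============================================================================
# PDS URL for XRPC calls (keep https in production)
PDS_URL=https://pds.coves.social

# Shared HS256 secret (see "JWT Authentication" below). Because HS256 uses
# the same value to sign and verify, anyone holding it can mint tokens that
# Coves accepts from the listed issuers: treat it like a root password and
# rotate it on BOTH the PDS and Coves if either side is compromised.
# Generate with: openssl rand -hex 32
PDS_JWT_SECRET=CHANGE_ME_64_HEX_CHARS

# Admin password for PDS management
PDS_ADMIN_PASSWORD=CHANGE_ME_SECURE_ADMIN_PASSWORD

# K256 (secp256k1) private key for DID rotation. This key controls the
# instance identity: losing it can leave the DID unrecoverable, and leaking
# it can let an attacker take the DID over. Keep an offline backup and never
# write it to logs.
# Generate with: openssl rand -hex 32
PDS_ROTATION_KEY=CHANGE_ME_64_HEX_CHARS

# Coves instance PDS account (for creating community records)
PDS_INSTANCE_HANDLE=coves.social
PDS_INSTANCE_PASSWORD=CHANGE_ME_INSTANCE_PASSWORD

# Optional: Email configuration for account recovery.
# The SMTP URL embeds credentials: URL-encode special characters, and prefer
# smtps:// or STARTTLS on 587 over plaintext where the provider allows it.
# PDS_EMAIL_SMTP_URL=smtp://user:pass@smtp.example.com:587
# PDS_EMAIL_FROM_ADDRESS=noreply@coves.social
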
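# =============================================================================
# Identity & Federation
# =============================================================================
# PLC Directory URL for DID resolution.
# Defaults to https://plc.directory if not set. ES256 verification (below)
# trusts whatever public keys this directory returns, so pointing it at a
# mirror you do not control hands that mirror control over which keys Coves
# accepts for federated users. Keep it on https and on a directory you trust.
# PLC_DIRECTORY_URL=https://plc.directory

# Instance DID (did:web or did:plc)
INSTANCE_DID=did:web:coves.social

# Instance domain (required if not using did:web)
# INSTANCE_DOMAIN=coves.social

# Identity cache TTL (Go duration format, e.g. 5m, 1h).
# Longer TTLs reduce directory traffic but delay pick-up of key rotations;
# shorter TTLs make a rotated or revoked key take effect sooner.
# IDENTITY_CACHE_TTL=5m
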
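# =============================================================================
# JWT Authentication
# =============================================================================
# Coves supports two JWT verification methods:
#
# 1. HS256 (shared secret) - For your own PDS
# - Fast, no network calls needed
# - Requires shared PDS_JWT_SECRET
# - Only for PDSes you control: the shared secret both signs and verifies,
#   so every issuer listed below can produce tokens Coves will accept
#
# 2. ES256 (DID resolution) - For federated users
# - Works with any PDS (bsky.social, etc.)
# - Resolves user's DID document to get public key
# - No shared secret needed
#
# HS256_ISSUERS: Comma-separated list of PDS URLs allowed to use HS256.
# These PDSes MUST share the same PDS_JWT_SECRET with Coves. Keep the list to
# PDSes you operate yourself; never add a third-party PDS here.
HS256_ISSUERS=https://pds.coves.social

# Skip JWT signature verification (DEVELOPMENT ONLY!)
# MUST be false in production: with verification skipped, any client can
# present a self-made token and act as any user.
AUTH_SKIP_VERIFY=false
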
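# =============================================================================
# OAuth Configuration
# =============================================================================
# AppView public URL (used for OAuth callback and client metadata).
# Must match the origin the auth server redirects to exactly (scheme, host,
# port); a mismatch breaks the login flow.
APPVIEW_PUBLIC_URL=https://coves.social

# Seal secret for encrypting session tokens (AES-256-GCM)
# REQUIRED - Generate with: openssl rand -base64 32
# Rotating this value invalidates existing sessions: tokens sealed with the
# old key can no longer be opened.
OAUTH_SEAL_SECRET=CHANGE_ME_BASE64_32_BYTES

# OAuth Confidential Client Configuration (optional)
# If both are set, Coves becomes a confidential OAuth client with 90-day session lifetime
# (Public clients are limited to 14 days by the auth server)
# Generate keys with: go run ./cmd/tools/generate-oauth-key
# The private key is what proves this client's identity to the auth server:
# keep it out of logs and version control, and use a fresh key id whenever
# you rotate it so old and new keys can be told apart.

# P-256 private key in multibase format (z-prefixed base58btc)
# OAUTH_CLIENT_PRIVATE_KEY=z...

# Key identifier (arbitrary string, used in JWT header)
# OAUTH_CLIENT_KEY_ID=coves-prod-key-1
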
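# =============================================================================
# Mobile Universal Links & App Links
# =============================================================================
# These values are served publicly in the app-association files, so they are
# not secrets, but a wrong value silently breaks link verification on device.
# Required for iOS Universal Links
# Format: <Team ID>.<Bundle ID>
# Find Team ID: Apple Developer Portal -> Membership
# Find Bundle ID: Xcode project -> General -> Bundle Identifier
APPLE_APP_ID=ABCD1234EF.social.coves.app

# Required for Android App Links
# Format: Android package name (reverse domain notation)
ANDROID_PACKAGE_NAME=social.coves.app

# SHA-256 fingerprint of your Android app's signing certificate.
# Get with: keytool -list -v -keystore release.jks -alias release
# Format: 64 hex characters with colons (AA:BB:CC:...)
# Use the certificate that actually signs the shipped APK (the release or
# Play app-signing key, not a debug keystore). The placeholder below is not
# a real fingerprint and must be replaced.
ANDROID_SHA256_FINGERPRINT=AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:11:22:33:44:55:66:77:88:99:00
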
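# =============================================================================
# Security & Encryption
# =============================================================================
# For encrypting community credentials in database.
# Generate with: openssl rand -base64 32
# Back this key up separately from the database: without it the stored
# credentials cannot be decrypted. NOTE(review): changing it presumably needs
# a re-encryption step for existing rows - confirm before rotating.
ENCRYPTION_KEY=CHANGE_ME_BASE64_ENCODED_KEY

# Secret for HMAC signing of pagination cursors.
# Generate with: openssl rand -base64 32
# Use a value distinct from every other secret in this file. Rotating it only
# invalidates cursors already handed out to clients.
CURSOR_SECRET=CHANGE_ME_CURSOR_SECRET

# Optional: Restrict community creation to specific DIDs
# Comma-separated list. If not set, any authenticated user can create
# communities; consider setting this on a public instance to limit abuse.
# COMMUNITY_CREATORS=did:plc:abc123,did:plc:def456
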
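# =============================================================================
# Jetstream Configuration (Real-time Event Indexing)
# =============================================================================
# Jetstream delivers public repo events for the requested collections. Keep
# the wss:// scheme, and remember that the records it carries are authored
# by arbitrary users: they are untrusted input to the indexers.
# User profile indexing
JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.actor.profile

# Optional: Filter Jetstream events to specific PDS
# JETSTREAM_PDS_FILTER=pds.coves.social

# Community event indexing (profiles and subscriptions)
# COMMUNITY_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.profile&wantedCollections=social.coves.community.subscription

# Post indexing
# POST_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.post

# Vote indexing
# VOTE_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.feed.vote

# Comment indexing
# COMMENT_JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe?wantedCollections=social.coves.community.comment

# Aggregator indexing (leave unset to disable)
# AGGREGATOR_JETSTREAM_URL=
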
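# =============================================================================
# Cloudflare (for wildcard SSL certificates)
# =============================================================================
# Required for *.coves.social wildcard certificate (presumably DNS-01 ACME
# validation, which needs to write TXT records).
# Create at: Cloudflare Dashboard -> My Profile -> API Tokens -> Create Token
# Template: "Edit zone DNS" with permissions for coves.social zone
# Scope the token to that single zone (never account-wide), add client-IP
# and expiry restrictions if available, and rotate it on any suspected leak:
# a DNS-edit token can redirect the whole domain and obtain certificates for
# any name under it.
CLOUDFLARE_API_TOKEN=CHANGE_ME_CLOUDFLARE_TOKEN
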
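# =============================================================================
# Server Configuration
# =============================================================================
# HTTP server port. The public URLs above are https, so this port is
# presumably meant to sit behind a TLS-terminating reverse proxy; do not
# expose it to the internet directly.
PORT=8080

# Environment
ENV=production
IS_DEV_ENV=false

# Skip did:web domain verification (DEVELOPMENT ONLY!)
# MUST be false in production to prevent domain spoofing: without the check,
# a party could claim a did:web for a domain it does not control.
SKIP_DID_WEB_VERIFICATION=false
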
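# =============================================================================
# Image Proxy Configuration
# =============================================================================
# On-the-fly image resizing with disk caching.
# Enabled by default - gracefully falls back to direct PDS URLs on failure.
# The proxy fetches remote images on request, so the timeout and source-size
# limit below are the main defence against slow or oversized origins; keep
# them tight. NOTE(review): confirm the fetcher only follows URLs on PDS
# hosts and refuses private / link-local addresses - an unrestricted fetcher
# would be an SSRF vector.
IMAGE_PROXY_ENABLED=true
IMAGE_PROXY_BASE_URL=https://coves.social
# Cache directory: make it writable by the service user only and size the
# disk for IMAGE_PROXY_CACHE_MAX_GB plus headroom
IMAGE_PROXY_CACHE_PATH=/var/cache/coves/images
IMAGE_PROXY_CACHE_MAX_GB=10
# Optional: CDN URL for edge caching (recommended for production)
# IMAGE_PROXY_CDN_URL=https://cdn.coves.social
# Per-fetch timeout (seconds) and maximum accepted source image size (MB)
IMAGE_PROXY_FETCH_TIMEOUT_SECONDS=30
IMAGE_PROXY_MAX_SOURCE_SIZE_MB=10
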
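# =============================================================================
# OpenTelemetry Observability (Optional)
# =============================================================================
# Enable with any OTLP-compatible backend (Axiom, Grafana, Jaeger, Honeycomb).
# Before pointing traces at a third party, check what request data (user
# identifiers, URLs) the exporter sends.
OTEL_ENABLED=false
# Keep the endpoint on https; the headers value carries the backend API token
# (Bearer ...) and is a secret like the others in this file.
# OTEL_EXPORTER_OTLP_ENDPOINT=https://api.axiom.co
# OTEL_EXPORTER_OTLP_HEADERS=Authorization=Bearer xapt-xxx,X-Axiom-Dataset=coves
# OTEL_SERVICE_NAME=coves-appview
# Fraction of traces sampled, 0.0 - 1.0 (0.1 = 10%)
# OTEL_TRACES_SAMPLER_ARG=0.1
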
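# =============================================================================
# Optional: Versioning
# =============================================================================
# Presumably the image/build tag to deploy. Pin a specific version in
# production so deploys are reproducible and rollbacks are possible;
# "latest" is a moving target.
VERSION=latest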