.env.production.example at docs/plan-reorganization

malpercio.dev / atbb
fork atom
WIP! A BB-style forum, on the ATmosphere! We're still working... we'll be back soon when we have something to show off!
node typescript hono htmx atproto
fork atom
atbb / .env.production.example
at docs/plan-reorganization 239 lines 10 kB view raw
wrap content
Malpercio chore: remove spike package and references (#29) 4w ago
eb489aca
  1# ============================================================================
  2# atBB Production Environment Configuration
  3# ============================================================================
  4# Copy this file to .env.production and fill in your actual values.
  5# NEVER commit .env.production with real secrets to version control!
  6#
  7# After copying:
  8#   1. Generate SESSION_SECRET: openssl rand -hex 32
  9#   2. Fill in your AT Protocol credentials (FORUM_DID, PDS_URL, etc.)
 10#   3. Set strong passwords for FORUM_PASSWORD and database
 11#   4. Update URLs to match your deployment domain
 12#   5. Restrict file permissions: chmod 600 .env.production
 13#
 14# Security note: This file contains sensitive credentials. Protect it like
 15# you would protect SSH keys or API tokens.
 16# ============================================================================
 17
 18# ============================================================================
 19# Database Configuration
 20# ============================================================================
 21# PostgreSQL connection string
 22# Format: postgresql://username:password@hostname:port/database
 23#
 24# Production example (managed PostgreSQL):
 25#   DATABASE_URL=postgresql://atbb_prod:S3cureP@ssw0rd@db.example.com:5432/atbb_prod
 26#
 27# Docker Compose example (container name as hostname):
 28#   DATABASE_URL=postgresql://atbb:changeme@postgres:5432/atbb
 29#
 30# Notes:
 31#   - Use strong passwords (minimum 16 characters, alphanumeric + symbols)
 32#   - Enable SSL/TLS in production: ?sslmode=require
 33#   - Consider connection pooling for high traffic
 34DATABASE_URL=postgresql://atbb_user:CHANGE_ME_STRONG_PASSWORD@db.example.com:5432/atbb_production
 35
 36# ============================================================================
 37# AT Protocol Configuration
 38# ============================================================================
 39# These settings connect your forum to the AT Protocol network (Bluesky/atproto).
 40
 41# Forum's Decentralized Identifier (DID)
 42# This is your forum's unique identity on the AT Protocol network.
 43# Get this after creating your forum account on a PDS.
 44#
 45# Example: did:plc:abcdef1234567890
 46# Production: Use your actual forum DID from your PDS
 47FORUM_DID=did:plc:CHANGE_ME_YOUR_FORUM_DID
 48
 49# Personal Data Server URL
 50# The PDS where your forum's records are stored.
 51# This can be your own PDS instance or a hosted service.
 52#
 53# Examples:
 54#   - Self-hosted: https://pds.yourdomain.com
 55#   - Bluesky PDS: https://bsky.social
 56PDS_URL=https://pds.example.com
 57
 58# ============================================================================
 59# Application URLs
 60# ============================================================================
 61# These URLs determine how services communicate and handle OAuth.
 62
 63# Public URL where your forum is accessible to users
 64# Used for OAuth redirect URIs and client_id generation.
 65# MUST be HTTPS in production (HTTP only for local development).
 66#
 67# Examples:
 68#   - Production: https://forum.example.com
 69#   - Staging: https://staging.forum.example.com
 70OAUTH_PUBLIC_URL=https://forum.example.com
 71
 72# Internal URL for web service to reach appview API
 73# In single-container deployments: http://localhost:3000
 74# In multi-container deployments: http://appview:3000 (Docker service name)
 75# In Kubernetes: http://appview-service:3000
 76#
 77# Notes:
 78#   - Use container/service names, not external domains
 79#   - HTTP is fine for internal communication (encrypted at network layer)
 80#   - Must be reachable from web service container
 81APPVIEW_URL=http://localhost:3000
 82
 83# ============================================================================
 84# Session Management
 85# ============================================================================
 86# Session security is critical for protecting user accounts.
 87
 88# Secret key for encrypting and signing session cookies
 89# CRITICAL: Generate a strong random value, never use the default!
 90#
 91# Generate with: openssl rand -hex 32
 92#
 93# Security requirements:
 94#   - Minimum 32 bytes (64 hex characters)
 95#   - Use cryptographically secure random generation
 96#   - Unique per environment (dev, staging, production)
 97#   - Never commit to version control
 98#   - Rotate periodically (invalidates all active sessions)
 99#
100# Example output from openssl:
101#   a1b2c3d4e5f6789012345678901234567890abcdef1234567890abcdef123456
102SESSION_SECRET=
103
104# ============================================================================
105# Service Ports (Optional)
106# ============================================================================
107# Override default ports if needed for your deployment environment.
108# Most deployments can use the defaults.
109
110# AppView API server port (default: 3000)
111# This is the internal port the appview service listens on.
112# PORT=3000
113# WEB_PORT=3001
114
115# Note: In the Docker container, nginx listens on port 80 and proxies to both services.
116
117# ============================================================================
118# AT Protocol Features (Optional)
119# ============================================================================
120# Advanced AT Protocol configuration.
121
122# Jetstream firehose URL for real-time updates
123# Receives live events from the AT Protocol network to keep your forum
124# synchronized with user posts and profile changes.
125#
126# Default: wss://jetstream2.us-east.bsky.network/subscribe
127#
128# Notes:
129#   - Uses WebSocket (wss://) for real-time streaming
130#   - Alternative endpoints available for different regions
131#   - Required for live post indexing
132# JETSTREAM_URL=wss://jetstream2.us-east.bsky.network/subscribe
133
134# ============================================================================
135# Session Configuration (Optional)
136# ============================================================================
137# Fine-tune session behavior for your deployment.
138
139# Session cookie TTL (Time To Live) in days
140# How long users stay logged in before requiring re-authentication.
141#
142# Default: 7 days
143# Recommended ranges:
144#   - High security: 1-7 days (default)
145#   - Balanced: 14-30 days
146#   - Convenience: 90 days
147#
148# Notes:
149#   - Shorter TTL = more secure, more logins required
150#   - Longer TTL = less secure, better user experience
151#   - Consider your forum's security requirements
152# SESSION_TTL_DAYS=7
153
154# Redis session storage (optional, for multi-instance deployments)
155# If set, sessions are stored in Redis instead of memory.
156# Required for horizontal scaling (multiple appview instances).
157#
158# Format: redis://[username]:[password]@hostname:port/database
159#
160# Examples:
161#   - Local Redis: redis://localhost:6379
162#   - Docker Compose: redis://redis:6379
163#   - Managed Redis: redis://default:password@redis.example.com:6379/0
164#
165# Notes:
166#   - Leave blank/commented for single-instance deployments (uses in-memory)
167#   - Required for multi-instance deployments (shared session state)
168#   - Supports Redis Cluster and Sentinel configurations
169# REDIS_URL=redis://redis:6379
170
171# ============================================================================
172# Security Checklist
173# ============================================================================
174# Before deploying to production, verify:
175#
176# [ ] Generated SESSION_SECRET with: openssl rand -hex 32
177# [ ] Used strong, unique passwords (minimum 16 characters)
178# [ ] Never committed .env.production to version control
179# [ ] Set file permissions: chmod 600 .env.production
180# [ ] All URLs use HTTPS (except APPVIEW_URL for internal communication)
181# [ ] Database connection uses SSL/TLS (?sslmode=require)
182# [ ] Forum account password is unique (not reused)
183# [ ] SESSION_SECRET is different from dev/staging environments
184# [ ] Documented secret rotation schedule (every 90 days recommended)
185# [ ] Tested OAuth flow with OAUTH_PUBLIC_URL
186# [ ] Verified APPVIEW_URL is reachable from web service
187# [ ] Reviewed firewall rules (only expose necessary ports)
188#
189# ============================================================================
190# Deployment Notes
191# ============================================================================
192#
193# Single Container Deployment (appview + web in same container):
194#   - Use APPVIEW_URL=http://localhost:3000
195#   - No Redis required (in-memory sessions OK)
196#   - Simpler setup, suitable for small forums
197#
198# Multi Container Deployment (separate appview and web containers):
199#   - Use APPVIEW_URL=http://appview:3000 (Docker service name)
200#   - Consider Redis for session storage
201#   - Better scalability, suitable for larger forums
202#
203# Kubernetes Deployment:
204#   - Use APPVIEW_URL=http://appview-service:3000
205#   - Redis highly recommended for multi-replica deployments
206#   - Use Secrets for sensitive values (not ConfigMaps)
207#
208# Environment Variable Loading:
209#   - Docker: Use --env-file flag or docker-compose env_file
210#   - Kubernetes: Mount as Secret or use external-secrets
211#   - Systemd: Use EnvironmentFile=/path/to/.env.production
212#   - Node.js: Use --env-file flag (Node 20.6+)
213#
214# ============================================================================
215# Troubleshooting
216# ============================================================================
217#
218# "Database connection failed":
219#   - Verify DATABASE_URL is correct and accessible
220#   - Check network connectivity to database host
221#   - Ensure database exists and user has permissions
222#   - Enable SSL if required by your database provider
223#
224# "OAuth redirect URI mismatch":
225#   - Verify OAUTH_PUBLIC_URL matches your actual domain
226#   - Must use HTTPS in production (not HTTP)
227#   - Check for trailing slashes (should not have one)
228#
229# "Session errors / users logged out randomly":
230#   - Verify SESSION_SECRET is set (not blank)
231#   - For multi-instance: must use Redis (set REDIS_URL)
232#   - Check SESSION_TTL_DAYS is reasonable (default 7)
233#
234# "Cannot reach appview API":
235#   - Verify APPVIEW_URL uses correct hostname
236#   - In Docker: use service name, not localhost
237#   - Check container/service networking configuration
238#
239# ============================================================================