# Production env for ambrosio — copy to .env on the server and fill in secrets. # Generate JWT triplet: bash infra/scripts/rotate-jwt.sh # ── Domains (change if you migrate to new hostnames) ──────────────────────── PUBLIC_APP_URL=https://erosi.oier.ovh PUBLIC_SUPABASE_URL=https://erosi.oier.ovh PUBLIC_KEYCLOAK_URL=https://auth.oier.ovh PUBLIC_KEYCLOAK_REALM=colectivo PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web # Keycloak sees this as its canonical hostname (KC_HOSTNAME). KEYCLOAK_HOSTNAME=auth.oier.ovh # ── Postgres (single password for all internal roles) ─────────────────────── POSTGRES_PASSWORD=CHANGEME-strong-random-password # ── Supabase JWT triplet (regenerate every 90 days) ───────────────────────── # Produce all three with: bash infra/scripts/rotate-jwt.sh SUPABASE_JWT_SECRET=CHANGEME-openssl-rand-base64-48 PUBLIC_SUPABASE_ANON_KEY=CHANGEME-sign-with-above SUPABASE_SERVICE_ROLE_KEY=CHANGEME-sign-with-above # ── Keycloak admin + client secret ────────────────────────────────────────── KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD=CHANGEME-strong-random-password # Must match the `secret` field of the colectivo-web client in realm-export.erosi.json. KEYCLOAK_CLIENT_SECRET=CHANGEME-client-secret-32-chars # ── Realtime encryption ───────────────────────────────────────────────────── # DB_ENC_KEY: exactly 16 characters. SECRET_KEY_BASE: ≥ 64 characters. REALTIME_ENC_KEY=CHANGEME16charkey REALTIME_SECRET_KEY_BASE=CHANGEME-openssl-rand-base64-64-at-minimum-so-phoenix-is-happy