# Production environment template for Colectivo. # Copy to /srv/colectivo/.env on the production host and fill in the secrets. # NEVER commit the filled version. # ── Database ────────────────────────────────────────────────────────────── POSTGRES_PASSWORD= # ── Supabase signing key ────────────────────────────────────────────────── # Regenerate every 90 days (or immediately on a suspected leak). # Use infra/scripts/rotate-jwt.sh to produce the matching anon + service-role # JWTs; it signs both with the secret below, so they must stay in sync. SUPABASE_JWT_SECRET= # JWTs signed with the secret above. Produced by infra/scripts/rotate-jwt.sh. # Don't hand-edit these — run the script, copy its output. PUBLIC_SUPABASE_ANON_KEY= SUPABASE_SERVICE_ROLE_KEY= # ── Public URLs (production domain + subdomain) ─────────────────────────── PUBLIC_SUPABASE_URL=https://api.example.com PUBLIC_KEYCLOAK_URL=https://auth.example.com PUBLIC_KEYCLOAK_REALM=colectivo PUBLIC_KEYCLOAK_CLIENT_ID=colectivo-web PUBLIC_APP_URL=https://app.example.com # ── Keycloak ────────────────────────────────────────────────────────────── KEYCLOAK_ADMIN=admin KEYCLOAK_ADMIN_PASSWORD= # Client secret for the confidential OAuth client; must match the Keycloak # realm export. KEYCLOAK_CLIENT_SECRET= # ── Email (Resend) ──────────────────────────────────────────────────────── RESEND_API_KEY=re_... RESEND_FROM_EMAIL=noreply@example.com # ── Backup storage (Backblaze B2) ───────────────────────────────────────── B2_BUCKET_NAME=colectivo-prod-backups B2_APPLICATION_KEY_ID= B2_APPLICATION_KEY= # ── Supabase Studio ─────────────────────────────────────────────────────── # Basic-auth on the admin UI. Narrow to internal IPs via nginx when possible. DASHBOARD_USERNAME= DASHBOARD_PASSWORD= # ── Deploy target ───────────────────────────────────────────────────────── DEPLOY_HOST=deploy@prod.example.com DEPLOY_PATH=/srv/colectivo