Containr/.env.production.example

# Production Environment Configuration
# Copy this file to .env.prod and update with your production values

# ============================================
# CRITICAL: Change all secrets before deploying
# ============================================

# Environment
ENVIRONMENT=production

# Domain Configuration
DOMAIN=yourdomain.com
ACME_EMAIL=admin@yourdomain.com

# Database Configuration (CHANGE PASSWORDS!)
POSTGRES_DB=containr
POSTGRES_USER=containr_user
POSTGRES_PASSWORD=CHANGE_ME_STRONG_PASSWORD_HERE
DATABASE_URL=postgres://containr_user:CHANGE_ME_STRONG_PASSWORD_HERE@postgres:5432/containr?sslmode=require
MAX_CONNECTIONS=50
MAX_IDLE_CONNECTIONS=10
CONN_MAX_LIFETIME=10m
CONN_MAX_IDLE_TIME=5m
AUTO_MIGRATE=true
MIGRATION_LOCK_TIMEOUT=5m
SEED_DATA_ON_START=false

# Redis Configuration (CHANGE PASSWORD!)
REDIS_PASSWORD=CHANGE_ME_STRONG_REDIS_PASSWORD
REDIS_URL=redis://:CHANGE_ME_STRONG_REDIS_PASSWORD@redis:6379/0

# Security Configuration (GENERATE STRONG SECRETS!)
# Generate with: openssl rand -base64 32
JWT_SECRET=CHANGE_ME_MINIMUM_32_CHARACTERS_STRONG_SECRET_HERE
BETTER_AUTH_SECRET=CHANGE_ME_MINIMUM_32_CHARACTERS_STRONG_SECRET_HERE
BETTER_AUTH_INTERNAL_TOKEN=CHANGE_ME_STRONG_INTERNAL_TOKEN_HERE
CONTAINR_AGENT_AUTH_TOKEN=CHANGE_ME_STRONG_AGENT_SECRET_HERE

# Cookie Configuration (MUST BE TRUE IN PRODUCTION!)
COOKIE_SECURE=true
COOKIE_DOMAIN=yourdomain.com
COOKIE_PATH=/
COOKIE_SAME_SITE=strict

# CORS Configuration (SET YOUR ACTUAL DOMAINS!)
CORS_ORIGINS=https://yourdomain.com,https://api.yourdomain.com
CORS_CREDENTIALS=true

# Application URLs
VITE_API_URL=https://api.yourdomain.com
VITE_AUTH_URL=https://api.yourdomain.com/api/auth
BETTER_AUTH_URL=https://api.yourdomain.com
BETTER_AUTH_PROXY_URL=http://127.0.0.1:3001
BETTER_AUTH_INTERNAL_URL=http://127.0.0.1:3001/internal/session
BETTER_AUTH_TRUSTED_ORIGINS=https://yourdomain.com,https://api.yourdomain.com
BETTER_AUTH_AUTO_MIGRATE=true

# Server Configuration
PORT=8080
HOST=0.0.0.0
AUTH_PORT=3001
MAX_REQUEST_BODY_BYTES=10485760
READ_TIMEOUT=30s
WRITE_TIMEOUT=30s
IDLE_TIMEOUT=60s
SHUTDOWN_TIMEOUT=30s

# Security
BCRYPT_COST=12
TRUSTED_PROXY_CIDR=172.20.0.0/16

# Rate Limiting
FREE_RPM=60
PRO_RPM=600
BUSINESS_RPM=3000
FREE_MONTHLY_QUOTA=10000
PRO_MONTHLY_QUOTA=100000
BUSINESS_MONTHLY_QUOTA=500000

# Logging
LOG_LEVEL=info
LOG_FORMAT=json
LOG_OUTPUT=stdout
DEBUG=false

# Traefik Configuration
TRAEFIK_API_INSECURE=false
# Generate with: htpasswd -nb admin yourpassword
TRAEFIK_AUTH=admin:$$apr1$$CHANGE_ME_HASH_HERE

# Database Connection (for Better Auth)
DB_HOST=postgres
DB_PORT=5432
DB_NAME=containr
DB_USER=containr_user
DB_PASSWORD=CHANGE_ME_STRONG_PASSWORD_HERE

# Optional: OAuth Providers (if using)
# GITHUB_CLIENT_ID=your_github_client_id
# GITHUB_CLIENT_SECRET=your_github_client_secret
# GITLAB_CLIENT_ID=your_gitlab_client_id
# GITLAB_CLIENT_SECRET=your_gitlab_client_secret

# Optional: Monitoring & Analytics
# SENTRY_DSN=your_sentry_dsn
# UMAMI_BASE_URL=your_umami_url
# UMAMI_API_KEY=your_umami_key
# UMAMI_WEBSITE_ID=your_website_id

# Optional: Cloudflare Tunnel
# CLOUDFLARED_TOKEN=your_cloudflare_tunnel_token

# Optional: Docker Registry
# DOCKER_REGISTRY_URL=registry.yourdomain.com
# DOCKER_REGISTRY_USERNAME=your_username
# DOCKER_REGISTRY_PASSWORD=your_password

# Optional: External Services
# SLACK_WEBHOOK_URL=your_slack_webhook
# SMTP_HOST=smtp.yourdomain.com
# SMTP_PORT=587
# SMTP_USER=noreply@yourdomain.com
# SMTP_PASSWORD=your_smtp_password
# SMTP_FROM=noreply@yourdomain.com

# ============================================
# PRODUCTION DEPLOYMENT CHECKLIST
# ============================================
# [ ] Changed all passwords and secrets
# [ ] Set COOKIE_SECURE=true
# [ ] Set ENVIRONMENT=production
# [ ] Configured proper CORS_ORIGINS
# [ ] Set up SSL certificates
# [ ] Configured domain DNS
# [ ] Set up database backups
# [ ] Configured monitoring
# [ ] Set up log aggregation
# [ ] Tested in staging first
# [ ] Have rollback plan ready