# Copy to .env.production before running production compose

# Public gateway URL
PUBLIC_DOMAIN=app.example.com
PUBLIC_URL=https://app.example.com
TLS_EMAIL=ops@example.com

# Security (required)
BETTER_AUTH_SECRET=replace-with-a-long-random-secret
MAIL_ENCRYPTION_KEY=replace-with-a-different-long-random-secret
CORS_ALLOW_ORIGINS=https://app.example.com

# Better Auth magic-link delivery (required for staging/production)
AUTH_MAGIC_LINK_PROVIDER=smtp
AUTH_MAIL_FROM=no-reply@example.com
AUTH_SMTP_HOST=smtp.example.com
AUTH_SMTP_PORT=587
AUTH_SMTP_SECURE=false
AUTH_SMTP_USER=smtp-user
AUTH_SMTP_PASSWORD=replace-with-smtp-password
AUTH_DEV_MAILBOX_ENABLED=false
# Optional: protect /v1/metrics and /v1/metrics/prometheus
# METRICS_AUTH_TOKEN=replace-with-metrics-token

# Optional backup-job alerts
# OPS_ALERT_WEBHOOK_URL=https://hooks.example.com/productier-backup
# OPS_ALERT_WEBHOOK_BEARER_TOKEN=replace-with-webhook-token
# OPS_NOTIFY_ON_SUCCESS=false
# OPS_ALERT_TIMEOUT_SECONDS=10

# Optional restore-drill webhook override (defaults to OPS_ALERT_* if unset)
# DRILL_WEBHOOK_URL=https://hooks.example.com/productier-drill
# DRILL_WEBHOOK_BEARER_TOKEN=replace-with-drill-webhook-token
# DRILL_NOTIFY_ON_SUCCESS=true
# DRILL_WEBHOOK_TIMEOUT_SECONDS=10
# OPS_SMOKE_TIMEOUT_SECONDS=15
# OPS_SMOKE_INSECURE_TLS=false
# VERIFY_HTTP_REDIRECT=true
# DEPLOY_PULL=true
# DEPLOY_BUILD=true
# DEPLOY_RUN_SMOKE=true
# DEPLOY_REMOVE_ORPHANS=true
# DEPLOY_HEALTH_TIMEOUT_SECONDS=240
# DEPLOY_HEALTH_POLL_SECONDS=2
# DEPLOY_PRINT_LOGS_ON_FAILURE=true
# DEPLOY_LOG_TAIL_LINES=200

# Postgres
POSTGRES_PASSWORD=replace-with-strong-password

# S3-compatible storage (RustFS by default in compose)
S3_REGION=us-east-1
S3_BUCKET=productier
S3_ACCESS_KEY=replace-with-access-key
S3_SECRET_KEY=replace-with-secret-key