# Production environment template.
#
# SQLite installs (default for most users):
#   You can skip this file only if you are not configuring AI provider
#   credentials. SQLite mode does not use Postgres at all. Just run:
#     docker compose -f compose.prod.yml -f compose.sqlite.yml up -d
#   Copy this file when you want to customize HOST_PORT, DOMAIN (TLS), the image
#   to pull, or when you need AI credentials.
#
# Postgres installs:
#   Copy this file to .env and set POSTGRES_PASSWORD to a real value:
#     cp .env.production.example .env
#   Generate a password with:
#     openssl rand -hex 24

# ─── Image ───────────────────────────────────────────────────────────────────
# Image-pull installs use this as the image to pull.
# Source-build installs with compose.build.yml use this as the local tag to
# build. Change it to instatic:local if you do not want a GHCR-shaped local tag.
INSTATIC_IMAGE=ghcr.io/corebunch/instatic:latest

# ─── AI credential encryption ───────────────────────────────────────────────
# REQUIRED before adding Anthropic/OpenAI/OpenRouter credentials in production.
# Generate with:
#   bun run scripts/generate-secret-key.ts
INSTATIC_SECRET_KEY=replace-with-output-of-generate-secret-key

# ─── Networking ──────────────────────────────────────────────────────────────
# HOST_PORT is the port the app is exposed on directly (no TLS).
# When you layer compose.tls.yml on top, Caddy listens on 80/443 instead and
# proxies to app:3001 internally; HOST_PORT is then unused.
HOST_PORT=3001
# Comma-separated CIDRs for reverse proxies whose X-Forwarded-For header may
# be trusted. Leave empty when exposing the app directly. compose.tls.yml sets
# a Docker bridge default automatically; override this only for custom proxy
# networks or a non-Docker reverse proxy.
TRUSTED_PROXY_CIDRS=

# ─── Database — Postgres mode only ───────────────────────────────────────────
# These three are consumed by the postgres service and embedded in DATABASE_URL.
# REQUIRED for Postgres deployments — set POSTGRES_PASSWORD to a real secret.
# UNUSED for SQLite deployments (compose.sqlite.yml disables the postgres
# service entirely); leave defaults or skip the file.
POSTGRES_DB=instatic
POSTGRES_USER=instatic
POSTGRES_PASSWORD=replace-with-a-long-random-hex-password

# ─── TLS — required when layering compose.tls.yml on top ─────────────────────
# DOMAIN: the public hostname Caddy will provision a Let's Encrypt cert for.
#   DNS A/AAAA records must already point at this server.
# LETSENCRYPT_EMAIL: optional but recommended — Let's Encrypt sends expiry
#   notifications and policy updates to this address.
DOMAIN=cms.example.com
LETSENCRYPT_EMAIL=
# PUBLIC_ORIGIN: comma-separated public origin(s) the CSRF check trusts. Caddy
# terminates TLS and hands the container plain HTTP, so the app cannot infer
# its public origin from the request URL — set this to https://<your DOMAIN>.
# compose.tls.yml defaults it to https://${DOMAIN}; set it here only to add a
# second origin (e.g. a custom domain) or to override the default.
PUBLIC_ORIGIN=
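
A preflight check for a `.env` copied from this template, written as an added example; it is not part of the Instatic repository. It flags the two template placeholders left unchanged and a catch-all entry in TRUSTED_PROXY_CIDRS. The `check_env` and `env_get` names, the `MODE` argument, and the 48-character minimum (the output length of `openssl rand -hex 24`) are this example's own assumptions.

```shell
# Added example: preflight lint for a .env copied from .env.production.example.
# Values are read with sed, never sourced, so the file is not executed.

# env_get FILE KEY -> last value assigned to KEY (empty if unset)
env_get() {
  sed -n "s/^$2=//p" "$1" | tail -n 1
}

# check_env FILE [MODE]  (MODE "postgres" or "sqlite" is this example's own
# argument, not an Instatic setting). Prints findings, returns their count.
check_env() {
  local file="$1" mode="${2:-postgres}" n=0 v cidr
  v=$(env_get "$file" INSTATIC_SECRET_KEY)
  case $v in
    ''|replace-with-*)
      echo "INSTATIC_SECRET_KEY: unset or template placeholder"; n=$((n+1)) ;;
  esac
  if [ "$mode" = postgres ]; then
    v=$(env_get "$file" POSTGRES_PASSWORD)
    case $v in
      ''|replace-with-*)
        echo "POSTGRES_PASSWORD: unset or template placeholder"; n=$((n+1)) ;;
      *)
        # openssl rand -hex 24 prints 48 hex characters
        if [ "${#v}" -lt 48 ]; then
          echo "POSTGRES_PASSWORD: shorter than 48 characters"; n=$((n+1))
        fi ;;
    esac
  fi
  # A catch-all CIDR makes X-Forwarded-For trusted from any peer, so any
  # client could choose the address the app sees.
  v=$(env_get "$file" TRUSTED_PROXY_CIDRS)
  for cidr in $(printf '%s' "$v" | tr ',' ' '); do
    case $cidr in
      0.0.0.0/0|::/0)
        echo "TRUSTED_PROXY_CIDRS: $cidr trusts every peer"; n=$((n+1)) ;;
    esac
  done
  return "$n"
}

# Constructed sample: the template's placeholders plus a catch-all CIDR.
sample=$(mktemp)
cat > "$sample" <<'EOF'
INSTATIC_SECRET_KEY=replace-with-output-of-generate-secret-key
TRUSTED_PROXY_CIDRS=172.16.0.0/12,0.0.0.0/0
POSTGRES_PASSWORD=replace-with-a-long-random-hex-password
EOF
check_env "$sample" postgres || echo "findings: $?"
```

Run it before `docker compose ... up -d` and treat a non-zero return as a failed deploy gate; pass `sqlite` as the second argument to skip the Postgres password check.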