Trey t 9ea058347f
Fix Apple Sign In: update bundle IDs from old com.tt.honeyDue.* to com.myhoneydue.*
The iOS app was renamed (MyCrib → Casera → honeyDue) and the bundle ID
was updated to com.myhoneydue.honeyDue (release) / .dev (debug), but
APPLE_CLIENT_ID and APNS_TOPIC across env templates and k3s configs
still pointed at the old com.tt.honeyDue.honeyDueDev value. This made
verifyAudience reject every Apple identity token (aud claim mismatch).

Updated:
- deploy/prod.env.example: bundle ID + comment that empty client_id
  rejects all tokens with DEBUG=false
- .env.example: add Sign in with Apple block (was missing entirely)
- deploy-k3s{,-dev}/config.yaml.example: apple_auth.client_id default
- deploy-k3s-dev/scripts/00-init.sh: same
- docker-compose.dev.yml: APNS_TOPIC fallback
- docs/deployment/10-secrets-config.md: doc reference

The live deploy/prod.env and local .env are .gitignored — they were
edited in place and need to ship via deploy_prod.sh to take effect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 23:58:44 -05:00


# API service settings
DEBUG=false
ALLOWED_HOSTS=api.honeyDue.treytartt.com,honeyDue.treytartt.com
CORS_ALLOWED_ORIGINS=https://honeyDue.treytartt.com,https://admin.honeyDue.treytartt.com
TIMEZONE=UTC
BASE_URL=https://honeyDue.treytartt.com
PORT=8000
# Admin service settings
NEXT_PUBLIC_API_URL=https://api.honeyDue.treytartt.com
ADMIN_PANEL_URL=https://admin.honeyDue.treytartt.com
# Database (Neon recommended)
DB_HOST=CHANGEME_NEON_HOST
DB_PORT=5432
POSTGRES_USER=CHANGEME_DB_USER
POSTGRES_DB=honeydue
DB_SSLMODE=require
DB_MAX_OPEN_CONNS=25
DB_MAX_IDLE_CONNS=10
DB_MAX_LIFETIME=600s
# Redis (in stack defaults to redis://redis:6379/0)
REDIS_URL=redis://redis:6379/0
REDIS_DB=0
# Email (password goes in deploy/secrets/email_host_password.txt)
EMAIL_HOST=smtp.gmail.com
EMAIL_PORT=587
EMAIL_USE_TLS=true
EMAIL_HOST_USER=CHANGEME_EMAIL_USER
DEFAULT_FROM_EMAIL=honeyDue <noreply@honeyDue.treytartt.com>
# Push notifications
# APNS private key goes in deploy/secrets/apns_auth_key.p8
APNS_AUTH_KEY_ID=CHANGEME_APNS_KEY_ID
APNS_TEAM_ID=CHANGEME_APNS_TEAM_ID
APNS_TOPIC=com.myhoneydue.honeyDue
APNS_USE_SANDBOX=false
APNS_PRODUCTION=true
# Worker schedules (UTC)
TASK_REMINDER_HOUR=14
OVERDUE_REMINDER_HOUR=15
DAILY_DIGEST_HOUR=3
# Storage
STORAGE_UPLOAD_DIR=/app/uploads
STORAGE_BASE_URL=/uploads
STORAGE_MAX_FILE_SIZE=10485760
STORAGE_ALLOWED_TYPES=image/jpeg,image/png,image/gif,image/webp,application/pdf
# Storage backend (S3-compatible: Backblaze B2 or MinIO)
#
# Leave all B2_* vars empty to use the local filesystem at STORAGE_UPLOAD_DIR.
# - Safe for single-node setups (dev / single-VPS prod).
# - NOT SAFE for multi-replica prod: named volumes are per-node in Swarm,
# so uploads written on one node are invisible to the other replicas.
#
# Set ALL FOUR of B2_ENDPOINT, B2_KEY_ID, B2_APP_KEY, B2_BUCKET_NAME to
# switch to S3-compatible storage. The deploy script enforces all-or-none.
#
# Example for Backblaze B2 (us-west-004):
# B2_ENDPOINT=s3.us-west-004.backblazeb2.com
# B2_USE_SSL=true
# B2_REGION=us-west-004
B2_ENDPOINT=
B2_KEY_ID=
B2_APP_KEY=
B2_BUCKET_NAME=
B2_USE_SSL=true
B2_REGION=us-east-1
# Feature flags
FEATURE_PUSH_ENABLED=true
FEATURE_EMAIL_ENABLED=true
FEATURE_WEBHOOKS_ENABLED=true
FEATURE_ONBOARDING_EMAILS_ENABLED=true
FEATURE_PDF_REPORTS_ENABLED=true
FEATURE_WORKER_ENABLED=true
# Optional auth/iap values
# APPLE_CLIENT_ID must equal the iOS Release bundle ID. The Apple
# identity-token `aud` claim is verified against this value
# (internal/services/apple_auth.go::verifyAudience). Leaving it empty
# with DEBUG=false rejects every Apple token as invalid audience.
APPLE_CLIENT_ID=com.myhoneydue.honeyDue
APPLE_TEAM_ID=
GOOGLE_CLIENT_ID=
GOOGLE_ANDROID_CLIENT_ID=
GOOGLE_IOS_CLIENT_ID=
APPLE_IAP_KEY_ID=
APPLE_IAP_ISSUER_ID=
APPLE_IAP_BUNDLE_ID=
APPLE_IAP_KEY_PATH=
APPLE_IAP_SANDBOX=false
GOOGLE_IAP_PACKAGE_NAME=
GOOGLE_IAP_SERVICE_ACCOUNT_PATH=
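The commit message and the `APPLE_CLIENT_ID` comment above describe the failure mode this change fixes: the `aud` claim of every Apple identity token is compared against the configured client ID, so a stale bundle ID (or an empty value with `DEBUG=false`) rejects all sign-ins. The block below is an added, stand-alone Go illustration of that audience check, not the project's `internal/services/apple_auth.go`. The names `checkAudience`, `audiences`, `payloadOf`, `unsignedToken` and the `Err*` sentinels are hypothetical; the tokens it builds are constructed and unsigned (`alg` `none`) so the logic runs offline. It deliberately does not verify the JWS signature: in production the token must first be validated against Apple's published JWKS, otherwise a client could forge any `aud` it likes.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical sentinel errors so a caller can tell a deployment mistake
// (empty client ID, i.e. the bug fixed by this commit) from a foreign token.
var (
	ErrNoClientID       = errors.New("APPLE_CLIENT_ID is empty; every identity token would be rejected")
	ErrAudienceMismatch = errors.New("identity token aud does not match APPLE_CLIENT_ID")
	ErrWrongIssuer      = errors.New("identity token iss is not Apple")
)

const appleIssuer = "https://appleid.apple.com"

// idTokenPayload holds the claims checked here. Apple normally issues `aud`
// as a single string, but RFC 7519 permits a JSON array, so keep it raw.
type idTokenPayload struct {
	Iss string          `json:"iss"`
	Aud json.RawMessage `json:"aud"`
	Sub string          `json:"sub"`
}

// audiences returns every audience in the claim, whatever its JSON shape.
func audiences(raw json.RawMessage) ([]string, error) {
	if len(raw) == 0 {
		return nil, errors.New("aud claim missing")
	}
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, fmt.Errorf("aud claim is neither string nor array: %w", err)
	}
	return many, nil
}

// payloadOf splits a compact JWS and base64url-decodes the claims segment.
// It does NOT check the signature; verify against Apple's JWKS before this.
func payloadOf(token string) (*idTokenPayload, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token is not a compact JWS (expected 3 segments)")
	}
	b, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var p idTokenPayload
	if err := json.Unmarshal(b, &p); err != nil {
		return nil, fmt.Errorf("parse payload: %w", err)
	}
	return &p, nil
}

// checkAudience rejects the token unless one of its audiences equals the
// configured client ID exactly (bundle IDs are case-sensitive, no folding).
func checkAudience(token, clientID string) error {
	if strings.TrimSpace(clientID) == "" {
		return ErrNoClientID // empty config must fail loudly, not look like a bad token
	}
	p, err := payloadOf(token)
	if err != nil {
		return err
	}
	if p.Iss != appleIssuer {
		return fmt.Errorf("%w: iss=%q", ErrWrongIssuer, p.Iss)
	}
	auds, err := audiences(p.Aud)
	if err != nil {
		return err
	}
	for _, a := range auds {
		if a == clientID {
			return nil
		}
	}
	return fmt.Errorf("%w: token aud=%q, configured=%q", ErrAudienceMismatch, auds, clientID)
}

// unsignedToken builds a constructed, unsigned demo token (alg "none", empty
// signature). aud may be a string or a []string.
func unsignedToken(aud any) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	claims, _ := json.Marshal(map[string]any{
		"iss": appleIssuer,
		"aud": aud,
		"sub": "000123.constructed-user",
	})
	return header + "." + base64.RawURLEncoding.EncodeToString(claims) + "."
}

func main() {
	tok := unsignedToken("com.myhoneydue.honeyDue") // what the renamed app now sends
	for _, cfg := range []string{"com.myhoneydue.honeyDue", "com.tt.honeyDue.honeyDueDev", ""} {
		fmt.Printf("APPLE_CLIENT_ID=%q -> %v\n", cfg, checkAudience(tok, cfg))
	}
}
```

Running `main` reproduces the three states from the commit message: the new bundle ID passes, the old `com.tt.honeyDue.honeyDueDev` value fails with an audience mismatch, and an empty value fails before the token is even parsed. Keeping the empty-config case as its own sentinel is what lets a deploy preflight or health check distinguish "misconfigured server" from "attacker sent a token for another app".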