-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path.env.example
More file actions
338 lines (296 loc) · 14.1 KB
/
.env.example
File metadata and controls
338 lines (296 loc) · 14.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
# =============================================================================
# Lion Reader Environment Variables
# =============================================================================
# Copy this file to .env and fill in the values for local development.
# For production (Fly.io), set these as secrets using: fly secrets set KEY=value
# =============================================================================
# Database (Required)
# =============================================================================
# PostgreSQL connection string
# Local development: postgresql://lionreader:lionreader@localhost:5432/lionreader
# Fly.io: Set automatically when attaching a Postgres database, or use:
# fly secrets set DATABASE_URL="postgres://..."
#
# Note: Integration tests use a separate database (lionreader_test) configured
# in .env.test to avoid wiping dev data. The test database is created
# automatically by docker-compose. Run `pnpm db:migrate:test` to apply migrations.
DATABASE_URL=postgresql://lionreader:lionreader@localhost:5432/lionreader
# =============================================================================
# Redis (Required)
# =============================================================================
# Redis connection string for caching and pub/sub
# Local development: redis://localhost:6379
# Fly.io (Upstash): fly secrets set REDIS_URL="redis://..."
REDIS_URL=redis://localhost:6379
# =============================================================================
# Application (Required for Production)
# =============================================================================
# Environment: development | production | test
NODE_ENV=development
# Port for the application server (default: 3000)
# Usually set automatically by the hosting platform
PORT=3000
# Base URL for the application (used for generating absolute URLs)
# Required for OAuth callbacks and WebSub
# Example: https://lionreader.com or https://yourdomain.com
# NEXT_PUBLIC_APP_URL=http://localhost:3000
# =============================================================================
# Signup & Admin (Optional)
# =============================================================================
# By default, Lion Reader runs in invite-only mode.
# Set to "true" to allow anyone to register without an invite.
ALLOW_ALL_SIGNUPS=false
# Secret for admin API endpoints (invite management).
# Required when running in invite-only mode (ALLOW_ALL_SIGNUPS=false).
# Generate a secure random string: openssl rand -base64 32
# ALLOWLIST_SECRET=your-secure-secret-here
# =============================================================================
# Email Newsletters (Optional)
# =============================================================================
# Lion Reader can receive email newsletters via custom ingest addresses.
# Each user gets unique addresses like: {token}@ingest.yourdomain.com
#
# Setup with Mailgun:
# 1. Add your domain to Mailgun and verify DNS records
# 2. Create a Route in Mailgun (Receiving -> Create Route):
# - Expression Type: Match Recipient
# - Recipient: .*@ingest.yourdomain.com (catch-all for your ingest domain)
# - Actions: Forward to https://your-app.com/api/webhooks/email/mailgun
# - Enable "Store and notify"
# 3. Copy the Webhook signing key from Sending -> Webhooks
# Domain for ingest email addresses
# This domain must have MX records pointing to Mailgun
# Default: ingest.lionreader.com
# INGEST_EMAIL_DOMAIN=ingest.yourdomain.com
# Mailgun webhook signing key for HMAC signature verification
# Find this in: Mailgun Dashboard -> Sending -> Webhooks -> Webhook signing key
# Required to enable email newsletter feature
# MAILGUN_WEBHOOK_SIGNING_KEY=your-mailgun-signing-key
# =============================================================================
# Security (Required for User API Keys)
# =============================================================================
# Encryption key for user API keys stored in the database (AES-256-GCM).
# Required to enable per-user Groq/Anthropic API key configuration.
# If not set, users cannot configure their own API keys (global keys still work).
# Generate with: openssl rand -base64 32
# API_KEY_ENCRYPTION_KEY=
# =============================================================================
# AI Features (Optional)
# =============================================================================
# --- Narration (Text Processing) ---
# Groq API key for AI-powered narration text processing
# Get from: https://console.groq.com/keys
# If not set, narration falls back to simple HTML-to-text conversion
# GROQ_API_KEY=gsk_...
# --- Article Summarization ---
# Anthropic API key for AI-powered article summaries
# Get from: https://console.anthropic.com/settings/keys
# If not set, summarization feature will be disabled
# ANTHROPIC_API_KEY=sk-ant-...
# Model to use for summarization (default: claude-sonnet-4-6)
# SUMMARIZATION_MODEL=claude-sonnet-4-6
# Maximum words for generated summaries
# SUMMARIZATION_MAX_WORDS=150
# =============================================================================
# Google Integration (Optional)
# =============================================================================
# Google Service Account - Required for fetching public Google Docs via API
# This provides cleaner content extraction compared to HTML scraping.
# The Google Docs API requires OAuth2 tokens (not API keys), so we use a
# service account to get tokens for server-side access.
#
# Setup:
# 1. Go to: https://console.cloud.google.com/iam-admin/serviceaccounts
# 2. Create or select a project
# 3. Create a service account (no special roles needed for public docs)
# 4. Create a JSON key for the service account (Keys tab -> Add Key -> JSON)
# 5. Enable "Google Docs API" at: https://console.cloud.google.com/apis/library/docs.googleapis.com
# 6. Base64 encode the JSON key file:
# cat service-account-key.json | base64 -w 0
# 7. Set the base64 string as the environment variable below
#
# If not set, Google Docs URLs will fall back to HTML scraping.
# GOOGLE_SERVICE_ACCOUNT_JSON=eyJ0eXBlIjoic2VydmljZV9hY2NvdW50Ii...
# Google OAuth - Enable "Sign in with Google" and private Google Docs access
#
# Setup:
# 1. Go to: https://console.cloud.google.com/apis/credentials
# 2. Create OAuth 2.0 Client ID (Web application type)
# 3. Add authorized redirect URI: {NEXT_PUBLIC_APP_URL}/auth/oauth/callback
# - Local dev: http://localhost:3000/auth/oauth/callback
# - Production: https://yourdomain.com/auth/oauth/callback
# 4. Copy the Client ID and Client Secret below
#
# GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
# GOOGLE_CLIENT_SECRET=your-client-secret
# =============================================================================
# Object Storage (Optional - for Google Docs images)
# =============================================================================
# S3-compatible storage for uploading images from Google Docs.
# If not configured, images will use their original Google URLs (which may expire).
#
# For Fly.io Tigris:
# 1. Create a bucket: fly storage create
# 2. Set the credentials from the output below
# 3. Endpoint: https://fly.storage.tigris.dev
#
# For AWS S3:
# 1. Create an S3 bucket with public read access
# 2. Create IAM credentials with S3 write access
# 3. Leave endpoint empty for AWS
# S3 bucket name
# STORAGE_BUCKET=your-bucket-name
# AWS/Tigris access key ID
# STORAGE_ACCESS_KEY_ID=your-access-key
# AWS/Tigris secret access key
# STORAGE_SECRET_ACCESS_KEY=your-secret-key
# S3-compatible endpoint (required for Tigris, optional for AWS)
# For Tigris: https://fly.storage.tigris.dev
# STORAGE_ENDPOINT=https://fly.storage.tigris.dev
# AWS region (default: auto for Tigris)
# STORAGE_REGION=auto
# Public URL base for accessing stored objects (optional)
# If not set, uses default bucket URL pattern
# For Tigris: https://{bucket}.fly.storage.tigris.dev
# STORAGE_PUBLIC_URL_BASE=https://your-bucket.fly.storage.tigris.dev
# =============================================================================
# GitHub Integration (Optional)
# =============================================================================
# GitHub API token for fetching gists and repository files.
# Improves rate limits from 60 requests/hour to 5,000/hour.
#
# Create a fine-grained token at: https://github.com/settings/tokens?type=beta
# No permissions/scopes are needed for public repos and gists.
#
# If not set, the GitHub plugin will still work but with lower rate limits.
# GITHUB_API_TOKEN=github_pat_...
# Apple OAuth - Enable "Sign in with Apple"
# Create a Service ID at: https://developer.apple.com/account/resources/identifiers
# APPLE_CLIENT_ID=com.yourdomain.lionreader
# APPLE_TEAM_ID=your-team-id
# APPLE_KEY_ID=your-key-id
# APPLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
# Discord OAuth - Enable "Sign in with Discord"
#
# Setup:
# 1. Go to: https://discord.com/developers/applications
# 2. Create a new application (or select existing)
# 3. Go to OAuth2 in the sidebar
# 4. Add redirect URI: {NEXT_PUBLIC_APP_URL}/api/v1/auth/oauth/discord/callback
# - Local dev: http://localhost:3000/api/v1/auth/oauth/discord/callback
# - Production: https://yourdomain.com/api/v1/auth/oauth/discord/callback
# 5. Copy the Client ID and Client Secret below
#
# DISCORD_CLIENT_ID=your-discord-client-id
# DISCORD_CLIENT_SECRET=your-discord-client-secret
# Discord Bot - Save articles by reacting with an emoji
#
# Uses the same Discord application as OAuth above. To enable the bot:
# 1. In Discord Developer Portal, go to Bot > Add Bot
# 2. Enable "Message Content Intent" under Privileged Gateway Intents
# 3. Copy the bot token below
# 4. Invite bot to servers with: OAuth2 > URL Generator
# - Scopes: bot, applications.commands
# - Permissions: Read Messages, Send Messages, Add Reactions, Read Message History
#
# Run with: pnpm discord-bot
#
# DISCORD_BOT_TOKEN=your-bot-token
# DISCORD_SAVE_EMOJI=🦁
# DISCORD_SUCCESS_EMOJI=salutinglionreader
# DISCORD_ERROR_EMOJI=😿
# =============================================================================
# Usage Limits (Optional)
# =============================================================================
# These limits protect against abuse and prevent out-of-memory crashes from
# oversized content. All limits have sane defaults. Adjust as needed.
# Maximum number of active subscriptions per user (default: 500)
# MAX_SUBSCRIPTIONS_PER_USER=500
# Maximum feed response size in bytes (default: 10MB = 10485760)
# Feeds larger than this are rejected during streaming (no OOM risk).
# MAX_FEED_SIZE_BYTES=10485760
# Maximum number of entries parsed from a single feed (default: 100)
# Entries beyond this limit are silently dropped.
# MAX_FEED_ENTRIES=100
# Maximum saved article page size in bytes (default: 5MB = 5242880)
# Also applies to uploaded articles.
# MAX_SAVED_ARTICLE_SIZE_BYTES=5242880
# Maximum email newsletter content size in bytes (default: 2MB = 2097152)
# Emails exceeding this are rejected before processing.
# MAX_EMAIL_SIZE_BYTES=2097152
# =============================================================================
# Observability (Optional)
# =============================================================================
# Sentry DSN for error tracking
# Get from: https://sentry.io/settings/projects/<project>/keys/
# For server-side errors:
# SENTRY_DSN=https://...@sentry.io/...
# For client-side errors (must be NEXT_PUBLIC_ for browser access):
# NEXT_PUBLIC_SENTRY_DSN=https://...@sentry.io/...
# Auth token for uploading source maps (CI/CD only):
# SENTRY_AUTH_TOKEN=sntrys_...
# Prometheus metrics endpoint (/api/metrics)
# Set to "true" to enable metrics collection
# METRICS_ENABLED=false
# Basic auth for /api/metrics endpoint (recommended if METRICS_ENABLED=true)
# METRICS_USERNAME=prometheus
# METRICS_PASSWORD=your-secure-password
# =============================================================================
# Fly.io Secrets (Production)
# =============================================================================
# The following should be set as Fly.io secrets, NOT in environment files:
#
# Required:
# fly secrets set DATABASE_URL="postgres://..."
# fly secrets set REDIS_URL="redis://..."
#
# Signup/Admin:
# fly secrets set ALLOW_ALL_SIGNUPS="true" # or keep false for invite-only
# fly secrets set ALLOWLIST_SECRET="your-secure-secret"
#
# Security:
# fly secrets set API_KEY_ENCRYPTION_KEY="$(openssl rand -base64 32)"
#
# AI Features:
# fly secrets set GROQ_API_KEY="gsk_..."
# fly secrets set ANTHROPIC_API_KEY="sk-ant-..."
# fly secrets set SUMMARIZATION_MODEL="claude-sonnet-4-6"
# fly secrets set SUMMARIZATION_MAX_WORDS="300"
#
# Google Integration:
# fly secrets set GOOGLE_SERVICE_ACCOUNT_JSON="eyJ0eXBlIjoi..." # For public Google Docs (base64 encoded)
# fly secrets set GOOGLE_CLIENT_ID="..." # For OAuth sign-in
# fly secrets set GOOGLE_CLIENT_SECRET="..."
# fly secrets set APPLE_CLIENT_ID="..."
# fly secrets set APPLE_TEAM_ID="..."
# fly secrets set APPLE_KEY_ID="..."
# fly secrets set APPLE_PRIVATE_KEY="..."
# fly secrets set DISCORD_CLIENT_ID="..."
# fly secrets set DISCORD_CLIENT_SECRET="..."
# fly secrets set DISCORD_BOT_TOKEN="..."
#
# GitHub Integration:
# fly secrets set GITHUB_API_TOKEN="github_pat_..."
#
# Email Newsletters (Mailgun):
# fly secrets set INGEST_EMAIL_DOMAIN="ingest.yourdomain.com"
# fly secrets set MAILGUN_WEBHOOK_SIGNING_KEY="your-mailgun-signing-key"
#
# Object Storage (for Google Docs images):
# fly storage create # Creates Tigris bucket and credentials
# fly secrets set STORAGE_BUCKET="your-bucket-name"
# fly secrets set STORAGE_ACCESS_KEY_ID="..."
# fly secrets set STORAGE_SECRET_ACCESS_KEY="..."
# fly secrets set STORAGE_ENDPOINT="https://fly.storage.tigris.dev"
# fly secrets set STORAGE_REGION="auto"
#
# Observability:
# fly secrets set SENTRY_DSN="https://...@sentry.io/..."
# fly secrets set NEXT_PUBLIC_SENTRY_DSN="https://...@sentry.io/..."
# fly secrets set SENTRY_AUTH_TOKEN="sntrys_..."
# fly secrets set METRICS_ENABLED="true"
# fly secrets set METRICS_USERNAME="prometheus"
# fly secrets set METRICS_PASSWORD="..."
#
# The DATABASE_URL is typically set automatically when you run:
# fly postgres attach <postgres-app-name>