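# Environment variables for the app. The values shown are development defaults and
# placeholders: replace every placeholder secret and default credential before
# exposing a deployment, and keep the populated file out of version control.
# One assignment per line; comments sit on their own lines so they are never read
# as part of a value.

# --- Application ---

# Public port used by the production server and the Vite web server in local development.
PORT="3000"

# Port used by the Hono server in local development. Vite proxies API requests to this port.
SERVER_PORT="3001"

# Public URL where the app is served. Used for auth callbacks, OAuth issuer URLs,
# OpenGraph metadata, and absolute upload URLs.
# Because auth callbacks and issuer URLs are built from this value, set it to the
# exact external https:// origin in production; http:// is only suitable for localhost.
APP_URL="http://localhost:3000"

# --- Database (PostgreSQL) ---

# PostgreSQL connection URL. In Docker Compose, the hostname is usually `postgres`;
# when running directly on your machine, `localhost` is typical.
# The URL embeds the database password. `postgres:postgres` is a well-known default:
# use a unique password and keep the database port off public interfaces.
DATABASE_URL="postgresql://postgres:postgres@postgres:5432/postgres"

# --- Authentication ---

# Generated using `openssl rand -hex 32`
# The value below is a placeholder, not a secret. Generate a unique value per
# deployment. NOTE(review): presumably this protects session/auth tokens, so a
# known or shared value would undermine them - confirm against the auth setup.
AUTH_SECRET="change-me-to-a-secure-secret-key-in-production"

# Better Auth Dashboard (optional)
# Enables the Better Auth Dashboard plugin when set; you probably don't need this.
# Treat the key as a credential if you do set it.
BETTER_AUTH_API_KEY=""

# Social Auth (Google, optional)
# Set both values to enable Google sign-in.
GOOGLE_CLIENT_ID=""
GOOGLE_CLIENT_SECRET=""

# Social Auth (GitHub, optional)
# Set both values to enable GitHub sign-in.
GITHUB_CLIENT_ID=""
GITHUB_CLIENT_SECRET=""

# Social Auth (LinkedIn, optional)
# Set both values to enable LinkedIn sign-in.
LINKEDIN_CLIENT_ID=""
LINKEDIN_CLIENT_SECRET=""

# Custom OAuth Provider (optional)
# Set OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET plus either OAUTH_DISCOVERY_URL or
# the three manual endpoint URLs below.
# Use https:// URLs for the provider endpoints: the token and user-info endpoints
# carry the client secret and access tokens.
OAUTH_PROVIDER_NAME=""
OAUTH_CLIENT_ID=""
OAUTH_CLIENT_SECRET=""
OAUTH_DISCOVERY_URL=""
OAUTH_AUTHORIZATION_URL=""
OAUTH_TOKEN_URL=""
OAUTH_USER_INFO_URL=""

# Space-separated scopes requested from the custom OAuth provider.
OAUTH_SCOPES="openid profile email"

# --- Email (optional) ---

# If SMTP_HOST, SMTP_USER, SMTP_PASS, or SMTP_FROM is missing, the app logs the
# email to the console instead.
# NOTE(review): emails logged this way presumably include verification and
# password-reset messages, so the logs would hold live links - configure SMTP or
# restrict log access in production.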
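SMTP_HOST=""
SMTP_PORT=""
SMTP_USER=""
SMTP_PASS=""
# NOTE(review): the value ends in a trailing space and has no address part; a
# sender is normally written `Display Name <address>` - confirm against the
# upstream example before use.
SMTP_FROM="Reactive Resume "
# NOTE(review): confirm whether "false" still negotiates STARTTLS with your mail
# server; SMTP_USER/SMTP_PASS should not cross the network unencrypted.
SMTP_SECURE="false"

# --- Storage (optional) ---

# If all S3 keys are disabled, the app uses local filesystem storage instead.
# Make sure to mount this directory to a volume or the host filesystem to ensure data integrity.
# LOCAL_STORAGE_PATH overrides where local uploads/cache are written.
# Defaults to /app/data in the official Docker image; in dev, defaults to /data.
# LOCAL_STORAGE_PATH="/app/data"

# Seaweedfs
# `seaweedfs`/`seaweedfs` are default credentials: replace them if the endpoint is
# reachable from outside the private container network. The endpoint below is
# plain http://, so use an https:// endpoint for remote or third-party S3 storage.
S3_ACCESS_KEY_ID="seaweedfs"
S3_SECRET_ACCESS_KEY="seaweedfs"
S3_REGION="us-east-1"
S3_ENDPOINT="http://seaweedfs:8333"
S3_BUCKET="reactive-resume"
S3_FORCE_PATH_STYLE="true"

# --- AI Agent Workspace (optional) ---

# Required only for the authenticated /agent workspace and saved AI providers.
# The Redis URL below carries no password and no TLS: keep Redis on a private
# network, or add credentials / a rediss:// URL when it is reachable by other hosts.
REDIS_URL="redis://redis:6379"
# Placeholder, not a secret. Generate a unique random value, distinct from AUTH_SECRET.
# NOTE(review): presumably protects saved AI provider credentials at rest; confirm
# whether changing it later makes previously saved providers unreadable.
ENCRYPTION_SECRET="change-me-to-a-secure-agent-secret-in-production"

# --- Feature Flags ---

# This flag disables new signups, both on the web app and the server.
FLAG_DISABLE_SIGNUPS="false"

# This flag disables email/password login. Disables email verification, forgot password, and reset password flows.
# Users can still sign up via social auth (Google/GitHub/Custom OAuth), unless FLAG_DISABLE_SIGNUPS is also set to true.
FLAG_DISABLE_EMAIL_AUTH="false"

# This flag disables the image processing.
# This is useful if you are using a machine with limited resources, like a Raspberry Pi.
FLAG_DISABLE_IMAGE_PROCESSING="false"

# This flag disables API rate limiting for authentication endpoints.
# Rate limiting is enabled by default in production to prevent abuse.
# Leave this at "false" on any internet-facing instance: with it set to "true",
# the authentication endpoints have no application-level throttle against
# password guessing.
FLAG_DISABLE_API_RATE_LIMIT="false"

# This flag shows sponsor placements on the public landing page.
FLAG_SHOW_SPONSORS="false"

# Allows dynamic OAuth client registration to use any parseable redirect URI,
# including custom schemes, private hosts, and non-loopback http:// URLs.
# WARNING: Enabling this on a public or multi-tenant deployment can enable phishing
# or token exfiltration. Only enable this on a trusted, self-hosted instance.
FLAG_ALLOW_UNSAFE_OAUTH_REDIRECT_URI="false"

# Allows AI providers to be configured with any base URL, including http:// and
# private/loopback addresses (e.g. http://localhost:11434 for a local Ollama instance).
# WARNING: Enabling this on a multi-tenant deployment is a Server-Side Request Forgery (SSRF)
# risk. Only enable this on a trusted, single-tenant self-hosted instance.
# If you do enable it, also limit the server's outbound network access (internal
# ranges, cloud metadata addresses) at the network layer.
FLAG_ALLOW_UNSAFE_AI_BASE_URL="false"

# --- Others ---

# Google Cloud API Key (optional)
# For font-list generation tooling.
# Requires "Google Fonts Developer API" to be enabled.
# Restrict the key to that API in the Google Cloud console so a leaked key cannot
# be used against other services.
GOOGLE_CLOUD_API_KEY=""

# Crowdin (optional)
# For translation tooling.
# NOTE(review): tooling-only credential; presumably not needed on a production
# server, so leave it empty there.
CROWDIN_PROJECT_ID=""
CROWDIN_API_TOKEN=""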