Add a server compose (full stack, Postgres on the LAN, scheduler on, host-visible pgdata bind mount) and a localdev compose (webapp only, no DB, scheduler off) that points at the central DB. Document the single-shared-database topology, the exactly-one-scheduler rule, and YOUTUBE_API_KEY for unattended backfill that does not depend on a 7-day OAuth refresh token.
50 lines
2.4 KiB
Text
50 lines
2.4 KiB
Text
# ---- Copy this file to .env and fill in the values ----
|
|
|
|
# Postgres (used by docker-compose for the db service and the DATABASE_URL)
|
|
POSTGRES_USER=subfeed
|
|
POSTGRES_PASSWORD=change-this-password
|
|
POSTGRES_DB=subfeed
|
|
|
|
# Host port the app is exposed on (http://localhost:<APP_PORT>)
|
|
APP_PORT=8080
|
|
|
|
# Session signing key. Generate with: python -c "import secrets;print(secrets.token_urlsafe(48))"
|
|
SECRET_KEY=change-me-session-key
|
|
|
|
# Fernet key for encrypting stored OAuth refresh tokens. Generate with:
|
|
# python -c "import base64,os;print(base64.urlsafe_b64encode(os.urandom(32)).decode())"
|
|
TOKEN_ENCRYPTION_KEY=change-me-fernet-key
|
|
|
|
# Google OAuth client (Google Cloud Console -> APIs & Services -> Credentials -> OAuth client ID, type "Web application").
|
|
# Authorized redirect URI must match OAUTH_REDIRECT_URL exactly.
|
|
GOOGLE_CLIENT_ID=
|
|
GOOGLE_CLIENT_SECRET=
|
|
OAUTH_REDIRECT_URL=http://localhost:8080/auth/callback
|
|
|
|
# Invite list: only these Google account emails may sign in (comma-separated).
|
|
ALLOWED_EMAILS=
|
|
# Admin emails (subset of the above) get the admin role.
|
|
ADMIN_EMAILS=
|
|
|
|
# Optional: origin of a separately-served frontend dev server (enables CORS). Leave empty in production.
|
|
FRONTEND_ORIGIN=
|
|
|
|
# Optional YouTube Data API key (Google Cloud Console -> Credentials -> Create API key).
|
|
# When set, all public reads (channels/videos/playlist backfill + enrichment) use the key
|
|
# instead of a user's OAuth token, so 24/7 backfill never depends on a refresh token that
|
|
# would otherwise expire (Google expires refresh tokens after 7 days while the OAuth consent
|
|
# screen is in "Testing"). Strongly recommended for the always-on server instance.
|
|
YOUTUBE_API_KEY=
|
|
|
|
# --- Deployment role ---
|
|
# DATABASE_URL is set automatically by docker-compose.yml / docker-compose.server.yml to the
|
|
# bundled `db` service. Override it only for local dev against the central server DB, e.g.:
|
|
# DATABASE_URL=postgresql+psycopg://subfeed:<password>@192.168.1.118:5432/subfeed
|
|
# Exactly one instance may run the background scheduler. The central server keeps it on; every
|
|
# other instance (local dev, etc.) must set SCHEDULER_ENABLED=false. The compose files set this
|
|
# for you (server=true via docker-compose.server.yml, local=false via docker-compose.localdev.yml).
|
|
SCHEDULER_ENABLED=true
|
|
|
|
# On the central server, set this so backup.sh / restore.sh and plain `docker compose` commands
|
|
# target the server stack automatically:
|
|
# COMPOSE_FILE=docker-compose.server.yml
|