Add production env template

.env.production.example

@@ -0,0 +1,101 @@
+# Monaco USA Portal - Production Environment Configuration
+# ========================================================
+# Copy this file to .env on your production server and configure all values
+#
+# IMPORTANT: Never commit .env files to version control!
+
+# ===========================================
+# DOMAIN CONFIGURATION
+# ===========================================
+# Your domain name (without https://)
+DOMAIN=portal.monacousa.org
+
+# Email for Let's Encrypt SSL certificate notifications
+ACME_EMAIL=matt@monacousa.org
+
+# ===========================================
+# POSTGRES DATABASE
+# ===========================================
+# Use strong, unique passwords - generate with: openssl rand -base64 32
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=CHANGE_ME_use_openssl_rand_base64_32
+POSTGRES_DB=postgres
+
+# ===========================================
+# JWT CONFIGURATION
+# ===========================================
+# CRITICAL: Generate a unique secret for production!
+# Generate with: openssl rand -base64 32
+JWT_SECRET=CHANGE_ME_use_openssl_rand_base64_32
+JWT_EXPIRY=3600
+
+# ===========================================
+# SUPABASE API KEYS
+# ===========================================
+# Generate these using your JWT_SECRET at:
+# https://supabase.com/docs/guides/self-hosting#api-keys
+#
+# Or use this command to generate (requires jwt-cli):
+# jwt encode --secret YOUR_JWT_SECRET --alg HS256 --exp '+100y' '{"role":"anon","iss":"supabase"}'
+# jwt encode --secret YOUR_JWT_SECRET --alg HS256 --exp '+100y' '{"role":"service_role","iss":"supabase"}'
+
+ANON_KEY=CHANGE_ME_generate_with_jwt_tool
+SERVICE_ROLE_KEY=CHANGE_ME_generate_with_jwt_tool
+
+# ===========================================
+# AUTH CONFIGURATION
+# ===========================================
+# Set to true to disable public signups (invite-only)
+DISABLE_SIGNUP=false
+
+# Set to false in production to require email verification
+ENABLE_EMAIL_AUTOCONFIRM=false
+
+# Allowed redirect URLs after auth (comma-separated)
+ADDITIONAL_REDIRECT_URLS=https://portal.monacousa.org/auth/callback,https://portal.monacousa.org/auth/verify
+
+# Rate limit for emails (per hour)
+RATE_LIMIT_EMAIL_SENT=100
+
+# ===========================================
+# SMTP EMAIL CONFIGURATION
+# ===========================================
+# Required for email verification, password reset, invites
+SMTP_HOST=mail.monacousa.org
+SMTP_PORT=587
+SMTP_USER=noreply@monacousa.org
+SMTP_PASS=CHANGE_ME_smtp_password
+SMTP_ADMIN_EMAIL=noreply@monacousa.org
+SMTP_SENDER_NAME=Monaco USA
+
+# ===========================================
+# REALTIME / SECURITY
+# ===========================================
+# Generate with: openssl rand -base64 64
+SECRET_KEY_BASE=CHANGE_ME_use_openssl_rand_base64_64
+
+# ===========================================
+# POSTGREST
+# ===========================================
+PGRST_DB_SCHEMAS=public,storage,graphql_public
+
+# ===========================================
+# SVELTEKIT CONFIGURATION
+# ===========================================
+# Body size limit for file uploads (50MB = 52428800 bytes)
+BODY_SIZE_LIMIT=52428800
+
+# ===========================================
+# TRAEFIK DASHBOARD AUTH (Optional)
+# ===========================================
+# Generate with: htpasswd -nb admin yourpassword
+# Or use: echo $(htpasswd -nb admin yourpassword) | sed -e s/\\$/\\$\\$/g
+# The double $$ is required for docker-compose
+TRAEFIK_DASHBOARD_AUTH=admin:$$apr1$$CHANGE_ME
+
+# ===========================================
+# STUDIO AUTH (Optional - for Supabase Studio access)
+# ===========================================
+# Generate with: htpasswd -nb admin yourpassword
+# Or use: echo $(htpasswd -nb admin yourpassword) | sed -e s/\\$/\\$\\$/g
+STUDIO_AUTH=admin:$$apr1$$CHANGE_ME

.gitignore

@@ -16,6 +16,7 @@ Thumbs.db
 .env
 .env.*
 !.env.example
+!.env.production.example
 !.env.test
 
 # Vite