deploy.env.template

APP_VERSION=4.0.1
TZ=Pacific/Auckland

POSTGRES_DB=goodwalk
POSTGRES_USER=goodwalk
POSTGRES_PASSWORD=gw_Pg_7Jm9!Qx4#Ld2@Vr8
POSTGRES_PASSWORD_URLENCODED=gw_Pg_7Jm9%21Qx4%23Ld2%40Vr8

RESEND_API_KEY=re_hcDByLp8_HEBW93wDirr7o9g16FgCeYNF
OWNER_EMAIL=info@goodwalk.co.nz
SECONDARY_CP_EMAIL=mattcohen0@gmail.com
SECONDARY_CP_EMAILS=
OWNER_BCC=mattcohen0@gmail.com
CLIENT_BCC=mattcohen0@gmail.com
FROM_EMAIL=GoodWalk <info@goodwalk.co.nz>
REPLY_TO=info@goodwalk.co.nz
MAIL_API_DATA_DIR=/app/data
ENABLE_GENERAL_ENQUIRIES=false
PUBLIC_ENABLE_MOBILE_CTA_BUTTON=false
PUBLIC_ENABLE_ENHANCED_CONTENT_IMAGES=false

# Server-side GA4 (ad-block-resistant fallback). See docs/server-side-analytics.md.
# GA4_MEASUREMENT_ID matches the ID in src/app.html.
# GA4_API_SECRET: GA4 admin → Data Streams → web stream → Measurement Protocol API secrets → Create.
# Leave blank to disable the forwarder (endpoint still accepts requests but skips the GA4 call).
GA4_MEASUREMENT_ID=G-K7TLSFJVP1
GA4_API_SECRET=

FORM_MIN_SECONDS=4
FORM_MAX_SECONDS=7200
RATE_LIMIT_WINDOW_SECONDS=900
RATE_LIMIT_MAX_PER_IP=5
RATE_LIMIT_MAX_PER_EMAIL=3
RATE_LIMIT_MIN_INTERVAL_SECONDS=20
EMAIL_SEND_TIMEOUT_SECONDS=20

# Shared secret for the post-deploy form smoke tests. The deploy script reads
# this from the live remote .env and presents it via X-Deploy-Smoke; the
# mail-api short-circuits matching requests before email/db side effects.
# Rotate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
DEPLOY_SMOKE_SECRET=ed7261d3d7a5ac0a51e0cfb2bf4e2bd4009503605d2963d3ee766b7e885e76eb

# Security hardening — sensible defaults are in mail_api/config.py.
# Override only if the public domains change or you need to allow extra origins.
# CORS_ALLOWED_ORIGINS=https://goodwalk.co.nz,https://www.goodwalk.co.nz,https://clients.goodwalk.co.nz,https://cp.goodwalk.co.nz
# TRUSTED_HOSTS=goodwalk.co.nz,www.goodwalk.co.nz,clients.goodwalk.co.nz,cp.goodwalk.co.nz,localhost,127.0.0.1
# MAX_REQUEST_BODY_BYTES=2097152
v4.0.0.1 2026-05-19 23:36:58 +12:00			`APP_VERSION=4.0.1`
4.0.1 - fixes 2026-05-02 19:44:45 +12:00			`TZ=Pacific/Auckland`

Deployment script updates 2026-05-02 12:39:55 +12:00			`POSTGRES_DB=goodwalk`
			`POSTGRES_USER=goodwalk`
			`POSTGRES_PASSWORD=gw_Pg_7Jm9!Qx4#Ld2@Vr8`
4.0.1 - fixes 2026-05-02 19:44:45 +12:00			`POSTGRES_PASSWORD_URLENCODED=gw_Pg_7Jm9%21Qx4%23Ld2%40Vr8`
Deployment script updates 2026-05-02 12:39:55 +12:00
			`RESEND_API_KEY=re_hcDByLp8_HEBW93wDirr7o9g16FgCeYNF`
instagram cta changes, mail fixes 2026-05-04 23:47:26 +12:00			`OWNER_EMAIL=info@goodwalk.co.nz`
v4.0.0.1 2026-05-19 23:36:58 +12:00			`SECONDARY_CP_EMAIL=mattcohen0@gmail.com`
			`SECONDARY_CP_EMAILS=`
instagram cta changes, mail fixes 2026-05-04 23:47:26 +12:00			`OWNER_BCC=mattcohen0@gmail.com`
			`CLIENT_BCC=mattcohen0@gmail.com`
Deployment script updates 2026-05-02 12:39:55 +12:00			`FROM_EMAIL=GoodWalk <info@goodwalk.co.nz>`
4.0.1 - fixes 2026-05-02 19:44:45 +12:00			`REPLY_TO=info@goodwalk.co.nz`
v4.1 - Admin/onboarding 2026-05-18 22:25:43 +12:00			`MAIL_API_DATA_DIR=/app/data`
General enquries feature 2026-05-04 20:32:24 +12:00			`ENABLE_GENERAL_ENQUIRIES=false`
Remove CTA button from mobile 2026-05-07 07:57:52 +12:00			`PUBLIC_ENABLE_MOBILE_CTA_BUTTON=false`
v4.1 - Admin/onboarding 2026-05-18 22:25:43 +12:00			`PUBLIC_ENABLE_ENHANCED_CONTENT_IMAGES=false`
Deployment script updates 2026-05-02 12:39:55 +12:00
v4.0.0.3 2026-05-26 23:30:22 +12:00			`# Server-side GA4 (ad-block-resistant fallback). See docs/server-side-analytics.md.`
			`# GA4_MEASUREMENT_ID matches the ID in src/app.html.`
			`# GA4_API_SECRET: GA4 admin → Data Streams → web stream → Measurement Protocol API secrets → Create.`
			`# Leave blank to disable the forwarder (endpoint still accepts requests but skips the GA4 call).`
			`GA4_MEASUREMENT_ID=G-K7TLSFJVP1`
			`GA4_API_SECRET=`

Deployment script updates 2026-05-02 12:39:55 +12:00			`FORM_MIN_SECONDS=4`
			`FORM_MAX_SECONDS=7200`
			`RATE_LIMIT_WINDOW_SECONDS=900`
			`RATE_LIMIT_MAX_PER_IP=5`
			`RATE_LIMIT_MAX_PER_EMAIL=3`
4.0.1 - fixes 2026-05-02 19:44:45 +12:00			`RATE_LIMIT_MIN_INTERVAL_SECONDS=20`
v4.0.0.1 2026-05-19 23:36:58 +12:00			`EMAIL_SEND_TIMEOUT_SECONDS=20`

v4.0.0.2 2026-05-26 08:30:08 +12:00			`# Shared secret for the post-deploy form smoke tests. The deploy script reads`
			`# this from the live remote .env and presents it via X-Deploy-Smoke; the`
			`# mail-api short-circuits matching requests before email/db side effects.`
			`# Rotate with: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`
			`DEPLOY_SMOKE_SECRET=ed7261d3d7a5ac0a51e0cfb2bf4e2bd4009503605d2963d3ee766b7e885e76eb`

v4.0.0.1 2026-05-19 23:36:58 +12:00			`# Security hardening — sensible defaults are in mail_api/config.py.`
			`# Override only if the public domains change or you need to allow extra origins.`
			`# CORS_ALLOWED_ORIGINS=https://goodwalk.co.nz,https://www.goodwalk.co.nz,https://clients.goodwalk.co.nz,https://cp.goodwalk.co.nz`
			`# TRUSTED_HOSTS=goodwalk.co.nz,www.goodwalk.co.nz,clients.goodwalk.co.nz,cp.goodwalk.co.nz,localhost,127.0.0.1`
			`# MAX_REQUEST_BODY_BYTES=2097152`