managarten/.env.macmini.example
Till JS b1b9bbc269
chore: rename repo mana-monorepo → managarten
Phase 3 rename of the former multi-app monorepo to a standalone
product repo. The association is called mana e.V., the platform domain stays mana.how,
apps/mana/ stays unchanged; only the repo container gets the
new name "managarten" (garden of the mana apps).

Changed:
- package.json#name + #description
- README.md (title + first paragraph)
- TROUBLESHOOTING.md
- all Mac Mini scripts (paths ~/projects/mana-monorepo → ~/projects/managarten)
- COMPOSE_PROJECT_NAME default in scripts/mac-mini/status.sh
- .github/workflows/cd-macmini.yml + mirror-to-forgejo.yml
- apps/docs (astro.config.mjs + content)
- .claude/settings.local.json (Bash permission paths)
- all docs/*.md path references
- launchd plists, .env.macmini.example, infrastructure/

Forgejo repo + GitHub repo already renamed via API. Local
directory rename + Mac Mini cutover follow separately.
2026-05-09 01:16:02 +02:00


# =============================================================================
# Mac Mini Production Environment
# =============================================================================
#
# Copy to .env.macmini (gitignored) and fill in the values. This file is
# loaded by `docker compose -f docker-compose.macmini.yml ...` on the
# Mac Mini host. The compose file references vars via ${VAR} (REQUIRED —
# missing means container fails to start) and ${VAR:-default} (OPTIONAL
# — falls back to the inline default if unset).
#
# Sections below mirror that split:
# 1. REQUIRED — production deployment cannot boot without these
# 2. OPTIONAL — defaults exist in compose; only set to override
#
# Verify the example covers every var the compose file uses:
# grep -ohE '\$\{[A-Z_][A-Z0-9_]*' docker-compose.macmini.yml | sort -u
# (audit baseline established 2026-04-08, see
# docs/REFACTORING_AUDIT_2026_04.md item #9)
# ============================================
# Compose project name (pinned, do not change)
# ============================================
# All Mac Mini containers were originally created under this project
# name, which mismatches the current directory name (managarten).
# Pinning the project name here means anyone running 'docker compose ...'
# from the repo root automatically lands in the same project as the
# already-running containers, instead of silently spawning a duplicate
# project with the same compose file. Removing this line WILL break
# the next deployment.
COMPOSE_PROJECT_NAME=manacore-monorepo
# ============================================
# Database (PostgreSQL)
# ============================================
POSTGRES_PASSWORD=your-secure-password-here
# ============================================
# Redis
# ============================================
REDIS_PASSWORD=your-redis-password-here
# ============================================
# JWT Keys (generate with: openssl rand -base64 32)
# For EdDSA keys, use mana-auth key generation
# ============================================
JWT_SECRET=your-jwt-secret-here
# Leave empty to use auto-generated keys
JWT_PUBLIC_KEY=
JWT_PRIVATE_KEY=
# ============================================
# Encryption Vault Key Encryption Key (KEK) — REQUIRED
# ============================================
# Wraps every user's master key in auth.encryption_vaults.
# Generate with: openssl rand -base64 32
#
# Without a real value, mana-auth boots with a 32-zero-byte fallback
# and prints a loud warning every startup. Production must set this.
# Treat it like a database root password — store as a Docker secret,
# KMS-injected env var, or Vault-served value.
#
# Rotation requires planned downtime today (no background re-wrap job
# yet). The kek_id column on encryption_vaults is reserved for the
# future migration path.
MANA_AUTH_KEK=
# ============================================
# Supabase (optional, for legacy features)
# ============================================
SUPABASE_URL=
SUPABASE_SERVICE_ROLE_KEY=
# ============================================
# Azure OpenAI (for Chat AI features)
# ============================================
AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com/
AZURE_OPENAI_API_KEY=your-api-key-here
# ============================================
# OpenAI (direct, non-Azure)
# ============================================
# Consumed by mana-research (deep research) and mana-api picture module
# for gpt-image-2 image generation. Distinct from AZURE_OPENAI_* above.
OPENAI_API_KEY=
# ============================================
# Monitoring (Grafana)
# ============================================
GRAFANA_PASSWORD=your-grafana-admin-password
# ============================================
# Web Analytics (Umami)
# ============================================
UMAMI_APP_SECRET=your-umami-secret-here
# =============================================================================
# REQUIRED — production cannot boot without these
# =============================================================================
# ─── Azure OpenAI ───────────────────────────────────────────
# Some compose entries reference ${AZURE_OPENAI_KEY} (no default), distinct
# from the ${AZURE_OPENAI_API_KEY:-} above. Provide both — they may be the
# same value or different keys depending on which deployment they hit.
AZURE_OPENAI_KEY=
AZURE_OPENAI_DEPLOYMENT=
# ─── Azure Speech (mana-stt / mana-tts fallback) ────────────
# Four rotation keys + endpoint. Get from Azure Portal → Speech resource.
AZURE_SPEECH_ENDPOINT=
AZURE_SPEECH_KEY_1=
AZURE_SPEECH_KEY_2=
AZURE_SPEECH_KEY_3=
AZURE_SPEECH_KEY_4=
# ─── Azure Blob Storage (Memoro batch audio) ────────────────
AZURE_STORAGE_ACCOUNT_NAME=
AZURE_STORAGE_ACCOUNT_KEY=
# ─── Google Gemini ──────────────────────────────────────────
# Used by mana-llm + several Gemini-Vision modules (planta, food).
# GOOGLE_GEMINI_API_KEY and GOOGLE_GENAI_API_KEY are SDK-specific aliases
# consumed by mana-research's Deep-Research provider (@google/genai) and
# mana-ai's planner. In practice all three hold the same value.
GEMINI_API_KEY=
GOOGLE_GEMINI_API_KEY=
GOOGLE_GENAI_API_KEY=
# ─── Mission Grants (AI Workbench) ──────────────────────────
# EdDSA keypair used by mana-ai to unwrap server-side decryption grants.
# Must be Ed25519 in PEM form, base64-encoded. Generate with:
# openssl genpkey -algorithm Ed25519 -out key.pem
# openssl pkey -in key.pem -pubout -out pub.pem
# base64 -w0 key.pem # → MANA_AI_PRIVATE_KEY_PEM
# base64 -w0 pub.pem # → MANA_AI_PUBLIC_KEY_PEM
# (-w0 is the GNU coreutils flag; on macOS use: base64 < key.pem | tr -d '\n')
# Keep the private half server-only; the public half goes into the
# browser so users can wrap grants for specific missions.
MANA_AI_PRIVATE_KEY_PEM=
MANA_AI_PUBLIC_KEY_PEM=
# ─── AI feature flags ───────────────────────────────────────
# MANA_AI_DEEP_RESEARCH_ENABLED gates the async deep-research provider
# in mana-research. PUBLIC_AI_MISSION_GRANTS surfaces the Mission-Grant
# UI in the webapp. Both default off; set to "true" in production.
MANA_AI_DEEP_RESEARCH_ENABLED=false
PUBLIC_AI_MISSION_GRANTS=false
# ─── Service-to-service auth keys ───────────────────────────
# Shared secrets backends use to call each other without going through
# user JWTs. Generate with: openssl rand -base64 32
# MANA_SERVICE_KEY appears in compose with BOTH a default and a no-default
# reference, so it MUST be set to a real value in production.
# MANA_CORE_SERVICE_KEY is a legacy alias consumed by games/arcade +
# mana-ai's internal client; keep it in sync with MANA_SERVICE_KEY until
# the rename is finished.
MANA_SERVICE_KEY=
MANA_CORE_SERVICE_KEY=
MANA_CREDITS_SERVICE_KEY=
MEMORO_SERVICE_KEY=
# ─── STT / TTS internal keys ────────────────────────────────
# Shared secrets between mana-api and the GPU-hosted STT/TTS services
# (see docs/WINDOWS_GPU_SERVER_SETUP.md). Required only if voice
# features are enabled.
STT_INTERNAL_API_KEY=
TTS_INTERNAL_API_KEY=
# ─── Memoro Supabase (legacy) ───────────────────────────────
# Memoro still keeps recording metadata in Supabase. Move to mana_platform
# is tracked in the Memoro CLAUDE.md.
MEMORO_SUPABASE_URL=
MEMORO_SUPABASE_SERVICE_KEY=
# =============================================================================
# OPTIONAL — defaults baked into docker-compose.macmini.yml
# =============================================================================
# Only uncomment + set if you want to override the in-compose default.
# Each line shows the default that ships in the compose file so you know
# what you're overriding.
# ─── Database / Cache (defaults are insecure!) ──────────────
# POSTGRES_PASSWORD=devpassword # CHANGE for prod
# REDIS_PASSWORD=redis123 # CHANGE for prod
# ─── MinIO (defaults are insecure!) ─────────────────────────
# MINIO_ACCESS_KEY=minioadmin # CHANGE for prod
# MINIO_SECRET_KEY=minioadmin # CHANGE for prod
# ─── Better Auth ────────────────────────────────────────────
# Default falls back to ${JWT_SECRET}. Override only if you want a
# distinct session-signing key.
# BETTER_AUTH_SECRET=
# ─── LLM models ─────────────────────────────────────────────
# MANA_LLM_API_KEY= # default empty (open llm.mana.how)
# MANA_LLM_MODEL=ollama/gemma3:12b
# OLLAMA_URL=http://host.docker.internal:13434
# OLLAMA_MODEL=gemma3:12b
# ─── Third-party AI APIs (optional) ─────────────────────────
# OPENROUTER_API_KEY=
# GROQ_API_KEY=
# GOOGLE_API_KEY=
# TOGETHER_API_KEY=
# ─── STT / TTS (defaults point to GPU box on LAN) ───────────
# STT_SERVICE_URL=http://192.168.178.11:3020
# TTS_SERVICE_URL=http://192.168.178.11:3022
# MANA_STT_API_KEY=
# ─── Stripe (defaults empty — billing disabled if unset) ────
# STRIPE_SECRET_KEY=
# STRIPE_CREDITS_WEBHOOK_SECRET=
# STRIPE_SUBSCRIPTIONS_WEBHOOK_SECRET=
# ─── Mail (Stalwart) — defaults work for the bundled stack ──
# SMTP_HOST=stalwart
# SMTP_PORT=587
# SMTP_USER=noreply
# SMTP_PASSWORD=ManaNoReply2026! # CHANGE for prod
# STALWART_ADMIN_PASSWORD=ChangeMe123! # CHANGE for prod
# ─── Search (SearXNG) ───────────────────────────────────────
# SEARXNG_SECRET=change-me-searxng-secret
# ─── Error tracking (GlitchTip / Sentry) ────────────────────
# GLITCHTIP_DSN_MANA_WEB=
# GLITCHTIP_SECRET_KEY=change-me-in-production
# ─── Notifications ──────────────────────────────────────────
# NTFY_TOPIC=
# TELEGRAM_BOT_TOKEN=
# TELEGRAM_CHAT_ID=
# ─── Cloudflare (only if deploying landings via wrangler) ───
# CLOUDFLARE_ACCOUNT_ID=
# CLOUDFLARE_API_TOKEN=
# EXPO_ACCESS_TOKEN=
# ─── Admin / abuse limits ───────────────────────────────────
# ADMIN_USER_IDS= # comma-separated user IDs
# MAX_DAILY_SIGNUPS=0 # 0 = unlimited
# ─── Misc ───────────────────────────────────────────────────
# AZURE_OPENAI_API_VERSION=
# AZURE_STORAGE_CONTAINER=memoro-batch-audio
# AZURE_SPEECH_REGION=germanywestcentral
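The REQUIRED/OPTIONAL split and the audit grep from the header can be turned into a pre-deploy check that refuses an env file with an empty no-default variable, an undocumented optional variable, or a MANA_AUTH_KEK that is not 32 random bytes (the all-zero fallback mana-auth otherwise boots with). This is an added example, not code from the managarten repo; the compose fragment and env file it audits are constructed samples.

```shell
# Added example, not part of managarten: audit a .env file against the
# ${VAR} (required) / ${VAR:-default} (optional) split the compose file uses.
set -eu
# required_vars COMPOSE: names referenced as ${VAR} with no default
required_vars() {
  grep -ohE '\$\{[A-Z_][A-Z0-9_]*\}' "$1" | tr -d '${}' | sort -u
}
# optional_vars COMPOSE: names referenced as ${VAR:-default}
optional_vars() {
  grep -ohE '\$\{[A-Z_][A-Z0-9_]*:-' "$1" | tr -d '${:-' | sort -u
}
# env_value ENV NAME: value of the last uncommented NAME= line ("" if none)
env_value() {
  grep -E "^$2=" "$1" | tail -n1 | cut -d= -f2-
}
# kek_ok VALUE: base64 that decodes to exactly 32 bytes which are not all zero,
# i.e. not the fallback mana-auth uses when MANA_AUTH_KEK is left unset
kek_ok() {
  hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  [ "${#hex}" -eq 64 ] && [ "$hex" != "$(printf '%064d' 0)" ]
}
# audit COMPOSE ENV: print one line per finding, return 1 if there were any
audit() {
  rc=0
  for name in $(required_vars "$1"); do
    [ -n "$(env_value "$2" "$name")" ] || { echo "MISSING required: $name"; rc=1; }
  done
  for name in $(optional_vars "$1"); do
    grep -qE "^#? ?$name=" "$2" || { echo "UNDOCUMENTED optional: $name"; rc=1; }
  done
  kek_ok "$(env_value "$2" MANA_AUTH_KEK)" || { echo "BAD KEK: MANA_AUTH_KEK is empty, wrong length or all zero"; rc=1; }
  return $rc
}
# Constructed sample compose fragment and env file (not the real files)
SAMPLE_COMPOSE=$(mktemp); SAMPLE_ENV=$(mktemp)
cat >"$SAMPLE_COMPOSE" <<'EOF'
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
      MANA_AUTH_KEK: ${MANA_AUTH_KEK}
      MANA_SERVICE_KEY: ${MANA_SERVICE_KEY}
      REDIS_PASSWORD: ${REDIS_PASSWORD:-redis123}
      MINIO_ACCESS_KEY: ${MINIO_ACCESS_KEY:-minioadmin}
EOF
cat >"$SAMPLE_ENV" <<EOF
POSTGRES_PASSWORD=example-pg-password
MANA_AUTH_KEK=$(head -c 32 /dev/zero | base64)
MANA_SERVICE_KEY=
# REDIS_PASSWORD=redis123
EOF
audit "$SAMPLE_COMPOSE" "$SAMPLE_ENV" || echo "sample env is NOT deployable"
```

Run it as `audit docker-compose.macmini.yml .env.macmini` on the host before `docker compose up`; the sample above reports a missing MANA_SERVICE_KEY, an undocumented MINIO_ACCESS_KEY and the all-zero KEK.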
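For the Mission-Grant keys, the generation steps given in the comments are worth pairing with a check that the two values actually placed in the env are a matching Ed25519 pair, since a stale or swapped public half fails only at grant-unwrap time. This is an added example, not code from the managarten repo; it assumes openssl is on the PATH and writes the PEM files to a temporary directory.

```shell
# Added example, not part of managarten: generate the Mission-Grant Ed25519
# keypair as the env comments describe, then verify the exported values.
set -eu
# gen_keypair DIR: write key.pem/pub.pem in DIR, export both base64 env values
gen_keypair() {
  openssl genpkey -algorithm Ed25519 -out "$1/key.pem"
  openssl pkey -in "$1/key.pem" -pubout -out "$1/pub.pem"
  # tr -d '\n' replaces GNU base64's -w0 so this also works on macOS
  MANA_AI_PRIVATE_KEY_PEM=$(base64 < "$1/key.pem" | tr -d '\n')
  MANA_AI_PUBLIC_KEY_PEM=$(base64 < "$1/pub.pem" | tr -d '\n')
  export MANA_AI_PRIVATE_KEY_PEM MANA_AI_PUBLIC_KEY_PEM
}
# is_ed25519_private B64: 0 if the value decodes to an Ed25519 private key
# (a public key, an RSA key or garbage all fail here)
is_ed25519_private() {
  printf '%s' "$1" | base64 -d 2>/dev/null \
    | openssl pkey -noout -text 2>/dev/null | grep -q '^ED25519 Private-Key'
}
# keypair_matches PRIV_B64 PUB_B64: 0 if PUB is the public half of PRIV
keypair_matches() {
  derived=$(printf '%s' "$1" | base64 -d 2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
  given=$(printf '%s' "$2" | base64 -d 2>/dev/null | openssl pkey -pubin -pubout 2>/dev/null) || return 1
  [ -n "$derived" ] && [ "$derived" = "$given" ]
}
# check_env: verify the MANA_AI_* values currently in the environment
check_env() {
  is_ed25519_private "${MANA_AI_PRIVATE_KEY_PEM:-}" \
    || { echo "MANA_AI_PRIVATE_KEY_PEM is not a base64-encoded Ed25519 PEM key"; return 1; }
  keypair_matches "${MANA_AI_PRIVATE_KEY_PEM:-}" "${MANA_AI_PUBLIC_KEY_PEM:-}" \
    || { echo "MANA_AI_PUBLIC_KEY_PEM does not belong to MANA_AI_PRIVATE_KEY_PEM"; return 1; }
  echo "Mission-Grant keypair OK"
}
WORK=$(mktemp -d)
gen_keypair "$WORK"
check_env
```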