
Configuration

The CVSM API is configured through environment variables. If you self-host with Docker Compose, put them in .env or under the api service's environment key in docker-compose.yml.

Required

| Variable | Description |
| --- | --- |
| DATABASE_URL | Postgres connection string. postgres://user:pass@host:5432/dbname |
| JWT_SECRET | Secret used to sign JWT sessions. Minimum 32 bytes, hex. Generate: openssl rand -hex 32 |
| ENCRYPTION_KEY | Secret used to encrypt secrets in the DB with AES-256-GCM. Must be 32 bytes, hex. Generate: openssl rand -hex 32 |

Optional — App behavior

| Variable | Default | Description |
| --- | --- | --- |
| PORT | 8080 | HTTP listen port |
| BCRYPT_COST | 12 | bcrypt work factor for passwords. Range 10-14 |
| ALLOWED_ORIGINS | * | CORS whitelist. Production: set explicitly |
| APP_URL | https://calvery.xyz | Public frontend URL, used in email links |

Optional — SMTP (email verification, password reset, team invite)

| Variable | Example |
| --- | --- |
| SMTP_HOST | smtp.resend.com, smtp.gmail.com |
| SMTP_PORT | 587 (STARTTLS) or 465 (TLS) |
| SMTP_USER | resend (Resend) or the full email address |
| SMTP_PASSWORD | API key / app password |
| SMTP_FROM | CVSM <[email protected]> |

Without SMTP config, email verification and invites do not work (users can still sign up but cannot verify).

Recommended providers:

  • Resend — 3000 emails/month free, best DX. Requires verified DNS.
  • Cloudflare Email Routing — free for receiving, but cannot send (pair it with Resend).
  • Gmail SMTP — for testing only, low rate limit.

Optional — Google OAuth SSO

| Variable | Example |
| --- | --- |
| GOOGLE_CLIENT_ID | xxxxxx.apps.googleusercontent.com |
| GOOGLE_CLIENT_SECRET | GOCSPX-xxxxxxxxxxx |
| GOOGLE_REDIRECT_URL | https://api.vault.company.com/api/v1/auth/google/callback |

If these are empty, the Google SSO button is disabled on the login page.

Setup: console.cloud.google.com → OAuth 2.0 Client ID → Web application → the Authorized redirect URI must match GOOGLE_REDIRECT_URL.

Rate limits

Hardcoded defaults:

  • /auth/* → 10 req/min/IP (login, register, reset)
  • /api/v1/* → 60 req/min/token
  • /public/* → 30 req/min/IP

Not yet configurable via env (coming in v0.3).

Logging

CVSM logs to stdout (JSON format is recommended in production). Read the logs with:

  • Docker: docker compose logs -f api
  • systemd: journalctl -u cvsm-api -f
  • K8s: kubectl logs -f deploy/cvsm-api

For aggregation, use:

  • Grafana Loki (self-host)
  • Datadog / New Relic (SaaS)
  • CloudWatch (AWS)

Production checklist

Before going to production, verify:

  • JWT_SECRET & ENCRYPTION_KEY freshly generated (not copied from the docs)
  • ALLOWED_ORIGINS explicit (not *)
  • SMTP config valid (test by sending to yourself)
  • Daily Postgres backup
  • TLS active (https, not http)
  • Nginx proxy_body_size set to 1m (matches the API limit)
  • Firewall: Postgres port 5432 not exposed publicly
  • .env file permissions 600
  • Dedicated cvsm user to run the service (not root)
  • Uptime monitoring active
  • ENCRYPTION_KEY backed up in a separate location
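
A preflight check for the secret, CORS and bcrypt items in this checklist, as an added example in Go (not CVSM's own code). The helper name checkEnv is hypothetical, and it assumes "32 bytes hex" means the 64 hex characters that openssl rand -hex 32 prints.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// checkEnv is a hypothetical helper, not part of CVSM. It applies the limits
// documented on this page to a set of env values and returns one finding each.
func checkEnv(env map[string]string) []string {
	var findings []string
	// JWT_SECRET: at least 32 bytes of hex. ENCRYPTION_KEY: exactly 32 (AES-256).
	for _, name := range []string{"JWT_SECRET", "ENCRYPTION_KEY"} {
		raw, err := hex.DecodeString(env[name])
		if err != nil || len(raw) < 32 || (name == "ENCRYPTION_KEY" && len(raw) != 32) {
			findings = append(findings, name+": need 32 bytes of hex (openssl rand -hex 32)")
		}
	}
	// Unset means the documented default "*", which the checklist rejects.
	if o := strings.TrimSpace(env["ALLOWED_ORIGINS"]); o == "" || o == "*" {
		findings = append(findings, "ALLOWED_ORIGINS: wildcard, list origins explicitly")
	}
	// Unset means the documented default 12; the documented range is 10-14.
	if v, ok := env["BCRYPT_COST"]; ok {
		if n, err := strconv.Atoi(v); err != nil || n < 10 || n > 14 {
			findings = append(findings, "BCRYPT_COST: outside 10-14")
		}
	}
	return findings
}

func main() {
	// Read the process environment, e.g. after loading .env into the shell.
	env := map[string]string{}
	for _, kv := range os.Environ() {
		k, v, _ := strings.Cut(kv, "=")
		env[k] = v
	}
	findings := checkEnv(env)
	for _, f := range findings {
		fmt.Println("FAIL:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
}
```

Run it with the same environment the api service receives; a non-zero exit status means at least one item failed.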

Env variable reference: full list

Extracted from internal/config/config.go:

# Core
PORT=8080
DATABASE_URL=
JWT_SECRET=
ENCRYPTION_KEY=
BCRYPT_COST=12
ALLOWED_ORIGINS=*
# SMTP
SMTP_HOST=
SMTP_PORT=587
SMTP_USER=
SMTP_PASSWORD=
SMTP_FROM=CVSM <[email protected]>
# App
APP_URL=https://calvery.xyz
# Google OAuth (optional)
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
GOOGLE_REDIRECT_URL=