.env.example

# Environment Configuration Example
# Copy this file to .env and customize as needed

# Server Configuration
PORT=1999
HOST=localhost
GO_ENV=development

# Template Configuration
TEMPLATE_DIR=templates
PARTIALS_DIR=templates/partials
TEMPLATE_HOT_RELOAD=true

# Data Configuration
DATA_DIR=data

# Server Timeouts (seconds)
# Write timeout must accommodate local LLM response times (Ollama ~60s for tool-calling queries)
READ_TIMEOUT=15
WRITE_TIMEOUT=120

# Security Configuration
# Allowed origins for API access (comma-separated domains)
# Prevents external sites from accessing your API/PDF endpoint
#
# DEFAULT: If empty, defaults to juan.andres.morenorub.io (the CV site domain)
# Plus localhost and 127.0.0.1 are always allowed in development
#
# For custom domains in production: ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
# Multiple domains: ALLOWED_ORIGINS=domain1.com,domain2.com,www.domain1.com
ALLOWED_ORIGINS=

# Rate Limiter Configuration
# CRITICAL: Prevents IP spoofing attacks that bypass rate limiting
#
# BEHIND_PROXY: Set to true ONLY if behind a trusted reverse proxy (nginx, caddy, cloudflare)
# - Development (default): false - Uses RemoteAddr only, immune to header spoofing
# - Production behind proxy: true - Trusts X-Forwarded-For from proxy
#
# TRUSTED_PROXY_IP: Optional - IP address of your reverse proxy
# - If set, only X-Forwarded-For headers from this IP are trusted
# - Example: 127.0.0.1 (for local nginx), 10.0.0.1 (for load balancer)
# - Leave empty to trust X-Forwarded-For from any source (less secure)
#
# Security Impact:
# - BEHIND_PROXY=false (dev): Ignores all X-Forwarded-For headers, uses actual connection IP
# - BEHIND_PROXY=true (prod): Trusts proxy, extracts client IP from X-Forwarded-For
# - Logs all suspicious spoofing attempts for security monitoring
#
BEHIND_PROXY=false
TRUSTED_PROXY_IP=

# Email Configuration (Contact Form)
#
# Supported providers:
#
# DreamHost (port 465 - SSL):
#   SMTP_HOST=smtp.dreamhost.com
#   SMTP_PORT=465
#   SMTP_USER=your-email@yourdomain.com
#   SMTP_PASSWORD=your-email-password
#   SMTP_FROM_EMAIL=your-email@yourdomain.com
#
# Gmail (port 587 - TLS):
#   1. Enable 2FA in your Google account
#   2. Go to https://myaccount.google.com/apppasswords
#   3. Generate an App Password
#   SMTP_HOST=smtp.gmail.com
#   SMTP_PORT=587
#   SMTP_USER=your-email@gmail.com
#   SMTP_PASSWORD=your-app-password-here
#   SMTP_FROM_EMAIL=your-email@gmail.com
#
# Port 465 = SSL (direct TLS connection)
# Port 587 = TLS/STARTTLS (upgrades to TLS)
#
SMTP_HOST=smtp.dreamhost.com
SMTP_PORT=465
SMTP_USER=your-email@yourdomain.com
SMTP_PASSWORD=your-password
SMTP_FROM_EMAIL=your-email@yourdomain.com
CONTACT_EMAIL=recipient@example.com

# Chat AI Configuration
#
# MODEL_PROVIDER: "gemini" (default) or "ollama"
# MODEL_PROVIDER=gemini
#
# Gemini settings (when MODEL_PROVIDER=gemini):
# GOOGLE_API_KEY=your-google-api-key
# MODEL_NAME=gemini-2.5-flash
#
# Ollama settings (when MODEL_PROVIDER=ollama):
# OLLAMA_HOST=http://localhost:11434
# OLLAMA_MODEL=gemma4:26b

# Production Settings
# Uncomment for production:
# GO_ENV=production
# TEMPLATE_HOT_RELOAD=false
# READ_TIMEOUT=30
# WRITE_TIMEOUT=30
# ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com
#
# Production behind reverse proxy:
# BEHIND_PROXY=true
# TRUSTED_PROXY_IP=127.0.0.1
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00			`# Environment Configuration Example`
			`# Copy this file to .env and customize as needed`

			`# Server Configuration`
refactor: standardize port to 1999 across all files 2025-10-29 14:04:24 +00:00			`PORT=1999`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00			`HOST=localhost`
			`GO_ENV=development`

			`# Template Configuration`
			`TEMPLATE_DIR=templates`
			`PARTIALS_DIR=templates/partials`
			`TEMPLATE_HOT_RELOAD=true`

			`# Data Configuration`
			`DATA_DIR=data`

			`# Server Timeouts (seconds)`
feat: chat UX overhaul — GLM local model, icons, layout modes, instant bubbles 2026-04-09 10:54:23 +01:00			`# Write timeout must accommodate local LLM response times (Ollama ~60s for tool-calling queries)`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00			`READ_TIMEOUT=15`
feat: chat UX overhaul — GLM local model, icons, layout modes, instant bubbles 2026-04-09 10:54:23 +01:00			`WRITE_TIMEOUT=120`
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`# Security Configuration`
			`# Allowed origins for API access (comma-separated domains)`
			`# Prevents external sites from accessing your API/PDF endpoint`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:13:22 +00:00			`#`
			`# DEFAULT: If empty, defaults to juan.andres.morenorub.io (the CV site domain)`
			`# Plus localhost and 127.0.0.1 are always allowed in development`
			`#`
			`# For custom domains in production: ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com`
			`# Multiple domains: ALLOWED_ORIGINS=domain1.com,domain2.com,www.domain1.com`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`ALLOWED_ORIGINS=`

feat: add comprehensive testing infrastructure and security hardening 2025-11-11 21:43:12 +00:00			`# Rate Limiter Configuration`
			`# CRITICAL: Prevents IP spoofing attacks that bypass rate limiting`
			`#`
			`# BEHIND_PROXY: Set to true ONLY if behind a trusted reverse proxy (nginx, caddy, cloudflare)`
			`# - Development (default): false - Uses RemoteAddr only, immune to header spoofing`
			`# - Production behind proxy: true - Trusts X-Forwarded-For from proxy`
			`#`
			`# TRUSTED_PROXY_IP: Optional - IP address of your reverse proxy`
			`# - If set, only X-Forwarded-For headers from this IP are trusted`
			`# - Example: 127.0.0.1 (for local nginx), 10.0.0.1 (for load balancer)`
			`# - Leave empty to trust X-Forwarded-For from any source (less secure)`
			`#`
			`# Security Impact:`
			`# - BEHIND_PROXY=false (dev): Ignores all X-Forwarded-For headers, uses actual connection IP`
			`# - BEHIND_PROXY=true (prod): Trusts proxy, extracts client IP from X-Forwarded-For`
			`# - Logs all suspicious spoofing attempts for security monitoring`
			`#`
			`BEHIND_PROXY=false`
			`TRUSTED_PROXY_IP=`

feat: Add plain text CV endpoint and contact form with security 2025-11-30 13:47:49 +00:00			`# Email Configuration (Contact Form)`
feat: responsive HTML email templates with DreamHost SMTP 2025-12-02 13:42:36 +00:00			`#`
			`# Supported providers:`
			`#`
			`# DreamHost (port 465 - SSL):`
			`# SMTP_HOST=smtp.dreamhost.com`
			`# SMTP_PORT=465`
			`# SMTP_USER=your-email@yourdomain.com`
			`# SMTP_PASSWORD=your-email-password`
			`# SMTP_FROM_EMAIL=your-email@yourdomain.com`
			`#`
			`# Gmail (port 587 - TLS):`
			`# 1. Enable 2FA in your Google account`
			`# 2. Go to https://myaccount.google.com/apppasswords`
			`# 3. Generate an App Password`
			`# SMTP_HOST=smtp.gmail.com`
			`# SMTP_PORT=587`
			`# SMTP_USER=your-email@gmail.com`
			`# SMTP_PASSWORD=your-app-password-here`
			`# SMTP_FROM_EMAIL=your-email@gmail.com`
			`#`
			`# Port 465 = SSL (direct TLS connection)`
			`# Port 587 = TLS/STARTTLS (upgrades to TLS)`
			`#`
			`SMTP_HOST=smtp.dreamhost.com`
			`SMTP_PORT=465`
			`SMTP_USER=your-email@yourdomain.com`
			`SMTP_PASSWORD=your-password`
			`SMTP_FROM_EMAIL=your-email@yourdomain.com`
			`CONTACT_EMAIL=recipient@example.com`
feat: Add plain text CV endpoint and contact form with security 2025-11-30 13:47:49 +00:00
feat: Ollama adapter + chat rate limiter (30 req/hour) 2026-04-08 14:47:14 +01:00			`# Chat AI Configuration`
			`#`
			`# MODEL_PROVIDER: "gemini" (default) or "ollama"`
			`# MODEL_PROVIDER=gemini`
			`#`
			`# Gemini settings (when MODEL_PROVIDER=gemini):`
			`# GOOGLE_API_KEY=your-google-api-key`
			`# MODEL_NAME=gemini-2.5-flash`
			`#`
			`# Ollama settings (when MODEL_PROVIDER=ollama):`
			`# OLLAMA_HOST=http://localhost:11434`
config: switch default Ollama model to Gemma 4 26B MoE (3-4x faster than GLM) 2026-04-09 20:42:41 +01:00			`# OLLAMA_MODEL=gemma4:26b`
feat: Ollama adapter + chat rate limiter (30 req/hour) 2026-04-08 14:47:14 +01:00
Initial commit: Go + HTMX CV Site 2025-10-20 08:54:21 +01:00			`# Production Settings`
			`# Uncomment for production:`
			`# GO_ENV=production`
			`# TEMPLATE_HOT_RELOAD=false`
			`# READ_TIMEOUT=30`
			`# WRITE_TIMEOUT=30`
feat: add origin validation and rate limiting for PDF endpoint 2025-11-09 14:00:10 +00:00			`# ALLOWED_ORIGINS=yourdomain.com,www.yourdomain.com`
feat: add comprehensive testing infrastructure and security hardening 2025-11-11 21:43:12 +00:00			`#`
			`# Production behind reverse proxy:`
			`# BEHIND_PROXY=true`
			`# TRUSTED_PROXY_IP=127.0.0.1`