From 08e0edba4a56fabd27ba290d16c5b67ee7d83453 Mon Sep 17 00:00:00 2001
From: Stefan Mogeritsch
Date: Sat, 14 Mar 2026 09:34:51 +0100
Subject: [PATCH] config: update `.env.example` with enhanced structure and secure defaults

- Improved organization with clear section headers for readability.
- Replaced placeholder values with clearer examples and added secure defaults.
- Introduced new environment variables for advanced configurations (e.g., `JVM_OPTS_ARM64`, `ZIPKIN_ENDPOINT`, `POSTGRES_SHARED_BUFFERS`).

Signed-off-by: Stefan Mogeritsch
---
 .env.example | 56 ++++++++++++++++++++++++++++++++--------------------
 1 file changed, 35 insertions(+), 21 deletions(-)

diff --git a/.env.example b/.env.example
index a4c81151..072ba892 100644
--- a/.env.example
+++ b/.env.example
@@ -17,22 +17,31 @@ PROJECT_NAME=meldestelle
 BACKUP_DIR=/home//backups/meldestelle
 BACKUP_RETENTION_DAYS=7

-# Docker build versions (optional overrides)
+# --- DOCKER BUILD & REGISTRY ---
+DOCKER_REGISTRY=git.mo-code.at/mo-code
+DOCKER_TAG=latest
 DOCKER_VERSION=1.0.0-SNAPSHOT
 DOCKER_BUILD_DATE=2026-02-02T15:00:00Z
 DOCKER_GRADLE_VERSION=9.3.1
-# Check if 25 is intended (Early Access) or if LTS 21 was meant
+# Java 25 = Early Access; für LTS auf 21 setzen
 DOCKER_JAVA_VERSION=25
 DOCKER_NODE_VERSION=24.12.0
-DOCKER_NGINX_VERSION=1.28.0-alpine
+# Caddy Version für den Web-App Container
+DOCKER_CADDY_VERSION=2.11-alpine
+# ARM64 spezifische JVM-Optionen (leer lassen auf x86/amd64, z.B. auf Apple Silicon)
+# Beispiel ARM64: JVM_OPTS_ARM64=-XX:UseSVE=0
+JVM_OPTS_ARM64=

-# Postgres
+# --- POSTGRES ---
 POSTGRES_IMAGE=postgres:16-alpine
-POSTGRES_USER=pg-user
-POSTGRES_PASSWORD=pg-password
+POSTGRES_USER=
+POSTGRES_PASSWORD=
 POSTGRES_DB=pg-meldestelle-db
 POSTGRES_PORT=5432:5432
 POSTGRES_DB_URL=jdbc:postgresql://postgres:5432/pg-meldestelle-db
+# PostgreSQL Performance Tuning
+POSTGRES_SHARED_BUFFERS=256MB
+POSTGRES_EFFECTIVE_CACHE_SIZE=768MB

 # --- VALKEY (formerly Redis) ---
 VALKEY_IMAGE=valkey/valkey:9-alpine
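Review bot: `POSTGRES_USER=` and `POSTGRES_PASSWORD=` are now blank with no comment saying they must be filled in, and the same applies to `PGADMIN_PASSWORD=` and `GF_ADMIN_PASSWORD=` in the later hunks. How the compose file consumes them is not visible here; depending on the image, an empty value can stop the container at startup or let the service fall back to its built-in default credential, which would undo the intent of this change. I would add a line such as `# REQUIRED: set a unique, generated value before first start; never commit the real .env` above each blank secret and, if compose interpolates them, reference them as `${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` so a missing value fails loudly. Separately, `DOCKER_TAG=latest` is a mutable tag while every other image in this file is pinned; a version or digest would keep deployments reproducible.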
@@ -42,7 +51,7 @@ VALKEY_SERVER_HOSTNAME=valkey
 VALKEY_SERVER_PORT=6379
 VALKEY_SERVER_CONNECT_TIMEOUT=5s
 VALKEY_POLICY=allkeys-lru
-VALKEY_MAXMEMORY=256mb
+VALKEY_MAX_MEMORY=256mb

 # --- KEYCLOAK ---
 KEYCLOAK_IMAGE_TAG=26.4
@@ -56,7 +65,7 @@ KC_ADMIN_PASSWORD=
 KC_DB=postgres
 KC_DB_SCHEMA=keycloak
 KC_DB_PASSWORD=
-# SERVER: Public Domain (z.B. auth.mo-code.at) - ohne http/https Prefix!
+# SERVER: Public Domain (z.B. auth.mo-code.at) – ohne http/https Prefix!
 # LOKAL: localhost
 KC_HOSTNAME=
 # false = Zugriff über beliebige Hostnamen erlaubt (nötig ohne TLS / für HTTP-Betrieb)
@@ -69,22 +78,33 @@ KC_MANAGEMENT_PORT=9000:9000
 # Public Issuer URI: muss mit dem Hostname übereinstimmen, den Browser/App sieht
 # LOKAL: http://localhost:8180/realms/meldestelle
 # SERVER: https://auth.mo-code.at/realms/meldestelle (via Pangolin)
-SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI=http://:8180/realms/meldestelle
+KC_ISSUER_URI=http://:8180/realms/meldestelle
 # Internal JWK Set URI: Service-zu-Service innerhalb Docker (immer keycloak:8080)
-SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_JWK_SET_URI=http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs
+KC_JWK_SET_URI=http://keycloak:8080/realms/meldestelle/protocol/openid-connect/certs

 # --- CONSUL ---
 CONSUL_IMAGE=hashicorp/consul:1.22.1
 CONSUL_PORT=8500:8500
 CONSUL_UDP_PORT=8600:8600/udp
 CONSUL_HOST=consul
+# Separater HTTP-Port (ohne Mapping) für Service-zu-Service Kommunikation (ping-service)
+CONSUL_HTTP_PORT=8500

-# --- Zipkin ---
+# --- SPRING CLOUD CONSUL (api-gateway) ---
+SPRING_CLOUD_CONSUL_HOST=consul
+SPRING_CLOUD_CONSUL_PORT=8500
+SPRING_CLOUD_CONSUL_DISCOVERY_SERVICE_NAME=api-gateway
+SPRING_CLOUD_CONSUL_DISCOVERY_PREFER_IP_ADDRESS=true
+
+# --- ZIPKIN ---
 ZIPKIN_IMAGE=openzipkin/zipkin:3
-ZIPKIN_HEAP=256m
+ZIPKIN_MIN_HEAP=256M
+ZIPKIN_MAX_HEAP=512M
 ZIPKIN_PORT=9411:9411
+ZIPKIN_ENDPOINT=http://zipkin:9411/api/v2/spans
+ZIPKIN_SAMPLING_PROBABILITY=1.0

-# --- Mailpit ---
+# --- MAILPIT ---
 MAILPIT_IMAGE=axllent/mailpit:v1.29
 MAILPIT_WEB_PORT=8025:8025
 MAILPIT_SMTP_PORT=1025:1025
@@ -92,7 +112,7 @@ MAILPIT_SMTP_PORT=1025:1025
 # --- PGADMIN ---
 PGADMIN_IMAGE=dpage/pgadmin4:8
 PGADMIN_EMAIL=meldestelle@mo-code.at
-PGADMIN_PASSWORD=pgadmin
+PGADMIN_PASSWORD=
 PGADMIN_PORT=8888:80

 # --- POSTGRES-EXPORTER ---
@@ -109,7 +129,7 @@ PROMETHEUS_PORT=9090:9090
 # --- GRAFANA ---
 GF_IMAGE=grafana/grafana:12.3
 GF_ADMIN_USER=gf-admin
-GF_ADMIN_PASSWORD=gf-password
+GF_ADMIN_PASSWORD=
 GF_PORT=3000:3000

 # --- API-GATEWAY ---
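Review bot: Renaming `SPRING_SECURITY_OAUTH2_RESOURCESERVER_JWT_ISSUER_URI` and its `..._JWK_SET_URI` sibling to `KC_ISSUER_URI` / `KC_JWK_SET_URI` drops the names Spring Boot binds from the environment on its own, so JWT validation now depends on a mapping in the compose file or application config that this patch does not show. If that mapping is missing, the services would presumably start without the intended issuer and key-set settings or fail at startup, so it should be confirmed and documented next to the variables, e.g. `# mapped to spring.security.oauth2.resourceserver.jwt.issuer-uri in docker-compose`. The `KC_` prefix is also the one Keycloak uses for its own options, which can mislead if this file is ever passed to the Keycloak container as a whole; a neutral prefix such as `AUTH_` would avoid that. `ZIPKIN_SAMPLING_PROBABILITY=1.0` traces every request, which suits local work but deserves a comment recommending a lower value on the server.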
@@ -118,9 +138,6 @@ GATEWAY_DEBUG_PORT=5005:5005
 GATEWAY_SERVER_PORT=8081
 GATEWAY_SPRING_PROFILES_ACTIVE=docker
 GATEWAY_DEBUG=true
-GATEWAY_SERVICE_NAME=api-gateway
-GATEWAY_CONSUL_HOSTNAME=api-gateway
-GATEWAY_CONSUL_PREFER_IP=true

 # --- PING-SERVICE ---
 PING_SPRING_PROFILES_ACTIVE=docker
@@ -129,13 +146,10 @@ PING_DEBUG_PORT=5006:5006
 PING_SERVER_PORT=8082
 PING_DEBUG=true
 PING_SERVICE_NAME=ping-service
-PING_CONSUL_HOSTNAME=ping-service
 PING_CONSUL_PREFER_IP=true

 # --- WEB-APP ---
-CADDY_VERSION=2.11-alpine
 WEB_APP_PORT=4000:4000
-WEB_BUILD_PROFILE=dev
 # URL für API-Zugriffe vom Browser (Public URL via Pangolin)
 # LOKAL: http://localhost:8081
 # SERVER: https://api.mo-code.at