From 35e2b6edc943f84ad5dc93476efc10ad900ea46c Mon Sep 17 00:00:00 2001
From: Priec <filippriec@gmail.com>
Date: Fri, 19 Jun 2026 00:35:48 +0200
Subject: [PATCH] hide .env credentials

---
 .gitignore              |  2 ++
 config/development.yaml | 21 +++++++++++++--------
 2 files changed, 15 insertions(+), 8 deletions(-)

diff --git a/.gitignore b/.gitignore
index 12993df..ee8edf9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,8 @@ target/
 *.sqlite-*
 .env
 .env.production
+.envrc
+.direnv/
 uploads/
 *.report.html
 favicon_io.zip
diff --git a/config/development.yaml b/config/development.yaml
index a74175b..6909ecc 100644
--- a/config/development.yaml
+++ b/config/development.yaml
@@ -45,19 +45,24 @@ workers:
 
 # Mailer Configuration.
 mailer:
-  # SMTP mailer configuration.
+  # SMTP mailer configuration. Defaults target a local catcher (MailHog/Mailpit
+  # on localhost:1025); set the SMTP_* env vars to point at a real server. The
+  # auth block is only emitted when SMTP_PASSWORD is provided, so the secret is
+  # never stored here — pass it in at launch (e.g. from `pass`).
   smtp:
     # Enable/Disable smtp mailer.
-    enable: true
+    enable: {{ get_env(name="SMTP_ENABLE", default="true") }}
     # SMTP server host. e.x localhost, smtp.gmail.com
-    host: localhost
+    host: "{{ get_env(name="SMTP_HOST", default="localhost") }}"
     # SMTP server port
-    port: 1025
+    port: {{ get_env(name="SMTP_PORT", default="1025") }}
     # Use secure connection (SSL/TLS).
-    secure: false
-    # auth:
-    #   user:
-    #   password:
+    secure: {{ get_env(name="SMTP_SECURE", default="false") }}
+{% if get_env(name="SMTP_PASSWORD", default="") != "" %}
+    auth:
+      user: "{{ get_env(name="SMTP_USER", default="") }}"
+      password: "{{ get_env(name="SMTP_PASSWORD", default="") }}"
+{% endif %}
     # Override the SMTP hello name (default is the machine's hostname)
     # hello_name: