diff --git a/.env b/.env
new file mode 100644
index 0000000..4e40dc9
--- /dev/null
+++ b/.env
@@ -0,0 +1,316 @@
+# ============================================================================
+# Journiv Environment Configuration Template
+# Copy this file to .env and customize for your deployment.
+#
+# Usage:
+#   cp env.template .env
+#   nano .env
+# Required settings:
+# - SECRET_KEY
+# - DOMAIN_NAME
+#
+# If using PostgreSQL (DB_DRIVER=postgres), also set:
+# - Either POSTGRES_PASSWORD (with optional components), OR
+# - DATABASE_URL with a PostgreSQL URL (postgresql:// or postgres://)
+#   NOT BOTH - specifying both will cause startup to fail
+#
+# All other settings are optional.
+# ============================================================================
+
+
+# ============================================================================
+# REQUIRED SETTINGS
+# ============================================================================
+
+# Secret key for JWT token signing and encryption
+# Generate with:
+#   python -c "import secrets; print(secrets.token_urlsafe(32))"
+# Or:
+#   openssl rand -base64 32
+SECRET_KEY=FSpqneEBW8NGKFOPU7STgBa428MbTvrOBfGbvxpH0Zg=
+
+
+# ============================================================================
+# DOMAIN CONFIGURATION
+# ============================================================================
+
+# Public domain name where Journiv is accessible.
+# DO NOT include http:// or https://.
+# DO NOT include trailing slashes.
+#
+# Examples:
+#   DOMAIN_NAME=journiv.example.com
+#   DOMAIN_NAME=journiv.mydomain.net
+#   DOMAIN_NAME=192.168.1.10
+#
+# WRONG:
+#   DOMAIN_NAME=https://journiv.example.com
+#   DOMAIN_NAME=journiv.example.com/
+DOMAIN_NAME=journiv.asgardlabs.net
+
+# Protocol scheme for public URLs: http or https
+# IMPORTANT: Set to "https" for production deployments, especially when behind a reverse proxy (Traefik, Caddy, Nginx, etc.).
+#   - Default: "http" (for local development only)
+#   - Production: "https" (REQUIRED when behind reverse proxy or using SSL/TLS)
+#
+# Journiv uses this to generate correct public redirect URLs:
+#   {DOMAIN_SCHEME}://{DOMAIN_NAME}/#/oidc-finish
+#   {DOMAIN_SCHEME}://{DOMAIN_NAME}/#/login?logout=success
+#
+DOMAIN_SCHEME=https
+
+
+# ============================================================================
+# DATABASE CONFIGURATION
+# ============================================================================
+
+# Database driver selection: "sqlite" (default) or "postgres"
+# DB_DRIVER=sqlite
+
+# Primary database URL (defaults to SQLite)
+# For SQLite: sqlite:////data/journiv.db
+# For PostgreSQL: postgresql://user:password@host:5432/dbname
+# DATABASE_URL=sqlite:////data/journiv.db
+
+# When DB_DRIVER=postgres, you must specify EITHER:
+#   Option 1: POSTGRES_PASSWORD (with optional components below)
+#   Option 2: DATABASE_URL with a PostgreSQL URL (postgresql:// or postgres://)
+#   NOT BOTH - specifying both will cause startup to fail
+
+# PostgreSQL password (required when DB_DRIVER=postgres and using Option 1)
+# POSTGRES_PASSWORD=super-strong-password
+
+# (Optional) PostgreSQL components for Docker deployments (used with POSTGRES_PASSWORD)
+# Defaults are used if not specified:
+#   POSTGRES_HOST=postgres
+#   POSTGRES_USER=journiv
+#   POSTGRES_DB=journiv_prod (production) or journiv_dev (development)
+#   POSTGRES_PORT=5432
+# POSTGRES_HOST=
+# POSTGRES_USER=journiv
+# POSTGRES_DB=journiv_prod
+# POSTGRES_PORT=5432
+
+
+
+# ============================================================================
+# APPLICATION SETTINGS
+# ============================================================================
+
+# APP_NAME=Journiv
+# APP_VERSION=latest # Pin to a specific version for production if needed
+# DEBUG=false
+# ENVIRONMENT=production
+# APP_PORT=8000
+
+
+# ============================================================================
+# API CONFIGURATION
+# ============================================================================
+
+# API_V1_PREFIX=/api/v1
+
+# Enable CORS only when the frontend runs on a different origin.
+# ENABLE_CORS=false
+
+# Required when ENABLE_CORS=true.
+# Example:
+# CORS_ORIGINS=https://journiv.example.com,https://myapp.example.net
+# CORS_ORIGINS=
+
+
+# ============================================================================
+# SECURITY SETTINGS
+# ============================================================================
+
+# ALGORITHM=HS256
+# ACCESS_TOKEN_EXPIRE_MINUTES=15
+# REFRESH_TOKEN_EXPIRE_DAYS=7
+
+# Disable user signup
+# DISABLE_SIGNUP=false
+
+
+# ============================================================================
+# OIDC CONFIGURATION
+# ============================================================================
+
+# Enable OIDC login (Pocket-ID, Keycloak, Authentik, etc.)
+# OIDC_ENABLED=true
+
+# OIDC provider issuer
+# Example: https://id.example.com or https://auth.example.com/realms/default
+# OIDC_ISSUER=https://pocketid.example.com
+
+# OIDC client credentials
+# OIDC_CLIENT_ID=journiv-app
+# OIDC_CLIENT_SECRET=change_me
+
+# OIDC redirect URI
+# Must match provider configuration EXACTLY.
+# Example:
+#   OIDC_REDIRECT_URI=https://journiv.example.com/api/v1/auth/oidc/callback
+# OIDC_REDIRECT_URI=
+
+# OIDC scopes to request
+# OIDC_SCOPES="openid email profile"
+
+# Automatically create users from OIDC claims
+# OIDC_AUTO_PROVISION=true
+
+# Disable SSL verification (ONLY for local development with self-signed certs)
+# OIDC_DISABLE_SSL_VERIFY=false
+
+# Allow OIDC over HTTP (INSECURE). Recommended only for advanced users in isolated homelabs.
+# Default: false
+# OIDC_ALLOW_INSECURE_PROD=false
+
+# Journiv requires the OIDC provider to indicate the email address has been verified
+# with the email_verified claim. Some providers do not expose this claim due to implicit
+# email verification (e.g., MS Entra ID). Set the following to false to disable this requirement.
+# OIDC_REQUIRE_VERIFIED_EMAIL=true
+
+# OIDC-only mode: When enabled, disable password authentication and only allow OIDC login.
+# Users can still be created via OIDC auto-provisioning (controlled by OIDC_AUTO_PROVISION).
+# Existing password users can still log in via OIDC if their email matches.
+# OIDC_ONLY=false
+
+
+
+# ============================================================================
+# REDIS CONFIGURATION (Optional)
+# ============================================================================
+
+# Optional Redis URL for OIDC state caching, rate-limit persistence, and Celery
+# Example: redis://localhost:6379/0
+# REDIS_URL=
+
+
+# ============================================================================
+# CELERY CONFIGURATION (For Import/Export)
+# ============================================================================
+
+# Celery broker and result backend
+# If not set, defaults to REDIS_URL
+# Examples:
+#   CELERY_BROKER_URL=redis://localhost:6379/0
+#   CELERY_RESULT_BACKEND=redis://localhost:6379/0
+# CELERY_BROKER_URL=
+# CELERY_RESULT_BACKEND=
+
+# Celery task serialization (default: json)
+# CELERY_TASK_SERIALIZER=json
+# CELERY_RESULT_SERIALIZER=json
+# CELERY_TIMEZONE=UTC
+# CELERY_ENABLE_UTC=true
+
+# Celery worker runtime tuning (docker-compose defaults)
+# Helps reduce idle memory footprint on small hosts.
+# CELERY_WORKER_CONCURRENCY=1
+# CELERY_WORKER_MAX_MEMORY_PER_CHILD_KB=300000
+# CELERY_WORKER_MAX_TASKS_PER_CHILD=200
+
+
+# ============================================================================
+# IMPORT/EXPORT CONFIGURATION
+# ============================================================================
+
+# Maximum file size for import/export operations (in MB)
+# IMPORT_EXPORT_MAX_FILE_SIZE_MB=500
+
+# Days to keep export files before automatic cleanup
+# Set to -1 to disable automatic cleanup.
+# EXPORT_CLEANUP_DAYS=7
+
+# Directories for import/export operations
+# IMPORT_TEMP_DIR=/data/imports/temp
+# EXPORT_DIR=/data/exports
+
+
+# ============================================================================
+# INTEGRATIONS (IMMICH)
+# ============================================================================
+
+# Default Immich base URL for all users on the instance.
+# If set, users can leave the Immich URL field empty in the UI.
+# Immich URL specified per user level in settting screens can be used to override this.
+# Example: IMMICH_BASE_URL=https://immich.example.com
+# Example: IMMICH_BASE_URL=http://192.168.1.1:2283
+# IMMICH_BASE_URL=
+
+
+# ============================================================================
+# CONTENT SECURITY POLICY (CSP)
+# ============================================================================
+
+# ENABLE_CSP=true
+# ENABLE_HSTS=true
+# ENABLE_CSP_REPORTING=true
+
+# Where browsers should POST CSP violation reports
+# CSP_REPORT_URI=/api/v1/security/csp-report
+
+
+# ============================================================================
+# FILE STORAGE
+# ============================================================================
+
+# Directory for user-uploaded files and media
+# MEDIA_ROOT=/data/media
+
+# Maximum allowed upload size in MB
+# MAX_FILE_SIZE_MB=50
+
+# Allowed media MIME types (comma-separated)
+# ALLOWED_MEDIA_TYPES=image/jpeg,image/png,image/gif,image/webp,image/heic,image/heif,image/heic-sequence,image/heif-sequence,video/mp4,video/avi,video/mov,video/quicktime,video/webm,video/x-m4v,audio/mpeg,audio/wav,audio/ogg,audio/m4a,audio/aac
+
+# Allowed file extensions (comma-separated)
+# ALLOWED_FILE_EXTENSIONS=.jpg,.jpeg,.png,.gif,.webp,.heic,.heif,.mp4,.avi,.mov,.webm,.m4v,.mp3,.wav,.ogg,.m4a,.aac
+
+# Signed media URL TTL in seconds (for images and general media)
+# Default 5 minutes
+# MEDIA_SIGNED_URL_TTL_SECONDS=300
+
+# Signed video URL TTL in seconds (for video streaming, longer to support playback of large files)
+# Default 20 mins
+# MEDIA_SIGNED_URL_VIDEO_TTL_SECONDS=1200
+
+# Signed thumbnail URL TTL in seconds (used for caching thumbnails)
+# Default 24 hours
+# MEDIA_THUMBNAIL_SIGNED_URL_TTL_SECONDS=86400
+
+# Grace period in seconds for signed media URL expiration checks
+# MEDIA_SIGNED_URL_GRACE_SECONDS=60
+
+
+# ============================================================================
+# LOGGING
+# ============================================================================
+
+# LOG_LEVEL=INFO
+# LOG_FILE=
+# LOG_DIR=/data/logs
+# LOG_SQL_REQUESTS=false
+
+
+# ============================================================================
+# EXTERNAL API CONFIGURATION
+# ============================================================================
+
+# OpenWeather API keys for weather data fetching
+# Get your free API key at: https://openweathermap.org/api
+# Weather service is optional - if not configured, weather features will be disabled
+# OPEN_WEATHER_API_KEY_25=your-openweather-2-5-api-key-here
+# OPEN_WEATHER_API_KEY_30=your-openweather-3-0-api-key-here
+
+
+# ============================================================================
+# RATE LIMITING
+# ============================================================================
+
+# Enable rate limiting (protects login endpoints)
+# RATE_LIMITING_ENABLED=true
+
+# Backend for rate-limit storage (default: in-memory)
+# Example for Redis: redis://localhost:6379/1
+# RATE_LIMIT_STORAGE_URI=memory://