senko 9 hours ago
Sure, that works as well; for example, on some deploys I set the settings in the systemd service file. However, it's more convenient to just have .env right there.

> On production keep things like API keys that need to be kept secret elsewhere - as a minimum outside the project directories and owned by a different user.

Curious what extra protection this gives you, considering the environment variables are, well, in the environment, and can be read by the process. If someone does a remote code execution attack on the server, they can just read the environment. The only thing I can imagine it does protect is if you mistakenly expose the project root folder on the web server.