# =============================================================================
# Azaion Admin API — environment variable template
# Copy to `.env` (git-ignored) and fill in real values for your environment.
# Production secrets MUST come from the secret manager, not from a checked-in
# file. See _docs/04_deploy/reports/deploy_status_report.md for the full table.
# =============================================================================

# ---------- ASP.NET Core runtime --------------------------------------------
ASPNETCORE_ENVIRONMENT=Development            # Development | Staging | Production
ASPNETCORE_URLS=http://+:8080                 # Kestrel bind address inside the container

# ---------- Database (PostgreSQL on port 4312 in prod, 5432 in test) --------
# Two roles: reader (read-only) and admin (read/write). See env/db/01_permissions.sql.
ASPNETCORE_ConnectionStrings__AzaionDb=Host=localhost;Port=4312;Database=azaion;Username=azaion_reader;Password=CHANGE_ME
ASPNETCORE_ConnectionStrings__AzaionDbAdmin=Host=localhost;Port=4312;Database=azaion;Username=azaion_admin;Password=CHANGE_ME

# ---------- JWT (ES256, 15 min access, 8/12 h refresh — AZ-531/AZ-532) ------
# AZ-532 — admin signs access tokens with ES256. Keys live as PEM files in the
# folder named by KeysFolder (the kid is the filename without `.pem`); generate
# with scripts/generate-jwt-key.sh. The cycle-1 symmetric secret was removed in
# cycle 2; verifiers now fetch the public key from /.well-known/jwks.json.
ASPNETCORE_JwtConfig__Issuer=AzaionApi
ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
ASPNETCORE_JwtConfig__KeysFolder=/etc/azaion/jwt-keys
# AZ-552/AZ-553 — ActiveKid is REQUIRED in production deployments. The
# preflight in scripts/start-services.sh fails fast if it is unset.
ASPNETCORE_JwtConfig__ActiveKid=kid-20260514-000000
ASPNETCORE_JwtConfig__AccessTokenLifetimeMinutes=15

# AZ-553 — host-side directory holding the ES256 PEMs. Bind-mounted RO into
# the container at $JwtConfig__KeysFolder. Must be owned by (or readable by)
# the container's `app` UID. See secrets/README.md "Host-side directories".
DEPLOY_HOST_JWT_KEYS_DIR=/var/lib/azaion/jwt-keys

# AZ-531 — refresh-token windows. Sliding extends on every rotation; absolute
# caps the family lifetime regardless of activity.
ASPNETCORE_SessionConfig__RefreshSlidingHours=8
ASPNETCORE_SessionConfig__RefreshAbsoluteHours=12

# ---------- DataProtection (AZ-554) -----------------------------------------
# AZ-554 — DataProtection master keys MUST persist across container restarts;
# otherwise the cycle-2 MFA secret ciphertexts become unreadable and every
# MFA-enrolled user is locked out at the next deploy. Production deployments
# MUST set this; non-prod uses the ephemeral default if unset.
ASPNETCORE_DataProtection__KeysFolder=/var/lib/azaion/dp-keys

# AZ-554 — host-side directory holding the DataProtection key ring. Bind-mounted
# RW into the container at $DataProtection__KeysFolder. Must be writable by the
# container's `app` UID. NEVER world-readable (chmod 0700).
DEPLOY_HOST_DP_KEYS_DIR=/var/lib/azaion/dp-keys

# ---------- Resource storage (filesystem) -----------------------------------
ASPNETCORE_ResourcesConfig__ResourcesFolder=Content

# ---------- Container build / image label ------------------------------------
# Injected at build time as --build-arg CI_COMMIT_SHA=… by Woodpecker.
# Local builds may leave it unset (Dockerfile defaults to "unknown").
# CI_COMMIT_SHA=

# ---------- Deploy targets (consumed by scripts/, not by the API process) ---
DEPLOY_HOST=admin.azaion.com                  # SSH target for scripts/deploy.sh
DEPLOY_SSH_USER=root                          # SSH user on DEPLOY_HOST
DEPLOY_CONTAINER_NAME=azaion.api              # Docker container name on the host
DEPLOY_HOST_PORT=4000                         # Port published on DEPLOY_HOST (mapped to 8080 in container)
DEPLOY_HOST_CONTENT_DIR=/root/api/content     # Bind-mount for resource files
DEPLOY_HOST_LOGS_DIR=/root/api/logs           # Bind-mount for Serilog rolling files

# ---------- Container registry ----------------------------------------------
REGISTRY_HOST=docker.azaion.com               # Private registry; CI may use localhost:5000
REGISTRY_IMAGE=azaion/admin                   # Image path inside REGISTRY_HOST
REGISTRY_TAG=dev-arm                          # main→arm, stage→stage-arm, dev→dev-arm
REGISTRY_USER=                                # CI / scripts only — leave empty in dev .env
REGISTRY_TOKEN=                               # CI / scripts only — leave empty in dev .env