# Plain-text overlay for staging — committed; safe to read.
# Loaded BEFORE the sops-decrypted overlay; secret values stay encrypted.

ASPNETCORE_ENVIRONMENT=Staging
ASPNETCORE_URLS=http://+:8080

# Idempotent appsettings overrides — these match production for parity.
ASPNETCORE_JwtConfig__Issuer=AzaionApi
ASPNETCORE_JwtConfig__Audience=Annotators/OrangePi/Admins
# AZ-532: cycle-2 access tokens are 15 min, refresh tokens own the longer window.
ASPNETCORE_JwtConfig__AccessTokenLifetimeMinutes=15
# AZ-552/AZ-553: container-side path is fixed; host dir is bind-mounted by start-services.sh.
ASPNETCORE_JwtConfig__KeysFolder=/etc/azaion/jwt-keys
# AZ-553: ActiveKid MUST be set on every deploy. Set in operator shell during
# generate-jwt-key.sh rotation.
# ASPNETCORE_JwtConfig__ActiveKid=<set in operator shell or encrypted overlay>
# AZ-554: persisted DataProtection key ring. Container-side path; host dir is RW bind-mount.
ASPNETCORE_DataProtection__KeysFolder=/var/lib/azaion/dp-keys
ASPNETCORE_ResourcesConfig__ResourcesFolder=Content

# Deploy-host plumbing.
DEPLOY_CONTAINER_NAME=azaion.api
DEPLOY_HOST_PORT=4000
DEPLOY_HOST_CONTENT_DIR=/root/api/content
DEPLOY_HOST_LOGS_DIR=/root/api/logs
# AZ-553/AZ-554: host-side directories bind-mounted into the container.
DEPLOY_HOST_JWT_KEYS_DIR=/var/lib/azaion/jwt-keys
DEPLOY_HOST_DP_KEYS_DIR=/var/lib/azaion/dp-keys

# Registry. REGISTRY_USER / REGISTRY_TOKEN come from the encrypted overlay.
REGISTRY_HOST=docker.azaion.com
REGISTRY_IMAGE=azaion/admin