# ─────────────────────────────────────────────────────────────────────────
# Secret TEMPLATE — DO NOT COMMIT REAL VALUES.
#
# These are placeholders. In production, manage the real Secrets out-of-band
# (sealed-secrets / SOPS / Rancher secret store), NOT in git. Copy this file,
# fill in real values, and apply it separately — or render SealedSecrets from
# it. The Deployments reference these Secrets by name via envFrom.
#
# Generate strong values with:  openssl rand -hex 32
# ─────────────────────────────────────────────────────────────────────────
apiVersion: v1
kind: Secret
metadata:
  name: platform-api-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Mongo connection string for the in-cluster MongoDB (data tier namespace).
  MONGODB_URI: "mongodb://USER:PASSWORD@mongo.dezky-data.svc.cluster.local:27017/dezky?authSource=admin"
  # AES key used to encrypt stored scheduling credentials (e.g. CalDAV creds).
  SCHEDULING_CREDENTIAL_KEY: "REPLACE_WITH_openssl_rand_hex_32"
  # MUST equal the host's STALWART_ADMIN_PASSWORD (config.env on the AX41).
  STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
  # MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
  STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
  # Authentik admin API token (tenant/user provisioning). The Helm bootstrap
  # token works: dezky-auth/authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN.
  AUTHENTIK_API_TOKEN: "REPLACE_WITH_authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN"
  # Tamper-evidence signing key for the audit hash chain. Rotating it closes
  # the current segment — back it up alongside SCHEDULING_CREDENTIAL_KEY.
  AUDIT_SIGNING_KEY: "REPLACE_WITH_openssl_rand_hex_32"
  # Hetzner Object Storage IAM pair for audit cold storage. Not provisioned
  # yet — keep the placeholders until the bucket exists (ARCHIVE_ENABLED is
  # false in platform-api-config.yaml; the client only fails when used).
  AUDIT_COLD_ACCESS_KEY: "not-configured"
  AUDIT_COLD_SECRET_KEY: "not-configured"
  # OCIS service-user password (files tier — not deployed in prod yet).
  OCIS_SVC_PASSWORD: "not-configured"
---
apiVersion: v1
kind: Secret
metadata:
  name: portal-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Authentik OIDC client provisioned for the portal.
  NUXT_OIDC_CLIENT_ID: "REPLACE"
  NUXT_OIDC_CLIENT_SECRET: "REPLACE"
  NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
  # Public base URL of Authentik (used for login redirects + full sign-out).
  NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
  # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
  NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
---
apiVersion: v1
kind: Secret
metadata:
  name: booking-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Cloudflare Turnstile site key for the public booking form (public value,
  # env-injected so it can rotate without a rebuild).
  NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
---
apiVersion: v1
kind: Secret
metadata:
  name: operator-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Authentik OIDC client provisioned for the operator (dezky-operator).
  # NUXT_OIDC_CLIENT_SECRET MUST equal authentik-secret.OPERATOR_OIDC_CLIENT_SECRET.
  NUXT_OIDC_CLIENT_ID: "dezky-operator"
  NUXT_OIDC_CLIENT_SECRET: "REPLACE_WITH_authentik-secret.OPERATOR_OIDC_CLIENT_SECRET"
  NUXT_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
  # Public base URL of Authentik (used for login redirects + full sign-out).
  NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
  # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
  NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"