# ─────────────────────────────────────────────────────────────────
# Dezky Local Development — Environment Variables
# ─────────────────────────────────────────────────────────────────
#
# Copy this file to .env and fill in the values.
# Generate secure random values with: openssl rand -hex 32
#
# DO NOT commit .env to git.
# ─────────────────────────────────────────────────────────────────

# ────────────────────────────────────────
# Database root passwords
# ────────────────────────────────────────
POSTGRES_ROOT_PASSWORD=changeme_use_openssl_rand
MONGO_ROOT_PASSWORD=changeme_use_openssl_rand
REDIS_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Per-service DB passwords
# ────────────────────────────────────────
AUTHENTIK_DB_PASSWORD=changeme_use_openssl_rand
OCIS_DB_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Authentik
# ────────────────────────────────────────
# AUTHENTIK_SECRET_KEY must be 50+ chars
AUTHENTIK_SECRET_KEY=changeme_run_openssl_rand_hex_50
AUTHENTIK_BOOTSTRAP_PASSWORD=admin_change_this_after_first_login
# AUTHENTIK_BOOTSTRAP_TOKEN is used by the provisioning service to call Authentik API
AUTHENTIK_BOOTSTRAP_TOKEN=changeme_use_openssl_rand_hex_32

# ────────────────────────────────────────
# Operator OIDC (dezky-operator)
# ────────────────────────────────────────
# The operator app differs from the portal: its OAuth provider is provisioned
# declaratively by the operator-application blueprint, which CONSUMES the secret
# below (rather than Authentik generating one for you to copy out). You must set
# a value BEFORE first boot — on a fresh environment the blueprint creates the
# provider with exactly this secret, and the operator container authenticates
# with the same value, so the two only agree if it's set here first.
# Generate with: openssl rand -hex 64
OPERATOR_OIDC_CLIENT_ID=dezky-operator
OPERATOR_OIDC_CLIENT_SECRET=changeme_run_openssl_rand_hex_64

# ────────────────────────────────────────
# Stalwart Mail
# ────────────────────────────────────────
STALWART_ADMIN_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# OCIS
# ────────────────────────────────────────
OCIS_ADMIN_PASSWORD=changeme_use_openssl_rand

# ────────────────────────────────────────
# Collabora
# ────────────────────────────────────────
COLLABORA_ADMIN_PASSWORD=changeme_use_openssl_rand