# ─────────────────────────────────────────────────────────────────────────
# Secret TEMPLATE — DO NOT COMMIT REAL VALUES.
#
# These are placeholders. In production, manage the real Secrets out-of-band
# (sealed-secrets / SOPS / Rancher secret store), NOT in git. Copy this file,
# fill in real values, and apply it separately — or render SealedSecrets from
# it. The Deployments reference these Secrets by name via envFrom.
#
# Generate strong values with:  openssl rand -hex 32
# ─────────────────────────────────────────────────────────────────────────
apiVersion: v1
kind: Secret
metadata:
  name: platform-api-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Mongo connection string for the in-cluster MongoDB (data tier namespace).
  MONGODB_URI: "mongodb://USER:PASSWORD@mongo.dezky-data.svc.cluster.local:27017/dezky?authSource=admin"
  # AES key used to encrypt stored scheduling credentials (e.g. CalDAV creds).
  SCHEDULING_CREDENTIAL_KEY: "REPLACE_WITH_openssl_rand_hex_32"
  # MUST equal the host's STALWART_ADMIN_PASSWORD (config.env on the AX41).
  STALWART_ADMIN_PASSWORD: "REPLACE_WITH_SAME_AS_HOST"
  # MUST equal the host's STALWART_WEBHOOK_SECRET (audit webhook HMAC).
  STALWART_WEBHOOK_SECRET: "REPLACE_WITH_SAME_AS_HOST"
  # Authentik admin API token (tenant/user provisioning). The Helm bootstrap
  # token works: dezky-auth/authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN.
  AUTHENTIK_API_TOKEN: "REPLACE_WITH_authentik-secret.AUTHENTIK_BOOTSTRAP_TOKEN"
  # Tamper-evidence signing key for the audit hash chain. Rotating it closes
  # the current segment — back it up alongside SCHEDULING_CREDENTIAL_KEY.
  AUDIT_SIGNING_KEY: "REPLACE_WITH_openssl_rand_hex_32"
  # Hetzner Object Storage IAM pair for audit cold storage. Not provisioned
  # yet — keep the placeholders until the bucket exists (ARCHIVE_ENABLED is
  # false in platform-api-config.yaml; the client only fails when used).
  AUDIT_COLD_ACCESS_KEY: "not-configured"
  AUDIT_COLD_SECRET_KEY: "not-configured"
  # OCIS service-user password (files tier — not deployed in prod yet).
  OCIS_SVC_PASSWORD: "not-configured"
---
apiVersion: v1
kind: Secret
metadata:
  name: portal-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Authentik OIDC client provisioned for the portal.
  NUXT_OIDC_CLIENT_ID: "REPLACE"
  NUXT_OIDC_CLIENT_SECRET: "REPLACE"
  NUXT_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
  # Public base URL of Authentik (used for login redirects + full sign-out).
  NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
  # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
  NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
  # ── Runtime overrides for the BAKED OIDC provider config ────────────────
  # The prod image is built in CI with no env, so nuxt.config bakes EMPTY
  # client creds and .local URLs into runtimeConfig. Nitro only overrides
  # runtimeConfig keys whose env name matches the config path —
  # oidc.providers.oidc.* → NUXT_OIDC_PROVIDERS_OIDC_*. The plain
  # NUXT_OIDC_* names above only work in dev (nuxt.config evaluated at
  # runtime); production needs BOTH sets.
  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "REPLACE_same_as_NUXT_OIDC_CLIENT_ID"
  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
  NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
  NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
  NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
  NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
  NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-portal/end-session/"
  NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-portal/.well-known/openid-configuration"
  # Refresh-token encryption + auth-session secret — without them sessions
  # die on every pod restart (random keys are generated per boot).
  NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
  NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
  # Shared session storage (server/plugins/session-storage.ts) — required for
  # >1 replica and for sessions to survive deploys. Password = dezky-data
  # redis-secret.REDIS_PASSWORD; db 1 keeps app sessions out of Authentik's
  # keyspace.
  SESSION_REDIS_URL: "redis://:REDIS_PASSWORD@redis.dezky-data.svc.cluster.local:6379/1"
---
apiVersion: v1
kind: Secret
metadata:
  name: booking-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Cloudflare Turnstile site key for the public booking form (public value,
  # env-injected so it can rotate without a rebuild).
  NUXT_PUBLIC_TURNSTILE_SITE_KEY: "REPLACE"
---
apiVersion: v1
kind: Secret
metadata:
  name: operator-secrets
  namespace: dezky-apps
type: Opaque
stringData:
  # Authentik OIDC client provisioned for the operator (dezky-operator).
  # NUXT_OIDC_CLIENT_SECRET MUST equal authentik-secret.OPERATOR_OIDC_CLIENT_SECRET.
  NUXT_OIDC_CLIENT_ID: "dezky-operator"
  NUXT_OIDC_CLIENT_SECRET: "REPLACE_WITH_authentik-secret.OPERATOR_OIDC_CLIENT_SECRET"
  NUXT_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
  # Public base URL of Authentik (used for login redirects + full sign-out).
  NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
  # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
  NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
  # Runtime overrides for the baked OIDC provider config — see the portal
  # section above for why production needs the NUXT_OIDC_PROVIDERS_OIDC_*
  # names in addition to the plain ones.
  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "dezky-operator"
  NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
  NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
  NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
  NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
  NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
  NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-operator/end-session/"
  NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-operator/.well-known/openid-configuration"
  NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
  NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
  # Shared session storage — see the portal section above.
  SESSION_REDIS_URL: "redis://:REDIS_PASSWORD@redis.dezky-data.svc.cluster.local:6379/1"