# Non-secret runtime config for platform-api. Cluster-internal service
# addresses and integration toggles. Secrets (Mongo URI, credential key,
# Stalwart password, webhook secret) live in the platform-api-secrets Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: platform-api-config
  namespace: dezky-apps
  labels:
    app.kubernetes.io/name: platform-api
data:
  # Stalwart runs on the HOST (not k3s). Pods reach it via the cni0 gateway IP
  # on the JMAP management port; the firewall lets the pod CIDR through.
  STALWART_API_URL: "http://10.42.0.1:8080"
  # Full address, not bare "admin": Stalwart v0.16 has no fallback admin —
  # the management credential is a real account (admin@dezky.eu, Admin role)
  # created during the 2026-06-10 recovery-mode bootstrap, and v0.16 logins
  # use the full address.
  STALWART_ADMIN_USER: "admin@dezky.eu"
  STALWART_PROVISIONING_ENABLED: "true"
  # Base for per-tenant service mail domains ({slug}.dezky.eu) AND the
  # reserved namespace for customer domains: only the company's own tenant
  # (PLATFORM_TENANT_SLUG) may claim the apex; nothing under it can be added
  # as a customer domain.
  PLATFORM_TENANT_DOMAIN: "dezky.eu"
  PLATFORM_TENANT_SLUG: "dezky-aps"
  # No auto-seeded tenants in production — the dezky company tenant is
  # created and owned through the operator like any other.
  SEED_ENABLED: "false"
  # JWT validation for portal/operator-issued access tokens. Public Authentik
  # URLs on purpose: the token `iss` claim is the public URL, and the pod can
  # hairpin to it through the node's public IP.
  AUTHENTIK_ISSUER: "https://auth.dezky.eu/application/o/dezky-portal/,https://auth.dezky.eu/application/o/dezky-operator/"
  AUTHENTIK_AUDIENCE: "dezky-portal,dezky-operator"
  AUTHENTIK_JWKS_URI: "https://auth.dezky.eu/application/o/dezky-portal/jwks/"
  AUTHENTIK_API_URL: "https://auth.dezky.eu/api/v3"
  # OCIS is not deployed in production yet. The client is instantiated at boot
  # (so the URL must exist) but only fails when a files feature is actually
  # used. Swap to the real URL when the files tier lands.
  OCIS_API_URL: "https://files.dezky.eu"
  OCIS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
  OCIS_OIDC_CLIENT_ID: "ocis-web"
  OCIS_SVC_USERNAME: "svc-platform-api"
  # Audit cold storage (Hetzner Object Storage) is not provisioned yet —
  # archive stays off; the S3 client boots against the placeholder endpoint.
  AUDIT_COLD_ENDPOINT: "https://fsn1.your-objectstorage.com"
  AUDIT_COLD_REGION: "fsn1"
  AUDIT_COLD_BUCKET: "dezky-audit"
  AUDIT_HOT_RETENTION_DAYS: "90"
  ARCHIVE_ENABLED: "false"
  # Stripe billing dark-launched off in prod until live keys are wired.
  BILLING_STRIPE_ENABLED: "false"
  BOOKING_PUBLIC_URL: "https://booking.dezky.eu"
  MEET_PUBLIC_URL: "https://meet.dezky.eu"
  # Infrastructure health-probe targets (operator → /health/platform). The
  # code defaults are docker-compose hostnames; these are the k3s addresses.
  # "disabled" omits a service from the report until that tier is deployed.
  HEALTH_STALWART_HOSTPORT: "10.42.0.1:8080"
  HEALTH_AUTHENTIK_URL: "http://authentik-server.dezky-auth.svc.cluster.local/-/health/ready/"
  HEALTH_POSTGRES_HOSTPORT: "postgres.dezky-data.svc.cluster.local:5432"
  HEALTH_REDIS_HOSTPORT: "redis.dezky-data.svc.cluster.local:6379"
  HEALTH_TRAEFIK_HOSTPORT: "traefik.kube-system.svc.cluster.local:80"
  HEALTH_OCIS_URL: "disabled"
  HEALTH_COLLABORA_URL: "disabled"