# Non-secret runtime config for platform-api. Cluster-internal service # addresses and integration toggles. Secrets (Mongo URI, credential key, # Stalwart password, webhook secret) live in the platform-api-secrets Secret. apiVersion: v1 kind: ConfigMap metadata: name: platform-api-config namespace: dezky-apps labels: app.kubernetes.io/name: platform-api data: # Stalwart runs on the HOST (not k3s). Pods reach it via the cni0 gateway IP # on the JMAP management port; the firewall lets the pod CIDR through. STALWART_API_URL: "http://10.42.0.1:8080" STALWART_ADMIN_USER: "admin" STALWART_PROVISIONING_ENABLED: "true" # JWT validation for portal/operator-issued access tokens. Public Authentik # URLs on purpose: the token `iss` claim is the public URL, and the pod can # hairpin to it through the node's public IP. AUTHENTIK_ISSUER: "https://auth.dezky.eu/application/o/dezky-portal/,https://auth.dezky.eu/application/o/dezky-operator/" AUTHENTIK_AUDIENCE: "dezky-portal,dezky-operator" AUTHENTIK_JWKS_URI: "https://auth.dezky.eu/application/o/dezky-portal/jwks/" AUTHENTIK_API_URL: "https://auth.dezky.eu/api/v3" # OCIS is not deployed in production yet. The client is instantiated at boot # (so the URL must exist) but only fails when a files feature is actually # used. Swap to the real URL when the files tier lands. OCIS_API_URL: "https://files.dezky.eu" OCIS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/" OCIS_OIDC_CLIENT_ID: "ocis-web" OCIS_SVC_USERNAME: "svc-platform-api" # Audit cold storage (Hetzner Object Storage) is not provisioned yet — # archive stays off; the S3 client boots against the placeholder endpoint. AUDIT_COLD_ENDPOINT: "https://fsn1.your-objectstorage.com" AUDIT_COLD_REGION: "fsn1" AUDIT_COLD_BUCKET: "dezky-audit" AUDIT_HOT_RETENTION_DAYS: "90" ARCHIVE_ENABLED: "false" # Stripe billing dark-launched off in prod until live keys are wired. BILLING_STRIPE_ENABLED: "false" BOOKING_PUBLIC_URL: "https://booking.dezky.eu" MEET_PUBLIC_URL: "https://meet.dezky.eu"