# ============================================================================
# Journiv Environment Configuration Template
# Copy this file to .env and customize for your deployment.
#
# Usage:
#   cp env.template .env
#   nano .env
# Required settings:
# - SECRET_KEY
# - DOMAIN_NAME
#
# If using PostgreSQL (DB_DRIVER=postgres), also set:
# - Either POSTGRES_PASSWORD (with optional components), OR
# - DATABASE_URL with a PostgreSQL URL (postgresql:// or postgres://)
#   NOT BOTH - specifying both will cause startup to fail
#
# All other settings are optional.
# ============================================================================


# ============================================================================
# REQUIRED SETTINGS
# ============================================================================

# Secret key for JWT token signing and encryption
# Generate with:
#   python -c "import secrets; print(secrets.token_urlsafe(32))"
# Or:
#   openssl rand -base64 32
SECRET_KEY=FSpqneEBW8NGKFOPU7STgBa428MbTvrOBfGbvxpH0Zg=


# ============================================================================
# DOMAIN CONFIGURATION
# ============================================================================

# Public domain name where Journiv is accessible.
# DO NOT include http:// or https://.
# DO NOT include trailing slashes.
#
# Examples:
#   DOMAIN_NAME=journiv.example.com
#   DOMAIN_NAME=journiv.mydomain.net
#   DOMAIN_NAME=192.168.1.10
#
# WRONG:
#   DOMAIN_NAME=https://journiv.example.com
#   DOMAIN_NAME=journiv.example.com/
DOMAIN_NAME=journiv.asgardlabs.net

# Protocol scheme for public URLs: http or https
# IMPORTANT: Set to "https" for production deployments, especially when behind a reverse proxy (Traefik, Caddy, Nginx, etc.).
#   - Default: "http" (for local development only)
#   - Production: "https" (REQUIRED when behind reverse proxy or using SSL/TLS)
#
# Journiv uses this to generate correct public redirect URLs:
#   {DOMAIN_SCHEME}://{DOMAIN_NAME}/#/oidc-finish
#   {DOMAIN_SCHEME}://{DOMAIN_NAME}/#/login?logout=success
#
DOMAIN_SCHEME=https


# ============================================================================
# DATABASE CONFIGURATION
# ============================================================================

# Database driver selection: "sqlite" (default) or "postgres"
# DB_DRIVER=sqlite

# Primary database URL (defaults to SQLite)
# For SQLite: sqlite:////data/journiv.db
# For PostgreSQL: postgresql://user:password@host:5432/dbname
# DATABASE_URL=sqlite:////data/journiv.db

# When DB_DRIVER=postgres, you must specify EITHER:
#   Option 1: POSTGRES_PASSWORD (with optional components below)
#   Option 2: DATABASE_URL with a PostgreSQL URL (postgresql:// or postgres://)
#   NOT BOTH - specifying both will cause startup to fail

# PostgreSQL password (required when DB_DRIVER=postgres and using Option 1)
# POSTGRES_PASSWORD=super-strong-password

# (Optional) PostgreSQL components for Docker deployments (used with POSTGRES_PASSWORD)
# Defaults are used if not specified:
#   POSTGRES_HOST=postgres
#   POSTGRES_USER=journiv
#   POSTGRES_DB=journiv_prod (production) or journiv_dev (development)
#   POSTGRES_PORT=5432
# POSTGRES_HOST=
# POSTGRES_USER=journiv
# POSTGRES_DB=journiv_prod
# POSTGRES_PORT=5432



# ============================================================================
# APPLICATION SETTINGS
# ============================================================================

# APP_NAME=Journiv
# APP_VERSION=latest # Pin to a specific version for production if needed
# DEBUG=false
# ENVIRONMENT=production
# APP_PORT=8000


# ============================================================================
# API CONFIGURATION
# ============================================================================

# API_V1_PREFIX=/api/v1

# Enable CORS only when the frontend runs on a different origin.
# ENABLE_CORS=false

# Required when ENABLE_CORS=true.
# Example:
# CORS_ORIGINS=https://journiv.example.com,https://myapp.example.net
# CORS_ORIGINS=


# ============================================================================
# SECURITY SETTINGS
# ============================================================================

# ALGORITHM=HS256
# ACCESS_TOKEN_EXPIRE_MINUTES=15
# REFRESH_TOKEN_EXPIRE_DAYS=7

# Disable user signup
# DISABLE_SIGNUP=false


# ============================================================================
# OIDC CONFIGURATION
# ============================================================================

# Enable OIDC login (Pocket-ID, Keycloak, Authentik, etc.)
# OIDC_ENABLED=true

# OIDC provider issuer
# Example: https://id.example.com or https://auth.example.com/realms/default
# OIDC_ISSUER=https://pocketid.example.com

# OIDC client credentials
# OIDC_CLIENT_ID=journiv-app
# OIDC_CLIENT_SECRET=change_me

# OIDC redirect URI
# Must match provider configuration EXACTLY.
# Example:
#   OIDC_REDIRECT_URI=https://journiv.example.com/api/v1/auth/oidc/callback
# OIDC_REDIRECT_URI=

# OIDC scopes to request
# OIDC_SCOPES="openid email profile"

# Automatically create users from OIDC claims
# OIDC_AUTO_PROVISION=true

# Disable SSL verification (ONLY for local development with self-signed certs)
# OIDC_DISABLE_SSL_VERIFY=false

# Allow OIDC over HTTP (INSECURE). Recommended only for advanced users in isolated homelabs.
# Default: false
# OIDC_ALLOW_INSECURE_PROD=false

# Journiv requires the OIDC provider to indicate the email address has been verified
# with the email_verified claim. Some providers do not expose this claim due to implicit
# email verification (e.g., MS Entra ID). Set the following to false to disable this requirement.
# OIDC_REQUIRE_VERIFIED_EMAIL=true

# OIDC-only mode: When enabled, disable password authentication and only allow OIDC login.
# Users can still be created via OIDC auto-provisioning (controlled by OIDC_AUTO_PROVISION).
# Existing password users can still log in via OIDC if their email matches.
# OIDC_ONLY=false



# ============================================================================
# REDIS CONFIGURATION (Optional)
# ============================================================================

# Optional Redis URL for OIDC state caching, rate-limit persistence, and Celery
# Example: redis://localhost:6379/0
# REDIS_URL=


# ============================================================================
# CELERY CONFIGURATION (For Import/Export)
# ============================================================================

# Celery broker and result backend
# If not set, defaults to REDIS_URL
# Examples:
#   CELERY_BROKER_URL=redis://localhost:6379/0
#   CELERY_RESULT_BACKEND=redis://localhost:6379/0
# CELERY_BROKER_URL=
# CELERY_RESULT_BACKEND=

# Celery task serialization (default: json)
# CELERY_TASK_SERIALIZER=json
# CELERY_RESULT_SERIALIZER=json
# CELERY_TIMEZONE=UTC
# CELERY_ENABLE_UTC=true

# Celery worker runtime tuning (docker-compose defaults)
# Helps reduce idle memory footprint on small hosts.
# CELERY_WORKER_CONCURRENCY=1
# CELERY_WORKER_MAX_MEMORY_PER_CHILD_KB=300000
# CELERY_WORKER_MAX_TASKS_PER_CHILD=200


# ============================================================================
# IMPORT/EXPORT CONFIGURATION
# ============================================================================

# Maximum file size for import/export operations (in MB)
# IMPORT_EXPORT_MAX_FILE_SIZE_MB=500

# Days to keep export files before automatic cleanup
# Set to -1 to disable automatic cleanup.
# EXPORT_CLEANUP_DAYS=7

# Directories for import/export operations
# IMPORT_TEMP_DIR=/data/imports/temp
# EXPORT_DIR=/data/exports


# ============================================================================
# INTEGRATIONS (IMMICH)
# ============================================================================

# Default Immich base URL for all users on the instance.
# If set, users can leave the Immich URL field empty in the UI.
# Immich URL specified per user level in settting screens can be used to override this.
# Example: IMMICH_BASE_URL=https://immich.example.com
# Example: IMMICH_BASE_URL=http://192.168.1.1:2283
# IMMICH_BASE_URL=


# ============================================================================
# CONTENT SECURITY POLICY (CSP)
# ============================================================================

# ENABLE_CSP=true
# ENABLE_HSTS=true
# ENABLE_CSP_REPORTING=true

# Where browsers should POST CSP violation reports
# CSP_REPORT_URI=/api/v1/security/csp-report


# ============================================================================
# FILE STORAGE
# ============================================================================

# Directory for user-uploaded files and media
# MEDIA_ROOT=/data/media

# Maximum allowed upload size in MB
# MAX_FILE_SIZE_MB=50

# Allowed media MIME types (comma-separated)
# ALLOWED_MEDIA_TYPES=image/jpeg,image/png,image/gif,image/webp,image/heic,image/heif,image/heic-sequence,image/heif-sequence,video/mp4,video/avi,video/mov,video/quicktime,video/webm,video/x-m4v,audio/mpeg,audio/wav,audio/ogg,audio/m4a,audio/aac

# Allowed file extensions (comma-separated)
# ALLOWED_FILE_EXTENSIONS=.jpg,.jpeg,.png,.gif,.webp,.heic,.heif,.mp4,.avi,.mov,.webm,.m4v,.mp3,.wav,.ogg,.m4a,.aac

# Signed media URL TTL in seconds (for images and general media)
# Default 5 minutes
# MEDIA_SIGNED_URL_TTL_SECONDS=300

# Signed video URL TTL in seconds (for video streaming, longer to support playback of large files)
# Default 20 mins
# MEDIA_SIGNED_URL_VIDEO_TTL_SECONDS=1200

# Signed thumbnail URL TTL in seconds (used for caching thumbnails)
# Default 24 hours
# MEDIA_THUMBNAIL_SIGNED_URL_TTL_SECONDS=86400

# Grace period in seconds for signed media URL expiration checks
# MEDIA_SIGNED_URL_GRACE_SECONDS=60


# ============================================================================
# LOGGING
# ============================================================================

# LOG_LEVEL=INFO
# LOG_FILE=
# LOG_DIR=/data/logs
# LOG_SQL_REQUESTS=false


# ============================================================================
# EXTERNAL API CONFIGURATION
# ============================================================================

# OpenWeather API keys for weather data fetching
# Get your free API key at: https://openweathermap.org/api
# Weather service is optional - if not configured, weather features will be disabled
# OPEN_WEATHER_API_KEY_25=your-openweather-2-5-api-key-here
# OPEN_WEATHER_API_KEY_30=your-openweather-3-0-api-key-here


# ============================================================================
# RATE LIMITING
# ============================================================================

# Enable rate limiting (protects login endpoints)
# RATE_LIMITING_ENABLED=true

# Backend for rate-limit storage (default: in-memory)
# Example for Redis: redis://localhost:6379/1
# RATE_LIMIT_STORAGE_URI=memory://
