# === ThinkWatch — Environment Template ===
#
# Single source of truth for both dev and production env vars. Don't
# write .env / .env.production by hand — run:
#
#   bash deploy/generate-secrets.sh --dev    # writes .env
#   bash deploy/generate-secrets.sh --prod   # writes .env.production
#                                            # (+ deploy/clickhouse/users.d/default-user.xml)
#
# Both modes fill secrets via `openssl rand` and pick the right
# hostnames for their topology (localhost in dev, container names in
# prod). Edit ONLY this file to add new env vars — both outputs are
# regenerated from it, which is how dev and prod stay in lockstep.
#
# Syntax:
#   * lines prefixed `# dev:` or `# prod:` are mode-specific; the
#     generator uncomments the active mode's lines and drops the other
#   * lines with no tag apply to both
#   * tokens like `__SECRET_HEX_<N>__` are substituted with
#     `openssl rand -hex <N>` at generation time

# --- PostgreSQL ---
DB_USER=thinkwatch
DB_NAME=think_watch
DB_MAX_CONNECTIONS=10
DB_PASSWORD=__SECRET_HEX_16__
# dev: DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@localhost:5432/${DB_NAME}
# prod: DATABASE_URL=postgres://${DB_USER}:${DB_PASSWORD}@postgres:5432/${DB_NAME}?sslmode=disable

# --- Redis ---
REDIS_PASSWORD=__SECRET_HEX_16__
# dev: REDIS_URL=redis://:${REDIS_PASSWORD}@localhost:6379
# prod: REDIS_URL=redis://:${REDIS_PASSWORD}@redis:6379

# --- Application ---
JWT_SECRET=__SECRET_HEX_32__
ENCRYPTION_KEY=__SECRET_HEX_32__
# JWT verification clock-skew tolerance in seconds. Default 10; cap 300.
# Raise (e.g. 30-60) only if the deployment runs on hosts with chronic
# clock drift (KVM steal-time spikes, geographically split datacenters).
# Larger values effectively lengthen every token's exp window — fix
# time sync first, this knob second.
# JWT_LEEWAY_SECS=10
SERVER_HOST=0.0.0.0
GATEWAY_PORT=3000
CONSOLE_PORT=3001
# dev: CORS_ORIGINS=http://localhost:5173
# prod: CORS_ORIGINS=https://console.yourdomain.com
# dev: RUST_LOG=info,think_watch=debug
# prod: RUST_LOG=info,think_watch=info

# --- ClickHouse (audit log storage & search) ---
# dev: CLICKHOUSE_URL=http://localhost:8123
# prod: CLICKHOUSE_URL=http://clickhouse:8123
CLICKHOUSE_DB=think_watch
CLICKHOUSE_USER=thinkwatch
CLICKHOUSE_PASSWORD=__SECRET_HEX_16__

# --- /metrics scraping ---
# Bearer token for Prometheus to scrape /metrics. When unset, the
# route is NOT mounted (returns 404) — safe default because the
# endpoint leaks cost / token / error signals. Dev leaves it commented
# (uncomment to test scraping locally); prod always sets one.
# dev: # METRICS_BEARER_TOKEN=__SECRET_HEX_32__
# prod: METRICS_BEARER_TOKEN=__SECRET_HEX_32__

# --- Audit body offload (S3-compatible) ---
# Captured bodies bigger than audit.body_max_bytes (256 KiB default)
# get uploaded to this bucket instead of being truncated in CH. Both
# dev (bundled rustfs container) and prod use these. To disable
# offload entirely (truncate-only), unset S3_BUCKET.
S3_REGION=us-east-1
S3_BUCKET=thinkwatch-audit-bodies
S3_ACCESS_KEY_ID=__SECRET_HEX_12__
S3_SECRET_ACCESS_KEY=__SECRET_HEX_32__
S3_PATH_STYLE=true
# dev: S3_ENDPOINT_URL=http://localhost:9100   # host port maps to rustfs:9000
# prod: S3_ENDPOINT_URL=http://rustfs:9000

# --- Zitadel (dev OIDC provider; not used in prod) ---
# dev: ZITADEL_PG_PASSWORD=__SECRET_HEX_16__
# dev: ZITADEL_MASTERKEY=__SECRET_HEX_16__
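The generator that the Syntax block at the top of this template describes (`deploy/generate-secrets.sh`) is not on this page. The following is an added example, not the project's own script: a POSIX sh renderer that implements the same three rules (keep and uncomment the active mode's `# dev:` / `# prod:` lines, drop the other mode's, pass untagged lines through, and replace each `__SECRET_HEX_<N>__` token with `openssl rand -hex N`). The function names `render_env_template`, `fill_secrets`, `secret_hex`, `write_env`, `render_sample` and the miniature template in `SAMPLE_TEMPLATE` are this example's own inventions, and the `/dev/urandom` fallback is an assumption for hosts without openssl.

```shell
#!/bin/sh
# Added example renderer for the "# dev:" / "# prod:" / __SECRET_HEX_<N>__
# template syntax. Not the project's deploy/generate-secrets.sh; assumes
# POSIX sh, sed, grep and openssl (falls back to /dev/urandom).
set -eu

# Emit N random bytes as lowercase hex, as `openssl rand -hex N` does.
secret_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex "$1" </dev/null
    else
        od -An -N"$1" -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# Replace every __SECRET_HEX_<N>__ on one line. Each token draws its own
# random bytes, so two tokens of the same size never share a value.
fill_secrets() {
    line=$1
    while printf '%s\n' "$line" | grep -q '__SECRET_HEX_[0-9][0-9]*__'; do
        n=$(printf '%s\n' "$line" | sed 's/.*__SECRET_HEX_\([0-9][0-9]*\)__.*/\1/')
        val=$(secret_hex "$n")
        # '|' as the sed delimiter keeps URLs with '/' in the line intact.
        line=$(printf '%s\n' "$line" | sed "s|__SECRET_HEX_${n}__|${val}|")
    done
    printf '%s\n' "$line"
}

# Render the template on stdin for MODE (dev|prod) to stdout:
#   "# dev: X"  -> "X" in dev, dropped in prod
#   "# prod: X" -> "X" in prod, dropped in dev
#   any other line passes through; secrets are filled on every kept line.
render_env_template() {
    mode=$1
    case $mode in
        dev|prod) ;;
        *) echo "render_env_template: mode must be dev or prod" >&2; return 2 ;;
    esac
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "# ${mode}: "*) line=${line#"# ${mode}: "} ;;
            "# dev: "*|"# prod: "*) continue ;;
        esac
        fill_secrets "$line"
    done
}

# Write the rendered file owner-readable only (umask 077): the output
# holds live credentials and must not be world-readable on the host.
#   usage: write_env dev .env.template .env
write_env() {
    (umask 077 && render_env_template "$1" <"$2" >"$3")
}

# Constructed miniature of the template above, used for the demo below.
SAMPLE_TEMPLATE='DB_PASSWORD=__SECRET_HEX_16__
# dev: DATABASE_URL=postgres://u:${DB_PASSWORD}@localhost:5432/db
# prod: DATABASE_URL=postgres://u:${DB_PASSWORD}@postgres:5432/db
# dev: # METRICS_BEARER_TOKEN=__SECRET_HEX_32__
# prod: METRICS_BEARER_TOKEN=__SECRET_HEX_32__'

# Render the miniature for MODE; returns the rendered text on stdout.
render_sample() {
    printf '%s\n' "$SAMPLE_TEMPLATE" | render_env_template "$1"
}
```

Rendering the miniature in dev mode yields three lines: a 32-hex-character `DB_PASSWORD`, the localhost `DATABASE_URL`, and `# METRICS_BEARER_TOKEN=...` still commented out, which is exactly the "route not mounted until you uncomment it" default described above; prod mode yields the container hostname and an active token instead. The renderer copies kept lines verbatim, so anything that rides on them (for instance the `?sslmode=disable` suffix on the prod `DATABASE_URL` above) is decided in the template, not by the generator.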