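# ====================================
# Invio – Environment Configuration
# ====================================
# Copy this file to .env:   cp .env.example .env
# Only the three values below are required. Everything else has sensible defaults.
#
# The resulting .env holds credentials: keep it out of version control and
# readable only by the account that runs Invio (e.g. chmod 600 .env).
#
# Comments are kept on their own lines: some .env parsers treat text after a
# value, including "# ...", as part of the value.

# ─── Required ─────────────────────────────────────────────
# Placeholder credentials: replace ADMIN_PASS and JWT_SECRET before the
# instance is reachable by anyone else.
ADMIN_USER=admin
ADMIN_PASS=supersecret
# Long random value, unique per deployment, e.g. the output of
#   openssl rand -base64 48
# NOTE(review): presumably the signing key for session JWTs, in which case a
# guessable value would let session tokens be forged; confirm against the backend.
JWT_SECRET=change-me-in-production

# SvelteKit CSRF protection: the external origin where your frontend is served.
# It must match the scheme, host and port users actually see in the browser.
# For local Docker:  http://localhost:8000
# For production:    https://yourdomain.com
ORIGIN=http://localhost:8000

# ─── Database ─────────────────────────────────────────────
# Docker (default):   /app/data/invio.db
# Local development:  ./invio.db
DATABASE_PATH=/app/data/invio.db

# ─── Networking ───────────────────────────────────────────
BACKEND_PORT=3000
FRONTEND_PORT=8000
# Internal container port, rarely changed.
# FRONTEND_PORT_INTERNAL=8000

# Frontend → Backend communication
# Docker Compose:     http://backend:3000
# Local development:  http://localhost:3000
BACKEND_URL=http://localhost:3000

# ─── PDF Rendering ───────────────────────────────────────
# Only needed when weasyprint is installed in a non-standard location;
# the usual paths are checked automatically.
# WEASYPRINT_BIN=/usr/bin/weasyprint

# ─── Security (sensible defaults – usually no changes needed) ─
# JWT session lifetime in seconds (300–43200).
# SESSION_TTL_SECONDS=3600
# Set to false only for local HTTP development; keep true in production so the
# session cookie is sent over HTTPS only.
# COOKIE_SECURE=true
# Enable when serving over HTTPS.
# ENABLE_HSTS=false
# Set to true for local troubleshooting only; do not leave it enabled on a
# deployed instance.
# SECURE_HEADERS_DISABLED=false

# ─── Rate Limiting (Login) ───────────────────────────────
# RATE_LIMIT_ENABLED=true
# RATE_LIMIT_MAX_ATTEMPTS=5
# 15 minutes.
# RATE_LIMIT_WINDOW_SECONDS=900
# Set to true behind a reverse proxy.
# NOTE(review): enable only when every request passes through a proxy you
# control; if the backend is also reachable directly, client-supplied
# forwarding headers would presumably be trusted and the login limit could be
# sidestepped. Confirm which header the backend reads.
# RATE_LIMIT_TRUST_PROXY=false

# ─── Frontend Security Headers ───────────────────────────
# FRONTEND_SECURE_HEADERS_DISABLED=false
# Override if hosting assets elsewhere.
# FRONTEND_CONTENT_SECURITY_POLICY="..."
# Override the backend CSP.
# CONTENT_SECURITY_POLICY="..."

# ─── Demo Mode (optional) ────────────────────────────────
# DEMO_MODE=false
# DEMO_DB_PATH=/app/data/invio-demo.db
# DEMO_RESET_HOURS=0.5
# DEMO_RESET_ON_START=true

# ─── Email / SMTP ────────────────────────────────────────
# Enables the "Send via Email" button on invoice pages.
# Works with any SMTP server (Gmail, Outlook, SMTP2GO, Mailgun, self-hosted…).
#
# SMTP_HOST=mail-server
# 587 = STARTTLS (default), 465 = TLS, 25 = plain.
# Avoid plain (25) when SMTP_USER/SMTP_PASS are set: the credentials and the
# invoices would cross the network unencrypted.
# SMTP_PORT=smtp-port
# Set true only for port 465 (direct TLS); with port 587 this should be false.
# SMTP_SECURE=true
# Leave blank if the server needs no auth.
# SMTP_USER=username
# SMTP_PASS=secretpassword
# EMAIL_FROM_ADDRESS=email-address
# Optional display name shown in email clients.
# EMAIL_FROM_NAME=email-from-name

# ─── Authentik OIDC / SSO (optional) ─────────────────────
# Set OIDC_ENABLED=true and fill in the values below to add a
# "Login with SSO" button to the login page.
#
# In Authentik: create an OAuth2/OIDC Provider + Application,
# set the redirect URI to OIDC_REDIRECT_URI, and grant scopes:
#   openid email profile
#
# OIDC_ENABLED=false
# OIDC_ISSUER_URL=https://authentik.example.com/application/o/
# OIDC_CLIENT_ID=
# Treat the client secret like a password: it belongs only in .env.
# OIDC_CLIENT_SECRET=
# OIDC_REDIRECT_URI=https://invio.example.com/auth/callback
#
# Set to true to automatically create an Invio account on first SSO login.
# When false (default), the user's email must already match an existing account.
# With auto-provisioning on, everyone who can sign in to the Authentik
# application gets an Invio account, so restrict access to that application in
# Authentik before enabling it.
# OIDC_AUTO_PROVISION=false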