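# Caddy Proxy Manager Environment Configuration
# Copy this file to .env and update with your secure values
# IMPORTANT: chmod 600 .env after creating it
# IMPORTANT: keep .env out of version control (add it to .gitignore). Every
#            secret in this file must be rotated if the file was ever committed,
#            shared, or pasted into a bug report.
# Values are parsed as KEY=VALUE, one per line. If a value contains '#', '$',
# spaces or quotes, wrap it in single quotes: an unquoted ' #' is read as the
# start of a comment and '$VAR' may be expanded by docker compose's .env parsing.

# =============================================================================
# REQUIRED SECURITY SETTINGS (PRODUCTION)
# =============================================================================

# Session Secret (REQUIRED)
# Generate with: openssl rand -base64 32   (yields 44 characters)
# Must be at least 32 characters in production.
# The placeholder below already satisfies the 32-character minimum, so do not
# rely on the length check to catch a forgotten replacement: it is public text
# and MUST be replaced.
SESSION_SECRET=your-secure-session-secret-here-min-32-chars

# Admin Credentials (REQUIRED)
# USERNAME: Any username (e.g., "admin" is fine)
# PASSWORD: Must be 12+ characters with:
#   - Uppercase letters (A-Z)
#   - Lowercase letters (a-z)
#   - Numbers (0-9)
#   - Special characters (!@#$%^&* etc.)
# The example password below is public; use a unique, generated one (a password
# manager is the right tool). If it contains '#', '$', spaces or quotes, wrap it
# in single quotes (see the parsing note at the top of this file).
ADMIN_USERNAME=admin
ADMIN_PASSWORD=Your-Secure-P@ssw0rd-Here!

# =============================================================================
# APPLICATION CONFIGURATION
# =============================================================================

# Public base URL for the application (IMPORTANT!)
# This is the URL where users access your Caddy Proxy Manager interface.
#
# ** REQUIRED FOR OAUTH: If using OAuth2/OIDC authentication, this MUST match
#    the redirect URI configured in your OAuth provider exactly.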
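#    The redirect URI will be: {BASE_URL}/api/auth/callback/oauth2
#
# Examples:
#   - Local development: http://localhost:3000
#   - Production with domain: https://caddy-manager.example.com
#   - Production with IP: http://192.168.1.100:3000
#
# SECURITY: with a plain http:// URL the admin password and the session cookie
# travel unencrypted. Use https:// for anything reachable beyond a trusted LAN.
# Many OIDC providers also refuse http:// redirect URIs other than localhost.
#
# IMPORTANT: Do not include a trailing slash
# The value below is for local development only; change it for any other
# deployment, otherwise the OAuth callback URL will not match.
BASE_URL=http://localhost:3000

# =============================================================================
# ROOTLESS OPERATION (OPTIONAL)
# =============================================================================

# User and Group IDs for running containers as non-root
# Set these to match your host user to avoid permission issues with volumes
# Find your UID/GID with: id -u / id -g
#
# Defaults:
#   - Web service: PUID=10001, PGID=10001
#   - Caddy service: PUID=10000, PGID=10000
#
# Never set these to 0: that runs the containers as root and undoes the
# rootless hardening. Note that the two services default to different IDs; a
# single PUID/PGID set here presumably applies to both - confirm in the
# compose file before relying on the separation.
#
# For matching your host user (recommended for development):
# PUID=1000
# PGID=1000

# =============================================================================
# OAUTH2/OIDC AUTHENTICATION (OPTIONAL)
# =============================================================================

# OAuth2/OIDC Provider (works with Authentik, Authelia, Keycloak, etc.)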
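# Enable OAuth2 authentication with any OIDC-compliant provider
OAUTH_ENABLED=false
# Display name (e.g., "Authentik", "Keycloak")
# (Comments are kept on their own lines: not every .env parser strips a
#  trailing "# ..." from a value.)
OAUTH_PROVIDER_NAME=OAuth2
OAUTH_CLIENT_ID=
# Treat the client secret like a password: it lives only in this file (mode 600)
# and must be rotated at the provider if it leaks.
OAUTH_CLIENT_SECRET=
# OIDC issuer / discovery URL (e.g., https://auth.example.com/application/o/app/)
# Must be https://. OIDC Discovery requires an https issuer, and discovery over
# plain http would let a network attacker substitute the token and userinfo
# endpoints and hijack every login.
OAUTH_ISSUER=

# Optional: Override auto-discovered URLs (only if OIDC discovery doesn't work)
# If you set these, use https:// for the same reason as OAUTH_ISSUER.
# OAUTH_AUTHORIZATION_URL=
# OAUTH_TOKEN_URL=
# OAUTH_USERINFO_URL=

# OAuth Settings
# Auto-link OAuth identities to existing accounts that have no password.
# Leave false unless you trust the provider to verify the attribute used for
# matching (presumably the email address - confirm in the auth code). With
# linking enabled, an identity asserted by the IdP is attached to a local
# account without further proof, so anyone able to register a matching identity
# at the IdP inherits that account.
OAUTH_ALLOW_AUTO_LINKING=false

# Example for Authentik:
# OAUTH_ENABLED=true
# OAUTH_PROVIDER_NAME=Authentik
# OAUTH_CLIENT_ID=your-client-id
# OAUTH_CLIENT_SECRET=your-client-secret
# OAUTH_ISSUER=https://auth.example.com/application/o/caddy-proxy/
#
# IMPORTANT: Configure the redirect URI in your OAuth provider:
#   Redirect URI = {BASE_URL}/api/auth/callback/oauth2
#   Example: http://localhost:3000/api/auth/callback/oauth2
#   or: https://caddy-manager.example.com/api/auth/callback/oauth2

# =============================================================================
# OPTIONAL: ADVANCED CONFIGURATION
# =============================================================================

# Database configuration (usually no need to change)
# The SQLite file holds the application's persistent state (presumably including
# local accounts and linked identities); protect the data volume at least as
# tightly as this .env file.
# DATABASE_URL=file:/app/data/caddy-proxy-manager.db

# Caddy Admin API endpoint (usually no need to change)
# The Caddy admin API carries no authentication of its own: anyone who can reach
# it can rewrite the proxy configuration. Keep it on the internal compose
# network only and never publish port 2019 to the host.
# CADDY_API_URL=http://caddy:2019

# Certificate storage directory (usually no need to change)
# Private keys stored alongside the certificates need the same protection as
# the database volume.
# CERTS_DIRECTORY=./data/certs

# Login rate limiting (optional, for custom rate limit settings)
# The commented values read as: 5 failed attempts within a 300000 ms (5 min)
# window block further attempts for 900000 ms (15 min). Raising these limits
# weakens the main brute-force protection on the admin login.
# LOGIN_MAX_ATTEMPTS=5
# LOGIN_WINDOW_MS=300000
# LOGIN_BLOCK_MS=900000

# =============================================================================
# CLICKHOUSE ANALYTICS (OPTIONAL)
# =============================================================================

# ClickHouse is used for analytics data (traffic events, WAF events).
# Data is automatically retained for 90 days via ClickHouse TTL.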
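# CLICKHOUSE_PASSWORD is required - generate with: openssl rand -base64 32
# The placeholder below is public text and must be replaced before first start.
CLICKHOUSE_PASSWORD=your-clickhouse-password-here
# Port 8123 is ClickHouse's plain-HTTP interface: the password crosses it
# unencrypted, so keep it on the internal compose network and do not publish
# it to the host.
# CLICKHOUSE_URL=http://clickhouse:8123
# CLICKHOUSE_USER=cpm
# CLICKHOUSE_DB=analytics

# =============================================================================
# GEOIP UPDATE (OPTIONAL)
# =============================================================================

# GeoIP Update (Optional - for geoblocking support)
# To enable the geoipupdate container, set COMPOSE_PROFILES=geoipupdate
# Get credentials at: https://www.maxmind.com/en/geolite2/signup
# GEOIPUPDATE_LICENSE_KEY is a credential tied to your MaxMind account: treat
# it as a secret (mode 600, never commit it; revoke and reissue it if leaked).
COMPOSE_PROFILES=
GEOIPUPDATE_ACCOUNT_ID=
GEOIPUPDATE_LICENSE_KEY=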