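# Copy to .env for local dev. In production these come from Gitea Actions secrets
# (Settings → Actions → Secrets), NOT from a committed file.
#
# Every changeme-* value below is a placeholder, not a usable secret: replace all
# three before first start, and keep the resulting .env out of version control.
#
# Generate strong values (32 random bytes each, base64-encoded):
#   for s in AUTH_SECRET JWT_SECRET DB_PASSWORD; do echo "$s=$(openssl rand -base64 32)"; done

# NextAuth v5 (Auth.js) session secret. Rotating invalidates all sessions.
AUTH_SECRET=changeme-base64-32

# Backend HMAC signing key (base64; JwtService base64-decodes it).
# Rotating invalidates all previously issued access/refresh tokens.
# Use a value distinct from AUTH_SECRET so a leak of one does not expose the other.
JWT_SECRET=changeme-base64-32

# Postgres role password for the live DB role.
# NOTE: only applies on FIRST volume init; the deploy reconciles existing
# volumes via ALTER USER (see .gitea/workflows/deploy.yml).
# NOTE(review): base64 output can contain '+', '/' and '='; confirm these are
# quoted/encoded wherever the password is embedded (connection URL, ALTER USER
# statement). That handling is not visible from this file.
DB_PASSWORD=changeme-base64-24

# ── Local-only frontend origin (override in compose for public phase) ──
# For LOCAL phase point these at the LAN host:
#   NEXTAUTH_URL=http://192.168.188.119:__FRONTEND_PORT__
#   AUTH_URL=http://192.168.188.119:__FRONTEND_PORT__
# For PUBLIC phase the TrueNAS override sets them to https://__SUBDOMAIN__
# The http:// origins are for local/LAN use only; over plain HTTP the session
# cookie travels in clear text, so the public phase must stay on https.
NEXTAUTH_URL=http://localhost:3000
AUTH_URL=http://localhost:3000

# Tells Auth.js to trust the host reported by the incoming request and its
# forwarding headers. Keep it enabled only where a reverse proxy you control
# sets those headers and overwrites any client-supplied X-Forwarded-* values.
AUTH_TRUST_HOST=true

# Backend address as seen from the frontend container (compose service name).
BACKEND_URL=http://backend:8080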