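# =============================================================================
# IRDB — IP Reputation Database — environment configuration
# =============================================================================
# Copy this file to `.env` and fill in the blanks.
# Generate 32-byte hex secrets with:  openssl rand -hex 32
# Use a separate value for each secret (APP_SECRET, INTERNAL_JOB_TOKEN,
# UI_SECRET); do not reuse one value across them.
#
# Keep the filled-in `.env` out of version control and readable only by the
# account that starts the containers.
#
# Comments sit on their own lines on purpose. Not every .env loader strips a
# trailing `# ...` from a value line; with such a loader a line like
# `APP_SECRET=   # 32-byte hex` would load the comment text as the secret.
# =============================================================================

# -----------------------------------------------------------------------------
# Shared (consumed by both api and ui containers)
# -----------------------------------------------------------------------------

# IRDB-format service token. The api uses this to authenticate the ui's
# calls; the ui presents it on every API request together with
# X-Acting-User-Id. Format: irdb_svc_<32 base32 chars>. Generate one with:
#   docker compose run --rm -T api php -r 'require "/app/vendor/autoload.php";
#     echo (new App\Domain\Auth\TokenIssuer())->issue(App\Domain\Auth\TokenKind::Service);'
# NOTE(review): the acting user is named in a request header, so this token is
# presumably all that separates a caller from acting as any user. Treat it
# like the other secrets and rotate it if it leaks.
UI_SERVICE_TOKEN=

# -----------------------------------------------------------------------------
# api container
# -----------------------------------------------------------------------------

# development | production
APP_ENV=production
LOG_LEVEL=info
# 32-byte hex; used internally for signing things like ETags
APP_SECRET=

# Database
# sqlite | mysql
DB_DRIVER=sqlite
DB_SQLITE_PATH=/data/irdb.sqlite
# The DB_MYSQL_* values are presumably read only when DB_DRIVER=mysql.
DB_MYSQL_HOST=
DB_MYSQL_PORT=3306
DB_MYSQL_DATABASE=
DB_MYSQL_USERNAME=
DB_MYSQL_PASSWORD=

# OIDC role mapping (defaults applied if no group mapping matches)
# viewer | none
# With `viewer`, a user who signs in at the issuer but matches no group
# mapping still gets the viewer role; `none` is the least-privilege choice.
OIDC_DEFAULT_ROLE=viewer

# Reputation engine
SCORE_RECOMPUTE_INTERVAL_SECONDS=300
SCORE_REPORT_HARD_CUTOFF_DAYS=365

# Internal jobs
# 32-byte hex
INTERNAL_JOB_TOKEN=
JOB_RECOMPUTE_MAX_RUNTIME_SECONDS=240
JOB_RECOMPUTE_MAX_ROWS_PER_TICK=5000
JOB_AUDIT_RETENTION_DAYS=180
JOB_GEOIP_REFRESH_INTERVAL_DAYS=7

# GeoIP
GEOIP_ENABLED=true
GEOIP_COUNTRY_DB=/data/geoip/GeoLite2-Country.mmdb
GEOIP_ASN_DB=/data/geoip/GeoLite2-ASN.mmdb
# Account credential (presumably used to download the databases above);
# handle it like the other secrets.
MAXMIND_LICENSE_KEY=

# CORS — origin of the ui container (or future SPA frontend)
# Must be the exact origin (scheme, host, port) the browser uses; in production
# that is the public https origin, not localhost.
UI_ORIGIN=http://localhost:8080

# Rate limiting (public API)
API_RATE_LIMIT_PER_SECOND=60

# -----------------------------------------------------------------------------
# ui container
# -----------------------------------------------------------------------------
# (APP_ENV / LOG_LEVEL above are reused; the ui reads its own copies of those.)

# 32-byte hex; signs session cookies
UI_SECRET=
PUBLIC_URL=http://localhost:8080

# Where the ui finds the api (internal docker network DNS)
# This link is plain HTTP and carries UI_SERVICE_TOKEN on every request, so
# keep the api port on the internal network only.
API_BASE_URL=http://api:8081

# OIDC (Entra ID) — lives in ui only
OIDC_ENABLED=true
# Replace <tenant-id> with your Entra directory (tenant) ID.
OIDC_ISSUER=https://login.microsoftonline.com/<tenant-id>/v2.0
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
# Must match a redirect URI registered for the client in Entra, and should
# point at the same host as PUBLIC_URL (the two sample values here differ).
OIDC_REDIRECT_URI=https://reputation.example.com/oidc/callback

# Local admin — lives in ui only
# Set LOCAL_ADMIN_ENABLED=false if OIDC is the only intended sign-in path.
# NOTE(review): behaviour with an empty LOCAL_ADMIN_PASSWORD_HASH is not
# visible from this file — confirm the ui rejects the login in that case.
LOCAL_ADMIN_ENABLED=true
LOCAL_ADMIN_USERNAME=admin
# Generate with: php -r "echo password_hash('s3cret', PASSWORD_ARGON2ID);"
# 's3cret' is only a sample: hash your own password, and remember the command
# (with the password) is saved in shell history.
# Argon2id hashes contain `$`. If your loader interpolates variables in this
# file (Docker Compose does), wrap the hash in single quotes.
LOCAL_ADMIN_PASSWORD_HASH=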