# Entra ID / OIDC
ENTRA_TENANT_ID=
ENTRA_CLIENT_ID=
ENTRA_CLIENT_SECRET=

# Base URL the app is reachable at (no trailing slash).
# Used to build the OIDC redirect URI {APP_BASE_URL}/auth/callback
APP_BASE_URL=http://localhost:8080

# Random string (>=32 bytes). Used to salt the session cookie name / CSRF tokens.
SESSION_SECRET=

# Path to the SQLite database file inside the container. Leave as-is unless
# you have a specific reason to change it. The parent dir is the mounted
# volume (/var/www/data).
DB_PATH=/var/www/data/app.sqlite

# Session handler files directory.
SESSION_PATH=/var/www/data/sessions

# 'production' disables verbose error output. Anything else is treated as dev.
APP_ENV=production

# ---------------------------------------------------------------------------
# Local admin (optional) — lets you sign in without Entra, e.g. during initial
# setup or for a fully on-prem deployment. Set BOTH email and password to
# enable; leave blank to disable. The password is compared in plain text
# against this env value — so .env must be readable only by the app user.
# The resulting user is stored with entra_oid = "local:<email>" and is_admin=1.
# ---------------------------------------------------------------------------
LOCAL_ADMIN_EMAIL=
LOCAL_ADMIN_PASSWORD=
LOCAL_ADMIN_NAME=Local Admin