# Entra ID / OIDC
ENTRA_TENANT_ID=
ENTRA_CLIENT_ID=
ENTRA_CLIENT_SECRET=

# Base URL the app is reachable at (no trailing slash).
# Used to build the OIDC redirect URI {APP_BASE_URL}/auth/callback
APP_BASE_URL=http://localhost:8080

# Path to the SQLite database file inside the container. Leave as-is unless
# you have a specific reason to change it. The parent dir is the mounted
# volume (/var/www/data).
DB_PATH=/var/www/data/app.sqlite

# Session handler files directory.
SESSION_PATH=/var/www/data/sessions

# 'production' disables verbose error output. Anything else is treated as dev.
APP_ENV=production

# ---------------------------------------------------------------------------
# Local admin (optional) — lets you sign in without Entra, e.g. during initial
# setup or for a fully on-prem deployment. Set BOTH email and the password
# hash to enable; leave blank to disable. The password is verified with PHP's
# password_verify() against LOCAL_ADMIN_PASSWORD_HASH, so .env never contains
# the password itself. Generate the hash with:
#     docker run --rm php:8.3-cli php -r \
#       'echo password_hash(readline("Password: "), PASSWORD_DEFAULT), PHP_EOL;'
# (Or `php -r '...'` directly if you have PHP 8 on the host.) Paste the
# resulting `$2y$...` string verbatim. Single quotes recommended in .env so
# the `$` in the hash isn't interpreted by the shell.
# The resulting user is stored with entra_oid = "local:<email>" and is_admin=1.
# ---------------------------------------------------------------------------
LOCAL_ADMIN_EMAIL=
LOCAL_ADMIN_PASSWORD_HASH=
LOCAL_ADMIN_NAME=Local Admin