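# Environment template for a ForgeBucket instance.
# One KEY=value per line; comments are full lines starting with '#'.
# The values below are examples. Real secrets (database password, session and
# CSRF keys, OIDC client secret, signing and host keys) belong in a local copy
# that is not committed to version control and is readable only by the
# service account.

# ─── Required ───────────────────────────────────────────────────────────────
# PostgreSQL connection string
# The user/password shown are local-development placeholders; replace them.
# sslmode=disable sends credentials and queries unencrypted. That is only
# reasonable for a database on the same host; for a remote database use a
# verifying mode such as sslmode=verify-full.
DATABASE_URL=postgres://forgebucket:password@localhost:5432/forgebucket?sslmode=disable

# Session cookie signing key — must be at least 32 characters
# Generate: openssl rand -hex 32
# Anyone who knows this key can forge session cookies; use random output,
# never a memorable string.
SESSION_SECRET=

# CSRF protection key — must be exactly 32 characters
# Generate: openssl rand -hex 16
# Generate this independently; do not reuse SESSION_SECRET.
CSRF_SECRET=

# ─── Server ──────────────────────────────────────────────────────────────────
PORT=8080

# Absolute path where bare git repositories are stored on disk
# The directory should be writable by the service account only.
REPO_ROOT=/var/lib/forgebucket/repos

# ─── Federation (ActivityPub) ─────────────────────────────────────────────────
# Public URL of this instance (no trailing slash)
INSTANCE_URL=https://your-instance.example.com
INSTANCE_NAME=ForgeBucket

# ─── OIDC / OAuth2 (optional) ────────────────────────────────────────────────
# OIDC_CLIENT_SECRET is a credential: supply it from a secret store or a
# protected local file, not from a committed copy of this template.
# OIDC_ISSUER=https://accounts.google.com
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=

# ─── GitOps ──────────────────────────────────────────────────────────────────
# Seconds between periodic drift checks (0 disables the ticker; push-triggered checks always run).
GITOPS_RECONCILE_INTERVAL=300

# ─── Event Bus (NATS) ────────────────────────────────────────────────────────
# Leave empty to disable event publishing (no-op mode).
# Start NATS with: make docker-up
# NOTE(review): the example URL carries no credentials and no TLS, which fits
# a broker on the same host; confirm the transport and authentication options
# before pointing this at a broker on another machine.
NATS_URL=nats://localhost:4222

# ─── Artifact Signing (Phase 4) ───────────────────────────────────────────────
# PEM-encoded ECDSA P-256 private key. If empty, an ephemeral key is generated
# at startup (signatures will not survive restart). Generate with:
#   openssl ecparam -genkey -name prime256v1 -noout -out signing-key.pem
# Set a persistent key wherever signatures must stay verifiable across
# restarts. The generated signing-key.pem is private key material: restrict
# its permissions (for example chmod 600) and keep it out of the repository.
# ARTIFACT_SIGNING_KEY=

# ─── SSH Server ────────────────────────────────────────────────────────────────
# Hostname shown in SSH clone URLs. Auto-detected from INSTANCE_URL or request
# Host header when empty.
# SSH_HOST=ssh.example.com
# SSH_PORT=2222

# Path to PEM-encoded SSH host key. If empty, an ephemeral RSA-4096 key is
# generated at startup (host key changes on restart — warns clients).
# A host key that changes on every restart teaches users to dismiss the
# changed-host-key warning, which is the same warning that signals an
# interception attempt. Set a persistent key file, readable only by the
# service account, on any instance other people connect to.
# SSH_HOST_KEY_PATH=

# ─── OCI Registry (Phase 4) ───────────────────────────────────────────────────
# Root directory for the OCI Distribution Spec blob and upload storage.
# The directory should be writable by the service account only.
OCI_ROOT=/var/lib/forgebucket/oci

# ─── Dev only ─────────────────────────────────────────────────────────────────
# Set to true to disable Secure cookies and enable verbose logging
# Without the Secure attribute the session cookie is also sent over plain
# HTTP. Keep this false on any instance reachable from a network.
# NOTE(review): verbose logs may contain request details; confirm what is
# logged before sharing them.
DEBUG=false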