# FILE: infra/environments/production/.env.example
# Production Environment Configuration
# Copy this to .env and customize for your production server
# WARNING: This file contains sensitive credentials. DO NOT commit to git!

# Domain Configuration
DOMAIN=harkon.co.uk
EMAIL=info@harkon.co.uk
# ACME email for Traefik certificate resolver
ACME_EMAIL=ops@harkon.co.uk

# Database Passwords (CHANGE THESE!)
POSTGRES_PASSWORD=CHANGE_ME_POSTGRES_PASSWORD
NEO4J_PASSWORD=CHANGE_ME_NEO4J_PASSWORD
AUTHENTIK_DB_PASSWORD=CHANGE_ME_AUTHENTIK_DB_PASSWORD

# Object Storage (CHANGE THESE!)
MINIO_ROOT_USER=admin
MINIO_ROOT_PASSWORD=CHANGE_ME_MINIO_ROOT_PASSWORD
MINIO_ACCESS_KEY=admin
MINIO_SECRET_KEY=CHANGE_ME_MINIO_SECRET_KEY

# Vector Database
QDRANT__SERVICE__GRPC_PORT=6334

# Secrets Management (CHANGE THIS!)
VAULT_DEV_ROOT_TOKEN_ID=CHANGE_ME_VAULT_TOKEN

# Identity & SSO (CHANGE THESE!)
# Generate with: openssl rand -base64 32
AUTHENTIK_SECRET_KEY=CHANGE_ME_AUTHENTIK_SECRET
AUTHENTIK_OUTPOST_TOKEN=CHANGE_ME_OUTPOST_TOKEN
AUTHENTIK_BOOTSTRAP_EMAIL=admin@harkon.co.uk
AUTHENTIK_BOOTSTRAP_PASSWORD=CHANGE_ME_ADMIN_PASSWORD
AUTHENTIK_BOOTSTRAP_TOKEN=

# Monitoring (CHANGE THIS!)
GRAFANA_PASSWORD=CHANGE_ME_GRAFANA_PASSWORD
GRAFANA_OAUTH_CLIENT_ID=grafana-prod
# MUST MATCH AUTHENTIK_GRAFANA_CLIENT_SECRET below
GRAFANA_OAUTH_CLIENT_SECRET=CHANGE_ME_GRAFANA_OAUTH_SECRET

# OAuth Client Secrets for Authentik Providers (CHANGE THESE!)
AUTHENTIK_API_CLIENT_SECRET=CHANGE_ME_API_SECRET
AUTHENTIK_UI_REVIEW_CLIENT_SECRET=CHANGE_ME_UI_SECRET
AUTHENTIK_GRAFANA_CLIENT_SECRET=CHANGE_ME_GRAFANA_SECRET
AUTHENTIK_MINIO_CLIENT_SECRET=CHANGE_ME_MINIO_SECRET
AUTHENTIK_VAULT_CLIENT_SECRET=CHANGE_ME_VAULT_SECRET

# Feature Flags
UNLEASH_ADMIN_TOKEN=production.unleash-admin-api-token

# Application Configuration (CHANGE THIS!)
NEXTAUTH_SECRET=CHANGE_ME_NEXTAUTH_SECRET

# Redis Configuration
REDIS_PASSWORD=CHANGE_ME_REDIS_PASSWORD

# NATS Configuration
NATS_USER=nats
NATS_PASSWORD=CHANGE_ME_NATS_PASSWORD

# Application Secrets
JWT_SECRET=CHANGE_ME_JWT_SECRET_32_CHARS_MIN
ENCRYPTION_KEY=CHANGE_ME_ENCRYPTION_KEY_32_CHARS

# API Keys
OPENAI_API_KEY=sk-your-production-openai-key
ANTHROPIC_API_KEY=sk-ant-your-production-anthropic-key

# Registry Configuration
REGISTRY=gitea.harkon.co.uk
REGISTRY_USER=harkon
REGISTRY_PASSWORD=CHANGE_ME_GITEA_TOKEN
IMAGE_TAG=v1.0.1
OWNER=harkon