# Managed by Ansible — 0600, owned by {{ shithub_user }}.
# Sourced by shithubd-web.service via EnvironmentFile=.
#
# Naming contract: shithubd's config loader maps env vars by
# joining the TOML path with double underscores between segments
# (e.g., auth.email_from -> SHITHUB_AUTH__EMAIL_FROM). A handful
# of single-underscore names (SHITHUB_DATABASE_URL, SHITHUB_SESSION_KEY,
# SHITHUB_TOTP_KEY) are explicit aliases. Misnamed env vars are
# silently ignored — the binary falls back to defaults, which sends
# email to stdout instead of via Postmark. Match docs/internal/config.md
# for the canonical key names.
#
# Secrets: the rendered file holds the database password, the S3 secret
# key, both AEAD keys and the email provider credential in plaintext.
# The 0600 mode noted above is what keeps them from other local users.
# NOTE(review): the task that renders this template is not visible here —
# confirm it sets owner and mode explicitly and suppresses task output
# (no_log, or diff: false) so these values do not land in Ansible logs.

# The password is interpolated into the URL as-is; characters such as
# @ : / ? # % in it would change how the URL parses.
# NOTE(review): confirm the password is generated from a URL-safe
# alphabet or is percent-encoded before it reaches this template.
# sslmode=disable means no TLS to Postgres. That is tolerable only while
# the host stays 127.0.0.1; if the database moves off-host, switch to
# sslmode=verify-full.
SHITHUB_DATABASE_URL=postgresql://shithub:{{ shithub_db_password }}@127.0.0.1:5432/shithub?sslmode=disable
# Listens on loopback only, while the public base URL below is https.
# NOTE(review): TLS is presumably terminated by a front proxy that is not
# part of this file — confirm.
SHITHUB_WEB__ADDR=127.0.0.1:8080

# auth surface
SHITHUB_AUTH__BASE_URL=https://{{ shithub_domain }}
SHITHUB_AUTH__SITE_NAME=shithub
SHITHUB_AUTH__EMAIL_FROM={{ shithub_email_from }}
# The same variable selects which credential line is rendered at the
# bottom of this file; any value other than "postmark" or "resend"
# renders no email credential at all.
SHITHUB_AUTH__EMAIL_BACKEND={{ shithub_email_backend }}

# SSH-git surface. Enabled flips the SSH clone URL on repo pages.
# The actual SSH service is sshd's Match-User-git block (see
# deploy/sshd_config.j2) calling shithubd's ssh-authkeys + ssh-shell
# subcommands. Both layers must be in place — toggling Enabled with
# no sshd config gives users an SSH URL that 5xx's at connect.
SHITHUB_AUTH__SSH__ENABLED=true
SHITHUB_AUTH__SSH__HOST=git@{{ shithub_domain }}

# storage
SHITHUB_STORAGE__REPOS_ROOT={{ shithub_data_root }}/repos
# The whole S3 group is rendered only when s3_bucket is set and non-empty.
{% if s3_bucket | default("") %}
# DigitalOcean Spaces runtime bucket via its S3-compatible API.
# Static access key pair: prefer a key scoped to this one bucket, and
# rotate it if this file or the Ansible vars behind it are ever exposed.
SHITHUB_STORAGE__S3__ENDPOINT={{ s3_endpoint }}
SHITHUB_STORAGE__S3__REGION={{ s3_region | default("us-east-1") }}
SHITHUB_STORAGE__S3__ACCESS_KEY_ID={{ s3_access_key_id }}
SHITHUB_STORAGE__S3__SECRET_ACCESS_KEY={{ s3_secret_access_key }}
SHITHUB_STORAGE__S3__BUCKET={{ s3_bucket }}
# Defaults to "true" when s3_use_ssl is unset. Setting it to false sends
# requests and object data to the endpoint unencrypted.
SHITHUB_STORAGE__S3__USE_SSL={{ (s3_use_ssl | default(true)) | ternary("true", "false") }}
# Defaults to "false" when s3_force_path_style is unset.
SHITHUB_STORAGE__S3__FORCE_PATH_STYLE={{ (s3_force_path_style | default(false)) | ternary("true", "false") }}
{% endif %}

# AEAD keys (32-byte base64). Aliased single-underscore names.
# Use two independent, randomly generated keys; do not reuse one value
# for both.
# NOTE(review): presumably changing SESSION_KEY invalidates existing
# sessions and changing TOTP_KEY makes stored TOTP secrets undecryptable —
# confirm against the binary before rotating.
SHITHUB_SESSION_KEY={{ shithub_session_key_b64 }}
SHITHUB_TOTP_KEY={{ shithub_totp_key_b64 }}

# Transactional email credentials. DKIM/SPF for the chosen provider
# must be configured at the DNS layer before deploy.
# Only the credential for the selected backend is written, so the unused
# provider's secret never reaches this host's env file.
{% if shithub_email_backend == "postmark" %}
SHITHUB_AUTH__POSTMARK__SERVER_TOKEN={{ shithub_postmark_token }}
{% elif shithub_email_backend == "resend" %}
SHITHUB_AUTH__RESEND__API_KEY={{ shithub_resend_api_key }}
{% endif %}