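# Stupid Simple Network Inventory — environment variables
# Copy this file to .env and fill in the values.
# NEVER commit .env to version control.
# .env holds the JWT signing secret and the bootstrap admin password: keep it
# readable by the deploying user only (e.g. chmod 600 .env).
#
# Format: one VARIABLE=value per line, comments on their own lines starting
# with "#". Do not append comments after a value; many .env readers would
# treat them as part of the value.

# ── JWT Secret ──────────────────────────────────────────────────────────────
# Required in production. If unset, a random key is auto-generated and stored
# in db_data/secret_key.txt (0600 permissions). All sessions are invalidated
# when this key changes (key rotation).
#
# Treat this value as a credential: it is the JWT signing secret, so a leaked
# value should be rotated (which logs every user out, as noted above).
# When the key is auto-generated, copies and backups of db_data/ contain it.
#
# Generate a strong secret:
#   python3 -c "import secrets; print(secrets.token_hex(32))"
# Or use a Docker secret (recommended for production).
SECRET_KEY=

# ── Initial admin password ──────────────────────────────────────────────────
# Set this before the first run to bypass the admin/admin bootstrap.
# When set: admin is created with this password and must_change_password=0.
# When unset: admin is created with password "admin" and must_change_password=1
# (forced password change on first login).
#
# This variable is only read when the users table is empty (first run).
# It has no effect on subsequent starts.
#
# With this unset, the instance accepts admin/admin until the first login
# completes the forced change. Set a value, or complete that first login,
# before the service is reachable from networks you do not trust.
# Because no password change is forced when a value is set, use a long, unique
# one. It can be removed from .env after the first successful start, since it
# is not read again.
INITIAL_ADMIN_PASSWORD=

# ── CORS allowed origins ─────────────────────────────────────────────────────
# Comma-separated list of allowed origins, or "*" for all (default).
# The app is designed for same-origin access via the Nginx reverse proxy.
# Restrict this if you expose the API to multiple origins.
#
# "*" is kept below because it is the application default. For the intended
# same-origin deployment behind Nginx, an exact origin or the empty value is
# the tighter production setting.
#
# Examples:
#   ALLOWED_ORIGINS=*                            (default — permissive)
#   ALLOWED_ORIGINS=https://inventory.example.com
#   ALLOWED_ORIGINS=https://a.example.com,https://b.example.com
#   ALLOWED_ORIGINS=                             (empty — disables CORS headers)
ALLOWED_ORIGINS=*

# ── Bind address ─────────────────────────────────────────────────────────────
# IP address the application listens on (port 8080).
# Default: 0.0.0.0 (all interfaces).
# Set to the IP of the interface facing the reverse proxy when the reverse proxy
# runs on a separate machine — avoids exposing the app on unintended interfaces.
#
# NOTE(review): with 0.0.0.0, port 8080 may be reachable directly, bypassing the
# reverse proxy and any TLS or access control it adds, unless the port is
# firewalled or not published. Verify this for your deployment.
#
# Examples:
#   BIND_ADDRESS=0.0.0.0          (default — all interfaces)
#   BIND_ADDRESS=192.168.1.10     (LAN interface only)
#   BIND_ADDRESS=127.0.0.1        (loopback — reverse proxy on the same host)
BIND_ADDRESS=0.0.0.0

# ── Container user IDs ───────────────────────────────────────────────────────
# UID and GID used to run the backend process inside the container.
# Must match the host user owning ./db_data/ to allow read/write on the
# bind-mounted volume without root privileges.
# Keep both values non-zero: 0 would run the backend as root.
#
# Get your values: id -u && id -g
# Then create the data directory before the first run:
#   mkdir -p db_data
#
DOCKER_UID=1000
DOCKER_GID=1000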