# ============================================================================
# K-Template Configuration
# ============================================================================
# Copy this file to .env and adjust values for your environment.
# All values shown are defaults or examples.
#
# The resulting .env holds secrets (SESSION_SECRET, JWT_SECRET,
# OIDC_CLIENT_SECRET and any database password). Keep it out of version
# control and readable only by the account that runs the service.
# Every secret below is a public placeholder: replace each one before the
# service is reachable by anyone else.

# ============================================================================
# Server Configuration
# ============================================================================
# 127.0.0.1 is the loopback address, so only local clients can connect.
# Changing HOST to a non-loopback address (e.g. 0.0.0.0) exposes the service
# to the network; review the settings below before doing so.
HOST=127.0.0.1
PORT=3000

# ============================================================================
# Database Configuration
# ============================================================================
# SQLite (default)
# data.db is a relative path; mode=rwc opens it read-write and creates it if
# missing. Keep the database file outside any directory that is served or
# committed.
DATABASE_URL=sqlite:data.db?mode=rwc

# PostgreSQL (alternative - requires postgres feature)
# The URL embeds the database password, so it is a secret like the others.
# user:password is an example only.
# DATABASE_URL=postgres://user:password@localhost:5432/mydb

# Connection pool settings
DB_MAX_CONNECTIONS=5
DB_MIN_CONNECTIONS=1

# ============================================================================
# Authentication Mode
# ============================================================================
# Options: session, jwt, both
# - session: Cookie-based sessions (requires auth-axum-login feature)
# - jwt: Bearer token authentication (requires auth-jwt feature)
# - both: Support both methods (try JWT first, fall back to session)
# With "both", the session and the JWT settings below are both in use and
# both need production values.
AUTH_MODE=jwt

# ============================================================================
# Session Configuration (for session/both modes)
# ============================================================================
# Must be at least 64 characters in production
# NOTE(review): the placeholder below is itself longer than 64 characters, so
# a length check alone would not reject it - confirm whether the application
# also refuses known placeholder values. Use a random value from a CSPRNG,
# for example the output of `openssl rand -hex 64`.
SESSION_SECRET=your-super-secret-key-must-be-at-least-64-characters-long-for-security

# Set to true in production for HTTPS-only cookies
# While false, the session cookie may also be sent over plain HTTP.
SECURE_COOKIE=false

# ============================================================================
# JWT Configuration (for jwt/both modes)
# ============================================================================
# Must be at least 32 characters in production
# NOTE(review): the placeholder below is longer than 32 characters, so it
# would pass a length-only check unchanged. Anyone who knows the signing
# secret can mint valid tokens; use a random value (for example
# `openssl rand -hex 32`) and do not reuse SESSION_SECRET here.
JWT_SECRET=your-jwt-secret-key-at-least-32-chars

# Optional: JWT issuer and audience for token validation
# Use values specific to this deployment so that tokens issued for another
# service or environment do not validate here.
JWT_ISSUER=your-app-name
JWT_AUDIENCE=your-app-audience

# Token expiry in hours (default: 24)
# A shorter lifetime shortens the window in which a leaked token is usable.
JWT_EXPIRY_HOURS=24

# ============================================================================
# OIDC Configuration (optional - requires auth-oidc feature)
# ============================================================================
# Your OIDC provider's issuer URL (e.g., Keycloak, Auth0, Zitadel)
OIDC_ISSUER=https://your-oidc-provider.com

# Client credentials from your OIDC provider
# OIDC_CLIENT_SECRET is a secret; the value below is a placeholder.
OIDC_CLIENT_ID=your-client-id
OIDC_CLIENT_SECRET=your-client-secret

# Callback URL (must match what's configured in your OIDC provider)
# http://localhost is for local development; use an https:// URL for any
# deployed instance and register that exact URL with the provider.
OIDC_REDIRECT_URL=http://localhost:3000/api/v1/auth/callback

# Optional: Resource ID for audience verification
# OIDC_RESOURCE_ID=your-resource-id

# ============================================================================
# CORS Configuration
# ============================================================================
# Comma-separated list of allowed origins
# List exact origins (scheme, host and port). The localhost entries below are
# development defaults; replace them with the real front-end origin(s) when
# deploying, and avoid wildcard origins where cookies or credentials are used.
CORS_ALLOWED_ORIGINS=http://localhost:5173,http://localhost:3000

# ============================================================================
# Production Mode
# ============================================================================
# Set to true/production/1 to enable production checks (secret length, etc.)
# While false, those checks are not enabled; set this to true on every
# deployed instance.
PRODUCTION=false