# Host port for the Tube Archivist web UI
TA_PORT=8000

# Public URL for Tube Archivist, including protocol and port
TA_HOST=http://localhost:8000

# Initial Tube Archivist credentials
TA_USERNAME=tubearchivist
TA_PASSWORD=your_secure_tubearchivist_password

# Elasticsearch password used by both Tube Archivist and archivist-es
ELASTIC_PASSWORD=your_secure_elasticsearch_password

# Host user/group ownership for downloaded files
HOST_UID=1000
HOST_GID=1000

# Timezone
TZ=UTC

# Host path for downloaded YouTube media
TA_YOUTUBE_PATH=/mnt/media/youtube

# Elasticsearch heap sizing; Tube Archivist recommends 1g for the default stack
ES_JAVA_OPTS=-Xms1g -Xmx1g

# LDAP authentication
# Modes: single | local | ldap | forwardauth | ldap_local
# ldap_local lets LDAP users sign in but keeps the local TA_USERNAME admin so
# you can promote LDAP users to staff/superuser. Switch to `ldap` once ready.
TA_LOGIN_AUTH_MODE=ldap_local

# Authentik LDAP outpost (komodo/auth/Authentik). Replace host with the
# Authentik LDAP outpost address reachable from the tubearchivist container
# (e.g. the Docker host's LAN IP or hostname). Use ldaps://...:6636 for TLS.
TA_LDAP_SERVER_URI=ldap://authentik-ldap.lan:3389
# Set to any non-empty value to skip certificate verification on LDAPS
TA_LDAP_DISABLE_CERT_CHECK=

# Service account configured in Authentik for the LDAP outpost search bind
TA_LDAP_BIND_DN=cn=ldap-bind,ou=users,dc=ldap,dc=goauthentik,dc=io
TA_LDAP_BIND_PASSWORD=your_secure_ldap_bind_password

# Search base and filter for users in the directory
TA_LDAP_USER_BASE=ou=users,dc=ldap,dc=goauthentik,dc=io
TA_LDAP_USER_FILTER=(objectClass=user)

# LDAP attribute mapping (Authentik LDAP outpost defaults to cn for username)
TA_LDAP_USER_ATTR_MAP_USERNAME=cn
TA_LDAP_USER_ATTR_MAP_PERSONALNAME=givenName
TA_LDAP_USER_ATTR_MAP_SURNAME=sn
TA_LDAP_USER_ATTR_MAP_EMAIL=mail

# Comma-separated lists of LDAP usernames auto-promoted on first login
TA_LDAP_PROMOTE_USERNAMES_TO_SUPERUSER=
TA_LDAP_PROMOTE_USERNAMES_TO_STAFF=