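# Environment file for a containerised Mastodon deployment (the commands
# below use docker-compose).
# Keep every comment on its own line: some env-file parsers treat text that
# follows a value on the same line as part of the value.
# Once filled in, this file holds credentials and signing keys. Keep it out of
# version control and readable only by the account that runs the containers.

# Service configuration
# ---------------------
LOCAL_DOMAIN=example.com
# Use 'true' since you have an external proxy (Pangolin/Nginx) handling TLS.
# This tells Mastodon to generate https:// links.
LOCAL_HTTPS=true
ALTERNATE_DOMAINS=localhost,127.0.0.1

# Trusted Proxy Configuration
# ---------------------------
# Allow Mastodon to trust headers (X-Forwarded-For, X-Forwarded-Proto) from your reverse proxy.
# The standard private ranges are allowed so the proxy's internal IP is trusted.
# NOTE(review): this trusts every host in those ranges, not only the proxy.
# Any of them that can reach the web container can supply its own
# X-Forwarded-For value, which becomes the client IP seen by the application.
# Once the proxy's address or container subnet is known, narrow the list to it.
TRUSTED_PROXY_IP=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

# OIDC / Authentik Integration
# ----------------------------
OIDC_ENABLED=true
OIDC_DISPLAY_NAME=Authentik
OIDC_DISCOVERY=true
# Fill these in from Authentik:
OIDC_ISSUER=https://auth.example.com/application/o/mastodon/
OIDC_AUTH_ENDPOINT=https://auth.example.com/application/o/authorize/
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_SCOPE=openid,profile,email
# Claim used to match an Authentik login to a Mastodon identity.
# NOTE(review): preferred_username is only a safe key if users cannot change
# their own username in Authentik; otherwise prefer an immutable claim. Confirm
# before going live.
OIDC_UID_FIELD=preferred_username
# Must match the redirect URI registered for this client in Authentik.
# NOTE(review): the host here is social.example.com while LOCAL_DOMAIN above is
# example.com. Confirm that the web UI is served on this host (WEB_DOMAIN).
OIDC_REDIRECT_URI=https://social.example.com/auth/auth/openid_connect/callback
# Automatically verify emails from Authentik.
# Mastodon then accepts the address in the token without confirming it itself,
# so only keep this on if Authentik verifies addresses and users cannot set an
# arbitrary one there.
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
# To force users to log in with Authentik only:
# OMNIAUTH_ONLY=true

# Database configuration
# ----------------------
DB_HOST=db
DB_PORT=5432
DB_NAME=mastodon_production
DB_USER=mastodon
# DB_PASS is used by the Mastodon application to connect.
# Set a strong value; it must equal POSTGRES_PASSWORD below.
DB_PASS=

# Postgres container configuration (must match above)
POSTGRES_USER=mastodon
POSTGRES_PASSWORD=
POSTGRES_DB=mastodon_production

# Redis configuration
# -------------------
REDIS_HOST=redis
REDIS_PORT=6379
# If you set a Redis password, also update REDIS_URL wherever it is defined
# (this file does not set one).
# Without a password, Redis must be reachable only from the internal container network.
# REDIS_PASSWORD=

# Mastodon secrets
# ----------------
# Use `docker-compose run --rm web bundle exec rake secret` to generate new keys if needed.
# Generate new secrets for production! Run the command once per variable so
# that each key gets its own value.
SECRET_KEY_BASE=
OTP_SECRET=

# VAPID keys (for push notifications)
# Required. Generate with `docker-compose run --rm web bundle exec rake mastodon:webpush:generate_vapid_key`
VAPID_PRIVATE_KEY=
VAPID_PUBLIC_KEY=

# ActiveRecord Encryption (Rails 7+)
# ----------------------------------
# Required. Do not change these once data is encrypted in the DB.
# Generate these! `docker-compose run --rm web bin/rails db:encryption:init`
# prints a fresh set of all three.
# Back them up with the database: data encrypted with them cannot be read
# without them.
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=

# S3 / Object Storage (Optional)
# ------------------------------
# S3_ENABLED=true
# S3_BUCKET=
# AWS_ACCESS_KEY_ID=
# AWS_SECRET_ACCESS_KEY=
# S3_REGION=
# S3_PROTOCOL=https
# S3_HOSTNAME=

# SMTP / Email
# ------------
SMTP_SERVER=smtp.gmail.com
SMTP_PORT=587
SMTP_LOGIN=notifications@example.com
SMTP_PASSWORD=
SMTP_FROM_ADDRESS=notifications@example.com
# PLAIN sends the password as-is, so it relies on the STARTTLS upgrade on port 587.
SMTP_AUTH_METHOD=plain
# Accepted values are none, peer, client_once and fail_if_no_peer_cert.
# 'require' is not one of them and the mailer cannot resolve it to an OpenSSL
# verify mode. 'peer' verifies the server certificate.
SMTP_OPENSSL_VERIFY_MODE=peer
# SMTP_ENABLE_STARTTLS_AUTO=true

# Application defaults
# --------------------
RAILS_ENV=production
NODE_ENV=production
RAILS_SERVE_STATIC_FILES=true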