# =============================================================================
# PatchMon Environment Configuration For Docker
# =============================================================================
# Copy this file to .env and fill in the required values.
#
#   cp env.example .env
#
# Generate a separate strong secret for each variable (never reuse one) with:
#   openssl rand -hex 32   (for passwords)
#   openssl rand -hex 64   (for JWT secret)
#
# For full documentation, see: https://docs.patchmon.net
# =============================================================================


# =============================================================================
# REQUIRED - These MUST be set before starting PatchMon
# =============================================================================

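# Left blank on purpose: a template must not ship usable secrets. Any value
# published in an example file is known to everyone who has read it, so every
# deployment that copies it unchanged shares the same database password, Redis
# password and JWT signing secret (a known JWT_SECRET would let tokens be forged).
# Generate a fresh value per variable with the openssl commands in the header,
# keep the resulting .env out of version control, and restrict its file
# permissions to the deploying user.
# If a deployment ever ran with values copied from a shared example, rotate all three.
POSTGRES_PASSWORD=
REDIS_PASSWORD=
JWT_SECRET=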

# Server access - how agents and browsers reach PatchMon.
# CORS_ORIGIN should match the full URL you access PatchMon from in your browser
# (protocol://host:port, i.e. the three values below joined together).
# 192.168.20.226 is a private-network (RFC 1918) address specific to one
# deployment; replace it with your own host name or IP.
# NOTE(review): with SERVER_PROTOCOL=http, logins and tokens cross the network
# unencrypted. Outside an isolated lab, terminate TLS in front of PatchMon and
# set SERVER_PROTOCOL and CORS_ORIGIN to https (browsers ignore HSTS headers
# received over plain http).

SERVER_PROTOCOL=http
SERVER_HOST=192.168.20.226
SERVER_PORT=3030
CORS_ORIGIN=http://192.168.20.226:3030


# =============================================================================
# OPTIONAL - Uncomment and change any values below to override defaults
# =============================================================================

# --- Environment ---
# Set to 'development' for development mode, 'production' for production
# Development mode enables hot reload, more verbose logging, and dev tools,
# so keep 'production' on any instance that other people can reach.
# NODE_ENV=production

# --- Logging ---

# LOG_LEVEL=info
# ENABLE_LOGGING=true
# PM_LOG_TO_CONSOLE=false
# PM_LOG_REQUESTS_IN_DEV=false
# PRISMA_LOG_QUERIES=false


# --- Authentication ---

# JWT_EXPIRES_IN=1h
# JWT_REFRESH_EXPIRES_IN=7d
# SESSION_INACTIVITY_TIMEOUT_MINUTES=30
# DEFAULT_USER_ROLE=user

# --- Network ---

# ENABLE_HSTS=true

# TRUST_PROXY: Trust proxy headers when behind a reverse proxy (nginx, Apache, etc.)
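# SECURITY: Setting this to 'true' trusts X-Forwarded-* headers from any client,
# so the client IP the app sees (and any IP-based control that relies on it)
# can be spoofed. Use specific values instead: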
#   - '1' or 'loopback' for single trusted proxy (recommended for Docker)
#   - 'false' if not behind a reverse proxy
#   - See https://expressjs.com/en/guide/behind-proxies.html for advanced options
# TRUST_PROXY=1

# Multiple CORS origins (comma-separated). Only needed if PatchMon is accessed
# from more than one domain. Overrides CORS_ORIGIN above when set.
# CORS_ORIGINS=https://patchmon.example.com,https://patchmon-alt.example.com


# --- Body size limits ---

# JSON_BODY_LIMIT=5mb
# AGENT_UPDATE_BODY_LIMIT=2mb


# --- Timezone ---
# Controls timestamps in logs and the UI (e.g. UTC, Europe/London, America/New_York).

# TZ=UTC


# --- Database connection pool (Prisma) ---
# Adjust based on deployment size. See documentation for guidance.

# DB_CONNECTION_LIMIT=30
# DB_POOL_TIMEOUT=20
# DB_CONNECT_TIMEOUT=10
# DB_IDLE_TIMEOUT=300
# DB_MAX_LIFETIME=1800


# --- Database transaction timeouts (milliseconds) ---

# DB_TRANSACTION_MAX_WAIT=10000
# DB_TRANSACTION_TIMEOUT=30000
# DB_TRANSACTION_LONG_TIMEOUT=60000


# --- Database connection retry ---

# PM_DB_CONN_MAX_ATTEMPTS=30
# PM_DB_CONN_WAIT_INTERVAL=2


# --- Redis Configuration ---
# These settings control Redis connection and BullMQ job queue behavior.

# REDIS_HOST=redis
# REDIS_PORT=6379
# REDIS_USER=
# REDIS_DB=0

# Redis Connection Timeouts (milliseconds)
# Increase these if you see "Command timed out" errors
# Common causes: Redis memory pressure, slow disk I/O, connection pool exhaustion
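# Descriptions are kept on their own lines: some env-file parsers treat a
# trailing "# ..." as part of the value once the setting is uncommented.
# Time to wait for initial connection (default: 60s)
# REDIS_CONNECT_TIMEOUT_MS=60000
# Time to wait for Redis commands to complete (default: 60s)
# REDIS_COMMAND_TIMEOUT_MS=60000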
# 
# Note: enableReadyCheck is set to true by default to prevent commands from queueing
# before Redis is ready. This prevents timeout errors caused by command queueing.

# BullMQ Lock Configuration (milliseconds)
# These settings prevent "Missing lock" or "could not renew lock" errors when Redis is slow.
# lockDuration: How long a job can run before its lock expires (default: 120000 = 120s)
# lockRenewTime: How often to renew the lock to prevent expiration (default: 20000 = 20s)
# Increase lockDuration if you see lock expiration errors with long-running jobs
# Decrease lockRenewTime if lock renewals are timing out (must be < lockDuration and < REDIS_COMMAND_TIMEOUT_MS)
# BULLMQ_LOCK_DURATION_MS=120000
# BULLMQ_LOCK_RENEW_TIME_MS=20000


# --- Rate limiting (*_WINDOW_MS values in milliseconds; *_MAX values are counts per window) ---

# RATE_LIMIT_WINDOW_MS=900000
# RATE_LIMIT_MAX=5000
# AUTH_RATE_LIMIT_WINDOW_MS=600000
# AUTH_RATE_LIMIT_MAX=500
# AGENT_RATE_LIMIT_WINDOW_MS=60000
# AGENT_RATE_LIMIT_MAX=1000


# --- Password policy ---

# PASSWORD_MIN_LENGTH=8
# PASSWORD_REQUIRE_UPPERCASE=true
# PASSWORD_REQUIRE_LOWERCASE=true
# PASSWORD_REQUIRE_NUMBER=true
# PASSWORD_REQUIRE_SPECIAL=true
# PASSWORD_RATE_LIMIT_WINDOW_MS=900000
# PASSWORD_RATE_LIMIT_MAX=5

# --- Account lockout ---

# MAX_LOGIN_ATTEMPTS=5
# LOCKOUT_DURATION_MINUTES=15

# --- Two-Factor Authentication (TFA) ---

# MAX_TFA_ATTEMPTS=5
# TFA_LOCKOUT_DURATION_MINUTES=30
# TFA_REMEMBER_ME_EXPIRES_IN=30d
# TFA_MAX_REMEMBER_SESSIONS=5
# TFA_SUSPICIOUS_ACTIVITY_THRESHOLD=3


# --- OIDC / SSO ---
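# Set OIDC_ENABLED=true and fill in the provider details to enable SSO.
# OIDC_CLIENT_SECRET is a credential: keep it out of version control like the
# secrets in the REQUIRED section. OIDC_REDIRECT_URI must match the callback
# URL registered with the provider.
# NOTE: OIDC_AUTO_CREATE_USERS=true presumably creates an account on first SSO
# login - confirm in the documentation and limit who can sign in at the provider.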

# OIDC_ENABLED=false
# OIDC_ISSUER_URL=
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_REDIRECT_URI=https://patchmon.example.com/api/v1/auth/oidc/callback
# OIDC_SCOPES=openid email profile groups
# OIDC_AUTO_CREATE_USERS=true
# OIDC_DEFAULT_ROLE=user
# OIDC_DISABLE_LOCAL_AUTH=false
# OIDC_BUTTON_TEXT=Login with SSO

# OIDC group-to-role mapping
# OIDC_ADMIN_GROUP=PatchMon Admins
# OIDC_USER_GROUP=PatchMon Users
# OIDC_SYNC_ROLES=true

# --- Encryption ---
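# Used to encrypt sensitive data (e.g. AI provider keys) at rest.
# If not set, a key is derived automatically. Set an explicit value for
# consistent encryption across container restarts and replicas, and treat the
# values in this section as secrets (generate them with the openssl commands
# shown at the top of this file).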

# AI_ENCRYPTION_KEY=
# SESSION_SECRET=


