# Traefik Upstream Mode Configuration
# Connect to an existing external Traefik instance
#
# Prerequisites:
#   1. External Traefik instance must be running
#   2. External network must exist: docker network create traefik-public
#   3. Copy docker-compose.override.yml.example to docker-compose.override.yml
#   4. Uncomment upstream mode network configuration in override file
#
# Usage:
#   cp .env.traefik-upstream.example .env
#   docker compose up -d

# ======================
# Traefik Configuration
# ======================
TRAEFIK_MODE=upstream
TRAEFIK_ENABLE=true
TRAEFIK_ENTRYPOINT=websecure
TRAEFIK_DOCKER_NETWORK=traefik-public
TRAEFIK_NETWORK=traefik-public

# Domain configuration
# These domains must be configured in your DNS or /etc/hosts
MOSAIC_API_DOMAIN=api.mosaic.uscllc.com
MOSAIC_WEB_DOMAIN=mosaic.uscllc.com
MOSAIC_AUTH_DOMAIN=auth.mosaic.uscllc.com

# TLS/SSL Configuration
TRAEFIK_TLS_ENABLED=true
# ACME/Certresolver managed by upstream Traefik
TRAEFIK_CERTRESOLVER=

# ======================
# Application Ports (not exposed when using Traefik)
# ======================
# These ports are only used internally within Docker network
API_PORT=3001
WEB_PORT=3000

# ======================
# PostgreSQL Database
# ======================
POSTGRES_USER=mosaic
POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
POSTGRES_DB=mosaic
POSTGRES_PORT=5432

# ======================
# Valkey Cache
# ======================
VALKEY_PORT=6379
VALKEY_MAXMEMORY=256mb

# ======================
# Authentication (Authentik OIDC)
# ======================
OIDC_ISSUER=https://auth.mosaic.uscllc.com/application/o/mosaic-stack/
OIDC_CLIENT_ID=your-client-id-here
OIDC_CLIENT_SECRET=your-client-secret-here
OIDC_REDIRECT_URI=https://api.mosaic.uscllc.com/auth/callback

# Authentik Configuration
AUTHENTIK_SECRET_KEY=REPLACE_WITH_RANDOM_SECRET_MINIMUM_50_CHARS
AUTHENTIK_BOOTSTRAP_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
AUTHENTIK_BOOTSTRAP_EMAIL=admin@localhost
AUTHENTIK_COOKIE_DOMAIN=.mosaic.uscllc.com

AUTHENTIK_POSTGRES_USER=authentik
AUTHENTIK_POSTGRES_PASSWORD=REPLACE_WITH_SECURE_PASSWORD
AUTHENTIK_POSTGRES_DB=authentik

# ======================
# JWT Configuration
# ======================
JWT_SECRET=REPLACE_WITH_RANDOM_SECRET_MINIMUM_32_CHARS
JWT_EXPIRATION=24h

# ======================
# Docker Compose Profiles
# ======================
# Enable optional services (do NOT enable traefik-bundled in upstream mode)
COMPOSE_PROFILES=authentik