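# Portal environment template.
# Copy to .env.local — never commit .env.local.
# One assignment per line: a '#' comments out the rest of its line, so a
# KEY=value that shares a line with a comment is not read.

# Public origin must match the browser URL (NPM host), not the LAN upstream IP.
# Apex: https://sankofa.nexus — or use https://portal.sankofa.nexus if that is your vhost.
NEXTAUTH_URL=https://sankofa.nexus
# Placeholder only. It is a valid non-empty string, so it will be accepted as the
# secret if left in place; replace it with the output of `openssl rand -base64 32`,
# generated separately for each environment.
NEXTAUTH_SECRET=generate-with-openssl-rand-base64-32

# Keycloak OIDC (optional). All three must be non-empty or the portal uses credentials only.
# NOTE(review): four KEYCLOAK_* variables are listed here; confirm which three the
# portal checks before relying on SSO being active.
KEYCLOAK_URL=https://keycloak.sankofa.nexus
# NOTE(review): "master" is Keycloak's administrative realm. Keycloak recommends a
# dedicated realm for applications and their users; confirm this default is intended.
KEYCLOAK_REALM=master
KEYCLOAK_CLIENT_ID=sankofa-portal
# Confidential-client secret. While it is empty, the local login below is what
# protects the portal.
KEYCLOAK_CLIENT_SECRET=

# Production email/password login when Keycloak client secret is not set (rotate after enabling SSO).
# The password below is a published placeholder: set a unique value before the
# portal is reachable, and keep it only in .env.local or a secret store.
PORTAL_LOCAL_LOGIN_EMAIL=portal@sankofa.nexus
PORTAL_LOCAL_LOGIN_PASSWORD=change-me-strong-password

# NEXT_PUBLIC_* values are inlined into the JavaScript sent to the browser, so
# every visitor can read them. Put no secrets here.
# NOTE(review): the *.svc.cluster.local hosts are cluster-internal names; they are
# disclosed to clients and will not resolve from a browser outside the cluster.
# Confirm these two are only used where that is acceptable.
NEXT_PUBLIC_CROSSPLANE_API=https://crossplane-api.crossplane-system.svc.cluster.local
NEXT_PUBLIC_ARGOCD_URL=https://argocd.sankofa.nexus
NEXT_PUBLIC_GRAFANA_URL=https://grafana.sankofa.nexus
NEXT_PUBLIC_LOKI_URL=https://loki.monitoring.svc.cluster.local:3100

# Cloudflare Turnstile (public site key). When set, unauthenticated Sign In is gated until the widget succeeds.
# Same widget can be paired with dbis_core IRU inquiry (VITE_CLOUDFLARE_TURNSTILE_SITE_KEY there). Not a DNS API key.
# NOTE(review): a site key on its own only drives the client-side widget; confirm the
# resulting token is also verified server-side, otherwise the gate can be skipped
# by calling the sign-in endpoint directly.
# NEXT_PUBLIC_CLOUDFLARE_TURNSTILE_SITE_KEY=

# IT inventory read API (proxmox Phase 0). Server-side only — do not use NEXT_PUBLIC_* for the key.
# Base URL of sankofa-it-read-api (e.g. http://192.168.11.11:8787 or internal NPM upstream).
# NOTE(review): the example URL is plain http, so the API key would presumably cross
# the LAN unencrypted on each request; prefer a TLS upstream or restrict this to a
# trusted network segment.
# IT_READ_API_URL=http://192.168.11.11:8787
# IT_READ_API_KEY=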