# your domain, e.g https://example.com
APP_URL=http://localhost:3000
PORT=3000

# minimum of 32 characters. Generate one with: openssl rand -hex 32
APP_SECRET=REPLACE_WITH_LONG_SECRET

JWT_TOKEN_EXPIRES_IN=30d

DATABASE_URL="postgresql://postgres:password@localhost:5432/docmost?schema=public"
REDIS_URL=redis://127.0.0.1:6379

# options: local | s3
STORAGE_DRIVER=local

# S3 driver config
AWS_S3_ACCESS_KEY_ID=
AWS_S3_SECRET_ACCESS_KEY=
AWS_S3_REGION=
AWS_S3_BUCKET=
AWS_S3_ENDPOINT=
AWS_S3_FORCE_PATH_STYLE=

# default: 50mb
FILE_UPLOAD_SIZE_LIMIT=

# options: smtp | postmark
MAIL_DRIVER=smtp
MAIL_FROM_ADDRESS=hello@example.com
MAIL_FROM_NAME=Docmost

# SMTP driver config
SMTP_HOST=127.0.0.1
SMTP_PORT=587
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_SECURE=false
SMTP_IGNORETLS=false

# Postmark driver config
POSTMARK_TOKEN=

# for custom drawio server
DRAWIO_URL=

# Gotenberg URL for server-side PDF export
GOTENBERG_URL=

DISABLE_TELEMETRY=false

# Enable debug logging in production (default: false)
DEBUG_MODE=false

# Log database queries
DEBUG_DB=false

# Log http requests
LOG_HTTP=false

# ─── Branding ──────────────────────────────────────────────────────────
# Le branding (nom, couleurs, logo) se gere desormais UNIQUEMENT via l'UI
# admin: /settings/branding (couleurs + nom workspace) et /settings/general
# (logo). Pas de variable d'env a definir ici. Le defaut hardcode est
# "AcadeDoc" + bleu #2563eb / violet #7c3aed.

# ─── SMTP Brevo (recommande pour AcadeDoc) ─────────────────────────────
# Compte Brevo : https://app.brevo.com/settings/keys/smtp
# Pas le mot de passe du compte — generer une "SMTP key" dans le dashboard.
# Plan free Brevo : 300 emails/jour (suffisant pour usage interne).
#
# MAIL_DRIVER=smtp
# SMTP_HOST=smtp-relay.brevo.com
# SMTP_PORT=587
# SMTP_USERNAME=<login-email-brevo>
# SMTP_PASSWORD=<smtp-master-key-brevo>
# SMTP_SECURE=false
# SMTP_IGNORETLS=false
#
# MAIL_FROM_ADDRESS=noreply@acadenice.fr
# MAIL_FROM_NAME=AcadeDoc

# ─── OIDC (Authentik) — Bloc 4b ──────────────────────────────────────
# Disabled by default. Set OIDC_ENABLED=true and fill the block below
# to expose /api/auth/oidc/login and the SSO button on the login page.
#
# OIDC_ENABLED=true
# OIDC_ISSUER=https://auth.example.com/application/o/docadenice/
# OIDC_CLIENT_ID=
# OIDC_CLIENT_SECRET=
# OIDC_REDIRECT_URI=http://localhost:3000/api/auth/oidc/callback
# Authentik : 'groups' n'est pas un scope standard — les groups arrivent
# dans le claim 'groups' du scope 'profile' par defaut.
# OIDC_SCOPES=openid email profile
# OIDC_PROVIDER_NAME=Authentik
#
# Just-in-time provisioning for unknown emails. Strict by default — set
# to true to auto-create a user in the default workspace on first login.
# OIDC_AUTO_PROVISION=false
# OIDC_DEFAULT_WORKSPACE_ID=