# =============================================================================
# Meldestelle - Production Environment Variables Template
# =============================================================================
# This file contains all necessary environment variables for running the
# Meldestelle application in a PRODUCTION environment.
#
# IMPORTANT SECURITY NOTES:
# - Copy this file to .env.prod and fill in actual production values
# - NEVER commit .env.prod to version control
# - Use strong, randomly generated passwords
# - Rotate secrets regularly
# - Store secrets securely (e.g., using secret management systems)
#
# Every value marked CHANGE_ME_* below is a placeholder, not a default. A
# deployment that still contains the string CHANGE_ME is misconfigured; a
# pre-deploy grep for "CHANGE_ME" in .env.prod is a cheap guard against that.
#
# Quoting: most values are unquoted single tokens and load identically in a
# shell and in dotenv/Compose-style loaders. The few single-quoted values
# (APP_DESCRIPTION, *_BACKUP_SCHEDULE) contain spaces; whether the quotes are
# stripped or kept as part of the value depends on the loader in use — confirm
# against the loader that reads .env.prod.
# =============================================================================

# =============================================================================
# APPLICATION CONFIGURATION
# =============================================================================

# Server Configuration
# 0.0.0.0 binds every interface of the container/host. Presumably the API is
# fronted by the TLS-terminating reverse proxy that serves API_HOSTNAME (see
# SSL/TLS HOSTNAMES below); do not publish API_PORT directly — confirm.
API_HOST=0.0.0.0
API_PORT=8081

# Application Information
APP_NAME=Meldestelle
APP_VERSION=1.0.0
APP_DESCRIPTION='Pferdesport Meldestelle System'

# Environment
APP_ENVIRONMENT=production

# =============================================================================
# DATABASE CONFIGURATION (PostgreSQL)
# =============================================================================

# Database Connection (application side)
DB_HOST=postgres
DB_PORT=5432
DB_NAME=meldestelle_prod
DB_USER=meldestelle_prod
# CHANGE THIS: Use a strong, randomly generated password
DB_PASSWORD=CHANGE_ME_STRONG_DB_PASSWORD_HERE

# Connection Pool Settings
DB_MAX_POOL_SIZE=20
DB_MIN_POOL_SIZE=10
# Schema migrations are not applied automatically at startup in production;
# run them as a separate, reviewed step.
DB_AUTO_MIGRATE=false

# PostgreSQL Docker Service Configuration
# NOTE(review): POSTGRES_USER is the bootstrap (superuser) account of the
# postgres image, and DB_USER/DB_PASSWORD above are the same account, so the
# application connects with superuser rights. A dedicated least-privilege role
# for the application would be preferable — keep the two pairs in sync only
# as long as the same account is intentionally shared.
POSTGRES_USER=meldestelle_prod
# CHANGE THIS: Use the same strong password as DB_PASSWORD
POSTGRES_PASSWORD=CHANGE_ME_STRONG_DB_PASSWORD_HERE
POSTGRES_DB=meldestelle_prod

# =============================================================================
# REDIS CONFIGURATION
# =============================================================================

# CHANGE THIS: Use a strong, randomly generated password
# REDIS_EVENT_STORE_HOST and REDIS_CACHE_HOST below both point at the same
# "redis" service and no per-user ACL is configured here, so REDIS_PASSWORD,
# REDIS_EVENT_STORE_PASSWORD and REDIS_CACHE_PASSWORD must carry the same value.
REDIS_PASSWORD=CHANGE_ME_STRONG_REDIS_PASSWORD_HERE

# Redis Event Store Configuration
REDIS_EVENT_STORE_HOST=redis
REDIS_EVENT_STORE_PORT=6379
REDIS_EVENT_STORE_PASSWORD=CHANGE_ME_STRONG_REDIS_PASSWORD_HERE
# Logical database index; the cache below uses a different index (1).
REDIS_EVENT_STORE_DATABASE=0
# Timeouts: unit is not stated in this file — presumably milliseconds, confirm
# against the Redis client configuration.
REDIS_EVENT_STORE_CONNECTION_TIMEOUT=5000
REDIS_EVENT_STORE_READ_TIMEOUT=5000
REDIS_EVENT_STORE_USE_POOLING=true
REDIS_EVENT_STORE_MAX_POOL_SIZE=20
REDIS_EVENT_STORE_MIN_POOL_SIZE=5
REDIS_EVENT_STORE_CONSUMER_GROUP=event-processors-prod
REDIS_EVENT_STORE_CONSUMER_NAME=event-consumer-prod
# Stream key prefix; the trailing colon is part of the value.
REDIS_EVENT_STORE_STREAM_PREFIX=event-stream:
REDIS_EVENT_STORE_ALL_EVENTS_STREAM=all-events
# ISO-8601 durations: 5 minutes idle before a pending entry may be claimed,
# 1 second per poll.
REDIS_EVENT_STORE_CLAIM_IDLE_TIMEOUT=PT5M
REDIS_EVENT_STORE_POLL_TIMEOUT=PT1S
REDIS_EVENT_STORE_MAX_BATCH_SIZE=50
REDIS_EVENT_STORE_CREATE_CONSUMER_GROUP_IF_NOT_EXISTS=true

# Redis Cache Configuration
REDIS_CACHE_HOST=redis
REDIS_CACHE_PORT=6379
REDIS_CACHE_PASSWORD=CHANGE_ME_STRONG_REDIS_PASSWORD_HERE
REDIS_CACHE_DATABASE=1
# Presumably milliseconds — confirm (see event store timeouts above).
REDIS_CACHE_CONNECTION_TIMEOUT=5000
REDIS_CACHE_READ_TIMEOUT=5000

# =============================================================================
# SECURITY CONFIGURATION
# =============================================================================

# JWT Configuration
# CHANGE THIS: Use a strong, randomly generated secret (at least 256 bits)
# The issuer/audience/realm values are embedded in and checked against issued
# tokens; changing them after go-live invalidates tokens already in circulation.
JWT_SECRET=CHANGE_ME_STRONG_JWT_SECRET_AT_LEAST_256_BITS_HERE
JWT_ISSUER=meldestelle-api-prod
JWT_AUDIENCE=meldestelle-clients-prod
JWT_REALM=meldestelle-prod

# API Key for internal services
# CHANGE THIS: Use a strong, randomly generated API key
# Must differ from every other secret in this file (see SECURITY NOTES, item 3).
API_KEY=CHANGE_ME_STRONG_API_KEY_HERE

# =============================================================================
# KEYCLOAK CONFIGURATION
# =============================================================================

# Keycloak Admin Configuration
# CHANGE THIS: Use strong admin credentials
# Both the username and the password are placeholders; a predictable admin
# username (e.g. "admin") is not a replacement for choosing one here.
KEYCLOAK_ADMIN=CHANGE_ME_ADMIN_USERNAME
KEYCLOAK_ADMIN_PASSWORD=CHANGE_ME_STRONG_ADMIN_PASSWORD_HERE

# Keycloak Hostname (your production domain)
KC_HOSTNAME=auth.yourdomain.com

# Keycloak Database Configuration
# NOTE(review): the keycloak_prod database and keycloak_prod role are not the
# ones created via POSTGRES_DB/POSTGRES_USER above; they are presumably
# provisioned by a database init script — confirm, and keep KC_DB_PASSWORD
# distinct from DB_PASSWORD.
KC_DB=postgres
KC_DB_URL=jdbc:postgresql://postgres:5432/keycloak_prod
KC_DB_USERNAME=keycloak_prod
# CHANGE THIS: Use a strong password for Keycloak DB user
KC_DB_PASSWORD=CHANGE_ME_STRONG_KEYCLOAK_DB_PASSWORD_HERE

# =============================================================================
# SERVICE DISCOVERY CONFIGURATION
# =============================================================================

# Consul Configuration (if used)
CONSUL_HOST=consul
CONSUL_PORT=8500

# Service Discovery Settings
SERVICE_DISCOVERY_ENABLED=true
SERVICE_DISCOVERY_REGISTER_SERVICES=true
# Path the registry probes; it must therefore be reachable by the registry
# without user credentials — keep it free of sensitive detail.
SERVICE_DISCOVERY_HEALTH_CHECK_PATH=/health
# Unit not stated here — presumably seconds, confirm.
SERVICE_DISCOVERY_HEALTH_CHECK_INTERVAL=30

# =============================================================================
# MESSAGING CONFIGURATION (Kafka)
# =============================================================================

# Zookeeper Configuration
ZOOKEEPER_CLIENT_PORT=2181

# Kafka Configuration
KAFKA_BROKER_ID=1
# Mirrors ZOOKEEPER_CLIENT_PORT; no variable interpolation is assumed, so
# change both together.
KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181

# =============================================================================
# MONITORING CONFIGURATION
# =============================================================================

# Grafana Configuration
# CHANGE THIS: Use strong admin credentials
GF_SECURITY_ADMIN_USER=CHANGE_ME_GRAFANA_ADMIN_USERNAME
GF_SECURITY_ADMIN_PASSWORD=CHANGE_ME_STRONG_GRAFANA_PASSWORD_HERE

# Grafana Hostname (your production domain)
GRAFANA_HOSTNAME=monitoring.yourdomain.com

# Prometheus Hostname (your production domain)
PROMETHEUS_HOSTNAME=metrics.yourdomain.com

# Metrics Authentication
# CHANGE THIS: Use strong credentials for metrics endpoints
# Metrics endpoints expose internal operational detail; these credentials
# gate them and must not be shared with the Grafana admin login.
METRICS_AUTH_USERNAME=CHANGE_ME_METRICS_USERNAME
METRICS_AUTH_PASSWORD=CHANGE_ME_STRONG_METRICS_PASSWORD_HERE

# =============================================================================
# LOGGING CONFIGURATION
# =============================================================================

# Logging Level (INFO or WARN for production)
LOGGING_LEVEL=INFO

# Request/Response Logging (disable sensitive data logging in production)
# Headers and bodies can carry tokens, session cookies and personal data;
# all six stay false in production.
LOGGING_REQUESTS=false
LOGGING_RESPONSES=false
LOGGING_REQUEST_HEADERS=false
LOGGING_REQUEST_BODY=false
LOGGING_RESPONSE_HEADERS=false
LOGGING_RESPONSE_BODY=false

# Structured Logging
LOGGING_STRUCTURED=true
LOGGING_CORRELATION_ID=true
# Header whose value is echoed into log records as the request id.
LOGGING_REQUEST_ID_HEADER=X-Request-ID

# Log Sampling (enable for high-traffic production)
# Sampling drops log lines, which also thins the audit trail; the threshold
# presumably expresses requests per unit time and the rate is either a percent
# or a 1-in-N factor — this file does not say which, confirm before tuning.
LOGGING_SAMPLING_ENABLED=true
LOGGING_SAMPLING_RATE=10
LOGGING_SAMPLING_HIGH_TRAFFIC_THRESHOLD=1000

# =============================================================================
# CORS CONFIGURATION
# =============================================================================

# CORS Settings (restrict to your production domains)
# Comma-separated list of exact origins (scheme + host). Never add "*" or an
# http:// origin here.
SERVER_CORS_ENABLED=true
SERVER_CORS_ALLOWED_ORIGINS=https://yourdomain.com,https://www.yourdomain.com

# =============================================================================
# RATE LIMITING CONFIGURATION
# =============================================================================

# Rate Limiting (more restrictive for production)
# 1000 requests per 1-minute window, globally.
RATELIMIT_ENABLED=true
RATELIMIT_GLOBAL_LIMIT=1000
RATELIMIT_GLOBAL_PERIOD_MINUTES=1
# Adds rate-limit headers to responses so clients can back off.
RATELIMIT_INCLUDE_HEADERS=true

# =============================================================================
# PRODUCTION SPECIFIC SETTINGS
# =============================================================================

# Development Tools (disabled in production)
DEV_HOT_RELOAD=false
DEBUG_MODE=false

# =============================================================================
# SSL/TLS HOSTNAMES
# =============================================================================

# Configure these with your actual production domain names

# Main application hostname
APP_HOSTNAME=app.yourdomain.com

# API hostname
API_HOSTNAME=api.yourdomain.com

# =============================================================================
# BACKUP AND MAINTENANCE
# =============================================================================

# Database backup settings
# Schedules are cron expressions (quoted because of the spaces): daily at 02:00.
DB_BACKUP_ENABLED=true
DB_BACKUP_SCHEDULE='0 2 * * *'
DB_BACKUP_RETENTION_DAYS=30

# Redis backup settings
# Daily at 03:00. No retention setting is defined here for Redis backups —
# presumably defaulted elsewhere, confirm.
REDIS_BACKUP_ENABLED=true
REDIS_BACKUP_SCHEDULE='0 3 * * *'

# =============================================================================
# SECURITY NOTES
# =============================================================================
# 1. Generate strong passwords using: openssl rand -base64 32
# 2. Generate JWT secrets using: openssl rand -base64 64
# 3. Use different passwords for each service
# 4. Store the filled-in .env.prod securely and never commit it to version control
# 5. Rotate passwords regularly
# 6. Use a secret management system in production (e.g., HashiCorp Vault)
# 7. Enable audit logging for all services
# 8. Monitor for security events
# 9. Keep all services updated with security patches
# 10. Use network segmentation and firewalls
# =============================================================================