# vi: ft=sh
# shellcheck disable=SC2034

# http route prefix (will listen to $KEIBI_PREFIX/users for example)
KEIBI_PREFIX=""

# path of the private key used to sign jwts. If this is empty, a new one will be generated on startup
RSA_PRIVATE_KEY_PATH=""

# json object with the claims to add to every jwt (this is read when creating a new user)
EXTRA_CLAIMS='{}'
# json object with the claims to add to every jwt of the FIRST user (this can be used to mark the first user as admin).
# Those claims are merged with the `EXTRA_CLAIMS`.
FIRST_USER_CLAIMS='{"permissions": ["users.read", "users.write", "users.delete"]}'
# If this is not empty, calls to `/jwt` without an `Authorization` header will still create a jwt (with `null` in `sub`)
GUEST_CLAIMS=""
# Comma separated list of claims that users without the `user.write` permissions should NOT be able to edit
# (if you don't specify this an user could make themself administrator for example)
# PS: `permissions` is always a protected claim since keibi uses it for user.read/user.write
PROTECTED_CLAIMS="permissions"

# The url you can use to reach your kyoo instance. This is used during oidc to redirect users to your instance.
PUBLIC_URL=http://localhost:8901

# Database things
POSTGRES_USER=kyoo
POSTGRES_PASSWORD=password
POSTGRES_DB=kyoo
POSTGRES_SERVER=postgres
POSTGRES_PORT=5432
# Default is keibi, you can specify "disabled" to use the default search_path of the user.
#  If this is not "disabled", the schema will be created (if it does not exists) and
#  the search_path of the user will be ignored (only the schema specified will be used).
POSTGRES_SCHEMA=keibi