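---
# La Suite Numérique — Drive (drive chart).
#
# Env vars use the chart's dict-based envVars schema:
#   string value → rendered as env.value
#   map value    → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time; every value containing it
# is written as a quoted string so no YAML retyping can happen before sed runs.
#
# Required secrets (created by seed script):
#   oidc-drive               — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
#   drive-db-credentials     — password (VaultDynamicSecret, DB engine)
#   drive-django-secret      — DJANGO_SECRET_KEY (VaultStaticSecret)
#   seaweedfs-s3-credentials — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
#
# No credential is inlined here: every secret-bearing variable is a secretKeyRef.

fullnameOverride: drive

backend:
  livenessProbe:
    initialDelaySeconds: 15
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3
  readinessProbe:
    initialDelaySeconds: 15
    periodSeconds: 10
    timeoutSeconds: 5
    failureThreshold: 3

  createsuperuser:
    # No superuser — users authenticate via OIDC.
    # The chart always renders this Job; override command so it exits 0.
    command: ["true"]

  envVars: &backendEnvVars
    # ── Database ──────────────────────────────────────────────────────────
    DB_NAME: drive_db
    DB_USER: drive
    DB_HOST:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_HOST
    DB_PORT:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_PORT
    # Drive uses psycopg3 backend (no _psycopg2 suffix).
    DB_ENGINE: django.db.backends.postgresql
    DB_PASSWORD:
      secretKeyRef:
        name: drive-db-credentials
        key: password

    # ── Redis / Celery ────────────────────────────────────────────────────
    REDIS_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: REDIS_URL
    # Drive uses DJANGO_CELERY_BROKER_URL (not CELERY_BROKER_URL).
    DJANGO_CELERY_BROKER_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: CELERY_BROKER_URL

    # ── S3 (file storage) ─────────────────────────────────────────────────
    AWS_STORAGE_BUCKET_NAME: sunbeam-drive
    AWS_S3_ENDPOINT_URL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_ENDPOINT_URL
    AWS_S3_REGION_NAME:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_REGION_NAME
    AWS_DEFAULT_ACL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_DEFAULT_ACL
    # Drive uses AWS_S3_ACCESS_KEY_ID / AWS_S3_SECRET_ACCESS_KEY (with _S3_ prefix).
    AWS_S3_ACCESS_KEY_ID:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_ACCESS_KEY
    AWS_S3_SECRET_ACCESS_KEY:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_SECRET_KEY
    # Public S3 endpoint for browser-side presigned upload URLs.
    AWS_S3_DOMAIN_REPLACE: "https://s3.DOMAIN_SUFFIX"
    # Base URL for media file references so nginx auth proxy receives full paths.
    MEDIA_BASE_URL: "https://drive.DOMAIN_SUFFIX"

    # ── OIDC (Hydra) ──────────────────────────────────────────────────────
    OIDC_RP_CLIENT_ID:
      secretKeyRef:
        name: oidc-drive
        key: CLIENT_ID
    OIDC_RP_CLIENT_SECRET:
      secretKeyRef:
        name: oidc-drive
        key: CLIENT_SECRET
    OIDC_RP_SIGN_ALGO:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SIGN_ALGO
    OIDC_RP_SCOPES:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SCOPES
    OIDC_OP_JWKS_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_JWKS_ENDPOINT
    OIDC_OP_AUTHORIZATION_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_AUTHORIZATION_ENDPOINT
    OIDC_OP_TOKEN_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_TOKEN_ENDPOINT
    OIDC_OP_USER_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_USER_ENDPOINT
    OIDC_OP_LOGOUT_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_LOGOUT_ENDPOINT
    # Shared with the other La Suite apps through the lasuite-oidc-provider
    # ConfigMap; a change there affects TLS verification for every consumer.
    OIDC_VERIFY_SSL:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_VERIFY_SSL

    # ── Resource Server (Drive as OAuth2 RS for Messages integration) ─────
    OIDC_RESOURCE_SERVER_ENABLED: "True"
    # Hydra issuer URL — must match the `iss` claim in introspection responses.
    OIDC_OP_URL: "https://auth.DOMAIN_SUFFIX/"
    # Hydra token introspection endpoint (admin port — no client auth required).
    # Plain HTTP to the cluster-internal admin API: because that port needs no
    # client auth, the trust boundary is the cluster network itself.
    # NOTE(review): confirm a NetworkPolicy limits which pods can reach
    # hydra-admin:4445.
    OIDC_OP_INTROSPECTION_ENDPOINT: "http://hydra-admin.ory.svc.cluster.local:4445/admin/oauth2/introspect"
    # Drive authenticates to Hydra introspection using its own OIDC client creds.
    OIDC_RS_CLIENT_ID:
      secretKeyRef:
        name: oidc-drive
        key: CLIENT_ID
    OIDC_RS_CLIENT_SECRET:
      secretKeyRef:
        name: oidc-drive
        key: CLIENT_SECRET
    # Only accept tokens issued to the messages OAuth2 client (ListValue, comma-separated).
    # Pinning the audience is what keeps a token minted for another client from
    # being accepted by Drive's API; do not widen this list to "any client".
    OIDC_RS_ALLOWED_AUDIENCES:
      secretKeyRef:
        name: oidc-messages
        key: CLIENT_ID

    # ── Django ────────────────────────────────────────────────────────────
    DJANGO_SECRET_KEY:
      secretKeyRef:
        name: drive-django-secret
        key: DJANGO_SECRET_KEY
    DJANGO_CONFIGURATION: Production
    # ALLOWED_HOSTS and DJANGO_ALLOWED_HOSTS are both set; keep them in sync.
    ALLOWED_HOSTS: "drive.DOMAIN_SUFFIX"
    DJANGO_ALLOWED_HOSTS: "drive.DOMAIN_SUFFIX"
    DJANGO_CSRF_TRUSTED_ORIGINS: "https://drive.DOMAIN_SUFFIX"
    LOGIN_REDIRECT_URL: "/"
    LOGOUT_REDIRECT_URL: "/"
    SESSION_COOKIE_AGE: "3600"
    # Session cache TTL must match SESSION_COOKIE_AGE; default is 30s which
    # causes sessions to expire in Valkey while the cookie remains valid.
    CACHES_SESSION_TIMEOUT: "3600"
    # Silent login disabled: the callback redirects back to the returnTo URL
    # (not LOGIN_REDIRECT_URL) on login_required, causing an infinite reload loop
    # when the user has no Hydra session. UserProfile shows a Login button instead.
    FRONTEND_SILENT_LOGIN_ENABLED: "false"
    # Redirect unauthenticated visitors at / straight to OIDC login instead of
    # showing the La Suite marketing landing page. returnTo brings them to
    # their files after successful auth. The returnTo target is a fixed,
    # same-origin path (URL-encoded), not user-controlled input.
    FRONTEND_EXTERNAL_HOME_URL: "https://drive.DOMAIN_SUFFIX/api/v1.0/authenticate/?returnTo=https%3A%2F%2Fdrive.DOMAIN_SUFFIX%2Fexplorer%2Fitems%2Fmy-files"
    # Allow Messages to call Drive SDK relay cross-origin.
    # Keep both lists to the exact origins that need access; no wildcards.
    SDK_CORS_ALLOWED_ORIGINS: "https://mail.DOMAIN_SUFFIX"
    CORS_ALLOWED_ORIGINS: "https://mail.DOMAIN_SUFFIX"
    # Allow all file types — self-hosted instance, no need to restrict uploads.
    # NOTE(review): with no type restriction, HTML/SVG uploads are accepted;
    # confirm the media path serves them as attachments / with nosniff so an
    # uploaded document cannot run script on the drive origin.
    RESTRICT_UPLOAD_FILE_TYPE: "False"

    # ── Frontend theming ──────────────────────────────────────────────────
    # Inject Sunbeam theme CSS from the integration service.
    FRONTEND_CSS_URL: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"

    # ── WOPI / Collabora ──────────────────────────────────────────────────
    # Comma-separated list of enabled WOPI client names.
    WOPI_CLIENTS: collabora
    # Discovery XML endpoint — Collabora registers supported MIME types here.
    # Cluster-internal plain HTTP, same trust model as the Hydra admin port.
    WOPI_COLLABORA_DISCOVERY_URL: "http://collabora.lasuite.svc.cluster.local:9980/hosting/discovery"
    # Base URL Drive uses when building wopi_src callback URLs for Collabora.
    WOPI_SRC_BASE_URL: "https://drive.DOMAIN_SUFFIX"

  # NOTE(review): the nesting of themeCustomization / file_content / waffle
  # below was reconstructed from a layout-collapsed source — confirm it
  # against the chart's values.yaml before relying on it.
  themeCustomization:
    enabled: true
    file_content:
      css_url: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
      waffle:
        apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
        widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
        label: "O Estúdio"
        closeLabel: "Fechar"
        newWindowLabelSuffix: " · nova janela"

# All ingresses rendered by the chart are disabled.
ingress:
  enabled: false
ingressAdmin:
  enabled: false
ingressMedia:
  enabled: false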