# Non-secret environment settings for the Messages (Django) deployment in the
# "lasuite" namespace. No passwords or tokens are defined here; the comments
# below refer to credentials being supplied separately.
# NOTE(review): DOMAIN_SUFFIX looks like a placeholder substituted at deploy
# time. Confirm it is replaced before apply: the host allow-lists, CSRF origins
# and redirect targets below are only meaningful with the real domain.
apiVersion: v1
kind: ConfigMap
metadata:
  name: messages-config
  namespace: lasuite
data:
  DJANGO_CONFIGURATION: Production
  DJANGO_SETTINGS_MODULE: messages.settings
  # Host-header allow-list: the public name plus the in-cluster service name.
  # Both keys carry the same value; keep them in sync and limited to exact names.
  DJANGO_ALLOWED_HOSTS: mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local
  ALLOWED_HOSTS: mail.DOMAIN_SUFFIX,messages-backend.lasuite.svc.cluster.local
  # Only the HTTPS public origin is trusted for CSRF-protected requests.
  DJANGO_CSRF_TRUSTED_ORIGINS: https://mail.DOMAIN_SUFFIX
  # Database name and user only; the password is not part of this ConfigMap
  # (presumably injected from a Secret; confirm in the deployment).
  DB_NAME: messages_db
  DB_USER: messages
  # NOTE(review): the in-cluster endpoints in this file (OpenSearch, MDA API,
  # rspamd, SeaweedFS) use plain http://. Confidentiality and integrity on these
  # links then depend on cluster-level controls such as NetworkPolicy or
  # service-mesh mTLS. Confirm those are in place for the data and storage
  # namespaces.
  OPENSEARCH_URL: http://opensearch.data.svc.cluster.local:9200
  MDA_API_BASE_URL: http://messages-backend.lasuite.svc.cluster.local:80/api/v1.0/
  MYHOSTNAME: mail.DOMAIN_SUFFIX
  # rspamd URL (auth token injected separately from messages-mpa-credentials secret)
  SPAM_RSPAMD_URL: http://messages-mpa.lasuite.svc.cluster.local:8010/_api
  MESSAGES_FRONTEND_BACKEND_SERVER: messages-backend.lasuite.svc.cluster.local:80
  # Object storage buckets and endpoint; access keys are not defined here.
  STORAGE_MESSAGE_IMPORTS_BUCKET_NAME: sunbeam-messages-imports
  STORAGE_MESSAGE_IMPORTS_ENDPOINT_URL: http://seaweedfs-filer.storage.svc.cluster.local:8333
  AWS_STORAGE_BUCKET_NAME: sunbeam-messages
  IDENTITY_PROVIDER: oidc
  FRONTEND_THEME: default
  DRIVE_BASE_URL: https://drive.DOMAIN_SUFFIX
  LOGIN_REDIRECT_URL: https://mail.DOMAIN_SUFFIX
  LOGOUT_REDIRECT_URL: https://mail.DOMAIN_SUFFIX
  # JSON list passed as a string (ConfigMap values must be strings).
  # NOTE(review): the entry includes the scheme. Confirm the consuming setting
  # compares full origins rather than bare hostnames, otherwise this redirect
  # allow-list will not match as intended.
  OIDC_REDIRECT_ALLOWED_HOSTS: '["https://auth.DOMAIN_SUFFIX"]'
  MTA_OUT_MODE: direct
  # Create user accounts on first OIDC login (required — no pre-provisioning)
  # NOTE(review): with auto-provisioning, who gets an account is decided by the
  # identity provider. Confirm sign-up and client access are restricted there.
  OIDC_CREATE_USER: "True"
  # Redirect to home on auth failure (avoids HttpResponseRedirect(None) → /callback/None 404)
  LOGIN_REDIRECT_URL_FAILURE: https://mail.DOMAIN_SUFFIX
  # Store OIDC tokens in session so the Drive integration can proxy requests on behalf of the user.
  # NOTE(review): this makes the session store hold bearer credentials. Combined
  # with the 7-day session below and a refresh token, a leaked session or a
  # readable session backend gives delegated access for that period. Confirm
  # server-side session storage, Secure/HttpOnly cookies, and refresh-token
  # revocation at the IdP on logout.
  OIDC_STORE_ACCESS_TOKEN: "True"
  OIDC_STORE_REFRESH_TOKEN: "True"
  # Session lives 7 days — long enough to survive overnight/weekend without re-auth.
  # Default is 43200 (12h) which forces a login after a browser restart.
  SESSION_COOKIE_AGE: "604800"
  # Renew the id token 60 s before it expires (access_token TTL = 1h).
  # Without this the default falls back to SESSION_COOKIE_AGE (7 days), which means
  # every request sees the 1h token as "expiring within 7 days" and triggers a
  # prompt=none renewal on every page load — causing repeated auth loops.
  OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS: "60"
  # offline_access scope is set directly in the deployment env (overrides lasuite-oidc-provider envFrom).