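# La Suite Numérique — Docs (impress chart).
# Env vars use the chart's dict-based envVars schema:
#   string value → rendered as env.value
#   map value    → rendered as env.valueFrom (configMapKeyRef / secretKeyRef)
# DOMAIN_SUFFIX is substituted by sed at deploy time.
#
# Required secrets (created by seed script):
#   oidc-docs                 — CLIENT_ID, CLIENT_SECRET (created by Hydra Maester)
#   docs-db-credentials       — password (VaultDynamicSecret, DB engine)
#   docs-django-secret        — DJANGO_SECRET_KEY (VaultStaticSecret)
#   seaweedfs-s3-credentials  — S3_ACCESS_KEY, S3_SECRET_KEY (shared)
#   docs-collaboration-secret — secret (referenced by backend and yProvider below)
#     NOTE(review): this file does not say what creates docs-collaboration-secret;
#     confirm it is provisioned alongside the others, or the pods will not start.
#
# Required ConfigMaps (referenced below, not defined here):
#   lasuite-postgres, lasuite-valkey, lasuite-s3, lasuite-oidc-provider
#
# NOTE(review): this layout was rebuilt from a whitespace-collapsed copy; verify
# the nesting (especially under themeCustomization.file_content) before deploying.

fullnameOverride: docs

backend:
  createsuperuser:
    # No superuser — users authenticate via OIDC.
    # The chart always renders this Job; override command so it exits 0.
    command: ["true"]

  # NOTE(review): no alias (*backendEnvVars) is visible in this file; drop the
  # anchor if nothing else consumes it.
  envVars: &backendEnvVars
    # ── Database ────────────────────────────────────────────────────────────
    DB_NAME: docs_db
    DB_USER: docs
    DB_HOST:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_HOST
    DB_PORT:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_PORT
    DB_ENGINE:
      configMapKeyRef:
        name: lasuite-postgres
        key: DB_ENGINE
    DB_PASSWORD:
      secretKeyRef:
        name: docs-db-credentials
        key: password

    # ── Redis / Celery ──────────────────────────────────────────────────────
    REDIS_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: REDIS_URL
    CELERY_BROKER_URL:
      configMapKeyRef:
        name: lasuite-valkey
        key: CELERY_BROKER_URL

    # ── S3 ──────────────────────────────────────────────────────────────────
    AWS_STORAGE_BUCKET_NAME: sunbeam-docs
    AWS_S3_ENDPOINT_URL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_ENDPOINT_URL
    AWS_S3_REGION_NAME:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_S3_REGION_NAME
    # The ACL value lives in the shared ConfigMap and is not visible here.
    # NOTE(review): confirm it resolves to a non-public ACL for document uploads.
    AWS_DEFAULT_ACL:
      configMapKeyRef:
        name: lasuite-s3
        key: AWS_DEFAULT_ACL
    # These S3 credentials are shared (see header), so any consumer of that
    # Secret can reach this bucket unless the S3 side scopes access per bucket.
    AWS_ACCESS_KEY_ID:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_ACCESS_KEY
    AWS_SECRET_ACCESS_KEY:
      secretKeyRef:
        name: seaweedfs-s3-credentials
        key: S3_SECRET_KEY

    # ── OIDC (Hydra) ────────────────────────────────────────────────────────
    OIDC_RP_CLIENT_ID:
      secretKeyRef:
        name: oidc-docs
        key: CLIENT_ID
    OIDC_RP_CLIENT_SECRET:
      secretKeyRef:
        name: oidc-docs
        key: CLIENT_SECRET
    OIDC_RP_SIGN_ALGO:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SIGN_ALGO
    OIDC_RP_SCOPES:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_RP_SCOPES
    OIDC_OP_JWKS_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_JWKS_ENDPOINT
    OIDC_OP_AUTHORIZATION_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_AUTHORIZATION_ENDPOINT
    OIDC_OP_TOKEN_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_TOKEN_ENDPOINT
    OIDC_OP_USER_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_USER_ENDPOINT
    OIDC_OP_LOGOUT_ENDPOINT:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_OP_LOGOUT_ENDPOINT
    # The value lives in the shared ConfigMap and is not visible here.
    # NOTE(review): confirm it is true for this Production configuration; when
    # false, the provider's TLS certificate is not verified.
    OIDC_VERIFY_SSL:
      configMapKeyRef:
        name: lasuite-oidc-provider
        key: OIDC_VERIFY_SSL

    # ── Django ──────────────────────────────────────────────────────────────
    DJANGO_SECRET_KEY:
      secretKeyRef:
        name: docs-django-secret
        key: DJANGO_SECRET_KEY
    DJANGO_CONFIGURATION: Production
    FRONTEND_THEME: estudio
    # Host-header and CSRF-origin allow-lists are pinned to the single public
    # hostname; keep all three in sync if the hostname changes.
    ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
    DJANGO_ALLOWED_HOSTS: docs.DOMAIN_SUFFIX
    DJANGO_CSRF_TRUSTED_ORIGINS: https://docs.DOMAIN_SUFFIX
    LOGIN_REDIRECT_URL: /
    LOGOUT_REDIRECT_URL: /
    FRONTEND_HOMEPAGE_FEATURE_ENABLED: "false"
    # Low cache timeout so theme changes propagate without pod restarts.
    THEME_CUSTOMIZATION_CACHE_TIMEOUT: "30"
    # 1h sessions: silent OIDC re-auth via Kratos keeps users logged in.
    # Lockout window: a disabled identity fails that re-auth, so it keeps
    # access only until its current session expires (at most 1h).
    SESSION_COOKIE_AGE: "3600"

    # ── Y-Provider ──────────────────────────────────────────────────────────
    # Shared secret for backend ↔ y-provider auth.
    COLLABORATION_SERVER_SECRET:
      secretKeyRef:
        name: docs-collaboration-secret
        key: secret
    # In-cluster plain HTTP. NOTE(review): the shared secret presumably
    # accompanies these requests; confirm pod-to-pod traffic is encrypted or
    # restricted by the cluster network layer (e.g. a NetworkPolicy).
    COLLABORATION_SERVER_URL: http://docs-y-provider.lasuite.svc.cluster.local:4444

  themeCustomization:
    enabled: true
    # La Gaufre v2: point at our self-hosted integration service.
    # DOMAIN_SUFFIX is substituted by kustomize_build at deploy time.
    # NOTE(review): the file header says sed performs this substitution; confirm
    # which step applies and align the two comments.
    # The stylesheet and widget script below are served by the integration
    # service and presumably load inside the Docs frontend, so that service
    # sits inside the Docs trust boundary; any Content-Security-Policy for the
    # frontend must allow integration.DOMAIN_SUFFIX and nothing broader.
    file_content:
      header:
        logo: {}
        icon:
          src: "https://integration.DOMAIN_SUFFIX/logos/docs.svg?v=2"
          style:
            width: "32px"
            height: "auto"
          alt: ""
          withTitle: true
      css_url: "https://integration.DOMAIN_SUFFIX/api/v2/theme.css"
      waffle:
        apiUrl: "https://integration.DOMAIN_SUFFIX/api/v2/services.json"
        widgetPath: "https://integration.DOMAIN_SUFFIX/api/v2/lagaufre.js"
        label: "O Estúdio"
        closeLabel: "Fechar"
        newWindowLabelSuffix: " · nova janela"

frontend:
  envVars:
    # NEXT_PUBLIC_* values are public endpoints; never place secrets under
    # this prefix.
    NEXT_PUBLIC_API_URL: https://docs.DOMAIN_SUFFIX
    NEXT_PUBLIC_COLLABORATION_WS_URL: wss://docs.DOMAIN_SUFFIX/collaboration/ws/

yProvider:
  envVars:
    # Shared secret so y-provider can verify requests from the backend.
    # Must reference the same Secret and key as backend.envVars above.
    COLLABORATION_SERVER_SECRET:
      secretKeyRef:
        name: docs-collaboration-secret
        key: secret
    # Impress backend URL for document access verification.
    # In-cluster plain HTTP, same caveat as COLLABORATION_SERVER_URL.
    APP_URL: http://docs-backend.lasuite.svc.cluster.local:80

# All chart-managed Ingress objects are disabled.
# NOTE(review): external routing is presumably defined outside this chart;
# confirm there that the admin path is not exposed more widely than intended.
ingress:
  enabled: false

ingressCollaborationWS:
  enabled: false

ingressAdmin:
  enabled: false

ingressMedia:
  enabled: false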