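# =============================================================================
# 🔐 Siro Project - Secure Environment Configuration
# =============================================================================
# ⚠️ CRITICAL: NEVER commit this file to Git!
# Add .env to .gitignore immediately
#
# Format: one KEY=value per line, comments on their own line starting with '#'.
# Do not append comments to a value line; many dotenv/INI parsers keep the
# trailing text as part of the value.
# Keys with an empty value are secrets or credentials; they appear to be
# placeholders to fill in at deploy time.
# Generate a separate random value for each secret; do not reuse one value
# across ENC_KEY, JWT_SECRET, the HMAC secrets and the API keys.
# =============================================================================

# =============================================================================
# Database Configuration - MAIN DATABASE
# =============================================================================
DB_HOST=localhost
DB_PORT=3306
DB_NAME=siro_main
DB_USER=siro_user
# Must be set before use; empty here.
DB_PASS=

# =============================================================================
# Encryption Configuration - CRITICAL FOR SECURITY
# =============================================================================
# 🔐 Generate 32-character hex key: openssl rand -hex 16
# NOTE(review): `openssl rand -hex 16` yields 16 random bytes (128 bits)
# printed as 32 hex characters. If the application passes the 32-character
# string itself to a 256-bit cipher, the key still carries only 128 bits of
# entropy. Confirm the cipher and key decoding in the encryption code.
ENC_KEY=
# NOTE(review): both ENC_KEY and a key-file path are defined; which one the
# application reads is not visible here. Confirm, and give the key file the
# same restrictive permissions as this file.
ENCRYPTION_KEY_PATH=/home/siro-api/env/.encryption_key

# =============================================================================
# JWT Configuration
# =============================================================================
# HS256 is a symmetric algorithm: any holder of JWT_SECRET can both verify and
# issue tokens. Use at least 256 bits of random data (RFC 7518 section 3.2),
# e.g. openssl rand -base64 32
JWT_SECRET=
JWT_ALGORITHM=HS256
# Token lifetimes, presumably in seconds. Confirm against the token code.
JWT_EXPIRY=3600
JWT_REFRESH_EXPIRY=86400

# =============================================================================
# Redis Configuration
# =============================================================================
REDIS_HOST=localhost
REDIS_PORT=6379
# Empty here. Set a password even for a localhost-only instance.
REDIS_AUTH=
REDIS_DB=0

# =============================================================================
# Rate Limiter Configuration
# =============================================================================
# Limits are a count per window; windows are presumably in seconds.
# Confirm against the rate limiter.
RATE_LIMIT_LOGIN_ATTEMPTS=5
RATE_LIMIT_LOGIN_WINDOW=300
RATE_LIMIT_API_REQUESTS=100
RATE_LIMIT_API_WINDOW=60

# =============================================================================
# Wallet Configuration - S2S API
# =============================================================================
WALLET_API_URL=https://walletintaleq.intaleq.xyz/v2/main/
# 🔐 Generate HMAC secret: openssl rand -base64 32
WALLET_HMAC_SECRET=
BACKEND_ID=siromove-backend-01
# Comma-separated list, no spaces.
ALLOWED_BACKEND_IDS=siromove-backend-01,siromove-backend-02

# =============================================================================
# Socket/Location Server Configuration
# =============================================================================
# Comma-separated list, no spaces. Keep every entry on https://.
ALLOWED_SOCKET_URLS=https://location.siromove.com,https://socket.siromove.com
SOCKET_API_TIMEOUT=10
SOCKET_INTERNAL_KEY=

# =============================================================================
# CORS Configuration
# =============================================================================
# Explicit origin list (comma-separated). Do not replace it with a wildcard
# on an API that accepts the Authorization header.
CORS_ALLOWED_ORIGINS=https://siromove.com,https://www.siromove.com
CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
CORS_ALLOWED_HEADERS=Content-Type,Authorization

# =============================================================================
# Logging Configuration
# =============================================================================
LOG_LEVEL=info
LOG_PATH=/var/log/siro-api/
# Security events go to their own directory. Restrict read access to it.
SECURITY_LOG_PATH=/var/log/siro-api/security/

# =============================================================================
# Firebase Configuration
# =============================================================================
FIREBASE_PROJECT_ID=siro-project
FIREBASE_API_KEY=

# =============================================================================
# SMS Configuration (for OTP)
# =============================================================================
SMS_PROVIDER=twilio
SMS_API_KEY=
SMS_API_SECRET=

# =============================================================================
# Email Configuration
# =============================================================================
MAIL_HOST=smtp.gmail.com
# 587 is the mail submission port, normally used with STARTTLS. No encryption
# setting is defined in this file; confirm the mailer refuses to send
# credentials over an unencrypted connection.
MAIL_PORT=587
MAIL_USER=
MAIL_PASS=

# =============================================================================
# Application Configuration
# =============================================================================
APP_ENV=production
# Keep false in production.
APP_DEBUG=false
APP_NAME=Siro
APP_DOMAIN=api-syria.siromove.com

# =============================================================================
# Nabeh Integration (server-to-server API key)
# Must match NABEH_API_KEY in Nabeh's .env
# =============================================================================
NABEH_API_KEY=
# NOTE(review): the purpose of SECRET_KEY_HMAC is not documented in this file;
# confirm which component signs or verifies with it.
SECRET_KEY_HMAC=

# =============================================================================
# Security Configuration - Fingerprint
# =============================================================================
# Random secret value; generate it like the other secrets in this file.
FP_PEPPER=

# =============================================================================
# Feature Flags
# =============================================================================
FEATURE_MFA_ENABLED=true
FEATURE_S2S_WALLET_ENABLED=true
FEATURE_CERTIFICATE_PINNING=true

# =============================================================================
# SECRETS - DO NOT EDIT OR COMMIT!
# =============================================================================
# This file contains secrets. Keep it secure!
# Permissions: chmod 600 .env
# Owner: www-data (or your web server user)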