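# Triton Manage Server environment template.
# Copy to .env in this directory; install.sh does that automatically.
#
# Required values are flagged. Generated values get auto-filled by install.sh.
#
# Once filled in, .env holds live secrets (DB password, JWT signing key,
# worker key, vault key). Keep it out of version control and readable only
# by the account that runs the stack (e.g. chmod 600 .env).
# If you fill this file in by hand instead of via install.sh, replace every
# __GENERATED_BY_INSTALL_SH__ placeholder with a fresh random value; the
# literal placeholder text is public and must never be used as a secret.

# ─── PostgreSQL (auto-generated) ─────────────────────────────────────────
POSTGRES_USER=triton
POSTGRES_PASSWORD=__GENERATED_BY_INSTALL_SH__
POSTGRES_DB=triton_manage
POSTGRES_PORT=5435

# ─── Manage Server core (REQUIRED) ───────────────────────────────────────
# 32-byte HS256 secret as 64 hex chars. Generated once at install.
# Rotating this invalidates every active session — users re-login.
# HS256 is symmetric: anyone who can read this key can mint valid session
# tokens, so rotate it if the file is ever exposed.
TRITON_MANAGE_JWT_SIGNING_KEY=__GENERATED_BY_INSTALL_SH__

# Public half of the License Server's Ed25519 keypair as 64 hex chars.
# Get this from the License Server operator: it's the last 64 hex
# characters of TRITON_LICENSE_SERVER_SIGNING_KEY.
# Only those 64 characters belong here. The rest of that value is presumably
# the private half and should never leave the License Server.
TRITON_MANAGE_LICENSE_SERVER_PUBKEY=__SET_BY_INSTALL_FLAG__

# ─── Listener ────────────────────────────────────────────────────────────
TRITON_MANAGE_LISTEN=:8082
TRITON_MANAGE_HOST_PORT=8082

# Agent gateway (mTLS). Hostname must be reachable from agents.
TRITON_MANAGE_GATEWAY_LISTEN=:8443
TRITON_MANAGE_GATEWAY_HOST_PORT=8443
TRITON_MANAGE_GATEWAY_HOSTNAME=manage.example.com
# Full URL pushed to enrolled agents. Defaults to https://${HOSTNAME}:${PORT}.
TRITON_MANAGE_GATEWAY_URL=

# Host LAN IP/hostname for "+ This machine" auto-registration. Required in
# containers because the auto-detect picks up the container's own IP.
TRITON_MANAGE_HOST_IP=
TRITON_MANAGE_HOST_HOSTNAME=

# ─── License Server connection (REQUIRED to activate) ────────────────────
# URL of YOUR vendor's License Server.
TRITON_LICENSE_SERVER_URL=https://license.vendor.example.com
# License token issued by the vendor (paste into setup wizard, or here).
TRITON_LICENSE_TOKEN=
# Optional fallback key embedded in binary at build time. Usually empty.
TRITON_LICENSE_KEY=

# ─── Workers ─────────────────────────────────────────────────────────────
# Shared secret presented by sshagent / portscan workers when claiming jobs.
TRITON_MANAGE_WORKER_KEY=__GENERATED_BY_INSTALL_SH__
# Concurrent scan jobs (1–50). Higher = more CPU + RAM.
TRITON_MANAGE_PARALLELISM=10

# ─── Credential vault ────────────────────────────────────────────────────
# PostgreSQL AES-256-GCM vault. Back this up — losing the key makes
# all stored host credentials unreadable.
# Store the key backup separately from database backups: a dump kept next
# to its key offers no protection for the stored credentials.
TRITON_VAULT_KEY=__GENERATED_BY_INSTALL_SH__

# ─── TLS (recommended for production) ────────────────────────────────────
# Two paths:
#   A) Reverse proxy terminates TLS — leave these blank.
#   B) Container terminates TLS — set CERT + KEY paths inside the container.
# With path A the proxy-to-container hop is presumably plain HTTP, so make
# sure TRITON_MANAGE_HOST_PORT is reachable only from the proxy.
TRITON_MANAGE_TLS_CERT=
TRITON_MANAGE_TLS_KEY=
TLS_CERT_HOST_DIR=/etc/triton/tls

# ─── Sessions ────────────────────────────────────────────────────────────
TRITON_MANAGE_SESSION_TTL=24h

# ─── Image ───────────────────────────────────────────────────────────────
# ":latest" is a mutable tag. For reproducible production deploys, pin a
# release tag or an image digest (…@sha256:<DIGEST_PLACEHOLDER>) instead.
TRITON_MANAGE_IMAGE=ghcr.io/amiryahaya/triton-manageserver:latest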