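# Triton License Server environment template.
# Copy to .env in this directory; install.sh does that automatically.
#
# Required values are flagged. Generated values get auto-filled by install.sh
# when run without flags.
#
# Once filled in, this file holds the database password, the license signing
# key and the initial admin password. Keep the resulting .env out of version
# control and readable only by the account that runs the stack (chmod 600).
#
# Comments are kept on their own lines: some env-file loaders (for example
# `docker run --env-file`) do not strip a trailing `# ...` and would make it
# part of the value.

# ─── PostgreSQL (auto-generated) ─────────────────────────────────────────
POSTGRES_USER=triton
# Filled in by install.sh (openssl rand -hex 24).
POSTGRES_PASSWORD=__GENERATED_BY_INSTALL_SH__
POSTGRES_DB=triton_license
# localhost-bound
POSTGRES_PORT=5436

# ─── License Server core (REQUIRED) ──────────────────────────────────────
# Ed25519 keypair as 128 hex chars (seed||pub). Generated once at install
# time. Back this up — losing it forces every customer to re-activate.
# The seed half is the private key: store the backup as a secret (encrypted
# or offline), not alongside ordinary configuration backups.
TRITON_LICENSE_SERVER_SIGNING_KEY=__GENERATED_BY_INSTALL_SH__

# Initial superadmin seeded on first boot. After login, rotate this.
TRITON_LICENSE_SERVER_ADMIN_EMAIL=admin@example.com
TRITON_LICENSE_SERVER_ADMIN_PASSWORD=__GENERATED_BY_INSTALL_SH__

# ─── Listener ────────────────────────────────────────────────────────────
TRITON_LICENSE_SERVER_LISTEN=:8081
# host port to publish
TRITON_LICENSE_SERVER_HOST_PORT=8081

# ─── TLS (recommended for production) ────────────────────────────────────
# Two paths:
#   A) Reverse proxy terminates TLS — leave these blank, set ALLOW_INSECURE=1.
#      The listener then speaks plain HTTP, so the published host port should
#      be reachable only by the proxy (loopback binding or firewall rule; how
#      the port is bound is defined outside this file — verify there).
#   B) Container terminates TLS — set CERT + KEY (paths inside container)
#      and mount your /etc/triton/tls directory via TLS_CERT_HOST_DIR.
#      Keep the private key file readable only by the service account.
TRITON_LICENSE_SERVER_TLS_CERT=
TRITON_LICENSE_SERVER_TLS_KEY=
TRITON_LICENSE_SERVER_ALLOW_INSECURE=
TLS_CERT_HOST_DIR=/etc/triton/tls

# ─── Operations ──────────────────────────────────────────────────────────
# Hours after which a license is considered stale (offline grace window).
# 336h = 14 days. Increase for longer offline tolerance.
# NOTE(review): a longer window presumably also lets an offline client keep
# running longer before a server-side change reaches it — confirm before
# raising it.
TRITON_LICENSE_SERVER_STALE_THRESHOLD=336h

# Public URL of this server. Used in invite emails and pushed to clients
# during validation. Leave blank if no email/external clients yet.
# Use the https:// address clients should reach in production.
TRITON_LICENSE_SERVER_PUBLIC_URL=

# ─── Email (optional) ────────────────────────────────────────────────────
# Resend.com keys for sending platform-admin invites + temp passwords.
# Leave blank to disable email — invites are still issued, the password
# just isn't auto-mailed. The API key is a secret like the values above.
RESEND_API_KEY=
RESEND_FROM_EMAIL=

# ─── Worker binaries ─────────────────────────────────────────────────────
# Host directory bind-mounted into the container at /data/binaries.
# Binaries (triton-agent, triton-sshagent, triton-portscan) are stored as
# files — not in the DB — so this directory must survive container rebuilds.
# Created automatically by install.sh if it does not exist.
# NOTE(review): if these files are later handed out to worker hosts, limit
# write access on this directory to administrators — confirm how they are
# consumed.
TRITON_LICENSE_SERVER_HOST_BIN_DIR=/opt/triton/binaries

# ─── Image ───────────────────────────────────────────────────────────────
# Override to pin a specific build. Default tracks :latest from ghcr.io.
# For production, pin a release tag or image digest so the running build
# changes only when you change this line.
TRITON_LICENSE_IMAGE=ghcr.io/amiryahaya/triton-licenseserver:latest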