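# Copy to `.env` next to deploy/docker-compose.yml ON racknerd2 (never commit the real .env).
# Compose loads it automatically.
#
# One KEY=value per line; comments go on their own lines starting with `#`.
# The filled-in file holds signing and encryption keys: keep it readable only
# by the deploying user (e.g. chmod 600 .env) and out of backups that leave
# the host unencrypted.

# Image tag to deploy. The build workflow pushes both :latest and the commit
# SHA; use :latest for rolling validation or pin a SHA for a specific build.
# :latest is a mutable tag, so what runs depends on when the image was pulled;
# pin the SHA whenever the deployed build must be reproducible or auditable.
ARCHNEST_TAG=latest

# Interface the app is published on. Mesh IP only — do NOT bind 0.0.0.0.
ARCHNEST_BIND_IP=100.96.217.250

# Origin the frontend is served from (used for CORS). Mesh URL for validation.
# NOTE(review): this is a plain-http origin, so transport protection comes from
# the mesh alone — confirm that holds before reusing the value elsewhere.
ARCHNEST_CORS_ORIGIN=http://100.96.217.250:8080

# The three secrets below are intentionally blank in this template and must be
# filled in before the stack is started. Generate each one separately; do not
# reuse one value for two keys.
# NOTE(review): confirm the app refuses to start when any of them is empty.

# 32-byte hex. Signs auth JWTs. Generate: openssl rand -hex 32
# Anyone who learns this value can mint valid tokens.
# NOTE(review): rotating it presumably invalidates already-issued tokens — confirm.
ARCHNEST_JWT_SECRET=

# 32-byte hex. Encrypts integration secrets at rest (AES-256-GCM).
# Changing this after data exists makes existing secrets undecryptable.
# Generate: openssl rand -hex 32
ARCHNEST_SECRET_KEY=

# Exactly 32 ASCII chars (used literally as an AES-256-CBC key for Guacamole).
# Generate: openssl rand -base64 24 | cut -c1-32
# 24 random bytes encode to exactly 32 base64 characters, so the `cut` is only
# a length safeguard. Because the key is restricted to base64 characters it
# carries about 192 bits of entropy rather than a full 256.
ARCHNEST_GUAC_CRYPT_KEY=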