# certctl Docker Compose environment variables (Bundle 2 — 2026-05-12)
#
# Copy this file to deploy/.env and customize. The production-shaped base
# compose (docker-compose.yml) requires every uncommented variable below to
# be set; the Bundle 2 fail-closed startup guards REFUSE TO BOOT if any
# value remains at a "change-me-..." or "replace-with-..." placeholder
# outside demo mode (CERTCTL_DEMO_MODE_ACK=true). A leftover placeholder is
# therefore a boot failure, not a silently weak deployment.
#
# Handling: deploy/.env holds live secrets once filled in. Keep it out of
# version control and readable only by the user that runs `docker compose`.
#
# DEMO PATH (zero-config, populated dashboard, demo-mode auth):
#   docker compose -f deploy/docker-compose.yml \
#     -f deploy/docker-compose.demo.yml up -d --build
# The demo overlay supplies its own placeholder values plus DEMO_MODE_ACK
# so this .env is NOT needed.
#
# PRODUCTION PATH (this .env is required):
#   docker compose -f deploy/docker-compose.yml up -d

# PostgreSQL password — generate with: openssl rand -hex 32
POSTGRES_PASSWORD=replace-with-openssl-rand-hex-32

# Server API-key secret — generate with: openssl rand -base64 32
CERTCTL_AUTH_SECRET=replace-with-openssl-rand-base64-32

# Bundled-agent API key. Must match one of the server's AUTH_SECRET
# rotation values, so it is normally the same value as CERTCTL_AUTH_SECRET
# above (or one of its rotated predecessors). Generate with:
# openssl rand -base64 32
CERTCTL_API_KEY=replace-with-openssl-rand-base64-32

# AES-256-GCM key for encrypting issuer/target config secrets at rest.
# Minimum 32 bytes. Generate with: openssl rand -base64 32
# NOTE(review): `openssl rand -base64 32` yields a 44-character string;
# whether the 32-byte minimum is checked on the raw string or on the
# base64-decoded bytes is not stated here — confirm against the server.
CERTCTL_CONFIG_ENCRYPTION_KEY=replace-with-openssl-rand-base64-32

# Agent ID returned from `POST /api/v1/agents` during agent enrollment.
# Left commented out because the value only exists after enrollment;
# without it the bundled certctl-agent service fail-fasts at startup, so
# set it here once the agent has been registered.
# CERTCTL_AGENT_ID=agent-from-registration-response

# Day-0 admin bootstrap token (optional — generate with: openssl rand -hex 32).
# When set, POST /api/v1/auth/bootstrap mints the first admin actor + API
# key. When unset (default), that endpoint returns 410 Gone. Unset it again
# (or leave it unset) once the first admin exists so the bootstrap endpoint
# stays closed.
# CERTCTL_BOOTSTRAP_TOKEN=