# Cauldron — copy to /mnt/cache/appdata/secrets/cauldron.env on Lucy
# (chmod 600, root:root). Some values are already populated by the deploy
# bootstrap (CLAWDFORGE_*); fill in the rest before first start.

# Flask
SECRET_KEY=change-me-32-bytes-of-entropy

# Bind
BIND_HOST=0.0.0.0
BIND_PORT=7790

# Mealie (recipes.sulkta.com is already wired with Authentik OIDC)
MEALIE_BASE_URL=https://recipes.sulkta.com
MEALIE_API_TOKEN=

# clawdforge (centralized claude-runner on Lucy)
CLAWDFORGE_URL=http://192.168.0.5:8800
CLAWDFORGE_TOKEN=
DEFAULT_MODEL=sonnet
DEFAULT_TIMEOUT_SECS=120

# Admin bearer for batch ops (sterilize-all, etc.) — separate from user OIDC
ADMIN_BEARER=change-me-this-is-the-cauldron-admin-batch-token

# Authentik OIDC (provisioned 2026-04-28; client_id + secret minted by Authentik)
OIDC_ISSUER=https://auth.sulkta.com/application/o/cauldron/
OIDC_CLIENT_ID=
OIDC_CLIENT_SECRET=
OIDC_REDIRECT_URI=http://192.168.0.5:7790/auth/callback

# DB (sulkta-mariadb on the sulkta bridge)
DB_HOST=sulkta-mariadb
DB_PORT=3306
DB_NAME=cauldron
DB_USER=cauldron_app
DB_PASSWORD=

# Fernet master key for at-rest encryption of per-user Mealie tokens.
# Generate with: python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"
CAULDRON_FERNET_KEY=