---
GRAFANA_ADMIN_PASSWORD:
POSTGRES_PASSWORD:
S3_ACCESS_KEY_ID:
S3_SECRET_ACCESS_KEY:
TF_VAR_linode_token:
TF_VAR_root_pass:
TF_VAR_user_password:
TF_VAR_ssh_public_key:
CF_DNS_API_TOKEN:
CF_ZONE_API_TOKEN:
LLDAP_ADMIN_PASSWORD:
LLDAP_JWT_SECRET:
LLDAP_KEY_SEED:
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET:
AUTHELIA_SESSION_SECRET:
AUTHELIA_STORAGE_ENCRYPTION_KEY:
AUTHELIA_OIDC_HMAC_SECRET:
AUTHELIA_OIDC_PRIVATE_KEY_PEM:
AUTHELIA_OIDC_GRAFANA_CLIENT_SECRET:
AUTHELIA_OIDC_FORGEJO_CLIENT_SECRET:
AUTHELIA_SMTP_ADDRESS:
AUTHELIA_SMTP_USERNAME:
AUTHELIA_SMTP_PASSWORD:
AUTHELIA_SMTP_SENDER:
AUTHELIA_SMTP_IDENTIFIER:
AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS:
POSTFIX_RELAYHOST: "smtp.postmarkapp.com"
POSTFIX_RELAYHOST_PORT: "2525"
POSTFIX_RELAYHOST_USERNAME: "your-postmark-server-token"
POSTFIX_RELAYHOST_PASSWORD: "your-postmark-server-token"
FORGEJO_RUNNER_REGISTRATION_TOKEN:
FORGEJO_API_TOKEN:
FORGEJO_BASE_URL:

SERVICE_SSH_REGISTER_PUBLIC_KEY:
SERVICE_SSH_DEREGISTER_PUBLIC_KEY:

RESTIC_PASSWORD:
RESTIC_AWS_ACCESS_KEY_ID:
RESTIC_AWS_SECRET_ACCESS_KEY:
RESTIC_AWS_DEFAULT_REGION: "us-east-1"
# RESTIC_REPOSITORY: "s3:https://us-east-1.linodeobjects.com/bucket-name/infra"
RESTIC_KEEP_DAILY: 7
RESTIC_KEEP_WEEKLY: 4
RESTIC_KEEP_MONTHLY: 6
INFRA_BACKUP_ONCALENDAR: "daily"

ALERTMANAGER_SLACK_WEBHOOK_URL:
ALERTMANAGER_SLACK_CHANNEL: "#alerts"
ALERTMANAGER_SLACK_USERNAME: "alertmanager"
ALERTMANAGER_DISCORD_WEBHOOK_URL:

# Alertmanager Email Settings (uses Postfix on localhost:25 by default)
# ALERTMANAGER_SMTP_HOST: "localhost:25"
# ALERTMANAGER_SMTP_FROM: "no-reply@yourdomain.com"
# ALERTMANAGER_EMAIL_TO: "admin@yourdomain.com"

# Authelia SMTP Settings (uses Postfix container on proxy network)
# AUTHELIA_SMTP_ADDRESS: "postfix:25"
# AUTHELIA_SMTP_SENDER: "no-reply@yourdomain.com"
# AUTHELIA_SMTP_IDENTIFIER: "yourdomain.com"
# AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS: "test@yourdomain.com"
# AUTHELIA_SMTP_USERNAME: ""  # Leave empty for no auth (Postfix on local network)
# AUTHELIA_SMTP_PASSWORD: ""  # Leave empty for no auth

# Deployment token for webhook authentication (must match DEPLOY_TOKEN secret in app repos)
VAULT_DEPLOY_TOKEN: