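# @see https://docs.joinmastodon.org/admin/config
#
# Jinja2 template for the Mastodon environment file.
# The rendered output holds every application secret (session key, OTP secret,
# VAPID private key, database / SMTP / OIDC credentials, Active Record
# encryption keys). Keep the rendered file readable by the service account
# only and out of version control.
# Values are substituted unquoted, so a secret containing whitespace, '#' or
# quote characters may be truncated or misparsed by the env-file reader.

# --- Instance identity ---
LOCAL_DOMAIN={{domain}}
ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
SINGLE_USER_MODE={{applications.mastodon.single_user_mode}}

# --- Application secrets ---
SECRET_KEY_BASE={{mastodon_secret_key_base}}
OTP_SECRET={{mastodon_otp_secret}}
VAPID_PRIVATE_KEY={{mastodon_vapid_private_key}}
VAPID_PUBLIC_KEY={{mastodon_vapid_public_key}}

# --- Database ---
DB_HOST={{database_host}}
DB_PORT={{database_port}}
DB_NAME={{database_name}}
DB_USER={{database_username}}
DB_PASS={{database_password}}

# --- Redis ---
# NOTE(review): no Redis password is set. This relies on the `redis` host
# being reachable only from the application's private network; verify that
# the port is not published.
REDIS_HOST=redis
REDIS_PORT=6379
REDIS_PASSWORD=

# --- Outgoing mail ---
# NOTE(review): SMTP_OPENSSL_VERIFY_MODE=none turns off certificate
# verification for the SMTP connection while SMTP_AUTH_METHOD=plain sends the
# login over it, so a host in the network path can impersonate the mail
# server and read the credentials. Switch to `peer` as soon as the mail host
# presents a certificate the container trusts. Consider
# SMTP_ENABLE_STARTTLS=always so that TLS cannot be silently skipped.
SMTP_SERVER={{system_email.host}}
SMTP_PORT={{system_email.port}}
SMTP_LOGIN={{system_email.username}}
SMTP_PASSWORD={{system_email.password}}
SMTP_AUTH_METHOD=plain
SMTP_OPENSSL_VERIFY_MODE=none
SMTP_ENABLE_STARTTLS=auto
SMTP_FROM_ADDRESS=Mastodon <{{system_email.from}}>

# --- Active Record encryption ---
# No whitespace around '=': some env-file readers keep it as part of the value.
ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{mastodon_active_record_encryption_deterministic_key}}
ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{mastodon_active_record_encryption_key_derivation_salt}}
ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{mastodon_active_record_encryption_primary_key}}

{% if oidc.enabled | bool %}
###################################
# OpenID Connect settings
###################################
# @see https://github.com/mastodon/mastodon/pull/16221
# @see https://stackoverflow.com/questions/72081776/how-mastodon-configured-login-using-sso
OIDC_ENABLED={{ oidc.enabled | string | lower }}
OIDC_DISPLAY_NAME="{{primary_domain | upper}} SSO"
OIDC_ISSUER={{oidc.client.issuer_url}}
OIDC_DISCOVERY=true
OIDC_SCOPE="openid,profile,email"
# @see https://stackoverflow.com/questions/72108087/how-to-set-the-username-of-mastodon-by-log-in-via-keycloak
OIDC_UID_FIELD=preferred_username
OIDC_CLIENT_ID={{oidc.client.id}}
OIDC_REDIRECT_URI=https://{{domain}}/auth/auth/openid_connect/callback
OIDC_CLIENT_SECRET={{oidc.client.secret}}

# NOTE(review): the next two switches make Mastodon trust the e-mail claim
# from the issuer without its own confirmation and attach an OIDC login to an
# existing local account that has the same address. That is only safe while
# the identity provider guarantees e-mail ownership (addresses are verified
# and users cannot change them freely). Otherwise a provider account with a
# matching address gains control of the local account. Confirm the provider's
# e-mail policy before keeping both enabled.
OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED=true
ALLOW_UNSAFE_AUTH_PROVIDER_REATTACH=true

# Only OIDC is used for the login / registration buttons while this is set.
# The comment sits on its own line because not every env-file reader strips
# trailing comments from a value.
OMNIAUTH_ONLY=true
ONE_CLICK_SSO_LOGIN=true
{% endif %}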