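# mcvsphere OAuth Configuration Template
# Copy to .env and configure for your environment
#
# Usage:
#   cp .env.oauth.example .env
#   # Edit .env with your values
#   docker compose -f docker-compose.oauth-standalone.yml up -d
#
# The populated .env holds credentials (VCENTER_PASSWORD, OAUTH_CLIENT_SECRET):
# keep it out of version control and readable only by the account that runs
# docker compose (e.g. chmod 600 .env).
#
# Format: one KEY=value per line; a line starting with '#' is a comment.
# Do not place a value on the same line as a comment, or it will be ignored.

# ─────────────────────────────────────────────────────────────────────────────
# Docker Compose
# ─────────────────────────────────────────────────────────────────────────────
COMPOSE_PROJECT_NAME=mcvsphere

# ─────────────────────────────────────────────────────────────────────────────
# vCenter Connection (Required)
# ─────────────────────────────────────────────────────────────────────────────
VCENTER_HOST=vcenter.example.com
# Use a dedicated service account holding only the vSphere privileges the
# exposed tools need, rather than an administrator login.
VCENTER_USER=mcpservice@vsphere.local
VCENTER_PASSWORD=your-secure-password

# Optional: Skip SSL verification (dev only - use false in production)
# 'true' disables certificate checking on the vCenter connection, so the
# credentials above could be sent to an impersonating endpoint.
VCENTER_INSECURE=false

# Optional: Specify defaults (auto-detected if not set)
# VCENTER_DATACENTER=Datacenter
# VCENTER_CLUSTER=Cluster
# VCENTER_DATASTORE=datastore1
# VCENTER_NETWORK=VM Network

# ─────────────────────────────────────────────────────────────────────────────
# MCP Transport (Required for OAuth)
# ─────────────────────────────────────────────────────────────────────────────
MCP_TRANSPORT=streamable-http
# 0.0.0.0 listens on every container interface; reach it only through the
# Caddy proxy (MCP_DOMAIN below) rather than publishing MCP_PORT directly.
MCP_HOST=0.0.0.0
MCP_PORT=8080

# Your public domain (must match Caddy proxy)
MCP_DOMAIN=mcp.example.com

# TLS mode: 'internal' for self-signed (dev), remove for auto HTTPS (prod)
# A self-signed certificate will not be trusted by clients without extra
# setup; production should rely on the proxy's automatic HTTPS.
MCP_TLS_MODE=internal

# ─────────────────────────────────────────────────────────────────────────────
# OAuth / OIDC Provider (Required)
# ─────────────────────────────────────────────────────────────────────────────
OAUTH_ENABLED=true

# OIDC Discovery URL (ends with /.well-known/openid-configuration)
# Examples:
#   Authentik: https://auth.example.com/application/o/mcvsphere/
#   Keycloak:  https://keycloak.example.com/realms/myrealm
#   Auth0:     https://myapp.auth0.com/
#   Okta:      https://myorg.okta.com/oauth2/default
# Use an https:// issuer; discovery over plain http lets the provider
# metadata be tampered with in transit.
OAUTH_ISSUER_URL=https://auth.example.com/application/o/mcvsphere/

# OAuth Client Credentials (from your OIDC provider)
# Treat OAUTH_CLIENT_SECRET like a password: rotate it at the provider if the
# .env file is ever exposed.
OAUTH_CLIENT_ID=your-client-id
OAUTH_CLIENT_SECRET=your-client-secret

# Public callback URL (must be accessible from browser)
# Expected to match the redirect URI registered for this client at the
# provider - confirm against your provider's client settings.
OAUTH_BASE_URL=https://mcp.example.com

# ─────────────────────────────────────────────────────────────────────────────
# RBAC Permission Groups
# ─────────────────────────────────────────────────────────────────────────────
# Create these groups in your OIDC provider and assign users:
#
# | Group                  | Access Level                    |
# |------------------------|---------------------------------|
# | vsphere-super-admins   | Full control (all 94 tools)     |
# | vsphere-host-admins    | Host operations + VM management |
# | vsphere-admins         | VM lifecycle management         |
# | vsphere-operators      | Power ops + snapshots           |
# | vsphere-readers        | Read-only                       |
#
# Users without any vsphere-* group will be denied access (default-deny).
# Group membership is decided at the provider, so review who can edit these
# groups there - that edit right is equivalent to granting vSphere access.

# ─────────────────────────────────────────────────────────────────────────────
# Optional Settings
# ─────────────────────────────────────────────────────────────────────────────
# LOG_LEVEL=INFO
# MCVSPHERE_VERSION=0.2.2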