# CBM Portal Backend - Secure Environment Configuration
# Copy this file to: /etc/systemd/system/cbm-portal.service.d/environment.conf
#
# ⚠️ SECURITY: This file will contain production secrets!
# Make sure to set proper permissions after creating it.

[Service]
# Drop-in for cbm-portal.service: each Environment= line below adds one variable
# to the service's environment. Replace the YOUR_* and /path/to/your/...
# placeholders before use.
#
# NOTE(security): values set with Environment= are unit properties, and
# `systemctl show` returns them to any local user regardless of this file's mode.
# systemd.exec(5) advises against passing secrets this way. Consider moving the
# secret values to a file referenced by EnvironmentFile= (root-owned, mode 0600)
# or, if the application can read secrets from files, to LoadCredential=.
#
# Value syntax: systemd expands % specifiers in these values, so a literal % in
# a password must be written as %%. Each value must stay on a single line.

# Database Configuration (account name, password and TCP port)
Environment="CBM_DB_USER=YOUR_DB_USERNAME"
Environment="CBM_DB_PASS=YOUR_DB_PASSWORD"
Environment="CBM_DB_PORT=5432"

# Email Configuration (mail account and its password)
Environment="CBM_MAIL_USER=cbmmailer@carlsonbuilding.com"
Environment="CBM_MAIL_PASS=YOUR_EMAIL_PASSWORD"

# Microsoft Graph API Configuration (tenant, application id and client secret)
Environment="MICROSOFT_TENANT_ID=YOUR_TENANT_ID"
Environment="MICROSOFT_CLIENT_ID=YOUR_CLIENT_ID"
Environment="MICROSOFT_CLIENT_SECRET=YOUR_CLIENT_SECRET"

# JWT Signing Secret (generate with: openssl rand -base64 64 | tr -d '\n').
# Without the tr step openssl wraps the output onto two lines, which cannot be
# pasted into a single Environment= value.
Environment="CBM_JWT_Signing=YOUR_JWT_SIGNING_SECRET"

# SSL Configuration (path to the PKCS#12 keystore and the keystore password).
# NOTE(review): the keystore file holds the private key; presumably it should be
# readable only by the account the service runs as. Confirm its mode and owner.
Environment="CBM_SSL_FILE=/path/to/your/keystore.p12"
Environment="CBM_SpringKeyStore=YOUR_KEYSTORE_PASSWORD"

# Installation Instructions:
#
# 1. Create the override directory:
#    sudo mkdir -p /etc/systemd/system/cbm-portal.service.d
#
# 2. Copy and edit this file with your actual secrets:
#    sudo nano /etc/systemd/system/cbm-portal.service.d/environment.conf
#
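# 3. IMPORTANT - Secure the file (root-only access). Until this is done the file
#    keeps the permissions it was created with, which may be world-readable, so
#    save it with the placeholders first, run these, and only then enter real values:
#    sudo chmod 600 /etc/systemd/system/cbm-portal.service.d/environment.conf
#    sudo chown root:root /etc/systemd/system/cbm-portal.service.d/environment.conf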
#
# 4. Verify permissions (should show: -rw------- root root):
#    ls -la /etc/systemd/system/cbm-portal.service.d/environment.conf
#
# 5. Reload systemd to apply changes:
#    sudo systemctl daemon-reload
#
# 6. Restart the service:
#    sudo systemctl restart cbm-portal
#
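# 7. Verify variables are loaded. NOTE: this prints the values in clear text,
#    secrets included, and `systemctl show` returns them to unprivileged users too:
#    sudo systemctl show cbm-portal | grep Environment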
#
# Security Notes:
# - Only root can read this file (600 permissions); this does not hide the
#   Environment= values from `systemctl show`
# - Never commit this file to git
# - Never include in backups of user directories
# - Rotate secrets regularly
# - Use strong, unique passwords for each secret
#
# Generate strong secrets:
# - Database password:   pwgen -s 32 1
# - JWT signing secret:  openssl rand -base64 64 | tr -d '\n'
#   (openssl wraps base64 output at 64 characters; the value must be one line)
# - Keystore password:   openssl rand -base64 32

