# Shared (applies to both control plane and host agent)
WRENN_DIR=/var/lib/wrenn
LOG_LEVEL=info

# Database
DATABASE_URL=postgres://wrenn:wrenn@localhost:5432/wrenn?sslmode=disable

# Redis
REDIS_URL=redis://localhost:6379/0

# Control Plane
WRENN_CP_LISTEN_ADDR=:9725

# Host Agent
WRENN_HOST_LISTEN_ADDR=:50051
WRENN_HOST_INTERFACE=eth0
WRENN_CP_URL=http://localhost:9725
WRENN_DEFAULT_ROOTFS_SIZE=5Gi
WRENN_CH_BIN=/usr/local/bin/cloud-hypervisor
# Public domain sandboxes are served under; injected into envd so `envd ports`
# can build {port}-{sandbox_id}.{domain} URLs.
WRENN_PROXY_DOMAIN=wrenn.dev

# Inactivity activity sampler (all optional; shown values are the defaults).
# The host polls each running sandbox's guest liveness and refreshes its
# inactivity TTL when it is doing real work, so a long-running but
# non-interactive job (build, download) is not auto-paused. A sandbox counts
# as busy when guest CPU ≥ threshold, or net/disk throughput ≥ the floor.
# Busy requires the threshold to hold for 2 consecutive samples (debounced),
# so isolated idle-noise spikes do not keep a sandbox alive.
WRENN_ACTIVITY_SAMPLE_INTERVAL=5s
WRENN_CPU_BUSY_THRESHOLD=5.0
WRENN_NET_FLOOR_BPS=16384
WRENN_DISK_FLOOR_BPS=32768

# Auth
JWT_SECRET=

# mTLS — CP→Agent channel
# Generate a self-signed CA with:
#   openssl ecparam -genkey -name P-256 -noout -out ca.key
#   openssl req -new -x509 -key ca.key -days 3650 -out ca.crt -subj "/CN=wrenn-internal-ca"
# Then set these to the file contents (newlines replaced with \n or use multiline env).
WRENN_CA_CERT=
WRENN_CA_KEY=

# Channels (notification destinations)
# AES-256-GCM key for encrypting channel secrets. Generate with: openssl rand -hex 32
WRENN_ENCRYPTION_KEY=

# OAuth
OAUTH_GITHUB_CLIENT_ID=
OAUTH_GITHUB_CLIENT_SECRET=
OAUTH_REDIRECT_URL=https://app.wrenn.dev
CP_PUBLIC_URL=https://app.wrenn.dev

# SMTP — transactional email (optional; omit SMTP_HOST to disable)
SMTP_HOST=
SMTP_PORT=587
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_FROM_EMAIL=noreply@wrenn.dev