# ConfigMap: privacyidea-cfg
#
# Provides /etc/privacyidea/pi.cfg (the privacyIDEA Python config file).
# Mounted as a subPath into the privacyidea-data PVC, so it overlays just
# that one file while the rest of /etc/privacyidea/ remains on the PVC.
#
# Sensitive values (SECRET_KEY, PI_PEPPER, SQLALCHEMY_DATABASE_URI) are
# injected as environment variables from the privacyidea-config Secret.
# This object therefore carries no secret material and can be stored in git.
#
# NOTE(review): pi.cfg is executed as Python by privacyIDEA at startup
# (it starts with `import os`), so write access to this ConfigMap — or to the
# file it overlays on the PVC — is equivalent to code execution inside the
# pod. Keep RBAC for ConfigMaps in this namespace as tight as for the Secret.
#
# NOTE(review): the three secret values are read with os.environ[...] and no
# default, so a pod whose Secret is not wired in fails at startup with a
# KeyError instead of running with an empty key or pepper. Keep it that way;
# do not add .get() fallbacks.
#
# NOTE(review): subPath mounts are not refreshed when the ConfigMap changes;
# roll the privacyIDEA pods after editing pi.cfg for the new file to apply.
apiVersion: v1
kind: ConfigMap
metadata:
  name: privacyidea-cfg
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
data:
  # Key material referenced by path below (enckey, private.pem, public.pem)
  # lives on the PVC, not in this ConfigMap; see the per-setting comments.
  pi.cfg: |
    # /etc/privacyidea/pi.cfg
    # Sensitive values injected via environment (privacyidea-config Secret).
    import os

    # Flask session secret — never type this; comes from vault/KeePassXC.
    SECRET_KEY = os.environ["PI_SECRET_KEY"]

    # Password hashing pepper — added to all hashed passwords.
    PI_PEPPER = os.environ["PI_PEPPER"]

    # Encryption key for token secrets (auto-generated on first start if missing).
    PI_ENCFILE = "/etc/privacyidea/enckey"

    # Audit log RSA signing keys (generated by pi-manage create_audit_keys).
    PI_AUDIT_KEY_PRIVATE = "/etc/privacyidea/private.pem"
    PI_AUDIT_KEY_PUBLIC = "/etc/privacyidea/public.pem"

    # Database connection (full URI, password from vault/KeePassXC).
    SQLALCHEMY_DATABASE_URI = os.environ["PI_SQLALCHEMY_DATABASE_URI"]

    # Application logging.
    PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    PI_LOGLEVEL = 20  # 10=DEBUG 20=INFO 30=WARNING 40=ERROR

    # Scripts folder for event handlers (leave default unless customising).
    PI_SCRIPT_FOLDER = "/etc/privacyidea/scripts"