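# ------------------------------------------------------------------
# OpenWebUI – core image / container
# ------------------------------------------------------------------
# One KEY=VALUE per line, comments on their own lines: some env-file
# readers do not strip trailing "# ..." text and would make it part of
# the value.

# Default image.
# NOTE(review): ":main" is a moving tag; pin a release tag or an image
# digest if deployments need to be reproducible and auditable.
WEBUI_IMAGE=ghcr.io/open-webui/open-webui:main
# Container name
WEBUI_NAME=open-webui
# Host port to expose
WEBUI_PORT=3000
# Persistent data volume
WEBUI_VOLUME=open-webui_data

# ------------------------------------------------------------------
# OpenAI API key
# ------------------------------------------------------------------
# Placeholder value; replace with the real key. Once filled in, this file
# holds live secrets: keep it out of version control and readable only by
# the account that runs the deployment.
OPENAI_API_KEY=sk-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# ------------------------------------------------------------------
# OIDC / Keycloak configuration
# ------------------------------------------------------------------

# General
WEBUI_URL=https://ai.example.com

# Keycloak / OIDC Settings
OAUTH_CLIENT_ID=open-webui
# Placeholder value; replace with the client secret issued by Keycloak.
OAUTH_CLIENT_SECRET=your_keycloak_client_secret_here
OPENID_PROVIDER_URL=https://auth.example.com/realms/your-realm/.well-known/openid-configuration
OAUTH_PROVIDER_NAME=Keycloak
# NOTE(review): the host here (open.example.com) differs from WEBUI_URL
# (ai.example.com). Confirm which one is intended; the value must match a
# redirect URI registered on the Keycloak client exactly.
OPENID_REDIRECT_URI=https://open.example.com/oauth/oidc/callback

# Logic & Scopes
# With signup enabled, an account is created on first OIDC login; access is
# then narrowed by the role settings below.
ENABLE_OAUTH_SIGNUP=true
# Links an OIDC login to an existing account that has the same email.
# Only safe when the identity provider guarantees verified email addresses;
# otherwise an unverified address can be used to take over an account.
OAUTH_MERGE_ACCOUNTS_BY_EMAIL=true
# Space-separated. "groups" presumably relies on a Keycloak client scope or
# mapper that puts group membership into the token; verify in the realm.
OAUTH_SCOPES=openid email profile groups
# PKCE with SHA-256 code challenge.
OAUTH_CODE_CHALLENGE_METHOD=S256

# Role Management
ENABLE_OAUTH_ROLE_MANAGEMENT=true
# Token claim that carries the role / group names.
OAUTH_ROLES_CLAIM=groups
# Comma-separated. Keep the admin role mapped to a small, audited group.
OAUTH_ALLOWED_ROLES=openwebui,openwebui-admin
OAUTH_ADMIN_ROLES=openwebui-admin

# NOTE(review): debug output is verbose and may include request or token
# detail; use it for troubleshooting and lower it for routine operation.
LOG_LEVEL=debug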