Closes #513. UserDataInitializer reads `@Value("${app.admin.email:...}")` but application.yaml mapped APP_ADMIN_USERNAME to `app.admin.username`. The keys never connected — env vars APP_ADMIN_USERNAME and APP_ADMIN_PASSWORD were silently ignored and the admin user got seeded with the hardcoded defaults admin@familyarchive.local / admin123. For production this is HIGH severity: DEPLOYMENT.md §3.5 documents the admin password as permanently locked on first deploy. The bug therefore locked in the dev defaults rather than whatever an operator set in PROD_APP_ADMIN_PASSWORD. Rename yaml key from `username:` to `email:` so the Spring property `app.admin.email` actually exists. Keep env-var name APP_ADMIN_USERNAME (matches the already-set Gitea secrets and DEPLOYMENT.md §3.3). Default value updated to an email-shape. Added AdminSeedPropertyKeyTest (Binder pattern, no Spring context): verifies both `app.admin.email` and `app.admin.password` resolve from the yaml. Confirmed red without the fix, green with it. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
spring:
|
|
application:
|
|
name: Familienarchiv
|
|
|
|
datasource:
|
|
url: ${SPRING_DATASOURCE_URL}
|
|
username: ${SPRING_DATASOURCE_USERNAME}
|
|
password: ${SPRING_DATASOURCE_PASSWORD}
|
|
driver-class-name: org.postgresql.Driver
|
|
|
|
flyway:
|
|
enabled: false # Managed explicitly via FlywayConfig bean
|
|
|
|
jpa:
|
|
open-in-view: false # Prevents holding DB connections for the full HTTP request lifecycle
|
|
hibernate:
|
|
ddl-auto: none
|
|
properties:
|
|
hibernate:
|
|
dialect: org.hibernate.dialect.PostgreSQLDialect
|
|
show-sql: false
|
|
|
|
servlet:
|
|
multipart:
|
|
max-file-size: 50MB
|
|
max-request-size: 500MB # supports 10-file chunk at max per-file size; see #317
|
|
file-size-threshold: 2KB
|
|
|
|
mail:
|
|
host: ${MAIL_HOST:}
|
|
port: ${MAIL_PORT:587}
|
|
username: ${MAIL_USERNAME:}
|
|
password: ${MAIL_PASSWORD:}
|
|
properties:
|
|
mail:
|
|
smtp:
|
|
auth: true
|
|
starttls:
|
|
enable: true
|
|
|
|
server:
|
|
# Behind Caddy/reverse proxy: trust X-Forwarded-{Proto,For,Host} so that
|
|
# request.getScheme(), redirect URLs, and Spring Session "Secure" cookies
|
|
# reflect the original https client request, not the http hop from Caddy.
|
|
forward-headers-strategy: native
|
|
|
|
management:
|
|
health:
|
|
mail:
|
|
enabled: false
|
|
|
|
springdoc:
|
|
api-docs:
|
|
enabled: false
|
|
swagger-ui:
|
|
enabled: false
|
|
|
|
app:
|
|
s3:
|
|
endpoint: ${S3_ENDPOINT}
|
|
access-key: ${S3_ACCESS_KEY}
|
|
secret-key: ${S3_SECRET_KEY}
|
|
bucket: ${S3_BUCKET_NAME}
|
|
region: ${S3_REGION}
|
|
|
|
base-url: ${APP_BASE_URL:http://localhost:3000}
|
|
|
|
mail:
|
|
from: ${APP_MAIL_FROM:noreply@familienarchiv.local}
|
|
|
|
admin:
|
|
# Key must be `email`, not `username` — UserDataInitializer reads
|
|
# `${app.admin.email:...}`. The env-var name stays APP_ADMIN_USERNAME
|
|
# to match the existing Gitea secrets and DEPLOYMENT.md §3.3.
|
|
# See #513.
|
|
email: ${APP_ADMIN_USERNAME:admin@familienarchiv.local}
|
|
password: ${APP_ADMIN_PASSWORD:admin123}
|
|
|
|
import:
|
|
col:
|
|
index: 0
|
|
box: 1
|
|
folder: 2
|
|
sender: 3
|
|
receivers: 5
|
|
date: 7
|
|
location: 9
|
|
tags: 10
|
|
summary: 11
|
|
transcription: 13
|
|
|
|
ocr:
|
|
sender-model:
|
|
activation-threshold: 100
|
|
retrain-delta: 50
|
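Review bot: `password: ${APP_ADMIN_PASSWORD:admin123}` under `app.admin` still carries a hard-coded fallback, so a deployment where APP_ADMIN_PASSWORD is unset or mis-spelled seeds the admin with `admin123` — and per the description that value is then locked in on first deploy, which is the same failure mode this commit is fixing, just one misconfiguration further away. The file already treats the required datasource and S3 secrets as fail-fast placeholders with no default (`url: ${SPRING_DATASOURCE_URL}`, `secret-key: ${S3_SECRET_KEY}`), so the admin credential should follow the same convention: `password: ${APP_ADMIN_PASSWORD}`, which makes Spring refuse to start when the variable is missing. If a convenience default is wanted for local runs, it presumably belongs in a dev-profile override rather than the base file — I cannot see whether such a profile exists here. A one-line comment above the key, `# No default on purpose: the seeded admin password is permanent (DEPLOYMENT.md §3.5); startup fails if APP_ADMIN_PASSWORD is unset.`, would keep the next maintainer from re-adding one.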