shard_id: "gc-001"

listen:
  http: "0.0.0.0:8080"     # API
  https: ""                # e.g., "0.0.0.0:8443" if tls.enable=true
  ws:   "0.0.0.0:8081"     # reserved

tls:
  enable: false
  cert_file: "/etc/greencoast/tls/cert.pem"
  key_file: "/etc/greencoast/tls/key.pem"

federation:
  mtls_enable: false
  listen: "0.0.0.0:9443"
  cert_file: "/etc/greencoast/fed/cert.pem"
  key_file: "/etc/greencoast/fed/key.pem"
  client_ca_file: "/etc/greencoast/fed/clients_ca.pem"

ui:
  enable: true
  path: "./client"
  base_url: "/"
  frontend_http: "0.0.0.0:8082"  # NEW: static client served on its own port

storage:
  backend: "fs"
  path: "/var/lib/greencoast/objects"
  max_object_kb: 128

security:
  zero_trust: true
  require_mtls_for_federation: true
  accept_client_signed_tokens: true
  log_level: "warn"

privacy:
  retain_ip: "no"
  retain_user_agent: "no"
  retain_timestamps: "coarse"

auth:
  signing_secret: "50A936BBA70A6F469260ABF2D86A425C07FA3228D1B24D2A9079708CE787F6B09C75C64AA26170B6B2580EC06F4C7C9F4268B2859F864D5925550FC1768E69F9E1A65B32A7A075DF5FF4992E05369362A1753ED5929B4FD48B1291CD2A281C7C54881BD377410EE8D1D210C47613B4CBA7A0E6055F66D4B9402BB871C224D4FE"
  sso:
    discord:
      enabled: false
      client_id: ""
      client_secret: ""
      redirect_uri: "http://localhost:8082/auth-callback.html"  # points to frontend port
    google:
      enabled: false
      client_id: ""
      client_secret: ""
      redirect_uri: ""
    facebook:
      enabled: false
      client_id: ""
      client_secret: ""
      redirect_uri: ""
  two_factor:
    webauthn_enabled: false
    totp_enabled: false

limits:
  rate:
    burst: 20
    per_minute: 120