shard_id: "gc-test-001"

listen:
  http: "0.0.0.0:9080"
  https: ""
  ws:   "0.0.0.0:9081"

tls:
  enable: false
  cert_file: "/etc/greencoast/tls/cert.pem"
  key_file:  "/etc/greencoast/tls/key.pem"

federation:
  mtls_enable: false
  listen: "0.0.0.0:9443"
  cert_file: "/etc/greencoast/fed/cert.pem"
  key_file:  "/etc/greencoast/fed/key.pem"
  client_ca_file: "/etc/greencoast/fed/clients_ca.pem"

ui:
  enable: true
  path: "./client"
  base_url: "/"
  frontend_http: "0.0.0.0:9082"

storage:
  backend: "fs"
  path: "/var/lib/greencoast/objects"
  max_object_kb: 128

security:
  zero_trust: true
  require_mtls_for_federation: true
  accept_client_signed_tokens: true
  log_level: "warn"

privacy:
  retain_ip: "no"
  retain_user_agent: "no"
  retain_timestamps: "coarse"
  allow_anon_plaintext: true

auth:
  # Choose either YAML OR env for the signing secret — not both.
  # If you keep it here, make sure it's EXACTLY the same as the env value.
  signing_secret: GC_SIGNING_SECRET_HEX
  sso:
    discord:
      enabled: true
      client_id: GC_DISCORD_CLIENT_ID
      client_secret: GC_DISCORD_CLIENT_SECRET
      redirect_uri: GC_DISCORD_REDIRECT_URI
    google:   { enabled: false, client_id: "", client_secret: "", redirect_uri: "" }
    facebook: { enabled: false, client_id: "", client_secret: "", redirect_uri: "" }
  two_factor:
    webauthn_enabled: false
    totp_enabled: false

limits:
  rate:
    burst: 20
    per_minute: 60