shard_id: "gc-test-001"

listen:
  http: "0.0.0.0:9080"      # API for testers
  https: ""                 # if you terminate TLS at a proxy, leave empty
  ws:   "0.0.0.0:9081"      # reserved

tls:
  enable: false             # set true only if serving HTTPS directly here
  cert_file: "/etc/greencoast/tls/cert.pem"
  key_file: "/etc/greencoast/tls/key.pem"

federation:
  mtls_enable: false
  listen: "0.0.0.0:9443"
  cert_file: "/etc/greencoast/fed/cert.pem"
  key_file: "/etc/greencoast/fed/key.pem"
  client_ca_file: "/etc/greencoast/fed/clients_ca.pem"

ui:
  enable: true
  path: "./client"
  base_url: "/"
  frontend_http: "0.0.0.0:9082"   # static client for testers

storage:
  backend: "fs"
  path: "/var/lib/greencoast/objects"
  max_object_kb: 128              # lower if you want to constrain uploads

security:
  zero_trust: true
  require_mtls_for_federation: true
  accept_client_signed_tokens: true
  log_level: "warn"

privacy:
  retain_ip: "no"
  retain_user_agent: "no"
  retain_timestamps: "coarse"

auth:
  # IMPORTANT: rotate this per environment (use `openssl rand -hex 32`)
  signing_secret: "D941C4F91D0046D28CDBC3F425DE0B4EA26BD2A80434E0F160D1B7C813EB43F8"
  sso:
    discord:
      enabled: true
      client_id: "1408292766319906946"
      client_secret: "zJ6GnUUykHbMFbWsPPneNxNK-PtOXYg1"
      # must exactly match your Discord app's allowed redirect
      redirect_uri: "https://greencoast.fullmooncyberworks.com/auth-callback.html"
    google:
      enabled: false
      client_id: ""
      client_secret: ""
      redirect_uri: ""
    facebook:
      enabled: false
      client_id: ""
      client_secret: ""
      redirect_uri: ""
  two_factor:
    webauthn_enabled: false
    totp_enabled: false

limits:
  rate:
    burst: 20
    per_minute: 60            # slightly tighter for external testing