# Silo Production Configuration
# Single-binary deployment: silod serves API + React SPA
#
# Layout on silo.example.internal:
#   /opt/silo/bin/silod          - server binary
#   /opt/silo/web/dist/          - built React frontend (served automatically)
#   /opt/silo/schemas/           - part number schemas
#   /etc/silo/config.yaml        - this file
#   /etc/silo/silod.env          - secrets (env vars)
#
# Credentials via environment variables (set in /etc/silo/silod.env):
#   SILO_DB_PASSWORD
#   SILO_SESSION_SECRET
#   SILO_ADMIN_PASSWORD

server:
  host: "0.0.0.0"
  port: 8080
  base_url: "https://silo.example.internal"

database:
  host: "psql.example.internal"
  port: 5432
  name: "silo"
  user: "silo"
  password: "" # Set via SILO_DB_PASSWORD
  sslmode: "require"
  max_connections: 20

storage:
  backend: "filesystem"
  filesystem:
    root_dir: "/opt/silo/data"

schemas:
  directory: "/opt/silo/schemas"
  default: "kindred-rd"

freecad:
  uri_scheme: "silo"

auth:
  enabled: true
  session_secret: "" # Set via SILO_SESSION_SECRET
  local:
    enabled: true
    default_admin_username: "admin"
    default_admin_password: "" # Set via SILO_ADMIN_PASSWORD
  ldap:
    enabled: true
    url: "ldaps://ipa.example.internal"
    base_dn: "dc=kindred,dc=internal"
    user_search_dn: "cn=users,cn=accounts,dc=kindred,dc=internal"
    user_attr: "uid"
    email_attr: "mail"
    display_attr: "displayName"
    group_attr: "memberOf"
    role_mapping:
      admin:
        - "cn=silo-admins,cn=groups,cn=accounts,dc=kindred,dc=internal"
      editor:
        - "cn=silo-users,cn=groups,cn=accounts,dc=kindred,dc=internal"
        - "cn=engineers,cn=groups,cn=accounts,dc=kindred,dc=internal"
      viewer:
        - "cn=silo-viewers,cn=groups,cn=accounts,dc=kindred,dc=internal"
    tls_skip_verify: false
  oidc:
    enabled: false
  cors:
    allowed_origins:
      - "https://silo.example.internal"