# Silo Configuration
# Copy to config.yaml and adjust for your environment.
#
# NOTE(review): the nesting below was reconstructed from a flattened copy of
# this file. Confirm the placement of `tls_skip_verify` (under `ldap`) and
# `cors` (under `auth`) against the schema Silo actually loads.
#
# Every secret field is left empty here on purpose: supply it through the
# environment variable named beside it rather than committing it to this file.

server:
  # "0.0.0.0" listens on every interface. While auth.enabled is false all
  # routes are open with an admin-role user (see the Authentication section),
  # so bind to a loopback or internal address, or enable auth, before the
  # port is reachable from other hosts.
  host: "0.0.0.0"
  port: 8080
  # Plain http is suitable for local development only; the OIDC redirect_url
  # below uses https, so production deployments presumably sit behind TLS.
  # Verify that base_url matches the externally visible scheme and host.
  base_url: "http://localhost:8080"
  # read_only: false  # Reject all write operations; toggle at runtime with SIGUSR1

database:
  host: "localhost"  # Use "postgres" for Docker Compose
  port: 5432
  name: "silo"
  user: "silo"
  password: ""  # Use SILO_DB_PASSWORD env var
  # In PostgreSQL terms "require" encrypts the connection but does not
  # validate the server certificate; "verify-full" also checks the chain and
  # the host name (confirm that Silo's database driver accepts it).
  # "disable" sends credentials and data in cleartext, so keep it to an
  # isolated internal network such as the Docker Compose one.
  sslmode: "require"  # Use "disable" for Docker Compose (internal network)
  max_connections: 10

storage:
  backend: "filesystem"
  filesystem:
    # NOTE(review): restrict this directory to the account the Silo service
    # runs as; it presumably holds all stored item data.
    root_dir: "/opt/silo/data"  # Override with SILO_STORAGE_ROOT_DIR env var

schemas:
  # Directory containing YAML schema files
  directory: "/etc/silo/schemas"
  # Default schema for new items
  default: "kindred-rd"

freecad:
  # URI scheme for "Open in FreeCAD" links
  uri_scheme: "silo"
  # Path to FreeCAD executable (for CLI operations)
  executable: "/usr/bin/freecad"

# Authentication
# Set enabled: true to require login. When false, all routes are open
# with a synthetic "dev" user (admin role).
# Treat enabled: false as a development-only setting: anyone who can reach
# the listener then acts with the admin role.
auth:
  enabled: false
  # Signing/secret material for sessions. Use a long random value that is
  # unique per deployment. How Silo behaves when this is empty while auth is
  # enabled is not shown here - verify before relying on a default.
  session_secret: ""  # Use SILO_SESSION_SECRET env var in production

  # Local accounts (username/password stored in Silo database)
  local:
    enabled: true
    # Default admin account created on first startup (if username and password are set)
    # The username is predictable, so the password is the only barrier:
    # choose a strong unique one and change it after the first login.
    default_admin_username: "admin"  # Use SILO_ADMIN_USERNAME env var
    default_admin_password: ""  # Use SILO_ADMIN_PASSWORD env var

  # LDAP / FreeIPA
  ldap:
    enabled: false
    # Keep the ldaps:// scheme so bind credentials travel over TLS.
    url: "ldaps://ipa.example.internal"
    base_dn: "dc=kindred,dc=internal"
    user_search_dn: "cn=users,cn=accounts,dc=kindred,dc=internal"
    # Optional service account for user search (omit for direct user bind)
    # If used, give the service account read-only search rights and nothing more.
    # bind_dn: "uid=silo-service,cn=users,cn=accounts,dc=kindred,dc=internal"
    # bind_password: ""  # Use SILO_LDAP_BIND_PASSWORD env var
    user_attr: "uid"
    email_attr: "mail"
    display_attr: "displayName"
    group_attr: "memberOf"
    # Map LDAP groups to Silo roles (checked in order: admin, editor, viewer)
    # Membership of the admin group grants the admin role in Silo, so control
    # who can modify these groups in the directory.
    role_mapping:
      admin:
        - "cn=silo-admins,cn=groups,cn=accounts,dc=kindred,dc=internal"
      editor:
        - "cn=silo-users,cn=groups,cn=accounts,dc=kindred,dc=internal"
        - "cn=engineers,cn=groups,cn=accounts,dc=kindred,dc=internal"
      viewer:
        - "cn=silo-viewers,cn=groups,cn=accounts,dc=kindred,dc=internal"
    # Keep false. true presumably disables certificate verification for the
    # LDAP connection, which would expose user passwords to interception;
    # trust the directory's CA on the host instead.
    tls_skip_verify: false

  # OIDC / Keycloak
  oidc:
    enabled: false
    issuer_url: "https://keycloak.example.internal/realms/silo"
    client_id: "silo"
    client_secret: ""  # Use SILO_OIDC_CLIENT_SECRET env var
    # Must match a redirect URI registered for this client at the identity
    # provider; register the exact URL rather than a wildcard pattern.
    redirect_url: "https://silo.example.internal/auth/callback"
    scopes: ["openid", "profile", "email"]
    # Map Keycloak realm roles to Silo roles
    admin_role: "silo-admin"
    editor_role: "silo-editor"
    # With this fallback, a user who authenticates without a matching role
    # claim still receives viewer access - confirm that every account in the
    # realm is meant to be able to read Silo data.
    default_role: "viewer"  # Fallback if no role claim matches

  # CORS origins (locked down when auth is enabled)
  # List only the exact origins that serve the Silo UI.
  cors:
    allowed_origins:
      - "https://silo.example.internal"