silo/config.example.yaml

# Silo Configuration
# Copy to config.yaml and adjust for your environment

server:
  host: "0.0.0.0"
  port: 8080
  base_url: "http://localhost:8080"

database:
  host: "psql.kindred.internal"
  port: 5432
  name: "silo"
  user: "silo"
  password: "" # Use SILO_DB_PASSWORD env var
  sslmode: "require"
  max_connections: 10

storage:
  endpoint: "minio.kindred.internal:9000"
  access_key: "" # Use SILO_MINIO_ACCESS_KEY env var
  secret_key: "" # Use SILO_MINIO_SECRET_KEY env var
  bucket: "silo-files"
  use_ssl: true
  region: "us-east-1"

schemas:
  # Directory containing YAML schema files
  directory: "/etc/silo/schemas"
  # Default schema for new items
  default: "kindred-rd"

freecad:
  # URI scheme for "Open in FreeCAD" links
  uri_scheme: "silo"
  # Path to FreeCAD executable (for CLI operations)
  executable: "/usr/bin/freecad"

# Authentication
# Set enabled: true to require login. When false, all routes are open
# with a synthetic "dev" user (admin role).
auth:
  enabled: false
  session_secret: "" # Use SILO_SESSION_SECRET env var in production

  # Local accounts (username/password stored in Silo database)
  local:
    enabled: true
    # Default admin account created on first startup (if username and password are set)
    default_admin_username: "admin" # Use SILO_ADMIN_USERNAME env var
    default_admin_password: "" # Use SILO_ADMIN_PASSWORD env var

  # LDAP / FreeIPA
  ldap:
    enabled: false
    url: "ldaps://ipa.kindred.internal"
    base_dn: "dc=kindred,dc=internal"
    user_search_dn: "cn=users,cn=accounts,dc=kindred,dc=internal"
    # Optional service account for user search (omit for direct user bind)
    # bind_dn: "uid=silo-service,cn=users,cn=accounts,dc=kindred,dc=internal"
    # bind_password: ""  # Use SILO_LDAP_BIND_PASSWORD env var
    user_attr: "uid"
    email_attr: "mail"
    display_attr: "displayName"
    group_attr: "memberOf"
    # Map LDAP groups to Silo roles (checked in order: admin, editor, viewer)
    role_mapping:
      admin:
        - "cn=silo-admins,cn=groups,cn=accounts,dc=kindred,dc=internal"
      editor:
        - "cn=silo-users,cn=groups,cn=accounts,dc=kindred,dc=internal"
        - "cn=engineers,cn=groups,cn=accounts,dc=kindred,dc=internal"
      viewer:
        - "cn=silo-viewers,cn=groups,cn=accounts,dc=kindred,dc=internal"
    tls_skip_verify: false

  # OIDC / Keycloak
  oidc:
    enabled: false
    issuer_url: "https://keycloak.kindred.internal/realms/silo"
    client_id: "silo"
    client_secret: "" # Use SILO_OIDC_CLIENT_SECRET env var
    redirect_url: "https://silo.kindred.internal/auth/callback"
    scopes: ["openid", "profile", "email"]
    # Map Keycloak realm roles to Silo roles
    admin_role: "silo-admin"
    editor_role: "silo-editor"
    default_role: "viewer" # Fallback if no role claim matches

  # CORS origins (locked down when auth is enabled)
  cors:
    allowed_origins:
      - "https://silo.kindred.internal"