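# KMS Service Configuration Example
# Copy to kms.toml and configure for your environment.
#
# Notes for anyone copying this file:
#   - Never put a real token into kms.toml; supply it through the environment
#     variables listed at the bottom of this file.
#   - TOML has no variable expansion. "${RUSTYVAULT_TOKEN}" below is a plain
#     string that the application loader is expected to substitute; if the
#     loader does not, that literal string is what gets sent as the token.
#     Prefer leaving `token` unset and exporting RUSTYVAULT_TOKEN instead.

# ============================================================================
# RustyVault Backend Example (Self-hosted, Vault-compatible)
# ============================================================================
[kms]
type = "rustyvault"
# Plain HTTP is acceptable only for a RustyVault instance on the same host:
# every request to the transit engine carries the token and the data being
# encrypted or decrypted. Use https:// for anything reachable over a network.
# `tls_verify` has no effect on an http:// URL.
server_url = "http://localhost:8200"
token = "${RUSTYVAULT_TOKEN}"  # Set via environment variable (see note above)
mount_point = "transit"
key_name = "provisioning-main"
# Keep true. Disabling certificate verification lets an on-path attacker
# capture the token and the transit payloads.
tls_verify = true

# ============================================================================
# Vault Backend Example (HashiCorp Vault)
# ============================================================================
# [kms]
# type = "vault"
# address = "https://vault.example.com:8200"
# token = "${VAULT_TOKEN}"  # Set via environment variable (same caveat as above)
# mount_point = "transit"
# namespace = "provisioning"  # Optional: Vault namespace
# auto_renew_token = true

# ============================================================================
# AWS KMS Backend Example
# ============================================================================
# [kms]
# type = "aws-kms"
# region = "us-east-1"
# key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
# Optional. Prefer the instance/task role, or this assumed role, over static
# access keys (AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY) in the environment.
# assume_role = "arn:aws:iam::123456789012:role/provisioning-kms"

# ============================================================================
# Service Configuration
# ============================================================================
[service]
# This example binds to loopback. The application default (KMS_BIND_ADDR,
# listed below) is 0.0.0.0:8081, i.e. every interface. Nothing in this file
# configures client authentication for the service API, so only widen the
# bind address with [tls] enabled and network access restricted to the
# intended callers.
bind_addr = "127.0.0.1:8081"
log_level = "info"
audit_logging = true
# Relative to the process working directory. In production use an absolute
# path on a volume with restricted permissions, so the audit trail cannot be
# redirected or lost by starting the service from a different directory.
audit_log_path = "./logs/kms-audit.log"

# ============================================================================
# TLS Configuration (Recommended for Production)
# ============================================================================
[tls]
enabled = true
cert_path = "/etc/kms-service/certs/server.crt"
# The private key should be readable by the service user only (e.g. mode 0600).
key_path = "/etc/kms-service/certs/server.key"

# ============================================================================
# Rate Limiting (Optional)
# ============================================================================
[rate_limit]
enabled = true
# Whether this limit is global or per client is not stated here; confirm
# against the service before relying on it to throttle abusive callers.
requests_per_minute = 1000

# ============================================================================
# Environment Variables
# ============================================================================
# The following environment variables are supported:
#
# General:
#   KMS_CONFIG_PATH         - Path to configuration file (default: provisioning/config/kms.toml)
#   KMS_BACKEND             - Backend type: rustyvault, vault, or aws-kms (default: rustyvault)
#   KMS_BIND_ADDR           - Bind address (default: 0.0.0.0:8081; see [service] above)
#
# RustyVault:
#   RUSTYVAULT_ADDR         - RustyVault server address (default: http://localhost:8200)
#   RUSTYVAULT_TOKEN        - RustyVault authentication token (required)
#   RUSTYVAULT_MOUNT_POINT  - Transit engine mount point (default: transit)
#   RUSTYVAULT_KEY_NAME     - Key name to use (default: provisioning-main)
#   RUSTYVAULT_TLS_VERIFY   - Verify TLS certificates (default: true; do not disable)
#
# Vault (HashiCorp):
#   VAULT_ADDR              - Vault server address
#   VAULT_TOKEN             - Vault authentication token (required)
#   VAULT_MOUNT_POINT       - Transit engine mount point (default: transit)
#   VAULT_NAMESPACE         - Vault namespace (optional)
#   VAULT_AUTO_RENEW        - Auto-renew token (default: true)
#
# AWS KMS:
#   AWS_REGION              - AWS region (default: us-east-1)
#   AWS_KMS_KEY_ID          - KMS key ARN (required)
#   AWS_ASSUME_ROLE_ARN     - IAM role to assume (optional)
#   AWS_ACCESS_KEY_ID       - AWS access key (optional, uses default credentials)
#   AWS_SECRET_ACCESS_KEY   - AWS secret key (optional, uses default credentials)
#   Static access keys are a last resort: they are long-lived and end up in
#   shell history and process environments. Prefer the default credential
#   chain (instance/task role) or AWS_ASSUME_ROLE_ARN.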