# Vault Service - Enterprise Mode Configuration
# Production HA, etcd cluster backend, full security

let vault_schema = import "../schemas/vault-service.ncl" in

{
  vault | vault_schema.VaultServiceConfig = {
    server = {
      host = "0.0.0.0",
      port = 8200,
      workers = 16,
      keep_alive = 75,
      max_connections = 500,
    },

    storage = {
      backend = "etcd",
      path = "/var/lib/provisioning/vault/data",
      encryption_key_path = "/var/lib/provisioning/vault/master.key",
    },

    vault = {
      server_url = "https://vault-ha:8200",
      storage_backend = "etcd",
      deployment_mode = "Service",
      mount_point = "transit",
      key_name = "provisioning-enterprise",
      tls_verify = true,
      tls_ca_cert = "/etc/vault/ca.crt",
    },

    ha = {
      enabled = true,
      mode = "raft",
    },

    security = {
      encryption_algorithm = "aes-256-gcm",
      key_rotation_days = 30,
    },

    monitoring = {
      enabled = true,
      metrics_interval = 30,
    },

    logging = {
      level = "info",
      format = "json",
    },
  },
}