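# SecretumVault Configuration Example
# Copy this file to svault.toml and customize for your environment.
#
# NOTE(review): TOML itself has no variable substitution. Values written as
# "${VAR}" below are literal strings unless SecretumVault expands them at load
# time -- confirm that behaviour before relying on it for credentials.

[vault]
# Crypto backend: "openssl" | "aws-lc" | "rustcrypto"
crypto_backend = "openssl"

[server]
# Listen address and port.
# SECURITY: "0.0.0.0" binds every interface. Tokens and secret material travel
# in the request/response bodies, so do not expose a non-loopback address
# without enabling the TLS settings below (or terminating TLS in front of it).
# Use "127.0.0.1:8200" for a local-only deployment.
address = "0.0.0.0:8200"

# TLS Configuration (optional in syntax, required for any non-loopback listener)
# tls_cert = "/etc/secretumvault/tls/cert.pem"
# tls_key = "/etc/secretumvault/tls/key.pem"
# tls_client_ca = "/etc/secretumvault/tls/ca.pem"  # For mTLS: clients must present a certificate signed by this CA

# Seconds before an in-flight request is aborted
request_timeout_secs = 30

[storage]
# Storage backend: "filesystem" | "surrealdb" | "etcd" | "postgresql"
backend = "filesystem"

[storage.filesystem]
# Path for filesystem storage.
# NOTE(review): this example sets no ownership or permissions for the data
# directory; restrict it to the vault's service user (e.g. mode 0700) at
# deploy time.
path = "/var/lib/secretumvault/data"

# Example SurrealDB configuration
# "ws://" is an unencrypted transport -- switch to "wss://" when the database
# is not on the same host.
# [storage.surrealdb]
# endpoint = "ws://localhost:8000"
# namespace = "vault"
# database = "production"
# username = "vault"
# password = "${SURREAL_PASSWORD}"  # keep the password out of this file; see the substitution note at the top

# Example PostgreSQL configuration
# [storage.postgresql]
# url = "${DATABASE_URL}"  # credentials live in the URL; same substitution caveat applies

[crypto]
# OpenSSL specific configuration
[crypto.openssl]
# No specific options for OpenSSL backend

# AWS-LC specific configuration (if using aws-lc backend)
# [crypto.aws_lc]
# enable_pqc = false
# hybrid_mode = true

[seal]
# Seal mechanism: "shamir" | "auto" | "transit"
seal_type = "shamir"

# Shamir Secret Sharing configuration
[seal.shamir]
shares = 5      # Total number of key shares
threshold = 3   # Minimum shares needed to unseal; must be <= shares, and > 1 or a single holder can unseal alone

# Auto-unseal with KMS (optional)
# [seal.auto]
# unseal_type = "aws-kms"
# key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
# region = "us-east-1"

[auth.cedar]
# Cedar policy configuration
# policies_dir = "/etc/secretumvault/policies"
# entities_file = "/etc/secretumvault/entities.json"

[auth.token]
# Token TTL in seconds
default_ttl = 3600  # 1 hour
max_ttl = 86400     # 24 hours; upper bound a caller can request

[engines]
# Configure secrets engines with mount paths

# KV Engine (Key-Value secrets)
[engines.kv]
path = "/secret/"
versioned = true

# Transit Engine (Encryption as a Service)
[engines.transit]
path = "/transit/"

# PKI Engine (Certificate Authority)
# [engines.pki]
# path = "/pki/"

# Database Engine (Dynamic secrets)
# [engines.database]
# path = "/database/"

[logging]
# Log level: "trace" | "debug" | "info" | "warn" | "error"
# NOTE(review): confirm that "debug"/"trace" never echo secret material
# before enabling them outside development.
level = "info"

# Log format: "json" | "pretty"
format = "json"

# Optional: log file path
# output = "/var/log/secretumvault/vault.log"

# Use ANSI colors in logs.
# Kept off: escape codes embedded in "json" output (or a log file) break
# downstream parsers. Only enable together with format = "pretty" on a terminal.
ansi = false

[telemetry]
# Prometheus metrics port (optional)
# prometheus_port = 9090

# Enable distributed tracing
enable_trace = false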