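# mcias.conf.docker.example — Config template for container deployment
#
# Mount this file into the container at /etc/mcias/mcias.conf:
#
#   docker run -d \
#     --name mcias \
#     -v /path/to/mcias.conf:/etc/mcias/mcias.conf:ro \
#     -v /path/to/certs:/etc/mcias:ro \
#     -v mcias-data:/data \
#     -e MCIAS_MASTER_PASSPHRASE=your-passphrase \
#     -p 8443:8443 \
#     -p 9443:9443 \
#     mcias:latest
#
# Notes on the command above:
#   - A passphrase typed as `-e NAME=value` is recorded in shell history and
#     shows in the host process list while `docker run` starts. Passing
#     `-e MCIAS_MASTER_PASSPHRASE` with no value (inherited from the calling
#     environment) or using `--env-file` with an owner-only file avoids that.
#     Either way the value stays readable through `docker inspect`, so treat
#     access to the Docker daemon as access to the master passphrase.
#   - `-p 8443:8443` publishes the port on every host interface. Prefix a
#     host address (for example `-p 127.0.0.1:8443:8443`) to narrow it, and
#     publish 9443 only if gRPC clients outside the host need it.
#   - `latest` is a mutable tag; pin a specific version or image digest so a
#     redeploy cannot silently pull a different build.
#
# The container runs as uid 10001 (mcias). Ensure that:
#   - /data volume is writable by uid 10001
#   - TLS cert and key are readable by uid 10001
# Grant that access through ownership (owner-only mode on the key) rather
# than by making the private key world-readable on the host.
#
# TLS: The server performs TLS termination inside the container; there is no
# plain-text mode. Mount your certificate and key under /etc/mcias/.
# For Let's Encrypt certificates, mount the live/ directory read-only.

[server]
# 0.0.0.0 is needed so the published ports reach the process inside the
# container; host-side exposure is decided by the `-p` flags, not here.
listen_addr = "0.0.0.0:8443"
grpc_addr = "0.0.0.0:9443"
tls_cert = "/etc/mcias/server.crt"
tls_key = "/etc/mcias/server.key"

[database]
# VOLUME /data is declared in the Dockerfile; map a named volume here.
# The volume holds the service's database: restrict who can read the volume
# and its backups on the host.
path = "/data/mcias.db"

[tokens]
# Placeholder: replace with this deployment's own issuer URL.
issuer = "https://auth.example.com"
# 720h = 30 days, 8760h = 365 days. A stolen token stays usable until it
# expires unless it is revoked, so shorten these where the deployment allows.
default_expiry = "720h"
admin_expiry = "8h"
service_expiry = "8760h"

[argon2]
# Argon2 cost parameters. Lowering any of them makes offline guessing
# cheaper; raise them instead if the host has headroom.
time = 3
# NOTE(review): presumably KiB (65536 = 64 MiB), as in most Argon2
# libraries; confirm, and keep any container memory limit above this.
memory = 65536
threads = 4

[master_key]
# Pass the passphrase via the MCIAS_MASTER_PASSPHRASE environment variable.
# Set it with: docker run -e MCIAS_MASTER_PASSPHRASE=your-passphrase ...
# or with a Docker secret / Kubernetes secret.
# This key names the variable to read; it never holds the passphrase itself,
# so keep the real value out of this file and out of version control.
# NOTE(review): Docker secrets are delivered as files, not variables; this
# template shows only the env-var path, so confirm how a secret is surfaced
# into MCIAS_MASTER_PASSPHRASE before relying on that option.
passphrase_env = "MCIAS_MASTER_PASSPHRASE"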