# Metacrypt production configuration
# Copy to /srv/metacrypt/metacrypt.toml and adjust for your environment.

[server]
# Address to listen on. Use "0.0.0.0:8443" to listen on all interfaces.
listen_addr = ":8443"

# TLS certificate and key. Metacrypt always terminates TLS.
tls_cert = "/srv/metacrypt/certs/server.crt"
tls_key  = "/srv/metacrypt/certs/server.key"

[database]
# SQLite database path. Created automatically on first run.
# The directory must be writable by the metacrypt user.
path = "/srv/metacrypt/metacrypt.db"

[mcias]
# MCIAS server URL for authentication.
server_url = "https://mcias.metacircular.net:8443"

# CA certificate for verifying the MCIAS server's TLS certificate.
# Omit if MCIAS uses a publicly trusted certificate.
# ca_cert = "/srv/metacrypt/certs/mcias-ca.crt"

[seal]
# Argon2id parameters for key derivation.
# These are applied during initialization and stored alongside the encrypted
# master key. Changing them here after init has no effect.
#
# Defaults are tuned for server hardware (3 iterations, 128 MiB, 4 threads).
# Increase argon2_memory on machines with more RAM for stronger protection.
# argon2_time    = 3
# argon2_memory  = 131072   # KiB (128 MiB)
# argon2_threads = 4

[log]
# Log level: debug, info, warn, error
level = "info"