# StellaOps Authority configuration template.
# Copy to ../etc/authority.yaml (relative to the Authority content root)
# and adjust values to fit your environment. Environment variables
# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com

schemaVersion: 1

# Absolute issuer URI advertised to clients. Use HTTPS for anything
# beyond loopback development.
issuer: "https://authority.stella-ops.local"

# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
accessTokenLifetime: "00:15:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"

# MongoDB storage connection details.
storage:
  connectionString: "mongodb://localhost:27017/stellaops-authority"
  # databaseName: "stellaops_authority"
  commandTimeout: "00:00:30"

# Bootstrap administrative endpoints (initial provisioning).
bootstrap:
  enabled: false
  apiKey: "change-me"
  defaultIdentityProvider: "standard"

# Directories scanned for Authority plug-ins. Relative paths resolve
# against the application content root, enabling air-gapped deployments
# that package plug-ins alongside binaries.
pluginDirectories:
  - "../PluginBinaries/Authority"
  # "/var/lib/stellaops/authority/plugins"

# Plug-in manifests live in descriptors below; per-plugin settings are stored
# in the configurationDirectory (YAML files). Authority will load any enabled
# plugins and surface their metadata/capabilities to the host.
plugins:
  configurationDirectory: "../etc/authority.plugins"
  descriptors:
    standard:
      type: "standard"
      assemblyName: "StellaOps.Authority.Plugin.Standard"
      enabled: true
      configFile: "standard.yaml"
      capabilities:
        - password
        - bootstrap
        - clientProvisioning
      metadata:
        defaultRole: "operators"
    # Example for an external identity provider plugin. Leave disabled unless
    # the plug-in package exists under PluginBinaries/Authority.
    ldap:
      type: "ldap"
      assemblyName: "StellaOps.Authority.Plugin.Ldap"
      enabled: false
      configFile: "ldap.yaml"
      capabilities:
        - password
        - mfa

# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
# Keep the list tight: localhost is sufficient for most air-gapped installs.
bypassNetworks:
  - "127.0.0.1/32"
  - "::1/128"