# Hermes Service Configuration for Nginx Deployment
# This configuration file controls security features when running behind Nginx

# Security settings
security:
  # Enable IP address checking
  enable_ip_check: true
  
  # List of allowed IP addresses or CIDR ranges
  # If empty, all IPs are allowed (when IP check is disabled)
  allowed_ips:
    - "127.0.0.1"
    - "::1"
    - "8.222.165.87"
    - "47.237.201.139"
  
  # Enable API key authentication
  enable_api_key: true
  
  # Authentication method: "header" or "bearer"
  auth_method: "header"
  
  # Header name for API key (used when auth_method is "header")
  api_key_header: "X-API-Key"
  
  # List of valid API keys
  # Each key can have a description and optional expiration
  api_keys:
    - key: "5ftyuvhfhi3345"
      description: "Production API key"
      expires_at: null  # null means never expires, or use ISO format: "2025-12-31T23:59:59Z"

# Nginx integration settings
nginx:
  # Trust X-Forwarded-For header from these proxies
  # Only set this if you're behind a trusted proxy like Nginx
  trusted_proxies:
    - "127.0.0.1"
    - "::1"
  
  # Enable real IP detection from X-Forwarded-For header
  enable_real_ip: false

# Service settings
service:
  # Host to bind to (should be 127.0.0.1 when behind Nginx)
  host: "127.0.0.1"
  
  # Port to listen on
  port: 9123
  
  # Log level
  log_level: "info"

# CORS settings (usually handled by Nginx in production)
cors:
  allow_origins:
    - "*"
  allow_credentials: true
  allow_methods:
    - "*"
  allow_headers:
    - "*"