# Hermes Service Configuration for Nginx Deployment
# This configuration file controls security features when running behind Nginx

# Security settings
security:
  # Enable IP address checking
  enable_ip_check: false
  
  # List of allowed IP addresses or CIDR ranges
  # If empty, all IPs are allowed (when IP check is disabled)
  allowed_ips:
    - "127.0.0.1"
    - "::1"
    # - "192.168.1.0/24"
    # - "10.0.0.0/8"
  
  # Enable API key authentication
  enable_api_key: false
  
  # Authentication method: "header" or "bearer"
  auth_method: "header"
  
  # Header name for API key (used when auth_method is "header")
  api_key_header: "X-API-Key"
  
  # List of valid API keys
  # Each key can have a description and optional expiration
  api_keys:
    # - key: "your-api-key-here"
    #   description: "Main production key"
    #   expires_at: null  # null means never expires, or use ISO format: "2025-12-31T23:59:59Z"

# Nginx integration settings
nginx:
  # Trust X-Forwarded-For header from these proxies
  # Only set this if you're behind a trusted proxy like Nginx
  trusted_proxies:
    - "127.0.0.1"
    - "::1"
  
  # Enable real IP detection from X-Forwarded-For
  enable_real_ip: true

# Service settings
service:
  # Host to bind to (should be 127.0.0.1 when behind Nginx)
  host: "127.0.0.1"
  
  # Port to listen on
  port: 9120
  
  # Log level
  log_level: "info"

# CORS settings (usually handled by Nginx in production)
cors:
  allow_origins:
    - "*"
  allow_credentials: true
  allow_methods:
    - "*"
  allow_headers:
    - "*"