## 
## This is an example configuration for Zero-TOTP.
##

## If a value is commented out, the default value will be used.


api:
    ## The internal port the API will listen on. Default is 8080.
    # port: 8080

   

    ## Trusted proxy IP addresses.
    ## If the API is behind a reverse proxy, you must specify the IP addresses of the proxy.
    ## The API will trust the X-Forwarded-For header from these IP addresses.
    ## MAKE SURE TO CONTROL AT 100% THIS HEADER TO AVOID ANY IP SPOOFING. 
    ## Read this before anything else : https://esd.io/blog/flask-apps-heroku-real-ip-spoofing.html
    ## It can be IP or IP subnet
    #trusted_proxy:
        # - 192.168.9.5
        # - 10.80.3.0/24
        # - 2606:4700:4700::1111



    ## Absolute path to the API private key used to sign the vault to guarantee its authenticity.
    ## This must be a PEM encoded RSA private key.
    ## If the file does not exist, it will be generated at startup.
    private_key_path: "/api/secret/private.pem"

    ## Absolute path to the API public key used to verify vault the vault signature before opening it in the frontend.
    ## This must be a PEM encoded RSA public key.
    ## If the file does not exist, it will be generated at startup.
    public_key_path: "/api/secret/public.pem"

    ## Secret used to encrypt flask session.
    ## A random 128 alphanumeric string is required.
    flask_secret_key: "unsafe_secret"

    ## Server side encryption key used to encrypt data stored in the database that is not Encrypted by the ZKE flow
    ## A random 128 alphanumeric string is required.
    ## BE CAREFULL WITHOUT THIS KEY SOME OF SAVED DATA WILL BE UNREADABLE
    ## DO NOT LOOSE THIS KEY
    ## DO NOT COMPROMISE THIS KEY
    server_side_encryption_key: "unsafe_secret" 

    ## Configuration of google drive Oauth. 
    ## See https://developers.google.com/identity/protocols/oauth2 for more information.
    # oauth:
          ## See https://developers.google.com/identity/protocols/oauth2 for more information.
        # client_secret_file_path: "path/to/client_secret.json"

    ## Token validity in seconds.
    ## The access token is used to authenticate the user.
    ## Default: 10 minutes
    # session_token_validity: 600 # 10 minutes

    ## The refresh token is used to generate new access tokens.
    ## Default: 1day 
    # refresh_token_validity: 86400 

     ## Health check endpoint used to check if the API is running correctly.
    # health_check:
        ## Node name check. This check is used to determine which api node is answering API calls. 
        ## This is useful for load balancing. 
        ## The API will return the SHA256-HMAC(node_name, node_name_hmac_secret) in the response.
        # node_check_enabled: false 
        # node_name: "example" 
        # node_name_hmac_secret: "changeme"







environment:
  ## The environment the API is running in.
  ## This value is used to determine the logging level, CORS and other settings.
  ## Possible values are "local", "development" and "production".
  ## Running non production type can cause security issues.
    type: "production"
  ## DO NOT MODIFY THIS VALUE
  ## THIS VALUE IS AUTOMATICALLY GENERATED/UPDATED
  ## MODIFICATION OF THIS VALUE WILL CAUSE THE API TO FAIL OR NEVER START
    config_version: 1.0
   ## Domain used by your app. 
   ## This is used to enforce the security of the API.
   ## The API must be served over HTTPS.
   ## Only include the domain name, without the protocol or path.
   ## The domain MUST be the same as the one used in the frontend.
   ## If developing locally, use localhost and specify the port.
    domain : example.com

database:
    ## The URI of the database to connect to.
    ## The URI must be in the format of "mysql://user:password@host:port/db_name"
    database_uri: "mysql://user:password@host:port/db_name"



features:

    
    ## Email notifications configuration
    emails:
        ## Optional 
        ## Require email validation for new users.
        ## If set to true, users will have to validate their email address before they can use the service.
        ## If set to false, users will be able to use the service without validating their email address.
        require_email_validation: false

        ## Required if require_email_validation is set to true
        ## Configuration of the SMTP server used to send emails.
        # email_sender_address: "Zero-TOTP <zero-totp@example.com>"
        # email_smtp_server: "smtp.example.com"
        # email_smtp_port: 587
        # email_smtp_username: "username"
        # email_smtp_password: "password"

    ## Optional
    ## Configuration of the rate limiting protection
    #  rate_limiting:
        
        ## Max consecutives failed login per IP in 1h
        ## Default : 10
        # login_attempts_limit_per_ip: 10

        ## Ban time per IP in minutes
        ## Default : 15 min
        #  login_ban_time: 15



        ## Max email verification request per user in 1h
        ## Default : 5
        # send_email_attempts_limit_per_user: 5

        ## Email ban time per user in minutes
        ## Default : 60 min
        #  email_ban_time: 60
    

    ## Optional
    ## Sentry configuration to centralize error tracking
    ## Keep commented to disable
    #  sentry:
        ## Sentry DSN
        ## See https://docs.sentry.io/platforms/python/flask/ for more information.
        # dsn: ""

    ## Optional
    ## Default backup configuration for users
    ## Users can change their backup configuration in their settings
    ## The default configuration will be used if the user does not change it.
    #  default_backup_configuration:
        ## The minimum number of backups to keep no matter their age. 
        # backup_minimum_count: 20
        ## The minimum age of backups to keep in days (older backups will be deleted if the number of backups is above the minimum count see above).
        #  max_age_in_days: 30


    ## Optional
    ## Signup enabled 
    ## If set to false, the API will not allow new users to sign up. Existing users will still be able to log in.
    ## Default: true
    # signup_enabled: true

    ## Optional
    ## Google Drive automatic backup
    ## Allow the users to link their Google Drive account to the API and automatically backup their vaults.
    ## Follow the documentation to set up the Google Drive OAuth credentials.
    # google_drive_backup:
        ## Enable or disable the Google Drive automatic backup feature.
        ## Default: false
        # enabled: false

        ## The path to the client secret file used to authenticate with Google Drive.
        ## This file must be in JSON format and contain the OAuth credentials.
        ## See https://developers.google.com/identity/protocols/oauth2 for more information.
        # client_secret_file_path: ".secret/client_secret.json"


    ## Optional
    #ip_geolocation:
        ## Optional
        ## Enable or disable the IP geolocation feature.
        ## This feature is used to when sending email notification containing information about the login location.
        ## Default: false
        #enabled: false

        ## The path to the GeoLite2 database file used to lookup IP addresses.
        ## This file must be in MMDB format.
        ## See https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en for more information.
        #geoip_database_path: "path/to/GeoLite2-City.mmdb"