# Drexa Backend Configuration # Copy this file to config.yaml and adjust values for your environment. server: port: 8080 database: postgres_url: postgres://user:password@localhost:5432/drexa?sslmode=disable jwt: issuer: drexa audience: drexa-api # Secret key can be provided via (in order of precedence): # 1. JWT_SECRET_KEY environment variable (base64 encoded) # 2. secret_key_base64 below (base64 encoded) # 3. secret_key_path below (file with base64 encoded content) # secret_key_base64: "base64encodedkey" secret_key_path: /run/secrets/jwt_secret_key storage: # Mode: "flat" (UUID-based keys) or "hierarchical" (path-based keys) # Note: S3 backend only supports "flat" mode mode: flat # Backend: "fs" (filesystem) or "s3" (not yet implemented) backend: fs # Required when backend is "fs" root_path: /var/lib/drexa/blobs # Required when backend is "s3" # bucket: my-drexa-bucket cookie: # Domain for cross-subdomain auth cookies. # Set this when frontend and API are on different subdomains (e.g., "app.com" for web.app.com + api.app.com). # Leave empty for same-host cookies (localhost, single domain). # domain: app.com # Secure flag for cookies. If not set, automatically determined from request protocol (true for HTTPS, false for HTTP). # Set explicitly to override automatic detection (useful for local development with HTTPS). # secure: false cors: # Allowed origins for cross-origin requests. # Required when frontend and API are on different domains. # If not specified, CORS will be restrictive (only same-origin requests allowed). # Example for cross-domain setup: # allow_origins: # - http://localhost:3000 # - https://app.example.com # Allow credentials (cookies, authorization headers) in cross-origin requests. # Should be true when using cookies for authentication in cross-domain setups. # Note: When allow_credentials is true, you must explicitly specify allow_origins # (wildcard "*" is not allowed with credentials for security reasons). # allow_credentials: true