# ──────────────────────────────────────────────────────────────
# Open TSA — Configuration Example
# ──────────────────────────────────────────────────────────────
# Copy this file to `.env` and adjust for your installation.
# Never commit the actual `.env` to version control.
# The real `.env` points at the CA material and the audit log, so
# keep it readable by the service user/group only (0640 or tighter).
# ──────────────────────────────────────────────────────────────

# ── Service binding ─────────────────────────────────────────
# The service listens on TSA_HOST:TSA_PORT.
# Default is localhost only — nginx/Apache reverse-proxies from
# the public interface. Do not bind to 0.0.0.0 in production.
TSA_HOST=127.0.0.1
TSA_PORT=3700

# ── Public-facing URL ───────────────────────────────────────
# Used in logs, health-check responses, and error messages.
# Should match the public HTTPS URL of your reverse proxy.
TSA_PUBLIC_URL=https://tsr.example.org

# ── CA hierarchy paths ──────────────────────────────────────
# Directory containing the 4-tier CA created by setup-ca.sh.
# The service only needs read access to the TSA signing tier.
# Root and intermediate tiers should stay unreadable to
# SERVICE_USER; only the TSA tier's key/cert/config under
# TSA_CONFIG need to be readable by the running service.
CA_DIR=/opt/open-tsa/ca
TSA_CONFIG=/opt/open-tsa/ca/tsa/openssl-tsa.cnf

# ── TSA policy OID ──────────────────────────────────────────
# Your own enterprise OID (allocated by IANA) or a sub-OID under
# an existing one. Must be present in your TSA certificate's
# `certificatePolicies` extension. Do NOT reuse another
# project's OID in production.
# Relying parties identify your issuing policy by this value, so
# it must be stable across the certificate's lifetime.
TSA_POLICY_OID=1.3.6.1.4.1.59085.1.1

# ── Operational parameters ──────────────────────────────────
# Maximum size of an incoming TimeStampRequest in bytes.
# Real-world TSQ payloads are 200–500 bytes. 64 KiB is generous.
# Keeping this small bounds the memory a single client can make
# the service allocate per request.
MAX_REQUEST_SIZE=65536

# Rate limit per source IP per minute (0 = disabled).
# NOTE(review): behind the reverse proxy every connection arrives
# from the proxy's own address. This limit is only per-client if
# the service takes the client IP from a header set by the trusted
# proxy (e.g. X-Forwarded-For) — confirm how the service derives
# it; otherwise the limit applies to the proxy as a whole.
RATE_LIMIT_PER_MINUTE=60

# ── Logging ─────────────────────────────────────────────────
# Levels: error, warn, info, debug
# `debug` is for troubleshooting only; treat debug output as
# potentially containing request details and do not leave it on
# in production.
LOG_LEVEL=info

# Log destination: stdout (recommended with systemd/journald)
# or absolute path to log file.
LOG_DESTINATION=stdout

# ── Audit log ───────────────────────────────────────────────
# Path to the append-only audit log of issued tokens.
# One JSON line per timestamp with: timestamp, serial, hash,
# client IP, response size. Used for transparency reporting.
# Client IPs are personal data in many jurisdictions: restrict the
# file to SERVICE_USER/SERVICE_GROUP and agree a retention period.
# "Append-only" describes how the service writes it; whether the
# filesystem enforces append-only is a deployment decision.
AUDIT_LOG=/var/log/open-tsa/audit.jsonl

# ── Metrics endpoint ────────────────────────────────────────
# Prometheus-compatible metrics on /metrics. Bound to TSA_HOST.
# Disable in environments where this would be exposed publicly.
# With the default TSA_HOST this is reachable only locally; do not
# add a reverse-proxy location for /metrics unless it is limited
# to the monitoring network.
METRICS_ENABLED=true

# ── Health endpoint ─────────────────────────────────────────
# Path of the health-check endpoint. Returns 200 + JSON with
# version, openssl version, and current load.
# The response discloses software versions, so restrict this path
# at the reverse proxy to monitoring hosts rather than serving it
# to the public.
HEALTH_PATH=/health

# ── OpenSSL binary ──────────────────────────────────────────
# Path to the OpenSSL 3.x binary. Leave as `openssl` to use the
# system default; override if multiple versions are installed.
# A bare name is resolved through the service's PATH at runtime;
# an absolute path makes the binary used for signing explicit and
# independent of how the service environment sets PATH.
OPENSSL_BIN=openssl

# ── Service user / group ────────────────────────────────────
# Used by setup-ca.sh to set permissions on the TSA tier.
# The Node.js service must run under this user.
# Use a dedicated, unprivileged account; the same user should own
# AUDIT_LOG and be able to read TSA_CONFIG, and nothing more.
SERVICE_USER=nodejs
SERVICE_GROUP=nodejs

# ── End of configuration ────────────────────────────────────