extenddb.sample.toml
# Copyright 2026 ExtendDB contributors
# SPDX-License-Identifier: Apache-2.0
# extenddb configuration — sample template
#
# Copy this file to extenddb.toml and edit as needed.
# Or run `extenddb init` to generate one automatically.
#
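# SECURITY: This file may contain the encryption key for credential storage,
# and connection_string embeds the PostgreSQL password.
# Set permissions to 0600 (owner read/write only): chmod 600 extenddb.toml
# The server refuses to start if the permissions are more permissive than that.
# Keep the edited extenddb.toml out of version control; share only this sample.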
#
# All values shown are defaults. Uncomment and change to override.
#
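# Environment variable overrides use the EXTENDDB__ prefix with __ as separator:
# EXTENDDB__SERVER__PORT=9000
# EXTENDDB__STORAGE__POSTGRES__CONNECTION_STRING="postgresql://..."
# A connection string supplied this way stays out of this file, but it is then
# readable from the process environment, so restrict who can inspect it.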
# Path to the rendered documentation directory (HTML + PDF files).
# Generated by `python3 docs/build-docs.py`. When set, the web console
# serves documentation at /console/docs. When absent, the docs routes
# show a "not configured" message.
# `extenddb init` auto-discovers this directory if it exists.
# docs_dir = "/path/to/docs/rendered"
[server]
# Listener settings. The DynamoDB API and the management console at /console/
# share this bind address and port, so widening bind_addr exposes both.
# bind_addr = "127.0.0.1" # Network interface to bind (default: localhost only)
# port = 8000 # Listening port; TLS is mandatory (see [server.tls])
# region = "us-east-1" # AWS region for ARN generation
# run_dir = "~/.extenddb/run" # Directory for PID file (~ is expanded to $HOME)
[storage]
# backend = "postgres" # Storage backend (only "postgres" supported)
[storage.postgres]
# Connection string points to the CATALOG database.
# The catalog stores table metadata and the data database connection info.
# Multiple independent catalogs can coexist on one PostgreSQL instance.
# The default below embeds the password "extenddb-local-dev", which is
# published in this sample: change it before the database is reachable by
# anyone else. It also sets no sslmode (the production example at the end of
# this file uses sslmode=require).
# connection_string = "postgresql://extenddb:extenddb-local-dev@localhost:5432/extenddb_catalog"
#
# pool_size: maximum concurrent database connections for DynamoDB data
# operations. Default: 20. Minimum: 10 (smaller values are clamped with a
# startup warning).
# pool_size = 20
#
# Total PostgreSQL connections used: pool_size + catalog_pool_size + 1
# (the +1 is the log-level poller). Increase for higher concurrency; ensure
# PostgreSQL max_connections >= pool_size + catalog_pool_size + 1.
#
# catalog_pool_size: maximum concurrent connections for the management/catalog
# pool (authz, IAM, console). Defaults to pool_size if not set. Minimum: 10
# (smaller values are clamped with a startup warning). With auth enabled, each
# DynamoDB request makes concurrent authz queries — size this to match
# expected concurrency.
# catalog_pool_size = 20
[auth]
# Auth provider. The value described here is:
#   "builtin" — SigV4 verification with local credential store and IAM
#               policy evaluation.
# Authentication is mandatory. The server refuses to start with
# provider = "none". Run `extenddb init` to create the encryption key and
# admin user before first start.
# provider = "builtin"
#
# Management web console is served at /console/ on the same port as the
# DynamoDB API. No separate configuration needed — it uses the same bind
# address and port as [server]. The console requires auth.provider = "builtin"
# (it authenticates against the admin_users and iam_users tables).
#
# Provisioned throughput throttling via in-memory token buckets.
# When enabled, tables with provisioned capacity are rate-limited to their
# configured RCU/WCU. On-demand tables use default ceilings (12,000 RCU /
# 4,000 WCU). Account-level aggregate limits also apply.
# Disabled by default — enable for production-like behavior.
# NOTE(review): at this position the key parses as auth.throttling_enabled if
# uncommented, because [auth] is the open table — confirm which table the
# server reads it from before enabling.
# throttling_enabled = false
[server.tls]
# TLS is mandatory. The server refuses to start with enabled = false.
# NOTE(review): `enabled` is referenced here but not listed among the defaults
# below; presumably it defaults to true — confirm.
# cert_path = "~/.extenddb/tls/cert.pem" # PEM certificate file
# key_path = "~/.extenddb/tls/key.pem" # PEM private key file
# The private key file should be readable only by the account that runs
# extenddb.
# `extenddb init` generates a self-signed certificate automatically.
# Clients have to trust that certificate explicitly to verify it; turning off
# certificate verification on the client removes protection against
# interception.
# Replace with a CA-signed certificate for production use.
[limits]
# All defaults match real DynamoDB limits.
# Override only for testing edge cases; with a changed limit the server no
# longer matches real DynamoDB for that check.
#
# max_attribute_name_bytes = 65535 # REQ-LIM-004: 64 KB (65535 bytes, i.e. 64 KiB - 1)
#
# Preview extension: allow multi-part (composite) keys on base tables.
# GSIs always support multi-part keys regardless of this setting.
# allow_multipart_table_keys = false
[logging]
# Verbosity and line format of log records; the destination is not
# configurable here (see below).
# level = "info" # Log level: trace, debug, info, warn, error
# format = "pretty" # Log format: "pretty" (human) or "json" (structured)
#
# Logging output is determined by the launch mode:
#   extenddb serve → syslog (facility: daemon, ident: extenddb)
#   Read logs with: journalctl -t extenddb
# No configuration needed — output always goes to syslog.
# Import/Export file operations are disabled by default (secure default).
# Configure allowed directories separately for imports and exports.
# All file paths are canonicalized and must resolve under one of the
# configured roots. Symlinks escaping a root are rejected.
#
# [import]
# paths = ["/var/lib/extenddb/imports", "/mnt/shared/data"]
#
# [export]
# paths = ["/var/lib/extenddb/exports"]
#
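# NOTE: in TOML a key belongs to the most recent [table] header above it.
# max_import_bytes and import_export_root are shown here without a header of
# their own, so confirm which table the server expects each one in before
# uncommenting them.
# max_import_bytes = 10737418240 # 10 GB default
#
# Deprecated: import_export_root sets a single root for both import and
# export. If [import]/[export] sections are present, import_export_root
# is ignored.
# import_export_root = "/var/lib/extenddb/data"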
# Runtime settings are managed via `extenddb settings set <key> <value>`, not this file.
# See docs/getting-started.md for available runtime settings and their defaults.
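# --- Production Configuration Example ---
# Adapt the following for production deployments. The [server], [server.tls],
# [storage.postgres], [auth] and [logging] headers already appear above and
# TOML rejects a table that is defined twice, so copy these values under the
# existing headers (or into a fresh file) instead of uncommenting this block
# in place.
# bind_addr = "0.0.0.0" listens on every interface and exposes the DynamoDB
# API and the /console/ management UI together; limit who can reach the port
# with a firewall or bind to one specific interface address.
# sslmode=require, in libpq semantics, encrypts the PostgreSQL connection but
# does not verify the server certificate; check whether the PostgreSQL client
# used by extenddb accepts a verifying mode such as verify-full.
#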
# [server]
# bind_addr = "0.0.0.0"
# port = 8000
#
# [server.tls]
# cert_path = "/etc/extenddb/tls/cert.pem"
# key_path = "/etc/extenddb/tls/key.pem"
#
# [storage.postgres]
# connection_string = "postgresql://extenddb:<password>@db.example.com:5432/extenddb_catalog?sslmode=require"
# pool_size = 50
# catalog_pool_size = 50
#
# [auth]
# provider = "builtin"
#
# [logging]
# level = "info"
# format = "json"