config-database-prod.yaml

# Example configuration for production deployment with PostgreSQL database
#
# This configuration demonstrates production-ready PostgreSQL setup with:
#   - Two-user security model (separate users for operations and migrations)
#   - pgpass file for secure password management
#   - SSL enabled with full certificate verification
#   - Optimized connection pool settings
#   - Appropriate sync intervals
#
# Two-User Security Model:
# This configuration uses two separate database users for enhanced security:
#   - thv_production_user: Application user with limited privileges
#     (SELECT, INSERT, UPDATE, DELETE on application tables)
#   - thv_production_migrator: Migration user with elevated privileges
#     (CREATE, ALTER, DROP for schema changes)
#
# Security Considerations:
#   - Use pgpass file with restricted permissions (chmod 600)
#   - Mount pgpass file from secrets management system (e.g., Kubernetes Secret)
#   - Use SSL/TLS with certificate verification (sslMode: verify-full)
#   - Regularly rotate database credentials
#   - Migration user should only be accessible during deployment/startup
#
# Prerequisites:
#   1. PostgreSQL server with SSL/TLS enabled
#   2. Database created with proper permissions
#   3. Both users created with appropriate privileges
#   4. pgpass file created at /run/secrets/pgpass (or similar secure location)
#   5. SSL certificates configured if using verify-ca or verify-full
#
# pgpass file format (/run/secrets/pgpass):
#   db.production.example.com:5432:toolhive_registry:thv_production_user:secure_app_password
#   db.production.example.com:5432:toolhive_registry:thv_production_migrator:secure_migration_password
#
# Usage:
#   # Set PGPASSFILE to point to the pgpass file
#   export PGPASSFILE=/run/secrets/pgpass
#   # Start server (migrations run automatically)
#   thv-registry-api serve --config examples/config-database-prod.yaml
#
# Note: Database migrations run automatically when the server starts

# Sources configuration (can have multiple sources)
sources:
  - name: toolhive

    # Git repository configuration
    git:
      repository: https://github.com/stacklok/toolhive-catalog.git
      # Use a specific tag for production stability
      tag: v1.0.0
      path: pkg/catalog/toolhive/data/registry-legacy.json

    # Per-registry automatic synchronization policy
    syncPolicy:
      # Less frequent syncs for production to reduce load
      interval: "1h"

    # Optional: Per-registry filter configuration to ensure only stable servers
    filter:
      tags:
        include:
          - "production"
          - "stable"
        exclude:
          - "experimental"
          - "beta"
          - "alpha"

registries:
  - name: default
    sources: ["toolhive"]

auth:
  mode: anonymous

# PostgreSQL database configuration for production
# Uses two-user security model: separate users for operations and migrations
database:
  # Production database server
  # Can be a managed service (e.g., RDS, Cloud SQL) or self-hosted
  host: db.production.example.com
  port: 5432

  # Application user (limited privileges for runtime operations)
  # Credentials provided via pgpass file
  user: thv_production_user

  # Migration user (elevated privileges for schema changes)
  # Used only during startup to run migrations
  # Credentials provided via pgpass file
  migrationUser: thv_production_migrator

  # Database name
  database: toolhive_registry

  # SSL mode for production (use verify-full for maximum security)
  # Options:
  #   - require: Require SSL but don't verify certificates
  #   - verify-ca: Verify server certificate against CA
  #   - verify-full: Verify certificate and hostname (RECOMMENDED)
  sslMode: verify-full

  # Connection pool settings optimized for production
  # Adjust based on your workload and database capacity
  maxOpenConns: 25
  maxIdleConns: 5
  connMaxLifetime: "1h"