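# NATS config for kez-chat home server.
#
# - Native NATS protocol on 4222 for CLI clients (TLS terminated by your
#   reverse proxy in production).
# - WebSocket on 8443 for the browser SPA. Also TLS-terminated upstream.
# - JetStream on for offline message buffering (durable consumers).
# - auth_callout points at our chat-server's /internal/nats/auth endpoint.
#   The chat-server is the source of truth for which nkeys are allowed
#   to connect and what subjects they can publish/subscribe to.
#
# SECURITY STATUS (v0.1): no client authentication is configured (see the
# commented-out authorization block at the bottom). Every connection that
# reaches 4222 or 8443 gets unrestricted pub/sub on all subjects and full
# JetStream admin (create/delete/purge streams and consumers). Do not make
# either listener reachable beyond the reverse proxy until v0.2 lands.

# Standard NATS listener (CLI clients use this).
# Plaintext on the wire; the proxy in front of it is what provides TLS.
# 0.0.0.0 means every host/container that can route to this machine can
# connect -- not only the proxy -- so keep it on a private network segment
# or restrict it with a firewall / container network policy.
listen: 0.0.0.0:4222

# WebSocket listener (browser SPA uses this via nats.ws).
websocket {
  port: 8443
  # The server will not bring up a WebSocket listener without TLS unless this
  # is set. Only acceptable because TLS is terminated by the Cloudflare
  # tunnel / reverse proxy; the hop from the proxy to this port is plaintext,
  # so that hop must stay on loopback or a private network.
  no_tls: true
}

# Persistent storage for durable consumers (offline buffering).
jetstream {
  store_dir: /data/jetstream
  max_mem: 1G
  max_file: 10G
}

# Monitoring / healthcheck (/healthz, /varz, /connz, /subsz, /jsz, ...).
# The monitoring endpoint has no authentication of its own and exposes client
# IPs, subscription subjects and stream metadata, so bind it to loopback
# instead of every interface (a bare `http_port` listens on 0.0.0.0).
# A healthcheck running on this host / inside this container
# (`curl -f http://127.0.0.1:8222/healthz`) still works; an external scraper
# should reach it through an authenticated proxy rather than directly.
http: 127.0.0.1:8222

# Auth callout: COMMENTED OUT for v0.1.
#
# When the chat-server's NATS auth callout endpoint is implemented in
# v0.2, we'll generate real nkeys with `nsc` and put this block back.
# Until then, NATS runs without auth. The assumptions this rests on, and
# why each is weaker than it looks:
#   - "Behind a Cloudflare tunnel, not directly internet-exposed": a tunnel
#     *is* an internet ingress -- that is its purpose. Unless the tunnel's
#     hostname is gated by a Cloudflare Access policy, anyone on the
#     internet can open a WebSocket to 8443 and gets full unauthenticated
#     access. Confirm the Access policy exists before relying on this, and
#     remember the tunnel does nothing for 4222, which is reachable from
#     the local network regardless.
#   - "No KEZ client exists yet": any NATS client works (nats CLI, nats.ws,
#     any language SDK); absence of *our* client is not an access control.
#   - "/internal/nats/auth is a 501 stub, so callout would fail anyway":
#     true, but that argues for not enabling auth_callout yet, not for
#     running with no auth at all. A static `authorization { users [...] }`
#     entry (nkey or token) would already close the gap for v0.1.
#
# Re-enable in v0.2 with real nkeys. Notes for whoever fills this in:
#   - `issuer` is the public nkey whose signature NATS expects on the user
#     JWTs returned by the callout service; the private half lives only in
#     the chat-server.
#   - `auth_users` lists the user(s) the callout service itself connects as.
#     They are exempt from the callout and must also be defined in
#     `authorization.users` (in `account`) so the service can connect.
#   - `account` is the account the callout service lives in.
#   - Leaving `issuer`/`auth_users` as empty strings is a placeholder only;
#     do not uncomment the block until both are filled in.
#
# authorization {
#   auth_callout {
#     issuer: ""
#     auth_users: [""]
#     account: "DEFAULT"
#   }
# }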