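# SPIRE Server configuration with Guildhouse plugins.
#
# This is a reference configuration — adapt paths and addresses for your cluster.
# See docs/deployment.md for full deployment instructions.
#
# Layout: `server` holds the core server settings; `plugins` holds one entry
# per plugin type. The Guildhouse plugins are external binaries (plugin_cmd).

server:
  # Listens on every interface. Restrict who can reach this port with
  # network policy or a narrower bind address where the deployment allows it.
  bind_address: 0.0.0.0
  bind_port: 8081
  # Holds the SQLite datastore configured below; keep this directory readable
  # only by the account the server runs as.
  data_dir: /var/lib/spire/server
  log_level: INFO
  # Example value. It is repeated in each Guildhouse plugin_data block below,
  # so change all occurrences together.
  trust_domain: guildhouse.example.org
  ca_ttl: 24h
  # Short SVID lifetimes bound how long a leaked credential stays usable.
  default_x509_svid_ttl: 1h
  default_jwt_svid_ttl: 5m

plugins:
  DataStore:
    sql:
      plugin_data:
        # A single local file: registration state lives only on this node.
        # Back it up, and use a shared database type if more than one server
        # instance is run.
        database_type: sqlite3
        connection_string: /var/lib/spire/server/datastore.sqlite3

  NodeAttestor:
    k8s_psat:
      plugin_data:
        clusters:
          guildhouse:
            # namespace:serviceaccount pairs allowed to attest as agents.
            # Keep this list as narrow as possible; every entry can obtain
            # an agent identity.
            service_account_allow_list:
              - 'spire:spire-agent'

  KeyManager:
    # Guildhouse Substrate KeyManager — governance-aware key management.
    guildhouse_substrate:
      # External plugin binary launched by the server. Make sure the path is
      # not writable by unprivileged users, and pin the binary with SPIRE's
      # optional plugin_checksum setting:
      # plugin_checksum: "<sha256-of-plugin-binary>"
      plugin_cmd: /opt/spire/plugins/substrate-keymanager
      plugin_data:
        trust_domain: guildhouse.example.org
        # NOTE(review): no TLS or authentication settings for these endpoints
        # are visible in this file — confirm how the plugin secures them.
        governance_addr: governance.quartermaster.svc.cluster.local:50051
        notary_addr: notary.quartermaster.svc.cluster.local:50051
        cluster_id: guildhouse-prod

  CredentialComposer:
    # Guildhouse SSH Credential Composer — SSH certificate + Shellstream extensions.
    guildhouse_ssh:
      # External plugin binary; same path-permission and plugin_checksum
      # advice as for the KeyManager plugin applies.
      # plugin_checksum: "<sha256-of-plugin-binary>"
      plugin_cmd: /opt/spire/plugins/ssh-credential-composer
      plugin_data:
        trust_domain: guildhouse.example.org
        governance_addr: governance.quartermaster.svc.cluster.local:50051
        # default_cert_ttl is the lifetime used when none is requested;
        # max_cert_ttl presumably caps requested lifetimes — verify against
        # the plugin's documentation.
        default_cert_ttl: 5m
        max_cert_ttl: 1h

  Notifier:
    # Guildhouse Governance Notifier — credential lifecycle → governance events.
    guildhouse_governance:
      # External plugin binary; same path-permission and plugin_checksum
      # advice as for the KeyManager plugin applies.
      # plugin_checksum: "<sha256-of-plugin-binary>"
      plugin_cmd: /opt/spire/plugins/governance-notifier
      plugin_data:
        governance_addr: governance.quartermaster.svc.cluster.local:50051
        ceremony_addr: ceremony.bascule.svc.cluster.local:50052
        notary_addr: notary.quartermaster.svc.cluster.local:50051
        cluster_id: guildhouse-prod
        trust_domain: guildhouse.example.org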