# Talos Configuration
# Copy this file to config.toml and customize for your environment.
#
# All settings have sensible defaults. You only need to specify
# values you want to override.
#
# Environment variables take precedence over this file:
# - TALOS_SERVER_HOST, TALOS_SERVER_PORT
# - TALOS_DATABASE_URL, TALOS_DATABASE_TYPE
# - TALOS_LICENSE_KEY_PREFIX
# - TALOS_LOG_LEVEL, TALOS_LOGGING_ENABLED
# - TALOS_AUTH_ENABLED, TALOS_JWT_SECRET
# - See .env.example for the full list
# =============================================================================
# Server Configuration
# =============================================================================
[server]
# Host address to bind to (default: "127.0.0.1")
# Use "0.0.0.0" to listen on all interfaces (required for Docker)
# NOTE: binding to all interfaces makes every endpoint, including the
# /api/v1/* admin endpoints, reachable from any network the host is attached
# to. Before switching to "0.0.0.0", turn on [auth].enabled and/or set
# [admin].ip_whitelist, and publish the container port only where it is needed.
host = "127.0.0.1"
# Port to listen on (default: 8080)
# NOTE(review): no TLS setting appears in this file; presumably TLS is
# terminated by a reverse proxy in front of the server - confirm before
# sending license keys or JWTs over an untrusted network.
port = 8080
# Heartbeat interval in seconds (default: 60)
# Clients should send heartbeats at this interval to confirm they're still active
heartbeat_interval = 60
# =============================================================================
# License Key Configuration
# =============================================================================
[license]
# Prefix for generated license keys (default: "LIC")
# Example: "LIC" -> "LIC-A1B2-C3D4-E5F6-G7H8"
# Customize this per product: "MYAPP", "PRO", etc.
# The prefix is a fixed, visible label and adds nothing to how hard a key is
# to guess; only the generated segments below do.
key_prefix = "LIC"
# Number of segments in the license key (default: 4)
# With the defaults a key carries key_segments * key_segment_length = 16
# generated characters. Lowering either value shrinks the key space and makes
# guessing valid keys easier, so keep the defaults or raise them, and keep
# [rate_limit] enabled on the validate endpoint.
# NOTE(review): the character set and random source used for the segments are
# not shown here - confirm a cryptographically secure generator is used.
key_segments = 4
# Characters per segment (default: 4)
key_segment_length = 4
# =============================================================================
# Database Configuration
# =============================================================================
[database]
# Database type: "sqlite" or "postgres" (default: "sqlite")
db_type = "sqlite"
# SQLite connection URL (used when db_type = "sqlite")
# For file-based: sqlite://talos.db or sqlite:///absolute/path/talos.db
# For in-memory: sqlite::memory:
# The database file holds the license records: give it restrictive file
# permissions and include it in backups. An in-memory database is discarded
# when the process exits, so use it for tests only.
sqlite_url = "sqlite://talos.db"
# PostgreSQL connection URL (used when db_type = "postgres")
# Format: postgres://username:password@host:port/database
# The URL embeds the database password. "secretpassword" below is a
# placeholder; never keep it. Prefer supplying the real URL through the
# TALOS_DATABASE_URL environment variable (it takes precedence over this file)
# so the credential is not stored in a file that may be committed or copied.
# NOTE(review): for a database on another host, confirm the connection is
# encrypted (for example an sslmode parameter in the URL, if the driver in use
# supports it).
# postgres_url = "postgres://talos:secretpassword@localhost:5432/talos"
# =============================================================================
# Logging Configuration
# =============================================================================
[logging]
# Enable logging (default: false)
# This template overrides the default and turns logging on. Keep it on in
# production: without logs, failed validations and admin activity cannot be
# investigated after the fact.
enabled = true
# Log level: trace, debug, info, warn, error (default: "info")
# NOTE(review): what the trace and debug levels emit is not shown here; check
# that they do not write license keys, JWTs or database URLs to the log before
# using them outside development.
level = "info"
# =============================================================================
# JWT Authentication (requires "jwt-auth" feature)
# =============================================================================
[auth]
# Enable JWT authentication for admin API endpoints (default: false)
# When enabled, all /api/v1/* admin endpoints require a valid JWT token
# While this is false the admin endpoints do not require a token. Leave it
# disabled only for local development with [server].host = "127.0.0.1"; on any
# reachable deployment enable it, and treat [admin].ip_whitelist as an
# additional layer rather than a substitute.
enabled = false
# JWT secret key for signing/validating tokens
# IMPORTANT: Use a strong, random secret in production (minimum 32 characters)
# Can use "env:TALOS_JWT_SECRET" to read from environment variable
# Anyone who learns this value can sign tokens the server will accept, so
# generate it with a cryptographically secure random source, prefer the
# "env:TALOS_JWT_SECRET" form over a literal in this file, and rotate it if
# the file or environment is ever exposed.
# NOTE(review): the behaviour with enabled = true and an empty secret is not
# shown here - confirm the server refuses to start in that case.
jwt_secret = ""
# JWT issuer claim (iss) - identifies who issued the token
# NOTE(review): presumably tokens whose iss/aud differ from these values are
# rejected - confirm that both claims are checked during validation.
jwt_issuer = "talos"
# JWT audience claim (aud) - identifies intended recipients
jwt_audience = "talos-api"
# Token expiration time in seconds (default: 3600 = 1 hour)
# A shorter lifetime limits how long a leaked token stays usable.
# NOTE(review): no revocation mechanism is visible in this file, so expiry may
# be the only way a token stops working - confirm.
token_expiration_secs = 3600
# =============================================================================
# Rate Limiting (requires "rate-limiting" feature)
# =============================================================================
[rate_limit]
# Enable rate limiting for public client endpoints (default: true)
# These endpoints are reachable without admin credentials, so this limiter is
# the main brake on repeated guessing of license keys. Keep it enabled.
# NOTE(review): what a limit is counted against (client IP, license key, or a
# global counter) is not stated here. If it is the client IP and that IP is
# taken from X-Forwarded-For / X-Real-IP, the reverse-proxy caveat in [admin]
# applies to these limits as well - confirm.
enabled = true
# Requests per minute for /api/v1/client/validate endpoint
validate_rpm = 100
# Requests per minute for /api/v1/client/heartbeat endpoint
# Keep this above the request rate implied by [server].heartbeat_interval so
# legitimate clients are not throttled.
heartbeat_rpm = 60
# Requests per minute for /api/v1/client/bind and /release endpoints
bind_rpm = 10
# Burst size - allows short bursts above the limit
burst_size = 5
# =============================================================================
# Admin API Security
# =============================================================================
[admin]
# IP whitelist for admin API access (default: empty = allow all)
#
# When non-empty, only requests from these IPs/CIDRs can access admin endpoints.
# Supports individual IPs and CIDR notation for network ranges.
#
# With the empty default no IP restriction is applied. If [auth].enabled is
# also false, the admin endpoints are open to every client that can reach the
# server, so set at least one of the two before exposing the service.
#
# Example configurations:
# - Localhost only: ip_whitelist = ["127.0.0.1", "::1"]
# - Internal network: ip_whitelist = ["10.0.0.0/8", "192.168.0.0/16"]
# - Specific servers: ip_whitelist = ["10.0.1.5", "10.0.1.6"]
#
# IMPORTANT: When behind a reverse proxy, ensure X-Forwarded-For or X-Real-IP
# headers are set correctly, as the middleware uses these to determine client IP.
# These headers are ordinary request headers: unless the proxy overwrites them,
# the value comes from the client. Configure the proxy to replace (not append
# to) any client-supplied value, and make sure the server can only be reached
# through the proxy; otherwise the whitelist does not reflect the real peer.
# NOTE(review): whether the middleware falls back to the socket peer address
# when the headers are absent, and whether it can be limited to trusted proxy
# addresses, is not shown here - confirm.
ip_whitelist = []
# Enable audit logging for admin actions (default: false)
# When enabled, logs all admin API actions with user/token ID
# Recommended in production so that license changes can be attributed to a
# token during an investigation.
# NOTE(review): where audit entries are written, and whether they depend on
# [logging].enabled, is not shown here - confirm.
audit_logging = false
# =============================================================================
# Tier Configuration
# =============================================================================
# Define your license tiers here. Tiers are OPTIONAL - if you don't need
# tiered features, you can omit this entire section.
#
# Each tier has:
# - features: List of feature strings enabled for this tier
# - bandwidth_gb: Reference value for bandwidth allocation (see note below)
#
# IMPORTANT: Tier config is REFERENCE DATA ONLY
# -------------------------------------------------
# The bandwidth_gb value here is NOT automatically enforced or copied to
# licenses. Actual bandwidth tracking is done via the Admin API:
# PATCH /api/v1/licenses/{id}/usage
#
# Your application is responsible for:
# 1. Tracking actual bandwidth usage
# 2. Calling the Admin API to update usage values
# 3. Deciding what to do when limits are exceeded
#
# Features are arbitrary strings - define whatever makes sense for your app.
# Common patterns:
# - "basic", "advanced", "premium" for feature levels
# - "api", "export", "analytics" for specific capabilities
# - "relay", "sync", "backup" for service features
#
# Example tiers (customize for your product):
# Each [tiers.<name>] table below defines one tier. The feature strings are
# what a license of that tier is entitled to; as described in the section
# header above, bandwidth_gb is reference data and is not enforced by the server.
# NOTE(review): how the feature list reaches client applications is not shown
# here; clients should presumably take entitlements from the server's response
# rather than from a local copy of this file - confirm.
[tiers.free]
features = []
# bandwidth_gb is omitted: the free tier has no bandwidth-related features
[tiers.starter]
features = ["basic", "export"]
bandwidth_gb = 100 # Reference: 100 GB allocation
[tiers.pro]
features = ["basic", "export", "advanced", "api"]
bandwidth_gb = 500 # Reference: 500 GB allocation
[tiers.team]
features = ["basic", "export", "advanced", "api", "premium"]
bandwidth_gb = 2000 # Reference: 2 TB allocation
[tiers.enterprise]
features = ["basic", "export", "advanced", "api", "premium", "white_label"]
# Enterprise: Custom/unlimited bandwidth (negotiate per customer)
# bandwidth_gb is omitted here for that reason.