apiVersion: v1
kind: ConfigMap
metadata:
  name: tuwunel-config
  namespace: matrix
data:
  tuwunel.toml: |
    [global]
    server_name = "sunbeam.pt"
    database_path = "/data"
    address = "0.0.0.0"
    port = 6167
    max_request_size = 104857600
    allow_registration = false
    allow_guest_registration = false
    login_with_password = false
    single_sso = true
    allow_encryption = true

    # Search — OpenSearch with hybrid neural search
    search_backend = "opensearch"
    search_opensearch_url = "http://opensearch.data.svc.cluster.local:9200"
    search_opensearch_index = "tuwunel_messages"
    search_opensearch_hybrid = true
    # model_id is injected via TUWUNEL_SEARCH_OPENSEARCH_MODEL_ID env var
    # (set by sunbeam CLI post-apply hook from OpenSearch ML state)
    search_opensearch_embedding_dim = 768
    search_opensearch_pipeline = "tuwunel_embedding_pipeline"
    search_opensearch_batch_size = 100
    search_opensearch_flush_interval_ms = 1000

    # TURN via LiveKit's built-in TURN server
    turn_uris = ["turn:meet.DOMAIN_SUFFIX:3478?transport=udp", "turns:meet.DOMAIN_SUFFIX:5349?transport=tcp"]
    turn_secret = ""

    # Well-known delegation
    [global.well_known]
    client = "https://messages.DOMAIN_SUFFIX"
    server = "messages.DOMAIN_SUFFIX:443"
    livekit_url = "wss://livekit.DOMAIN_SUFFIX"

    # OIDC via Ory Hydra — identity_provider is configured entirely
    # via env vars because client_id/client_secret are injected from
    # the hydra-maester-managed oidc-tuwunel Secret.