# TLS config file
# We require client certs and pull the user from the cert itself.

listen: 127.0.0.1:9333

tls {
  # Server cert
  cert_file: "./configs/certs/server-cert.pem"
  # Server private key
  key_file:  "./configs/certs/server-key.pem"
  # Specified time for handshake to complete
  timeout: 2
  # Optional certificate authority for clients
  ca_file:   "./configs/certs/ca.pem"
  # Require a client certificate and map user id from certificate
  verify_and_map: true
}

# User authenticated from above in certificate.
authorization {
  users = [
    {user: derek@nats.io, permissions: { publish:"foo" }}
  ]
}