# Example: IIIF Auth 2.0 — kiosk pattern
#
# Automatic, no-UI access for clients whose IP is on a configured
# allowlist. The viewer loads the login URL in an iframe; iiiris
# checks the originating IP against `allowed_ips` and either mints a
# session silently or returns 401.
#
# Typical use cases:
#   - Reading-room terminals on a known subnet
#   - Managed kiosks at a specific IP
#   - Conference / event networks
#
# Note: when iiirisd is behind a reverse proxy (nginx, Traefik, CDN),
# the client IP arrives via X-Forwarded-For. iiiris only honors that
# header from the CIDRs listed in `trusted_proxies` — without that
# allowlist a kiosk request would be matched against the proxy's IP,
# not the actual client.

server:
  addr: ":8080"

sources:
  filesystem:
    root: /var/iiiris/images

auth:
  profiles:
    reading-room-terminal:
      pattern: kiosk
      label:
        en: ["Reading Room Terminal"]
      access_service:
        backend: builtin
      kiosk:
        allowed_ips:
          - 10.1.50.0/24        # the reading-room subnet
          - 10.1.51.42          # a specific kiosk
          - 2001:db8:1::/48     # IPv6 also supported
      session_ttl: 12h
      token_ttl: 10m

  rules:
    - match: "kiosk-only/*"
      profile: reading-room-terminal

  cors:
    token_origins:
      - https://viewer.example.org

  # The reverse-proxy CIDRs whose X-Forwarded-For iiiris honors. Set
  # to the network address of nginx / Traefik / your ingress —
  # without this, the kiosk match runs against the proxy's IP, not
  # the user's.
  trusted_proxies:
    - 10.0.0.0/8       # private RFC1918 — typical for a same-LAN proxy
    - 192.168.0.0/16
