Config Reference

Complete config.toml schema with all fields, types, and defaults

merod init defaults

Running merod init generates a config.toml with these CLI-controllable defaults:

# Generate default config
merod --home ~/.calimero --node my-node init

# All flags and their defaults:
--home ~/.calimero                  # base directory for data + config
--node (required)                   # human-readable node name
--swarm-port 2428                   # libp2p swarm listen port
--server-port 2528                  # HTTP API listen port
--server-host 127.0.0.1             # HTTP API listen host
--mdns true                         # enable mDNS discovery
--protocol /calimero/devnet/global  # rendezvous namespace
--boot-nodes []                     # bootstrap multiaddrs
--mock-tee false                    # enable mock TEE/attestation (dev/test only — refused when real KMS attestation is configured)

Top-Level Structure

# config.toml — Top-level sections
[identity]          # libp2p Ed25519 keypair (namespace identities are per root group in the datastore)
[swarm]             # libp2p listen addresses
[bootstrap]         # bootstrap node list
[discovery]         # mDNS, rendezvous, relay, autonat
[server]            # HTTP server config (listen, admin, jsonrpc, ws, sse, auth)
[sync]              # sync timeouts and intervals
[datastore]         # RocksDB data path
[blobstore]         # blob storage path
[context]           # context client config
[tee.kms.phala]     # optional TEE/KMS config (nested under [tee.kms])
[specialized_node]  # specialized node settings

[identity] — Node Identity

Ed25519 keypair for the node. Generated automatically on merod init.

Rust type: IdentityConfig
Field | Type | Default | Description
mode | String | "Standard" | Node operation mode. Standard for full participation, ReadOnly for read-only sync.
secret_key | String (hex) | (generated) | Ed25519 secret key in hex. Auto-generated on init; never commit to source control.
(removed) | - | - | Group/namespace identities are now auto-generated per namespace and stored in the datastore (not in config). See Namespaces.

[identity]
mode = "Standard"
secret_key = "a1b2c3...hex..."

[swarm] — libp2p Swarm

Multiaddrs the libp2p swarm listens on for peer connections.

Rust type: SwarmConfig
Field | Type | Default | Description
listen | Vec<Multiaddr> | (see below) | Array of multiaddrs to listen on. Supports TCP and QUIC transports.

[swarm]
listen = [
  "/ip4/0.0.0.0/tcp/2428",
  "/ip4/0.0.0.0/udp/2428/quic-v1"
]

[bootstrap] — Bootstrap Nodes

List of bootstrap peers to connect to on startup for peer discovery.

Rust type: BootstrapConfig
Field | Type | Default | Description
nodes | Vec<Multiaddr> | [] | Multiaddrs of bootstrap peers (e.g., /ip4/1.2.3.4/tcp/2428/p2p/12D3...).

[bootstrap]
nodes = [
  "/ip4/35.123.45.67/tcp/2428/p2p/12D3KooW..."
]

[discovery] — Peer Discovery

Configures mDNS, rendezvous, relay circuit, autonat, and address advertisement.

Rust type: DiscoveryConfig
Field | Type | Default | Description
mdns | bool | true | Enable mDNS for local network peer discovery.
advertise_address | bool | false | Whether to advertise external addresses to the network.

[discovery.rendezvous]

Field | Type | Default | Description
namespace | String | "/calimero/devnet/global" | Rendezvous namespace for peer discovery grouping.
registrations_limit | usize | 3 | Max concurrent rendezvous registrations.

[discovery.relay]

Field | Type | Default | Description
registrations_limit | usize | 3 | Max concurrent relay circuit registrations.

[discovery.autonat]

Field | Type | Default | Description
probe_interval | Duration | 10s | Interval between autonat probes for NAT detection.
max_candidates | usize | 5 | Maximum number of autonat probe candidates.

[discovery]
mdns = true
advertise_address = false

[discovery.rendezvous]
namespace = "/calimero/devnet/global"
registrations_limit = 3

[discovery.relay]
registrations_limit = 3

[discovery.autonat]
probe_interval = "10s"
max_candidates = 5

[server] — HTTP Server

HTTP/WebSocket/SSE API server for meroctl and external clients.

Rust type: ServerConfig
Field | Type | Default | Description
listen | Vec<Multiaddr> | ["/ip4/127.0.0.1/tcp/2528"] | Multiaddrs for the HTTP API server to listen on.
auth_mode | String | "Proxy" | Auth mode: Proxy (trust upstream headers) or Embedded (built-in JWT auth).
admin | AdminConfig | (enabled) | Admin API endpoint configuration.
jsonrpc | JsonRpcConfig | (enabled) | JSON-RPC endpoint configuration for application calls.
websocket | WsConfig | (enabled) | WebSocket endpoint for real-time event subscriptions.
sse | SseConfig | (enabled) | Server-Sent Events endpoint for event streaming.

[server.embedded_auth]

Embedded authentication settings (used when auth_mode = "Embedded").

Field | Type | Default | Description
jwt_secret | Option<String> | (generated) | HMAC secret for signing JWT tokens. Auto-generated if not set.
jwt_expiry_secs | u64 | 86400 | JWT token expiry in seconds (default: 24 hours).
refresh_expiry_secs | u64 | 604800 | Refresh token expiry in seconds (default: 7 days).
storage | String | "rocksdb" | Token storage backend: rocksdb or memory.
cors_origins | Vec<String> | ["*"] | Allowed CORS origins for the auth endpoints.
secure_cookies | bool | false | Send cookies with the Secure flag (requires HTTPS).

[server]
listen = ["/ip4/127.0.0.1/tcp/2528"]
auth_mode = "Proxy"

# Embedded auth (when auth_mode = "Embedded")
[server.embedded_auth]
jwt_expiry_secs = 86400
refresh_expiry_secs = 604800
storage = "rocksdb"
cors_origins = ["*"]
secure_cookies = false

[sync] — Sync Engine

Timeouts and intervals for the state synchronization engine.

Rust type: SyncConfig
Field | Type | Default | Description
timeout_ms | u64 | 30000 | Maximum time in ms to wait for a sync response before timing out.
interval_ms | u64 | 5000 | Base interval in ms between sync rounds for a context.
frequency_ms | u64 | 10000 | Minimum ms between consecutive sync attempts for the same context.

[sync]
timeout_ms = 30000
interval_ms = 5000
frequency_ms = 10000

[datastore] — RocksDB Storage

Path for the RocksDB persistent storage engine.

Rust type: DataStoreConfig
Field | Type | Default | Description
path | PathBuf | "data" | Relative or absolute path to the RocksDB data directory.

[datastore]
path = "data"

[blobstore] — Blob Storage

Path for binary blob (WASM applications, large files) storage.

Rust type: BlobStoreConfig
Field | Type | Default | Description
path | PathBuf | "blobs" | Relative or absolute path to the blob storage directory.

[blobstore]
path = "blobs"

[context] — Context Client

Configuration for the context management subsystem.

Rust type: ContextConfig
Field | Type | Default | Description
client | ContextClientConfig | (default) | Context client connection and retry settings.

[context]
# Uses defaults — typically no manual configuration needed

[tee.kms.phala] — TEE / KMS

Optional Trusted Execution Environment and Key Management Service configuration. Only nodes with a [tee] section perform the KMS key-fetch and attestation flow at startup; other nodes use libp2p as usual without KMS. The section is nested: [tee] contains [tee.kms], which contains the provider block [tee.kms.phala] (Phala Cloud KMS / mero-kms-phala is currently the only provider). There is no flat enabled / kms_url key — presence of the [tee] block enables TEE mode, and the endpoint is tee.kms.phala.url. See TEE Mode for the full startup flow.

Rust type: TeeConfig / KmsConfig / PhalaKmsConfig (defined in crates/config/src/lib.rs; consumed by crates/merod/src/kms/mod.rs)

merod run --mock-tee

Dev/test only. Pass --mock-tee (or set MEROD_MOCK_TEE=1) to merod run to make the fleet-join and attest handlers produce and accept mock attestation quotes without real TDX hardware. merod will refuse to start (bail!) if the node's [tee.kms.phala.attestation] has real attestation configured (TeeConfig::has_real_attestation returns true). A loud warning is emitted on startup whenever --mock-tee is active; an additional warning fires if a Phala KMS provider is configured but real attestation is disabled (likely misconfiguration). The flag is threaded from NodeConfig::mock_tee to AdminState::mock_tee at runtime and is never persisted to config.toml. Never use in production.

[tee.kms.phala]

Field | Type | Default | Description
url | Url | (required) | URL of the mero-kms-phala service (the KMS endpoint). Required when the [tee] block is present.

[tee.kms.phala.attestation]

KMS self-attestation verification policy (verified via POST /attest before key requests).

Field | Type | Default | Description
enabled | bool | false | Enable KMS attestation verification before requesting keys.
accept_mock | bool | false | Accept mock attestation quotes. Development/testing only — bypasses real attestation guarantees. When accept_mock = false (or enabled = true with real measurement values), TeeConfig::has_real_attestation returns true and merod run --mock-tee will be refused at startup.
allowed_tcb_statuses | Vec<String> | ["UpToDate"] | Allowed TCB statuses for KMS quote verification.
allowed_mrtd | Vec<String> | [] | Allowed KMS MRTD values (hex, with or without 0x prefix). Required when enabled=true and accept_mock=false.
allowed_rtmr0 | Vec<String> | [] | Allowed KMS RTMR0 values (hex). Required when enabled=true and accept_mock=false.
allowed_rtmr1 | Vec<String> | [] | Allowed KMS RTMR1 values (hex). Required when enabled=true and accept_mock=false.
allowed_rtmr2 | Vec<String> | [] | Allowed KMS RTMR2 values (hex). Required when enabled=true and accept_mock=false.
allowed_rtmr3 | Vec<String> | [] | Allowed KMS RTMR3 values (hex). Required when enabled=true and accept_mock=false.
binding_b64 | Option<String> | None | Optional base64-encoded 32-byte binding value for /attest. If unset, merod uses the default domain-separator binding.
policy_json_path | Option<Utf8PathBuf> | None | Optional absolute path to an externally generated attestation policy JSON (e.g. a signed mero-tee release policy). Must reside under /etc/calimero or /run/calimero. Its allowlists merge over the inline values above.

[tee.kms.phala.tls]

Optional TLS hardening for KMS transport. All paths must be absolute and point to existing PEM files; setting any TLS path requires tee.kms.phala.url to use https://.

Field | Type | Default | Description
ca_cert_path | Option<Utf8PathBuf> | None | PEM-encoded CA certificate path for private trust roots. Added to merod's trust store for KMS TLS.
client_cert_path | Option<Utf8PathBuf> | None | PEM-encoded client certificate path for mTLS. Must be set together with client_key_path.
client_key_path | Option<Utf8PathBuf> | None | PEM-encoded client private key path for mTLS. Must be set together with client_cert_path.

[tee.kms.phala]
url = "https://kms-host:8443/"

[tee.kms.phala.attestation]
enabled = true
accept_mock = false
allowed_tcb_statuses = ["UpToDate"]
allowed_mrtd = ["<trusted_kms_mrtd_hex>"]
allowed_rtmr0 = ["…"]
# allowed_rtmr1..3 similarly in production

[tee.kms.phala.tls]
# ca_cert_path = "/etc/calimero/kms-ca.pem"
# client_cert_path = "/etc/calimero/kms-client.pem"
# client_key_path = "/etc/calimero/kms-client.key"

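The invariants this section states (a [tee] block enabling TEE mode and requiring tee.kms.phala.url, the measurement allowlists required when enabled = true and accept_mock = false, the policy_json_path directory restriction, TLS paths being absolute and forcing https://, mTLS cert and key set together, and merod run --mock-tee being refused when real attestation is configured) as a checker that runs over a parsed config.toml. This is an added example, not merod's own code: the dict layout mirrors the TOML sections, and has_real_attestation is my reading of the rule documented above, not TeeConfig's implementation.

```python
from urllib.parse import urlparse

MEASUREMENTS = ("allowed_mrtd", "allowed_rtmr0", "allowed_rtmr1", "allowed_rtmr2", "allowed_rtmr3")
POLICY_DIRS = ("/etc/calimero/", "/run/calimero/")
TLS_KEYS = ("ca_cert_path", "client_cert_path", "client_key_path")

def has_real_attestation(tee: dict) -> bool:
    # Reading of the documented rule: accept_mock = false means real guarantees are expected.
    att = tee.get("kms", {}).get("phala", {}).get("attestation", {})
    return not att.get("accept_mock", False)

def validate_tee(cfg: dict, mock_tee: bool = False) -> list:
    # Returns the violated invariants; an empty list means the [tee] block is consistent.
    tee = cfg.get("tee")
    if tee is None:  # no [tee] block: plain libp2p node, the KMS flow is skipped entirely
        return []
    problems = []
    phala = tee.get("kms", {}).get("phala", {})
    url = phala.get("url")
    if not url:
        problems.append("tee.kms.phala.url is required when [tee] is present")
    att = phala.get("attestation", {})
    if att.get("enabled", False) and not att.get("accept_mock", False):
        for key in MEASUREMENTS:  # every measurement allowlist must be populated
            if not att.get(key):
                problems.append(f"attestation.{key} is required when enabled=true and accept_mock=false")
    policy = att.get("policy_json_path")
    if policy is not None and not policy.startswith(POLICY_DIRS):
        problems.append("attestation.policy_json_path must be under /etc/calimero or /run/calimero")
    tls = phala.get("tls", {})
    paths = {key: tls.get(key) for key in TLS_KEYS}
    for key, path in paths.items():
        if path is not None and not path.startswith("/"):
            problems.append(f"tls.{key} must be an absolute path")
    if any(paths.values()) and url and urlparse(url).scheme != "https":
        problems.append("any tls path requires tee.kms.phala.url to use https://")
    if (paths["client_cert_path"] is None) != (paths["client_key_path"] is None):
        problems.append("tls.client_cert_path and tls.client_key_path must be set together")
    if mock_tee and has_real_attestation(tee):  # this is where merod run --mock-tee bails
        problems.append("--mock-tee refused: real KMS attestation is configured")
    return problems

# Constructed sample: the production example above, as a parsed config.toml would look.
SAMPLE = {"tee": {"kms": {"phala": {
    "url": "https://kms-host:8443/",
    "attestation": {"enabled": True, "accept_mock": False, "allowed_tcb_statuses": ["UpToDate"],
                    "allowed_mrtd": ["<trusted_kms_mrtd_hex>"], "allowed_rtmr0": ["<rtmr0_hex>"],
                    "allowed_rtmr1": ["<rtmr1_hex>"], "allowed_rtmr2": ["<rtmr2_hex>"],
                    "allowed_rtmr3": ["<rtmr3_hex>"]},
    "tls": {"ca_cert_path": "/etc/calimero/kms-ca.pem"}}}}}
```

Feeding it the result of tomllib.load on a real config.toml (Python 3.11+) runs the same checks before the node is started.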
[specialized_node] — Specialized Node

Settings for specialized node roles (e.g., TEE nodes that handle key shares).

Field | Type | Default | Description
invite_topic | String | "mero_specialized_node_invites" | Gossipsub topic for receiving specialized node invitations.
accept_mock_tee | bool | false | Accept mock TEE attestations (for development/testing only).

[specialized_node]
invite_topic = "mero_specialized_node_invites"
accept_mock_tee = false

Complete Example

A typical production config.toml with commonly customized fields:

[identity]
mode = "Standard"

[swarm]
listen = [
  "/ip4/0.0.0.0/tcp/2428",
  "/ip4/0.0.0.0/udp/2428/quic-v1"
]

[bootstrap]
nodes = []

[discovery]
mdns = true
advertise_address = false

[discovery.rendezvous]
namespace = "/calimero/devnet/global"
registrations_limit = 3

[discovery.relay]
registrations_limit = 3

[discovery.autonat]
probe_interval = "10s"
max_candidates = 5

[server]
listen = ["/ip4/127.0.0.1/tcp/2528"]
auth_mode = "Proxy"

[sync]
timeout_ms = 30000
interval_ms = 5000
frequency_ms = 10000

[datastore]
path = "data"

[blobstore]
path = "blobs"

[specialized_node]
invite_topic = "mero_specialized_node_invites"
accept_mock_tee = false

Governance Migration

Guide for migrating between group governance modes.

Default Configuration

merod init --group-governance local

Local governance is the default (and only) governance mode. Group operations are signed locally and propagated via gossip.

Backup

Back up the node data directory (RocksDB store path in config.toml) regularly. The group_store contains all governance state and can be rebuilt from the persistent op log, but a backup provides faster recovery.