Configuration Reference
Maree-DB is configured via maree-db.toml. By default it is read from /etc/mareedb/maree-db.toml. Override with --config /path/to/file.toml.
[server]
| Key | Type | Default | Description |
|---|---|---|---|
| data_dir | string | "/var/lib/mareedb" | Directory where all data files, WAL, and snapshots are stored. |
| log_level | string | "info" | Log verbosity: trace, debug, info, warn, error. |
| log_file | string | "" | Path to log file. Empty string logs to stdout. |
| max_connections | integer | 1000 | Maximum simultaneous client connections across all wire protocols. |
| thread_pool_size | integer | 0 | Worker thread count. 0 = auto (one per logical CPU). |
| temp_dir | string | "/tmp/mareedb" | Temporary files (sort spills, large query intermediates). |
| profile | string | "standard" | Server profile: iot, standard, performance, enterprise. |
[storage]
| Key | Type | Default | Description |
|---|---|---|---|
| engine | string | "hybrid" | Storage engine: btree (OLTP), lsm (write-heavy), column (analytics), hybrid (automatic selection). |
| page_size | integer | 16384 | Page size in bytes. Must be a power of 2 between 4096 and 65536. Set at database creation and immutable thereafter. |
| wal_sync | string | "full" | WAL sync mode: full (fsync on each commit), buffered (OS-buffered, higher throughput, small crash window), none (benchmark only, not safe). |
| wal_segment_size_mb | integer | 64 | WAL segment file size in megabytes before rotation. |
| checkpoint_interval_secs | integer | 300 | Seconds between automatic WAL checkpoints. |
| compression | string | "lz4" | Data page compression: none, lz4. |
| encryption | bool | false | Enable AES-256-GCM encryption at rest. Requires encryption_key_path. |
| encryption_key_path | string | "" | Path to a 32-byte binary key file for encryption at rest. Generated with maree-db-cli keygen. |
[wire]
| Key | Type | Default | Description |
|---|---|---|---|
| mysql_port | integer | 3306 | MySQL 8.0 wire protocol port. Set to 0 to disable. |
| pg_port | integer | 5432 | PostgreSQL FE/BE protocol v3 port. Set to 0 to disable. |
| mssql_port | integer | 1433 | MS-TDS 7.4 (SQL Server) protocol port. Set to 0 to disable. |
| redis_port | integer | 6379 | Redis RESP3 protocol port. Set to 0 to disable. |
| rest_port | integer | 8080 | HTTP REST API port. Set to 0 to disable. |
| bind_address | string | "0.0.0.0" | Network address to bind all wire protocols. Use "127.0.0.1" for localhost-only. |
| tls_cert | string | "" | Path to PEM-encoded TLS certificate. Required to enable TLS. |
| tls_key | string | "" | Path to PEM-encoded TLS private key. |
| tls_min_version | string | "1.3" | Minimum TLS version: "1.2" or "1.3". TLS 1.0 and 1.1 are permanently disabled. |
[security]
| Key | Type | Default | Description |
|---|---|---|---|
| require_tls | bool | false | Reject all connections that do not use TLS. Recommended for production. |
| fortress_lock | bool | true | Enable Fortress Lock kernel-level security monitoring. Requires Linux. |
| fortress_lock_sensitivity | string | "medium" | Fortress Lock anomaly detection sensitivity: low, medium, high. |
| lockdown_webhook | string | "" | URL to POST a JSON payload when Fortress Lock triggers lockdown. |
| max_failed_logins | integer | 5 | Failed login attempts before the account is temporarily locked (10 minutes). |
| password_min_length | integer | 12 | Minimum password length enforced at account creation. |
[tamperlock]
| Key | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable TamperLock cryptographic integrity chain on all committed transactions. |
| signing_key | string | "" | Path to Ed25519 private key for signing forensic audit reports. Generated with maree-db-cli keygen --type ed25519. If empty, auto-generated on first start. |
| verify_on_start | bool | true | Verify the entire chain integrity on server startup. Adds a few seconds on very large databases. |
| retention_days | integer | 2555 | Number of days to retain chain history (default: 7 years). Chain older than this is archived, not deleted. |
[cache]
| Key | Type | Default | Description |
|---|---|---|---|
| buffer_pool_mb | integer | 0 | Buffer pool size in MB. 0 = auto (50% of available RAM). Increasing this is the single most impactful tuning parameter. |
| query_cache_mb | integer | 256 | Query result cache size in MB. Results of identical read queries are cached until data changes. |
| connection_pool_size | integer | 100 | Internal connection pool for cross-model query planning. |
[cluster]
| Key | Type | Default | Description |
|---|---|---|---|
| enabled | bool | false | Enable clustering mode. Requires Enterprise licence. |
| node_id | string | "" | Unique node identifier within the cluster. Auto-generated from hostname if empty. |
| peers | array | [] | List of peer node addresses: ["192.168.1.2:7001", "192.168.1.3:7001"]. |
| consensus_port | integer | 7001 | Port for inter-node consensus protocol communication. |
| bft_mode | bool | false | Enable Byzantine fault tolerant consensus. Requires minimum 7 nodes (tolerates 2 Byzantine faults). Uses standard CFT consensus for 3-node clusters. |
| auto_discover | bool | false | Enable automatic peer discovery via mDNS on the local subnet. |
| replication_factor | integer | 3 | Number of replicas to maintain for each data partition. |
[compliance]
| Key | Type | Default | Description |
|---|---|---|---|
| gdpr_enabled | bool | false | Enable GDPR compliance functions (mareedb_gdpr_erase, mareedb_gdpr_report, etc.) and PII column tagging. |
| hipaa_enabled | bool | false | Enable HIPAA audit trail and mareedb_hipaa_access_report function. |
| pci_enabled | bool | false | Enable PCI-DSS tokenisation (mareedb_pci_tokenise, mareedb_pci_detokenise). |
| data_residency | string | "" | Declared data residency region for APP 8 (Australian Privacy Act) reporting. Example: "AU-TAS". |
| audit_log_path | string | "" | Path to write compliance audit log. Empty = disabled. All compliance function calls are always logged to TamperLock regardless. |
[metrics]
| Key | Type | Default | Description |
|---|---|---|---|
| enabled | bool | true | Enable Prometheus-compatible metrics endpoint. |
| port | integer | 9090 | Port for the /metrics HTTP endpoint. |
| bind_address | string | "127.0.0.1" | Metrics endpoint bind address. Defaults to localhost for security. |
Full Configuration Example
A complete maree-db.toml for a production single-node Professional deployment:
```toml
[server]
data_dir = "/var/lib/mareedb"
log_level = "info"
log_file = "/var/log/mareedb/server.log"
max_connections = 500
profile = "performance"

[storage]
engine = "hybrid"
page_size = 16384
wal_sync = "full"
compression = "lz4"
encryption = true
encryption_key_path = "/etc/mareedb/keys/data.key"

[wire]
bind_address = "0.0.0.0"
mysql_port = 3306
pg_port = 5432
redis_port = 6379
rest_port = 8080
tls_cert = "/etc/mareedb/tls/cert.pem"
tls_key = "/etc/mareedb/tls/key.pem"
tls_min_version = "1.3"

[security]
require_tls = true
fortress_lock = true
fortress_lock_sensitivity = "high"
lockdown_webhook = "https://alerts.example.com/mareedb-lockdown"
max_failed_logins = 3

[tamperlock]
enabled = true
signing_key = "/etc/mareedb/keys/tamperlock.ed25519"
retention_days = 2555

[cache]
buffer_pool_mb = 0 # auto: 50% of RAM
query_cache_mb = 512

[compliance]
gdpr_enabled = true
audit_log_path = "/var/log/mareedb/compliance.log"

[metrics]
enabled = true
port = 9090
bind_address = "127.0.0.1"
```