# ╔══════════════════════════════════════════════════════╗
# ║ Bascule SSH Proxy — Configuration Reference           ║
# ╚══════════════════════════════════════════════════════╝
#
# Commented-out keys show their default or an example value; uncomment
# a key to override it. A commented section header ([proxy], [container],
# ...) must be uncommented together with the keys beneath it.

# ─── Server ──────────────────────────────────────────────
# Listen address (default: 0.0.0.0:2222). 0.0.0.0 binds every interface;
# while [auth] mode is still "accept-all", "127.0.0.1:2222" keeps the
# proxy reachable only from the local host.
listen_addr = "0.0.0.0:2222"

# Path to host key. Auto-generated Ed25519 if not present.
# Keep this path on persistent storage: a key regenerated on a fresh
# deployment changes the server identity clients have pinned in known_hosts.
# host_key_path = "/var/lib/bascule/host_key"

# Maximum concurrent sessions (default: 0 → 10000 internal cap).
# An explicit limit sized to the host stops a single client from
# exhausting PTYs (or containers, in container mode).
# max_sessions = 100

# Banner shown after authentication
# banner = "Welcome to Bascule."

# ─── Shell (Local PTY mode — default backend) ────────────
# Shell command to spawn (default: /bin/bash)
# shell_command = "/bin/bash"
# shell_args = ["--login"]

# ─── Authentication ──────────────────────────────────────
[auth]
# Auth mode: "accept-all" (DEV ONLY), "authorized-keys"
# As its name indicates, "accept-all" appears to admit any client without
# checking a key list (the author marks it DEV ONLY). Combined with a
# non-loopback listen_addr it exposes a shell to anyone who can reach the
# port, so switch to "authorized-keys" before other hosts can connect.
mode = "accept-all"

# For authorized-keys mode: file the proxy reads the permitted client
# public keys from. Keep it writable only by the administrator.
# authorized_keys_path = "/etc/bascule/keys"

# ─── Entra Agent ID (optional, --features agent-id) ─────
# audiences should list only the audience(s) issued for this proxy, so a
# token minted for another service is not accepted here. multi_tenant =
# false presumably limits accepted tokens to tenant_id — confirm before
# enabling it.
# [auth.agent_id]
# tenant_id = "your-entra-tenant-id"
# audiences = ["api://bascule-proxy"]
# multi_tenant = false

# ─── SPIFFE/SPIRE (config ready, runtime planned) ───────
# trust_bundle_path is the bundle used to verify workload identities;
# workload_api_socket is the local SPIRE agent socket.
# [auth.spiffe]
# trust_domain = "example.com"
# trust_bundle_path = "/run/spire/bundle/bundle.pem"
# workload_api_socket = "/run/spire/agent/sockets/agent.sock"

# ─── Remote Proxy Mode ───────────────────────────────────
# Uncomment to forward sessions to a remote SSH host.
# target_key_path is presumably the private key used for the upstream hop;
# keep it readable only by the proxy's service user.
# accept_target_host_key appears to decide whether an unknown or changed
# target host key is accepted. Leaving it false protects the upstream hop
# from a substituted target; confirm how the expected key is pinned when
# it is false.
# [proxy]
# target_host = "192.168.1.100"
# target_port = 22
# target_user = "deploy"
# target_key_path = "/path/to/key"
# accept_target_host_key = false

# ─── Container Mode ──────────────────────────────────────
# Uncomment to spawn ephemeral containers per session.
# hardened = true drops all capabilities and sets no-new-privileges (per
# the trailing comment); read_only_rootfs = false is the one hardening
# toggle left off in this example — enable it if the image tolerates it.
# network = "none" gives the tightest isolation when the shell needs no
# network access; "host" removes network isolation entirely.
# The example mount places kubeconfig credentials inside the session:
# readonly = true prevents modification but not use, so mount only the
# context the operator role needs.
# [container]
# runtime = "auto"                # auto | docker | podman | nerdctl
# image = "bascule-shell:k8s-ops"
# pull_policy = "if-not-present"  # always | if-not-present | never
# ephemeral = true                # destroy container on disconnect
# hardened = true                 # cap-drop ALL, no-new-privileges
# read_only_rootfs = false
# memory_limit = "512m"
# cpu_limit = "1.0"
# shell = "/bin/bash"
# user = "operator"
# network = "bridge"              # bridge | none | host
#
# [[container.mounts]]
# source = "/home/user/.kube"
# target = "/home/operator/.kube"
# readonly = true

# ─── Kubernetes Mode (config ready, runtime planned) ────
# Auto-detected in-cluster via downward API.
# [k8s]
# enabled = true
# shell_container = "shell"
# shell = "/bin/bash"

# ─── Dashboard / Management API ──────────────────────────
# Enabled by default with --features dashboard
# No authentication settings for the management API appear in this file.
# Until access control is confirmed, bind it to loopback ("127.0.0.1:9090")
# or restrict the port at the network layer instead of exposing it on
# every interface.
[dashboard]
enabled = true
listen = "0.0.0.0:9090"

# ─── Telemetry ───────────────────────────────────────────
# The example endpoint is plaintext OTLP to a local collector; if the
# collector is remote, prefer a TLS endpoint so session metadata is not
# sent in the clear.
# [telemetry]
# otlp_endpoint = "http://localhost:4317"
# service_name = "bascule"

# ─── Metrics (planned) ───────────────────────────────────
# The example port 9090 is the same port the dashboard listens on above;
# if metrics get a listener of their own, choose a distinct port.
# [metrics]
# enabled = true
# port = 9090