# Enterprise Mode Configuration
#
# Production enterprise deployment profile. The record below is checked
# against `contracts.ExecutionMode` (see the trailing `| ...` annotation),
# so any field added here must be accepted by that contract.
#
# Security review notes (values left as-is; confirm with the owners):
#   * Every container image is referenced by the mutable `:latest` tag.
#     For a profile described as "full security" the images should be
#     pinned to an immutable version tag or, better, a content digest
#     (`image@sha256:...`), otherwise what runs in the cluster can change
#     without any change to this file.
#   * `coredns` and `gitea` are pulled from public registries
#     (registry.k8s.io and the Docker Hub `gitea/gitea` short name) while
#     the project's own images come from harbor.enterprise.local. If the
#     intent is that only the internal registry is reachable from the
#     cluster, these two should be mirrored through Harbor as well.
#   * The mTLS key and the OCI token are read from fixed paths under
#     /etc/provisioning; whatever provisions those files should keep them
#     readable only by the service account that runs these components.

let contracts = import "./contracts.ncl" in
let oci_defaults = import "../oci_registry/defaults.ncl" in

{
  mode_name = "enterprise",
  description = "Production enterprise deployment with full security",

  # Client-side mTLS towards the control plane. `verify_server = true`
  # means the server certificate is checked against `ca_cert_path`.
  authentication = {
    auth_type = "mtls",
    mtls_config = {
      client_cert_path = "/etc/provisioning/certs/client.crt",
      client_key_path = "/etc/provisioning/certs/client.key",
      ca_cert_path = "/etc/provisioning/certs/ca.crt",
      verify_server = true,
    },
    # SSH keys are not kept on local disk in this mode.
    ssh_key_storage = "kms",
  },

  # All services run as Kubernetes deployments in this mode.
  services = {
    orchestrator = {
      deployment = "k8s",
      k8s_config = {
        namespace = "provisioning-system",
        deployment_name = "orchestrator",
        service_name = "orchestrator-svc",
        replicas = 3,
        # NOTE(review): mutable tag; pin to a version or digest for prod.
        image = "harbor.enterprise.local/provisioning/orchestrator:latest",
        # The orchestrator is the only service with explicit resource
        # requests/limits in this profile.
        resources = {
          cpu_request = "500m",
          cpu_limit = "2000m",
          memory_request = "1Gi",
          memory_limit = "4Gi",
        },
      },
    },

    control_center = {
      deployment = "k8s",
      k8s_config = {
        namespace = "provisioning-system",
        deployment_name = "control-center",
        service_name = "control-center-svc",
        replicas = 2,
        # NOTE(review): mutable tag; pin to a version or digest for prod.
        image = "harbor.enterprise.local/provisioning/control-center:latest",
      },
    },

    # Cluster DNS lives in kube-system and is exposed under the standard
    # `kube-dns` service name.
    coredns = {
      deployment = "k8s",
      k8s_config = {
        namespace = "kube-system",
        deployment_name = "coredns",
        service_name = "kube-dns",
        replicas = 2,
        # NOTE(review): public registry + `:latest`; consider mirroring
        # through harbor.enterprise.local and pinning.
        image = "registry.k8s.io/coredns/coredns:latest",
      },
    },

    gitea = {
      deployment = "k8s",
      k8s_config = {
        namespace = "provisioning-system",
        deployment_name = "gitea",
        service_name = "gitea-svc",
        replicas = 2,
        # NOTE(review): unqualified Docker Hub reference + `:latest`;
        # consider mirroring through harbor.enterprise.local and pinning.
        image = "gitea/gitea:latest",
      },
    },

    # Start from the shared remote-Harbor defaults and override the
    # endpoint, transport settings and namespace layout for production.
    oci_registry = oci_defaults.remote_harbor_registry & {
      endpoint = "harbor.enterprise.local",
      remote = {
        timeout = 60,
        retries = 5,
        verify_ssl = true,
      },
      namespaces = {
        extensions = "prod-extensions",
        kcl_packages = "prod-kcl",
        platform_images = "prod-platform",
        # NOTE(review): the only namespace without the `prod-` prefix;
        # verify this is intentional rather than a copy from another mode.
        test_images = "test-images",
      },
    },
  },

  # Extensions are fetched from the same Harbor instance over TLS with
  # certificate verification; the bearer token is read from disk.
  extensions = {
    source = "oci",
    oci_registry = {
      enabled = true,
      endpoint = "harbor.enterprise.local",
      namespace = "prod-extensions",
      auth_token_path = "/etc/provisioning/tokens/oci",
      tls_enabled = true,
      verify_ssl = true,
      cache_dir = "/var/cache/provisioning/oci",
    },
  },

  # Workspace handling is the strictest of the modes: distributed locking
  # via etcd and git integration are both mandatory.
  workspaces = {
    locking = "required",
    lock_provider = "etcd",
    git_integration = "required",
    isolation = "strict",
    max_workspaces_per_user = 3,
  },

  security = {
    encryption_at_rest = true,
    encryption_in_transit = true,
    dns_modification = "system",
    audit_logging = true,
    audit_log_path = "/var/log/provisioning/enterprise-audit.log",
    network_isolation = true,
  },

  # Per-user quotas followed by cluster-wide ceilings.
  resource_limits = {
    max_servers_per_user = 20,
    max_cpu_cores_per_user = 64,
    max_memory_gb_per_user = 256,
    max_storage_gb_per_user = 1000,
    max_total_servers = 500,
    max_total_cpu_cores = 2000,
    max_total_memory_gb = 8192,
  },
} | contracts.ExecutionMode