# Default configuration for Provisioning System
# This file provides default values for all configuration options
#
# Values written as "{{section.key}}" or "{{env.NAME}}" are placeholders. TOML
# itself performs no interpolation, so they are presumably expanded by the
# consuming loader - confirm the expansion rules there.

[core]
version = "1.0.0"
name = "provisioning"

[paths]
generate = "generate"
run_clusters = "clusters"
run_taskservs = "taskservs"
extensions = "{{paths.base}}/.provisioning-extensions"
infra = "{{paths.base}}/infra"
# NOTE(review): absolute path inside one user's home directory. Every
# "{{paths.base}}/..." value in this file hangs off it, including the SOPS
# config, the age key search path and the audit log. Presumably overridden per
# installation - confirm, otherwise those files resolve to a location that
# does not exist (or is owned by someone else) on other machines.
base = "/Users/Akasha/project-provisioning/provisioning"
kloud = "{{paths.base}}/infra"
providers = "{{paths.base}}/extensions/providers"
taskservs = "{{paths.base}}/extensions/taskservs"
clusters = "{{paths.base}}/extensions/clusters"
workflows = "{{paths.base}}/extensions/workflows"
resources = "{{paths.base}}/resources"
templates = "{{paths.base}}/templates"
tools = "{{paths.base}}/tools"
core = "{{paths.base}}/core"

[paths.files]
defs = "defs.toml"
req_versions = "{{paths.core}}/versions.yaml"
vars = "{{paths.base}}/vars.yaml"
settings_file = "settings.k"
# NOTE(review): presumably holds key material - if so, keep it out of version
# control and readable by the owner only. Confirm against the consumer.
keys = "{{paths.base}}/keys.yaml"
requirements = "{{paths.base}}/requirements.yaml"
notify_icon = "{{paths.base}}/resources/icon.png"

[cache]
# Configuration Caching System
# Enable/disable cache for configuration loading operations
enabled = true
# Maximum cache size in bytes (100 MB default)
# Cache will clean up oldest entries when exceeded
max_cache_size = 104857600
# Path to runtime cache configuration (user-specific overrides)
runtime_config_path = "{{env.HOME}}/.provisioning/cache/config/settings.json"
# Version Caching (legacy, for version checking)
path = "{{paths.base}}/.cache/versions"
infra_cache = "{{paths.infra}}/{{infra.current}}/cache/versions"
grace_period = 86400 # 24 hours default
check_updates = false

[cache.ttl]
# Time-to-live (TTL) settings for different cache types
# Values in seconds
# Final merged configuration cache
# Short TTL (5 minutes) for safety - aggressive invalidation
final_config = 300
# KCL compilation cache
# Longer TTL (30 minutes) - KCL compilation is deterministic
kcl_compilation = 1800
# SOPS decryption cache
# Medium TTL (15 minutes) - balance between security and performance
# NOTE(review): if this cache stores decrypted SOPS output, plaintext secrets
# remain on disk under [cache.paths].base for up to this many seconds. Confirm
# that expired entries are actually deleted and that the [cache.security]
# modes are applied when the files are created, not afterwards.
sops_decryption = 900
# Provider configuration cache
# Standard TTL (10 minutes)
provider_config = 600
# Platform configuration cache
# Standard TTL (10 minutes)
platform_config = 600

[cache.paths]
# Cache directory structure
base = "{{env.HOME}}/.provisioning/cache/config"

[cache.security]
# Security settings for sensitive caches (SOPS, secrets, etc.)
# Modes are octal, stored as strings: 0600 = owner read/write only,
# 0700 = owner-only directory access.
# SOPS cache file permissions (must be 0600 for security)
sops_file_permissions = "0600"
# SOPS cache directory permissions (must be 0700)
sops_dir_permissions = "0700"

[cache.validation]
# Cache validation strictness
# Strict mtime validation: check all source files on cache hit
# When true: validates modification times of ALL source files
# When false: only checks TTL expiration
strict_mtime = true

[http]
use_curl = false # Use curl instead of nushell's http get for API calls

[infra]
current = "default" # Current infra context

[debug]
# Debug output is on by default; only [environments.prod] below turns it off.
enabled = true
metadata = false
check = false
remote = false
log_level = "info"
no_terminal = false
no_titles = false

[output]
file_viewer = "bat"
format = "yaml"

[sops]
use_sops = true
config_path = "{{paths.base}}/.sops.yaml"
# Locations searched for the age private key.
# NOTE(review): the first entry sits inside the project tree; an age private
# key there should be excluded from version control and restricted to the
# owner. "~" is not expanded by TOML - presumably the consumer expands it.
key_search_paths = [
    "{{paths.base}}/keys/age.txt",
    "~/.config/sops/age/keys.txt"
]

[taskservs]
run_path = "{{paths.base}}/run/taskservs"

[clusters]
run_path = "{{paths.base}}/run/clusters"

[generation]
dir_path = "{{paths.base}}/generated"
defs_file = "defs.toml"

# Environment-specific overrides
# NOTE(review): these tables override debug.* only. Nothing here tightens
# [security] or [security.bypass] for prod, so the defaults set in those
# tables apply to production too unless another config layer overrides them -
# confirm.
[environments.dev]
debug.enabled = true
debug.log_level = "debug"

[environments.test]
debug.check = true

[environments.prod]
debug.enabled = false
debug.log_level = "warn"

# Provider configurations
# The "auth" values are empty in these defaults. Presumably credentials are
# supplied by user/workspace configuration or SOPS - confirm, and do not fill
# them in here.
[providers]
default = "local"

[providers.aws]
api_url = ""
auth = ""
interface = "CLI" # API or CLI

[providers.upcloud]
api_url = "https://api.upcloud.com/1.3"
auth = ""
interface = "CLI" # API or CLI

[providers.local]
api_url = ""
auth = ""
interface = "CLI" # API or CLI

# Tool Detection and Plugin Configuration
[tools]
use_kcl = true
use_kcl_plugin = true
use_tera_plugin = true

# KCL Module Configuration
[kcl]
# Core provisioning schemas (local path for development)
core_module = "{{paths.base}}/kcl"
core_version = "0.0.1"
core_package_name = "provisioning_core"
# Dynamic module loading for extensions
use_module_loader = true
module_loader_path = "{{paths.core}}/cli/module-loader"
# Workspace KCL module directory
modules_dir = ".kcl-modules"

# Distribution Configuration
[distribution]
# Where to generate KCL packages
pack_path = "{{paths.base}}/distribution/packages"
registry_path = "{{paths.base}}/distribution/registry"
cache_path = "{{paths.base}}/distribution/cache"
# Registry type: local | oci | git
registry_type = "local"

# Package metadata
[distribution.metadata]
maintainer = "JesusPerezLorenzo"
repository = "https://repo.jesusperez.pro/provisioning"
license = "MIT"
homepage = "https://github.com/jesusperezlorenzo/provisioning"

# AI Integration Configuration
[ai]
enabled = false
provider = "openai"
# Empty by default. An API key is a secret: presumably it is meant to come
# from user configuration or SOPS rather than this defaults file - confirm.
api_key = ""
model = "gpt-4"
timeout = 30

# SSH Configuration
[ssh]
user = ""
# NOTE(review): these two options together disable host key verification.
# accept-new trusts a host key the first time it is seen and rejects a changed
# one, but with UserKnownHostsFile=/dev/null no key is ever remembered, so
# every connection treats the host as new and accepts whatever key it
# presents. A dedicated known_hosts file per workspace (or host keys obtained
# from the provider at creation time) would keep the protection accept-new is
# meant to give.
options = ["StrictHostKeyChecking=accept-new", "UserKnownHostsFile=/dev/null"]
timeout = 30
debug = false

# Extension System Configuration
[extensions]
path = ""
mode = "full"
profile = ""
# How empty "allowed" / "blocked" values are interpreted is not visible in
# this file - confirm against the extension loader.
allowed = ""
blocked = ""
custom_providers = ""
custom_taskservs = ""

# Key Management Service Configuration
[kms]
server = ""
auth_method = "certificate"
client_cert = ""
client_key = ""
ca_cert = ""
# api_token, username and password are credentials and are empty in these
# defaults; presumably they are supplied outside this file - confirm.
api_token = ""
username = ""
password = ""
timeout = 30
# Keep true: going by its name this controls TLS certificate verification for
# the KMS connection - confirm in the client code.
verify_ssl = true

# Security Configuration
[security]
# NOTE(review): authentication is off in these defaults; the commented-out
# line directly below carries the stricter value. Whether the two MFA
# requirements are still enforced while require_auth is false cannot be told
# from this file - confirm.
#require_auth = true # Require authentication for all operations
require_auth = false # Require authentication for all operations
require_mfa_for_production = true # Require MFA for production environment
require_mfa_for_destructive = true # Require MFA for delete/destroy operations
auth_timeout = 3600 # Authentication timeout in seconds (1 hour)
audit_log_path = "{{paths.base}}/logs/audit.log" # Path to audit log file

[security.bypass]
# NOTE(review): the trailing comment says "dev/test only", yet this is the
# default for every environment and [environments.prod] does not override it.
# Confirm that the PROVISIONING_SKIP_AUTH variable is ignored in production.
# allow_skip_auth = false # Allow PROVISIONING_SKIP_AUTH environment variable (dev/test only)
allow_skip_auth = true # Allow PROVISIONING_SKIP_AUTH environment variable (dev/test only)

# Plugin Configuration
[plugins]
auth_enabled = true # Enable nu_plugin_auth for authentication

# Platform Services Configuration
# Configuration per workspace in: workspace_name/config/platform/deployment.toml
# These are fallback defaults if workspace config not found
# NOTE(review): all three endpoints use plain http://. That is reasonable only
# while they point at localhost; control_center.url is used for authentication
# and [platform.kms] is a key-management endpoint, so a non-local value should
# use https://.
[platform.orchestrator]
endpoint = "http://localhost:9090/health"

[platform.control_center]
url = "http://localhost:3000" # Control Center URL for authentication

[platform.kms]
endpoint = "http://localhost:3001/health"