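# Infrastructure - OCI Registry Schema
# Defines type-safe OCI Registry configuration for Zot, Distribution, and Harbor
# Validates access policies, storage configuration, and TLS settings
#
# Enum tags are written consistently as 'tag with no closing quote. In Nickel a
# trailing ' is part of the identifier, so 'read' names the tag read' and is NOT
# the same as 'read; a default such as ['read'] would therefore fail an
# [| 'read, ... |] contract. Every tag below uses the bare 'tag form.
{
  # Supported registry backends
  RegistryBackend = [| 'Zot, 'Distribution, 'Harbor |],

  # TCP port contract shared by every listener below (1..65535).
  # Chained after Number so the predicate only ever sees a number.
  Port = std.contract.from_predicate (fun n => n > 0 && n < 65536),

  # TLS configuration
  # cert_path/key_path are only meaningful when enabled = true; a listener
  # with enabled = true and no paths will fail at registry start-up, not here.
  TLSConfig = {
    enabled | Bool | default = false,
    cert_path | String | optional,
    key_path | String | optional,
  },

  # Authentication configuration
  # htpasswd_path applies to 'basic; issuer/client_id apply to 'oidc.
  # 'none disables authentication entirely (anonymous read/write).
  AuthConfig = {
    method | [| 'none, 'basic, 'bearer, 'oidc |] | default = 'none,
    htpasswd_path | String | optional,
    issuer | String | optional,
    client_id | String | optional,
  },

  # Storage configuration
  StorageConfig = {
    path | String,
    backend | [| 'filesystem, 's3, 'azure |] | default = 'filesystem,
    dedupe | Bool | default = true,
    gc_enabled | Bool | default = true,
    # Duration string understood by the registry (e.g. "24h"); not validated here.
    gc_interval | String | default = "24h",
  },

  # Registry metrics configuration
  # The metrics listener has no auth of its own; bind it to an internal
  # address in production.
  MetricsConfig = {
    enabled | Bool | default = true,
    listen_address | String | default = ":5001",
    prometheus_path | String | default = "/metrics",
  },

  # Access control policy for namespaces
  # public = true grants anonymous access to the namespace; users lists the
  # principals granted the listed actions. Least privilege: default is read only.
  AccessPolicy = {
    namespace | String,
    public | Bool | default = false,
    users | Array String | default = [],
    actions | Array ([| 'read, 'create, 'update, 'delete |]) | default = ['read],
  },

  # Webhook notification
  Webhook = {
    url | String,
    events | Array ([| 'pull, 'push, 'delete |]) | default = ['push],
  },

  # Zot-specific configuration
  ZotConfig = {
    storage | StorageConfig,
    http = {
      # 0.0.0.0 binds every interface; restrict when the host is multi-homed.
      address | String | default = "0.0.0.0",
      port | Number | Port | default = 5000,
    },
    tls | TLSConfig | default = { enabled = false },
    auth | AuthConfig | default = { method = 'none },
    metrics | MetricsConfig | default = {
      enabled = true,
      listen_address = ":5001",
      prometheus_path = "/metrics",
    },
    access_control | Array AccessPolicy | default = [],
    webhooks | Array Webhook | default = [],
  },

  # Docker Distribution-specific configuration
  # Note: the default auth method is 'basic while tls defaults to disabled;
  # with that combination credentials travel in clear text unless TLS is
  # terminated in front of the registry.
  DistributionConfig = {
    storage | StorageConfig,
    http = {
      address | String | default = "0.0.0.0",
      port | Number | Port | default = 5000,
      tls | TLSConfig | default = { enabled = false },
    },
    auth | AuthConfig | default = { method = 'basic },
    notifications | Array Webhook | default = [],
  },

  # Harbor-specific configuration
  HarborConfig = {
    storage | StorageConfig,
    database = {
      host | String | default = "postgres",
      port | Number | Port | default = 5432,
      name | String | default = "harbor",
      username | String | doc "Database user",
    },
    http = {
      address | String | default = "0.0.0.0",
      port | Number | Port | default = 80,
    },
    https = {
      enabled | Bool | default = true,
      port | Number | Port | default = 443,
      cert_path | String | optional,
      key_path | String | optional,
    },
    admin = {
      username | String | default = "admin",
      # No default on purpose: the value must be supplied from a secret store.
      password | String | doc "Admin password (should use secrets)",
    },
    projects
      | Array {
        name | String,
        public | Bool | default = false,
        storage_quota | Number | optional,
      }
      | default = [],
  },

  # Complete OCI Registry configuration
  # Exactly one of zot/distribution/harbor is expected to be set, matching
  # backend; that correspondence is not enforced by this schema.
  RegistryConfig = {
    backend | RegistryBackend | default = 'Zot,
    zot | ZotConfig | optional,
    distribution | DistributionConfig | optional,
    harbor | HarborConfig | optional,
  },

  # Common registry presets by mode.
  # The presets are plain values; annotate with `| RegistryConfig` at the
  # point of use to have the contracts above checked.

  # Local single-user development only: no auth, no TLS, storage under /tmp
  # (world-writable, not persistent across reboots).
  soloRegistryPreset = {
    backend = 'Zot,
    zot = {
      storage = {
        path = "/tmp/zot-storage",
        backend = 'filesystem,
        dedupe = true,
        gc_enabled = true,
        gc_interval = "24h",
      },
      http = {
        address = "0.0.0.0",
        port = 5000,
      },
      tls = {
        enabled = false,
      },
      auth = {
        method = 'none,
      },
      metrics = {
        enabled = true,
        listen_address = ":5001",
        prometheus_path = "/metrics",
      },
      access_control = [],
      webhooks = [],
    },
  },

  # Shared instance: TLS on, htpasswd basic auth, no namespace policies yet
  # (access_control = [] means no per-namespace restrictions are declared).
  multiuserRegistryPreset = {
    backend = 'Zot,
    zot = {
      storage = {
        path = "/var/lib/zot-storage",
        backend = 'filesystem,
        dedupe = true,
        gc_enabled = true,
        gc_interval = "12h",
      },
      http = {
        address = "0.0.0.0",
        port = 5000,
      },
      tls = {
        enabled = true,
        cert_path = "/etc/zot/tls/cert.pem",
        key_path = "/etc/zot/tls/key.pem",
      },
      auth = {
        method = 'basic,
        htpasswd_path = "/etc/zot/auth/htpasswd",
      },
      metrics = {
        enabled = true,
        listen_address = ":5001",
        prometheus_path = "/metrics",
      },
      access_control = [],
      webhooks = [],
    },
  },

  # Harbor with S3 storage and HTTPS.
  enterpriseRegistryPreset = {
    backend = 'Harbor,
    harbor = {
      storage = {
        path = "/var/lib/harbor-storage",
        backend = 's3,
        dedupe = true,
        gc_enabled = true,
        gc_interval = "6h",
      },
      database = {
        host = "postgres",
        port = 5432,
        name = "harbor",
        username = "harbor",
      },
      http = {
        address = "0.0.0.0",
        port = 80,
      },
      https = {
        enabled = true,
        port = 443,
        cert_path = "/etc/harbor/tls/cert.pem",
        key_path = "/etc/harbor/tls/key.pem",
      },
      admin = {
        username = "admin",
        # Placeholder only. This preset must be merged with a secret-sourced
        # password before deployment; shipping "changeme" leaves the Harbor
        # admin account with a well-known credential.
        password = "changeme",
      },
      projects = [],
    },
  },
}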