# Multi-User Mode Configuration
# Team collaboration with shared services

let contracts = import "./contracts.ncl" in
let oci_defaults = import "../oci_registry/defaults.ncl" in

{
  mode_name = "multi-user",
  description = "Team collaboration with shared services",

  authentication = {
    auth_type = "token",
    token_config = {
      token_path = "~/.provisioning/tokens/auth",
      token_format = "jwt",
      expiry_seconds = 86400,
      refresh_enabled = true,
    },
    ssh_key_storage = "local",
  },

  services = {
    orchestrator = {
      deployment = "remote",
      remote_config = {
        endpoint = "orchestrator.company.local",
        port = 8080,
        tls_enabled = true,
        verify_ssl = true,
        timeout = 30,
        retries = 3,
      },
    },

    control_center = {
      deployment = "remote",
      remote_config = {
        endpoint = "control.company.local",
        port = 8081,
        tls_enabled = true,
      },
    },

    coredns = {
      deployment = "remote",
      remote_config = {
        endpoint = "dns.company.local",
        port = 53,
        tls_enabled = false,
      },
    },

    gitea = {
      deployment = "remote",
      remote_config = {
        endpoint = "git.company.local",
        port = 443,
        tls_enabled = true,
      },
    },

    oci_registry = oci_defaults.remote_harbor_registry & {
      endpoint = "harbor.company.local",
      namespaces = {
        extensions = "provisioning-extensions",
        kcl_packages = "provisioning-kcl",
        platform_images = "provisioning-platform",
        test_images = "provisioning-test",
      },
    },
  },

  extensions = {
    source = "oci",
    oci_registry = {
      enabled = true,
      endpoint = "harbor.company.local",
      namespace = "provisioning-extensions",
      auth_token_path = "~/.provisioning/tokens/oci",
      tls_enabled = true,
      verify_ssl = true,
      cache_dir = "~/.provisioning/oci-cache",
    },
  },

  workspaces = {
    locking = "enabled",
    lock_provider = "gitea",
    git_integration = "required",
    isolation = "user",
    max_workspaces_per_user = 5,
  },

  security = {
    encryption_at_rest = false,
    encryption_in_transit = true,
    dns_modification = "coredns",
    audit_logging = true,
    audit_log_path = "/var/log/provisioning/audit.log",
    network_isolation = false,
  },

  resource_limits = {
    max_servers_per_user = 10,
    max_cpu_cores_per_user = 32,
    max_memory_gb_per_user = 128,
    max_storage_gb_per_user = 500,
    max_total_servers = 100,
    max_total_cpu_cores = 320,
    max_total_memory_gb = 1024,
  },
}
| contracts.ExecutionMode