# Linux Patch API Configuration
# Example configuration file - copy to /etc/linux_patch_api/config.yaml
#
# The optional enrollment section below can hold a bearer-style token, and the
# tls section points at the server private key. Keep the deployed copy of this
# file and the key readable only by the service account.

# Server Configuration
server:
  # NOTE(review): a port is also set under tls; which one wins is not shown
  # in this file, so keep the two values identical.
  port: 12443
  # "0.0.0.0" listens on every IPv4 interface. On a multi-homed host, a
  # specific management address narrows exposure; access is otherwise left
  # to the whitelist and TLS/mTLS settings below.
  bind: "0.0.0.0"
  timeout_seconds: 30

# TLS/mTLS Configuration
tls:
  enabled: true
  port: 12443
  # Presumably the CA that client certificates are verified against for
  # mTLS - confirm against the service documentation.
  ca_cert: "/etc/linux_patch_api/certs/ca.pem"
  server_cert: "/etc/linux_patch_api/certs/server.pem"
  # Private key: restrict to the service account (for example mode 0600).
  server_key: "/etc/linux_patch_api/certs/server.key"
  # TLS 1.3 is the only supported version (hardcoded, not configurable)

# Job Configuration
jobs:
  max_concurrent: 5
  timeout_minutes: 30
  storage_path: "/var/lib/linux_patch_api/jobs"

# Logging Configuration
logging:
  level: "info"
  journal_enabled: true
  syslog_enabled: false
  # UDP syslog is unauthenticated, unencrypted and may drop messages; treat
  # a remote UDP target as best-effort when it carries audit records.
  # syslog_server: "udp://localhost:514"
  file_path: "/var/log/linux_patch_api/audit.log"
  # Check this against the audit-retention period your policy requires.
  retention_days: 30

# IP Whitelist Configuration
whitelist:
  path: "/etc/linux_patch_api/whitelist.yaml"
  # Entries can be:
  # - Individual IPs: "192.168.1.100"
  # - CIDR subnets: "192.168.1.0/24"
  # - Hostnames: "admin-server.internal"
  # Hostname entries depend on name resolution, so they are only as
  # trustworthy as the resolver; IP and CIDR entries avoid that dependency.
  # The whitelist file decides who may reach the API, so it should be
  # writable only by root or the service account.

# Package Manager Backend
package_manager:
  # Primary backend (auto-detected if not specified)
  # Options: apt, dnf, yum, apk, pacman
  backend: "auto"

# Enrollment Configuration (optional)
# Uncomment and configure for self-enrollment with linux_patch_manager
# enrollment:
#   # URL of the enrollment manager for polling status updates
#   # Keep this an https:// URL: the polling token travels with each request.
#   manager_url: "https://manager.example.com/enroll"
#   # Authentication token for enrollment polling requests
#   # Placeholder only - never commit a real token to version control.
#   polling_token: "your-enrollment-token-here"
#   # How often to poll the manager in seconds (default: 60)
#   polling_interval_seconds: 60
#   # Maximum number of polling attempts before giving up
#   # Default: 1440 (24 hours at 60s intervals = 86400 seconds total)
#   max_poll_attempts: 1440
#   # Network interface whose IPv4 address is reported to the manager.
#   # Overrides auto-detection when the wrong IP is selected
#   # (e.g., Docker bridge).
#   # Example: "eth0", "ens192", "enp0s3"
#   report_interface: "eth0"
#   # Explicit IPv4 address reported to the manager.
#   # Highest priority - overrides both report_interface and route-based
#   # selection.
#   # Useful when the host has multiple IPs or runs inside a container.
#   report_ip: "192.168.3.36"
#
# Route-based IP selection is enabled by default when manager_url is set.
# The agent resolves the manager hostname to an IP, then uses `ip route get`
# to determine which local source IP the kernel would use to reach the
# manager. This is the most accurate method for multi-homed hosts because it
# queries the kernel routing table directly.
# Priority order: report_ip > report_interface > route-based > auto-detect