# CIS490 lab-host — copy to /etc/cis490/lab-host.toml and edit.
#
# This config drives BOTH the orchestrator (which runs episodes) and
# the shipper (which uploads completed episodes to the central
# receiver over WG).
#
# Secrets: this file may hold bearer_token and names the mTLS private
# key, so keep the edited copy (and client_key) readable only by the
# service user (e.g. mode 0600) and never commit it back to the repo.

# Stable identity for this lab host. Used in the receiver path
# (/v1/episodes/<host_id>/...) and in the X-Lab-Host header. Pick
# something short, stable, and DNS-safe — letters, digits, _.- only.
# Because it becomes a URL path segment, never use "", "." or ".."
# (the receiver is expected to reject those — NOTE(review): confirm;
# do not rely on this comment as the only validation).
host_id = "REPLACE_ME"

[paths]
# Where the orchestrator writes episodes; the shipper presumably picks
# completed episodes up from here — confirm in the shipper.
data_root = "/var/lib/cis490/data"
# Sample store used during episodes (layout not defined here).
samples_store = "/var/lib/cis490/samples/store"
# Disk image for the episode VM (Metasploitable 2 in the canonical lab).
qcow_image = "/var/lib/cis490/vm/images/metasploitable2.qcow2"

[receiver]
# The receiver lives behind Caddy on the WG-side collector host. The
# hostname must resolve over WG (collector.wg in the canonical
# spectral lab). ca_bundle pins the Caddy root CA (bundled in the
# repo) so the shipper can verify the server's TLS cert. The wg-pki
# client CA (wg-ca.pem from the bootstrap tarball) is the RECEIVER's
# trust anchor for our client cert — we don't configure it here.
#
# Keep the scheme https: with http the pinned ca_bundle and client
# cert do nothing, and a bearer_token (if set) would cross in clear.
url = "https://collector.wg"
ca_bundle = "/opt/cis490/etc/caddy-root.crt"

# mTLS: leaf cert + private key issued by wg-pki for THIS host_id.
# Comment these out to fall back to bearer-token auth during early
# bring-up — in that case bearer_token must be set, or uploads will
# presumably be rejected as unauthenticated.
client_cert = "/etc/cis490/certs/lab-host.pem"
client_key = "/etc/cis490/certs/lab-host.key"

# Bearer is optional and only used if mTLS isn't yet configured. When
# both are set, mTLS does the actual authn and the bearer is a
# belt-and-suspenders check. If you enable it, use a per-host secret
# (not a value shared across lab hosts) and rotate it if this file is
# ever exposed.
# bearer_token = "REPLACE_ME_WITH_SECRET"

# Set to false ONLY for local-loopback dev against an unsigned cert.
# With verification off the shipper talks to whatever answers at url,
# so ca_bundle is presumably ignored and the bearer_token (if set) plus
# all episode data are exposed to anything that can intercept the
# path. When the key is omitted the shipper's own default applies
# (expected to be true — confirm in the shipper).
# verify_tls = true

[shipper]
# How often (seconds) the shipper looks for completed episodes to upload.
scan_interval_s = 5.0
# Per-request upload timeout (seconds).
request_timeout_s = 60.0

[episode]
# Phase durations in seconds. The names suggest the orchestrator runs
# baseline -> infected -> dormant in that order; confirm in the
# orchestrator before relying on it.
baseline_seconds = 30
infected_seconds = 90
dormant_seconds = 60

[retention]
# Local pruning of episode data. keep_local_for_days is a minimum age
# in days; prune_at_disk_pct is a disk-usage percentage (0-100) at
# which pruning starts. NOTE(review): confirm that pruning only
# touches episodes the shipper has already uploaded — otherwise a
# full disk silently loses data.
keep_local_for_days = 7
prune_at_disk_pct = 80