config

type ACME struct {
	// EnabledFlag is whether ACME should be enabled
	EnabledFlag string `yaml:"enabled,omitempty"`
	// Email is the email that will receive problems with certificate renewals
	Email string `yaml:"email,omitempty"`
	// URI is ACME server URI
	URI string `yaml:"uri,omitempty"`
}

type AWSKMS struct {
	// Account is the AWS account to use.
	Account string `yaml:"account"`
	// Region is the AWS region to use.
	Region string `yaml:"region"`
}

type AWSMatcher struct {
	// Types are AWS database types to match, "ec2", "rds", "redshift", "elasticache",
	// or "memorydb".
	Types []string `yaml:"types,omitempty"`
	// Regions are AWS regions to query for databases.
	Regions []string `yaml:"regions,omitempty"`
	// AssumeRoleARN is the AWS role to assume for database discovery.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is the AWS external ID to use when assuming a role for
	// database discovery in an external AWS account.
	ExternalID string `yaml:"external_id,omitempty"`
	// Tags are AWS tags to match.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// InstallParams sets the join method when installing on
	// discovered EC2 nodes
	InstallParams *InstallParams `yaml:"install,omitempty"`
	// SSM provides options to use when sending a document command to
	// an EC2 node
	SSM AWSSSM `yaml:"ssm,omitempty"`
}

type AWSSSM struct {
	// DocumentName is the name of the document to use when executing an
	// SSM command
	DocumentName string `yaml:"document_name,omitempty"`
}

type AccessGraph struct {
	// Enabled enables the AccessGraph service.
	Enabled bool `yaml:"enabled"`
	// Endpoint is the endpoint of the AccessGraph service.
	Endpoint string `yaml:"endpoint"`
	// CA is the path to the CA certificate for the AccessGraph service.
	CA string `yaml:"ca"`
	// Insecure is true if the AccessGraph service should not verify the CA.
	Insecure bool `yaml:"insecure"`
}

type AccessGraphAWSSync struct {
	// Regions are AWS regions to poll for resources.
	Regions []string `yaml:"regions,omitempty"`
	// AssumeRoleARN is the AWS role to assume for database discovery.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is the AWS external ID to use when assuming a role for
	// database discovery in an external AWS account.
	ExternalID string `yaml:"external_id,omitempty"`
}

type AccessGraphSync struct {
	// AWS is the AWS configuration for the AccessGraph Sync service.
	AWS []AccessGraphAWSSync `yaml:"aws,omitempty"`
}

type App struct {
	// Name of the application.
	Name string `yaml:"name"`

	// Description is an optional free-form app description.
	Description string `yaml:"description,omitempty"`

	// URI is the internal address of the application.
	URI string `yaml:"uri"`

	// Public address of the application. This is the address users will access
	// the application at.
	PublicAddr string `yaml:"public_addr"`

	// StaticLabels is a map of static labels to apply to this application.
	StaticLabels map[string]string `yaml:"labels,omitempty"`

	// DynamicLabels is a list of commands that generate dynamic labels
	// to apply to this application.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`

	// InsecureSkipVerify is used to skip validating the servers certificate.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`

	// Rewrite defines a block that is used to rewrite requests and responses.
	Rewrite *Rewrite `yaml:"rewrite,omitempty"`

	// AWS contains additional options for AWS applications.
	AWS *AppAWS `yaml:"aws,omitempty"`

	// Cloud identifies the cloud instance the app represents.
	Cloud string `yaml:"cloud,omitempty"`
}

type AppAWS struct {
	// ExternalID is the AWS External ID used when assuming roles in this app.
	ExternalID string `yaml:"external_id,omitempty"`
}

type Apps struct {
	// Service contains fields common to all services like "enabled" and
	// "listen_addr".
	Service `yaml:",inline"`

	// DebugApp turns on a header debugging application.
	DebugApp bool `yaml:"debug_app"`

	// Apps is a list of applications that will be run by this service.
	Apps []*App `yaml:"apps"`

	// ResourceMatchers match cluster application resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}

type AssistOptions struct {
	// OpenAI is a set of options related to the OpenAI assist backend.
	OpenAI *OpenAIOptions `yaml:"openai,omitempty"`
}

type Auth struct {
	Service `yaml:",inline"`

	// ProxyProtocol controls support for HAProxy PROXY protocol.
	// Possible values:
	// - 'on': one PROXY header is accepted and required per incoming connection.
	// - 'off': no PROXY headers are allows, otherwise connection is rejected.
	// If unspecified - one PROXY header is allowed, but not required. Connection is marked with source port set to 0
	// and IP pinning will not be allowed. It is supposed to be used only as default mode for test setups.
	// In production you should always explicitly set the mode based on your network setup - if you have L4 load balancer
	// with enabled PROXY protocol in front of Teleport you should set it to 'on', if you don't have it, set it to 'off'
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`

	// ClusterName is the name of the CA who manages this cluster
	ClusterName ClusterName `yaml:"cluster_name,omitempty"`

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	//
	// Each token string has the following format: "role1,role2,..:token",
	// for example: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo"
	StaticTokens StaticTokens `yaml:"tokens,omitempty"`

	// Authentication holds authentication configuration information like authentication
	// type, second factor type, specific connector information, etc.
	Authentication *AuthenticationConfig `yaml:"authentication,omitempty"`

	// SessionRecording determines where the session is recorded:
	// node, node-sync, proxy, proxy-sync, or off.
	SessionRecording string `yaml:"session_recording,omitempty"`

	// ProxyChecksHostKeys is used when the proxy is in recording mode and
	// determines if the proxy will check the host key of the client or not.
	ProxyChecksHostKeys *types.BoolOption `yaml:"proxy_checks_host_keys,omitempty"`

	// LicenseFile is a path to the license file. The path can be either absolute or
	// relative to the global data dir
	LicenseFile string `yaml:"license_file,omitempty"`

	// FOR INTERNAL USE:
	// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk
	// to 3rd party auth servers we trust)
	ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`

	// PublicAddr sets SSH host principals and TLS DNS names to auth
	// server certificates
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// ClientIdleTimeout sets global cluster default setting for client idle timeouts
	ClientIdleTimeout types.Duration `yaml:"client_idle_timeout,omitempty"`

	// DisconnectExpiredCert provides disconnect expired certificate setting -
	// if true, connections with expired client certificates will get disconnected
	DisconnectExpiredCert *types.BoolOption `yaml:"disconnect_expired_cert,omitempty"`

	// SessionControlTimeout specifies the maximum amount of time a node can be out
	// of contact with the auth server before it starts terminating controlled sessions.
	SessionControlTimeout types.Duration `yaml:"session_control_timeout,omitempty"`

	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`

	// KeepAliveInterval set the keep-alive interval for server to client
	// connections.
	KeepAliveInterval types.Duration `yaml:"keep_alive_interval,omitempty"`

	// KeepAliveCountMax set the number of keep-alive messages that can be
	// missed before the server disconnects the client.
	KeepAliveCountMax int64 `yaml:"keep_alive_count_max,omitempty"`

	// ClientIdleTimeoutMessage is sent to the client when the inactivity timeout
	// expires. The empty string implies no message should be sent prior to
	// disconnection.
	ClientIdleTimeoutMessage string `yaml:"client_idle_timeout_message,omitempty"`

	// MessageOfTheDay is a banner that a user must acknowledge during a `tsh login`.
	MessageOfTheDay string `yaml:"message_of_the_day,omitempty"`

	// WebIdleTimeout sets global cluster default setting for WebUI client
	// idle timeouts
	WebIdleTimeout types.Duration `yaml:"web_idle_timeout,omitempty"`

	// CAKeyParams configures how CA private keys will be created and stored.
	CAKeyParams *CAKeyParams `yaml:"ca_key_params,omitempty"`

	// ProxyListenerMode is a listener mode user by the proxy.
	ProxyListenerMode types.ProxyListenerMode `yaml:"proxy_listener_mode,omitempty"`

	// RoutingStrategy configures the routing strategy to nodes.
	RoutingStrategy types.RoutingStrategy `yaml:"routing_strategy,omitempty"`

	// TunnelStrategy configures the tunnel strategy used by the cluster.
	TunnelStrategy *types.TunnelStrategyV1 `yaml:"tunnel_strategy,omitempty"`

	// ProxyPingInterval defines in which interval the TLS routing ping message
	// should be sent. This is applicable only when using ping-wrapped
	// connections, regular TLS routing connections are not affected.
	ProxyPingInterval types.Duration `yaml:"proxy_ping_interval,omitempty"`

	// CaseInsensitiveRouting causes proxies to use case-insensitive hostname matching.
	CaseInsensitiveRouting bool `yaml:"case_insensitive_routing,omitempty"`

	// LoadAllCAs tells tsh to load the CAs for all clusters when trying
	// to ssh into a node, instead of just the CA for the current cluster.
	LoadAllCAs bool `yaml:"load_all_cas,omitempty"`

	// HostedPlugins configures the hosted plugins runtime.
	// This is currently Cloud-specific.
	HostedPlugins HostedPlugins `yaml:"hosted_plugins,omitempty"`

	// Assist is a set of options related to the Teleport Assist feature.
	Assist *AuthAssistOptions `yaml:"assist,omitempty"`

	// AccessMonitoring is a set of options related to the Access Monitoring feature.
	AccessMonitoring *servicecfg.AccessMonitoringOptions `yaml:"access_monitoring,omitempty"`
}

type AuthAssistOptions struct {
	AssistOptions `yaml:",inline"`
	// CommandExecutionWorkers determines the number of workers that will
	// execute arbitrary remote commands on servers (e.g. through Assist) in parallel
	CommandExecutionWorkers int32 `yaml:"command_execution_workers,omitempty"`
}

type AuthenticationConfig struct {
	Type           string                     `yaml:"type"`
	SecondFactor   constants.SecondFactorType `yaml:"second_factor,omitempty"`
	ConnectorName  string                     `yaml:"connector_name,omitempty"`
	U2F            *UniversalSecondFactor     `yaml:"u2f,omitempty"`
	Webauthn       *Webauthn                  `yaml:"webauthn,omitempty"`
	RequireMFAType types.RequireMFAType       `yaml:"require_session_mfa,omitempty"`
	LockingMode    constants.LockingMode      `yaml:"locking_mode,omitempty"`

	// LocalAuth controls if local authentication is allowed.
	LocalAuth *types.BoolOption `yaml:"local_auth"`

	// Passwordless enables/disables passwordless support.
	// Requires Webauthn to work.
	// Defaults to true if the Webauthn is configured, defaults to false
	// otherwise.
	Passwordless *types.BoolOption `yaml:"passwordless"`

	// Headless enables/disables headless support.
	// Requires Webauthn to work.
	// Defaults to true if the Webauthn is configured, defaults to false
	// otherwise.
	Headless *types.BoolOption `yaml:"headless"`

	// DeviceTrust holds settings related to trusted device verification.
	// Requires Teleport Enterprise.
	DeviceTrust *DeviceTrust `yaml:"device_trust,omitempty"`

	// DefaultSessionTTL is the default cluster max session ttl
	DefaultSessionTTL types.Duration `yaml:"default_session_ttl"`

	// Deprecated. HardwareKey.PIVSlot should be used instead.
	// TODO(Joerger): DELETE IN 17.0.0
	PIVSlot keys.PIVSlot `yaml:"piv_slot,omitempty"`

	// HardwareKey holds settings related to hardware key support.
	// Requires Teleport Enterprise.
	HardwareKey *HardwareKey `yaml:"hardware_key,omitempty"`
}

type AzureInstallParams struct {
	// ClientID is the client ID of the managed identity to use for installation.
	ClientID string `yaml:"client_id"`
}

type AzureJoinParams struct {
	ClientID string `yaml:"client_id"`
}

type AzureMatcher struct {
	// Subscriptions are Azure subscriptions to query for resources.
	Subscriptions []string `yaml:"subscriptions,omitempty"`
	// ResourceGroups are Azure resource groups to query for resources.
	ResourceGroups []string `yaml:"resource_groups,omitempty"`
	// Types are Azure types to match: "mysql", "postgres", "aks", "vm"
	Types []string `yaml:"types,omitempty"`
	// Regions are Azure locations to match for databases.
	Regions []string `yaml:"regions,omitempty"`
	// ResourceTags are Azure tags on resources to match.
	ResourceTags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// InstallParams sets the join method when installing on
	// discovered Azure nodes.
	InstallParams *InstallParams `yaml:"install,omitempty"`
}

type BPF struct {
	// Enabled enables or disables enhanced session recording for this node.
	Enabled string `yaml:"enabled"`

	// CommandBufferSize is the size of the perf buffer for command events.
	CommandBufferSize *int `yaml:"command_buffer_size,omitempty"`

	// DiskBufferSize is the size of the perf buffer for disk events.
	DiskBufferSize *int `yaml:"disk_buffer_size,omitempty"`

	// NetworkBufferSize is the size of the perf buffer for network events.
	NetworkBufferSize *int `yaml:"network_buffer_size,omitempty"`

	// CgroupPath controls where cgroupv2 hierarchy is mounted.
	CgroupPath string `yaml:"cgroup_path"`
}

type CAKeyParams struct {
	// PKCS11 configures a PKCS#11 HSM to be used for all CA private key generation and
	// storage.
	PKCS11 *PKCS11 `yaml:"pkcs11,omitempty"`
	// GoogleCloudKMS configures Google Cloud Key Management Service to to be used for
	// all CA private key crypto operations.
	GoogleCloudKMS *GoogleCloudKMS `yaml:"gcp_kms,omitempty"`
	// AWSKMS configures AWS Key Management Service to to be used for
	// all CA private key crypto operations.
	AWSKMS *AWSKMS `yaml:"aws_kms,omitempty"`
}

type CachePolicy struct {
	// Type is for cache type `sqlite` or `in-memory`
	Type string `yaml:"type,omitempty"`
	// EnabledFlag enables or disables cache
	EnabledFlag string `yaml:"enabled,omitempty"`
	// TTL sets maximum TTL for the cached values
	TTL string `yaml:"ttl,omitempty"`
	// MaxBackoff sets the maximum backoff on error.
	MaxBackoff time.Duration `yaml:"max_backoff,omitempty"`
}

type ClaimMapping struct {
	// Claim is OIDC claim name
	Claim string `yaml:"claim"`
	// Value is claim value to match
	Value string `yaml:"value"`
	// Roles is a list of teleport roles to match
	Roles []string `yaml:"roles,omitempty"`
}

type ClusterName string

type CommandLabel struct {
	Name    string        `yaml:"name"`
	Command []string      `yaml:"command,flow"`
	Period  time.Duration `yaml:"period"`
}

type CommandLineFlags struct {
	// --name flag
	NodeName string
	// --auth-server flag
	AuthServerAddr []string
	// --token flag
	AuthToken string
	// --join-method flag
	JoinMethod string
	// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// --listen-ip flag
	ListenIP net.IP
	// --advertise-ip flag
	AdvertiseIP string
	// --config flag
	ConfigFile string
	// --apply-on-startup contains the path of a YAML manifest whose resources should be
	// applied on startup. Unlike the bootstrap flag, the resources are always applied,
	// even if the cluster is already initialized. Existing resources will be updated.
	ApplyOnStartupFile string
	// Bootstrap flag contains a YAML file that defines a set of resources to bootstrap
	// a cluster.
	BootstrapFile string
	// ConfigString is a base64 encoded configuration string
	// set by --config-string or TELEPORT_CONFIG environment variable
	ConfigString string
	// --roles flag
	Roles string
	// -d flag
	Debug bool

	// --insecure-no-tls flag
	DisableTLS bool

	// --labels flag
	Labels string
	// --pid-file flag
	PIDFile string
	// DiagnosticAddr is listen address for diagnostic endpoint
	DiagnosticAddr string
	// PermitUserEnvironment enables reading of ~/.tsh/environment
	// when creating a new session.
	PermitUserEnvironment bool

	// Insecure mode is controlled by --insecure flag and in this mode
	// Teleport won't check certificates when connecting to trusted clusters
	// It's useful for learning Teleport (following quick starts, etc).
	InsecureMode bool

	// FIPS mode means Teleport starts in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool

	// SkipVersionCheck allows Teleport to connect to auth servers that
	// have an earlier major version number.
	SkipVersionCheck bool

	// AppName is the name of the application to proxy.
	AppName string

	// AppURI is the internal address of the application to proxy.
	AppURI string

	// AppCloud is set if application is proxying Cloud API
	AppCloud string

	// AppPublicAddr is the public address of the application to proxy.
	AppPublicAddr string

	// DatabaseName is the name of the database to proxy.
	DatabaseName string
	// DatabaseDescription is a free-form database description.
	DatabaseDescription string
	// DatabaseProtocol is the type of the proxied database e.g. postgres or mysql.
	DatabaseProtocol string
	// DatabaseURI is the address to connect to the proxied database.
	DatabaseURI string
	// DatabaseCACertFile is the database CA cert path.
	DatabaseCACertFile string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSAccountID is an optional AWS account ID e.g. when using Keyspaces.
	DatabaseAWSAccountID string
	// DatabaseAWSAssumeRoleARN is an optional AWS IAM role ARN to assume when accessing the database.
	DatabaseAWSAssumeRoleARN string
	// DatabaseAWSExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
	DatabaseAWSExternalID string
	// DatabaseAWSRedshiftClusterID is Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseAWSRDSInstanceID is RDS instance identifier.
	DatabaseAWSRDSInstanceID string
	// DatabaseAWSRDSClusterID is RDS cluster (Aurora) cluster identifier.
	DatabaseAWSRDSClusterID string
	// DatabaseAWSElastiCacheGroupID is the ElastiCache replication group identifier.
	DatabaseAWSElastiCacheGroupID string
	// DatabaseAWSMemoryDBClusterName is the MemoryDB cluster name.
	DatabaseAWSMemoryDBClusterName string
	// DatabaseAWSSessionTags is the AWS STS session tags.
	DatabaseAWSSessionTags string
	// DatabaseGCPProjectID is GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseADKeytabFile is the path to Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseADKrb5File is the path to krb5.conf file.
	DatabaseADKrb5File string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseMySQLServerVersion is the MySQL server version reported to a client
	// if the value cannot be obtained from the database.
	DatabaseMySQLServerVersion string

	// ProxyServer is the url of the proxy server to connect to.
	ProxyServer string
	// OpenSSHConfigPath is the path of the file to write agentless configuration to.
	OpenSSHConfigPath string
	// RestartOpenSSH indicates whether openssh should be restarted or not.
	RestartOpenSSH bool
	// RestartCommand is the command to use when restarting sshd
	RestartCommand string
	// CheckCommand is the command to use when checking sshd config validity
	CheckCommand string
	// Address is the ip address of the OpenSSH node.
	Address string
	// AdditionalPrincipals is a list of additional principals to include in the SSH cert.
	AdditionalPrincipals string
	// Directory to store
	DataDir string

	// IntegrationConfDeployServiceIAMArguments contains the arguments of
	// `teleport integration configure deployservice-iam` command
	IntegrationConfDeployServiceIAMArguments IntegrationConfDeployServiceIAM

	// IntegrationConfEICEIAMArguments contains the arguments of
	// `teleport integration configure eice-iam` command
	IntegrationConfEICEIAMArguments IntegrationConfEICEIAM

	// IntegrationConfEKSIAMArguments contains the arguments of
	// `teleport integration configure eks-iam` command
	IntegrationConfEKSIAMArguments IntegrationConfEKSIAM

	// IntegrationConfAWSOIDCIdPArguments contains the arguments of
	// `teleport integration configure awsoidc-idp` command
	IntegrationConfAWSOIDCIdPArguments IntegrationConfAWSOIDCIdP

	// IntegrationConfListDatabasesIAMArguments contains the arguments of
	// `teleport integration configure listdatabases-iam` command
	IntegrationConfListDatabasesIAMArguments IntegrationConfListDatabasesIAM

	// IntegrationConfExternalAuditStorageArguments contains the arguments of the
	// `teleport integration configure externalauditstorage` command
	IntegrationConfExternalAuditStorageArguments easconfig.ExternalAuditStorageConfiguration

	// IntegrationConfAccessGraphAWSSyncArguments contains the arguments of
	// `teleport integration configure access-graph aws-iam` command
	IntegrationConfAccessGraphAWSSyncArguments IntegrationConfAccessGraphAWSSync
}

type ConnectionLimits struct {
	MaxConnections int64            `yaml:"max_connections"`
	MaxUsers       int              `yaml:"max_users"`
	Rates          []ConnectionRate `yaml:"rates,omitempty"`
}

type ConnectionRate struct {
	Period  time.Duration `yaml:"period"`
	Average int64         `yaml:"average"`
	Burst   int64         `yaml:"burst"`
}

type Database struct {
	// Name is the name for the database proxy service.
	Name string `yaml:"name"`
	// Description is an optional free-form database description.
	Description string `yaml:"description,omitempty"`
	// Protocol is the database type e.g. postgres, mysql, etc.
	Protocol string `yaml:"protocol"`
	// URI is the database address to connect to.
	URI string `yaml:"uri"`
	// CACertFile is an optional path to the database CA certificate.
	// Deprecated in favor of TLS.CACertFile.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
	// TLS keeps an optional TLS configuration options.
	TLS DatabaseTLS `yaml:"tls"`
	// MySQL are additional database options.
	MySQL DatabaseMySQL `yaml:"mysql"`
	// StaticLabels is a map of database static labels.
	StaticLabels map[string]string `yaml:"static_labels,omitempty"`
	// DynamicLabels is a list of database dynamic labels.
	DynamicLabels []CommandLabel `yaml:"dynamic_labels,omitempty"`
	// AWS contains AWS specific settings for AWS-hosted databases.
	AWS DatabaseAWS `yaml:"aws"`
	// GCP contains GCP specific settings for Cloud SQL databases.
	GCP DatabaseGCP `yaml:"gcp"`
	// AD contains Active Directory database configuration.
	AD DatabaseAD `yaml:"ad"`
	// Azure contains Azure database configuration.
	Azure DatabaseAzure `yaml:"azure"`
	// AdminUser describes database privileged user for auto-provisioning.
	AdminUser DatabaseAdminUser `yaml:"admin_user"`
	// Oracle is Database Oracle settings
	Oracle DatabaseOracle `yaml:"oracle,omitempty"`
}

type DatabaseAD struct {
	// KeytabFile is the path to the Kerberos keytab file.
	KeytabFile string `yaml:"keytab_file"`
	// Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
	Krb5File string `yaml:"krb5_file,omitempty"`
	// Domain is the Active Directory domain the database resides in.
	Domain string `yaml:"domain"`
	// SPN is the service principal name for the database.
	SPN string `yaml:"spn"`
	// LDAPCert is a certificate from Windows LDAP/AD, optional; only for x509 Authentication.
	LDAPCert string `yaml:"ldap_cert,omitempty"`
	// KDCHostName is the host name for a KDC for x509 Authentication.
	KDCHostName string `yaml:"kdc_host_name,omitempty"`
}

type DatabaseAWS struct {
	// Region is a cloud region for RDS/Aurora database endpoint.
	Region string `yaml:"region,omitempty"`
	// Redshift contains Redshift specific settings.
	Redshift DatabaseAWSRedshift `yaml:"redshift"`
	// RDS contains RDS specific settings.
	RDS DatabaseAWSRDS `yaml:"rds"`
	// ElastiCache contains ElastiCache specific settings.
	ElastiCache DatabaseAWSElastiCache `yaml:"elasticache"`
	// SecretStore contains settings for managing secrets.
	SecretStore SecretStore `yaml:"secret_store"`
	// MemoryDB contains MemoryDB specific settings.
	MemoryDB DatabaseAWSMemoryDB `yaml:"memorydb"`
	// AccountID is the AWS account ID.
	AccountID string `yaml:"account_id,omitempty"`
	// AssumeRoleARN is the AWS role to assume to before accessing the database.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is an optional AWS external ID used to enable assuming an AWS role across accounts.
	ExternalID string `yaml:"external_id,omitempty"`
	// RedshiftServerless contains RedshiftServerless specific settings.
	RedshiftServerless DatabaseAWSRedshiftServerless `yaml:"redshift_serverless"`
	// SessionTags is a list of AWS STS session tags.
	SessionTags map[string]string `yaml:"session_tags,omitempty"`
}

type DatabaseAWSElastiCache struct {
	// ReplicationGroupID is the ElastiCache replication group ID.
	ReplicationGroupID string `yaml:"replication_group_id,omitempty"`
}

type DatabaseAWSMemoryDB struct {
	// ClusterName is the MemoryDB cluster name.
	ClusterName string `yaml:"cluster_name,omitempty"`
}

type DatabaseAWSRDS struct {
	// InstanceID is the RDS instance identifier.
	InstanceID string `yaml:"instance_id,omitempty"`
	// ClusterID is the RDS cluster (Aurora) identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}

type DatabaseAWSRedshift struct {
	// ClusterID is the Redshift cluster identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}

type DatabaseAWSRedshiftServerless struct {
	// WorkgroupName is the Redshift Serverless workgroup name.
	WorkgroupName string `yaml:"workgroup_name,omitempty"`
	// EndpointName is the Redshift Serverless VPC endpoint name.
	EndpointName string `yaml:"endpoint_name,omitempty"`
}

type DatabaseAdminUser struct {
	// Name is the database admin username (e.g. "postgres").
	Name string `yaml:"name"`
	// DefaultDatabase is the database that the admin user logs into by
	// default.
	//
	// Depending on the database type, this database may be used to store
	// procedures or data for managing database users.
	DefaultDatabase string `yaml:"default_database"`
}

type DatabaseAzure struct {
	// ResourceID is the Azure fully qualified ID for the resource.
	ResourceID string `yaml:"resource_id,omitempty"`
	// IsFlexiServer is true if the database is an Azure Flexible server.
	IsFlexiServer bool `yaml:"is_flexi_server,omitempty"`
}

type DatabaseGCP struct {
	// ProjectID is the GCP project ID where the database is deployed.
	ProjectID string `yaml:"project_id,omitempty"`
	// InstanceID is the Cloud SQL database instance ID.
	InstanceID string `yaml:"instance_id,omitempty"`
}

type DatabaseMySQL struct {
	// ServerVersion is the MySQL version reported by DB proxy instead of default Teleport string.
	ServerVersion string `yaml:"server_version,omitempty"`
}

type DatabaseOracle struct {
	// AuditUser is the Oracle database user privilege to access internal Oracle audit trail.
	AuditUser string `yaml:"audit_user,omitempty"`
}

type DatabaseSampleFlags struct {
	// DynamicResourcesRawLabels is the "raw" list of labels for dynamic "resources".
	DynamicResourcesRawLabels []string
	// DynamicResourcesLabels is the list of labels for dynamic "resources".
	DynamicResourcesLabels []map[string]string
	// StaticDatabaseName static database name provided by the user.
	StaticDatabaseName string
	// StaticDatabaseProtocol static databse protocol provided by the user.
	StaticDatabaseProtocol string
	// StaticDatabaseURI static database URI provided by the user.
	StaticDatabaseURI string
	// StaticDatabaseStaticLabels list of database static labels provided by
	// the user.
	StaticDatabaseStaticLabels map[string]string
	// StaticDatabaseDynamicLabels list of database dynamic labels provided by
	// the user.`
	StaticDatabaseDynamicLabels services.CommandLabels
	// StaticDatabaseRawLabels "raw" list of database labels provided by the
	// user.
	StaticDatabaseRawLabels string
	// NodeName `nodename` configuration.
	NodeName string
	// DataDir `data_dir` configuration.
	DataDir string
	// ProxyServer is the address of the proxy servers
	ProxyServer string
	// AuthToken auth server token.
	AuthToken string
	// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// AzureMySQLDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover MySQL servers in.
	AzureMySQLDiscoveryRegions []string
	// AzurePostgresDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Postgres servers in.
	AzurePostgresDiscoveryRegions []string
	// AzureRedisDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Azure Cache for Redis servers in.
	AzureRedisDiscoveryRegions []string
	// AzureSQLServerDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Azure SQL servers and managed instances.
	AzureSQLServerDiscoveryRegions []string
	// AzureSubscriptions is a list of Azure subscriptions.
	AzureSubscriptions []string
	// AzureResourceGroups is a list of Azure resource groups.
	AzureResourceGroups []string
	// AzureTags is the list of the Azure resource tags used for Azure discoveries.
	AzureTags map[string]string
	// AzureRawTags is the "raw" list of Azure resource tags used for Azure discoveries.
	AzureRawTags string
	// RDSDiscoveryRegions is a list of regions the RDS auto-discovery is
	// configured.
	RDSDiscoveryRegions []string
	// RDSProxyDiscoveryRegions is a list of regions the RDS Proxy
	// auto-discovery is configured.
	RDSProxyDiscoveryRegions []string
	// RedshiftDiscoveryRegions is a list of regions the Redshift
	// auto-discovery is configured.
	RedshiftDiscoveryRegions []string
	// RedshiftServerlessDiscoveryRegions is a list of regions the Redshift
	// Serverless auto-discovery is configured.
	RedshiftServerlessDiscoveryRegions []string
	// ElastiCacheDiscoveryRegions is a list of regions the ElastiCache
	// auto-discovery is configured.
	ElastiCacheDiscoveryRegions []string
	// MemoryDBDiscoveryRegions is a list of regions the MemoryDB
	// auto-discovery is configured.
	MemoryDBDiscoveryRegions []string
	// OpenSearchDiscoveryRegions is a list of regions the OpenSearch
	// auto-discovery is configured.
	OpenSearchDiscoveryRegions []string
	// AWSTags is the list of the AWS resource tags used for AWS discoveries.
	AWSTags map[string]string
	// AWSRawTags is the "raw" list of AWS resource tags used for AWS discoveries.
	AWSRawTags string
	// DatabaseProtocols is a list of database protocols supported.
	DatabaseProtocols []string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSAccountID is an optional AWS account ID e.g. when using Keyspaces or DynamoDB.
	DatabaseAWSAccountID string
	// DatabaseAWSAssumeRoleARN is an optional AWS IAM role ARN to assume when accessing the database.
	DatabaseAWSAssumeRoleARN string
	// DatabaseAWSExternalID is an optional AWS database external ID, used when assuming roles.
	DatabaseAWSExternalID string
	// DatabaseAWSRedshiftClusterID is Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseAWSRDSClusterID is the RDS Aurora cluster identifier.
	DatabaseAWSRDSClusterID string
	// DatabaseAWSRDSInstanceID is the RDS instance identifier.
	DatabaseAWSRDSInstanceID string
	// DatabaseAWSElastiCacheGroupID is the ElastiCache replication group identifier.
	DatabaseAWSElastiCacheGroupID string
	// DatabaseAWSMemoryDBClusterName is the MemoryDB cluster name.
	DatabaseAWSMemoryDBClusterName string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseADKeytabFile is the path to Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseGCPProjectID is GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseCACertFile is the database CA cert path.
	DatabaseCACertFile string
}

type DatabaseTLS struct {
	// Mode is a TLS verification mode. Available options are 'verify-full', 'verify-ca' or 'insecure',
	// 'verify-full' is the default option.
	Mode string `yaml:"mode"`
	// ServerName allows providing custom server name.
	// This name will override DNS name when validating certificate presented by the database.
	ServerName string `yaml:"server_name,omitempty"`
	// CACertFile is an optional path to the database CA certificate.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
}

type Databases struct {
	// Service contains common service fields.
	Service `yaml:",inline"`
	// Databases is a list of databases proxied by the service.
	Databases []*Database `yaml:"databases"`
	// ResourceMatchers match cluster database resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
	// AWSMatchers match AWS-hosted databases.
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`
	// AzureMatchers match Azure hosted databases.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`
}

type DeviceTrust struct {
	// Mode is the trusted device verification mode.
	// Mirrors types.DeviceTrust.Mode.
	Mode string `yaml:"mode,omitempty"`
	// AutoEnroll is the toggle for the device auto-enroll feature.
	AutoEnroll string `yaml:"auto_enroll,omitempty"`
	// EKCertAllowedCAs is an allow list of EKCert CAs. These may be specified
	// as a PEM encoded certificate or as a path to a PEM encoded certificate.
	//
	// If present, only TPM devices that present an EKCert that is signed by a
	// CA specified here may be enrolled (existing enrollments are
	// unchanged).
	//
	// If not present, then the CA of TPM EKCerts will not be checked during
	// enrollment, this allows any device to enroll.
	EKCertAllowedCAs []string `yaml:"ekcert_allowed_cas,omitempty"`
}

type Discovery struct {
	Service `yaml:",inline"`

	// AWSMatchers are used to match EC2 instances
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`

	// AzureMatchers are used to match Azure resources.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`

	// GCPMatchers are used to match GCP resources.
	GCPMatchers []GCPMatcher `yaml:"gcp,omitempty"`

	// KubernetesMatchers are used to match services inside Kubernetes cluster for auto discovery
	KubernetesMatchers []KubernetesMatcher `yaml:"kubernetes,omitempty"`

	// AccessGraph is used to configure the cloud sync into AccessGraph.
	AccessGraph *AccessGraphSync `yaml:"access_graph,omitempty"`

	// DiscoveryGroup is the name of the discovery group that the current
	// discovery service is a part of.
	// It is used to filter out discovered resources that belong to another
	// discovery services. When running in high availability mode and the agents
	// have access to the same cloud resources, this field value must be the same
	// for all discovery services. If different agents are used to discover different
	// sets of cloud resources, this field must be different for each set of agents.
	DiscoveryGroup string `yaml:"discovery_group,omitempty"`
	// PollInterval is the cadence at which the discovery server will run each of its
	// discovery cycles.
	PollInterval time.Duration `yaml:"poll_interval,omitempty"`
}

type FileConfig struct {
	Version string `yaml:"version,omitempty"`
	Global  `yaml:"teleport,omitempty"`
	Auth    Auth  `yaml:"auth_service,omitempty"`
	SSH     SSH   `yaml:"ssh_service,omitempty"`
	Proxy   Proxy `yaml:"proxy_service,omitempty"`
	Kube    Kube  `yaml:"kubernetes_service,omitempty"`

	// Apps is the "app_service" section in Teleport file configuration which
	// defines application access configuration.
	Apps Apps `yaml:"app_service,omitempty"`

	// Databases is the "db_service" section in Teleport configuration file
	// that defines database access configuration.
	Databases Databases `yaml:"db_service,omitempty"`

	// Metrics is the "metrics_service" section in Teleport configuration file
	// that defines the metrics service configuration
	Metrics Metrics `yaml:"metrics_service,omitempty"`

	// WindowsDesktop is the "windows_desktop_service" that defines the
	// configuration for Windows Desktop Access.
	WindowsDesktop WindowsDesktopService `yaml:"windows_desktop_service,omitempty"`

	// Tracing is the "tracing_service" section in Teleport configuration file
	Tracing TracingService `yaml:"tracing_service,omitempty"`

	// Discovery is the "discovery_service" section in the Teleport
	// configuration file
	Discovery Discovery `yaml:"discovery_service,omitempty"`

	// Okta is the "okta_service" section in the Teleport configuration file
	Okta Okta `yaml:"okta_service,omitempty"`

	// Jamf is the "jamf_service" section in the config file.
	Jamf JamfService `yaml:"jamf_service,omitempty"`

	// Plugins is the section of the config for configuring the plugin service.
	Plugins PluginService `yaml:"plugin_service,omitempty"`

	// AccessGraph is the section of the config describing AccessGraph service
	AccessGraph AccessGraph `yaml:"access_graph,omitempty"`
}

type GCPMatcher struct {
	// Types are GKE resource types to match: "gke", "gce".
	Types []string `yaml:"types,omitempty"`
	// Locations are GKE locations to search resources for.
	Locations []string `yaml:"locations,omitempty"`
	// Labels are GCP labels to match.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
	// Tags are an alias for Labels, for backwards compatibility.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// ProjectIDs are the GCP project ID where the resources are deployed.
	ProjectIDs []string `yaml:"project_ids,omitempty"`
	// ServiceAccounts are the emails of service accounts attached to VMs.
	ServiceAccounts []string `yaml:"service_accounts,omitempty"`
	// InstallParams sets the join method when installing on
	// discovered GCP VMs.
	InstallParams *InstallParams `yaml:"install,omitempty"`
}

type Global struct {
	NodeName string `yaml:"nodename,omitempty"`
	DataDir  string `yaml:"data_dir,omitempty"`
	PIDFile  string `yaml:"pid_file,omitempty"`

	JoinParams JoinParams `yaml:"join_params,omitempty"`

	// v1, v2
	AuthServers []string `yaml:"auth_servers,omitempty"`
	// AuthToken is the old way of configuring the token to be used by the
	// node to join the Teleport cluster. `JoinParams.TokenName` should be
	// used instead with `JoinParams.JoinMethod = types.JoinMethodToken`.
	AuthToken string `yaml:"auth_token,omitempty"`

	// v3
	AuthServer  string `yaml:"auth_server,omitempty"`
	ProxyServer string `yaml:"proxy_server,omitempty"`

	Limits      ConnectionLimits `yaml:"connection_limits,omitempty"`
	Logger      Log              `yaml:"log,omitempty"`
	Storage     backend.Config   `yaml:"storage,omitempty"`
	AdvertiseIP string           `yaml:"advertise_ip,omitempty"`
	CachePolicy CachePolicy      `yaml:"cache,omitempty"`

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []string `yaml:"ciphersuites,omitempty"`

	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string `yaml:"ciphers,omitempty"`

	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string `yaml:"kex_algos,omitempty"`

	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string `yaml:"mac_algos,omitempty"`

	// CASignatureAlgorithm is ignored but ketp for config backwards compat
	CASignatureAlgorithm *string `yaml:"ca_signature_algo,omitempty"`

	// CAPin is the SKPI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list.
	CAPin apiutils.Strings `yaml:"ca_pin"`

	// DiagAddr is the address to expose a diagnostics HTTP endpoint.
	DiagAddr string `yaml:"diag_addr"`
}

type GoogleCloudKMS struct {
	// KeyRing is the GCP key ring where all keys generated by this auth server
	// should be held. This must be the fully qualified resource name of the key
	// ring, including the project and location, e.g.
	// projects/teleport-project/locations/us-west1/keyRings/teleport-keyring
	KeyRing string `yaml:"keyring"`
	// ProtectionLevel specifies how cryptographic operations are performed.
	// For more information, see https://cloud.google.com/kms/docs/algorithms#protection_levels
	// Supported options are "HSM" and "SOFTWARE".
	ProtectionLevel string `yaml:"protection_level"`
}

type HardwareKey struct {
	// PIVSlot is a PIV slot that Teleport clients should use instead of the
	// default based on private key policy. For example, "9a" or "9e".
	PIVSlot keys.PIVSlot `yaml:"piv_slot,omitempty"`

	// SerialNumberValidation contains optional settings for hardware key
	// serial number validation, including whether it is enabled.
	SerialNumberValidation *HardwareKeySerialNumberValidation `yaml:"serial_number_validation,omitempty"`
}

type HardwareKeySerialNumberValidation struct {
	// Enabled indicates whether hardware key serial number validation is enabled.
	Enabled string `yaml:"enabled"`

	// SerialNumberTraitName is an optional custom user trait name for hardware key
	// serial numbers to replace the default: "hardware_key_serial_numbers".
	SerialNumberTraitName string `yaml:"serial_number_trait_name"`
}

type HostedPlugins struct {
	Enabled        bool                 `yaml:"enabled"`
	OAuthProviders PluginOAuthProviders `yaml:"oauth_providers,omitempty"`
}

type IdP struct {
	// SAMLIdP represents configuratino options for the SAML identity provider.
	SAMLIdP SAMLIdP `yaml:"saml,omitempty"`
}

type InstallParams struct {
	// JoinParams sets the token and method to use when generating
	// config on cloud instances
	JoinParams JoinParams `yaml:"join_params,omitempty"`
	// ScriptName is the name of the teleport installer script
	// resource for the cloud instance to execute
	ScriptName string `yaml:"script_name,omitempty"`
	// InstallTeleport disables agentless discovery
	InstallTeleport string `yaml:"install_teleport,omitempty"`
	// SSHDConfig provides the path to write sshd configuration changes
	SSHDConfig string `yaml:"sshd_config,omitempty"`
	// PublicProxyAddr is the address of the proxy the discovered node should use
	// to connect to the cluster.
	PublicProxyAddr string `yaml:"public_proxy_addr,omitempty"`
	// Azure is te set of installation parameters specific to Azure.
	Azure *AzureInstallParams `yaml:"azure,omitempty"`
}

type IntegrationConfAWSOIDCIdP struct {
	// Cluster is the teleport cluster name.
	Cluster string
	// Name is the integration name.
	Name string
	// Role is the AWS Role to associate with the Integration
	Role string
	// ProxyPublicURL is the IdP Issuer URL (Teleport Proxy Public Address).
	// Eg, https://<tenant>.teleport.sh
	ProxyPublicURL string
}

type IntegrationConfAccessGraphAWSSync struct {
	// Role is the AWS Role associated with the Integration
	Role string
}

type IntegrationConfDeployServiceIAM struct {
	// Cluster is the teleport cluster name.
	Cluster string
	// Name is the integration name.
	Name string
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration
	Role string
	// TaskRole is the AWS Role to be used by the deployed service.
	TaskRole string
}

type IntegrationConfEICEIAM struct {
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration
	Role string
}

type IntegrationConfEKSIAM struct {
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration
	Role string
}

type IntegrationConfListDatabasesIAM struct {
	// Region is the AWS Region used to set up the client.
	Region string
	// Role is the AWS Role associated with the Integration
	Role string
}

type JamfInventoryEntry struct {
	// FilterRSQL is a Jamf Pro API RSQL filter string.
	FilterRSQL string `yaml:"filter_rsql,omitempty"`
	// SyncPeriodPartial is the period for PARTIAL syncs.
	// Zero means "server default", negative means "disabled".
	SyncPeriodPartial time.Duration `yaml:"sync_period_partial,omitempty"`
	// SyncPeriodFull is the period for FULL syncs.
	// Zero means "server default", negative means "disabled".
	SyncPeriodFull time.Duration `yaml:"sync_period_full,omitempty"`
	// OnMissing is the trigger for devices missing from the MDM inventory view.
	// See [types.JamfInventoryEntry.OnMissing].
	OnMissing string `yaml:"on_missing,omitempty"`
}

type JamfService struct {
	Service `yaml:",inline"`
	// Name is the name of the sync device source.
	Name string `yaml:"name,omitempty"`
	// SyncDelay is the initial sync delay.
	// Zero means "server default", negative means "immediate".
	SyncDelay time.Duration `yaml:"sync_delay,omitempty"`
	// ExitOnSync tells the service to exit immediately after the first sync.
	ExitOnSync bool `yaml:"exit_on_sync,omitempty"`
	// APIEndpoint is the Jamf Pro API endpoint.
	// Example: "https://yourtenant.jamfcloud.com/api".
	APIEndpoint string `yaml:"api_endpoint,omitempty"`
	// Username is the Jamf Pro API username.
	Username string `yaml:"username,omitempty"`
	// PasswordFile is a file containing the  Jamf Pro API password.
	// A single trailing newline is trimmed, anything else is taken literally.
	PasswordFile string `yaml:"password_file,omitempty"`
	// Inventory are the entries for inventory sync.
	Inventory []*JamfInventoryEntry `yaml:"inventory,omitempty"`
}

type JoinParams struct {
	TokenName string           `yaml:"token_name"`
	Method    types.JoinMethod `yaml:"method"`
	Azure     AzureJoinParams  `yaml:"azure,omitempty"`
}

type KeyPair struct {
	// PrivateKey is the path on disk to a PEM encoded private key,
	PrivateKey string `yaml:"key_file"`
	// Certificate is the path on disk to a PEM encoded x509 certificate.
	Certificate string `yaml:"cert_file"`
}

type Kube struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes service
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// KubeClusterName is the name of a kubernetes cluster this service is
	// running in. If set, this proxy will handle kubernetes requests for the
	// cluster.
	KubeClusterName string `yaml:"kube_cluster_name,omitempty"`
	// StaticLabels are the static labels for RBAC on kubernetes clusters.
	StaticLabels map[string]string `yaml:"labels,omitempty"`
	// DynamicLabels are the dynamic labels for RBAC on kubernetes clusters.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`
	// ResourceMatchers match cluster kube_cluster resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}

type KubeProxy struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes proxy
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// ClusterName is the name of a kubernetes cluster this proxy is running
	// in. If set, this proxy will handle kubernetes requests for the cluster.
	ClusterName string `yaml:"cluster_name,omitempty"`
}

type KubernetesMatcher struct {
	// Types are Kubernetes services types to match. Currently only 'app' is supported.
	Types []string `yaml:"types,omitempty"`
	// Namespaces are Kubernetes namespaces in which to discover services
	Namespaces []string `yaml:"namespaces,omitempty"`
	// Labels are Kubernetes services labels to match.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
}

type LDAPConfig struct {
	// Addr is the host:port of the LDAP server (typically port 389).
	Addr string `yaml:"addr"`
	// Domain is the ActiveDirectory domain name.
	Domain string `yaml:"domain"`
	// Username for LDAP authentication.
	Username string `yaml:"username"`
	// SID is the Security Identifier for the service account specified by Username.
	SID string `yaml:"sid"`
	// InsecureSkipVerify decides whether whether we skip verifying with the LDAP server's CA when making the LDAPS connection.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
	// ServerName is the name of the LDAP server for TLS.
	ServerName string `yaml:"server_name,omitempty"`
	// DEREncodedCAFile is the filepath to an optional DER encoded CA cert to be used for verification (if InsecureSkipVerify is set to false).
	DEREncodedCAFile string `yaml:"der_ca_file,omitempty"`
	// PEMEncodedCACert is an optional PEM encoded CA cert to be used for verification (if InsecureSkipVerify is set to false).
	PEMEncodedCACert string `yaml:"ldap_ca_cert,omitempty"`
}

type LDAPDiscoveryConfig struct {
	// BaseDN is the base DN to search for desktops.
	// Use the value '*' to search from the root of the domain,
	// or leave blank to disable desktop discovery.
	BaseDN string `yaml:"base_dn"`
	// Filters are additional LDAP filters to apply to the search.
	// See: https://ldap.com/ldap-filters/
	Filters []string `yaml:"filters"`
	// LabelAttributes are LDAP attributes to apply to hosts discovered
	// via LDAP. Teleport labels hosts by prefixing the attribute with
	// "ldap/" - for example, a value of "location" here would result in
	// discovered desktops having a label with key "ldap/location" and
	// the value being the value of the "location" attribute.
	LabelAttributes []string `yaml:"label_attributes"`
}

type LegacyLog struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn"
	Severity string `yaml:"severity,omitempty"`
	// Format lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	Format []string `yaml:"format,omitempty"`
}

type Log struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn"
	Severity string `yaml:"severity,omitempty"`
	// Format defines the logs output format and extra fields
	Format LogFormat `yaml:"format,omitempty"`
}

type LogFormat struct {
	// Output defines the output format. Possible values are 'text' and 'json'.
	Output string `yaml:"output,omitempty"`
	// ExtraFields lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	ExtraFields []string `yaml:"extra_fields,omitempty"`
}

type Metrics struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`

	// KeyPairs is a list of x509 serving key pairs used for securing the metrics endpoint with mTLS.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`

	// CACerts is a list of prometheus CA certificates to validate clients against.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set.
	CACerts []string `yaml:"ca_certs,omitempty"`

	// GRPCServerLatency enables histogram metrics for each gRPC endpoint on the auth server
	GRPCServerLatency bool `yaml:"grpc_server_latency,omitempty"`

	// GRPCServerLatency enables histogram metrics for each gRPC endpoint on the auth server
	GRPCClientLatency bool `yaml:"grpc_client_latency,omitempty"`
}

type OAuthClientCredentials struct {
	// ClientID is the path to the file containing the Client ID
	ClientID string `yaml:"client_id"`
	// ClientSecret is the path to the file containing the Client Secret
	ClientSecret string `yaml:"client_secret"`
}

type Okta struct {
	Service `yaml:",inline"`

	// APIEndpoint is the Okta API endpoint to use.
	APIEndpoint string `yaml:"api_endpoint,omitempty"`

	// APITokenPath is the path to the Okta API token.
	APITokenPath string `yaml:"api_token_path,omitempty"`

	// SyncPeriod is the duration between synchronization calls for synchronizing Okta applications and groups..
	// Deprecated. Please use sync.app_group_sync_period instead.
	SyncPeriod time.Duration `yaml:"sync_period,omitempty"`

	// Import is the import settings for the Okta service.
	Sync OktaSync `yaml:"sync,omitempty"`
}

type OktaSync struct {
	// AppGroupSyncPeriod is the duration between synchronization calls for synchronizing Okta applications and groups.
	AppGroupSyncPeriod time.Duration `yaml:"app_group_sync_period,omitempty"`

	// SyncAccessLists will enable or disable the Okta importing of access lists. Defaults to false.
	SyncAccessListsFlag string `yaml:"sync_access_lists,omitempty"`

	// DefaultOwners are the default owners for all imported access lists.
	DefaultOwners []string `yaml:"default_owners,omitempty"`

	// GroupFilters are filters for which Okta groups to synchronize as access lists.
	// These are globs/regexes.
	GroupFilters []string `yaml:"group_filters,omitempty"`

	// AppFilters are filters for which Okta applications to synchronize as access lists.
	// These are globs/regexes.
	AppFilters []string `yaml:"app_filters,omitempty"`
}

type OpenAIOptions struct {
	// APITokenPath is the path to a file with OpenAI API key.
	APITokenPath string `yaml:"api_token_path,omitempty"`
}

type Opsgenie struct {
	// APIKeyFile is the path to a file containing an Opsgenie API key.
	APIKeyFile string `yaml:"api_key_file"`
}

type PAM struct {
	// Enabled controls if PAM will be used or not.
	Enabled string `yaml:"enabled"`

	// ServiceName is the name of the PAM policy to apply.
	ServiceName string `yaml:"service_name"`

	// UsePAMAuth specifies whether to trigger the "auth" PAM modules from the
	// policy.
	UsePAMAuth bool `yaml:"use_pam_auth"`

	// Environment represents environment variables to pass to PAM.
	// These may contain role-style interpolation syntax.
	Environment map[string]string `yaml:"environment,omitempty"`
}

type PKCS11 struct {
	// ModulePath is the path to the PKCS#11 library.
	ModulePath string `yaml:"module_path"`
	// TokenLabel is the CKA_LABEL of the HSM token to use. Set this or
	// SlotNumber to select a token.
	TokenLabel string `yaml:"token_label,omitempty"`
	// SlotNumber is the slot number of the HSM token to use. Set this or
	// TokenLabel to select a token.
	SlotNumber *int `yaml:"slot_number,omitempty"`
	// Pin is the raw pin for connecting to the HSM. Set this or PinPath to set
	// the pin.
	Pin string `yaml:"pin,omitempty"`
	// PinPath is a path to a file containing a pin for connecting to the HSM.
	// Trailing newlines will be removed, other whitespace will be left. Set
	// this or Pin to set the pin.
	PinPath string `yaml:"pin_path,omitempty"`
}

type PluginOAuthProviders struct {
	Slack *OAuthClientCredentials `yaml:"slack,omitempty"`
}

type PluginService struct {
	Enabled bool `yaml:"enabled"`
	// Plugins is a map of matchers for enabled plugin resources.
	Plugins map[string]string `yaml:"plugins,omitempty"`
}

type Proxy struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`
	// WebAddr is a web UI listen address
	WebAddr string `yaml:"web_listen_addr,omitempty"`
	// TunAddr is a reverse tunnel address
	TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
	// PeerAddr is the address this proxy will be dialed at by its peers.
	PeerAddr string `yaml:"peer_listen_addr,omitempty"`
	// PeerPublicAddr is the hostport the proxy advertises for peer proxy
	// client connections.
	PeerPublicAddr string `yaml:"peer_public_addr,omitempty"`
	// KeyFile is a TLS key file
	KeyFile string `yaml:"https_key_file,omitempty"`
	// CertFile is a TLS Certificate file
	CertFile string `yaml:"https_cert_file,omitempty"`
	// ProxyProtocol turns on support for HAProxy PROXY protocol
	// this is the option that has be turned on only by administrator,
	// as only admin knows whether service is in front of trusted load balancer
	// or not.
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`
	// KubeProxy configures kubernetes protocol support of the proxy
	Kube KubeProxy `yaml:"kubernetes,omitempty"`
	// KubeAddr is a shorthand for enabling the Kubernetes endpoint without a
	// local Kubernetes cluster.
	KubeAddr string `yaml:"kube_listen_addr,omitempty"`
	// KubePublicAddr is a public address of the kubernetes endpoint.
	KubePublicAddr apiutils.Strings `yaml:"kube_public_addr,omitempty"`

	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	// The hosts in PublicAddr are included in the list of host principals
	// on the SSH certificate.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// SSHPublicAddr sets the hostport the proxy advertises for the SSH endpoint.
	// The hosts in PublicAddr are included in the list of host principals
	// on the SSH certificate.
	SSHPublicAddr apiutils.Strings `yaml:"ssh_public_addr,omitempty"`

	// TunnelPublicAddr sets the hostport the proxy advertises for the tunnel
	// endpoint. The hosts in PublicAddr are included in the list of host
	// principals on the SSH certificate.
	TunnelPublicAddr apiutils.Strings `yaml:"tunnel_public_addr,omitempty"`

	// KeyPairs is a list of x509 key pairs the proxy will load.
	KeyPairs []KeyPair `yaml:"https_keypairs"`

	// KeyPairsReloadInterval is the interval between attempts to reload
	// x509 key pairs. If set to 0, then periodic reloading is disabled.
	KeyPairsReloadInterval time.Duration `yaml:"https_keypairs_reload_interval"`

	// ACME configures ACME protocol support
	ACME ACME `yaml:"acme"`

	// MySQLAddr is MySQL proxy listen address.
	MySQLAddr string `yaml:"mysql_listen_addr,omitempty"`
	// MySQLPublicAddr is the hostport the proxy advertises for MySQL
	// client connections.
	MySQLPublicAddr apiutils.Strings `yaml:"mysql_public_addr,omitempty"`

	// MySQLServerVersion allow to overwrite proxy default mysql engine version reported by Teleport proxy.
	MySQLServerVersion string `yaml:"mysql_server_version,omitempty"`

	// PostgresAddr is Postgres proxy listen address.
	PostgresAddr string `yaml:"postgres_listen_addr,omitempty"`
	// PostgresPublicAddr is the hostport the proxy advertises for Postgres
	// client connections.
	PostgresPublicAddr apiutils.Strings `yaml:"postgres_public_addr,omitempty"`

	// MongoAddr is Mongo proxy listen address.
	MongoAddr string `yaml:"mongo_listen_addr,omitempty"`
	// MongoPublicAddr is the hostport the proxy advertises for Mongo
	// client connections.
	MongoPublicAddr apiutils.Strings `yaml:"mongo_public_addr,omitempty"`

	// IdP is configuration for identity providers.
	//
	//nolint:revive // Because we want this to be IdP.
	IdP IdP `yaml:"idp,omitempty"`

	// UI provides config options for the web UI
	UI *UIConfig `yaml:"ui,omitempty"`

	// Assist is a set of options related to the Teleport Assist feature.
	Assist *ProxyAssistOptions `yaml:"assist,omitempty"`

	// TrustXForwardedFor enables the service to take client source IPs from
	// the "X-Forwarded-For" headers for web APIs received from layer 7 load
	// balancers or reverse proxies.
	TrustXForwardedFor types.Bool `yaml:"trust_x_forwarded_for,omitempty"`

	// AutomaticUpgradesChannels is a map of all version channels used by the
	// proxy built-in version server to retrieve target versions. This is part
	// of the automatic upgrades.
	AutomaticUpgradesChannels automaticupgrades.Channels `yaml:"automatic_upgrades_channels,omitempty"`
}

type ProxyAssistOptions struct {
	AssistOptions `yaml:",inline"`
}

type ResourceMatcher struct {
	// Labels match resource labels.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
	// AWS contains AWS specific settings.
	AWS ResourceMatcherAWS `yaml:"aws,omitempty"`
}

type ResourceMatcherAWS struct {
	// AssumeRoleARN is the AWS role to assume to before accessing the
	// database.
	AssumeRoleARN string `yaml:"assume_role_arn,omitempty"`
	// ExternalID is an optional AWS external ID used to enable assuming an AWS
	// role across accounts.
	ExternalID string `yaml:"external_id,omitempty"`
}

type RestrictedSession struct {
	// Enabled enables or disables enforcement for this node.
	Enabled string `yaml:"enabled"`

	// EventsBufferSize is the size in bytes of the channel to report events
	// from the kernel to us.
	EventsBufferSize *int `yaml:"events_buffer_size,omitempty"`
}

type ReverseTunnel struct {
	DomainName string   `yaml:"domain_name"`
	Addresses  []string `yaml:"addresses"`
}

type Rewrite struct {
	// Redirect is a list of hosts that should be rewritten to the public address.
	Redirect []string `yaml:"redirect"`
	// Headers is a list of extra headers to inject in the request.
	Headers []string `yaml:"headers,omitempty"`
	// JWTClaims configures whether roles/traits are included in the JWT token
	JWTClaims string `yaml:"jwt_claims,omitempty"`
}

type SAMLIdP struct {
	// Enabled turns the SAML IdP on or off for this process.
	EnabledFlag string `yaml:"enabled,omitempty"`

	// BaseURL is the base URL to provide to the SAML IdP.
	BaseURL string `yaml:"base_url,omitempty"`
}

type SSH struct {
	Service               `yaml:",inline"`
	Namespace             string            `yaml:"namespace,omitempty"`
	Labels                map[string]string `yaml:"labels,omitempty"`
	Commands              []CommandLabel    `yaml:"commands,omitempty"`
	PermitUserEnvironment bool              `yaml:"permit_user_env,omitempty"`
	PAM                   *PAM              `yaml:"pam,omitempty"`
	// PublicAddr sets SSH host principals for SSH service
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// BPF is used to configure BPF-based auditing for this node.
	BPF *BPF `yaml:"enhanced_recording,omitempty"`

	// RestrictedSession is used to restrict access to kernel objects
	RestrictedSession *RestrictedSession `yaml:"restricted_session,omitempty"`

	// MaybeAllowTCPForwarding enables or disables TCP port forwarding. We're
	// using a pointer-to-bool here because the system default is to allow TCP
	// forwarding, we need to distinguish between an unset value and a false
	// value so we can an override unset value with `true`.
	//
	// Don't read this value directly: call the AllowTCPForwarding method
	// instead.
	MaybeAllowTCPForwarding *bool `yaml:"port_forwarding,omitempty"`

	// X11 is used to configure X11 forwarding settings
	X11 *X11 `yaml:"x11,omitempty"`

	// MaybeSSHFileCopy enables or disables remote file operations via SCP/SFTP.
	// We're using a pointer-to-bool here because the system default is to allow
	// SCP/SFTP, we need to distinguish between an unset value and a false
	// value so we can an override unset value with `true`.
	//
	// Don't read this value directly: call the SSHFileCopy method
	// instead.
	MaybeSSHFileCopy *bool `yaml:"ssh_file_copy,omitempty"`

	// DisableCreateHostUser disables automatic user provisioning on this
	// SSH node.
	DisableCreateHostUser bool `yaml:"disable_create_host_user,omitempty"`
}

type SampleFlags struct {
	// ClusterName is an optional cluster name
	ClusterName string
	// LicensePath adds license path to config
	LicensePath string
	// ACMEEmail is acme email
	ACMEEmail string
	// ACMEEnabled turns on ACME
	ACMEEnabled bool
	// Version is the Teleport Configuration version.
	Version string
	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	PublicAddr string
	// KeyFile is a TLS key file
	KeyFile string
	// CertFile is a TLS Certificate file
	CertFile string
	// DataDir is a path to a directory where Teleport keep its data
	DataDir string
	// AuthToken is a token to register with an auth server
	AuthToken string
	// Roles is a list of comma-separated roles to create a config file with
	Roles string
	// AuthServer is the address of the auth server
	AuthServer string
	// ProxyAddress is the address of the proxy
	ProxyAddress string
	// AppName is the name of the application to start
	AppName string
	// AppURI is the internal address of the application to proxy
	AppURI string
	// NodeLabels is list of labels in the format `foo=bar,baz=bax` to add to newly created nodes.
	NodeLabels string
	// CAPin is the SKPI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list.
	CAPin string
	// JoinMethod is the method that will be used to join the cluster, either "token", "iam" or "ec2"
	JoinMethod string
	// NodeName is the name of the teleport node
	NodeName string
	// Silent suppresses user hint printed after config has been generated.
	Silent bool
	// AzureClientID is the client ID of the managed identity to use when joining
	// the cluster. Only applicable for the azure join method.
	AzureClientID string
}

type SecretStore struct {
	// KeyPrefix specifies the secret key prefix.
	KeyPrefix string `yaml:"key_prefix,omitempty"`
	// KMSKeyID specifies the KMS key used to encrypt and decrypt the secret.
	KMSKeyID string `yaml:"kms_key_id,omitempty"`
}

type Service struct {
	EnabledFlag   string `yaml:"enabled,omitempty"`
	ListenAddress string `yaml:"listen_addr,omitempty"`
	// contains filtered or unexported fields
}

type StaticToken string

type StaticTokens []StaticToken

type SystemdFlags struct {
	// EnvironmentFile is the environment file path provided by the user.
	EnvironmentFile string
	// PIDFile is the process ID (PID) file path provided by the user.
	PIDFile string
	// FileDescriptorLimit is the maximum number of open file descriptors provided by the user.
	FileDescriptorLimit int
	// TeleportInstallationFile is the teleport installation path provided by the user.
	TeleportInstallationFile string
	// TeleportConfigPath is the path to the teleport config file (as set by Teleport defaults)
	TeleportConfigPath string
}

type TracingService struct {
	// Enabled turns the tracing service role on or off for this process
	EnabledFlag string `yaml:"enabled,omitempty"`

	// ExporterURL is the OTLP exporter URL to send spans to
	ExporterURL string `yaml:"exporter_url"`

	// KeyPairs is a list of x509 serving key pairs used for mTLS.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`

	// CACerts are the exporter ca certs to use
	CACerts []string `yaml:"ca_certs,omitempty"`

	// SamplingRatePerMillion is the sampling rate for the exporter.
	// 1_000_000 means all spans will be sampled and 0 means none are sampled.
	SamplingRatePerMillion int `yaml:"sampling_rate_per_million"`
}

type TrustedCluster struct {
	// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys
	KeyFile string `yaml:"key_file,omitempty"`
	// AllowedLogins is a comma-separated list of user logins allowed from that cluster
	AllowedLogins string `yaml:"allow_logins,omitempty"`
	// TunnelAddr is a comma-separated list of reverse tunnel addresses to
	// connect to
	TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}

type UIConfig struct {
	// ScrollbackLines is the max number of lines the UI terminal can display in its history
	ScrollbackLines int `yaml:"scrollback_lines,omitempty"`
}

type UniversalSecondFactor struct {
	AppID string `yaml:"app_id"`
	// Facets kept only to avoid breakages during Teleport updates.
	// Webauthn is now used instead of U2F.
	Facets               []string `yaml:"facets"`
	DeviceAttestationCAs []string `yaml:"device_attestation_cas"`
}

type Webauthn struct {
	RPID                  string   `yaml:"rp_id,omitempty"`
	AttestationAllowedCAs []string `yaml:"attestation_allowed_cas,omitempty"`
	AttestationDeniedCAs  []string `yaml:"attestation_denied_cas,omitempty"`
	// Deprecated: Disabled has no effect, it is kept solely to not break existing
	// configurations.
	Disabled bool `yaml:"disabled,omitempty"`
}

type WindowsDesktopService struct {
	Service `yaml:",inline"`
	// Labels are the configured windows deesktops service labels.
	Labels map[string]string `yaml:"labels,omitempty"`
	// PublicAddr is a list of advertised public addresses of this service.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// ShowDesktopWallpaper determines whether desktop sessions will show a
	// user-selected wallpaper vs a system-default, single-color wallpaper.
	ShowDesktopWallpaper bool `yaml:"show_desktop_wallpaper,omitempty"`
	// LDAP is the LDAP connection parameters.
	LDAP LDAPConfig `yaml:"ldap"`
	// PKIDomain optionally configures a separate Active Directory domain
	// for PKI operations. If empty, the domain from the LDAP config is used.
	// This can be useful for cases where PKI is configured in a root domain
	// but Teleport is used to provide access to users and computers in a child
	// domain.
	PKIDomain string `yaml:"pki_domain"`
	// Discovery configures desktop discovery via LDAP.
	Discovery LDAPDiscoveryConfig `yaml:"discovery,omitempty"`
	// ADHosts is a list of static, AD-connected Windows hosts. This gives users
	// a way to specify AD-connected hosts that won't be found by the filters
	// specified in `discovery` (or if `discovery` is omitted).
	//
	// Deprecated: prefer StaticHosts instead.
	ADHosts []string `yaml:"hosts,omitempty"`
	// NonADHosts is a list of standalone Windows hosts that are not
	// jointed to an Active Directory domain.
	//
	// Deprecated: prefer StaticHosts instead.
	NonADHosts []string `yaml:"non_ad_hosts,omitempty"`
	// StaticHosts is a list of Windows hosts (both AD-connected and standalone).
	// User can specify name for each host and labels specific to it.
	StaticHosts []WindowsHost `yaml:"static_hosts,omitempty"`
	// HostLabels optionally applies labels to Windows hosts for RBAC.
	// A host can match multiple rules and will get a union of all
	// the matched labels.
	HostLabels []WindowsHostLabelRule `yaml:"host_labels,omitempty"`
}

type WindowsHost struct {
	// Name of the host
	Name string `yaml:"name"`
	// Address of the host, with an optional port.
	// 10.1.103.4 or 10.1.103.4:3389, for example.
	Address string `yaml:"addr"`
	// Labels is the set of labels to apply to this host
	Labels map[string]string `yaml:"labels"`
	// AD tells if host is part of Active Directory domain
	AD bool `yaml:"ad"`
}

type WindowsHostLabelRule struct {
	// Match is a regexp that is checked against the Windows host's DNS name.
	// If the regexp matches, this rule's labels will be applied to the host.
	Match string `yaml:"match"`
	// Labels is the set of labels to apply to hosts that match this rule.
	Labels map[string]string `yaml:"labels"`
}

type X11 struct {
	// Enabled controls whether X11 forwarding requests can be granted by the server.
	Enabled string `yaml:"enabled"`
	// DisplayOffset tells the server what X11 display number to start from when
	// searching for an open X11 unix socket for XServer proxies.
	DisplayOffset *uint `yaml:"display_offset,omitempty"`
	// MaxDisplay tells the server what X11 display number to stop at when
	// searching for an open X11 unix socket for XServer proxies.
	MaxDisplay *uint `yaml:"max_display,omitempty"`
}