config

type ACME struct {
	// EnabledFlag is whether ACME should be enabled
	EnabledFlag string `yaml:"enabled,omitempty"`
	// Email is the email that will receive problems with certificate renewals
	Email string `yaml:"email,omitempty"`
	// URI is ACME server URI
	URI string `yaml:"uri,omitempty"`
}

type AWSMatcher struct {
	// Types are AWS database types to match, "ec2", "rds", "redshift", "elasticache",
	// or "memorydb".
	Types []string `yaml:"types,omitempty"`
	// Regions are AWS regions to query for databases.
	Regions []string `yaml:"regions,omitempty"`
	// Tags are AWS tags to match.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// InstallParams sets the join method when installing on
	// discovered EC2 nodes
	InstallParams *InstallParams `yaml:"install,omitempty"`
	// SSM provides options to use when sending a document command to
	// an EC2 node
	SSM AWSSSM `yaml:"ssm,omitempty"`
}

type AWSSSM struct {
	// DocumentName is the name of the document to use when executing an
	// SSM command
	DocumentName string `yaml:"document_name,omitempty"`
}

type App struct {
	// Name of the application.
	Name string `yaml:"name"`

	// Description is an optional free-form app description.
	Description string `yaml:"description,omitempty"`

	// URI is the internal address of the application.
	URI string `yaml:"uri"`

	// Public address of the application. This is the address users will access
	// the application at.
	PublicAddr string `yaml:"public_addr"`

	// StaticLabels is a map of static labels to apply to this application.
	StaticLabels map[string]string `yaml:"labels,omitempty"`

	// DynamicLabels is a list of commands that generate dynamic labels
	// to apply to this application.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`

	// InsecureSkipVerify is used to skip validating the servers certificate.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`

	// Rewrite defines a block that is used to rewrite requests and responses.
	Rewrite *Rewrite `yaml:"rewrite,omitempty"`

	// AWS contains additional options for AWS applications.
	AWS *AppAWS `yaml:"aws,omitempty"`
}

type AppAWS struct {
	// ExternalID is the AWS External ID used when assuming roles in this app.
	ExternalID string `yaml:"external_id,omitempty"`
}

type Apps struct {
	// Service contains fields common to all services like "enabled" and
	// "listen_addr".
	Service `yaml:",inline"`

	// DebugApp turns on a header debugging application.
	DebugApp bool `yaml:"debug_app"`

	// Apps is a list of applications that will be run by this service.
	Apps []*App `yaml:"apps"`

	// ResourceMatchers match cluster application resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}

type Auth struct {
	Service `yaml:",inline"`

	// ProxyProtocol enables support for HAProxy proxy protocol version 1 when it is turned 'on'.
	// Verify whether the service is in front of a trusted load balancer.
	// The default value is 'on'.
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`

	// ClusterName is the name of the CA who manages this cluster
	ClusterName ClusterName `yaml:"cluster_name,omitempty"`

	// StaticTokens are pre-defined host provisioning tokens supplied via config file for
	// environments where paranoid security is not needed
	//
	// Each token string has the following format: "role1,role2,..:token",
	// for exmple: "auth,proxy,node:MTIzNGlvemRmOWE4MjNoaQo"
	StaticTokens StaticTokens `yaml:"tokens,omitempty"`

	// Authentication holds authentication configuration information like authentication
	// type, second factor type, specific connector information, etc.
	Authentication *AuthenticationConfig `yaml:"authentication,omitempty"`

	// SessionRecording determines where the session is recorded:
	// node, node-sync, proxy, proxy-sync, or off.
	SessionRecording string `yaml:"session_recording,omitempty"`

	// ProxyChecksHostKeys is used when the proxy is in recording mode and
	// determines if the proxy will check the host key of the client or not.
	ProxyChecksHostKeys *types.BoolOption `yaml:"proxy_checks_host_keys,omitempty"`

	// LicenseFile is a path to the license file. The path can be either absolute or
	// relative to the global data dir
	LicenseFile string `yaml:"license_file,omitempty"`

	// FOR INTERNAL USE:
	// ReverseTunnels is a list of SSH tunnels to 3rd party proxy services (used to talk
	// to 3rd party auth servers we trust)
	ReverseTunnels []ReverseTunnel `yaml:"reverse_tunnels,omitempty"`

	// PublicAddr sets SSH host principals and TLS DNS names to auth
	// server certificates
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// ClientIdleTimeout sets global cluster default setting for client idle timeouts
	ClientIdleTimeout types.Duration `yaml:"client_idle_timeout,omitempty"`

	// DisconnectExpiredCert provides disconnect expired certificate setting -
	// if true, connections with expired client certificates will get disconnected
	DisconnectExpiredCert *types.BoolOption `yaml:"disconnect_expired_cert,omitempty"`

	// SessionControlTimeout specifies the maximum amount of time a node can be out
	// of contact with the auth server before it starts terminating controlled sessions.
	SessionControlTimeout types.Duration `yaml:"session_control_timeout,omitempty"`

	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`

	// KeepAliveInterval set the keep-alive interval for server to client
	// connections.
	KeepAliveInterval types.Duration `yaml:"keep_alive_interval,omitempty"`

	// KeepAliveCountMax set the number of keep-alive messages that can be
	// missed before the server disconnects the client.
	KeepAliveCountMax int64 `yaml:"keep_alive_count_max,omitempty"`

	// ClientIdleTimeoutMessage is sent to the client when the inactivity timeout
	// expires. The empty string implies no message should be sent prior to
	// disconnection.
	ClientIdleTimeoutMessage string `yaml:"client_idle_timeout_message,omitempty"`

	// MessageOfTheDay is a banner that a user must acknowledge during a `tsh login`.
	MessageOfTheDay string `yaml:"message_of_the_day,omitempty"`

	// WebIdleTimeout sets global cluster default setting for WebUI client
	// idle timeouts
	WebIdleTimeout types.Duration `yaml:"web_idle_timeout,omitempty"`

	// CAKeyParams configures how CA private keys will be created and stored.
	CAKeyParams *CAKeyParams `yaml:"ca_key_params,omitempty"`

	// ProxyListenerMode is a listener mode user by the proxy.
	ProxyListenerMode types.ProxyListenerMode `yaml:"proxy_listener_mode,omitempty"`

	// RoutingStrategy configures the routing strategy to nodes.
	RoutingStrategy types.RoutingStrategy `yaml:"routing_strategy,omitempty"`

	// TunnelStrategy configures the tunnel strategy used by the cluster.
	TunnelStrategy *types.TunnelStrategyV1 `yaml:"tunnel_strategy,omitempty"`

	// ProxyPingInterval defines in which interval the TLS routing ping message
	// should be sent. This is applicable only when using ping-wrapped
	// connections, regular TLS routing connections are not affected.
	ProxyPingInterval types.Duration `yaml:"proxy_ping_interval,omitempty"`

	// LoadAllCAs tells tsh to load the CAs for all clusters when trying
	// to ssh into a node, instead of just the CA for the current cluster.
	LoadAllCAs bool `yaml:"load_all_cas,omitempty"`
}

type AuthenticationConfig struct {
	Type           string                     `yaml:"type"`
	SecondFactor   constants.SecondFactorType `yaml:"second_factor,omitempty"`
	ConnectorName  string                     `yaml:"connector_name,omitempty"`
	U2F            *UniversalSecondFactor     `yaml:"u2f,omitempty"`
	Webauthn       *Webauthn                  `yaml:"webauthn,omitempty"`
	RequireMFAType types.RequireMFAType       `yaml:"require_session_mfa,omitempty"`
	LockingMode    constants.LockingMode      `yaml:"locking_mode,omitempty"`

	// LocalAuth controls if local authentication is allowed.
	LocalAuth *types.BoolOption `yaml:"local_auth"`

	// Passwordless enables/disables passwordless support.
	// Requires Webauthn to work.
	// Defaults to true if the Webauthn is configured, defaults to false
	// otherwise.
	Passwordless *types.BoolOption `yaml:"passwordless"`
}

type AzureMatcher struct {
	// Subscriptions are Azure subscriptions to query for resources.
	Subscriptions []string `yaml:"subscriptions,omitempty"`
	// ResourceGroups are Azure resource groups to query for resources.
	ResourceGroups []string `yaml:"resource_groups,omitempty"`
	// Types are Azure types to match: "mysql", "postgres", "aks"
	Types []string `yaml:"types,omitempty"`
	// Regions are Azure locations to match for databases.
	Regions []string `yaml:"regions,omitempty"`
	// ResourceTags are Azure tags on resources to match.
	ResourceTags map[string]apiutils.Strings `yaml:"tags,omitempty"`
}

type BPF struct {
	// Enabled enables or disables enhanced session recording for this node.
	Enabled string `yaml:"enabled"`

	// CommandBufferSize is the size of the perf buffer for command events.
	CommandBufferSize *int `yaml:"command_buffer_size,omitempty"`

	// DiskBufferSize is the size of the perf buffer for disk events.
	DiskBufferSize *int `yaml:"disk_buffer_size,omitempty"`

	// NetworkBufferSize is the size of the perf buffer for network events.
	NetworkBufferSize *int `yaml:"network_buffer_size,omitempty"`

	// CgroupPath controls where cgroupv2 hierarchy is mounted.
	CgroupPath string `yaml:"cgroup_path"`
}

type CAKeyParams struct {
	// PKCS11 configures a PKCS#11 HSM to be used for all CA private key generation and
	// storage.
	PKCS11 *PKCS11 `yaml:"pkcs11,omitempty"`
	// GoogleCloudKMS configures Google Cloud Key Management Service to to be used for
	// all CA private key crypto operations.
	GoogleCloudKMS *GoogleCloudKMS `yaml:"gcp_kms,omitempty"`
}

type CachePolicy struct {
	// Type is for cache type `sqlite` or `in-memory`
	Type string `yaml:"type,omitempty"`
	// EnabledFlag enables or disables cache
	EnabledFlag string `yaml:"enabled,omitempty"`
	// TTL sets maximum TTL for the cached values
	TTL string `yaml:"ttl,omitempty"`
}

type ClaimMapping struct {
	// Claim is OIDC claim name
	Claim string `yaml:"claim"`
	// Value is claim value to match
	Value string `yaml:"value"`
	// Roles is a list of teleport roles to match
	Roles []string `yaml:"roles,omitempty"`
}

type ClusterName string

type CommandLabel struct {
	Name    string        `yaml:"name"`
	Command []string      `yaml:"command,flow"`
	Period  time.Duration `yaml:"period"`
}

type CommandLineFlags struct {
	// --name flag
	NodeName string
	// --auth-server flag
	AuthServerAddr []string
	// --token flag
	AuthToken string
	// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// --listen-ip flag
	ListenIP net.IP
	// --advertise-ip flag
	AdvertiseIP string
	// --config flag
	ConfigFile string
	// Bootstrap flag contains a YAML file that defines a set of resources to bootstrap
	// a cluster.
	BootstrapFile string
	// ConfigString is a base64 encoded configuration string
	// set by --config-string or TELEPORT_CONFIG environment variable
	ConfigString string
	// --roles flag
	Roles string
	// -d flag
	Debug bool

	// --insecure-no-tls flag
	DisableTLS bool

	// --labels flag
	Labels string
	// --pid-file flag
	PIDFile string
	// DiagnosticAddr is listen address for diagnostic endpoint
	DiagnosticAddr string
	// PermitUserEnvironment enables reading of ~/.tsh/environment
	// when creating a new session.
	PermitUserEnvironment bool

	// Insecure mode is controlled by --insecure flag and in this mode
	// Teleport won't check certificates when connecting to trusted clusters
	// It's useful for learning Teleport (following quick starts, etc).
	InsecureMode bool

	// FIPS mode means Teleport starts in a FedRAMP/FIPS 140-2 compliant
	// configuration.
	FIPS bool

	// SkipVersionCheck allows Teleport to connect to auth servers that
	// have an earlier major version number.
	SkipVersionCheck bool

	// AppName is the name of the application to proxy.
	AppName string

	// AppURI is the internal address of the application to proxy.
	AppURI string

	// AppPublicAddr is the public address of the application to proxy.
	AppPublicAddr string

	// DatabaseName is the name of the database to proxy.
	DatabaseName string
	// DatabaseDescription is a free-form database description.
	DatabaseDescription string
	// DatabaseProtocol is the type of the proxied database e.g. postgres or mysql.
	DatabaseProtocol string
	// DatabaseURI is the address to connect to the proxied database.
	DatabaseURI string
	// DatabaseCACertFile is the database CA cert path.
	DatabaseCACertFile string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSAccountID is an optional AWS account ID e.g. when using Keyspaces.
	DatabaseAWSAccountID string
	// DatabaseAWSRedshiftClusterID is Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseAWSRDSInstanceID is RDS instance identifier.
	DatabaseAWSRDSInstanceID string
	// DatabaseAWSRDSClusterID is RDS cluster (Aurora) cluster identifier.
	DatabaseAWSRDSClusterID string
	// DatabaseGCPProjectID is GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseADKeytabFile is the path to Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseADKrb5File is the path to krb5.conf file.
	DatabaseADKrb5File string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseMySQLServerVersion is the MySQL server version reported to a client
	// if the value cannot be obtained from the database.
	DatabaseMySQLServerVersion string
}

type ConnectionLimits struct {
	MaxConnections int64            `yaml:"max_connections"`
	MaxUsers       int              `yaml:"max_users"`
	Rates          []ConnectionRate `yaml:"rates,omitempty"`
}

type ConnectionRate struct {
	Period  time.Duration `yaml:"period"`
	Average int64         `yaml:"average"`
	Burst   int64         `yaml:"burst"`
}

type Database struct {
	// Name is the name for the database proxy service.
	Name string `yaml:"name"`
	// Description is an optional free-form database description.
	Description string `yaml:"description,omitempty"`
	// Protocol is the database type e.g. postgres, mysql, etc.
	Protocol string `yaml:"protocol"`
	// URI is the database address to connect to.
	URI string `yaml:"uri"`
	// CACertFile is an optional path to the database CA certificate.
	// Deprecated in favor of TLS.CACertFile.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
	// TLS keeps an optional TLS configuration options.
	TLS DatabaseTLS `yaml:"tls"`
	// MySQL are additional database options.
	MySQL DatabaseMySQL `yaml:"mysql"`
	// StaticLabels is a map of database static labels.
	StaticLabels map[string]string `yaml:"static_labels,omitempty"`
	// DynamicLabels is a list of database dynamic labels.
	DynamicLabels []CommandLabel `yaml:"dynamic_labels,omitempty"`
	// AWS contains AWS specific settings for RDS/Aurora/Redshift databases.
	AWS DatabaseAWS `yaml:"aws"`
	// GCP contains GCP specific settings for Cloud SQL databases.
	GCP DatabaseGCP `yaml:"gcp"`
	// AD contains Active Directory database configuration.
	AD DatabaseAD `yaml:"ad"`
	// Azure contains Azure database configuration.
	Azure DatabaseAzure `yaml:"azure"`
}

type DatabaseAD struct {
	// KeytabFile is the path to the Kerberos keytab file.
	KeytabFile string `yaml:"keytab_file"`
	// Krb5File is the path to the Kerberos configuration file. Defaults to /etc/krb5.conf.
	Krb5File string `yaml:"krb5_file,omitempty"`
	// Domain is the Active Directory domain the database resides in.
	Domain string `yaml:"domain"`
	// SPN is the service principal name for the database.
	SPN string `yaml:"spn"`
}

type DatabaseAWS struct {
	// Region is a cloud region for RDS/Aurora database endpoint.
	Region string `yaml:"region,omitempty"`
	// Redshift contains Redshift specific settings.
	Redshift DatabaseAWSRedshift `yaml:"redshift"`
	// RDS contains RDS specific settings.
	RDS DatabaseAWSRDS `yaml:"rds"`
	// ElastiCache contains ElastiCache specific settings.
	ElastiCache DatabaseAWSElastiCache `yaml:"elasticache"`
	// SecretStore contains settings for managing secrets.
	SecretStore SecretStore `yaml:"secret_store"`
	// MemoryDB contains MemoryDB specific settings.
	MemoryDB DatabaseAWSMemoryDB `yaml:"memorydb"`
	// AccountID is the AWS account ID.
	AccountID string `yaml:"account_id,omitempty"`
}

type DatabaseAWSElastiCache struct {
	// ReplicationGroupID is the ElastiCache replication group ID.
	ReplicationGroupID string `yaml:"replication_group_id,omitempty"`
}

type DatabaseAWSMemoryDB struct {
	// ClusterName is the MemoryDB cluster name.
	ClusterName string `yaml:"cluster_name,omitempty"`
}

type DatabaseAWSRDS struct {
	// InstanceID is the RDS instance identifier.
	InstanceID string `yaml:"instance_id,omitempty"`
	// ClusterID is the RDS cluster (Aurora) identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}

type DatabaseAWSRedshift struct {
	// ClusterID is the Redshift cluster identifier.
	ClusterID string `yaml:"cluster_id,omitempty"`
}

type DatabaseAzure struct {
	// ResourceID is the Azure fully qualified ID for the resource.
	ResourceID string `yaml:"resource_id,omitempty"`
}

type DatabaseGCP struct {
	// ProjectID is the GCP project ID where the database is deployed.
	ProjectID string `yaml:"project_id,omitempty"`
	// InstanceID is the Cloud SQL database instance ID.
	InstanceID string `yaml:"instance_id,omitempty"`
}

type DatabaseMySQL struct {
	// ServerVersion is the MySQL version reported by DB proxy instead of default Teleport string.
	ServerVersion string `yaml:"server_version,omitempty"`
}

type DatabaseSampleFlags struct {
	// StaticDatabaseName static database name provided by the user.
	StaticDatabaseName string
	// StaticDatabaseProtocol static databse protocol provided by the user.
	StaticDatabaseProtocol string
	// StaticDatabaseURI static database URI provided by the user.
	StaticDatabaseURI string
	// StaticDatabaseStaticLabels list of database static labels provided by
	// the user.
	StaticDatabaseStaticLabels map[string]string
	// StaticDatabaseDynamicLabels list of database dynamic labels provided by
	// the user.`
	StaticDatabaseDynamicLabels services.CommandLabels
	// StaticDatabaseRawLabels "raw" list of database labels provided by the
	// user.
	StaticDatabaseRawLabels string
	// NodeName `nodename` configuration.
	NodeName string
	// DataDir `data_dir` configuration.
	DataDir string
	// ProxyServer is the address of the proxy servers
	ProxyServer string
	// AuthToken auth server token.
	AuthToken string
	// CAPins are the SKPI hashes of the CAs used to verify the Auth Server.
	CAPins []string
	// AzureMySQLDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover MySQL servers in.
	AzureMySQLDiscoveryRegions []string
	// AzurePostgresDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Postgres servers in.
	AzurePostgresDiscoveryRegions []string
	// AzureRedisDiscoveryRegions is a list of regions Azure auto-discovery is
	// configured to discover Azure Cache for Redis servers in.
	AzureRedisDiscoveryRegions []string
	// RDSDiscoveryRegions is a list of regions the RDS auto-discovery is
	// configured.
	RDSDiscoveryRegions []string
	// RDSProxyDiscoveryRegions is a list of regions the RDS Proxy
	// auto-discovery is configured.
	RDSProxyDiscoveryRegions []string
	// RedshiftDiscoveryRegions is a list of regions the Redshift
	// auto-discovery is configured.
	RedshiftDiscoveryRegions []string
	// ElastiCacheDiscoveryRegions is a list of regions the ElastiCache
	// auto-discovery is configured.
	ElastiCacheDiscoveryRegions []string
	// MemoryDBDiscoveryRegions is a list of regions the MemoryDB
	// auto-discovery is configured.
	MemoryDBDiscoveryRegions []string
	// DatabaseProtocols is a list of database protocols supported.
	DatabaseProtocols []string
	// DatabaseAWSRegion is an optional database cloud region e.g. when using AWS RDS.
	DatabaseAWSRegion string
	// DatabaseAWSRedshiftClusterID is Redshift cluster identifier.
	DatabaseAWSRedshiftClusterID string
	// DatabaseADDomain is the Active Directory domain for authentication.
	DatabaseADDomain string
	// DatabaseADSPN is the database Service Principal Name.
	DatabaseADSPN string
	// DatabaseADKeytabFile is the path to Kerberos keytab file.
	DatabaseADKeytabFile string
	// DatabaseGCPProjectID is GCP Cloud SQL project identifier.
	DatabaseGCPProjectID string
	// DatabaseGCPInstanceID is GCP Cloud SQL instance identifier.
	DatabaseGCPInstanceID string
	// DatabaseCACertFile is the database CA cert path.
	DatabaseCACertFile string
	// DatabaseAzureSubscriptions is a list of Azure subscriptions.
	DatabaseAzureSubscriptions []string
	// DatabaseAzureResourceGroups is a list of Azure resource groups.
	DatabaseAzureResourceGroups []string
}

type DatabaseTLS struct {
	// Mode is a TLS verification mode. Available options are 'verify-full', 'verify-ca' or 'insecure',
	// 'verify-full' is the default option.
	Mode string `yaml:"mode"`
	// ServerName allows providing custom server name.
	// This name will override DNS name when validating certificate presented by the database.
	ServerName string `yaml:"server_name,omitempty"`
	// CACertFile is an optional path to the database CA certificate.
	CACertFile string `yaml:"ca_cert_file,omitempty"`
}

type Databases struct {
	// Service contains common service fields.
	Service `yaml:",inline"`
	// Databases is a list of databases proxied by the service.
	Databases []*Database `yaml:"databases"`
	// ResourceMatchers match cluster database resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
	// AWSMatchers match AWS hosted databases.
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`
	// AzureMatchers match Azure hosted databases.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`
}

type Discovery struct {
	Service `yaml:",inline"`

	// AWSMatchers are used to match EC2 instances
	AWSMatchers []AWSMatcher `yaml:"aws,omitempty"`

	// AzureMatchers are used to match Azure resources.
	AzureMatchers []AzureMatcher `yaml:"azure,omitempty"`

	// GCPMatchers are used to match GCP resources.
	GCPMatchers []GCPMatcher `yaml:"gcp,omitempty"`
}

type FileConfig struct {
	Version string `yaml:"version,omitempty"`
	Global  `yaml:"teleport,omitempty"`
	Auth    Auth  `yaml:"auth_service,omitempty"`
	SSH     SSH   `yaml:"ssh_service,omitempty"`
	Proxy   Proxy `yaml:"proxy_service,omitempty"`
	Kube    Kube  `yaml:"kubernetes_service,omitempty"`

	// Apps is the "app_service" section in Teleport file configuration which
	// defines application access configuration.
	Apps Apps `yaml:"app_service,omitempty"`

	// Databases is the "db_service" section in Teleport configuration file
	// that defines database access configuration.
	Databases Databases `yaml:"db_service,omitempty"`

	// Metrics is the "metrics_service" section in Teleport configuration file
	// that defines the metrics service configuration
	Metrics Metrics `yaml:"metrics_service,omitempty"`

	// WindowsDesktop is the "windows_desktop_service" that defines the
	// configuration for Windows Desktop Access.
	WindowsDesktop WindowsDesktopService `yaml:"windows_desktop_service,omitempty"`

	// Tracing is the "tracing_service" section in Teleport configuration file
	Tracing TracingService `yaml:"tracing_service,omitempty"`

	// Discovery is the "discovery_service" section in the Teleport
	// configuration file
	Discovery Discovery `yaml:"discovery_service,omitempty"`
}

type GCPMatcher struct {
	// Types are GKE resource types to match: "gke".
	Types []string `yaml:"types,omitempty"`
	// Locations are GKE locations to search resources for.
	Locations []string `yaml:"locations,omitempty"`
	// Tags are GCP labels to match.
	Tags map[string]apiutils.Strings `yaml:"tags,omitempty"`
	// ProjectIDs are the GCP project ID where the resources are deployed.
	ProjectIDs []string `yaml:"project_ids,omitempty"`
}

type Global struct {
	NodeName string `yaml:"nodename,omitempty"`
	DataDir  string `yaml:"data_dir,omitempty"`
	PIDFile  string `yaml:"pid_file,omitempty"`

	JoinParams JoinParams `yaml:"join_params,omitempty"`

	// v1, v2
	AuthServers []string `yaml:"auth_servers,omitempty"`
	// AuthToken is the old way of configuring the token to be used by the
	// node to join the Teleport cluster. `JoinParams.TokenName` should be
	// used instead with `JoinParams.JoinMethod = types.JoinMethodToken`.
	AuthToken string `yaml:"auth_token,omitempty"`

	// v3
	AuthServer  string `yaml:"auth_server,omitempty"`
	ProxyServer string `yaml:"proxy_server,omitempty"`

	Limits      ConnectionLimits `yaml:"connection_limits,omitempty"`
	Logger      Log              `yaml:"log,omitempty"`
	Storage     backend.Config   `yaml:"storage,omitempty"`
	AdvertiseIP string           `yaml:"advertise_ip,omitempty"`
	CachePolicy CachePolicy      `yaml:"cache,omitempty"`

	// CipherSuites is a list of TLS ciphersuites that Teleport supports. If
	// omitted, a Teleport selected list of defaults will be used.
	CipherSuites []string `yaml:"ciphersuites,omitempty"`

	// Ciphers is a list of SSH ciphers that the server supports. If omitted,
	// the defaults will be used.
	Ciphers []string `yaml:"ciphers,omitempty"`

	// KEXAlgorithms is a list of SSH key exchange (KEX) algorithms that the
	// server supports. If omitted, the defaults will be used.
	KEXAlgorithms []string `yaml:"kex_algos,omitempty"`

	// MACAlgorithms is a list of SSH message authentication codes (MAC) that
	// the server supports. If omitted the defaults will be used.
	MACAlgorithms []string `yaml:"mac_algos,omitempty"`

	// CASignatureAlgorithm is ignored but ketp for config backwards compat
	CASignatureAlgorithm *string `yaml:"ca_signature_algo,omitempty"`

	// CAPin is the SKPI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list.
	CAPin apiutils.Strings `yaml:"ca_pin"`

	// DiagAddr is the address to expose a diagnostics HTTP endpoint.
	DiagAddr string `yaml:"diag_addr"`
}

type GoogleCloudKMS struct {
	// KeyRing is the GCP key ring where all keys generated by this auth server
	// should be held. This must be the fully qualified resource name of the key
	// ring, including the project and location, e.g.
	// projects/teleport-project/locations/us-west1/keyRings/teleport-keyring
	KeyRing string `yaml:"keyring"`
	// ProtectionLevel specifies how cryptographic operations are performed.
	// For more information, see https://cloud.google.com/kms/docs/algorithms#protection_levels
	// Supported options are "HSM" and "SOFTWARE".
	ProtectionLevel string `yaml:"protection_level"`
}

type InstallParams struct {
	// JoinParams sets the token and method to use when generating
	// config on EC2 instances
	JoinParams JoinParams `yaml:"join_params,omitempty"`
	// ScriptName is the name of the teleport installer script
	// resource for the EC2 instance to execute
	ScriptName string `yaml:"script_name,omitempty"`
}

type JoinParams struct {
	TokenName string           `yaml:"token_name"`
	Method    types.JoinMethod `yaml:"method"`
}

type KeyPair struct {
	// PrivateKey is the path on disk to a PEM encoded private key,
	PrivateKey string `yaml:"key_file"`
	// Certificate is the path on disk to a PEM encoded x509 certificate.
	Certificate string `yaml:"cert_file"`
}

type Kube struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes service
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// KubeClusterName is the name of a kubernetes cluster this service is
	// running in. If set, this proxy will handle kubernetes requests for the
	// cluster.
	KubeClusterName string `yaml:"kube_cluster_name,omitempty"`
	// StaticLabels are the static labels for RBAC on kubernetes clusters.
	StaticLabels map[string]string `yaml:"labels,omitempty"`
	// DynamicLabels are the dynamic labels for RBAC on kubernetes clusters.
	DynamicLabels []CommandLabel `yaml:"commands,omitempty"`
	// ResourceMatchers match cluster kube_cluster resources.
	ResourceMatchers []ResourceMatcher `yaml:"resources,omitempty"`
}

type KubeProxy struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`
	// PublicAddr is a publicly advertised address of the kubernetes proxy
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// KubeconfigFile is an optional path to kubeconfig file,
	// if specified, teleport will use API server address and
	// trusted certificate authority information from it
	KubeconfigFile string `yaml:"kubeconfig_file,omitempty"`
	// ClusterName is the name of a kubernetes cluster this proxy is running
	// in. If set, this proxy will handle kubernetes requests for the cluster.
	ClusterName string `yaml:"cluster_name,omitempty"`
}

type LDAPConfig struct {
	// Addr is the host:port of the LDAP server (typically port 389).
	Addr string `yaml:"addr"`
	// Domain is the ActiveDirectory domain name.
	Domain string `yaml:"domain"`
	// Username for LDAP authentication.
	Username string `yaml:"username"`
	// InsecureSkipVerify decides whether whether we skip verifying with the LDAP server's CA when making the LDAPS connection.
	InsecureSkipVerify bool `yaml:"insecure_skip_verify"`
	// ServerName is the name of the LDAP server for TLS.
	ServerName string `yaml:"server_name,omitempty"`
	// DEREncodedCAFile is the filepath to an optional DER encoded CA cert to be used for verification (if InsecureSkipVerify is set to false).
	DEREncodedCAFile string `yaml:"der_ca_file,omitempty"`
	// PEMEncodedCACert is an optional PEM encoded CA cert to be used for verification (if InsecureSkipVerify is set to false).
	PEMEncodedCACert string `yaml:"ldap_ca_cert,omitempty"`
}

type LegacyLog struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn"
	Severity string `yaml:"severity,omitempty"`
	// Format lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	Format []string `yaml:"format,omitempty"`
}

type Log struct {
	// Output defines where logs go. It can be one of the following: "stderr", "stdout" or
	// a path to a log file
	Output string `yaml:"output,omitempty"`
	// Severity defines how verbose the log will be. Possible values are "error", "info", "warn"
	Severity string `yaml:"severity,omitempty"`
	// Format defines the logs output format and extra fields
	Format LogFormat `yaml:"format,omitempty"`
}

type LogFormat struct {
	// Output defines the output format. Possible values are 'text' and 'json'.
	Output string `yaml:"output,omitempty"`
	// ExtraFields lists the output fields from KnownFormatFields. Example format: [timestamp, component, caller]
	ExtraFields []string `yaml:"extra_fields,omitempty"`
}

type Metrics struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`

	// KeyPairs is a list of x509 serving key pairs used for securing the metrics endpoint with mTLS.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`

	// CACerts is a list of prometheus CA certificates to validate clients against.
	// mTLS will be enabled for the service if both 'keypairs' and 'ca_certs' fields are set.
	CACerts []string `yaml:"ca_certs,omitempty"`

	// GRPCServerLatency enables histogram metrics for each grpc endpoint on the auth server
	GRPCServerLatency bool `yaml:"grpc_server_latency,omitempty"`

	// GRPCServerLatency enables histogram metrics for each grpc endpoint on the auth server
	GRPCClientLatency bool `yaml:"grpc_client_latency,omitempty"`
}

type PAM struct {
	// Enabled controls if PAM will be used or not.
	Enabled string `yaml:"enabled"`

	// ServiceName is the name of the PAM policy to apply.
	ServiceName string `yaml:"service_name"`

	// UsePAMAuth specifies whether to trigger the "auth" PAM modules from the
	// policy.
	UsePAMAuth bool `yaml:"use_pam_auth"`

	// Environment represents environment variables to pass to PAM.
	// These may contain role-style interpolation syntax.
	Environment map[string]string `yaml:"environment,omitempty"`
}

type PKCS11 struct {
	// ModulePath is the path to the PKCS#11 library.
	ModulePath string `yaml:"module_path"`
	// TokenLabel is the CKA_LABEL of the HSM token to use. Set this or
	// SlotNumber to select a token.
	TokenLabel string `yaml:"token_label,omitempty"`
	// SlotNumber is the slot number of the HSM token to use. Set this or
	// TokenLabel to select a token.
	SlotNumber *int `yaml:"slot_number,omitempty"`
	// Pin is the raw pin for connecting to the HSM. Set this or PinPath to set
	// the pin.
	Pin string `yaml:"pin,omitempty"`
	// PinPath is a path to a file containing a pin for connecting to the HSM.
	// Trailing newlines will be removed, other whitespace will be left. Set
	// this or Pin to set the pin.
	PinPath string `yaml:"pin_path,omitempty"`
}

type Proxy struct {
	// Service is a generic service configuration section
	Service `yaml:",inline"`
	// WebAddr is a web UI listen address
	WebAddr string `yaml:"web_listen_addr,omitempty"`
	// TunAddr is a reverse tunnel address
	TunAddr string `yaml:"tunnel_listen_addr,omitempty"`
	// PeerAddr is the address this proxy will be dialed at by its peers.
	PeerAddr string `yaml:"peer_listen_addr,omitempty"`
	// PeerPublicAddr is the hostport the proxy advertises for peer proxy
	// client connections.
	PeerPublicAddr string `yaml:"peer_public_addr,omitempty"`
	// KeyFile is a TLS key file
	KeyFile string `yaml:"https_key_file,omitempty"`
	// CertFile is a TLS Certificate file
	CertFile string `yaml:"https_cert_file,omitempty"`
	// ProxyProtocol turns on support for HAProxy proxy protocol
	// this is the option that has be turned on only by administrator,
	// as only admin knows whether service is in front of trusted load balancer
	// or not.
	ProxyProtocol string `yaml:"proxy_protocol,omitempty"`
	// KubeProxy configures kubernetes protocol support of the proxy
	Kube KubeProxy `yaml:"kubernetes,omitempty"`
	// KubeAddr is a shorthand for enabling the Kubernetes endpoint without a
	// local Kubernetes cluster.
	KubeAddr string `yaml:"kube_listen_addr,omitempty"`
	// KubePublicAddr is a public address of the kubernetes endpoint.
	KubePublicAddr apiutils.Strings `yaml:"kube_public_addr,omitempty"`

	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	// The hosts in PublicAddr are included in the list of host principals
	// on the SSH certificate.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// SSHPublicAddr sets the hostport the proxy advertises for the SSH endpoint.
	// The hosts in PublicAddr are included in the list of host principals
	// on the SSH certificate.
	SSHPublicAddr apiutils.Strings `yaml:"ssh_public_addr,omitempty"`

	// TunnelPublicAddr sets the hostport the proxy advertises for the tunnel
	// endpoint. The hosts in PublicAddr are included in the list of host
	// principals on the SSH certificate.
	TunnelPublicAddr apiutils.Strings `yaml:"tunnel_public_addr,omitempty"`

	// KeyPairs is a list of x509 key pairs the proxy will load.
	KeyPairs []KeyPair `yaml:"https_keypairs"`

	// ACME configures ACME protocol support
	ACME ACME `yaml:"acme"`

	// MySQLAddr is MySQL proxy listen address.
	MySQLAddr string `yaml:"mysql_listen_addr,omitempty"`
	// MySQLPublicAddr is the hostport the proxy advertises for MySQL
	// client connections.
	MySQLPublicAddr apiutils.Strings `yaml:"mysql_public_addr,omitempty"`

	// PostgresAddr is Postgres proxy listen address.
	PostgresAddr string `yaml:"postgres_listen_addr,omitempty"`
	// PostgresPublicAddr is the hostport the proxy advertises for Postgres
	// client connections.
	PostgresPublicAddr apiutils.Strings `yaml:"postgres_public_addr,omitempty"`

	// MongoAddr is Mongo proxy listen address.
	MongoAddr string `yaml:"mongo_listen_addr,omitempty"`
	// MongoPublicAddr is the hostport the proxy advertises for Mongo
	// client connections.
	MongoPublicAddr apiutils.Strings `yaml:"mongo_public_addr,omitempty"`
}

type ResourceMatcher struct {
	// Labels match resource labels.
	Labels map[string]apiutils.Strings `yaml:"labels,omitempty"`
}

type RestrictedSession struct {
	// Enabled enables or disables enforcemant for this node.
	Enabled string `yaml:"enabled"`

	// EventsBufferSize is the size in bytes of the channel to report events
	// from the kernel to us.
	EventsBufferSize *int `yaml:"events_buffer_size,omitempty"`
}

type ReverseTunnel struct {
	DomainName string   `yaml:"domain_name"`
	Addresses  []string `yaml:"addresses"`
}

type Rewrite struct {
	// Redirect is a list of hosts that should be rewritten to the public address.
	Redirect []string `yaml:"redirect"`
	// Headers is a list of extra headers to inject in the request.
	Headers []string `yaml:"headers,omitempty"`
}

type SSH struct {
	Service               `yaml:",inline"`
	Namespace             string            `yaml:"namespace,omitempty"`
	Labels                map[string]string `yaml:"labels,omitempty"`
	Commands              []CommandLabel    `yaml:"commands,omitempty"`
	PermitUserEnvironment bool              `yaml:"permit_user_env,omitempty"`
	PAM                   *PAM              `yaml:"pam,omitempty"`
	// PublicAddr sets SSH host principals for SSH service
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`

	// BPF is used to configure BPF-based auditing for this node.
	BPF *BPF `yaml:"enhanced_recording,omitempty"`

	// RestrictedSession is used to restrict access to kernel objects
	RestrictedSession *RestrictedSession `yaml:"restricted_session,omitempty"`

	// MaybeAllowTCPForwarding enables or disables TCP port forwarding. We're
	// using a pointer-to-bool here because the system default is to allow TCP
	// forwarding, we need to distinguish between an unset value and a false
	// value so we can an override unset value with `true`.
	//
	// Don't read this value directly: call the AllowTCPForwarding method
	// instead.
	MaybeAllowTCPForwarding *bool `yaml:"port_forwarding,omitempty"`

	// X11 is used to configure X11 forwarding settings
	X11 *X11 `yaml:"x11,omitempty"`

	// MaybeSSHFileCopy enables or disables remote file operations via SCP/SFTP.
	// We're using a pointer-to-bool here because the system default is to allow
	// SCP/SFTP, we need to distinguish between an unset value and a false
	// value so we can an override unset value with `true`.
	//
	// Don't read this value directly: call the SSHFileCopy method
	// instead.
	MaybeSSHFileCopy *bool `yaml:"ssh_file_copy,omitempty"`

	// DisableCreateHostUser disables automatic user provisioning on this
	// SSH node.
	DisableCreateHostUser bool `yaml:"disable_create_host_user,omitempty"`
}

type SampleFlags struct {
	// ClusterName is an optional cluster name
	ClusterName string
	// LicensePath adds license path to config
	LicensePath string
	// ACMEEmail is acme email
	ACMEEmail string
	// ACMEEnabled turns on ACME
	ACMEEnabled bool
	// Version is the Teleport Configuration version.
	Version string
	// PublicAddr sets the hostport the proxy advertises for the HTTP endpoint.
	PublicAddr string
	// KeyFile is a TLS key file
	KeyFile string
	// CertFile is a TLS Certificate file
	CertFile string
	// DataDir is a path to a directory where Teleport keep its data
	DataDir string
	// AuthToken is a token to register with an auth server
	AuthToken string
	// Roles is a list of comma-separated roles to create a config file with
	Roles string
	// AuthServer is the address of the auth server
	AuthServer string
	// ProxyAddress is the address of the proxy
	ProxyAddress string
	// AppName is the name of the application to start
	AppName string
	// AppURI is the internal address of the application to proxy
	AppURI string
	// NodeLabels is list of labels in the format `foo=bar,baz=bax` to add to newly created nodes.
	NodeLabels string
	// CAPin is the SKPI hash of the CA used to verify the Auth Server. Can be
	// a single value or a list.
	CAPin string
	// JoinMethod is the method that will be used to join the cluster, either "token", "iam" or "ec2"
	JoinMethod string
	// NodeName is the name of the teleport node
	NodeName string
}

type SecretStore struct {
	// KeyPrefix specifies the secret key prefix.
	KeyPrefix string `yaml:"key_prefix,omitempty"`
	// KMSKeyID specifies the KMS key used to encrypt and decrypt the secret.
	KMSKeyID string `yaml:"kms_key_id,omitempty"`
}

type Service struct {
	EnabledFlag   string `yaml:"enabled,omitempty"`
	ListenAddress string `yaml:"listen_addr,omitempty"`
	// contains filtered or unexported fields
}

type StaticToken string

type StaticTokens []StaticToken

type SystemdFlags struct {
	// EnvironmentFile is the environment file path provided by the user.
	EnvironmentFile string
	// PIDFile is the process ID (PID) file path provided by the user.
	PIDFile string
	// FileDescriptorLimit is the maximum number of open file descriptors provided by the user.
	FileDescriptorLimit int
	// TeleportInstallationFile is the teleport installation path provided by the user.
	TeleportInstallationFile string
}

type TracingService struct {
	// Enabled turns the tracing service role on or off for this process
	EnabledFlag string `yaml:"enabled,omitempty"`

	// ExporterURL is the OTLP exporter URL to send spans to
	ExporterURL string `yaml:"exporter_url"`

	// KeyPairs is a list of x509 serving key pairs used for mTLS.
	KeyPairs []KeyPair `yaml:"keypairs,omitempty"`

	// CACerts are the exporter ca certs to use
	CACerts []string `yaml:"ca_certs,omitempty"`

	// SamplingRatePerMillion is the sampling rate for the exporter.
	// 1_000_000 means all spans will be sampled and 0 means none are sampled.
	SamplingRatePerMillion int `yaml:"sampling_rate_per_million"`
}

type TrustedCluster struct {
	// KeyFile is a path to a remote authority (AKA "trusted cluster") public keys
	KeyFile string `yaml:"key_file,omitempty"`
	// AllowedLogins is a comma-separated list of user logins allowed from that cluster
	AllowedLogins string `yaml:"allow_logins,omitempty"`
	// TunnelAddr is a comma-separated list of reverse tunnel addresses to
	// connect to
	TunnelAddr string `yaml:"tunnel_addr,omitempty"`
}

type UniversalSecondFactor struct {
	AppID string `yaml:"app_id"`
	// Facets kept only to avoid breakages during Teleport updates.
	// Webauthn is now used instead of U2F.
	Facets               []string `yaml:"facets"`
	DeviceAttestationCAs []string `yaml:"device_attestation_cas"`
}

type Webauthn struct {
	RPID                  string   `yaml:"rp_id,omitempty"`
	AttestationAllowedCAs []string `yaml:"attestation_allowed_cas,omitempty"`
	AttestationDeniedCAs  []string `yaml:"attestation_denied_cas,omitempty"`
	// Deprecated: Disabled has no effect, it is kept solely to not break existing
	// configurations.
	Disabled bool `yaml:"disabled,omitempty"`
}

type WindowsDesktopService struct {
	Service `yaml:",inline"`
	// Labels are the configured windows deesktops service labels.
	Labels map[string]string `yaml:"labels,omitempty"`
	// PublicAddr is a list of advertised public addresses of this service.
	PublicAddr apiutils.Strings `yaml:"public_addr,omitempty"`
	// LDAP is the LDAP connection parameters.
	LDAP LDAPConfig `yaml:"ldap"`
	// Discovery configures desktop discovery via LDAP.
	Discovery service.LDAPDiscoveryConfig `yaml:"discovery,omitempty"`
	// Hosts is a list of static Windows hosts connected to this service in
	// gateway mode.
	Hosts []string `yaml:"hosts,omitempty"`
	// HostLabels optionally applies labels to Windows hosts for RBAC.
	// A host can match multiple rules and will get a union of all
	// the matched labels.
	HostLabels []WindowsHostLabelRule `yaml:"host_labels,omitempty"`
}

type WindowsHostLabelRule struct {
	// Match is a regexp that is checked against the Windows host's DNS name.
	// If the regexp matches, this rule's labels will be applied to the host.
	Match string `yaml:"match"`
	// Labels is the set of labels to apply to hosts that match this rule.
	Labels map[string]string `yaml:"labels"`
}

type X11 struct {
	// Enabled controls whether X11 forwarding requests can be granted by the server.
	Enabled string `yaml:"enabled"`
	// DisplayOffset tells the server what X11 display number to start from when
	// searching for an open X11 unix socket for XServer proxies.
	DisplayOffset *uint `yaml:"display_offset,omitempty"`
	// MaxDisplay tells the server what X11 display number to stop at when
	// searching for an open X11 unix socket for XServer proxies.
	MaxDisplay *uint `yaml:"max_display,omitempty"`
}