Overview ¶
Package v1beta1 contains API Schema definitions for the headscale v1beta1 API group.
+kubebuilder:object:generate=true
+groupName=headscale.infrado.cloud
Index ¶
- Variables
- type ACLPolicyConfig
- type APIKeyConfig
- type AutoApproverRoute
- type DERPConfig
- type DERPServerConfig
- type DNSConfig
- type DNSExtraRecord
- type DNSNameserversConfig
- type DatabaseConfig
- type GormConfig
- type Headscale
- type HeadscaleAutoApprover
- type HeadscaleAutoApproverList
- type HeadscaleAutoApproverSpec
- type HeadscaleAutoApproverStatus
- type HeadscaleConfig
- type HeadscaleList
- type HeadscalePreAuthKey
- type HeadscalePreAuthKeyList
- type HeadscalePreAuthKeySpec
- type HeadscalePreAuthKeyStatus
- type HeadscaleSpec
- type HeadscaleStatus
- type HeadscaleUser
- type HeadscaleUserList
- type HeadscaleUserSpec
- type HeadscaleUserStatus
- type LogConfig
- type LogTailConfig
- type NoiseConfig
- type OIDCConfig
- type PKCEConfig
- type PersistentVolumeClaimConfig
- type PolicyConfig
- type PostgresConfig
- type PrefixesConfig
- type SqliteConfig
- type TLSConfig
- type TaildropConfig
- type Tuning
Constants ¶
This section is empty.
Variables ¶
var (
	// SchemeGroupVersion is group version used to register these objects.
	// This name is used by applyconfiguration generators (e.g. controller-gen).
	SchemeGroupVersion = schema.GroupVersion{Group: "headscale.infrado.cloud", Version: "v1beta1"}
	// GroupVersion is an alias for SchemeGroupVersion, for backward compatibility.
	GroupVersion = SchemeGroupVersion
	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}
	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
This section is empty.
Types ¶
type ACLPolicyConfig ¶ added in v0.5.0
type ACLPolicyConfig struct {
// TagOwners maps tag names to the list of users or groups that may apply
// that tag (e.g. {"tag:router": ["group:admin"]}). Tags referenced by
// HeadscaleAutoApprover resources must be declared here.
// +optional
TagOwners map[string][]string `json:"tag_owners,omitempty"`
// Inline is a JSON or HuJSON Headscale policy document that serves as the
// base policy. The operator parses it, merges TagOwners and any
// HeadscaleAutoApprover entries on top, then pushes the result via
// the gRPC API. Use this for `acls`, `groups`, `hosts`, and `ssh` rules.
// +optional
Inline string `json:"inline,omitempty"`
}
ACLPolicyConfig defines the ACL policy that the operator pushes to Headscale via the gRPC SetPolicy API. The operator merges TagOwners and any HeadscaleAutoApprover entries on top of the Inline base before pushing.
Using this requires `spec.config.policy.mode=database` because Headscale's SetPolicy API is only available in database-mode. The HeadscaleAutoApprover reconciler will surface a status condition on each auto-approver if the mode is not set correctly.
func (*ACLPolicyConfig) DeepCopy ¶ added in v0.5.0
func (in *ACLPolicyConfig) DeepCopy() *ACLPolicyConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACLPolicyConfig.
func (*ACLPolicyConfig) DeepCopyInto ¶ added in v0.5.0
func (in *ACLPolicyConfig) DeepCopyInto(out *ACLPolicyConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type APIKeyConfig ¶
type APIKeyConfig struct {
// AutoManage enables automatic API key creation and rotation
// +kubebuilder:default=true
// +optional
AutoManage *bool `json:"auto_manage,omitempty"`
// SecretName is the name of the Kubernetes secret to store the API key.
// When empty, the operator defaults to "<headscale-name>-api-key" so that
// multiple Headscale instances in the same namespace do not collide.
// +optional
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
SecretName string `json:"secret_name,omitempty"`
// Expiration is the API key expiration duration in Go duration format (e.g., "2160h" for 90 days; "90d" is not valid).
// The API key will be rotated before it expires.
// Examples: "720h" (30 days), "2160h" (90 days), "8760h" (365 days)
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))+$`
// +kubebuilder:default="2160h"
// +optional
Expiration string `json:"expiration,omitempty"`
// RotationBuffer is the time before expiration to rotate the key in Go duration format (e.g., "168h" for 7 days)
// Key will be rotated when it has less than this time remaining
// Examples: "168h" (7 days), "1920h" (80 days)
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))+$`
// +kubebuilder:default="1920h"
// +optional
RotationBuffer string `json:"rotation_buffer,omitempty"`
// ManagerImage is the container image to use for the API key manager sidecar
// +kubebuilder:default="ghcr.io/infradohq/headscale-operator/apikey-manager:latest"
// +optional
ManagerImage string `json:"manager_image,omitempty"`
}
APIKeyConfig represents API key management configuration
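How `expiration` and `rotation_buffer` interact, as an added example that is not part of the operator's code: it applies the page's validation pattern, parses both values, and follows the rule stated in the field comment (rotate once less than the buffer remains). `RotationPlan`, `PlanRotation` and `NeedsRotation` are hypothetical names, and the sample values in `main` are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// durationPattern is the kubebuilder validation pattern the page gives for
// both expiration and rotation_buffer.
var durationPattern = regexp.MustCompile(`^([0-9]+(\.[0-9]+)?(s|m|h))+$`)

// ErrBufferCoversLifetime marks a buffer that is not shorter than the key lifetime.
var ErrBufferCoversLifetime = errors.New("rotation_buffer is not shorter than expiration")

// RotationPlan (hypothetical type) holds the parsed settings.
type RotationPlan struct {
	Expiration  time.Duration
	Buffer      time.Duration
	RotateAfter time.Duration // key age at which the remaining lifetime equals Buffer
}

// parseField checks one value against the CRD pattern, then parses it.
func parseField(name, value string) (time.Duration, error) {
	if !durationPattern.MatchString(value) {
		return 0, fmt.Errorf("%s=%q is rejected by the CRD pattern (units are s, m, h only)", name, value)
	}
	d, err := time.ParseDuration(value)
	if err != nil {
		// The pattern has no upper bound, so an overflowing value reaches this point.
		return 0, fmt.Errorf("%s=%q passes the CRD pattern but does not parse: %w", name, value, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("%s=%q must be greater than zero", name, value)
	}
	return d, nil
}

// PlanRotation validates both fields together. A buffer that is not shorter
// than the lifetime would make a key due for rotation as soon as it is issued.
func PlanRotation(expiration, buffer string) (RotationPlan, error) {
	exp, err := parseField("expiration", expiration)
	if err != nil {
		return RotationPlan{}, err
	}
	buf, err := parseField("rotation_buffer", buffer)
	if err != nil {
		return RotationPlan{}, err
	}
	if buf >= exp {
		return RotationPlan{}, fmt.Errorf("%w: %s >= %s", ErrBufferCoversLifetime, buf, exp)
	}
	return RotationPlan{Expiration: exp, Buffer: buf, RotateAfter: exp - buf}, nil
}

// NeedsRotation applies the rule from the field comment: rotate once the key
// has less than Buffer remaining.
func (p RotationPlan) NeedsRotation(issuedAt, now time.Time) bool {
	return issuedAt.Add(p.Expiration).Sub(now) < p.Buffer
}

func main() {
	// Constructed inputs: the page's defaults, then values that should be refused.
	cases := [][2]string{
		{"2160h", "1920h"},          // defaults from the page
		{"720h", "1920h"},           // shorter lifetime, default buffer left in place
		{"90d", "168h"},             // day unit is not accepted
		{"99999999999999h", "168h"}, // matches the pattern, overflows time.Duration
	}
	for _, c := range cases {
		plan, err := PlanRotation(c[0], c[1])
		if err != nil {
			fmt.Printf("expiration=%s rotation_buffer=%s: %v\n", c[0], c[1], err)
			continue
		}
		fmt.Printf("expiration=%s rotation_buffer=%s: rotate after %s\n", c[0], c[1], plan.RotateAfter)
	}
}
```

With the defaults the key is due for rotation 240h after issue; lowering `expiration` to one of the listed examples such as "720h" without also lowering `rotation_buffer` leaves the buffer longer than the key's lifetime.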
func (*APIKeyConfig) DeepCopy ¶
func (in *APIKeyConfig) DeepCopy() *APIKeyConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIKeyConfig.
func (*APIKeyConfig) DeepCopyInto ¶
func (in *APIKeyConfig) DeepCopyInto(out *APIKeyConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AutoApproverRoute ¶ added in v0.5.0
type AutoApproverRoute struct {
// CIDR is the subnet route to auto-approve (IPv4 or IPv6).
// +kubebuilder:validation:Pattern=`^(([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}|([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})/[0-9]{1,3})$`
// +required
CIDR string `json:"cidr"`
// Tags whose nodes will have this route auto-approved when advertised.
// Each tag must be declared in the parent Headscale's spec.acl_policy.tag_owners.
// +kubebuilder:validation:MinItems=1
// +kubebuilder:validation:items:Pattern=`^tag:[a-zA-Z0-9._-]+$`
// +required
Tags []string `json:"tags"`
}
AutoApproverRoute declares a subnet that should be auto-approved when advertised by a node carrying any of the listed tags.
func (*AutoApproverRoute) DeepCopy ¶ added in v0.5.0
func (in *AutoApproverRoute) DeepCopy() *AutoApproverRoute
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoApproverRoute.
func (*AutoApproverRoute) DeepCopyInto ¶ added in v0.5.0
func (in *AutoApproverRoute) DeepCopyInto(out *AutoApproverRoute)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DERPConfig ¶
type DERPConfig struct {
// Server configuration for embedded DERP server
// +optional
Server DERPServerConfig `json:"server"`
// URLs is the list of external DERP map URLs
// +kubebuilder:default={"https://controlplane.tailscale.com/derpmap/default"}
// +optional
URLs []string `json:"urls,omitzero"`
// Paths is the list of local DERP map file paths
// +optional
Paths []string `json:"paths,omitempty"`
// AutoUpdateEnabled indicates whether to auto-update DERP maps
// +kubebuilder:default=true
// +optional
AutoUpdateEnabled *bool `json:"auto_update_enabled,omitempty"`
// UpdateFrequency is how often to check for DERP updates
// +kubebuilder:default="3h"
// +optional
UpdateFrequency string `json:"update_frequency,omitempty"`
}
DERPConfig represents DERP configuration
func (*DERPConfig) DeepCopy ¶
func (in *DERPConfig) DeepCopy() *DERPConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DERPConfig.
func (*DERPConfig) DeepCopyInto ¶
func (in *DERPConfig) DeepCopyInto(out *DERPConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DERPServerConfig ¶
type DERPServerConfig struct {
// Enabled indicates if the embedded DERP server is enabled
// +kubebuilder:default=false
// +optional
Enabled *bool `json:"enabled,omitempty"`
// RegionID is the region ID for the embedded DERP server
// +kubebuilder:default=999
// +optional
RegionID int `json:"region_id,omitempty"`
// RegionCode is the region code for display
// +kubebuilder:default="headscale"
// +optional
RegionCode string `json:"region_code,omitempty"`
// RegionName is the region name for display
// +kubebuilder:default="Headscale Embedded DERP"
// +optional
RegionName string `json:"region_name,omitempty"`
// VerifyClients indicates whether to verify clients
// +kubebuilder:default=true
// +optional
VerifyClients *bool `json:"verify_clients,omitempty"`
// STUNListenAddr is the address for STUN connections
// +kubebuilder:default="0.0.0.0:3478"
// +optional
STUNListenAddr string `json:"stun_listen_addr,omitempty"`
// PrivateKeyPath is the path to the DERP server private key
// +kubebuilder:default="/var/lib/headscale/derp_server_private.key"
// +optional
PrivateKeyPath string `json:"private_key_path,omitempty"`
// AutomaticallyAddEmbeddedDerpRegion indicates whether to automatically add the embedded DERP region
// +kubebuilder:default=true
// +optional
AutomaticallyAddEmbeddedDerpRegion *bool `json:"automatically_add_embedded_derp_region,omitempty"`
// IPv4 is the public IPv4 address
// +kubebuilder:default="198.51.100.1"
// +optional
IPv4 string `json:"ipv4,omitempty"`
// IPv6 is the public IPv6 address
// +kubebuilder:default="2001:db8::1"
// +optional
IPv6 string `json:"ipv6,omitempty"`
}
DERPServerConfig represents embedded DERP server configuration
func (*DERPServerConfig) DeepCopy ¶
func (in *DERPServerConfig) DeepCopy() *DERPServerConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DERPServerConfig.
func (*DERPServerConfig) DeepCopyInto ¶
func (in *DERPServerConfig) DeepCopyInto(out *DERPServerConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DNSConfig ¶
type DNSConfig struct {
// MagicDNS enables MagicDNS
// +kubebuilder:default=true
// +optional
MagicDNS *bool `json:"magic_dns,omitempty"`
// BaseDomain is the base domain for MagicDNS
// +optional
BaseDomain string `json:"base_domain,omitempty"`
// OverrideLocalDNS overrides local DNS settings
// +kubebuilder:default=true
// +optional
OverrideLocalDNS *bool `json:"override_local_dns,omitempty"`
// Nameservers configuration
// +optional
Nameservers DNSNameserversConfig `json:"nameservers"`
// SearchDomains is the list of search domains
// +optional
SearchDomains []string `json:"search_domains,omitempty"`
// ExtraRecords is the list of extra DNS records
// +optional
ExtraRecords []DNSExtraRecord `json:"extra_records,omitempty"`
}
DNSConfig represents DNS configuration
func (*DNSConfig) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSConfig.
func (*DNSConfig) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DNSExtraRecord ¶
type DNSExtraRecord struct {
// Name is the DNS record name
// +optional
Name string `json:"name,omitempty"`
// Type is the DNS record type
// +kubebuilder:validation:Enum=A;AAAA
// +optional
Type string `json:"type,omitempty"`
// Value is the DNS record value
// +optional
Value string `json:"value,omitempty"`
}
DNSExtraRecord represents an extra DNS record
func (*DNSExtraRecord) DeepCopy ¶
func (in *DNSExtraRecord) DeepCopy() *DNSExtraRecord
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSExtraRecord.
func (*DNSExtraRecord) DeepCopyInto ¶
func (in *DNSExtraRecord) DeepCopyInto(out *DNSExtraRecord)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DNSNameserversConfig ¶
type DNSNameserversConfig struct {
// Global nameservers
// +kubebuilder:default={"1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"}
// +optional
Global []string `json:"global,omitempty"`
// Split DNS configuration
// +optional
Split map[string][]string `json:"split,omitempty"`
}
DNSNameserversConfig represents DNS nameservers configuration
func (*DNSNameserversConfig) DeepCopy ¶
func (in *DNSNameserversConfig) DeepCopy() *DNSNameserversConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSNameserversConfig.
func (*DNSNameserversConfig) DeepCopyInto ¶
func (in *DNSNameserversConfig) DeepCopyInto(out *DNSNameserversConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DatabaseConfig ¶
type DatabaseConfig struct {
// Type is the database type
// +kubebuilder:validation:Enum=sqlite;postgres
// +kubebuilder:default="sqlite"
// +optional
Type string `json:"type,omitempty"`
// Debug enables debug mode
// +kubebuilder:default=false
// +optional
Debug *bool `json:"debug,omitempty"`
// Gorm configuration
// +optional
Gorm GormConfig `json:"gorm"`
// Sqlite configuration
// +optional
Sqlite SqliteConfig `json:"sqlite"`
// Postgres configuration
// +optional
Postgres PostgresConfig `json:"postgres"`
}
DatabaseConfig represents database configuration
func (*DatabaseConfig) DeepCopy ¶
func (in *DatabaseConfig) DeepCopy() *DatabaseConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DatabaseConfig.
func (*DatabaseConfig) DeepCopyInto ¶
func (in *DatabaseConfig) DeepCopyInto(out *DatabaseConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type GormConfig ¶
type GormConfig struct {
// PrepareStmt enables prepared statements
// +kubebuilder:default=true
// +optional
PrepareStmt *bool `json:"prepare_stmt,omitempty"`
// ParameterizedQueries enables parameterized queries
// +kubebuilder:default=true
// +optional
ParameterizedQueries *bool `json:"parameterized_queries,omitempty"`
// SkipErrRecordNotFound skips "record not found" errors
// +kubebuilder:default=true
// +optional
SkipErrRecordNotFound *bool `json:"skip_err_record_not_found,omitempty"`
// SlowThreshold is the threshold for slow queries in milliseconds
// +kubebuilder:default=1000
// +optional
SlowThreshold int `json:"slow_threshold,omitempty"`
}
GormConfig represents GORM configuration
func (*GormConfig) DeepCopy ¶
func (in *GormConfig) DeepCopy() *GormConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GormConfig.
func (*GormConfig) DeepCopyInto ¶
func (in *GormConfig) DeepCopyInto(out *GormConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Headscale ¶
type Headscale struct {
metav1.TypeMeta `json:",inline"`
// metadata is a standard object metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
// spec defines the desired state of Headscale
// +required
Spec HeadscaleSpec `json:"spec"`
// status defines the observed state of Headscale
// +optional
Status HeadscaleStatus `json:"status,omitzero"`
}
Headscale is the Schema for the headscales API
func (*Headscale) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Headscale.
func (*Headscale) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Headscale) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscaleAutoApprover ¶ added in v0.5.0
type HeadscaleAutoApprover struct {
metav1.TypeMeta `json:",inline"`
// metadata is a standard object metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
// spec defines the desired state of HeadscaleAutoApprover
// +required
Spec HeadscaleAutoApproverSpec `json:"spec"`
// status defines the observed state of HeadscaleAutoApprover
// +optional
Status HeadscaleAutoApproverStatus `json:"status,omitzero"`
}
HeadscaleAutoApprover is the Schema for the headscaleautoapprovers API.
func (*HeadscaleAutoApprover) DeepCopy ¶ added in v0.5.0
func (in *HeadscaleAutoApprover) DeepCopy() *HeadscaleAutoApprover
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleAutoApprover.
func (*HeadscaleAutoApprover) DeepCopyInto ¶ added in v0.5.0
func (in *HeadscaleAutoApprover) DeepCopyInto(out *HeadscaleAutoApprover)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*HeadscaleAutoApprover) DeepCopyObject ¶ added in v0.5.0
func (in *HeadscaleAutoApprover) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscaleAutoApproverList ¶ added in v0.5.0
type HeadscaleAutoApproverList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
Items []HeadscaleAutoApprover `json:"items"`
}
HeadscaleAutoApproverList contains a list of HeadscaleAutoApprover.
func (*HeadscaleAutoApproverList) DeepCopy ¶ added in v0.5.0
func (in *HeadscaleAutoApproverList) DeepCopy() *HeadscaleAutoApproverList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleAutoApproverList.
func (*HeadscaleAutoApproverList) DeepCopyInto ¶ added in v0.5.0
func (in *HeadscaleAutoApproverList) DeepCopyInto(out *HeadscaleAutoApproverList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*HeadscaleAutoApproverList) DeepCopyObject ¶ added in v0.5.0
func (in *HeadscaleAutoApproverList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscaleAutoApproverSpec ¶ added in v0.5.0
type HeadscaleAutoApproverSpec struct {
// HeadscaleRef is the name of the Headscale instance (in the same namespace)
// whose policy these auto-approvers contribute to.
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
// +required
HeadscaleRef string `json:"headscaleRef"`
// Routes is the list of subnet routes to auto-approve when advertised by a
// node carrying one of the listed tags.
// +optional
Routes []AutoApproverRoute `json:"routes,omitempty"`
// ExitNodeTags is the list of tags whose nodes will be auto-approved as
// exit nodes when they advertise themselves as such.
// +kubebuilder:validation:items:Pattern=`^tag:[a-zA-Z0-9._-]+$`
// +optional
ExitNodeTags []string `json:"exitNodeTags,omitempty"`
}
HeadscaleAutoApproverSpec defines the desired state of HeadscaleAutoApprover.
Each HeadscaleAutoApprover contributes entries to the parent Headscale's policy document. The operator merges all HeadscaleAutoApprover resources that reference the same Headscale and pushes the result via the Headscale gRPC SetPolicy API. This requires the parent Headscale to be configured with `spec.config.policy.mode=database`.
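A pre-merge lint for auto-approver entries, as an added example that is not part of the operator's code: it reuses the page's two validation patterns, then adds the semantic checks the patterns cannot express (real prefix parsing, tags declared in `tag_owners`). The struct mirrors, `LintAutoApprover`, the sample data, and the choice to flag `/0` prefixes and prefixes with host bits set are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Simplified local mirrors of AutoApproverRoute and HeadscaleAutoApproverSpec
// from this page; only the fields the lint reads are kept.
type AutoApproverRoute struct {
	CIDR string
	Tags []string
}

type AutoApproverSpec struct {
	HeadscaleRef string
	Routes       []AutoApproverRoute
	ExitNodeTags []string
}

// The two kubebuilder validation patterns, copied from the page.
var (
	cidrPattern = regexp.MustCompile(`^(([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}|([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})/[0-9]{1,3})$`)
	tagPattern  = regexp.MustCompile(`^tag:[a-zA-Z0-9._-]+$`)
)

// LintAutoApprover (hypothetical helper) returns one finding per problem, in
// spec order. tagOwners stands in for spec.acl_policy.tag_owners of the
// referenced Headscale.
func LintAutoApprover(spec AutoApproverSpec, tagOwners map[string][]string) []string {
	var findings []string
	add := func(where, msg string) {
		findings = append(findings, where+": "+msg)
	}
	checkTag := func(where, tag string) {
		if !tagPattern.MatchString(tag) {
			add(where, fmt.Sprintf("tag %q does not match the CRD tag pattern", tag))
		} else if _, ok := tagOwners[tag]; !ok {
			add(where, fmt.Sprintf("tag %q is not declared in tag_owners", tag))
		}
	}
	for i, r := range spec.Routes {
		where := fmt.Sprintf("routes[%d]", i)
		prefix, err := netip.ParsePrefix(r.CIDR)
		switch {
		case !cidrPattern.MatchString(r.CIDR):
			add(where, fmt.Sprintf("cidr %q is rejected by the CRD pattern", r.CIDR))
		case err != nil:
			// The pattern only checks shape, so 999.1.1.1/33 gets through it.
			add(where, fmt.Sprintf("cidr %q passes the CRD pattern but is not a valid prefix", r.CIDR))
		case prefix.Bits() == 0:
			// Lint policy of this example: a /0 covers every address, and the
			// spec has a separate exitNodeTags field for exit nodes.
			add(where, fmt.Sprintf("cidr %q is a default route; review before auto-approving", r.CIDR))
		case prefix != prefix.Masked():
			add(where, fmt.Sprintf("cidr %q has host bits set; did you mean %s?", r.CIDR, prefix.Masked()))
		}
		if len(r.Tags) == 0 {
			add(where, "no tags listed (MinItems=1)")
		}
		for _, t := range r.Tags {
			checkTag(where, t)
		}
	}
	for _, t := range spec.ExitNodeTags {
		checkTag("exitNodeTags", t)
	}
	return findings
}

func main() {
	// Constructed sample input, not taken from a real cluster.
	tagOwners := map[string][]string{"tag:router": {"group:admin"}}
	spec := AutoApproverSpec{
		HeadscaleRef: "headscale",
		Routes: []AutoApproverRoute{
			{CIDR: "10.20.0.0/16", Tags: []string{"tag:router"}},
			{CIDR: "999.1.1.1/33", Tags: []string{"tag:router"}},
			{CIDR: "0.0.0.0/0", Tags: []string{"tag:lab"}},
			{CIDR: "10.0.0.5/24", Tags: []string{"tag:router"}},
		},
		ExitNodeTags: []string{"tag:exit"},
	}
	for _, f := range LintAutoApprover(spec, tagOwners) {
		fmt.Println(f)
	}
}
```

Running a check like this in CI or an admission step catches entries that the CRD schema accepts but that would widen what gets auto-approved, before the operator merges them into the pushed policy.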
func (*HeadscaleAutoApproverSpec) DeepCopy ¶ added in v0.5.0
func (in *HeadscaleAutoApproverSpec) DeepCopy() *HeadscaleAutoApproverSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleAutoApproverSpec.
func (*HeadscaleAutoApproverSpec) DeepCopyInto ¶ added in v0.5.0
func (in *HeadscaleAutoApproverSpec) DeepCopyInto(out *HeadscaleAutoApproverSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscaleAutoApproverStatus ¶ added in v0.5.0
type HeadscaleAutoApproverStatus struct {
// conditions represent the current state of the HeadscaleAutoApprover resource.
//
// Standard condition types include:
// - "Ready": the entries from this resource have been merged into the active policy
//
// +listType=map
// +listMapKey=type
// +optional
Conditions []metav1.Condition `json:"conditions,omitempty"`
}
HeadscaleAutoApproverStatus defines the observed state of HeadscaleAutoApprover.
func (*HeadscaleAutoApproverStatus) DeepCopy ¶ added in v0.5.0
func (in *HeadscaleAutoApproverStatus) DeepCopy() *HeadscaleAutoApproverStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleAutoApproverStatus.
func (*HeadscaleAutoApproverStatus) DeepCopyInto ¶ added in v0.5.0
func (in *HeadscaleAutoApproverStatus) DeepCopyInto(out *HeadscaleAutoApproverStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscaleConfig ¶
type HeadscaleConfig struct {
// ServerURL is the URL clients will connect to
// +required
ServerURL string `json:"server_url"`
// ListenAddr is the address to listen on
// +kubebuilder:default="0.0.0.0:8080"
// +optional
ListenAddr string `json:"listen_addr,omitempty"`
// MetricsListenAddr is the address for metrics
// +kubebuilder:default="0.0.0.0:9090"
// +optional
MetricsListenAddr string `json:"metrics_listen_addr,omitempty"`
// GRPCListenAddr is the address for gRPC
// +kubebuilder:default="0.0.0.0:50443"
// +optional
GRPCListenAddr string `json:"grpc_listen_addr,omitempty"`
// GRPCAllowInsecure allows insecure gRPC
// +kubebuilder:default=false
// +optional
GRPCAllowInsecure *bool `json:"grpc_allow_insecure,omitempty"`
// Noise configuration
// +optional
Noise NoiseConfig `json:"noise"`
// Prefixes configuration
// +optional
Prefixes PrefixesConfig `json:"prefixes"`
// DERP configuration
// +optional
DERP DERPConfig `json:"derp"`
// DisableCheckUpdates disables update checks
// +kubebuilder:default=false
// +optional
DisableCheckUpdates *bool `json:"disable_check_updates,omitempty"`
// EphemeralNodeInactivityTimeout is the timeout for ephemeral nodes
// +kubebuilder:default="30m"
// +optional
EphemeralNodeInactivityTimeout string `json:"ephemeral_node_inactivity_timeout,omitempty"`
// Database configuration
// +optional
Database DatabaseConfig `json:"database"`
// ACMEURL is the ACME directory URL
// +kubebuilder:default="https://acme-v02.api.letsencrypt.org/directory"
// +optional
ACMEURL string `json:"acme_url,omitempty"`
// ACMEEmail is the email for ACME registration
// +optional
ACMEEmail string `json:"acme_email,omitempty"`
// TLSLetsEncryptHostname is the hostname for Let's Encrypt
// +optional
TLSLetsEncryptHostname string `json:"tls_letsencrypt_hostname,omitempty"`
// TLSLetsEncryptCacheDir is the cache directory for Let's Encrypt
// +kubebuilder:default="/var/lib/headscale/cache"
// +optional
TLSLetsEncryptCacheDir string `json:"tls_letsencrypt_cache_dir,omitempty"`
// TLSLetsEncryptChallengeType is the ACME challenge type
// +kubebuilder:validation:Enum=HTTP-01;TLS-ALPN-01
// +kubebuilder:default="HTTP-01"
// +optional
TLSLetsEncryptChallengeType string `json:"tls_letsencrypt_challenge_type,omitempty"`
// TLSLetsEncryptListen is the address for Let's Encrypt challenge
// +kubebuilder:default=":http"
// +optional
TLSLetsEncryptListen string `json:"tls_letsencrypt_listen,omitempty"`
// TLSCertPath is the path to the TLS certificate
// +optional
TLSCertPath string `json:"tls_cert_path,omitempty"`
// TLSKeyPath is the path to the TLS key
// +optional
TLSKeyPath string `json:"tls_key_path,omitempty"`
// Log configuration
// +optional
Log LogConfig `json:"log"`
// Policy configuration
// +optional
Policy PolicyConfig `json:"policy"`
// DNS configuration
// +optional
DNS DNSConfig `json:"dns"`
// UnixSocket is the path to the Unix socket
// +kubebuilder:default="/var/run/headscale/headscale.sock"
// +kubebuilder:validation:MinLength=1
// +optional
UnixSocket string `json:"unix_socket,omitempty"`
// UnixSocketPermission is the Unix socket permission (e.g., "0770")
// +kubebuilder:default="0770"
// +optional
UnixSocketPermission string `json:"unix_socket_permission,omitempty"`
// OIDC configuration
// +optional
OIDC OIDCConfig `json:"oidc"`
// LogTail configuration
// +optional
LogTail LogTailConfig `json:"logtail"`
// RandomizeClientPort randomizes the WireGuard client port
// +kubebuilder:default=false
// +optional
RandomizeClientPort *bool `json:"randomize_client_port,omitempty"`
// Taildrop configuration
// +optional
Taildrop TaildropConfig `json:"taildrop"`
// Tuning configuration
// +optional
Tuning Tuning `json:"tuning"`
}
HeadscaleConfig represents the complete Headscale configuration
func (*HeadscaleConfig) DeepCopy ¶
func (in *HeadscaleConfig) DeepCopy() *HeadscaleConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleConfig.
func (*HeadscaleConfig) DeepCopyInto ¶
func (in *HeadscaleConfig) DeepCopyInto(out *HeadscaleConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscaleList ¶
type HeadscaleList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
Items []Headscale `json:"items"`
}
HeadscaleList contains a list of Headscale
func (*HeadscaleList) DeepCopy ¶
func (in *HeadscaleList) DeepCopy() *HeadscaleList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleList.
func (*HeadscaleList) DeepCopyInto ¶
func (in *HeadscaleList) DeepCopyInto(out *HeadscaleList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*HeadscaleList) DeepCopyObject ¶
func (in *HeadscaleList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscalePreAuthKey ¶
type HeadscalePreAuthKey struct {
metav1.TypeMeta `json:",inline"`
// metadata is a standard object metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
// spec defines the desired state of HeadscalePreAuthKey
// +required
Spec HeadscalePreAuthKeySpec `json:"spec"`
// status defines the observed state of HeadscalePreAuthKey
// +optional
Status HeadscalePreAuthKeyStatus `json:"status,omitzero"`
}
HeadscalePreAuthKey is the Schema for the headscalepreauthkeys API
func (*HeadscalePreAuthKey) DeepCopy ¶
func (in *HeadscalePreAuthKey) DeepCopy() *HeadscalePreAuthKey
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscalePreAuthKey.
func (*HeadscalePreAuthKey) DeepCopyInto ¶
func (in *HeadscalePreAuthKey) DeepCopyInto(out *HeadscalePreAuthKey)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*HeadscalePreAuthKey) DeepCopyObject ¶
func (in *HeadscalePreAuthKey) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscalePreAuthKeyList ¶
type HeadscalePreAuthKeyList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
Items []HeadscalePreAuthKey `json:"items"`
}
HeadscalePreAuthKeyList contains a list of HeadscalePreAuthKey
func (*HeadscalePreAuthKeyList) DeepCopy ¶
func (in *HeadscalePreAuthKeyList) DeepCopy() *HeadscalePreAuthKeyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscalePreAuthKeyList.
func (*HeadscalePreAuthKeyList) DeepCopyInto ¶
func (in *HeadscalePreAuthKeyList) DeepCopyInto(out *HeadscalePreAuthKeyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*HeadscalePreAuthKeyList) DeepCopyObject ¶
func (in *HeadscalePreAuthKeyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscalePreAuthKeySpec ¶
type HeadscalePreAuthKeySpec struct {
// HeadscaleRef is the name of the Headscale instance to create the preauth key in
// +kubebuilder:validation:Required
// +required
HeadscaleRef string `json:"headscaleRef"`
// HeadscaleUserRef is the name of the HeadscaleUser resource to create the preauth key for
// Either HeadscaleUserRef or UserID must be specified, but not both
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
// +optional
HeadscaleUserRef string `json:"headscaleUserRef,omitempty"`
// UserID is the ID of the user in Headscale to create the preauth key for
// Either HeadscaleUserRef or UserID must be specified, but not both
// +kubebuilder:validation:Minimum=1
// +optional
UserID uint64 `json:"userId,omitempty"`
// Expiration is the duration after which the preauth key expires
// Examples: 30m, 24h, 1h30m, 300ms, 1.5h (must be a valid Go duration string)
// Valid time units are "s", "m", "h"
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(s|m|h))+$`
// +kubebuilder:default="1h"
// +optional
Expiration string `json:"expiration,omitempty"`
// Reusable indicates whether the preauth key can be used multiple times
// +kubebuilder:default=false
// +optional
Reusable bool `json:"reusable,omitempty"`
// Ephemeral indicates whether nodes using this key should be ephemeral
// +kubebuilder:default=false
// +optional
Ephemeral bool `json:"ephemeral,omitempty"`
// Tags to automatically assign to nodes registered with this preauth key
// +kubebuilder:validation:items:Pattern=`^tag:[a-zA-Z0-9._-]+$`
// +optional
Tags []string `json:"tags,omitempty"`
// SecretName is the name of the secret to store the preauth key in
// If not specified, defaults to the HeadscalePreAuthKey resource name
// +optional
SecretName string `json:"secretName,omitempty"`
}
HeadscalePreAuthKeySpec defines the desired state of HeadscalePreAuthKey
func (*HeadscalePreAuthKeySpec) DeepCopy ¶
func (in *HeadscalePreAuthKeySpec) DeepCopy() *HeadscalePreAuthKeySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscalePreAuthKeySpec.
func (*HeadscalePreAuthKeySpec) DeepCopyInto ¶
func (in *HeadscalePreAuthKeySpec) DeepCopyInto(out *HeadscalePreAuthKeySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscalePreAuthKeyStatus ¶
type HeadscalePreAuthKeyStatus struct {
// KeyID is the ID of the preauth key in Headscale
// +optional
KeyID string `json:"keyId,omitempty"`
// conditions represent the current state of the HeadscalePreAuthKey resource.
// +listType=map
// +listMapKey=type
// +optional
Conditions []metav1.Condition `json:"conditions,omitempty"`
}
HeadscalePreAuthKeyStatus defines the observed state of HeadscalePreAuthKey.
func (*HeadscalePreAuthKeyStatus) DeepCopy ¶
func (in *HeadscalePreAuthKeyStatus) DeepCopy() *HeadscalePreAuthKeyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscalePreAuthKeyStatus.
func (*HeadscalePreAuthKeyStatus) DeepCopyInto ¶
func (in *HeadscalePreAuthKeyStatus) DeepCopyInto(out *HeadscalePreAuthKeyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscaleSpec ¶
type HeadscaleSpec struct {
// Version indicates the version of Headscale to deploy.
// +kubebuilder:validation:Pattern=`^v?(\d+\.)?(\d+\.)?(\*|\d+)(-.+)?$`
// +required
Version string `json:"version"`
// Image is the container image to use for Headscale.
// +kubebuilder:default="headscale/headscale"
// +kubebuilder:validation:MinLength=1
// +optional
Image string `json:"image,omitempty"`
// Replicas indicates the number of Headscale instances to deploy.
// +kubebuilder:validation:Minimum=0
// +required
Replicas int32 `json:"replicas"`
// Config holds custom configuration for Headscale.
// +optional
Config HeadscaleConfig `json:"config"`
// PersistentVolumeClaim configuration for data storage
// +optional
PersistentVolumeClaim PersistentVolumeClaimConfig `json:"persistent_volume_claim"`
// APIKey configuration for automatic API key management
// +optional
APIKey APIKeyConfig `json:"api_key"`
// ImagePullSecrets is a list of references to secrets for pulling images from private registries
// +optional
ImagePullSecrets []string `json:"image_pull_secrets,omitempty"`
// ExtraEnv allows injecting additional environment variables into the Headscale container
// +optional
ExtraEnv []corev1.EnvVar `json:"extra_env,omitempty"`
// ExtraVolumes allows adding additional volumes to the Headscale pod
// +optional
ExtraVolumes []corev1.Volume `json:"extra_volumes,omitempty"`
// ExtraVolumeMounts allows adding additional volume mounts to the Headscale container
// +optional
ExtraVolumeMounts []corev1.VolumeMount `json:"extra_volume_mounts,omitempty"`
// ACLPolicy is the base ACL policy and tag ownership map. The operator
// merges this with any HeadscaleAutoApprover resources that reference this
// Headscale and pushes the result via the gRPC SetPolicy API.
// Requires `spec.config.policy.mode=database`.
// +optional
ACLPolicy ACLPolicyConfig `json:"acl_policy"`
}
HeadscaleSpec defines the desired state of Headscale
func (*HeadscaleSpec) DeepCopy ¶
func (in *HeadscaleSpec) DeepCopy() *HeadscaleSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleSpec.
func (*HeadscaleSpec) DeepCopyInto ¶
func (in *HeadscaleSpec) DeepCopyInto(out *HeadscaleSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscaleStatus ¶
type HeadscaleStatus struct {
// conditions represent the current state of the Headscale resource.
// Each condition has a unique type and reflects the status of a specific aspect of the resource.
//
// Standard condition types include:
// - "Available": the resource is fully functional
// - "Progressing": the resource is being created or updated
// - "Degraded": the resource failed to reach or maintain its desired state
//
// The status of each condition is one of True, False, or Unknown.
// +listType=map
// +listMapKey=type
// +optional
Conditions []metav1.Condition `json:"conditions,omitempty"`
}
HeadscaleStatus defines the observed state of Headscale.
func (*HeadscaleStatus) DeepCopy ¶
func (in *HeadscaleStatus) DeepCopy() *HeadscaleStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleStatus.
func (*HeadscaleStatus) DeepCopyInto ¶
func (in *HeadscaleStatus) DeepCopyInto(out *HeadscaleStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscaleUser ¶
type HeadscaleUser struct {
metav1.TypeMeta `json:",inline"`
// metadata is a standard object metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitzero"`
// spec defines the desired state of HeadscaleUser
// +required
Spec HeadscaleUserSpec `json:"spec"`
// status defines the observed state of HeadscaleUser
// +optional
Status HeadscaleUserStatus `json:"status,omitzero"`
}
HeadscaleUser is the Schema for the headscaleusers API
func (*HeadscaleUser) DeepCopy ¶
func (in *HeadscaleUser) DeepCopy() *HeadscaleUser
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleUser.
func (*HeadscaleUser) DeepCopyInto ¶
func (in *HeadscaleUser) DeepCopyInto(out *HeadscaleUser)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*HeadscaleUser) DeepCopyObject ¶
func (in *HeadscaleUser) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscaleUserList ¶
type HeadscaleUserList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitzero"`
Items []HeadscaleUser `json:"items"`
}
HeadscaleUserList contains a list of HeadscaleUser
func (*HeadscaleUserList) DeepCopy ¶
func (in *HeadscaleUserList) DeepCopy() *HeadscaleUserList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleUserList.
func (*HeadscaleUserList) DeepCopyInto ¶
func (in *HeadscaleUserList) DeepCopyInto(out *HeadscaleUserList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*HeadscaleUserList) DeepCopyObject ¶
func (in *HeadscaleUserList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type HeadscaleUserSpec ¶
type HeadscaleUserSpec struct {
// HeadscaleRef references the Headscale instance to create the user in
// +required
HeadscaleRef string `json:"headscaleRef"`
// Username is the unique username for the Headscale user
// This field is immutable after creation
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`
// +kubebuilder:validation:MaxLength=63
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="username is immutable"
// +required
Username string `json:"username"`
// DisplayName is the display name for the user
// This field is immutable after creation
// +kubebuilder:validation:MaxLength=255
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="displayName is immutable"
// +optional
DisplayName string `json:"displayName,omitempty"`
// Email is the email address of the user
// This field is immutable after creation
// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`
// +kubebuilder:validation:MaxLength=320
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="email is immutable"
// +optional
Email string `json:"email,omitempty"`
// PictureURL is the URL to the user's profile picture
// This field is immutable after creation
// +kubebuilder:validation:Pattern=`^https?://.*$`
// +kubebuilder:validation:MaxLength=2048
// +kubebuilder:validation:XValidation:rule="self == oldSelf",message="pictureURL is immutable"
// +optional
PictureURL string `json:"pictureURL,omitempty"`
}
HeadscaleUserSpec defines the desired state of HeadscaleUser
func (*HeadscaleUserSpec) DeepCopy ¶
func (in *HeadscaleUserSpec) DeepCopy() *HeadscaleUserSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleUserSpec.
func (*HeadscaleUserSpec) DeepCopyInto ¶
func (in *HeadscaleUserSpec) DeepCopyInto(out *HeadscaleUserSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HeadscaleUserStatus ¶
type HeadscaleUserStatus struct {
// UserID is the unique identifier assigned by Headscale
// +optional
UserID string `json:"userId,omitempty"`
// CreatedAt is the timestamp when the user was created in Headscale
// +optional
CreatedAt string `json:"createdAt,omitempty"`
// conditions represent the current state of the HeadscaleUser resource.
// Each condition has a unique type and reflects the status of a specific aspect of the resource.
//
// Standard condition types include:
// - "Available": the resource is fully functional
// - "Progressing": the resource is being created or updated
// - "Degraded": the resource failed to reach or maintain its desired state
//
// The status of each condition is one of True, False, or Unknown.
// +listType=map
// +listMapKey=type
// +optional
Conditions []metav1.Condition `json:"conditions,omitempty"`
}
HeadscaleUserStatus defines the observed state of HeadscaleUser.
func (*HeadscaleUserStatus) DeepCopy ¶
func (in *HeadscaleUserStatus) DeepCopy() *HeadscaleUserStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadscaleUserStatus.
func (*HeadscaleUserStatus) DeepCopyInto ¶
func (in *HeadscaleUserStatus) DeepCopyInto(out *HeadscaleUserStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LogConfig ¶
type LogConfig struct {
// Level is the log level
// +kubebuilder:validation:Enum=panic;fatal;error;warn;info;debug;trace
// +kubebuilder:default="info"
// +optional
Level string `json:"level,omitempty"`
// Format is the log format
// +kubebuilder:validation:Enum=text;json
// +kubebuilder:default="text"
// +optional
Format string `json:"format,omitempty"`
}
LogConfig represents logging configuration
func (*LogConfig) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogConfig.
func (*LogConfig) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LogTailConfig ¶
type LogTailConfig struct {
// Enabled indicates if Logtail is enabled
// +kubebuilder:default=false
// +optional
Enabled *bool `json:"enabled,omitempty"`
}
LogTailConfig represents Logtail configuration
func (*LogTailConfig) DeepCopy ¶
func (in *LogTailConfig) DeepCopy() *LogTailConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogTailConfig.
func (*LogTailConfig) DeepCopyInto ¶
func (in *LogTailConfig) DeepCopyInto(out *LogTailConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NoiseConfig ¶
type NoiseConfig struct {
// PrivateKeyPath is the path to the Noise private key
// +kubebuilder:default="/var/lib/headscale/noise_private.key"
// +optional
PrivateKeyPath string `json:"private_key_path,omitempty"`
}
NoiseConfig represents the Noise protocol configuration
func (*NoiseConfig) DeepCopy ¶
func (in *NoiseConfig) DeepCopy() *NoiseConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoiseConfig.
func (*NoiseConfig) DeepCopyInto ¶
func (in *NoiseConfig) DeepCopyInto(out *NoiseConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCConfig ¶
type OIDCConfig struct {
// OnlyStartIfOIDCIsAvailable blocks startup until OIDC is available
// +kubebuilder:default=true
// +optional
OnlyStartIfOIDCIsAvailable *bool `json:"only_start_if_oidc_is_available,omitempty"`
// Issuer is the OIDC issuer URL
// +optional
Issuer string `json:"issuer,omitempty"`
// ClientID is the OIDC client ID
// +optional
ClientID string `json:"client_id,omitempty"`
// ClientSecret is the OIDC client secret
// +optional
ClientSecret string `json:"client_secret,omitempty"`
// ClientSecretPath is the path to the OIDC client secret file
// +optional
ClientSecretPath string `json:"client_secret_path,omitempty"`
// Expiry is the authentication expiry duration
// +kubebuilder:default="180d"
// +optional
Expiry string `json:"expiry,omitempty"`
// UseExpiryFromToken uses the token expiry
// +kubebuilder:default=false
// +optional
UseExpiryFromToken *bool `json:"use_expiry_from_token,omitempty"`
// Scope is the list of OIDC scopes
// +optional
Scope []string `json:"scope,omitempty"`
// ExtraParams are additional parameters for the OIDC provider
// +optional
ExtraParams map[string]string `json:"extra_params,omitempty"`
// AllowedDomains is the list of allowed email domains
// +optional
AllowedDomains []string `json:"allowed_domains,omitempty"`
// AllowedUsers is the list of allowed email addresses
// +optional
AllowedUsers []string `json:"allowed_users,omitempty"`
// AllowedGroups is the list of allowed groups
// +optional
AllowedGroups []string `json:"allowed_groups,omitempty"`
// PKCE configuration
// +optional
PKCE PKCEConfig `json:"pkce"`
// EmailVerifiedRequired requires email verification
// +optional
EmailVerifiedRequired *bool `json:"email_verified_required,omitempty"`
}
OIDCConfig represents OpenID Connect configuration
func (*OIDCConfig) DeepCopy ¶
func (in *OIDCConfig) DeepCopy() *OIDCConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCConfig.
func (*OIDCConfig) DeepCopyInto ¶
func (in *OIDCConfig) DeepCopyInto(out *OIDCConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PKCEConfig ¶
type PKCEConfig struct {
// Enabled indicates if PKCE is enabled
// +kubebuilder:default=false
// +optional
Enabled *bool `json:"enabled,omitempty"`
// Method is the PKCE method
// +kubebuilder:validation:Enum=plain;S256
// +kubebuilder:default="S256"
// +optional
Method string `json:"method,omitempty"`
}
PKCEConfig represents PKCE configuration
func (*PKCEConfig) DeepCopy ¶
func (in *PKCEConfig) DeepCopy() *PKCEConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PKCEConfig.
func (*PKCEConfig) DeepCopyInto ¶
func (in *PKCEConfig) DeepCopyInto(out *PKCEConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PersistentVolumeClaimConfig ¶
type PersistentVolumeClaimConfig struct {
// Size is the storage size for the PVC
// +kubebuilder:default="128Mi"
// +optional
Size *resource.Quantity `json:"size,omitempty"`
// StorageClassName is the storage class name for the PVC
// +optional
StorageClassName *string `json:"storage_class_name,omitempty"`
}
PersistentVolumeClaimConfig represents the PVC configuration for Headscale data storage
func (*PersistentVolumeClaimConfig) DeepCopy ¶
func (in *PersistentVolumeClaimConfig) DeepCopy() *PersistentVolumeClaimConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PersistentVolumeClaimConfig.
func (*PersistentVolumeClaimConfig) DeepCopyInto ¶
func (in *PersistentVolumeClaimConfig) DeepCopyInto(out *PersistentVolumeClaimConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyConfig ¶
type PolicyConfig struct {
// Mode is the policy mode
// +kubebuilder:validation:Enum=file;database
// +kubebuilder:default="file"
// +optional
Mode string `json:"mode,omitempty"`
// Path is the path to the policy file
// +optional
Path string `json:"path,omitempty"`
}
PolicyConfig represents ACL policy configuration
func (*PolicyConfig) DeepCopy ¶
func (in *PolicyConfig) DeepCopy() *PolicyConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyConfig.
func (*PolicyConfig) DeepCopyInto ¶
func (in *PolicyConfig) DeepCopyInto(out *PolicyConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PostgresConfig ¶
type PostgresConfig struct {
// Host is the PostgreSQL host
// +optional
Host string `json:"host,omitempty"`
// Port is the PostgreSQL port
// +optional
Port int `json:"port,omitempty"`
// Name is the database name
// +optional
Name string `json:"name,omitempty"`
// User is the database user
// +optional
User string `json:"user,omitempty"`
// Pass is the database password
// +optional
Pass string `json:"pass,omitempty"`
// MaxOpenConns is the maximum number of open connections
// +kubebuilder:default=10
// +optional
MaxOpenConns int `json:"max_open_conns,omitempty"`
// MaxIdleConns is the maximum number of idle connections
// +kubebuilder:default=10
// +optional
MaxIdleConns int `json:"max_idle_conns,omitempty"`
// ConnMaxIdleTimeSecs is the maximum connection idle time in seconds
// +kubebuilder:default=3600
// +optional
ConnMaxIdleTimeSecs int `json:"conn_max_idle_time_secs,omitempty"`
// SSL indicates whether to use SSL
// +kubebuilder:default=false
// +optional
SSL *bool `json:"ssl,omitempty"`
}
PostgresConfig represents PostgreSQL configuration
func (*PostgresConfig) DeepCopy ¶
func (in *PostgresConfig) DeepCopy() *PostgresConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresConfig.
func (*PostgresConfig) DeepCopyInto ¶
func (in *PostgresConfig) DeepCopyInto(out *PostgresConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
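The defaults documented above for OIDCConfig, PKCEConfig and PostgresConfig (`pkce.enabled=false`, `ssl=false`, secrets accepted inline) can be checked before a resource is applied. The following is an added example, not code from the operator: the structs are trimmed local mirrors of the page's types, and `auditConfig`, `isTrue` and all sample values are hypothetical.

```go
package main

import "fmt"

// Trimmed local mirrors of the page's types; only the audited fields are kept.
type PKCEConfig struct {
	Enabled *bool
	Method  string
}

type OIDCConfig struct {
	Issuer           string
	ClientSecret     string
	ClientSecretPath string
	PKCE             PKCEConfig
}

type PostgresConfig struct {
	Host string
	Pass string
	SSL  *bool
}

// isTrue treats an unset pointer as false, matching the documented
// +kubebuilder:default=false on pkce.enabled and on ssl.
func isTrue(b *bool) bool { return b != nil && *b }

// auditConfig (hypothetical review helper) returns one finding per setting
// that keeps a secret in the resource spec or leaves a protection disabled.
func auditConfig(o OIDCConfig, pg PostgresConfig) []string {
	var findings []string
	if o.Issuer != "" { // OIDC is in use
		if o.ClientSecret != "" {
			findings = append(findings,
				"oidc.client_secret is inline in the spec; client_secret_path keeps it out of the object")
		}
		if !isTrue(o.PKCE.Enabled) {
			findings = append(findings, "oidc.pkce.enabled is false (the documented default)")
		} else if o.PKCE.Method == "plain" {
			findings = append(findings, "oidc.pkce.method is plain; S256 is the documented default")
		}
	}
	if pg.Host != "" { // PostgreSQL is in use
		if !isTrue(pg.SSL) {
			findings = append(findings, "postgres ssl is false (the documented default)")
		}
		if pg.Pass != "" {
			findings = append(findings, "postgres pass is inline in the spec")
		}
	}
	return findings
}

func main() {
	// Constructed sample configuration, not taken from any deployment.
	oidc := OIDCConfig{Issuer: "https://idp.example.test", ClientSecret: "constructed-secret"}
	pg := PostgresConfig{Host: "db.example.test", Pass: "constructed-pass"}
	for _, f := range auditConfig(oidc, pg) {
		fmt.Println("finding:", f)
	}
}
```

Anything written into the spec is readable by every principal with get or list access to the custom resource, which is why the inline secret fields are reported.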
type PrefixesConfig ¶
type PrefixesConfig struct {
// V4 is the IPv4 prefix for allocation
// +kubebuilder:validation:Pattern=`^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$`
// +kubebuilder:default="100.64.0.0/10"
// +optional
V4 string `json:"v4,omitempty"`
// V6 is the IPv6 prefix for allocation
// +kubebuilder:validation:Pattern=`^([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})/([0-9]{1,3})$`
// +kubebuilder:default="fd7a:115c:a1e0::/48"
// +optional
V6 string `json:"v6,omitempty"`
// Allocation strategy for IPs
// +kubebuilder:validation:Enum=sequential;random
// +kubebuilder:default="sequential"
// +optional
Allocation string `json:"allocation,omitempty"`
}
PrefixesConfig represents IP prefix configuration
func (*PrefixesConfig) DeepCopy ¶
func (in *PrefixesConfig) DeepCopy() *PrefixesConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixesConfig.
func (*PrefixesConfig) DeepCopyInto ¶
func (in *PrefixesConfig) DeepCopyInto(out *PrefixesConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
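The Pattern markers on V4 and V6 constrain only the textual shape of the value, so out-of-range octets and prefix lengths still match. The following added example (not the operator's own code) runs the page's two patterns next to a strict parse with `net/netip`; it assumes the patterns are evaluated with Go regexp syntax, and `checkPrefix` and the sample values are hypothetical.

```go
package main

import (
	"fmt"
	"net/netip"
	"regexp"
)

// Patterns copied verbatim from the kubebuilder markers on PrefixesConfig.
var (
	v4Pattern = regexp.MustCompile(`^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$`)
	v6Pattern = regexp.MustCompile(`^([0-9a-fA-F]{0,4}:){2,7}([0-9a-fA-F]{0,4})/([0-9]{1,3})$`)
)

// checkPrefix (hypothetical helper) reports whether the CRD pattern admits s
// and returns a non-nil error when s is not a usable prefix of that family.
func checkPrefix(s string, wantV6 bool) (bool, error) {
	re := v4Pattern
	if wantV6 {
		re = v6Pattern
	}
	patternOK := re.MatchString(s)

	// ParsePrefix range-checks octets, groups and the prefix length.
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return patternOK, fmt.Errorf("invalid prefix %q: %w", s, err)
	}
	a := p.Addr()
	isV6 := a.Is6() && !a.Is4In6()
	if (wantV6 && !isV6) || (!wantV6 && !a.Is4()) {
		return patternOK, fmt.Errorf("prefix %q is the wrong address family", s)
	}
	// A prefix with host bits set is ambiguous about the range it names.
	if p.Masked() != p {
		return patternOK, fmt.Errorf("prefix %q has host bits set, want %s", s, p.Masked())
	}
	return patternOK, nil
}

func main() {
	// Constructed sample values; the first and fourth are the page's defaults.
	samples := []struct {
		s  string
		v6 bool
	}{
		{"100.64.0.0/10", false},
		{"999.999.999.999/99", false},
		{"100.64.0.1/10", false},
		{"fd7a:115c:a1e0::/48", true},
		{"fd7a:::::/999", true},
	}
	for _, c := range samples {
		ok, err := checkPrefix(c.s, c.v6)
		fmt.Printf("%-22s pattern=%-5v strict=%v\n", c.s, ok, err)
	}
}
```

Every sample passes the pattern, but only the two documented defaults pass the strict parse, so a controller or admission check that consumes these fields should parse them rather than rely on the schema alone.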
type SqliteConfig ¶
type SqliteConfig struct {
// Path is the path to the SQLite database file
// +kubebuilder:default="/var/lib/headscale/db.sqlite"
// +optional
Path string `json:"path,omitempty"`
// WriteAheadLog enables WAL mode
// +kubebuilder:default=true
// +optional
WriteAheadLog *bool `json:"write_ahead_log,omitempty"`
// WALAutocheckpoint sets the WAL autocheckpoint value
// +kubebuilder:default=1000
// +optional
WALAutocheckpoint int `json:"wal_autocheckpoint,omitempty"`
}
SqliteConfig represents SQLite configuration
func (*SqliteConfig) DeepCopy ¶
func (in *SqliteConfig) DeepCopy() *SqliteConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SqliteConfig.
func (*SqliteConfig) DeepCopyInto ¶
func (in *SqliteConfig) DeepCopyInto(out *SqliteConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TLSConfig ¶
type TLSConfig struct {
// LetsEncryptHostname is the hostname for Let's Encrypt
// +optional
LetsEncryptHostname string `json:"letsencrypt_hostname,omitempty"`
// LetsEncryptCacheDir is the cache directory for Let's Encrypt
// +kubebuilder:default="/var/lib/headscale/cache"
// +optional
LetsEncryptCacheDir string `json:"letsencrypt_cache_dir,omitempty"`
// LetsEncryptChallengeType is the ACME challenge type
// +kubebuilder:validation:Enum=HTTP-01;TLS-ALPN-01
// +kubebuilder:default="HTTP-01"
// +optional
LetsEncryptChallengeType string `json:"letsencrypt_challenge_type,omitempty"`
// LetsEncryptListen is the address for Let's Encrypt challenge
// +kubebuilder:default=":http"
// +optional
LetsEncryptListen string `json:"letsencrypt_listen,omitempty"`
// CertPath is the path to the TLS certificate
// +optional
CertPath string `json:"cert_path,omitempty"`
// KeyPath is the path to the TLS key
// +optional
KeyPath string `json:"key_path,omitempty"`
}
TLSConfig represents TLS configuration
func (*TLSConfig) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfig.
func (*TLSConfig) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TaildropConfig ¶ added in v0.3.0
type TaildropConfig struct {
// Enabled indicates if Taildrop is enabled
// +optional
Enabled *bool `json:"enabled,omitempty"`
}
TaildropConfig represents Taildrop configuration
func (*TaildropConfig) DeepCopy ¶ added in v0.3.0
func (in *TaildropConfig) DeepCopy() *TaildropConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TaildropConfig.
func (*TaildropConfig) DeepCopyInto ¶ added in v0.3.0
func (in *TaildropConfig) DeepCopyInto(out *TaildropConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Tuning ¶ added in v0.3.0
type Tuning struct {
// NotifierSendTimeout is the maximum time to wait when sending notifications
// to connected clients about network changes.
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$`
// +optional
NotifierSendTimeout *string `json:"notifier_send_timeout,omitempty"`
// BatchChangeDelay controls how long to wait before sending batched updates
// to clients when multiple changes occur in rapid succession.
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$`
// +optional
BatchChangeDelay *string `json:"batch_change_delay,omitempty"`
// NodeMapSessionBufferedChanSize sets the buffer size for the channel that
// queues map updates to be sent to connected clients.
// +optional
NodeMapSessionBufferedChanSize *int `json:"node_map_session_buffered_chan_size,omitempty"`
// BatcherWorkers controls the number of parallel workers processing map
// updates for connected clients.
// +optional
BatcherWorkers *int `json:"batcher_workers,omitempty"`
// RegisterCacheCleanup is the interval between cleanup operations for
// expired registration cache entries.
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$`
// +optional
RegisterCacheCleanup *string `json:"register_cache_cleanup,omitempty"`
// RegisterCacheExpiration is how long registration cache entries remain
// valid before being eligible for cleanup.
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$`
// +optional
RegisterCacheExpiration *string `json:"register_cache_expiration,omitempty"`
// NodeStoreBatchSize controls how many write operations are accumulated
// before rebuilding the in-memory node snapshot.
//
// The NodeStore batches write operations (add/update/delete nodes) before
// rebuilding its in-memory data structures. Rebuilding involves recalculating
// peer relationships between all nodes based on the current ACL policy, which
// is computationally expensive and scales with the square of the number of nodes.
//
// By batching writes, Headscale can process N operations but only rebuild once,
// rather than rebuilding N times. This significantly reduces CPU usage during
// bulk operations like initial sync or policy updates.
//
// Trade-off: Higher values reduce CPU usage from rebuilds but increase latency
// for individual operations waiting for their batch to complete.
// +optional
NodeStoreBatchSize *int `json:"node_store_batch_size,omitempty"`
// NodeStoreBatchTimeout is the maximum time to wait before processing a
// partial batch of node operations.
//
// When NodeStoreBatchSize operations haven't accumulated, this timeout ensures
// writes don't wait indefinitely. The batch processes when either the size
// threshold is reached OR this timeout expires, whichever comes first.
//
// Trade-off: Lower values provide faster response for individual operations
// but trigger more frequent (expensive) peer map rebuilds. Higher values
// optimize for bulk throughput at the cost of individual operation latency.
// +kubebuilder:validation:Pattern=`^([0-9]+(\.[0-9]+)?(ns|us|µs|ms|s|m|h))+$`
// +optional
NodeStoreBatchTimeout *string `json:"node_store_batch_timeout,omitempty"`
}
Tuning contains advanced performance tuning parameters for Headscale. These settings control internal batching, timeouts, and resource allocation. The defaults are carefully chosen for typical deployments and should rarely need adjustment. Changes to these values can significantly impact performance and resource usage.
func (*Tuning) DeepCopy ¶ added in v0.3.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tuning.
func (*Tuning) DeepCopyInto ¶ added in v0.3.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.