# /etc/sysconfig/termland-server
# Configuration for termland-server systemd service.
# After editing, restart the service: systemctl restart termland-server

# ─── Network ──────────────────────────────────────────────────────────────────
# Bind address. Use 0.0.0.0 to accept connections from any interface,
# or 127.0.0.1 for localhost-only (e.g. behind an SSH tunnel or reverse proxy).
TERMLAND_BIND=0.0.0.0

# TCP port to listen on. Default: 7867 ("TL" in ASCII).
TERMLAND_PORT=7867

# ─── TLS Encryption ──────────────────────────────────────────────────────────
# Enable TLS for all TCP connections. Highly recommended for non-localhost.
# If no certificate paths are given, a self-signed cert is auto-generated
# in /root/.config/termland/ on first startup.
#
# To use your own certificate (e.g. from Let's Encrypt):
#   TERMLAND_TLS_FLAGS=--tls --tls-cert /etc/letsencrypt/live/myhost/fullchain.pem --tls-key /etc/letsencrypt/live/myhost/privkey.pem
#
# To use auto-generated self-signed certificate:
#   TERMLAND_TLS_FLAGS=--tls
#
# To disable TLS (only safe behind SSH tunnel or on localhost):
#   TERMLAND_TLS_FLAGS=
TERMLAND_TLS_FLAGS=--tls

# ─── Authentication ───────────────────────────────────────────────────────────
# Require PAM authentication before session creation.
# Uses the "termland" PAM service if /etc/pam.d/termland exists,
# otherwise falls back to the system "login" service.
#
# PAM supports any auth backend your system is configured for:
# local passwords, LDAP, Kerberos, SSSD, TOTP/2FA modules, etc.
#
# Note: PAM auth requires the server to run as root (or with
# read access to /etc/shadow). For SSH subsystem mode, auth is
# handled by sshd so this flag is ignored.
#
# To enable:  TERMLAND_AUTH_FLAGS=--auth
# To disable: TERMLAND_AUTH_FLAGS=
TERMLAND_AUTH_FLAGS=--auth

# ─── Logging ──────────────────────────────────────────────────────────────────
# Control log verbosity via the RUST_LOG environment variable.
# Levels: error, warn, info, debug, trace
# Examples:
#   RUST_LOG=info                      — default, session lifecycle + errors
#   RUST_LOG=debug                     — include frame stats, input events
#   RUST_LOG=termland_server=debug     — verbose server only, deps at info
#   RUST_LOG=warn                      — errors and warnings only (production)
RUST_LOG=info
