// Server Security Profile
// For server deployments with strict isolation and enhanced auditing.
// NOTE(review): how each key is enforced depends on the tool that loads this
// profile, which is not shown here. The comments below describe the values
// that are set, not the loader's behaviour.
profile "Server" {
    version "1.0"
    description "Strict isolation with no desktop and enhanced auditing for servers"

    // Isolation settings (strict for server security)
    isolation {
        level "Strict"

        // Enabled below: mount, PID, network, IPC and UTS namespaces.
        // The user namespace is the only one switched off.
        namespaces {
            mount true
            pid true
            network true
            ipc true
            // NOTE(review): with no user namespace, UID 0 inside the sandbox
            // presumably is UID 0 on the host, so containment rests on the
            // MAC settings in `security` - confirm workloads run unprivileged.
            user false
            uts true
        }
    }

    // Desktop integration (disabled for headless): every desktop channel,
    // including clipboard and D-Bus, is turned off.
    desktop {
        integration false
        themes false
        fonts false
        clipboard false
        dbus false
    }

    // Network access (controlled for servers)
    network {
        access "Controlled"
        restrictions [
            "firewall_required"
            "rate_limiting"
        ]
        // NOTE(review): local-network access is on; confirm whether the
        // firewall rules below also apply to peers on the local network.
        allow_local_network true
        // Only allow rules are listed: TCP 22, 80 and 443.
        // NOTE(review): no explicit deny rule and no direction (in/out) is
        // given; presumably "firewall_required" implies default-deny for
        // everything else - verify against the loader. Port 22 is open to
        // whatever scope these rules cover; confirm that is intended.
        firewall_rules [
            "allow 22/tcp"
            "allow 80/tcp"
            "allow 443/tcp"
        ]
    }

    // Resource limits (high for server workloads)
    // NOTE(review): max_cpu 0.95 is presumably a fraction of available CPU -
    // confirm the unit.
    resources {
        max_memory "16GB"
        max_cpu 0.95
        max_disk "100GB"
        max_processes 500
        max_open_files 4096
    }

    // XDG enforcement (strict)
    xdg {
        enforce true
        redirect_legacy true
        strict_mode true
    }

    // Security settings (maximum for production)
    security {
        allow_system_units false
        audit_logging "Full"
        // NOTE(review): repeats isolation.namespaces.network (also true).
        // Which of the two wins on disagreement is not visible here; keep
        // them in step.
        network_namespace true
        filesystem_isolation true
        // NOTE(review): presumably needs a host running SELinux in enforcing
        // mode; confirm the profile fails closed on hosts without it.
        selinux_enforcing true
        mandatory_access_control true
    }

    // Default packages for servers
    // NOTE(review): postgresql and redis have no matching firewall rule above,
    // so they are presumably not meant to be reachable from outside. With
    // allow_local_network true, confirm each one binds to loopback or
    // requires authentication.
    recommended_packages [
        "nginx"
        "postgresql"
        "redis"
        "fail2ban"
    ]
}