# full-hybrid.toml — Hybrid-native workload with all options for Volt
#
# Exercises every configurable isolation knob:
#   - Custom kernel profile
#   - Strict seccomp
#   - Landlock LSM (no AppArmor, ever)
#   - Full cgroups v2 resource limits
#   - CPU pinning
#   - I/O weight control
#   - Network port forwarding
#   - Read-only rootfs layer
#   - Private user namespace

[workload]
name = "test-hybrid-full"
type = "hybrid"
image = "ubuntu:24.04"

[resources]
memory = "2G"
memory_soft = "1G"
cpu_weight = 200
cpu_set = "0-1"
io_weight = 150
pids_max = 8192

[network]
mode = "private"
bridge = "voltbr0"
dns = ["1.1.1.1", "1.0.0.1"]

[[network.port_forward]]
host_port = 8080
container_port = 80
protocol = "tcp"

[[network.port_forward]]
host_port = 8443
container_port = 443
protocol = "tcp"

[kernel]
profile = "server"
# custom_path = "/var/lib/volt/kernels/vmlinuz-custom"

[security]
seccomp = "strict"
landlock = "server"
private_users = true
read_only_rootfs = false

[environment]
VOLT_ENV = "test"
APP_MODE = "production"
LOG_LEVEL = "info"

[[volumes]]
host_path = "/tmp/volt-test-data"
container_path = "/data"
read_only = false

[[volumes]]
host_path = "/etc/ssl/certs"
container_path = "/etc/ssl/certs"
read_only = true