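# --- vCenter connection (defaults secure) ---
# Comments are kept on their own lines: several env-file loaders do not strip
# trailing "# ..." text, so an inline comment can become part of the value
# (INSECURE read as "false # ...", or comment text read as the CA bundle path).
VCENTER_HOST=vcsa.example.local
# NOTE(review): administrator@vsphere.local is the SSO administrator. A dedicated
# service account holding only the privileges the exposed tools need limits the
# damage if this file or the server is compromised.
VCENTER_USER=administrator@vsphere.local
# Placeholder. Set a real value only in the deployed copy and keep that copy out
# of version control with restrictive file permissions.
VCENTER_PASSWORD=CHANGE_ME
# api|rest
VSPHERE_API_MODE=api
# true disables SSL verify (not recommended). With verification off, the
# credentials above are sent to whatever endpoint answers. For a private CA,
# set VCENTER_CA_BUNDLE instead.
INSECURE=false
# optional path to custom CA bundle
VCENTER_CA_BUNDLE=
# presumably seconds, going by the _S suffix
VCENTER_TIMEOUT_S=20
VCENTER_RETRIES=3
VCENTER_BACKOFF=0.5
# Comma-separated host list. Presumably an allowlist of vCenter hosts the server
# may connect to (confirm against the loader); keep it as narrow as possible.
ALLOWED_VCENTER_HOSTS=vcsa.example.local,vcsa-dr.example.local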
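# --- Server ---
SERVER_NAME=vsphere-mcp-pro
# 0.0.0.0 listens on every interface. Bind to 127.0.0.1 or a management-network
# address unless remote clients need direct access.
# NOTE(review): no TLS setting appears in this file. If the listener is plain
# HTTP, bearer tokens cross the network in clear text, so put a TLS-terminating
# proxy in front.
SERVER_HOST=0.0.0.0
SERVER_PORT=8000
MCP_PATH=/mcp
# blank => stdout
# The comment sits on its own line so that loaders which keep trailing "# ..."
# text do not treat it as the log path.
AUDIT_LOG_PATH=
VERBOSE_DEFAULT=false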
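# --- Auth & RBAC (Bearer tokens) ---
# Keep true. Presumably false lets unauthenticated callers reach the tools
# (confirm against the server code).
AUTH_ENFORCE=true
# JSON object mapping bearer token -> role. The tokens below are placeholders:
# replace each with a long random value (e.g. 32+ bytes from a CSPRNG), use a
# distinct token per client, and rotate them if this file is ever exposed.
TOKENS_TO_ROLES={"readonly":"read","ops-secret":"ops","admin-secret":"admin"}
# JSON object mapping role -> tools that role may call. It is kept on ONE line
# because most env-file loaders do not support unquoted multi-line values: the
# value would be truncated to "{" and the remaining lines dropped or rejected.
# NOTE(review): "admin" lists only delete_vm and modify_vm_resources. Whether a
# role inherits tools from "read"/"ops" is not visible here, so confirm how the
# server resolves roles. If it does not inherit, an admin token cannot list or
# power-cycle VMs.
ROLES_TO_TOOLS={"read":["list_vms","get_vm_details","list_hosts","list_datastores","list_networks","list_datacenters","get_datastore_usage","get_resource_utilization_summary","list_vm_snapshots"],"ops":["power_on_vm","power_off_vm","restart_vm","create_vm_snapshot","delete_vm_snapshot","list_vm_snapshots"],"admin":["delete_vm","modify_vm_resources"]}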
# --- Rate limiting ---
# Toggle for request rate limiting. Leaving it on bounds how fast any client
# can drive vCenter operations through this server.
RATE_LIMIT=true
# Presumably the sustained requests-per-second allowance (confirm against the
# limiter: whether it is applied per token, per client address or globally is
# not visible here).
RATE_LIMIT_RPS=5
# Presumably the short-term burst allowance above the sustained rate (confirm).
RATE_LIMIT_BURST=10