config: add missing options

config/options.go

@@ -14,11 +14,12 @@ import (
 	"strings"
 	"time"
 
+	envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	"github.com/mitchellh/mapstructure"
 	"github.com/rs/zerolog"
 	"github.com/spf13/viper"
 	"github.com/volatiletech/null/v9"
-	"google.golang.org/protobuf/proto"
+	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/pomerium/pomerium/internal/atomicutil"
 	"github.com/pomerium/pomerium/internal/hashutil"
@@ -31,6 +32,7 @@ import (
 	"github.com/pomerium/pomerium/internal/urlutil"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/grpc/config"
+	"github.com/pomerium/pomerium/pkg/grpc/crypt"
 	"github.com/pomerium/pomerium/pkg/hpke"
 )
 
@@ -1318,232 +1320,94 @@ func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)
 		return
 	}
 
-	if settings.InstallationId != nil {
+	set(&o.InstallationID, settings.InstallationId)
-		o.InstallationID = settings.GetInstallationId()
+	set(&o.Debug, settings.Debug)
-	}
+	set(&o.LogLevel, settings.LogLevel)
-	if settings.Debug != nil {
+	set(&o.ProxyLogLevel, settings.ProxyLogLevel)
-		o.Debug = settings.GetDebug()
+	set(&o.SharedKey, settings.SharedSecret)
-	}
+	set(&o.SharedSecretFile, settings.SharedSecretFile)
-	if settings.LogLevel != nil {
+	set(&o.Services, settings.Services)
-		o.LogLevel = settings.GetLogLevel()
+	set(&o.Addr, settings.Address)
-	}
+	set(&o.InsecureServer, settings.InsecureServer)
-	if settings.ProxyLogLevel != nil {
+	set(&o.DNSLookupFamily, settings.DnsLookupFamily)
-		o.ProxyLogLevel = settings.GetProxyLogLevel()
-	}
-	if settings.SharedSecret != nil {
-		o.SharedKey = settings.GetSharedSecret()
-	}
-	if settings.Services != nil {
-		o.Services = settings.GetServices()
-	}
-	if settings.Address != nil {
-		o.Addr = settings.GetAddress()
-	}
-	if settings.InsecureServer != nil {
-		o.InsecureServer = settings.GetInsecureServer()
-	}
-	if settings.DnsLookupFamily != nil {
-		o.DNSLookupFamily = settings.GetDnsLookupFamily()
-	}
 	o.applyExternalCerts(ctx, settings.GetCertificates())
-	if settings.HttpRedirectAddr != nil {
+	set(&o.HTTPRedirectAddr, settings.HttpRedirectAddr)
-		o.HTTPRedirectAddr = settings.GetHttpRedirectAddr()
+	setDuration(&o.ReadTimeout, settings.TimeoutRead)
-	}
+	setDuration(&o.WriteTimeout, settings.TimeoutWrite)
-	if settings.TimeoutRead != nil {
+	setDuration(&o.IdleTimeout, settings.TimeoutIdle)
-		o.ReadTimeout = settings.GetTimeoutRead().AsDuration()
+	set(&o.AuthenticateURLString, settings.AuthenticateServiceUrl)
-	}
+	set(&o.AuthenticateInternalURLString, settings.AuthenticateInternalServiceUrl)
-	if settings.TimeoutWrite != nil {
+	set(&o.SignOutRedirectURLString, settings.SignoutRedirectUrl)
-		o.WriteTimeout = settings.GetTimeoutWrite().AsDuration()
+	set(&o.AuthenticateCallbackPath, settings.AuthenticateCallbackPath)
-	}
+	set(&o.CookieName, settings.CookieName)
-	if settings.TimeoutIdle != nil {
+	set(&o.CookieSecret, settings.CookieSecret)
-		o.IdleTimeout = settings.GetTimeoutIdle().AsDuration()
+	set(&o.CookieSecretFile, settings.CookieSecretFile)
-	}
+	set(&o.CookieDomain, settings.CookieDomain)
-	if settings.AuthenticateServiceUrl != nil {
+	set(&o.CookieSecure, settings.CookieSecure)
-		o.AuthenticateURLString = settings.GetAuthenticateServiceUrl()
+	set(&o.CookieHTTPOnly, settings.CookieHttpOnly)
-	}
+	setDuration(&o.CookieExpire, settings.CookieExpire)
-	if settings.AuthenticateInternalServiceUrl != nil {
+	set(&o.ClientID, settings.IdpClientId)
-		o.AuthenticateInternalURLString = settings.GetAuthenticateInternalServiceUrl()
+	set(&o.ClientSecret, settings.IdpClientSecret)
-	}
+	set(&o.ClientSecretFile, settings.IdpClientSecretFile)
-	if settings.AuthenticateCallbackPath != nil {
+	set(&o.Provider, settings.IdpProvider)
-		o.AuthenticateCallbackPath = settings.GetAuthenticateCallbackPath()
+	set(&o.ProviderURL, settings.IdpProviderUrl)
-	}
+	setSlice(&o.Scopes, settings.Scopes)
-	if settings.CookieName != nil {
+	setMap(&o.RequestParams, settings.RequestParams)
-		o.CookieName = settings.GetCookieName()
+	setSlice(&o.AuthorizeURLStrings, settings.AuthorizeServiceUrls)
-	}
+	set(&o.AuthorizeInternalURLString, settings.AuthorizeInternalServiceUrl)
-	if settings.CookieSecret != nil {
+	set(&o.OverrideCertificateName, settings.OverrideCertificateName)
-		o.CookieSecret = settings.GetCookieSecret()
+	set(&o.CA, settings.CertificateAuthority)
-	}
+	set(&o.CAFile, settings.CertificateAuthorityFile)
-	if settings.CookieDomain != nil {
+	setOptional(&o.DeriveInternalDomainCert, settings.DeriveTls)
-		o.CookieDomain = settings.GetCookieDomain()
+	set(&o.SigningKey, settings.SigningKey)
-	}
+	set(&o.SigningKeyFile, settings.SigningKeyFile)
-	if settings.CookieSecure != nil {
+	setMap(&o.SetResponseHeaders, settings.SetResponseHeaders)
-		o.CookieSecure = settings.GetCookieSecure()
+	setMap(&o.JWTClaimsHeaders, settings.JwtClaimsHeaders)
-	}
+	setDuration(&o.DefaultUpstreamTimeout, settings.DefaultUpstreamTimeout)
-	if settings.CookieHttpOnly != nil {
+	set(&o.MetricsAddr, settings.MetricsAddress)
-		o.CookieHTTPOnly = settings.GetCookieHttpOnly()
+	set(&o.MetricsBasicAuth, settings.MetricsBasicAuth)
-	}
+	setCertificate(&o.MetricsCertificate, &o.MetricsCertificateKey, &o.MetricsCertificateFile, &o.MetricsCertificateKeyFile, settings.MetricsCertificate)
-	if settings.CookieExpire != nil {
+	set(&o.MetricsClientCA, settings.MetricsClientCa)
-		o.CookieExpire = settings.GetCookieExpire().AsDuration()
+	set(&o.MetricsClientCAFile, settings.MetricsClientCaFile)
-	}
+	set(&o.TracingProvider, settings.TracingProvider)
-	if settings.IdpClientId != nil {
+	set(&o.TracingSampleRate, settings.TracingSampleRate)
-		o.ClientID = settings.GetIdpClientId()
+	set(&o.TracingDatadogAddress, settings.TracingDatadogAddress)
-	}
+	set(&o.TracingJaegerCollectorEndpoint, settings.TracingJaegerCollectorEndpoint)
-	if settings.IdpClientSecret != nil {
+	set(&o.TracingJaegerAgentEndpoint, settings.TracingJaegerAgentEndpoint)
-		o.ClientSecret = settings.GetIdpClientSecret()
+	set(&o.ZipkinEndpoint, settings.TracingZipkinEndpoint)
-	}
+	set(&o.GRPCAddr, settings.GrpcAddress)
-	if settings.IdpProvider != nil {
+	setOptional(&o.GRPCInsecure, settings.GrpcInsecure)
-		o.Provider = settings.GetIdpProvider()
+	setDuration(&o.GRPCClientTimeout, settings.GrpcClientTimeout)
-	}
+	set(&o.GRPCClientDNSRoundRobin, settings.GrpcClientDnsRoundrobin)
-	if settings.IdpProviderUrl != nil {
+	setSlice(&o.DataBrokerURLStrings, settings.DatabrokerServiceUrls)
-		o.ProviderURL = settings.GetIdpProviderUrl()
+	set(&o.DataBrokerInternalURLString, settings.DatabrokerInternalServiceUrl)
-	}
+	set(&o.DataBrokerStorageType, settings.DatabrokerStorageType)
-	if len(settings.Scopes) > 0 {
+	set(&o.DataBrokerStorageConnectionString, settings.DatabrokerStorageConnectionString)
-		o.Scopes = settings.Scopes
+	set(&o.DataBrokerStorageCertFile, settings.DatabrokerStorageCertFile)
-	}
+	set(&o.DataBrokerStorageCertKeyFile, settings.DatabrokerStorageKeyFile)
-	if settings.RequestParams != nil && len(settings.RequestParams) > 0 {
+	set(&o.DataBrokerStorageCAFile, settings.DatabrokerStorageCaFile)
-		o.RequestParams = settings.RequestParams
+	set(&o.DataBrokerStorageCertSkipVerify, settings.DatabrokerStorageTlsSkipVerify)
-	}
+	set(&o.ClientCA, settings.ClientCa)
-	if len(settings.AuthorizeServiceUrls) > 0 {
+	set(&o.ClientCAFile, settings.ClientCaFile)
-		o.AuthorizeURLStrings = settings.GetAuthorizeServiceUrls()
+	set(&o.GoogleCloudServerlessAuthenticationServiceAccount, settings.GoogleCloudServerlessAuthenticationServiceAccount)
-	}
+	set(&o.UseProxyProtocol, settings.UseProxyProtocol)
-	if settings.AuthorizeInternalServiceUrl != nil {
+	set(&o.AutocertOptions.Enable, settings.Autocert)
-		o.AuthorizeInternalURLString = settings.GetAuthorizeInternalServiceUrl()
+	set(&o.AutocertOptions.CA, settings.AutocertCa)
-	}
+	set(&o.AutocertOptions.Email, settings.AutocertEmail)
-	if settings.OverrideCertificateName != nil {
+	set(&o.AutocertOptions.EABKeyID, settings.AutocertEabKeyId)
-		o.OverrideCertificateName = settings.GetOverrideCertificateName()
+	set(&o.AutocertOptions.EABMACKey, settings.AutocertEabMacKey)
-	}
+	set(&o.AutocertOptions.UseStaging, settings.AutocertUseStaging)
-	if settings.CertificateAuthority != nil {
+	set(&o.AutocertOptions.MustStaple, settings.AutocertMustStaple)
-		o.CA = settings.GetCertificateAuthority()
+	set(&o.AutocertOptions.Folder, settings.AutocertDir)
-	}
+	set(&o.AutocertOptions.TrustedCA, settings.AutocertTrustedCa)
-	if settings.CertificateAuthorityFile != nil {
+	set(&o.AutocertOptions.TrustedCAFile, settings.AutocertTrustedCaFile)
-		o.CAFile = settings.GetCertificateAuthorityFile()
+	set(&o.SkipXffAppend, settings.SkipXffAppend)
-	}
+	set(&o.XffNumTrustedHops, settings.XffNumTrustedHops)
-	if settings.SigningKey != nil {
+	setSlice(&o.ProgrammaticRedirectDomainWhitelist, settings.ProgrammaticRedirectDomainWhitelist)
-		o.SigningKey = settings.GetSigningKey()
+	setAuditKey(&o.AuditKey, settings.AuditKey)
-	}
+	setCodecType(&o.CodecType, settings.CodecType)
-	if settings.SetResponseHeaders != nil && len(settings.SetResponseHeaders) > 0 {
+	set(&o.ClientCRL, settings.ClientCrl)
-		o.SetResponseHeaders = settings.SetResponseHeaders
+	set(&o.ClientCRLFile, settings.ClientCrlFile)
-	}
-	if len(settings.JwtClaimsHeaders) > 0 {
-		o.JWTClaimsHeaders = settings.GetJwtClaimsHeaders()
-	}
-	if settings.DefaultUpstreamTimeout != nil {
-		o.DefaultUpstreamTimeout = settings.GetDefaultUpstreamTimeout().AsDuration()
-	}
-	if settings.MetricsAddress != nil {
-		o.MetricsAddr = settings.GetMetricsAddress()
-	}
-	if settings.MetricsBasicAuth != nil {
-		o.MetricsBasicAuth = settings.GetMetricsBasicAuth()
-	}
-	if len(settings.GetMetricsCertificate().GetCertBytes()) > 0 {
-		o.MetricsCertificate = base64.StdEncoding.EncodeToString(settings.GetMetricsCertificate().GetCertBytes())
-	}
-	if len(settings.GetMetricsCertificate().GetKeyBytes()) > 0 {
-		o.MetricsCertificateKey = base64.StdEncoding.EncodeToString(settings.GetMetricsCertificate().GetKeyBytes())
-	}
-	if settings.GetMetricsCertificate().GetCertFile() != "" {
-		o.MetricsCertificateFile = settings.GetMetricsCertificate().GetCertFile()
-	}
-	if settings.GetMetricsCertificate().GetKeyFile() != "" {
-		o.MetricsCertificateKeyFile = settings.GetMetricsCertificate().GetKeyFile()
-	}
-	if settings.GetMetricsClientCa() != "" {
-		o.MetricsClientCA = settings.GetMetricsClientCa()
-	}
-	if settings.GetMetricsClientCaFile() != "" {
-		o.MetricsClientCAFile = settings.GetMetricsClientCaFile()
-	}
-	if settings.TracingProvider != nil {
-		o.TracingProvider = settings.GetTracingProvider()
-	}
-	if settings.TracingSampleRate != nil {
-		o.TracingSampleRate = settings.GetTracingSampleRate()
-	}
-	if settings.TracingJaegerCollectorEndpoint != nil {
-		o.TracingJaegerCollectorEndpoint = settings.GetTracingJaegerCollectorEndpoint()
-	}
-	if settings.TracingJaegerAgentEndpoint != nil {
-		o.TracingJaegerAgentEndpoint = settings.GetTracingJaegerAgentEndpoint()
-	}
-	if settings.TracingZipkinEndpoint != nil {
-		o.ZipkinEndpoint = settings.GetTracingZipkinEndpoint()
-	}
-	if settings.GrpcAddress != nil {
-		o.GRPCAddr = settings.GetGrpcAddress()
-	}
-	if settings.GrpcInsecure != nil {
-		o.GRPCInsecure = proto.Bool(settings.GetGrpcInsecure())
-	}
-	if len(settings.DatabrokerServiceUrls) > 0 {
-		o.DataBrokerURLStrings = settings.GetDatabrokerServiceUrls()
-	}
-	if settings.DatabrokerInternalServiceUrl != nil {
-		o.DataBrokerInternalURLString = settings.GetDatabrokerInternalServiceUrl()
-	}
-	if settings.ClientCa != nil {
-		o.ClientCA = settings.GetClientCa()
-	}
-	if settings.ClientCaFile != nil {
-		o.ClientCAFile = settings.GetClientCaFile()
-	}
-	if settings.GoogleCloudServerlessAuthenticationServiceAccount != nil {
-		o.GoogleCloudServerlessAuthenticationServiceAccount = settings.GetGoogleCloudServerlessAuthenticationServiceAccount()
-	}
-	if settings.Autocert != nil {
-		o.AutocertOptions.Enable = settings.GetAutocert()
-	}
-	if settings.AutocertCa != nil {
-		o.AutocertOptions.CA = settings.GetAutocertCa()
-	}
-	if settings.AutocertEmail != nil {
-		o.AutocertOptions.Email = settings.GetAutocertEmail()
-	}
-	if settings.AutocertEabKeyId != nil {
-		o.AutocertOptions.EABKeyID = settings.GetAutocertEabKeyId()
-	}
-	if settings.AutocertEabMacKey != nil {
-		o.AutocertOptions.EABMACKey = settings.GetAutocertEabMacKey()
-	}
-	if settings.AutocertUseStaging != nil {
-		o.AutocertOptions.UseStaging = settings.GetAutocertUseStaging()
-	}
-	if settings.AutocertMustStaple != nil {
-		o.AutocertOptions.MustStaple = settings.GetAutocertMustStaple()
-	}
-	if settings.AutocertDir != nil {
-		o.AutocertOptions.Folder = settings.GetAutocertDir()
-	}
-	if settings.AutocertTrustedCa != nil {
-		o.AutocertOptions.TrustedCA = settings.GetAutocertTrustedCa()
-	}
-	if settings.AutocertTrustedCaFile != nil {
-		o.AutocertOptions.TrustedCAFile = settings.GetAutocertTrustedCaFile()
-	}
-	if settings.SkipXffAppend != nil {
-		o.SkipXffAppend = settings.GetSkipXffAppend()
-	}
-	if settings.XffNumTrustedHops != nil {
-		o.XffNumTrustedHops = settings.GetXffNumTrustedHops()
-	}
-	if len(settings.ProgrammaticRedirectDomainWhitelist) > 0 {
-		o.ProgrammaticRedirectDomainWhitelist = settings.GetProgrammaticRedirectDomainWhitelist()
-	}
-	if settings.AuditKey != nil {
-		o.AuditKey = &PublicKeyEncryptionKeyOptions{
-			ID:   settings.AuditKey.GetId(),
-			Data: base64.StdEncoding.EncodeToString(settings.AuditKey.GetData()),
-		}
-	}
-	if settings.CodecType != nil {
-		o.CodecType = CodecTypeFromEnvoy(settings.GetCodecType())
-	}
-	if settings.ClientCrl != nil {
-		o.ClientCRL = settings.GetClientCrl()
-	}
-	if settings.ClientCrlFile != nil {
-		o.ClientCRLFile = settings.GetClientCrlFile()
-	}
 	o.BrandingOptions = settings
 }
 
@@ -1591,3 +1455,79 @@ func min(x, y int) int {
 func NewAtomicOptions() *atomicutil.Value[*Options] {
 	return atomicutil.NewValue(new(Options))
 }
+
+func set[T any](dst, src *T) {
+	if src == nil {
+		return
+	}
+	*dst = *src
+}
+
+func setAuditKey(dst **PublicKeyEncryptionKeyOptions, src *crypt.PublicKeyEncryptionKey) {
+	if src == nil {
+		return
+	}
+	*dst = &PublicKeyEncryptionKeyOptions{
+		ID:   src.GetId(),
+		Data: base64.StdEncoding.EncodeToString(src.GetData()),
+	}
+}
+
+func setCodecType(dst *CodecType, src *envoy_http_connection_manager.HttpConnectionManager_CodecType) {
+	if src == nil {
+		return
+	}
+	*dst = CodecTypeFromEnvoy(*src)
+}
+
+func setDuration(dst *time.Duration, src *durationpb.Duration) {
+	if src == nil {
+		return
+	}
+	*dst = src.AsDuration()
+}
+
+func setOptional[T any](dst **T, src *T) {
+	if src == nil {
+		return
+	}
+	*dst = &(*src)
+}
+
+func setSlice[T any](dst *[]T, src []T) {
+	if len(src) == 0 {
+		return
+	}
+	*dst = src
+}
+
+func setMap[TKey comparable, TValue any, TMap ~map[TKey]TValue](dst *TMap, src map[TKey]TValue) {
+	if src == nil || len(src) == 0 {
+		return
+	}
+	*dst = src
+}
+
+func setCertificate(
+	dstCertificate *string,
+	dstCertificateKey *string,
+	dstCertificateFile *string,
+	dstCertificateKeyFile *string,
+	src *config.Settings_Certificate,
+) {
+	if src == nil {
+		return
+	}
+	if len(src.GetCertBytes()) > 0 {
+		*dstCertificate = base64.StdEncoding.EncodeToString(src.GetCertBytes())
+	}
+	if len(src.GetKeyBytes()) > 0 {
+		*dstCertificateKey = base64.StdEncoding.EncodeToString(src.GetKeyBytes())
+	}
+	if src.GetCertFile() != "" {
+		*dstCertificateFile = src.GetCertFile()
+	}
+	if src.GetKeyFile() != "" {
+		*dstCertificateKeyFile = src.GetKeyFile()
+	}
+}

pkg/grpc/config/config.proto

@@ -145,6 +145,7 @@ message Settings {
   optional string log_level = 3;
   optional string proxy_log_level = 4;
   optional string shared_secret = 5;
+  optional string shared_secret_file = 92;
   optional string services = 6;
   optional string address = 7;
   optional bool insecure_server = 8;
@@ -156,15 +157,18 @@ message Settings {
   optional google.protobuf.Duration timeout_idle = 13;
   optional string authenticate_service_url = 14;
   optional string authenticate_internal_service_url = 82;
+  optional string signout_redirect_url = 93;
   optional string authenticate_callback_path = 15;
   optional string cookie_name = 16;
   optional string cookie_secret = 17;
+  optional string cookie_secret_file = 94;
   optional string cookie_domain = 18;
   optional bool cookie_secure = 19;
   optional bool cookie_http_only = 20;
   optional google.protobuf.Duration cookie_expire = 21;
   optional string idp_client_id = 22;
   optional string idp_client_secret = 23;
+  optional string idp_client_secret_file = 95;
   optional string idp_provider = 24;
   optional string idp_provider_url = 25;
   repeated string scopes = 26;
@@ -177,7 +181,9 @@ message Settings {
   optional string override_certificate_name = 33;
   optional string certificate_authority = 34;
   optional string certificate_authority_file = 35;
+  optional string derive_tls = 96;
   optional string signing_key = 36;
+  optional string signing_key_file = 97;
   map<string, string> set_response_headers = 69;
   // repeated string jwt_claims_headers = 37;
   map<string, string> jwt_claims_headers = 63;
@@ -189,35 +195,50 @@ message Settings {
   optional string metrics_client_ca_file = 67;
   optional string tracing_provider = 41;
   optional double tracing_sample_rate = 42;
+  optional string tracing_datadog_address = 98;
   optional string tracing_jaeger_collector_endpoint = 43;
   optional string tracing_jaeger_agent_endpoint = 44;
   optional string tracing_zipkin_endpoint = 45;
   optional string grpc_address = 46;
   optional bool grpc_insecure = 47;
+  optional google.protobuf.Duration grpc_client_timeout = 99;
+  optional bool grpc_client_dns_roundrobin = 100;
   // optional string forward_auth_url = 50;
   repeated string databroker_service_urls = 52;
   optional string databroker_internal_service_url = 84;
+  optional string databroker_storage_type = 101;
+  optional string databroker_storage_connection_string = 102;
+  optional string databroker_storage_cert_file = 103;
+  optional string databroker_storage_key_file = 104;
+  optional string databroker_storage_ca_file = 105;
+  optional bool databroker_storage_tls_skip_verify = 106;
   optional string client_ca = 53;
   optional string client_ca_file = 54;
   optional string client_crl = 74;
   optional string client_crl_file = 75;
   optional string google_cloud_serverless_authentication_service_account = 55;
+  optional bool use_proxy_protocol = 107;
   optional bool autocert = 56;
   optional string autocert_ca = 76;
   optional string autocert_email = 77;
+  optional bool autocert_use_staging = 57;
   optional string autocert_eab_key_id = 78;
   optional string autocert_eab_mac_key = 79;
-  optional string autocert_trusted_ca = 80;
-  optional string autocert_trusted_ca_file = 81;
-  optional bool autocert_use_staging = 57;
   optional bool autocert_must_staple = 58;
   optional string autocert_dir = 59;
+  optional string autocert_trusted_ca = 80;
+  optional string autocert_trusted_ca_file = 81;
   optional bool skip_xff_append = 61;
   optional uint32 xff_num_trusted_hops = 70;
+  optional string envoy_admin_access_log_path = 108;
+  optional string envoy_admin_profile_path = 109;
+  optional string envoy_admin_address = 110;
+  optional string envoy_bind_config_source_address = 111;
+  optional string envoy_bind_config_freebind = 112;
   repeated string programmatic_redirect_domain_whitelist = 68;
-  optional pomerium.crypt.PublicKeyEncryptionKey audit_key = 72;
   optional envoy.extensions.filters.network.http_connection_manager.v3
       .HttpConnectionManager.CodecType codec_type = 73;
+  optional pomerium.crypt.PublicKeyEncryptionKey audit_key = 72;
   optional string primary_color = 85;
   optional string secondary_color = 86;
   optional string darkmode_primary_color = 87;