feat: Add comprehensive YAML-based configuration system for bssh-server (#130)

ARCHITECTURE.md

@@ -190,12 +190,15 @@ Common utilities for code reuse between bssh client and server implementations:
 The `security` and `jump::rate_limiter` modules re-export from shared for backward compatibility.
 
 ### SSH Server Module
+**Documentation**: [docs/architecture/server-configuration.md](./docs/architecture/server-configuration.md)
 
 SSH server implementation using the russh library for accepting incoming connections:
 
 **Structure** (`src/server/`):
 - `mod.rs` - `BsshServer` struct and `russh::server::Server` trait implementation
-- `config.rs` - `ServerConfig` with builder pattern for server settings
+- `config/mod.rs` - Module exports and backward compatibility layer
+- `config/types.rs` - Comprehensive configuration types with serde
+- `config/loader.rs` - Config loader with validation and environment overrides
 - `handler.rs` - `SshHandler` implementing `russh::server::Handler` trait
 - `session.rs` - Session state management (`SessionManager`, `SessionInfo`, `ChannelState`)
 - `exec.rs` - Command execution for SSH exec requests
@@ -209,13 +212,29 @@ SSH server implementation using the russh library for accepting incoming connect
   - Configures russh with authentication settings
   - Creates shared rate limiter for authentication attempts
 
+- **Server Configuration System**: Dual configuration system for flexibility
+  - **Builder API** (`ServerConfig`): Programmatic configuration for embedded use
+  - **File-Based** (`ServerFileConfig`): YAML configuration with environment overrides
+  - Configuration precedence: CLI > Environment > File > Defaults
+  - Configuration validation at startup (host keys, CIDR ranges, paths)
+  - Support for BSSH_* environment variable overrides
+
 - **ServerConfig**: Configuration options with builder pattern
   - Host key paths and listen address
   - Connection limits and timeouts
   - Authentication method toggles (password, publickey, keyboard-interactive)
   - Public key authentication configuration (authorized_keys location)
   - Command execution configuration (shell, timeout, allowed/blocked commands)
 
+- **ServerFileConfig**: Comprehensive YAML file configuration
+  - Server settings (bind address, port, host keys, keepalive)
+  - Authentication (public key, password with inline or file-based users)
+  - Shell configuration (default shell, environment, command timeout)
+  - SFTP/SCP enablement with optional chroot
+  - File transfer filtering rules
+  - Audit logging (file, OpenTelemetry, Logstash exporters)
+  - Security settings (auth attempts, bans, session limits, IP allowlist/blocklist)
+
 - **SshHandler**: Per-connection handler for SSH protocol events
   - Public key authentication via AuthProvider trait
   - Rate limiting for authentication attempts

Cargo.toml

@@ -53,6 +53,7 @@ fastrand = "2.3.0"
 tokio-util = "0.7.17"
 shell-words = "1.1.1"
 libc = "0.2"
+ipnetwork = "0.20"
 
 [target.'cfg(target_os = "macos")'.dependencies]
 security-framework = "3.5.1"

docs/architecture/README.md

@@ -32,6 +32,7 @@ bssh is a high-performance parallel SSH command execution tool with SSH-compatib
 
 ### Server Components
 
+- **[Server Configuration](./server-configuration.md)** - YAML-based server configuration, environment overrides, validation
 - **SSH Server Module** - SSH server implementation using russh (see main ARCHITECTURE.md)
 - **Server Authentication** - Authentication providers including public key verification (see main ARCHITECTURE.md)
 
@@ -56,7 +57,8 @@ Each component document includes:
 ### Finding Information
 
 - **CLI options and modes** → [CLI Interface](./cli-interface.md)
-- **Configuration file format** → [Configuration Management](./configuration.md)
+- **Client configuration file format** → [Configuration Management](./configuration.md)
+- **Server configuration file format** → [Server Configuration](./server-configuration.md)
 - **Parallel execution behavior** → [Parallel Executor](./executor.md)
 - **SSH connection details** → [SSH Client](./ssh-client.md)
 - **Interactive terminal usage** → [TUI](./tui.md) or [Interactive Mode](./interactive-mode.md)
@@ -76,7 +78,7 @@ src/
 ├── interactive/ → Interactive Mode
 ├── jump/ → Jump Host Support
 ├── forward/ → Port Forwarding
-├── server/ → SSH Server (handler, session, config)
+├── server/ → SSH Server (handler, session, config/, auth/)
 ├── shared/ → Shared utilities (validation, rate limiting, auth types, errors)
 ├── security/ → Security utilities (re-exports from shared for compatibility)
 └── commands/ → Command Implementations