Resolve Concelier/Excititor merge conflicts

2025-10-20 14:19:25 +03:00
parent 67d581d2e8 5fd4032c7c
commit 09b6a28172
2687 changed files with 212646 additions and 85913 deletions
--- a/etc/authority.yaml.sample
+++ b/etc/authority.yaml.sample
@@ -1,90 +1,113 @@
-# StellaOps Authority configuration template.
-# Copy to ../etc/authority.yaml (relative to the Authority content root)
-# and adjust values to fit your environment. Environment variables
-# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
-# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
-
-schemaVersion: 1
-
-# Absolute issuer URI advertised to clients. Use HTTPS for anything
-# beyond loopback development.
-issuer: "https://authority.stella-ops.local"
-
-# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
-accessTokenLifetime: "00:15:00"
-refreshTokenLifetime: "30.00:00:00"
-identityTokenLifetime: "00:05:00"
-authorizationCodeLifetime: "00:05:00"
-deviceCodeLifetime: "00:15:00"
-
-# MongoDB storage connection details.
-storage:
-  connectionString: "mongodb://localhost:27017/stellaops-authority"
-  # databaseName: "stellaops_authority"
-  commandTimeout: "00:00:30"
-
-# Signing configuration for revocation bundles and JWKS.
-signing:
-  enabled: true
-  activeKeyId: "authority-signing-2025-dev"
-  keyPath: "../certificates/authority-signing-2025-dev.pem"
-  algorithm: "ES256"
-  keySource: "file"
-  # provider: "default"
-  additionalKeys:
-    - keyId: "authority-signing-dev"
-      path: "../certificates/authority-signing-dev.pem"
-      source: "file"
-  # Rotation flow:
-  #   1. Generate a new PEM under ./certificates (e.g. authority-signing-2026-dev.pem).
-  #   2. Trigger the .gitea/workflows/authority-key-rotation.yml workflow (or run
-  #      ops/authority/key-rotation.sh) with the new keyId/keyPath.
-  #   3. Update activeKeyId/keyPath above and move the previous key into additionalKeys
-  #      so restarts retain retired material for JWKS consumers.
-
-# Bootstrap administrative endpoints (initial provisioning).
-bootstrap:
-  enabled: false
-  apiKey: "change-me"
-  defaultIdentityProvider: "standard"
-
-# Directories scanned for Authority plug-ins. Relative paths resolve
-# against the application content root, enabling air-gapped deployments
-# that package plug-ins alongside binaries.
-pluginDirectories:
-  - "../PluginBinaries/Authority"
-  # "/var/lib/stellaops/authority/plugins"
-
-# Plug-in manifests live in descriptors below; per-plugin settings are stored
-# in the configurationDirectory (YAML files). Authority will load any enabled
-# plugins and surface their metadata/capabilities to the host.
-plugins:
-  configurationDirectory: "../etc/authority.plugins"
-  descriptors:
-    standard:
-      type: "standard"
-      assemblyName: "StellaOps.Authority.Plugin.Standard"
-      enabled: true
-      configFile: "standard.yaml"
-      capabilities:
-        - password
-        - bootstrap
-        - clientProvisioning
-      metadata:
-        defaultRole: "operators"
-    # Example for an external identity provider plugin. Leave disabled unless
-    # the plug-in package exists under PluginBinaries/Authority.
-    ldap:
-      type: "ldap"
-      assemblyName: "StellaOps.Authority.Plugin.Ldap"
-      enabled: false
-      configFile: "ldap.yaml"
-      capabilities:
-        - password
-        - mfa
-
-# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
-# Keep the list tight: localhost is sufficient for most air-gapped installs.
-bypassNetworks:
-  - "127.0.0.1/32"
-  - "::1/128"
+# StellaOps Authority configuration template.
+# Copy to ../etc/authority.yaml (relative to the Authority content root)
+# and adjust values to fit your environment. Environment variables
+# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
+# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
+
+schemaVersion: 1
+
+# Absolute issuer URI advertised to clients. Use HTTPS for anything
+# beyond loopback development.
+issuer: "https://authority.stella-ops.local"
+
+# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
+accessTokenLifetime: "00:15:00"
+refreshTokenLifetime: "30.00:00:00"
+identityTokenLifetime: "00:05:00"
+authorizationCodeLifetime: "00:05:00"
+deviceCodeLifetime: "00:15:00"
+
+# MongoDB storage connection details.
+storage:
+  connectionString: "mongodb://localhost:27017/stellaops-authority"
+  # databaseName: "stellaops_authority"
+  commandTimeout: "00:00:30"
+
+# Signing configuration for revocation bundles and JWKS.
+signing:
+  enabled: true
+  activeKeyId: "authority-signing-2025-dev"
+  keyPath: "../certificates/authority-signing-2025-dev.pem"
+  algorithm: "ES256"
+  keySource: "file"
+  # provider: "default"
+  additionalKeys:
+    - keyId: "authority-signing-dev"
+      path: "../certificates/authority-signing-dev.pem"
+      source: "file"
+  # Rotation flow:
+  #   1. Generate a new PEM under ./certificates (e.g. authority-signing-2026-dev.pem).
+  #   2. Trigger the .gitea/workflows/authority-key-rotation.yml workflow (or run
+  #      ops/authority/key-rotation.sh) with the new keyId/keyPath.
+  #   3. Update activeKeyId/keyPath above and move the previous key into additionalKeys
+  #      so restarts retain retired material for JWKS consumers.
+
+# Bootstrap administrative endpoints (initial provisioning).
+bootstrap:
+  enabled: false
+  apiKey: "change-me"
+  defaultIdentityProvider: "standard"
+
+# Directories scanned for Authority plug-ins. Relative paths resolve
+# against the application content root, enabling air-gapped deployments
+# that package plug-ins alongside binaries.
+pluginDirectories:
+  - "../StellaOps.Authority.PluginBinaries"
+  # "/var/lib/stellaops/authority/plugins"
+
+# Plug-in manifests live in descriptors below; per-plugin settings are stored
+# in the configurationDirectory (YAML files). Authority will load any enabled
+# plugins and surface their metadata/capabilities to the host.
+plugins:
+  configurationDirectory: "../etc/authority.plugins"
+  descriptors:
+    standard:
+      type: "standard"
+      assemblyName: "StellaOps.Authority.Plugin.Standard"
+      enabled: true
+      configFile: "standard.yaml"
+      capabilities:
+        - password
+        - bootstrap
+        - clientProvisioning
+      metadata:
+        defaultRole: "operators"
+    # Example for an external identity provider plugin. Leave disabled unless
+    # the plug-in package exists under StellaOps.Authority.PluginBinaries.
+    ldap:
+      type: "ldap"
+      assemblyName: "StellaOps.Authority.Plugin.Ldap"
+      enabled: false
+      configFile: "ldap.yaml"
+      capabilities:
+        - password
+        - mfa
+
+# OAuth client registrations issued by Authority. These examples cover Notify WebService
+# in dev (notify.dev audience) and production (notify audience). Replace the secret files
+# with paths to your sealed credentials before enabling bootstrap mode.
+clients:
+  - clientId: "notify-web-dev"
+    displayName: "Notify WebService (dev)"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "notify.dev" ]
+    scopes: [ "notify.read", "notify.admin" ]
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/notify-web-dev.secret"
+  - clientId: "notify-web"
+    displayName: "Notify WebService"
+    grantTypes: [ "client_credentials" ]
+    audiences: [ "notify" ]
+    scopes: [ "notify.read", "notify.admin" ]
+    senderConstraint: "dpop"
+    auth:
+      type: "client_secret"
+      secretFile: "../secrets/notify-web.secret"
+
+# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
+# Keep the list tight: localhost is sufficient for most air-gapped installs.
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"