Initial commit (history squashed)

etc/authority.plugins/ldap.yaml

@@ -0,0 +1,17 @@
+# Placeholder configuration for the LDAP identity provider plug-in.
+# Replace values with your directory settings before enabling the plug-in.
+connection:
+  host: "ldap.example.com"
+  port: 636
+  useTls: true
+  bindDn: "cn=service,dc=example,dc=com"
+  bindPassword: "CHANGE_ME"
+
+queries:
+  userFilter: "(uid={username})"
+  groupFilter: "(member={distinguishedName})"
+  groupAttribute: "cn"
+
+capabilities:
+  supportsPassword: true
+  supportsMfa: false

etc/authority.plugins/standard.yaml

@@ -0,0 +1,22 @@
+# Standard plugin configuration (Mongo-backed identity store).
+bootstrapUser:
+  username: "admin"
+  password: "changeme"
+
+passwordPolicy:
+  minimumLength: 12
+  requireUppercase: true
+  requireLowercase: true
+  requireDigit: true
+  requireSymbol: true
+
+lockout:
+  enabled: true
+  maxAttempts: 5
+  windowMinutes: 15
+
+tokenSigning:
+  # Path to the directory containing signing keys (relative paths resolve
+  # against the location of this manifest, environment variables are expanded,
+  # and the final value is normalised to an absolute path during startup.
+  keyDirectory: "../keys"

etc/authority.yaml.sample

@@ -0,0 +1,71 @@
+# StellaOps Authority configuration template.
+# Copy to ../etc/authority.yaml (relative to the Authority content root)
+# and adjust values to fit your environment. Environment variables
+# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
+# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
+
+schemaVersion: 1
+
+# Absolute issuer URI advertised to clients. Use HTTPS for anything
+# beyond loopback development.
+issuer: "https://authority.stella-ops.local"
+
+# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
+accessTokenLifetime: "00:15:00"
+refreshTokenLifetime: "30.00:00:00"
+identityTokenLifetime: "00:05:00"
+authorizationCodeLifetime: "00:05:00"
+deviceCodeLifetime: "00:15:00"
+
+# MongoDB storage connection details.
+storage:
+  connectionString: "mongodb://localhost:27017/stellaops-authority"
+  # databaseName: "stellaops_authority"
+  commandTimeout: "00:00:30"
+
+# Bootstrap administrative endpoints (initial provisioning).
+bootstrap:
+  enabled: false
+  apiKey: "change-me"
+  defaultIdentityProvider: "standard"
+
+# Directories scanned for Authority plug-ins. Relative paths resolve
+# against the application content root, enabling air-gapped deployments
+# that package plug-ins alongside binaries.
+pluginDirectories:
+  - "../PluginBinaries/Authority"
+  # "/var/lib/stellaops/authority/plugins"
+
+# Plug-in manifests live in descriptors below; per-plugin settings are stored
+# in the configurationDirectory (YAML files). Authority will load any enabled
+# plugins and surface their metadata/capabilities to the host.
+plugins:
+  configurationDirectory: "../etc/authority.plugins"
+  descriptors:
+    standard:
+      type: "standard"
+      assemblyName: "StellaOps.Authority.Plugin.Standard"
+      enabled: true
+      configFile: "standard.yaml"
+      capabilities:
+        - password
+        - bootstrap
+        - clientProvisioning
+      metadata:
+        defaultRole: "operators"
+    # Example for an external identity provider plugin. Leave disabled unless
+    # the plug-in package exists under PluginBinaries/Authority.
+    ldap:
+      type: "ldap"
+      assemblyName: "StellaOps.Authority.Plugin.Ldap"
+      enabled: false
+      configFile: "ldap.yaml"
+      capabilities:
+        - password
+        - mfa
+
+# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
+# Keep the list tight: localhost is sufficient for most air-gapped installs.
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"

etc/feedser.yaml.sample

@@ -0,0 +1,65 @@
+# Feedser configuration template for StellaOps deployments.
+# Copy to ../etc/feedser.yaml (relative to the web service content root)
+# and adjust the values to match your environment. Environment variables
+# (prefixed with FEEDSER_) override these settings at runtime.
+
+storage:
+  driver: mongo
+  # Mongo connection string. Use SRV URI or standard connection string.
+  dsn: "mongodb://feedser:feedser@mongo:27017/feedser?authSource=admin"
+  # Optional database name; defaults to the name embedded in the DSN or 'feedser'.
+  database: "feedser"
+  # Mongo command timeout in seconds.
+  commandTimeoutSeconds: 30
+
+plugins:
+  # Feedser resolves plug-ins relative to the content root; override as needed.
+  baseDirectory: ".."
+  directory: "PluginBinaries"
+  searchPatterns:
+    - "StellaOps.Feedser.Plugin.*.dll"
+
+telemetry:
+  enabled: true
+  enableTracing: false
+  enableMetrics: false
+  enableLogging: true
+  minimumLogLevel: "Information"
+  serviceName: "stellaops-feedser"
+  # Configure OTLP endpoint when shipping traces/metrics/logs out-of-band.
+  otlpEndpoint: ""
+  # Optional headers for OTLP exporters, for example authentication tokens.
+  otlpHeaders: {}
+  # Attach additional resource attributes to telemetry exports.
+  resourceAttributes:
+    deployment.environment: "local"
+  # Emit console exporters for local debugging.
+  exportConsole: true
+
+authority:
+  enabled: false
+  # Temporary rollout flag. When true, Feedser logs anonymous access but does not fail requests
+  # without tokens. Set to false before 2025-12-31 UTC to enforce authentication fully.
+  allowAnonymousFallback: true
+  # Issuer advertised by StellaOps Authority (e.g. https://authority.stella-ops.local).
+  issuer: "https://authority.stella-ops.local"
+  # Optional explicit metadata address; defaults to {issuer}/.well-known/openid-configuration.
+  metadataAddress: ""
+  requireHttpsMetadata: true
+  backchannelTimeoutSeconds: 30
+  tokenClockSkewSeconds: 60
+  audiences:
+    - "api://feedser"
+  requiredScopes:
+    - "feedser.jobs.trigger"
+  # Outbound credentials Feedser can use to call Authority (client credentials flow).
+  clientId: "feedser-jobs"
+  # Prefer storing the secret outside of the config file. Provide either clientSecret or clientSecretFile.
+  clientSecret: ""
+  clientSecretFile: ""
+  clientScopes:
+    - "feedser.jobs.trigger"
+  # Networks allowed to bypass authentication (loopback by default for on-host cron jobs).
+  bypassNetworks:
+    - "127.0.0.1/32"
+    - "::1/128"