up

etc/authority.plugins/ldap.yaml

@@ -0,0 +1,17 @@
+# Placeholder configuration for the LDAP identity provider plug-in.
+# Replace values with your directory settings before enabling the plug-in.
+connection:
+  host: "ldap.example.com"
+  port: 636
+  useTls: true
+  bindDn: "cn=service,dc=example,dc=com"
+  bindPassword: "CHANGE_ME"
+
+queries:
+  userFilter: "(uid={username})"
+  groupFilter: "(member={distinguishedName})"
+  groupAttribute: "cn"
+
+capabilities:
+  supportsPassword: true
+  supportsMfa: false

etc/authority.plugins/standard.yaml

@@ -0,0 +1,21 @@
+# Standard plugin configuration (Mongo-backed identity store).
+bootstrapUser:
+  username: "admin"
+  password: "changeme"
+
+passwordPolicy:
+  minimumLength: 12
+  requireUppercase: true
+  requireLowercase: true
+  requireDigit: true
+  requireSymbol: true
+
+lockout:
+  enabled: true
+  maxAttempts: 5
+  windowMinutes: 15
+
+tokenSigning:
+  # Path to the directory containing signing keys (relative paths resolve
+  # against this configuration file location).
+  keyDirectory: "../keys"

etc/authority.yaml.sample

@@ -0,0 +1,71 @@
+# StellaOps Authority configuration template.
+# Copy to ../etc/authority.yaml (relative to the Authority content root)
+# and adjust values to fit your environment. Environment variables
+# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
+# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
+
+schemaVersion: 1
+
+# Absolute issuer URI advertised to clients. Use HTTPS for anything
+# beyond loopback development.
+issuer: "https://authority.stella-ops.local"
+
+# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
+accessTokenLifetime: "00:15:00"
+refreshTokenLifetime: "30.00:00:00"
+identityTokenLifetime: "00:05:00"
+authorizationCodeLifetime: "00:05:00"
+deviceCodeLifetime: "00:15:00"
+
+# MongoDB storage connection details.
+storage:
+  connectionString: "mongodb://localhost:27017/stellaops-authority"
+  # databaseName: "stellaops_authority"
+  commandTimeout: "00:00:30"
+
+# Bootstrap administrative endpoints (initial provisioning).
+bootstrap:
+  enabled: false
+  apiKey: "change-me"
+  defaultIdentityProvider: "standard"
+
+# Directories scanned for Authority plug-ins. Relative paths resolve
+# against the application content root, enabling air-gapped deployments
+# that package plug-ins alongside binaries.
+pluginDirectories:
+  - "../PluginBinaries/Authority"
+  # "/var/lib/stellaops/authority/plugins"
+
+# Plug-in manifests live in descriptors below; per-plugin settings are stored
+# in the configurationDirectory (YAML files). Authority will load any enabled
+# plugins and surface their metadata/capabilities to the host.
+plugins:
+  configurationDirectory: "../etc/authority.plugins"
+  descriptors:
+    standard:
+      type: "standard"
+      assemblyName: "StellaOps.Authority.Plugin.Standard"
+      enabled: true
+      configFile: "standard.yaml"
+      capabilities:
+        - password
+        - bootstrap
+        - clientProvisioning
+      metadata:
+        defaultRole: "operators"
+    # Example for an external identity provider plugin. Leave disabled unless
+    # the plug-in package exists under PluginBinaries/Authority.
+    ldap:
+      type: "ldap"
+      assemblyName: "StellaOps.Authority.Plugin.Ldap"
+      enabled: false
+      configFile: "ldap.yaml"
+      capabilities:
+        - password
+        - mfa
+
+# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
+# Keep the list tight: localhost is sufficient for most air-gapped installs.
+bypassNetworks:
+  - "127.0.0.1/32"
+  - "::1/128"