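# StellaOps Authority configuration template.
# Copy to ../etc/authority.yaml (relative to the Authority content root)
# and adjust values to fit your environment. Environment variables
# prefixed with STELLAOPS_AUTHORITY__ (double underscore, as in the example
# below) override these values at runtime; prefer the override for every
# secret-bearing key so credentials never land in this file or in VCS.
# NOTE(review): the example only shows a top-level key; nested keys
# presumably join with "__" as well (e.g. STELLAOPS_AUTHORITY__BOOTSTRAP__APIKEY)
# — confirm against the configuration loader before relying on it.
# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com

schemaVersion: 1

# Absolute issuer URI advertised to clients. Use HTTPS for anything
# beyond loopback development. Keep this value stable once clients have
# been configured against it; it is the identity every token carries.
issuer: "https://authority.stella-ops.local"

# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
# The 30-day refresh lifetime is a development convenience; shorten it for
# production so a leaked refresh token has a bounded window of use.
accessTokenLifetime: "00:15:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"

# MongoDB storage connection details.
# The default targets an unauthenticated loopback instance. For any other
# topology supply a URI with credentials and TLS (e.g. mongodb://user:pass@host/db?tls=true)
# through the environment override rather than editing it in here.
storage:
  connectionString: "mongodb://localhost:27017/stellaops-authority"
  # databaseName: "stellaops_authority"
  commandTimeout: "00:00:30"

# Signing configuration for revocation bundles and JWKS.
# keyPath and every additionalKeys[].path point at private key material:
# restrict the files to the Authority service account (owner read-only) and
# never commit them. The "-dev" keys below are placeholders for local use only.
signing:
  enabled: true
  activeKeyId: "authority-signing-2025-dev"
  keyPath: "../certificates/authority-signing-2025-dev.pem"
  algorithm: "ES256"
  keySource: "file"
  # provider: "default"
  additionalKeys:
    - keyId: "authority-signing-dev"
      path: "../certificates/authority-signing-dev.pem"
      source: "file"
  # Rotation flow:
  # 1. Generate a new PEM in the directory keyPath points at (../certificates
  #    in this template, e.g. authority-signing-2026-dev.pem).
  # 2. Trigger the .gitea/workflows/authority-key-rotation.yml workflow (or run
  #    ops/authority/key-rotation.sh) with the new keyId/keyPath.
  # 3. Update activeKeyId/keyPath above and move the previous key into additionalKeys
  #    so restarts retain retired material for JWKS consumers.
  # Retired keys stay published in the JWKS and so presumably remain valid for
  # verification; a key that is suspected compromised must be removed from
  # additionalKeys entirely, not merely demoted from activeKeyId.

# Bootstrap administrative endpoints (initial provisioning).
# "change-me" is a placeholder, not a credential: before setting enabled: true
# replace it with a long random value supplied via the environment override,
# and switch enabled back to false as soon as provisioning is finished. Leaving
# bootstrap on with a guessable key exposes the provisioning endpoints to
# anyone who can reach Authority.
bootstrap:
  enabled: false
  apiKey: "change-me"
  defaultIdentityProvider: "standard"

# Directories scanned for Authority plug-ins. Relative paths resolve
# against the application content root, enabling air-gapped deployments
# that package plug-ins alongside binaries.
# Plug-ins are loaded as assemblies into the Authority process, so anything
# dropped into these directories runs with Authority's privileges: keep them
# writable only by the deployment tooling, never by the service account.
pluginDirectories:
  - "../PluginBinaries/Authority"
  # - "/var/lib/stellaops/authority/plugins"

# Plug-in manifests live in descriptors below; per-plugin settings are stored
# in the configurationDirectory (YAML files). Authority will load any enabled
# plugins and surface their metadata/capabilities to the host.
plugins:
  configurationDirectory: "../etc/authority.plugins"
  descriptors:
    standard:
      type: "standard"
      assemblyName: "StellaOps.Authority.Plugin.Standard"
      enabled: true
      configFile: "standard.yaml"
      capabilities:
        - password
        - bootstrap
        - clientProvisioning
      metadata:
        defaultRole: "operators"
    # Example for an external identity provider plugin. Leave disabled unless
    # the plug-in package exists under PluginBinaries/Authority.
    ldap:
      type: "ldap"
      assemblyName: "StellaOps.Authority.Plugin.Ldap"
      enabled: false
      configFile: "ldap.yaml"
      capabilities:
        - password
        - mfa

# OAuth client registrations issued by Authority. These examples cover Notify WebService
# in dev (notify.dev audience) and production (notify audience). Replace the secret files
# with paths to your sealed credentials before enabling bootstrap mode.
# secretFile holds the client secret in plain form: keep the files outside VCS,
# owner-readable by the Authority service account only, and give each deployment
# its own secret (do not reuse the dev secret for the production registration).
# Grant each client only the scopes it needs; the examples list notify.admin for
# illustration, which a read-only consumer should not receive.
clients:
  - clientId: "notify-web-dev"
    displayName: "Notify WebService (dev)"
    grantTypes: [ "client_credentials" ]
    audiences: [ "notify.dev" ]
    scopes: [ "notify.read", "notify.admin" ]
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/notify-web-dev.secret"
  - clientId: "notify-web"
    displayName: "Notify WebService"
    grantTypes: [ "client_credentials" ]
    audiences: [ "notify" ]
    scopes: [ "notify.read", "notify.admin" ]
    senderConstraint: "dpop"
    auth:
      type: "client_secret"
      secretFile: "../secrets/notify-web.secret"

# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
# Keep the list tight: localhost is sufficient for most air-gapped installs.
# Every request originating from these ranges skips those policies, so never
# add a broad range (a whole RFC 1918 block, or any range shared with
# untrusted workloads) here; list only hosts that are themselves trusted.
bypassNetworks:
  - "127.0.0.1/32"
  - "::1/128"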