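# StellaOps Air-Gapped Environment
# Copy to .env in repository root:
#   cp etc/env/airgap.env.sample .env
#
# This profile is for fully offline/air-gapped deployments with no external
# network connectivity. All feeds, models, and packages must be pre-loaded.
#
# Format: one KEY=value assignment per line, comments on their own lines.
# Once secrets are filled in, the copied .env holds credentials: keep it out
# of version control and readable only by the deploying account.

# ============================================================================
# PROFILE IDENTIFICATION
# ============================================================================
STELLAOPS_PROFILE=airgap
STELLAOPS_LOG_LEVEL=Information

# ============================================================================
# NETWORK ISOLATION
# ============================================================================
# Block all outbound connections (enforced at application level).
# Application-level enforcement does not replace network-layer controls:
# also block egress at the host/network boundary, so that a component which
# ignores this setting still cannot reach outside.
STELLAOPS_NETWORK_ISOLATION=strict
# The *.internal entry admits every name under .internal, so the allow-list
# is only as trustworthy as the internal DNS zone.
# NOTE(review): wildcard matching semantics are not shown here - confirm.
STELLAOPS_ALLOWED_HOSTS=localhost,*.internal

# ============================================================================
# POSTGRES DATABASE
# ============================================================================
POSTGRES_HOST=postgres.internal
POSTGRES_PORT=5432
POSTGRES_USER=stellaops
# Left unset on purpose: supply the password at deploy time from a secret
# store, and never commit a populated value to this sample.
# POSTGRES_PASSWORD=
POSTGRES_DB=stellaops_platform

# ============================================================================
# VALKEY (REDIS-COMPATIBLE CACHE)
# ============================================================================
# NOTE(review): this profile sets no credentials or TLS for Valkey - confirm
# how access to the cache is restricted.
VALKEY_HOST=valkey.internal
VALKEY_PORT=6379

# ============================================================================
# NATS MESSAGING
# ============================================================================
# NOTE(review): no NATS credentials appear in this profile - confirm how
# clients are authenticated.
NATS_URL=nats://nats.internal:4222
NATS_CLIENT_PORT=4222

# ============================================================================
# RUSTFS ARTIFACT STORAGE
# ============================================================================
# Plain HTTP: artifacts cross the internal network unencrypted and
# unauthenticated at the transport layer. Acceptable only on a trusted segment.
RUSTFS_ENDPOINT=http://rustfs.internal:8080
RUSTFS_HTTP_PORT=8080

# ============================================================================
# AUTHORITY SERVICE
# ============================================================================
AUTHORITY_PORT=8440
# HTTPS on an internal name; presumably needs a certificate from an internal
# CA that every service trusts - verify against the deployment.
AUTHORITY_ISSUER=https://auth.internal:8440

# ============================================================================
# SIGNER SERVICE (OFFLINE MODE)
# ============================================================================
SIGNER_PORT=8441
SIGNER_POE_INTROSPECT_URL=https://auth.internal:8440/connect/introspect
# Disable Rekor transparency log (requires internet).
# With the log disabled, verification presumably rests on the offline trust
# roots and Rekor snapshot configured in the scanner section - confirm.
SIGNER_REKOR_ENABLED=false

# ============================================================================
# ATTESTOR SERVICE
# ============================================================================
ATTESTOR_PORT=8442

# ============================================================================
# SCANNER SERVICE (OFFLINE MODE)
# ============================================================================
SCANNER_WEB_PORT=8444
SCANNER_EVENTS_ENABLED=true
SCANNER_EVENTS_DRIVER=valkey
SCANNER_EVENTS_DSN=valkey.internal:6379
SCANNER_EVENTS_STREAM=stella.events
# CRITICAL: Enable offline kit for air-gapped operation
SCANNER_OFFLINEKIT_ENABLED=true
# NOTE(review): presumably "require DSSE", i.e. reject offline kits without a
# signed envelope - confirm, and keep true.
SCANNER_OFFLINEKIT_REQUIREDSSE=true
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
# Trust roots decide which signatures are accepted. Verify their contents out
# of band before import, and make the directory writable by administrators
# only.
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
# NOTE(review): the *_HOST_PATH values look like host directories mounted
# into the two directories above - confirm, and mount them read-only if so.
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=/opt/stellaops/offline/trust-roots
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=/opt/stellaops/offline/rekor-snapshot

# ============================================================================
# CONCELIER SERVICE (OFFLINE FEEDS)
# ============================================================================
CONCELIER_PORT=8445
# Use pre-loaded vulnerability feeds.
# Offline feeds age: record each import date and refresh on a schedule,
# because findings are only as current as the last imported feed.
CONCELIER_FEED_MODE=offline
CONCELIER_FEED_DIRECTORY=/var/lib/stellaops/feeds

# ============================================================================
# NOTIFY SERVICE
# ============================================================================
NOTIFY_WEB_PORT=8446
# Disable external notification channels
NOTIFY_SLACK_ENABLED=false
NOTIFY_TEAMS_ENABLED=false
NOTIFY_WEBHOOK_ENABLED=false
# Only internal email relay if available; set NOTIFY_EMAIL_ENABLED=false when
# no internal relay exists.
NOTIFY_EMAIL_ENABLED=true
NOTIFY_EMAIL_SMTP_HOST=smtp.internal

# ============================================================================
# ISSUER DIRECTORY SERVICE
# ============================================================================
ISSUER_DIRECTORY_PORT=8447
ISSUER_DIRECTORY_SEED_CSAF=false
# Pre-loaded issuer registry
ISSUER_DIRECTORY_OFFLINE_MODE=true

# ============================================================================
# ADVISORY AI SERVICE (LOCAL INFERENCE)
# ============================================================================
ADVISORY_AI_WEB_PORT=8448
# CRITICAL: Use local inference only (no external API calls)
ADVISORY_AI_INFERENCE_MODE=Local
# Model bundles are loaded from this path; verify their integrity and origin
# before copying them in.
ADVISORY_AI_MODEL_BUNDLE_PATH=/opt/stellaops/offline/models
# Do NOT set remote inference settings
# ADVISORY_AI_REMOTE_BASEADDRESS=
# ADVISORY_AI_REMOTE_APIKEY=

# ============================================================================
# SCHEDULER SERVICE
# ============================================================================
# Plain HTTP between scheduler and scanner; same caveat as the RustFS endpoint.
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444

# ============================================================================
# WEB UI
# ============================================================================
UI_PORT=8443

# ============================================================================
# CRYPTO PROFILE
# ============================================================================
# Select based on organizational requirements
# Note: Some providers may require additional offline packages
STELLAOPS_CRYPTO_PROFILE=us-fips
# For Russian GOST (requires CryptoPro offline package):
# STELLAOPS_CRYPTO_PROFILE=ru
# CRYPTOPRO_ACCEPT_EULA=1

# ============================================================================
# TELEMETRY (LOCAL COLLECTOR ONLY)
# ============================================================================
STELLAOPS_TELEMETRY_ENABLED=true
# Plain HTTP to the local collector. Telemetry can carry hostnames and paths,
# so keep the collector on the isolated segment.
STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317
# Disable cloud exporters
STELLAOPS_TELEMETRY_CLOUD_EXPORT=false

# ============================================================================
# OFFLINE PACKAGE PATHS
# ============================================================================
# Pre-loaded package caches for language ecosystems.
# Anything placed here is trusted as a package source: check checksums or
# signatures on the connected side before transfer, and keep these directories
# read-only to the services.
STELLAOPS_OFFLINE_NPM_REGISTRY=/opt/stellaops/offline/npm
STELLAOPS_OFFLINE_PYPI_INDEX=/opt/stellaops/offline/pypi
STELLAOPS_OFFLINE_MAVEN_REPO=/opt/stellaops/offline/maven
STELLAOPS_OFFLINE_NUGET_FEED=/opt/stellaops/offline/nuget
STELLAOPS_OFFLINE_CRATES_INDEX=/opt/stellaops/offline/crates
STELLAOPS_OFFLINE_GO_PROXY=/opt/stellaops/offline/goproxy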