# StellaOps Authority configuration template.
# Copy to ../etc/authority.yaml (relative to the Authority content root)
# and adjust values to fit your environment. Environment variables
# prefixed with STELLAOPS_AUTHORITY_ override these values at runtime.
# Example: STELLAOPS_AUTHORITY__ISSUER=https://authority.example.com
# (Note the double underscore in the example: it appears to be the nesting
# separator for sub-keys, e.g. STORAGE__CONNECTIONSTRING. Confirm the exact
# prefix and separator against the host's configuration loader before
# relying on overrides to inject secrets such as the storage credentials or
# the bootstrap API key, so they never have to be written into this file.)

# Version of this configuration schema; bump only alongside a loader change.
schemaVersion: 1

# Absolute issuer URI advertised to clients. Use HTTPS for anything
# beyond loopback development.
# Security: relying parties pin this value exactly (scheme, host, port,
# trailing slash), so a mismatch surfaces as a hard validation failure, not
# a silent fallback. NOTE(review): this is presumably also what appears in
# the token `iss` claim and discovery metadata — confirm against the host.
# The ".local" suffix below is a development placeholder (it is reserved for
# mDNS); replace it with the real FQDN your TLS certificate is issued for.
issuer: "https://authority.stella-ops.local"

# Token lifetimes expressed as HH:MM:SS or DD.HH:MM:SS.
# Review notes on the defaults:
#   - accessTokenLifetime (15 min): if access tokens are self-contained
#     JWTs, this is the window in which a leaked token stays usable no
#     matter what the revocation bundle says — keep it short and lean on
#     refresh instead. (Confirm token format against the host.)
#   - refreshTokenLifetime (30 days): the long-lived credential in this set.
#     NOTE(review): whether refresh tokens are rotated on use and bound to
#     the issuing client is not visible here — confirm before widening.
#   - authorizationCodeLifetime (5 min) and deviceCodeLifetime (15 min):
#     one-shot artefacts; RFC 6749 §4.1.2 recommends codes live at most
#     ~10 minutes, so do not raise authorizationCodeLifetime beyond that.
accessTokenLifetime: "00:15:00"
refreshTokenLifetime: "30.00:00:00"
identityTokenLifetime: "00:05:00"
authorizationCodeLifetime: "00:05:00"
deviceCodeLifetime: "00:15:00"

# MongoDB storage connection details.
# Security: the default URI below carries no credentials and no TLS, which
# is acceptable only for loopback development. For any shared host supply a
# credentialed URI (e.g. mongodb://user:pass@host/db?tls=true&authSource=...)
# through the STELLAOPS_AUTHORITY_ environment override rather than editing
# this file, so the secret never lands in the copied authority.yaml. The
# Mongo user should have rights on this one database only.
storage:
  connectionString: "mongodb://localhost:27017/stellaops-authority"
  # NOTE(review): the name here ("stellaops_authority", underscore) differs
  # from the database embedded in connectionString ("stellaops-authority",
  # hyphen). Confirm which one the loader prefers before uncommenting, or
  # make them agree, to avoid silently writing to two databases.
  # databaseName: "stellaops_authority"
  # Upper bound per database command. Keep it bounded so a slow or
  # unreachable Mongo cannot pin request threads indefinitely.
  commandTimeout: "00:00:30"

# Signing configuration for revocation bundles and JWKS.
signing:
  # Leave enabled outside of throwaway local runs: with signing off,
  # consumers have no way to verify revocation bundles or JWKS material.
  enabled: true
  # Key ID stamped on signatures and published in JWKS; consumers select the
  # verification key by this value, so it must be unique across activeKeyId
  # and every keyId in additionalKeys.
  activeKeyId: "authority-signing-2025-dev"
  # Private key in PEM form. NOTE(review): presumably resolved relative to
  # the content root like pluginDirectories — confirm.
  # Security: this file is the trust anchor for everything this instance
  # signs. Keep it out of the repository and out of image layers, readable
  # only by the service account (mode 0600), and prefer a non-file
  # keySource/provider (HSM/KMS) where the host offers one. The "-dev"
  # suffix below marks a development key; never reuse it in production.
  keyPath: "../certificates/authority-signing-2025-dev.pem"
  # ES256 = ECDSA over P-256 with SHA-256 (RFC 7518). Do not relax to a
  # symmetric HS* algorithm, if the host even accepts one: JWKS consumers
  # would then need the secret itself in order to verify.
  algorithm: "ES256"
  keySource: "file"
  # provider: "default"
  # Retired keys retained (per the rotation flow below) so consumers can
  # still verify material signed with them. They stay trusted for as long
  # as they are listed, so prune each entry once the longest-lived artefact
  # signed with it has expired; do not let this list grow indefinitely.
  additionalKeys:
    - keyId: "authority-signing-dev"
      path: "../certificates/authority-signing-dev.pem"
      source: "file"
  # Rotation flow:
  #   1. Generate a new PEM under ./certificates (e.g. authority-signing-2026-dev.pem).
  #   2. Trigger the .gitea/workflows/authority-key-rotation.yml workflow (or run
  #      ops/authority/key-rotation.sh) with the new keyId/keyPath.
  #   3. Update activeKeyId/keyPath above and move the previous key into additionalKeys
  #      so restarts retain retired material for JWKS consumers.
  #   4. After the retention window, remove the retired entry from additionalKeys
  #      and delete the old PEM; if the old key is suspected compromised, skip the
  #      retention window and re-issue affected material instead.

# Bootstrap administrative endpoints (initial provisioning).
# Security: these endpoints create the first privileged identities, which
# makes them the highest-value target on a fresh install. Keep
# `enabled: false` except for the provisioning window and switch it back
# off (and restart/reload) as soon as provisioning is done.
bootstrap:
  enabled: false
  # "change-me" is a placeholder, NOT a usable default: it is public in this
  # template, so enabling bootstrap with it still in place hands the
  # provisioning API to anyone who can reach the listener. Generate a
  # high-entropy value (e.g. `openssl rand -base64 32`) and inject it via
  # the environment override so the copied authority.yaml never contains it.
  apiKey: "change-me"
  # Identity-provider plug-in used to create the initial accounts.
  # NOTE(review): presumably must match an enabled descriptor key under
  # plugins.descriptors — confirm.
  defaultIdentityProvider: "standard"

# Directories scanned for Authority plug-ins. Relative paths resolve
# against the application content root, enabling air-gapped deployments
# that package plug-ins alongside binaries.
# Security: assemblies named by enabled descriptors are loaded from these
# directories into the Authority process, so write access to them is
# equivalent to code execution as the service. Keep them owned by the
# deployment user, not writable by the runtime account, and never point at
# a shared or world-writable path.
# NOTE(review): whether assemblies are signature-checked before loading is
# not visible from this file — confirm; if not, filesystem permissions and
# packaging integrity are the only controls.
pluginDirectories:
  - "../PluginBinaries/Authority"
  # "/var/lib/stellaops/authority/plugins"

# Plug-in manifests live in descriptors below; per-plugin settings are stored
# in the configurationDirectory (YAML files). Authority will load any enabled
# plugins and surface their metadata/capabilities to the host.
plugins:
  # Per-plugin YAML (standard.yaml, ldap.yaml) lives here. Provider secrets
  # such as LDAP bind credentials will likely end up in these files, so
  # protect the directory at least as tightly as authority.yaml itself.
  configurationDirectory: "../etc/authority.plugins"
  descriptors:
    # Built-in password provider; the only descriptor enabled by default.
    standard:
      type: "standard"
      assemblyName: "StellaOps.Authority.Plugin.Standard"
      enabled: true
      configFile: "standard.yaml"
      # Capabilities advertised to the host. `bootstrap` and
      # `clientProvisioning` let this provider create principals and OAuth
      # clients. NOTE(review): if the host honours this list as an
      # allow-list (confirm), trim it to what the install actually needs
      # rather than shipping the full set.
      capabilities:
        - password
        - bootstrap
        - clientProvisioning
      metadata:
        # Role assigned to accounts created through this provider when none
        # is specified. NOTE(review): verify "operators" is the least
        # privileged role that still works for your deployment.
        defaultRole: "operators"
    # Example for an external identity provider plugin. Leave disabled unless
    # the plug-in package exists under PluginBinaries/Authority.
    ldap:
      type: "ldap"
      assemblyName: "StellaOps.Authority.Plugin.Ldap"
      enabled: false
      configFile: "ldap.yaml"
      # Note the narrower set here: no bootstrap/clientProvisioning, so an
      # external directory cannot mint local clients. Keep it that way.
      capabilities:
        - password
        - mfa

# CIDR ranges that bypass network-sensitive policies (e.g. on-host cron jobs).
# Keep the list tight: localhost is sufficient for most air-gapped installs.
# Security: a match here switches policy off, so the client address the
# policy evaluates must be the real peer. Behind a reverse proxy, a sidecar,
# or a container whose ingress connects over loopback, every request can
# appear to originate from 127.0.0.1/::1 and would match this list. In that
# topology either make sure forwarded-client headers are trusted only from
# that proxy (so the original client IP is what gets evaluated) or remove
# the loopback entries. Never add 0.0.0.0/0, ::/0, or a whole private range.
bypassNetworks:
  - "127.0.0.1/32"
  - "::1/128"