# StellaOps Air-Gapped Environment
# Copy to .env in repository root: cp etc/env/airgap.env.sample .env
#
# This profile is for fully offline/air-gapped deployments with no external
# network connectivity. All feeds, models, and packages must be pre-loaded.
#
# Review notes on this sample:
# - Every value is a plain string; boolean settings use lowercase true/false.
# - No secret is stored here and none should be added to the copied .env
#   either (inject at deploy time). Confirm that .env is excluded from
#   version control before copying.
# - Every service host below ends in .internal and is expected to resolve
#   only inside the enclave; several values repeat a port that also appears
#   in a URL (NATS, RustFS, Authority, Scanner) - keep each pair in sync.

# ============================================================================
# PROFILE IDENTIFICATION
# ============================================================================
STELLAOPS_PROFILE=airgap
STELLAOPS_LOG_LEVEL=Information

# ============================================================================
# NETWORK ISOLATION
# ============================================================================
# Block all outbound connections (enforced at application level)
# NOTE(review): an application-level block is defence in depth, not the
# boundary itself - pair it with a network-level egress deny (host firewall /
# segmented network) so a misconfigured client cannot bypass it.
STELLAOPS_NETWORK_ISOLATION=strict
# Comma-separated allow-list. The wildcard presumably admits every name under
# .internal, so any host that can obtain such a name becomes reachable; if the
# resolver is not tightly controlled, narrow this to the hosts listed below.
STELLAOPS_ALLOWED_HOSTS=localhost,*.internal

# ============================================================================
# POSTGRES DATABASE
# ============================================================================
POSTGRES_HOST=postgres.internal
POSTGRES_PORT=5432
POSTGRES_USER=stellaops
# Intentionally left unset: supply the password from the deployment's secret
# store at start-up instead of writing it into this file.
# POSTGRES_PASSWORD=<inject-from-secure-storage>
POSTGRES_DB=stellaops_platform

# ============================================================================
# VALKEY (REDIS-COMPATIBLE CACHE)
# ============================================================================
# Same host:port is referenced again by SCANNER_EVENTS_DSN below.
VALKEY_HOST=valkey.internal
VALKEY_PORT=6379

# ============================================================================
# NATS MESSAGING
# ============================================================================
# The port in NATS_URL and NATS_CLIENT_PORT must agree (both 4222 here).
NATS_URL=nats://nats.internal:4222
NATS_CLIENT_PORT=4222

# ============================================================================
# RUSTFS ARTIFACT STORAGE
# ============================================================================
# Plaintext HTTP to the artifact store. Acceptable only if the segment between
# the services and RustFS is trusted; confirm whether the endpoint can serve
# TLS and prefer https:// if it can. Port must match RUSTFS_HTTP_PORT.
RUSTFS_ENDPOINT=http://rustfs.internal:8080
RUSTFS_HTTP_PORT=8080

# ============================================================================
# AUTHORITY SERVICE
# ============================================================================
# Issuer URL is https and embeds AUTHORITY_PORT; the certificate for
# auth.internal must be provisioned offline and trusted by every caller
# (Signer introspection below depends on it).
AUTHORITY_PORT=8440
AUTHORITY_ISSUER=https://auth.internal:8440

# ============================================================================
# SIGNER SERVICE (OFFLINE MODE)
# ============================================================================
SIGNER_PORT=8441
# Token introspection goes to the Authority issuer above; keep host and port
# identical to AUTHORITY_ISSUER.
SIGNER_POE_INTROSPECT_URL=https://auth.internal:8440/connect/introspect
# Disable Rekor transparency log (requires internet)
# NOTE(review): this presumably only stops online log submission; offline
# inclusion checks are configured separately via SCANNER_OFFLINEKIT_REKOR*
# below - confirm both halves are intended together.
SIGNER_REKOR_ENABLED=false

# ============================================================================
# ATTESTOR SERVICE
# ============================================================================
ATTESTOR_PORT=8442

# ============================================================================
# SCANNER SERVICE (OFFLINE MODE)
# ============================================================================
# Port is also embedded in SCHEDULER_SCANNER_BASEADDRESS below.
SCANNER_WEB_PORT=8444
SCANNER_EVENTS_ENABLED=true
SCANNER_EVENTS_DRIVER=valkey
# Must point at the Valkey instance configured above (VALKEY_HOST:VALKEY_PORT).
SCANNER_EVENTS_DSN=valkey.internal:6379
SCANNER_EVENTS_STREAM=stella.events

# CRITICAL: Enable offline kit for air-gapped operation
SCANNER_OFFLINEKIT_ENABLED=true
# Presumably requires a DSSE envelope on imported material; keep this true in
# the air-gapped profile so unsigned bundles are rejected - TODO confirm.
SCANNER_OFFLINEKIT_REQUIREDSSE=true
SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
# The trust roots and the Rekor snapshot are the verification anchors for
# everything imported into the enclave. Protect the directories (read-only
# mount, restricted write access), verify each new snapshot before copying it
# in, and record when it was last refreshed: what can be verified offline is
# bounded by the snapshot's age.
# The first pair looks like container-side paths and the *_HOST_PATH pair the
# host directories mounted into them - confirm against the compose/deploy
# manifest.
SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=/opt/stellaops/offline/trust-roots
SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=/opt/stellaops/offline/rekor-snapshot

# ============================================================================
# CONCELIER SERVICE (OFFLINE FEEDS)
# ============================================================================
CONCELIER_PORT=8445
# Use pre-loaded vulnerability feeds
# Feeds in this directory are trusted as delivered; verify them on import and
# keep an import date visible so stale advisory data is noticed.
CONCELIER_FEED_MODE=offline
CONCELIER_FEED_DIRECTORY=/var/lib/stellaops/feeds

# ============================================================================
# NOTIFY SERVICE
# ============================================================================
NOTIFY_WEB_PORT=8446
# Disable external notification channels
NOTIFY_SLACK_ENABLED=false
NOTIFY_TEAMS_ENABLED=false
NOTIFY_WEBHOOK_ENABLED=false
# Only internal email relay if available
# NOTE(review): no SMTP credential or transport-security setting is present in
# this file; confirm how the relay authenticates clients and whether the hop
# is encrypted before enabling in production. Set to false if no relay exists.
NOTIFY_EMAIL_ENABLED=true
NOTIFY_EMAIL_SMTP_HOST=smtp.internal

# ============================================================================
# ISSUER DIRECTORY SERVICE
# ============================================================================
ISSUER_DIRECTORY_PORT=8447
# Presumably skips seeding the directory from CSAF sources, which would need
# network access - TODO confirm.
ISSUER_DIRECTORY_SEED_CSAF=false
# Pre-loaded issuer registry
ISSUER_DIRECTORY_OFFLINE_MODE=true

# ============================================================================
# ADVISORY AI SERVICE (LOCAL INFERENCE)
# ============================================================================
ADVISORY_AI_WEB_PORT=8448
# CRITICAL: Use local inference only (no external API calls)
ADVISORY_AI_INFERENCE_MODE=Local
# Model bundle is loaded from disk; verify the bundle's integrity on import
# and mount the directory read-only.
ADVISORY_AI_MODEL_BUNDLE_PATH=/opt/stellaops/offline/models
# Do NOT set remote inference settings
# Leaving these unset is what keeps advisory content inside the enclave; a
# remote address plus API key would send internal findings out even though
# the rest of the profile is offline.
# ADVISORY_AI_REMOTE_BASEADDRESS=
# ADVISORY_AI_REMOTE_APIKEY=

# ============================================================================
# SCHEDULER SERVICE
# ============================================================================
# Plaintext HTTP to the scanner; host:port must match SCANNER_WEB_PORT above.
SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web.internal:8444

# ============================================================================
# WEB UI
# ============================================================================
UI_PORT=8443

# ============================================================================
# CRYPTO PROFILE
# ============================================================================
# Select based on organizational requirements
# Note: Some providers may require additional offline packages
STELLAOPS_CRYPTO_PROFILE=us-fips

# For Russian GOST (requires CryptoPro offline package):
# The EULA flag uses 1 rather than true/false; this appears to be the form the
# vendor package expects - keep as-is if you enable it.
# STELLAOPS_CRYPTO_PROFILE=ru
# CRYPTOPRO_ACCEPT_EULA=1

# ============================================================================
# TELEMETRY (LOCAL COLLECTOR ONLY)
# ============================================================================
STELLAOPS_TELEMETRY_ENABLED=true
# Plaintext OTLP/gRPC (4317 is the OTLP gRPC default port) to an in-enclave
# collector. Telemetry carries hostnames and paths; confirm the collector's
# own exporters are local-only so it does not become the egress path.
STELLAOPS_TELEMETRY_ENDPOINT=http://otel-collector.internal:4317
# Disable cloud exporters
STELLAOPS_TELEMETRY_CLOUD_EXPORT=false

# ============================================================================
# OFFLINE PACKAGE PATHS
# ============================================================================
# Pre-loaded package caches for language ecosystems
# These are filesystem paths, not registry URLs. Mirror contents are trusted by
# the scanners that consume them - populate from verified sources and mount
# read-only.
STELLAOPS_OFFLINE_NPM_REGISTRY=/opt/stellaops/offline/npm
STELLAOPS_OFFLINE_PYPI_INDEX=/opt/stellaops/offline/pypi
STELLAOPS_OFFLINE_MAVEN_REPO=/opt/stellaops/offline/maven
STELLAOPS_OFFLINE_NUGET_FEED=/opt/stellaops/offline/nuget
STELLAOPS_OFFLINE_CRATES_INDEX=/opt/stellaops/offline/crates
STELLAOPS_OFFLINE_GO_PROXY=/opt/stellaops/offline/goproxy