StellaOps Configuration (etc/)
This directory contains all configuration for StellaOps services. It is the single source of truth for deployment configuration.
Directory Structure
etc/
├── authority/ # Authentication & authorization service
├── certificates/ # Trust anchors and signing keys
├── concelier/ # Advisory ingestion service
├── crypto/ # Regional cryptographic profiles
├── env/ # Environment-specific profiles (dev/stage/prod/airgap)
├── llm-providers/ # AI/LLM provider configurations
├── notify/ # Notification service & templates
├── plugins/ # Plugin manifests (configuration, not binaries)
├── policy/ # Policy engine configuration & packs
├── router/ # Transport router configuration
├── scanner/ # Container scanning service
├── scheduler/ # Job scheduling service
├── scm-connectors/ # Source control integrations
├── secrets/ # Development secrets only (NEVER for production)
├── signals/ # Runtime signals configuration
└── vex/ # VEX processing services
File Naming Convention
| Pattern | Purpose | Git Status |
|---|---|---|
*.yaml.sample |
Documented template with all options | Committed |
*.yaml |
Active configuration | Git-ignored |
*.env.sample |
Environment variable template | Committed |
env.* |
Active environment file | Git-ignored |
Quick Start
# 1. Copy sample to active config
cp etc/scanner/scanner.yaml.sample etc/scanner/scanner.yaml
# 2. Edit for your environment
vi etc/scanner/scanner.yaml
# 3. Copy environment profile
cp etc/env/dev.env.sample etc/env/dev.env
Regional Crypto Profiles
For compliance with regional cryptographic standards:
| Profile | Standard | Use Case |
|---|---|---|
us-fips |
FIPS 140-3 | US Federal, DoD |
eu |
eIDAS | EU qualified signatures |
ru |
GOST R 34.10/11/12 | Russian Federation |
cn |
GM/T (SM2/SM3/SM4) | China |
kr |
KCMVP | South Korea |
Activate via:
export STELLAOPS_CRYPTO_PROFILE=us-fips
What Lives Elsewhere
| Directory | Purpose |
|---|---|
plugins/ |
Compiled plugin binaries (runtime artifacts) |
opt/ |
Optional vendor packages (CryptoPro, etc.) |
offline/ |
Air-gap operational state (feeds, packages) |
Security
- NEVER commit active configs (
.yamlfiles are git-ignored) - Secrets via environment variables or external secret managers
etc/secrets/contains ONLY development/sample keys - never for production- Production signing keys must come from HSM, Vault, or KMS
Documentation
Full guide: docs/operations/configuration-guide.md