stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 1 Releases Wiki Activity
Files
cfaea5efd942e5461dac7f070b0e8692dbbd729b
git.stella-ops.org/etc/concelier.yaml.sample

114 lines
4.0 KiB
Plaintext
Raw Blame History

# Concelier configuration template for StellaOps deployments.
# Copy to ../etc/concelier.yaml (relative to the web service content root)
# and adjust the values to match your environment. Environment variables
# (prefixed with CONCELIER_) override these settings at runtime.
storage:
driver: mongo
# Mongo connection string. Use SRV URI or standard connection string.
dsn: "mongodb://concelier:concelier@mongo:27017/concelier?authSource=admin"
# Optional database name; defaults to the name embedded in the DSN or 'concelier'.
database: "concelier"
# Mongo command timeout in seconds.
commandTimeoutSeconds: 30
plugins:
# Concelier resolves plug-ins relative to the content root; override as needed.
baseDirectory: ".."
directory: "StellaOps.Concelier.PluginBinaries"
searchPatterns:
- "StellaOps.Concelier.Plugin.*.dll"
telemetry:
enabled: true
enableTracing: false
enableMetrics: false
enableLogging: true
minimumLogLevel: "Information"
serviceName: "stellaops-concelier"
# Configure OTLP endpoint when shipping traces/metrics/logs out-of-band.
otlpEndpoint: ""
# Optional headers for OTLP exporters, for example authentication tokens.
otlpHeaders: {}
# Attach additional resource attributes to telemetry exports.
resourceAttributes:
deployment.environment: "local"
# Emit console exporters for local debugging.
exportConsole: true
authority:
enabled: false
# Temporary rollout flag. When true, Concelier logs anonymous access but does not fail requests
# without tokens. Set to false before 2025-12-31 UTC to enforce authentication fully.
allowAnonymousFallback: true
# Issuer advertised by StellaOps Authority (e.g. https://authority.stella-ops.local).
issuer: "https://authority.stella-ops.local"
# Optional explicit metadata address; defaults to {issuer}/.well-known/openid-configuration.
metadataAddress: ""
requireHttpsMetadata: true
backchannelTimeoutSeconds: 30
tokenClockSkewSeconds: 60
audiences:
- "api://concelier"
requiredScopes:
- "concelier.jobs.trigger"
# Outbound credentials Concelier can use to call Authority (client credentials flow).
clientId: "concelier-jobs"
# Prefer storing the secret outside of the config file. Provide either clientSecret or clientSecretFile.
clientSecret: ""
clientSecretFile: ""
clientScopes:
- "concelier.jobs.trigger"
resilience:
# Enable deterministic retry/backoff when Authority is briefly unavailable.
enableRetries: true
retryDelays:
- "00:00:01"
- "00:00:02"
- "00:00:05"
# Allow stale discovery/JWKS responses when Authority is offline (extend tolerance as needed for air-gapped mirrors).
allowOfflineCacheFallback: true
offlineCacheTolerance: "00:10:00"
# Networks allowed to bypass authentication (loopback by default for on-host cron jobs).
bypassNetworks:
- "127.0.0.1/32"
- "::1/128"
mirror:
enabled: false
# Directory containing JSON exporter outputs (absolute or relative to content root).
exportRoot: "exports/json"
# Optional explicit export identifier; defaults to `latest` symlink or most recent export.
activeExportId: ""
latestDirectoryName: "latest"
mirrorDirectoryName: "mirror"
requireAuthentication: false
maxIndexRequestsPerHour: 600
domains:
- id: "primary"
displayName: "Primary Mirror"
requireAuthentication: false
maxDownloadRequestsPerHour: 1200
sources:
ghsa:
apiToken: "${GITHUB_PAT}"
pageSize: 50
maxPagesPerFetch: 5
requestDelay: "00:00:00.200"
failureBackoff: "00:05:00"
rateLimitWarningThreshold: 500
secondaryRateLimitBackoff: "00:02:00"
cve:
baseEndpoint: "https://cveawg.mitre.org/api/"
apiOrg: ""
apiUser: ""
apiKey: ""
# Optional mirror used when credentials are unavailable.
seedDirectory: "./seed-data/cve"
pageSize: 200
maxPagesPerFetch: 5
initialBackfill: "30.00:00:00"
requestDelay: "00:00:00.250"
failureBackoff: "00:10:00"
Reference in New Issue View Git Blame Copy Permalink