jesus/provisioning
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
provisioning/schemas/platform/common/security.ncl

135 lines
3.1 KiB
Text
Raw Normal View History

chore: complete nickel migration and consolidate legacy configs - Remove KCL ecosystem (~220 files deleted) - Migrate all infrastructure to Nickel schema system - Consolidate documentation: legacy docs → provisioning/docs/src/ - Add CI/CD workflows (.github/) and Rust build config (.cargo/) - Update core system for Nickel schema parsing - Update README.md and CHANGES.md for v5.0.0 release - Fix pre-commit hooks: end-of-file, trailing-whitespace - Breaking changes: KCL workspaces require migration - Migration bridge available in docs/src/development/
2026-01-08 09:55:37 +00:00
# Security Configuration Schema
# Common schema for authentication, RBAC, and encryption
{
# Supported KMS backends
SecurityConfig = {
# JWT Configuration
jwt | {
# JWT issuer
issuer | String | optional,
# JWT audience
audience | String | optional,
# Token expiration in seconds
expiration | Number | optional,
# Refresh token expiration in seconds
refresh_expiration | Number | optional,
# Secret key for JWT signing
secret | String | optional,
# Algorithm (HS256, RS256, etc.)
algorithm | String | optional,
} | optional,
# Encryption Configuration
encryption | {
# KMS backend: none, age, sops, kms_external
kms_backend | String | default = 'none,
# Path to encryption key file
key_path | String | optional,
# Master encryption key (for age/SOPS)
master_key | String | optional,
# Enable encrypted field storage
enable_field_encryption | Bool | default = false,
} | optional,
# RBAC Configuration
rbac | {
# Enable RBAC
enabled | Bool | default = false,
# Default role for new users
default_role | String | optional,
# Allow role inheritance
inheritance | Bool | default = true,
} | optional,
# MFA Configuration
mfa | {
# Require MFA for all users
required | Bool | default = false,
# Supported MFA methods (totp, webauthn, etc.)
methods | Array String | optional,
# Max failed MFA attempts before lockout
max_attempts | String | optional,
# Lockout duration in minutes
lockout_duration | Number | optional,
} | optional,
# Rate Limiting
rate_limiting | {
# Enable rate limiting
enabled | Bool | default = false,
# Max requests per window
max_requests | String | optional,
# Time window in seconds
window_seconds | Number | optional,
# Lockout duration in minutes
lockout_duration | Number | optional,
} | optional,
# Session Configuration
session | {
# Session max duration in seconds
max_duration | Number | optional,
# Idle timeout in seconds
idle_timeout | Number | optional,
# Enable session tracking
tracking | Bool | default = false,
} | optional,
# TLS Configuration
tls | {
# Enable TLS
enabled | Bool | default = false,
# Path to certificate file
cert_path | String | optional,
# Path to key file
key_path | String | optional,
# CA certificate path for client verification
ca_path | String | optional,
# Require client certificates
client_auth | Bool | default = false,
} | optional,
# CORS Configuration
cors | {
# Enable CORS
enabled | Bool | default = false,
# Allowed origins (comma-separated or array)
allowed_origins | Array String | optional,
# Allow credentials
allow_credentials | Bool | default = false,
# Allowed methods
allowed_methods | Array String | optional,
# Allowed headers
allowed_headers | Array String | optional,
} | optional,
},
}
Reference in a new issue Copy permalink