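# Plugin Configuration
# Controls plugin behavior, backends, and fallback strategies.
#
# Note: TOML has no variable substitution. Paths written with a leading `~`
# are stored literally; expanding them is the consuming application's job.

[plugins]
# Global plugin toggle; individual plugins are enabled under their own tables
enabled = true
# Emit a warning whenever a plugin call falls back to HTTP/SOPS. Keep this on:
# a fallback moves work out of process and onto the network endpoints below.
warn_on_fallback = true
# Log performance metrics
log_performance = true
# Use the HTTP fallback when a plugin is not discovered. With this on, a missing
# plugin silently changes the trust boundary (in-process -> network), so the
# [plugins.security] TLS settings govern the fallback path.
use_http_if_missing = true
# Plugin discovery timeout (seconds)
discovery_timeout = 5

# Authentication Plugin Configuration
[plugins.auth]
# Enable authentication plugin
enabled = true
# Control Center API URL. Plain HTTP is a loopback-only default; any
# non-loopback address should be https:// so certificate verification applies.
control_center_url = "http://localhost:3000"
# Token refresh threshold (seconds before expiry).
# If the token expires in less than this, it is auto-refreshed.
token_refresh_threshold = 300
# MFA configuration
mfa_required_for_production = true
mfa_remember_device_days = 30  # days a remembered device skips MFA
# Session timeout (seconds)
session_timeout = 3600
# Token storage. This file holds bearer credentials; it should be readable only
# by the owning user.
token_file = "~/.provisioning/tokens.json"

# KMS Plugin Configuration
[plugins.kms]
# Enable KMS plugin
enabled = true
# Preferred backend (first to try); must match a [plugins.kms.backends.*] table
preferred_backend = "rustyvault"
# Fallback backend if the preferred one fails
fallback_backend = "age"
# Auto-rotate encryption keys
auto_rotate_keys = false
rotation_interval_days = 90
# Cache decrypted values in memory. While enabled, plaintext secrets stay
# resident for up to cache_ttl_seconds after their last decryption.
cache_decrypted = true
cache_ttl_seconds = 300

# KMS Backend: RustyVault
[plugins.kms.backends.rustyvault]
enabled = true
# RustyVault KMS service URL (loopback default; use https:// off-host).
# NOTE(review): this is the same address as the vault backend below —
# presumably only one of the two is expected to listen there; confirm.
url = "http://localhost:8200"
# Mount point for transit engine
mount_point = "transit"
# Key name for encryption
key_name = "provisioning-master"
# Timeout (seconds)
timeout = 30
# Use envelope encryption for payloads larger than envelope_threshold_bytes
use_envelope_encryption = true
envelope_threshold_bytes = 4096

# KMS Backend: Age
[plugins.kms.backends.age]
enabled = true
# Age private key file path; protect it like any private key
key_file = "~/.provisioning/age-key.txt"
# Public key for encryption (empty string = not configured; TOML has no null)
public_key = ""
# Armor output (base64 encoded)
armor = true

# KMS Backend: HashiCorp Vault
[plugins.kms.backends.vault]
enabled = false
# Vault server address (loopback default; use https:// off-host)
address = "http://localhost:8200"
# File holding the Vault token used for authentication
token_file = "~/.vault-token"
# Mount point for transit engine
mount_point = "transit"
# Key name
key_name = "provisioning"
# Timeout (seconds)
timeout = 30

# KMS Backend: AWS KMS
[plugins.kms.backends.aws_kms]
enabled = false
# AWS region
region = "us-east-1"
# KMS key ID or ARN (empty string = not configured)
key_id = ""
# Use envelope encryption
use_envelope_encryption = true
# Encryption context (additional authenticated data). The same context must be
# supplied on decrypt, so changing it invalidates existing ciphertexts.
encryption_context = { Application = "Provisioning" }

# Orchestrator Plugin Configuration
[plugins.orchestrator]
# Enable orchestrator plugin
enabled = true
# Orchestrator URL (loopback default; use https:// off-host)
url = "http://localhost:8080"
# Data directory for file-based operations
data_dir = "./data"
# Prefer the local plugin for localhost URLs.
# If true, uses the plugin for http://localhost:* and http://127.0.0.1:*
# If false, always uses HTTP
prefer_local = true

# Workflow configuration
[plugins.orchestrator.workflows]
# Default timeout for workflow operations (seconds)
default_timeout = 3600
# Maximum concurrent workflows
max_concurrent = 10
# Retry failed operations
retry_on_failure = true
max_retries = 3
retry_delay_seconds = 5
# Checkpoint interval (seconds)
checkpoint_interval = 300

# Batch configuration
[plugins.orchestrator.batch]
# Default parallel limit
parallel_limit = 5
# Enable rollback on failure
rollback_enabled = true
# Storage backend (filesystem, surrealdb)
storage_backend = "filesystem"

# Performance Tuning
[plugins.performance]
# Connection pooling
connection_pool_size = 10
connection_timeout_seconds = 30
# HTTP client configuration
http_user_agent = "Provisioning-Plugin/1.0"
http_timeout_seconds = 30
http_max_redirects = 5  # bounds redirect chains on the HTTP fallback path
# Cache configuration (HTTP responses; distinct from [plugins.kms] cache_decrypted)
enable_response_cache = true
cache_ttl_seconds = 300
cache_max_entries = 1000

# Security Configuration
[plugins.security]
# Verify TLS certificates. Setting this to false disables certificate
# validation for every https:// endpoint configured in this file.
verify_tls = true
# TLS certificate file (if custom CA); empty = system trust store
tls_ca_file = ""
# Client certificate for mutual TLS; empty = no client certificate
client_cert_file = ""
client_key_file = ""
# Allowed cipher suites (empty = use defaults)
cipher_suites = []
# Minimum TLS version ("1.2" or "1.3"); kept as a string on purpose
min_tls_version = "1.3"

# Logging and Monitoring
[plugins.logging]
# Log level (trace, debug, info, warn, error). The more verbose levels may
# record request details, so prefer info or higher outside development.
level = "info"
# Log file path
file = "~/.provisioning/plugins.log"
# Log format (json, text)
format = "json"
# Include timestamps
include_timestamps = true
# Include caller information
include_caller = false

# Metrics configuration
[plugins.metrics]
# Enable metrics collection
enabled = true
# Metrics export format (prometheus, json)
export_format = "json"
# Metrics file
metrics_file = "~/.provisioning/plugin-metrics.json"
# Update interval (seconds)
update_interval = 60

# Feature Flags
[plugins.features]
# Enable experimental features
experimental = false
# Enable beta features
beta = false
# Feature-specific flags
auth_webauthn = true
kms_hardware_security = false
orchestrator_distributed = false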