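# SSH Temporal Key Management Configuration
#
# This file configures the SSH key management system for automated
# generation, deployment, and cleanup of short-lived SSH keys.
#
# Values of the form "/path/to/..." and "*.example.com" are placeholders
# and must be replaced before use. TOML has no variable interpolation,
# so secrets (such as the Vault token) must not be written into this
# file; the application is expected to read them from the environment.

[ssh]
# Enable SSH key management
enabled = true

# Default TTL for generated keys (in seconds).
# Expected to lie within [ssh.security] min_ttl .. max_ttl.
# Default: 3600 (1 hour)
default_ttl = 3600

# Cleanup interval for expired keys (in seconds)
# Default: 300 (5 minutes)
cleanup_interval = 300

# Path to the provisioning SSH key used to deploy keys to servers.
# This key must have access to target servers. It is the one long-lived
# credential in this setup: keep the file readable only by the service
# account and do not reuse it for interactive logins.
provisioning_key_path = "/path/to/provisioning/ssh/key"

[ssh.vault]
# Enable Vault integration for OTP and CA modes
enabled = false

# Vault server address. Keep the https scheme: the token and every
# issued credential travel over this connection.
addr = "https://vault.example.com:8200"

# Vault token: do not set it here. Use the VAULT_TOKEN environment
# variable so the token is neither committed to version control nor
# readable by anyone who can read this file.
# token = "your-vault-token"

# Vault SSH secrets engine mount point
mount_point = "ssh"

# Vault SSH mode: "ca" or "otp"
# - "ca": Certificate Authority mode (recommended: short-lived
#         certificates, no per-host key distribution)
# - "otp": One-Time Password mode
mode = "ca"

[ssh.vault.ca]
# CA mode configuration
role = "default"
ttl = "1h"
# Upper bound the Vault role will sign for. Keep it consistent with
# [ssh.security] max_ttl (86400 s = 24 h); this file does not show
# which of the two limits the application enforces first.
max_ttl = "24h"
# Principals the role may sign for (comma-separated, as the Vault role
# expects). Prefer dedicated non-root accounts where target hosts allow it.
allowed_users = "root,admin,deploy"

[ssh.vault.otp]
# OTP mode configuration
role = "otp_key_role"
default_user = "root"
# Hosts the OTP role may issue credentials for. Restrict this to the
# subnets that actually contain managed servers; "0.0.0.0/0" would let
# the role mint credentials for any address.
# Example placeholder value - replace with your own ranges.
cidr_list = "10.0.0.0/8"

[ssh.security]
# Maximum TTL allowed for keys (in seconds)
# Prevents generation of long-lived keys
max_ttl = 86400  # 24 hours

# Minimum TTL allowed for keys (in seconds)
min_ttl = 300  # 5 minutes

# Require key deployment before use
require_deployment = true

# Enable audit logging for all SSH operations
audit_logging = true

[ssh.deployment]
# SSH connection timeout (in seconds)
connection_timeout = 30

# Number of deployment retries
max_retries = 3

# Retry delay (in seconds)
retry_delay = 5

# Options passed to the SSH client when deploying keys.
# Host keys are checked against the service account's known_hosts file:
# an unknown host is recorded on first contact ("accept-new", OpenSSH
# 7.6+), and a host whose key later changes is rejected. Do not combine
# StrictHostKeyChecking=no with UserKnownHostsFile=/dev/null - that
# disables host verification entirely, so an impersonating host would
# receive the keys being deployed. For the strictest setting, pre-seed
# known_hosts and use StrictHostKeyChecking=yes.
ssh_options = [
    "StrictHostKeyChecking=accept-new",
    "LogLevel=ERROR",
]

[ssh.cleanup]
# Enable automatic cleanup of expired keys
enabled = true

# Remove keys from servers on expiration
remove_from_servers = true

# Grace period before removing expired keys (in seconds)
grace_period = 60

# Maximum number of keys to cleanup per run
batch_size = 100

[ssh.monitoring]
# Enable SSH key metrics
enabled = true

# Metrics collection interval (in seconds)
collection_interval = 60

# Alert on expired keys not cleaned up
alert_on_stale_keys = true

# Stale key threshold (in seconds). A key still present this long after
# expiry (here: 12 cleanup_interval periods) is reported as stale.
stale_threshold = 3600

[ssh.api]
# Enable REST API endpoints
enabled = true

# API rate limiting (requests per minute)
rate_limit = 60

# Require authentication for API endpoints
require_auth = true

# Allow private key retrieval via API. Keep this false: an API that
# returns private keys turns every API credential into an SSH credential.
allow_private_key_retrieval = false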