provisioning/config/ssh-config.toml.example
Jesús Pérez 6a59d34bb1
chore: update provisioning configuration and documentation
Update configuration files, templates, and internal documentation
for the provisioning repository system.

Configuration Updates:
- KMS configuration modernization
- Plugin system settings
- Service port mappings
- Test cluster topologies
- Installation configuration examples
- VM configuration defaults
- Cedar authorization policies

Documentation Updates:
- Library module documentation
- Extension API guides
- AI system documentation
- Service management guides
- Test environment setup
- Plugin usage guides
- Validator configuration documentation

All changes are backward compatible.
2025-12-11 21:50:42 +00:00


# SSH Temporal Key Management Configuration
#
# Example configuration for the SSH key management system, which automates
# generation, deployment, and cleanup of short-lived SSH keys. Copy it to
# your live config and adjust the paths, Vault settings and user lists;
# keep secrets (Vault token, private keys) out of the file itself.
[ssh]
# Master switch for the temporal SSH key subsystem.
enabled = true
# Private key the provisioner uses to push generated keys to target
# servers. It is a standing credential that must reach every managed
# host: keep it out of version control, restrict it to the
# provisioning user (mode 0600) and rotate it like any other
# long-lived administrative credential.
provisioning_key_path = "/path/to/provisioning/ssh/key"
# Lifetime of a generated key when the caller does not specify one.
# Should lie within the min_ttl / max_ttl bounds in [ssh.security].
default_ttl = 3600  # seconds (1 hour)
# How often the expiry sweep looks for keys past their TTL.
cleanup_interval = 300  # seconds (5 minutes)
[ssh.vault]
# Off by default. When enabled, credentials are issued by Vault's SSH
# secrets engine instead of locally generated key pairs.
enabled = false
# Issuing mode: "ca" signs short-lived certificates (recommended),
# "otp" hands out one-time passwords.
mode = "ca"
# Vault API endpoint. Keep this https: the token and every issued
# credential travel over this connection.
addr = "https://vault.example.com:8200"
# Mount path of the SSH secrets engine.
mount_point = "ssh"
# Do not put the Vault token in this file — example configs tend to be
# committed. Export VAULT_TOKEN in the process environment instead.
# token = "your-vault-token"
[ssh.vault.ca]
# Applies when mode = "ca".
# Vault SSH role used to sign client certificates.
role = "default"
# Requested certificate lifetime and the ceiling the role will honour.
# Keep max_ttl aligned with [ssh.security] max_ttl (86400 s = 24h) so
# the two limits do not disagree.
ttl = "1h"
max_ttl = "24h"
# Principals a signed certificate may carry. Including "root" here
# presumably lets any issued certificate request root on every
# target — trim this to the least-privileged set the workflow needs.
allowed_users = "root,admin,deploy"
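[ssh.vault.otp]
# Applies when mode = "otp".
# Vault SSH role that issues one-time passwords.
role = "otp_key_role"
# Account used when the caller does not name one. Defaulting to root
# means a mis-scoped request yields a root login; prefer an
# unprivileged deployment account and escalate on the host if needed.
default_user = "root"
# Hosts this role may issue OTPs for. The original example shipped
# 0.0.0.0/0, which would allow an OTP to be minted for any address.
# The value below is a placeholder — replace it with the subnet(s)
# that actually contain managed servers.
cidr_list = "10.0.0.0/8"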
[ssh.security]
# Bounds on the lifetime of any generated key, in seconds. The 24 h
# ceiling limits how long a leaked key stays usable; the 5 min floor
# avoids keys that expire before deployment completes.
max_ttl = 86400  # 24 hours
min_ttl = 300  # 5 minutes
# A key must be pushed to its target (see [ssh.deployment]) before
# it is handed to a caller.
require_deployment = true
# Record every SSH operation. Leave enabled: this is the trail of who
# obtained access to which host and when.
audit_logging = true
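[ssh.deployment]
# Give up on a single SSH connection attempt after this long.
connection_timeout = 30  # seconds
# Re-attempt a failed push this many times, pausing retry_delay between.
max_retries = 3
retry_delay = 5  # seconds
# Options passed to the ssh client when pushing keys.
#
# The earlier example used StrictHostKeyChecking=no together with
# UserKnownHostsFile=/dev/null, which disables host-key verification
# entirely: a host answering at a target's address would be accepted
# silently and receive everything the provisioner sends over that
# session. accept-new records a host's key on first contact and refuses
# to connect if it later changes (requires a reasonably recent OpenSSH);
# pre-seeding the known_hosts file from inventory is better still.
# LogLevel=ERROR keeps output quiet but does not mask a host-key
# mismatch, which is a connection failure rather than a warning.
ssh_options = [
  "StrictHostKeyChecking=accept-new",
  "UserKnownHostsFile=/path/to/provisioning/ssh/known_hosts",
  "LogLevel=ERROR",
]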
[ssh.cleanup]
# Sweep expired keys automatically on the [ssh] cleanup_interval.
enabled = true
# Also revoke the key on the target host, not only in local state.
# Turning this off leaves authorized keys in place after their TTL,
# which defeats the purpose of short-lived keys.
remove_from_servers = true
# Wait this long past expiry before revoking, so in-flight sessions
# can finish.
grace_period = 60  # seconds
# Upper bound on keys processed in one sweep.
batch_size = 100
[ssh.monitoring]
# Export metrics about key issuance, deployment and expiry.
enabled = true
collection_interval = 60  # seconds between metric samples
# Raise an alert when an expired key is still present after
# stale_threshold. 3600 s is well beyond cleanup_interval (300 s)
# plus grace_period (60 s), so an alert points at a stuck or failing
# sweep rather than normal latency.
alert_on_stale_keys = true
stale_threshold = 3600  # seconds
[ssh.api]
# Expose key-management operations over REST.
enabled = true
# Every endpoint requires an authenticated caller. Do not disable
# outside a throwaway test environment: an unauthenticated endpoint
# that can mint keys for managed hosts is as sensitive as the
# provisioning key itself.
require_auth = true
# Request ceiling; also bounds how quickly an abused credential can
# mint keys.
rate_limit = 60  # requests per minute
# Leave disabled in production. Enabling it lets an API caller pull
# private key material, so an issued key can no longer be tied to the
# single party the audit log says received it.
allow_private_key_retrieval = false