# Server config server { use_tls = true # Optional. If this is set then `tls_key` and `tls_cert` must be set tls_key = "server.key" # Path to TLS key tls_cert = "server.crt" # Path to TLS certificate address = "127.0.0.1" # Optional. IP address to listen on port = 443 # Port to listen on user = "www" # Optional. User to which the server drops privileges to cookie_secret = "supersecret" # Authentication key for the client cookie csrf_secret = "supersecret" # Authentication key for the CSRF token http_logfile = "http.log" # Logfile for HTTP requests database { type = "mysql" address = "host:3306" username = "user" password = "pass" } } # Oauth2 configuration auth { provider = "google" # Oauth provider to use oauth_client_id = "nnnnnnnnnnnnnnnn.apps.googleusercontent.com" # Oauth client ID oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy" # Oauth client secret oauth_callback_url = "https://sshca.example.com/auth/callback" # Oauth callback url provider_opts { domain = "example.com" # Oauth-provider specific options } users_whitelist = ["marco@gmail.com", "niall@gmail.com", "patrick@gmail.com"] # Optional } # Configuration for the certificate signer. ssh { signing_key = "signing_key" # Path to the CA signing secret key additional_principals = ["ec2-user", "ubuntu"] # Additional principals to allow max_age = "720h" # Maximum lifetime of a ssh certificate permissions = ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc", "force-command=/bin/ls"] # Permissions associated with a certificate } # Optional AWS config. if an aws config is present, then files (e.g. signing key or tls cert) can be read from S3 using the syntax `/s3/bucket/path/to/signing.key`. # These can also be set configured using the standard aws-sdk environment variables, IAM roles etc. https://github.com/aws/aws-sdk-go/wiki/configuring-sdk aws { region = "eu-west-1" access_key = "abcdef" secret_key = "xyz123" } # Optional Vault config. If a vault config is present then files (e.g. signing key or tls cert) can be read from a vault server using the syntax `/vault/secret/service/key_name`. vault { address = "https://127.0.0.1:8200" token = "83f01274-c6f0-4dae-aab9-13a6fc62772e" }