aboutsummaryrefslogtreecommitdiff
path: root/example-server.conf
blob: 8d299fa72504e7d73689036892adac3d79df3d17 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
# Server config
server {
  use_tls = true  # Optional. If this is set then `tls_key` and `tls_cert` must be set
  tls_key = "server.key"  # Path to TLS key
  tls_cert = "server.crt"  # Path to TLS certificate
  address = "127.0.0.1"  # Optional. IP address to listen on
  port = 443  # Port to listen on
  user = "www" # Optional. User to which the server drops privileges to
  cookie_secret = "supersecret"  # Authentication key for the client cookie
  csrf_secret = "supersecret"  # Authentication key for the CSRF token
  http_logfile = "http.log"  # Logfile for HTTP requests
  datastore = "mysql:user:pass:host:3306"  # engine:username:password:hostname:port
}

# Oauth2 configuration
auth {
  provider = "google"  # Oauth provider to use
  oauth_client_id = "nnnnnnnnnnnnnnnn.apps.googleusercontent.com"  # Oauth client ID
  oauth_client_secret = "yyyyyyyyyyyyyyyyyyyyyy"  # Oauth client secret
  oauth_callback_url = "https://sshca.example.com/auth/callback"  # Oauth callback url
  provider_opts {
    domain = "example.com"  # Oauth-provider specific options
  }
  users_whitelist = ["marco@gmail.com", "niall@gmail.com", "patrick@gmail.com"] # Optional
}

# Configuration for the certificate signer.
ssh {
  signing_key = "signing_key"  # Path to the CA signing secret key
  additional_principals = ["ec2-user", "ubuntu"]  # Additional principals to allow
  max_age = "720h"  # Maximum lifetime of a ssh certificate
  permissions = ["permit-pty", "permit-X11-forwarding", "permit-agent-forwarding", "permit-port-forwarding", "permit-user-rc", "force-command=/bin/ls"]  #  Permissions associated with a certificate
}

# Optional AWS config. if an aws config is present, then files (e.g. signing key or tls cert) can be read from S3 using the syntax `/s3/bucket/path/to/signing.key`.
# These can also be set configured using the standard aws-sdk environment variables, IAM roles etc. https://github.com/aws/aws-sdk-go/wiki/configuring-sdk
aws {
  region = "eu-west-1"
  access_key = "abcdef"
  secret_key = "xyz123"
}

# Optional Vault config. If a vault config is present then files (e.g. signing key or tls cert) can be read from a vault server using the syntax `/vault/secret/service/key_name`.
vault {
  address = "https://127.0.0.1:8200"
  token = "83f01274-c6f0-4dae-aab9-13a6fc62772e"
}