amduat-api/ops/ASL-AUTH-HOST Configuration.md

Perfect! Here's an example `config.yaml` for your `asl-auth-host`. This integrates domains, courtesy leases, snapshots, and SOPS bundle paths in a way that your host can start in “ready-for-pickup” mode or perform a rescue.

---
## `/etc/asl-auth-host/config.yaml`
```yaml
# ASL-AUTH-HOST Configuration
# Defines domains, policies, and SOPS bundles for bootstrap or rescue
host:
  name: "asl-auth-host-01"
  version: "0.1"
  mode: "rescue" # modes: "rescue" | "admission" | "normal"
domains:
  common:
    id: "00000000-0000-0000-0000-000000000001" # Courtesy/common domain
    type: "courtesy"
    description: "Shared courtesy domain for new users or bootstrapped material"
    path: "/var/lib/asl/common"
    snapshot_retention: 30d
    allowed_operations:
      - read
      - write
      - append
    courtesy_lease: 7d # Default grace period for newcomers
  personal:
    id: "00000000-0000-0000-0000-000000000002" # Personal private domain
    type: "private"
    description: "Private domain for rescued material or user-owned data"
    path: "/var/lib/asl/personal"
    snapshot_retention: 90d
    allowed_operations:
      - read
      - write
      - append
      - seal
      - gc
certificates:
  root_offline_path: "/var/lib/asl/certs/root-offline"
  domain_authority_path: "/var/lib/asl/certs/domain-authority"
  sops_bundle_path: "/var/lib/asl/certs/sops"
policy:
  hash_file: "/etc/asl-auth-host/policy.hash"
  description: "Offline policy hash used to verify compliance before admission or rescue"
logging:
  path: "/var/log/asl-auth-host.log"
  level: "INFO"
store:
  type: "zfs" # or "posix"
  pools:
    - name: "common_pool"
      mount_point: "/var/lib/asl/common"
    - name: "personal_pool"
      mount_point: "/var/lib/asl/personal"
  enable_snapshotting: true
  snapshot_prefix: "asl_snap"
# Optional hooks for init scripts
hooks:
  pre_start: "/bin/init-asl-host.sh"
  post_start: "/bin/helper-mount.sh"
```
---
### Notes:
1. **`host.mode`**:
   * `"rescue"` → SystemRescue boot with ready-for-pickup for old material.
   * `"admission"` → Host expects to receive a DAM and SOPS bundle for new personal domain.
   * `"normal"` → Standard operation with personal domain active.
2. **Domains**:
   * **Common**: Courtesy domain, short-term leases for newcomers.
   * **Personal**: Private domain, snapshots and sealing enabled.
3. **Certificates**:
   * Paths to offline root certs, DAM bundles, and SOPS bundles.
4. **Policy hash**:
   * Offline verification ensures the host doesn't act on incompatible policies.
5. **Store config**:
   * Can be POSIX or ZFS-based.
   * Supports snapshotting for deterministic recovery.
6. **Hooks**:
   * Allows you to initialize ZFS pools, mount overlays, or start ASL binaries.
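
A pre-start check for this file can refuse to bring the host up when the mode, domains and store pools disagree with each other. The following is an added example, not part of the original document or the project's code: `validate_config`, `days` and the rule set are hypothetical, the config is assumed to be already parsed (for instance with `yaml.safe_load`), durations are assumed to be days-only, and the known operations are assumed to be exactly those in the sample above.

```python
import re
import uuid

MODES = {"rescue", "admission", "normal"}               # from the config comment
STORE_TYPES = {"zfs", "posix"}                          # from the config comment
KNOWN_OPS = {"read", "write", "append", "seal", "gc"}   # assumed: ops seen in the sample

# Constructed sample: an abridged copy of the config as a YAML parser would return it.
SAMPLE = {
    "host": {"mode": "rescue"},
    "domains": {"common": {
        "id": "00000000-0000-0000-0000-000000000001", "path": "/var/lib/asl/common",
        "snapshot_retention": "30d", "courtesy_lease": "7d",
        "allowed_operations": ["read", "write", "append"]}},
    "store": {"type": "zfs",
              "pools": [{"name": "common_pool", "mount_point": "/var/lib/asl/common"}]},
}

def days(value):  # '30d' -> 30, anything else -> None
    m = re.fullmatch(r"(\d+)d", str(value))
    return int(m.group(1)) if m else None

def validate_config(cfg):
    """Return a list of problems; an empty list means the host may start."""
    errors = []
    if cfg.get("host", {}).get("mode") not in MODES:
        errors.append("host.mode: expected rescue, admission or normal")
    domains = cfg.get("domains", {})
    for name, d in domains.items():
        try:
            uuid.UUID(str(d.get("id")))
        except ValueError:
            errors.append(f"domains.{name}.id: not a UUID")
        extra = set(d.get("allowed_operations", [])) - KNOWN_OPS
        if extra:
            errors.append(f"domains.{name}.allowed_operations: unknown {sorted(extra)}")
        retention = days(d.get("snapshot_retention"))
        if retention is None:
            errors.append(f"domains.{name}.snapshot_retention: expected '<N>d'")
        if "courtesy_lease" in d:
            lease = days(d["courtesy_lease"])
            if lease is None or (retention is not None and lease > retention):
                errors.append(f"domains.{name}.courtesy_lease: invalid or exceeds retention")
    store = cfg.get("store", {})
    if store.get("type") not in STORE_TYPES:
        errors.append("store.type: expected zfs or posix")
    # Every domain path must be a pool mount point and vice versa.
    mounts = {str(p.get("mount_point", "")) for p in store.get("pools", [])}
    paths = {str(d.get("path", "")) for d in domains.values()}
    for p in sorted(paths ^ mounts):
        errors.append(f"store.pools: {p!r} is not both a domain path and a mount point")
    return errors
```
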
---
This config gives you a **bootable, ready-for-pickup SystemRescue node** that can handle:
* Receiving old data
* Creating your personal domain
* Storing material safely in courtesy/common domain
* Verifying offline DAM bundles before admission
---
I can also **draft the accompanying init script (`init-asl-host.sh`)** that reads this config, sets up domains, mounts pools, and prepares the store for immediate rescue or admission.
Do you want me to do that next?