# ASL/AUTH-HOST-CONFIG/1 - Configuration Schema

Status: Draft
Owner: Architecture
Version: 0.1.0
SoT: No
Last Updated: 2026-01-17
Tags: [ops, authority, config]

**Document ID:** `ASL/AUTH-HOST-CONFIG/1`
**Layer:** O2C - Authority host configuration

**Depends on (normative):**

* `ASL/AUTH-HOST/1`
* `ASL/HOST/1`

**Informative references:**

* `ENC-ASL-AUTH-HOST/1`

---

## 0. Conventions

The key words **MUST**, **MUST NOT**, **REQUIRED**, **SHOULD**, and **MAY** are to be
interpreted as in RFC 2119.

---

## 1. Purpose and Scope

This document defines the configuration schema for an ASL authority host.
Configuration is expressed as a single YAML file.

---

## 2. File Format

* UTF-8 YAML 1.2
* Root object with the fields defined below
* Unknown fields SHOULD be ignored with a warning

---

## 3. Root Schema

```
host:
  name: string
  version: string
  mode: "rescue" | "admission" | "normal"

domains:
  <name>:
    id: string
    type: "courtesy" | "private" | "authority"
    description: string
    path: string
    snapshot_retention: duration
    allowed_operations: [read, write, append, seal, gc]
    courtesy_lease: duration

certificates:
  root_offline_path: string
  domain_authority_path: string
  sops_bundle_path: string

policy:
  hash_file: string
  description: string

logging:
  path: string
  level: "DEBUG" | "INFO" | "WARN" | "ERROR"

store:
  type: "posix" | "zfs"
  pools:
    - name: string
      mount_point: string
  enable_snapshotting: boolean
  snapshot_prefix: string

hooks:
  pre_start: string
  post_start: string
```

---

## 4. Semantics

* `host.mode` controls startup behavior.
* `domains` entries are keyed by stable names; `id` is the authoritative domain
  identifier.
* `courtesy_lease` is required for `type: courtesy` and MUST be omitted for
  `type: authority`.
* `store.type` selects the host backend. If `zfs`, each pool entry MUST be
  mounted before starting the host.

---
## 5. Example Configuration

```yaml
host:
  name: "asl-auth-host-01"
  version: "0.1"
  mode: "rescue"

domains:
  common:
    id: "00000000-0000-0000-0000-000000000001"
    type: "courtesy"
    description: "Shared courtesy domain"
    path: "/var/lib/asl/common"
    snapshot_retention: 30d
    allowed_operations: [read, write, append]
    courtesy_lease: 7d
  personal:
    id: "00000000-0000-0000-0000-000000000002"
    type: "private"
    description: "Private rescue domain"
    path: "/var/lib/asl/personal"
    snapshot_retention: 90d
    allowed_operations: [read, write, append, seal, gc]

certificates:
  root_offline_path: "/var/lib/asl/certs/root-offline"
  domain_authority_path: "/var/lib/asl/certs/domain-authority"
  sops_bundle_path: "/var/lib/asl/certs/sops"

policy:
  hash_file: "/etc/asl-auth-host/policy.hash"
  description: "Offline policy hash"

logging:
  path: "/var/log/asl-auth-host.log"
  level: "INFO"

store:
  type: "zfs"
  pools:
    - name: "common_pool"
      mount_point: "/var/lib/asl/common"
    - name: "personal_pool"
      mount_point: "/var/lib/asl/personal"
  enable_snapshotting: true
  snapshot_prefix: "asl_snap"

hooks:
  pre_start: "/bin/init-asl-host.sh"
  post_start: "/bin/helper-mount.sh"
```

---

## 6. Versioning

Backward-incompatible schema changes MUST bump the major version.