niklas/amduat-api
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity
amduat-api/ops/ASL-AUTH-HOST Configuration.md
Carl Niklas Rydberg 4cba1f45eb Move host/rescue docs to ops tier
2026-01-17 09:04:19 +01:00

117 lines
3.2 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Perfect! Heres an example `config.yaml` for your `asl-auth-host`. This integrates domains, courtesy leases, snapshots, and SOPS bundle paths in a way that your host can start in “ready-for-pickup” mode or perform a rescue.
---
## `/etc/asl-auth-host/config.yaml`
```yaml
# ASL-AUTH-HOST Configuration
# Defines domains, policies, and SOPS bundles for bootstrap or rescue
host:
name: "asl-auth-host-01"
version: "0.1"
mode: "rescue" # modes: "rescue" | "admission" | "normal"
domains:
common:
id: "00000000-0000-0000-0000-000000000001" # Courtesy/common domain
type: "courtesy"
description: "Shared courtesy domain for new users or bootstrapped material"
path: "/var/lib/asl/common"
snapshot_retention: 30d
allowed_operations:
- read
- write
- append
courtesy_lease: 7d # Default grace period for newcomers
personal:
id: "00000000-0000-0000-0000-000000000002" # Personal private domain
type: "private"
description: "Private domain for rescued material or user-owned data"
path: "/var/lib/asl/personal"
snapshot_retention: 90d
allowed_operations:
- read
- write
- append
- seal
- gc
certificates:
root_offline_path: "/var/lib/asl/certs/root-offline"
domain_authority_path: "/var/lib/asl/certs/domain-authority"
sops_bundle_path: "/var/lib/asl/certs/sops"
policy:
hash_file: "/etc/asl-auth-host/policy.hash"
description: "Offline policy hash used to verify compliance before admission or rescue"
logging:
path: "/var/log/asl-auth-host.log"
level: "INFO"
store:
type: "zfs" # or "posix"
pools:
- name: "common_pool"
mount_point: "/var/lib/asl/common"
- name: "personal_pool"
mount_point: "/var/lib/asl/personal"
enable_snapshotting: true
snapshot_prefix: "asl_snap"
# Optional hooks for init scripts
hooks:
pre_start: "/bin/init-asl-host.sh"
post_start: "/bin/helper-mount.sh"
```
---
### Notes:
1. **`host.mode`**:
* `"rescue"` → SystemRescue boot with ready-for-pickup for old material.
* `"admission"` → Host expects to receive a DAM and SOPS bundle for new personal domain.
* `"normal"` → Standard operation with personal domain active.
2. **Domains**:
* **Common**: Courtesy domain, short-term leases for newcomers.
* **Personal**: Private domain, snapshots and sealing enabled.
3. **Certificates**:
* Paths to offline root certs, DAM bundles, and SOPS bundles.
4. **Policy hash**:
* Offline verification ensures host doesnt act on incompatible policies.
5. **Store config**:
* Can be POSIX or ZFS-based.
* Supports snapshotting for deterministic recovery.
6. **Hooks**:
* Allows you to initialize ZFS pools, mount overlays, or start ASL binaries.
---
This config gives you a **bootable, ready-for-pickup SystemRescue node** that can handle:
* Receiving old data
* Creating your personal domain
* Storing material safely in courtesy/common domain
* Verifying offline DAM bundles before admission
---
I can also **draft the accompanying init script (`init-asl-host.sh`)** that reads this config, sets up domains, mounts pools, and prepares the store for immediate rescue or admission.
Do you want me to do that next?
Reference in a new issue View git blame Copy permalink