amduat-api/notes/ASL-AUTH-HOST Configuration.md
2026-01-17 00:19:49 +01:00

Perfect! Here's an example config.yaml for your asl-auth-host. It ties together domains, courtesy leases, snapshots, and SOPS bundle paths so that the host can start in "ready-for-pickup" mode or perform a rescue.

/etc/asl-auth-host/config.yaml

```yaml
# ASL-AUTH-HOST Configuration
# Defines domains, policies, and SOPS bundles for bootstrap or rescue

host:
  name: "asl-auth-host-01"
  version: "0.1"
  mode: "rescue"   # modes: "rescue" | "admission" | "normal"

domains:
  common:
    id: "00000000-0000-0000-0000-000000000001"   # Courtesy/common domain
    type: "courtesy"
    description: "Shared courtesy domain for new users or bootstrapped material"
    path: "/var/lib/asl/common"
    snapshot_retention: 30d
    allowed_operations:
      - read
      - write
      - append
    courtesy_lease: 7d   # Default grace period for newcomers
  personal:
    id: "00000000-0000-0000-0000-000000000002"   # Personal private domain
    type: "private"
    description: "Private domain for rescued material or user-owned data"
    path: "/var/lib/asl/personal"
    snapshot_retention: 90d
    allowed_operations:
      - read
      - write
      - append
      - seal
      - gc

certificates:
  root_offline_path: "/var/lib/asl/certs/root-offline"
  domain_authority_path: "/var/lib/asl/certs/domain-authority"
  sops_bundle_path: "/var/lib/asl/certs/sops"

policy:
  hash_file: "/etc/asl-auth-host/policy.hash"
  description: "Offline policy hash used to verify compliance before admission or rescue"

logging:
  path: "/var/log/asl-auth-host.log"
  level: "INFO"

store:
  type: "zfs"   # or "posix"
  pools:
    - name: "common_pool"
      mount_point: "/var/lib/asl/common"
    - name: "personal_pool"
      mount_point: "/var/lib/asl/personal"
  enable_snapshotting: true
  snapshot_prefix: "asl_snap"

# Optional hooks for init scripts
hooks:
  pre_start: "/bin/init-asl-host.sh"
  post_start: "/bin/helper-mount.sh"
```

Notes:

1. host.mode:
   - "rescue" → SystemRescue boot with ready-for-pickup for old material.
   - "admission" → Host expects to receive a DAM and SOPS bundle for a new personal domain.
   - "normal" → Standard operation with the personal domain active.
2. Domains:
   - Common: Courtesy domain, short-term leases for newcomers.
   - Personal: Private domain, snapshots and sealing enabled.
3. Certificates:
   - Paths to offline root certs, DAM bundles, and SOPS bundles.
4. Policy hash:
   - Offline verification ensures the host doesn't act on incompatible policies.
5. Store config:
   - Can be POSIX- or ZFS-based.
   - Supports snapshotting for deterministic recovery.
6. Hooks:
   - Allow you to initialize ZFS pools, mount overlays, or start ASL binaries.
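
Before the host acts on a config like this, it is worth sanity-checking the file for internal consistency: an unknown mode, a courtesy domain that grants seal/gc, a lease longer than the snapshots backing it, or a domain path with no ZFS pool behind it. The validator below is an added example, not asl-auth-host code; it transcribes the page's YAML as a Python dict to avoid a PyYAML dependency, and the rules it enforces are assumptions about how the fields should fit together.

```python
# Constructed example: the page's config.yaml as a Python dict (no PyYAML dependency).
# The checks in validate() are assumed consistency rules, not asl-auth-host behaviour.
CONFIG = {
    "host": {"name": "asl-auth-host-01", "version": "0.1", "mode": "rescue"},
    "domains": {
        "common": {"type": "courtesy", "path": "/var/lib/asl/common",
                   "snapshot_retention": "30d", "courtesy_lease": "7d",
                   "allowed_operations": ["read", "write", "append"]},
        "personal": {"type": "private", "path": "/var/lib/asl/personal",
                     "snapshot_retention": "90d",
                     "allowed_operations": ["read", "write", "append", "seal", "gc"]},
    },
    "store": {"type": "zfs", "pools": [
        {"name": "common_pool", "mount_point": "/var/lib/asl/common"},
        {"name": "personal_pool", "mount_point": "/var/lib/asl/personal"}]},
}

MODES = {"rescue", "admission", "normal"}
COURTESY_OPS = {"read", "write", "append"}  # assumed: a shared domain never seals or gc's
UNITS = {"d": 86400, "h": 3600, "m": 60}

def parse_duration(text):
    """'30d' -> 2592000 seconds; raises ValueError for anything else."""
    if len(text) < 2 or text[-1] not in UNITS or not text[:-1].isdigit():
        raise ValueError(f"bad duration {text!r}")
    return int(text[:-1]) * UNITS[text[-1]]

def validate(cfg):
    """Return a list of problems; an empty list means the config is consistent."""
    errors = []
    if cfg["host"].get("mode") not in MODES:
        errors.append(f"host.mode must be one of {sorted(MODES)}")
    mounts = {p["mount_point"] for p in cfg["store"].get("pools", [])}
    for name, dom in cfg["domains"].items():
        try:
            retention = parse_duration(dom["snapshot_retention"])
            lease = parse_duration(dom.get("courtesy_lease", "0d"))
        except (KeyError, ValueError) as exc:
            errors.append(f"domains.{name}: {exc}")
            continue
        if dom.get("type") == "courtesy":
            extra = set(dom.get("allowed_operations", [])) - COURTESY_OPS
            if extra:
                errors.append(f"domains.{name}: courtesy domain grants {sorted(extra)}")
            if lease > retention:  # assumed: a lease must not outlive its snapshots
                errors.append(f"domains.{name}: courtesy_lease exceeds snapshot_retention")
        if cfg["store"].get("type") == "zfs" and dom.get("path") not in mounts:  # pool-backed?
            errors.append(f"domains.{name}.path has no matching store pool mount_point")
    return errors
```

Running validate() against the dict above returns an empty list; the init script could refuse to enter rescue or admission mode whenever it does not.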

This config gives you a bootable, ready-for-pickup SystemRescue node that can handle:

- Receiving old data
- Creating your personal domain
- Storing material safely in the courtesy/common domain
- Verifying offline DAM bundles before admission

I can also draft the accompanying init script (init-asl-host.sh) that reads this config, sets up domains, mounts pools, and prepares the store for immediate rescue or admission.

Do you want me to do that next?