# usulnet Configuration
# Structure must match Go Config struct in internal/app/config.go
# Operation mode: master | agent
# NOTE(review): which services each mode starts is defined by the Go Config
# struct in internal/app/config.go, not by this file — confirm there before
# assuming an "agent" needs fewer of the sections below.
mode: "master"
# Server settings
server:
  # Binds every interface. Inside a container that is expected; on a host
  # install, put a firewall or reverse proxy in front (or bind a specific
  # address), otherwise the admin UI/API is reachable from every network the
  # host is attached to.
  host: "0.0.0.0"
  port: 8080
  https_port: 7443
  # Connection timeouts. Keep read_timeout bounded: it is the main defence
  # against slow clients holding connections open.
  read_timeout: "30s"
  write_timeout: "30s"
  idle_timeout: "120s"
  shutdown_timeout: "10s"
  # TLS / HTTPS configuration
  # When enabled, the server listens on both :8080 (HTTP) and :7443 (HTTPS)
  tls:
    enabled: true # HTTPS enabled on port 7443 (auto-generates self-signed cert)
    # Auto-generated certificates come from usulnet's internal CA, so browsers
    # and API clients will reject them until that CA is trusted. For anything
    # beyond a single-host dev setup, supply cert_file/key_file issued by a CA
    # your clients already trust.
    auto_tls: true
    # cert_file: "" # Custom certificate path (overrides auto-generated)
    # key_file: "" # Custom private key path (restrict file permissions)
    # data_dir: "" # PKI data directory (default: <storage.path>/pki) — presumably
    #              # holds the internal CA private key; protect it like one
    # Redirect HTTP→HTTPS when TLS is enabled (health checks still work over
    # HTTP). A redirect does not protect a request already sent in the clear:
    # credentials posted to :8080 are exposed before the redirect happens, so
    # do not publish the HTTP port beyond the health-check consumers.
    redirect_https: true
# Database (PostgreSQL)
database:
  # Example credentials for the local compose stack only. Replace user,
  # password and host before any real deployment and keep the real DSN out of
  # version control — the dev password committed here is effectively public.
  url: "postgres://usulnet:usulnet_dev@postgres:5432/usulnet"
  # "require" encrypts the connection but does NOT verify the server
  # certificate, so an on-path attacker presenting any certificate can still
  # intercept it. Use verify-full together with ssl_rootcert whenever the
  # database is not on the same trusted network segment.
  # Options: disable, prefer, require, verify-full
  ssl_mode: "require"
  # ssl_rootcert: "" # CA certificate for server verification (required for verify-full)
  # ssl_cert: "" # Client certificate (optional, for mTLS)
  # ssl_key: "" # Client private key (optional, for mTLS)
  # Connection pool limits; keep max_open_conns below the PostgreSQL
  # max_connections budget shared with other clients.
  max_open_conns: 25
  max_idle_conns: 10
  conn_max_lifetime: "30m"
  conn_max_idle_time: "5m"
# Redis (caching and sessions)
# TLS is auto-configured when server.tls.enabled=true (default).
# The redis:// URL is automatically upgraded to rediss:// when TLS is active.
redis:
  # No credentials in this URL. Redis holds session data, so it must be
  # reachable only from the usulnet network, or the server should require a
  # password (standard form is redis://:password@host:port — confirm the
  # client accepts it).
  url: "redis://redis:6379"
  # tls_enabled: true # Auto-enabled by PKI when server.tls.enabled=true
  # Skipping verification encrypts the link but does not authenticate the
  # Redis server: a host that can intercept the connection can read and forge
  # sessions. The internal PKI already produces a CA — point tls_ca_file at
  # it and leave tls_skip_verify off for anything beyond a single host.
  # tls_skip_verify: true # Skip CA verification (default for self-signed)
  # tls_ca_file: "" # CA certificate for server verification
  # tls_cert_file: "" # Client certificate (optional, for mTLS)
  # tls_key_file: "" # Client private key (optional, for mTLS)
# NATS (messaging) — TLS encrypted by default (self-signed cert)
nats:
  url: "natss://nats:4222"
  name: "usulnet"
  # All credentials are commented out, so the connection is unauthenticated
  # unless the NATS server itself rejects anonymous clients. Anyone who can
  # reach :4222 can then publish/subscribe on usulnet subjects; configure a
  # token or user/password here and on the server, or isolate the NATS network.
  # token: "" # NATS auth token (if server requires it)
  # username: "" # NATS username (alternative to token)
  # password: "" # NATS password
  jetstream:
    enabled: true
  # tls: # TLS is auto-enabled by natss:// URL scheme
  #   cert_file: "" # Client certificate path (for mutual TLS)
  #   key_file: "" # Client private key path
  #   ca_file: "" # CA certificate path (for server verification)
  #   skip_verify: true # Default: true (self-signed CA). As with Redis, this
  #                     # disables server authentication; prefer setting ca_file.
# Security (JWT, encryption, passwords)
# This is the section the app validates - NOT "auth"
security:
  # REQUIRED: Generate with: openssl rand -hex 32
  # DO NOT use the example values — generate unique secrets for each deployment.
  # Anyone holding this value can mint valid tokens for any user: keep it out
  # of version control and rotate it if it leaks (rotating presumably
  # invalidates all outstanding tokens).
  jwt_secret: ""
  # A stolen access token stays usable for this long unless the app revokes
  # it server-side; shorten it for internet-exposed deployments.
  jwt_expiry: "24h"
  refresh_expiry: "168h"
  # REQUIRED: Generate with: openssl rand -hex 32 (must be 64 hex chars = 32 bytes)
  # Presumably encrypts configuration stored by the app (the nginx section
  # keys off it). Losing it makes that data unrecoverable, so back it up
  # separately from the database.
  config_encryption_key: ""
  # Secure cookies are only sent over HTTPS, so this depends on server.tls
  # (or a TLS-terminating proxy in front). Do not turn it off to "fix" a
  # plain-HTTP setup — fix the transport instead.
  cookie_secure: true
  # "lax" still sends the cookie on top-level cross-site navigations; "strict"
  # is safer for a purely first-party admin UI if the app tolerates it.
  cookie_samesite: "lax"
  # 8 is the NIST SP 800-63B floor for user-chosen passwords; consider raising
  # it for internet-exposed instances.
  password_min_length: 8
# Storage (backups)
storage:
  type: "local"
  # Backups are written under this path. They contain whatever the app
  # persists, so the directory needs the same access controls as the
  # database itself.
  path: "/app/data"
  backup:
    compression: "gzip"
    # Presumably the age after which backups are pruned; choose a value that
    # meets your recovery and retention requirements.
    default_retention_days: 30
# Trivy (security scanning)
trivy:
  enabled: true
  cache_dir: "/var/lib/usulnet/trivy"
  # Large images can exceed this. NOTE(review): confirm a timed-out scan is
  # reported as a failure rather than as "no findings".
  timeout: "5m"
  # LOW findings are deliberately excluded from reports
  severity: "CRITICAL,HIGH,MEDIUM"
  # false = also report vulnerabilities that have no upstream fix yet
  ignore_unfixed: false
  # Refreshing the vulnerability DB at start needs outbound network access;
  # in air-gapped environments pre-populate cache_dir and set this to false.
  update_db_on_start: true
# Reverse proxy (nginx backend, always enabled when encryption key is set)
nginx:
  acme_email: "" # Required for Let's Encrypt certificates (or env USULNET_NGINX_ACME_EMAIL)
  # usulnet writes nginx configuration here; whoever can edit proxied hosts
  # in the UI effectively controls what nginx serves on :80/:443.
  config_dir: "/etc/nginx/conf.d/usulnet"
  # Holds issued certificates and their private keys — restrict to the
  # usulnet/nginx user.
  cert_dir: "/etc/usulnet/certs"
  acme_web_root: "/var/lib/usulnet/acme"
  # The ACME account key lives here. Losing it means re-registering; leaking
  # it lets someone else request or revoke certificates on your behalf.
  acme_account_dir: "/var/lib/usulnet/acme/account"
  listen_http: ":80"
  listen_https: ":443"
  # Reloads are done via `docker exec` into this container, so the usulnet
  # process needs Docker socket access (see the docker section below) — and
  # Docker socket access is root-equivalent on the host.
  container_name: "usulnet-nginx" # Docker container name for exec (nginx -t, nginx -s reload)
# MinIO/S3 storage (connect via Settings UI)
minio:
  # Disabled here. Credentials entered in the Settings UI are stored by the
  # app (presumably under security.config_encryption_key), not in this file.
  enabled: false
# Docker settings
# When socket is not set, usulnet auto-detects the Docker socket by checking:
# 1. DOCKER_HOST env var
# 2. /var/run/docker.sock (standard)
# 3. $XDG_RUNTIME_DIR/docker.sock and /run/user/<UID>/docker.sock (rootless)
# 4. docker context inspect (active context)
# Set explicitly only if auto-detection doesn't work for your setup.
# Can also be set via USULNET_DOCKER_SOCKET or DOCKER_SOCKET env vars.
# Access to the Docker socket is root-equivalent on the host, and usulnet
# drives it on behalf of its users — treat the usulnet UI/API as a root
# credential and restrict who can reach it accordingly.
# docker:
# socket: "/run/user/1000/docker.sock"
# Logging
logging:
  # Keep at info in production; debug output is considerably more verbose —
  # review it for sensitive values before shipping logs off-host.
  level: "info"
  # JSON lines, suitable for direct ingestion by a log collector/SIEM.
  format: "json"