broker.env

# AgentKeys broker env file — source this on the BROKER HOST (EC2 ubuntu).
#
# Companion to scripts/operator-workstation.env (which is for your laptop).
#
# Scope: ONLY env vars the `agentkeys-broker-server` binary actually reads
# (every entry below has a matching constant in
# crates/agentkeys-broker-server/src/env.rs). Operator-workstation vars used
# by AWS admin tooling (BUCKET, ACCOUNT_ID for shell-side ARN derivation,
# OIDC_PROVIDER_ARN, etc.) live in scripts/operator-workstation.env on your
# laptop — they DO NOT belong on the broker host and would silently shadow
# the broker's own config.
#
# Usage on the broker host (after scp'ing this file in):
# set -a; source ./broker.env; set +a
# agentkeys-broker-server --bind 127.0.0.1 --port 8091
#
# The systemd path (scripts/setup-broker-host.sh) does NOT use this file —
# it bakes equivalent Environment= lines into the unit. This file is for the
# foreground Quickstart path in docs/operator-runbook-stage7.md.
#
# Private keys (referenced below) must be generated on this same host with:
# mkdir -p ~/.agentkeys/broker
# agentkeys-broker-server keygen --purpose oidc --out ~/.agentkeys/broker/oidc-keypair.json
# agentkeys-broker-server keygen --purpose session --out ~/.agentkeys/broker/session-keypair.json
# chmod 600 ~/.agentkeys/broker/{oidc,session}-keypair.json
#
# Keep mode 0600 if you ever fill in real secrets. The file as committed
# contains no secrets — only the public role ARN and hostnames.

# AWS account that owns agentkeys-data-role. Set explicitly so a fork
# operator only edits one line; BROKER_DATA_ROLE_ARN below derives from it.
ACCOUNT_ID=429071895007
INSTANCE_ID=i-0c0b739bd35643fd3
EIP=54.164.117.252

# Role the broker hands to AssumeRoleWithWebIdentity (cloud-setup.md §3.2 +
# §4.3 trust policy swap). Derived from ACCOUNT_ID — the role name is
# fixed by cloud-setup.md §3.2.
BROKER_DATA_ROLE_ARN=arn:aws:iam::${ACCOUNT_ID}:role/agentkeys-data-role

# AWS region for STS calls. STS is global but the SDK still resolves
# endpoints via region.
BROKER_AWS_REGION=us-east-1

# Public OIDC issuer — AWS validates JWT iss claim against this byte-for-byte.
# No trailing slash, no path. Must match the URL passed to
# `aws iam create-open-id-connect-provider --url` in cloud-setup.md §4.2.
BROKER_OIDC_ISSUER=https://broker.litentry.org

# ES256 keypair paths (generated on this host; never copied off it).
BROKER_OIDC_KEYPAIR_PATH=/home/ubuntu/.agentkeys/broker/oidc-keypair.json
BROKER_SESSION_KEYPAIR_PATH=/home/ubuntu/.agentkeys/broker/session-keypair.json

# Plug-in selection.
# wallet_sig: SIWE wallet auth (default, gated by `auth-wallet-sig`)
# email_link: magic-link auth (Pass 2 of Option B; gated by `auth-email-link`)
# To enable email_link, scripts/setup-broker-host.sh must build the broker
# with `--features auth-email-link` (it does, by default since Pass 2).
BROKER_AUTH_METHODS=wallet_sig,email_link
BROKER_AUDIT_ANCHORS=sqlite

# ─── Email-link auth (Pass 2 of Option B) ────────────────────────────────────
# Sender backend selector — `stub` (in-process Vec) or `ses` (real
# aws-sdk-sesv2). The setup-broker-host.sh systemd unit pins this to `ses`;
# the foreground Quickstart path can override to `stub` for local debugging
# without AWS creds.
BROKER_EMAIL_SENDER=ses
# Verified SES sender identity. Register + verify via:
# bash scripts/ses-verify-sender.sh
# (one-shot: aws sesv2 create-email-identity → poll S3 inbound for SES
# verify mail → curl-click → confirm verified).
BROKER_EMAIL_FROM_ADDRESS=noreply-test@bots.litentry.org
# No HMAC key — magic-link is stateful per architecture.md §5a.1.M:
# CSPRNG token → SHA256(token) keyed by request_id in EmailTokenStore →
# single-use within TTL on click. No signature step.
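
The stateful magic-link flow the comment above summarises (CSPRNG token, only SHA256(token) kept per request_id, single use within a TTL, no signature step), as an added illustration in Python. This is not the project's code: the real EmailTokenStore lives in the Rust broker crate, and the method names, the 10-minute TTL and the injected clock are assumptions made here so the flow can be run and checked offline.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: the page does not state the real link TTL; 10 minutes is a placeholder.
TOKEN_TTL_SECONDS = 600


class EmailTokenStore:
    """Stateful magic-link store (illustrative, not the broker's own type).

    Only SHA256(token) is persisted, keyed by request_id, so a copy of the
    store's contents does not yield a usable link. The plaintext token exists
    only in the emailed URL and is checked by hash on click.
    """

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be tested deterministically
        self._entries = {}  # request_id -> (sha256 hex of token, expires_at, email)

    def issue(self, request_id: str, email: str) -> str:
        """Mint a fresh token for a request; returns the plaintext for the mail body."""
        token = secrets.token_urlsafe(32)  # CSPRNG token, 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._entries[request_id] = (digest, self._now() + TOKEN_TTL_SECONDS, email)
        return token  # never stored; the caller puts it into the link

    def consume(self, request_id: str, token: str):
        """Redeem a clicked link. Returns the verified email, or None on any failure."""
        entry = self._entries.get(request_id)
        if entry is None:
            return None  # unknown request_id, or already used
        digest, expires_at, email = entry
        if self._now() > expires_at:
            del self._entries[request_id]  # expired: drop it so it cannot linger
            return None
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return None  # wrong token; entry is kept so a wrong guess cannot burn a valid link
        del self._entries[request_id]  # single use: a replay of the same link fails
        return email


if __name__ == "__main__":
    # Constructed sample run: issue, redeem once, then show the replay is rejected.
    store = EmailTokenStore()
    link_token = store.issue("req-demo", "user@example.invalid")
    print("first click ->", store.consume("req-demo", link_token))
    print("replay     ->", store.consume("req-demo", link_token))
```

A wrong token deliberately leaves the entry in place, so an unauthenticated guess cannot invalidate the legitimate link; the TTL and the hash-only storage bound the damage from a leaked store.
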
# ─── dev_key_service signer (issue #74 step 1b) ──────────────────────────────
# DO NOT set DEV_KEY_SERVICE_MASTER_SECRET in this file. Both the backend
# (:8090, loopback, Tier-2 probe target) and the signer (:8092, loopback,
# fronted publicly by signer.<zone>) read it from
# /etc/agentkeys/dev-key-service.env, which scripts/setup-broker-host.sh
# auto-generates (mode 0600, owner agentkeys) and preserves across re-runs.
# Regenerating the secret invalidates every previously-derived wallet — see
# docs/spec/signer-protocol.md and docs/spec/plans/issue-74-dev-key-service-plan.md
# for the rotation rationale and the issue #74 step 2 TEE replacement plan.
#
# Signer split summary:
# :8092 listener (agentkeys-signer.service) serves ONLY /dev/* + /healthz.
# It is fronted by nginx at signer.<zone> (see docs/cloud-setup.md §1.3).
# JWT bearer auth: the signer verifies broker session JWTs on every /dev/*
# request using the pubkey exported by the broker to
# /var/lib/agentkeys/.agentkeys/broker/session-keypair.pub.pem at boot.
#
# This file (broker.env) covers ONLY the broker process; the signer's env is
# identical in shape (same EnvironmentFile) but served from a separate unit.
# A leaked broker.env never exposes the master secret (separate file).