vigrid-shell-api.conf
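---
# =============================================================================
# Vigrid Shell API - Configuration File (YAML format)
# =============================================================================
# Indentation is significant: nested keys (ssl.enabled, acl.allow,
# tokens.<name>.secret, ...) must be indented under their parent key or the
# parser reads them as top-level keys and the nested section becomes null.

# ---------------------------------------------------------------------------
# Network
# ---------------------------------------------------------------------------
# "0.0.0.0" listens on every interface. The acl section below is the only
# network-level filter applied by the API itself; if the host has no other
# firewalling, bind to a loopback or management address instead.
bind: "0.0.0.0"
port: 8555

# ---------------------------------------------------------------------------
# SSL / TLS (HTTPS)
# ---------------------------------------------------------------------------
# Set enabled: true and provide certificate + private_key paths.
# If disabled or files are missing the API falls back to plain HTTP.
# NOTE: the fallback is silent from the client's point of view. Over plain
# HTTP the bearer tokens from the tokens section travel in clear text, so
# either enable TLS here, terminate TLS in front of the API, or keep the
# listener on a trusted network only. Confirm at startup which mode is active.
ssl:
  enabled: false
  certificate: "/etc/vigrid-shell-api/ssl/server.crt"
  private_key: "/etc/vigrid-shell-api/ssl/server.key"

# ---------------------------------------------------------------------------
# Runtime
# ---------------------------------------------------------------------------
# Default Unix user under which commands are executed.
# Can be overridden per token (see tokens section below).
# Every token that does not set "user" inherits this value, so a root default
# makes any token with a permissive allow_commands list a root-level token.
run_as: "root"

# Dry-run mode: when true commands are logged but never executed.
# Useful for validating a new tokens/acl policy before enforcing it.
dry_run: false

# ---------------------------------------------------------------------------
# Command search path (equivalent to shell $PATH)
# ---------------------------------------------------------------------------
# Commands are resolved against this list, not the caller's environment.
command_path: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# ---------------------------------------------------------------------------
# Forbidden characters
# ---------------------------------------------------------------------------
# Characters that are NOT allowed inside command arguments.
# Using a YAML list avoids any escaping ambiguity.
# This is a blocklist of shell metacharacters; it complements, but does not
# replace, the per-token allow_commands/deny_commands regexes below.
forbidden_chars:
  - '"'
  - "'"
  - ";"
  - "\\"
  - "|"
  - "&"
  - "("
  - ")"
  - "{"
  - "}"
  - "$"
  - "`"

# ---------------------------------------------------------------------------
# Logging
# ---------------------------------------------------------------------------
# Directory must be writable by the user the API process runs as.
log_dir: "/var/log"
# Format: "syslog" or "json"
log_format: "syslog"
# Level: DEBUG, INFO, WARNING, ERROR, CRITICAL
# Keep at INFO or lower in production so executed commands are recorded;
# DEBUG may log request details, so review its output before enabling it.
log_level: "INFO"

# ---------------------------------------------------------------------------
# IP access control lists
# ---------------------------------------------------------------------------
# Evaluation order: deny first, then allow. First match wins.
# Default policy: DENY everything not explicitly allowed.
# Use CIDR notation (e.g. 192.168.1.0/24) or single IPs.
# Source-IP checks are applied to the peer address the API sees; behind a
# reverse proxy that is the proxy's address, so allow-list accordingly.
acl:
  deny: []
  allow:
    - "127.0.0.0/8"

# ---------------------------------------------------------------------------
# Authentication tokens
# ---------------------------------------------------------------------------
# Each token has:
#   secret         - bearer token string
#   user           - Unix user to run commands as
#   allow_commands - list of regex patterns (first match -> allow)
#   deny_commands  - list of regex patterns (first match -> deny)
#
# Evaluation order per request:
#   1. deny_commands  -- first regex match -> REJECT
#   2. allow_commands -- first regex match -> ACCEPT
#   3. default        -> REJECT
#
# Regex patterns are matched against: "<command> <arg1> <arg2> ..."
#
# The secrets below are placeholders (note the "-Change-Me" suffix) and must
# be replaced before deployment. Because this file holds the secrets in clear
# text, restrict its permissions to the API's runtime user.
#
# Policy note: an allow list of ".*" plus a deny list is allow-by-default.
# The deny regexes are anchored (^) to the joined command string, so they
# only reject the spellings they list; treat them as a guard rail, not a
# security boundary, and prefer an explicit allow list (as the "monitor"
# token does) for any token exposed beyond an administrator.
tokens:
  admin:
    secret: "VigridAdmin-Secret-Token-Change-Me"
    user: "root"
    allow_commands:
      - ".*"
    deny_commands:
      - "^shutdown"
      - "^reboot"
      - "^init "
      - "^systemctl.*(stop|disable).*vigrid-shell-api"
  monitor:
    secret: "VigridMonitor-Secret-Token-Change-Me"
    # Read-only tooling only; runs as an unprivileged user.
    user: "nobody"
    # Patterns are prefix-anchored, so "^ls" also admits any command whose
    # name starts with "ls"; tighten with a word boundary or trailing space
    # (e.g. "^ls( |$)") if that is not intended.
    allow_commands:
      - "^ls"
      - "^ps"
      - "^df"
      - "^free"
      - "^uptime"
      - "^uname"
      - "^hostname"
      - "^date"
      - "^id"
      - "^whoami"
    deny_commands: []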