diff --git a/bin/periphery/src/api/router.rs b/bin/periphery/src/api/router.rs
index 5b122bb9a..a66bc1f47 100644
--- a/bin/periphery/src/api/router.rs
+++ b/bin/periphery/src/api/router.rs
@@ -83,7 +83,7 @@ async fn guard_request_by_passkey(
   req: Request,
   next: Next,
 ) -> serror::Result {
-  if periphery_config().passkeys.is_empty() {
+  if periphery_config().passkey.is_empty() {
     return Ok(next.run(req).await);
   }
   let Some(req_passkey) = req.headers().get("authorization") else {
@@ -97,7 +97,7 @@ async fn guard_request_by_passkey(
     .context("failed to convert passkey to str")
     .status_code(StatusCode::UNAUTHORIZED)?;
   if periphery_config()
-    .passkeys
+    .passkey
     .iter()
     .any(|passkey| passkey == req_passkey)
   {
diff --git a/bin/periphery/src/config.rs b/bin/periphery/src/config.rs
index d67508265..90d081c6f 100644
--- a/bin/periphery/src/config.rs
+++ b/bin/periphery/src/config.rs
@@ -108,11 +108,11 @@ pub fn periphery_config() -> &'static PeripheryConfig {
     allowed_ips: env
       .periphery_allowed_ips
       .unwrap_or(config.allowed_ips),
-    passkeys: maybe_read_list_from_file(
-      env.periphery_passkeys_file,
-      env.periphery_passkeys,
+    passkey: maybe_read_list_from_file(
+      env.periphery_passkey_file,
+      env.periphery_passkey,
     )
-    .unwrap_or(config.passkeys),
+    .unwrap_or(config.passkey),
     include_disk_mounts: env
       .periphery_include_disk_mounts
       .unwrap_or(config.include_disk_mounts),
diff --git a/client/core/rs/src/entities/config/periphery.rs b/client/core/rs/src/entities/config/periphery.rs
index 4219246b6..ec79e7085 100644
--- a/client/core/rs/src/entities/config/periphery.rs
+++ b/client/core/rs/src/entities/config/periphery.rs
@@ -66,7 +66,7 @@ pub struct CliArgs {
   #[arg(long)]
   pub merge_nested_config: Option,
-  /// Extends config arrays, eg. allowed_ips, passkeys.
+  /// Extends config arrays, eg. allowed_ips, passkey.
   /// Will override the equivalent env configuration.
   /// Default: true
   #[arg(long)]
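Review bot: The rename turns a stale configuration into a fail-open: this hunk skips the authorization check entirely when `periphery_config().passkey` is empty, and after this commit a deployment that still sets `passkeys = [...]` in its TOML or `PERIPHERY_PASSKEYS` in its environment presumably ends up with an empty list, because the `#[serde(default)] pub passkey` field in the client/core periphery.rs hunk and the `env.periphery_passkey` / `env.periphery_passkey_file` reads in the bin/periphery config.rs hunk no longer recognise the old names, so the agent would silently start accepting unauthenticated requests unless the config loader rejects unknown keys, which nothing here shows. Keeping the old spelling accepted, e.g. `#[serde(default, alias = "passkeys")]` on the struct field plus a fallback to the legacy environment variables in config.rs, or making startup fail loudly when a legacy key is present, would close that window; the same point applies to the config.rs and periphery.rs hunks. `guard_request_by_passkey` begins before this hunk and its body continues past it.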
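Review bot: The membership test on the last lines of the hunk, `.any(|passkey| passkey == req_passkey)`, compares the header value against each configured secret with ordinary `==`, which stops at the first differing byte, so response timing depends on how much of a candidate matched; the commit renames the field but keeps this comparison. A constant-time comparison of the byte slices (for example `subtle::ConstantTimeEq::ct_eq`, if that crate is acceptable here) removes the timing dependence at negligible cost, although the effect is hard to measure over a network. The enclosing `guard_request_by_passkey` starts before this hunk and continues after it.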
@@ -113,7 +113,7 @@ pub struct Env {
   #[serde(default = "super::default_merge_nested_config")]
   pub periphery_merge_nested_config: bool,
-  /// Will extend config arrays (eg. `allowed_ips`, `passkeys`) across multiple config files.
+  /// Will extend config arrays (eg. `allowed_ips`, `passkey`) across multiple config files.
   /// Default: `true`
   ///
   /// Note. This is overridden if the equivalent arg is passed in [CliArgs].
@@ -161,10 +161,10 @@ pub struct Env {
   /// Override `allowed_ips`
   pub periphery_allowed_ips: Option>,
-  /// Override `passkeys`
-  pub periphery_passkeys: Option>,
-  /// Override `passkeys` from file
-  pub periphery_passkeys_file: Option,
+  /// Override `passkey`
+  pub periphery_passkey: Option>,
+  /// Override `passkey` from file
+  pub periphery_passkey_file: Option,
   /// Override `include_disk_mounts`
   pub periphery_include_disk_mounts: Option>,
   /// Override `exclude_disk_mounts`
@@ -267,12 +267,12 @@ pub struct PeripheryConfig {
   #[serde(default)]
   pub allowed_ips: ForgivingVec,
-  /// Limits the accepted passkeys.
+  /// Limits the accepted passkey.
   /// Default: none
   ///
   /// Note: this should be configured to increase security.
   #[serde(default)]
-  pub passkeys: Vec,
+  pub passkey: Vec,
   /// If non-empty, only includes specific mount paths in the disk report.
   #[serde(default)]
@@ -353,7 +353,7 @@ impl Default for PeripheryConfig {
       logging: Default::default(),
       pretty_startup_config: Default::default(),
       allowed_ips: Default::default(),
-      passkeys: Default::default(),
+      passkey: Default::default(),
       include_disk_mounts: Default::default(),
       exclude_disk_mounts: Default::default(),
       secrets: Default::default(),
@@ -383,8 +383,8 @@ impl PeripheryConfig {
       logging: self.logging.clone(),
       pretty_startup_config: self.pretty_startup_config,
       allowed_ips: self.allowed_ips.clone(),
-      passkeys: self
-        .passkeys
+      passkey: self
+        .passkey
         .iter()
         .map(|passkey| empty_or_redacted(passkey))
         .collect(),
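Review bot: The doc comment on the renamed field in the `@@ -267` hunk, `/// Limits the accepted passkey.`, now reads as if a single value were accepted, but the field is still a list and the guard in bin/periphery/src/api/router.rs authorizes a request when the header matches any element and skips the check altogether when the list is empty. A comment that states that contract would help operators reading the generated docs, e.g. `/// Passkeys accepted by the Periphery API. A request is authorized when its authorization header matches any entry; empty (the default) disables the check.` The same singular wording was applied to the `Env` field docs and the sample TOML/env files in this commit; `PeripheryConfig` continues outside this hunk.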
diff --git a/compose/compose.env b/compose/compose.env
index f98cc82e9..a5d9b09fa 100644
--- a/compose/compose.env
+++ b/compose/compose.env
@@ -128,8 +128,8 @@ KOMODO_AWS_SECRET_ACCESS_KEY= # Alt: KOMODO_AWS_SECRET_ACCESS_KEY_FILE
 ## Specify the root directory used by Periphery agent.
 PERIPHERY_ROOT_DIRECTORY=/etc/komodo
-## Periphery passkeys must include KOMODO_PASSKEY to authenticate.
-PERIPHERY_PASSKEYS=${KOMODO_PASSKEY}
+## Periphery passkey must include KOMODO_PASSKEY to authenticate.
+PERIPHERY_PASSKEY=${KOMODO_PASSKEY}
 ## Specify whether to disable the terminals feature
 ## and disallow remote shell access (inside the Periphery container).
diff --git a/compose/periphery.compose.yaml b/compose/periphery.compose.yaml
index 53014e5f6..c8d0d91f5 100644
--- a/compose/periphery.compose.yaml
+++ b/compose/periphery.compose.yaml
@@ -15,7 +15,7 @@ services:
     environment:
       PERIPHERY_ROOT_DIRECTORY: ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
       ## Pass the same passkey as used by the Komodo Core connecting to this Periphery agent.
-      PERIPHERY_PASSKEYS: abc123
+      PERIPHERY_PASSKEY: abc123
       ## Make server run over https
       PERIPHERY_SSL_ENABLED: true
       ## Specify whether to disable the terminals feature
diff --git a/config/core.config.toml b/config/core.config.toml
index 5abe9fa12..c56d1c644 100644
--- a/config/core.config.toml
+++ b/config/core.config.toml
@@ -44,7 +44,7 @@ bind_ip = "[::]"
 ## This is the token used to authenticate core requests to periphery.
 ## Ensure this matches a passkey in the connected periphery configs.
-## If the periphery servers don't have passkeys configured, this doesn't need to be changed.
+## If the periphery servers don't have passkey configured, this doesn't need to be changed.
 ## Env: KOMODO_PASSKEY or KOMODO_PASSKEY_FILE
 ## Required, no default
 passkey = "default-passkey-changeme"
diff --git a/config/periphery.config.toml b/config/periphery.config.toml
index cce5396eb..db656ef2e 100644
--- a/config/periphery.config.toml
+++ b/config/periphery.config.toml
@@ -109,11 +109,11 @@ exclude_disk_mounts = []
 ## Default: empty, which will not block any request by ip.
 allowed_ips = []
-## Optional. Require callers to provide on of the provided passkeys to access the periphery api.
-## Example: passkeys = ["your-passkey"]
-## Env: PERIPHERY_PASSKEYS or PERIPHERY_PASSKEYS_FILE
+## Optional. Require callers to provide on of the provided passkey to access the periphery api.
+## Example: passkey = ["your-passkey"]
+## Env: PERIPHERY_PASSKEY or PERIPHERY_PASSKEY_FILE
 ## Default: empty, which will not require any passkey to be passed by core.
-passkeys = []
+passkey = []
 ############
 # Security #
diff --git a/docsite/docs/setup/connect-servers.mdx b/docsite/docs/setup/connect-servers.mdx
index 089682dde..c69f1f17f 100644
--- a/docsite/docs/setup/connect-servers.mdx
+++ b/docsite/docs/setup/connect-servers.mdx
@@ -16,8 +16,8 @@ You can install Periphery as a systemd managed process, run it as a [docker cont
 :::warning
 Allowing unintended access to the Periphery agent API is a security risk. Ensure to take appropriate measures to block access to the Periphery API, such as firewall rules on port `8120`.
-Additionally, you can whitelist your Komodo Core IP address in the [Periphery config](https://github.com/moghtech/komodo/blob/main/config/periphery.config.toml#L46),
-and configure it to [only accept requests including your Core passkey](https://github.com/moghtech/komodo/blob/main/config/periphery.config.toml#L51).
+Additionally, you can whitelist your Komodo Core IP address in the [Periphery config](https://github.com/moghtech/komodo/blob/main/config/periphery.config.toml#L110),
+and configure it to [only accept requests including your Core passkey](https://github.com/moghtech/komodo/blob/main/config/periphery.config.toml#L116).
 :::
 ### Install the Periphery agent - systemd