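##### SERVER CONFIGURATION
# Path to the SSH CA private key, e.g. ssh-keygen -t rsa -b 4096 -C "My CA" -N "" -f /path/to/ssh-ca
# The -N "" above writes the CA key to disk without a passphrase, so it relies entirely on
# file permissions: keep it readable only by the account that runs this server (e.g. mode 0600).
ca_key_path: "/path/to/ssh-ca"
# Port to listen for gRPC requests on (HTTP/2).
listen_port: 10000
# TLS cert / key to use, e.g. openssl req -x509 -newkey rsa:4096 -keyout /path/to/grpc-key.pem -out /path/to/grpc-cert.pem -days 3600 -nodes -subj '/CN=localhost' -batch
# In that command -keyout is the private key and -out is the certificate; the two paths below
# must follow the same assignment (cert -> server_cert_path, key -> server_key_path).
# The certificate is self-signed with CN=localhost: clients that verify the server name will
# only accept it when they connect as "localhost" (or the -subj is changed to the real host name).
server_cert_path: "/path/to/grpc-cert.pem"
server_key_path: "/path/to/grpc-key.pem"
##### ID TOKEN VALIDATION
# Hosted domain allowed for ID token validation
allowed_domain_for_id_token: "example.com"
# Allowed client ID registered with Google: https://console.developers.google.com/
allowed_client_id_for_id_token: "xxxxxxxxxx.apps.googleusercontent.com"
##### GENERATED SSH CONFIG OPTIONS
# Appears as comment in the known_hosts
ca_comment: "ORGNAME-CA"
# One profile per named role; allowed_users below refer to profiles by key.
user_profiles: <
  key: "admin"
  value: <
    # Principal(s) written into issued user certificates.
    principals: "ec2-user"
    # Certificate extensions granted to holders of this profile.
    cert_permissions: <key: "permit-pty">
    cert_permissions: <key: "permit-port-forwarding">
    # Lines emitted verbatim into the client's ssh_config for this profile.
    ssh_config_lines: "Host *.example.com"
    ssh_config_lines: " User ec2-user"
    ssh_config_lines: " IdentityFile $CERTNAME" # placeholder filled in on the client side
    ssh_config_lines: " PasswordAuthentication no"
    ssh_config_lines: " Port 12345"
    ssh_config_lines: " StrictHostKeyChecking yes"
    # Host pattern the CA entry in known_hosts applies to.
    known_hosts: "*.example.com"
  >
>
##### CERTIFICATE GENERATION OPTIONS
# TTL for each certificate (86400 = 24 hours). Since certs are not revokable, keep short.
generate_cert_duration_seconds: 86400
# Create an entry for each allowed user, where the key is the email address
# as validated by the Google ID token. Use one entry per address; the value lists
# the user_profiles keys (above) the user may request certificates for.
allowed_users: <
  key: "[email protected]"
  value: <
    profiles: "admin"
  >
>
allowed_users: <
  key: "[email protected]"
  value: <
    profiles: "admin"
  >
>
# Uncomment the following if you wish to issue host certificates
# http_listen_port: 10001 # port to listen to HTTP requests on
# allowed_hosts: "*.yourdomain.com" # list of glob hostnames that you will issue certs for
# caddy_file_path: "/path/to/sample_caddy_file" # edit the sample_caddy_file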