# Config Point Registry

## Philosophy

net-kingdom is opinionated: defaults, conventions, and automation are preferred at every level. A config point in this file is a **conscious exception** — a value that cannot be derived from the system's topology, naming conventions, component defaults, or available automation.

**Minimizing this list is a design goal.** Before adding a config point, ask:

- Can the value be derived from a naming convention or topology fact?
- Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
- Is the default provided by the upstream component safe to accept?

If yes to any of the above, don't add it here.

---

## Summary

| ID | Name | Value | Location(s) |
|----|------|-------|-------------|
| CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
| CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-004 | KeyCape OIDC hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycape/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml`, `sso-mfa/k8s/keycape/create-secrets.sh` |
| CP-NK-005 | Authelia login portal hostname | `auth.coulomb.social` | `sso-mfa/k8s/authelia/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml` |
| CP-NK-006 | LLDAP admin web UI hostname | `lldap.coulomb.social` | `sso-mfa/k8s/lldap/ingress.yaml` |

---

## CP-NK-002 — privacyIDEA portal hostname

**Value:** `pink.coulomb.social`

**Set:** 2026-03-19

**Set by:** worsch

**Location(s):**

- `sso-mfa/k8s/privacyidea/ingress.yaml` — all three Ingress `host` fields

**Why non-default:** Subdomain prefix must be chosen by the operator; no naming convention existed in the repo before T04. `pink` = **P**rivacy**I**DEA **N**et **K**nights (project-specific mnemonic).

**Scope:** TLS certificate, Traefik routing, and all references to the privacyIDEA public URL (including Keycloak Provider config in T05/T06).

---

## CP-NK-003 — privacyIDEA self-service portal hostname

**Value:** `pink-account.coulomb.social`

**Set:** 2026-03-19

**Set by:** worsch

**Location(s):**

- `sso-mfa/k8s/privacyidea/ingress.yaml` — `privacyidea-account` Ingress `host` field

**Why non-default:** A separate hostname for the self-service portal allows different firewall/allowlist rules from the admin portal. Follows the `-account` naming convention used in the workplan design.

**Scope:** TLS certificate and Traefik routing for the user-facing self-service token enrolment portal.

---

## CP-NK-001 — ACME contact email

**Value:** `bernd.worsch+netkingdom@gmail.com`

**Set:** 2026-03-02

**Set by:** worsch

**Location(s):**

- `sso-mfa/k8s/cert-manager/issuers.yaml:38` — `spec.acme.email` on the `letsencrypt-prod` ClusterIssuer

**Why non-default:** ACME (Let's Encrypt) requires a contact address for certificate lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements. There is no system-level default that qualifies: this must be a real, monitored inbox.

**Why not automated:** The Linux user GECOS email (via Local Identity) would be a natural source. However, that introduces a runtime dependency between cluster provisioning and the local-identity tool. Deferred; revisit when Local Identity gains a structured "operator contact" concept.

**Scope:** All TLS certificates issued by the `letsencrypt-prod` ClusterIssuer across the entire cluster.

---

## CP-NK-004 — KeyCape OIDC hostname

**Value:** `kc.coulomb.social`

**Set:** 2026-03-19

**Set by:** worsch

**Location(s):**

- `sso-mfa/k8s/keycape/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml` — `redirect_uris` for the KeyCape OIDC client
- `sso-mfa/k8s/keycape/create-secrets.sh` — `issuer` and `redirectURI` in config.yaml

**Why non-default:** Subdomain prefix must be chosen by the operator. `kc` is retained from the original design (`kc` = **K**ey**C**ape) for DNS stability.

**Scope:** TLS certificate, Traefik routing, KeyCape's OIDC issuer claim, and all redirect URIs registered by downstream applications. Changing this hostname after clients are registered requires updating all registered `redirect_uris`.

---

## CP-NK-005 — Authelia login portal hostname

**Value:** `auth.coulomb.social`

**Set:** 2026-03-19

**Set by:** worsch

**Location(s):**

- `sso-mfa/k8s/authelia/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml` — `session.domain` parent domain comment

**Why non-default:** Subdomain prefix must be chosen by the operator. `auth` is the conventional prefix for authentication portals.

**Scope:** TLS certificate, Traefik routing, and the Authelia login page that users' browsers are redirected to during the OIDC flow. The session cookie `domain` is set to the parent domain (`coulomb.social`) so the cookie is valid across both `auth.coulomb.social` and `kc.coulomb.social`.

---

## CP-NK-006 — LLDAP admin web UI hostname

**Value:** `lldap.coulomb.social`

**Set:** 2026-03-19

**Set by:** worsch

**Location(s):**

- `sso-mfa/k8s/lldap/ingress.yaml` — Ingress `host` field

**Why non-default:** Subdomain prefix must be chosen by the operator.

**Scope:** TLS certificate and Traefik routing for the LLDAP admin web UI. Access is IP-restricted by the `lldap-admin-allowlist` Traefik Middleware (VPN/office CIDRs only). The LDAP port (3890) is cluster-internal only and never exposed via Ingress.
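As an added example (not part of this registry or the net-kingdom repo), a drift check that parses the summary table in this file's format and verifies each registered value still appears at every listed location, honouring the optional `:LINE` suffix on a path; the registry excerpt and the manifest snippets it checks are constructed inline, with the Authelia configmap deliberately carrying a stale hostname.

```python
import re

# Constructed: a registry excerpt in this file's summary-table format.
REGISTRY_MD = """\
| ID | Name | Value | Location(s) |
|----|------|-------|-------------|
| CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
| CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-004 | KeyCape OIDC hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycape/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml` |
"""
# Constructed sample manifests; the Authelia configmap still carries a stale redirect host.
SAMPLE_FILES = {
    "sso-mfa/k8s/cert-manager/issuers.yaml": "\n" * 37 + "    email: bernd.worsch+netkingdom@gmail.com\n",
    "sso-mfa/k8s/privacyidea/ingress.yaml": "spec:\n  rules:\n  - host: pink.coulomb.social\n",
    "sso-mfa/k8s/keycape/ingress.yaml": "spec:\n  rules:\n  - host: kc.coulomb.social\n",
    "sso-mfa/k8s/authelia/configmap.yaml": "redirect_uris:\n  - https://keycape-old.example/oauth2/callback\n",
}
ROW_RE = re.compile(r"^\|\s*(CP-NK-\d+)\s*\|[^|]*\|\s*`([^`]+)`\s*\|(.*)\|\s*$")
LOC_RE = re.compile(r"`([^`:]+)(?::(\d+))?`")  # `path` or `path:LINE`

def parse_registry(markdown):
    """Return {id: (value, [(path, line_or_None), ...])} parsed from the summary table rows."""
    points = {}
    for line in markdown.splitlines():
        m = ROW_RE.match(line)
        if m:
            cp_id, value, locs = m.groups()
            points[cp_id] = (value, [(p, int(n) if n else None) for p, n in LOC_RE.findall(locs)])
    return points

def check_drift(points, files):
    """files: {path: text}. Report each listed location that is missing or lacks the registered value."""
    problems = []
    for cp_id, (value, locs) in points.items():
        for path, lineno in locs:
            text = files.get(path)
            if text is None:
                problems.append((cp_id, path, "file missing"))
            elif lineno is None:
                if value not in text:
                    problems.append((cp_id, path, "value not found"))
            else:  # a `path:LINE` location: the value must be on exactly that line
                lines = text.splitlines()
                if lineno > len(lines) or value not in lines[lineno - 1]:
                    problems.append((cp_id, f"{path}:{lineno}", "value not on listed line"))
    return problems

def drift_report():
    """Run the check over the constructed registry and manifests."""
    return check_drift(parse_registry(REGISTRY_MD), SAMPLE_FILES)
```

Calling `drift_report()` flags only `CP-NK-004` in the Authelia configmap; pointing `SAMPLE_FILES` at real file contents turns this into a pre-commit check that the registry and the manifests have not drifted apart.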