# Config Point Registry ## Philosophy net-kingdom is opinionated: defaults, conventions, and automation are preferred at every level. A config point in this file is a **conscious exception** — a value that cannot be derived from the system's topology, naming conventions, component defaults, or available automation. **Minimizing this list is a design goal.** Before adding a config point, ask: - Can the value be derived from a naming convention or topology fact? - Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)? - Is the default provided by the upstream component safe to accept? If yes to any of the above, don't add it here. --- ## Summary | ID | Name | Value | Location(s) | |----|------|-------|-------------| | CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` | | CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` | | CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` | | CP-NK-004 | Keycloak SSO hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycloak/deployment.yaml`, `sso-mfa/k8s/keycloak/ingress.yaml` | | CP-NK-005 | privacyIDEA Keycloak Provider JAR URL | *(not set — edit before apply)* | `sso-mfa/k8s/keycloak/deployment.yaml` | --- ## CP-NK-002 — privacyIDEA portal hostname **Value:** `pink.coulomb.social` **Set:** 2026-03-19 **Set by:** worsch **Location(s):** - `sso-mfa/k8s/privacyidea/ingress.yaml` — all three Ingress `host` fields **Why non-default:** Subdomain prefix must be chosen by the operator; no naming convention existed in the repo before T04. `pink` = **P**rivacy**I**DEA **N**et **K**nights (project-specific mnemonic). **Scope:** TLS certificate, Traefik routing, and all references to the privacyIDEA public URL (including Keycloak Provider config in T05/T06). --- ## CP-NK-003 — privacyIDEA self-service portal hostname **Value:** `pink-account.coulomb.social` **Set:** 2026-03-19 **Set by:** worsch **Location(s):** - `sso-mfa/k8s/privacyidea/ingress.yaml` — `privacyidea-account` Ingress `host` field **Why non-default:** Separate hostname for the self-service portal allows different firewall/allowlist rules from the admin portal. Follows the `-account` naming convention used in the workplan design. **Scope:** TLS certificate and Traefik routing for the user-facing self-service token enrolment portal. --- ## CP-NK-001 — ACME contact email **Value:** `bernd.worsch+netkingdom@gmail.com` **Set:** 2026-03-02 **Set by:** worsch **Location(s):** - `sso-mfa/k8s/cert-manager/issuers.yaml:38` — `spec.acme.email` on the `letsencrypt-prod` ClusterIssuer **Why non-default:** ACME (Let's Encrypt) requires a contact address for certificate lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements. There is no system-level default that qualifies: this must be a real, monitored inbox. **Why not automated:** The Linux user GECOS email (via Local Identity) would be a natural source. However, that introduces a runtime dependency between cluster provisioning and the local-identity tool. Deferred; revisit when Local Identity gains a structured "operator contact" concept. **Scope:** All TLS certificates issued by the `letsencrypt-prod` ClusterIssuer across the entire cluster. --- ## CP-NK-004 — Keycloak SSO hostname **Value:** `kc.coulomb.social` **Set:** 2026-03-19 **Set by:** worsch **Location(s):** - `sso-mfa/k8s/keycloak/deployment.yaml` — `KC_HOSTNAME` env var - `sso-mfa/k8s/keycloak/ingress.yaml` — both Ingress `host` fields **Why non-default:** Subdomain prefix must be chosen by the operator. `kc` = **K**ey**c**loak, consistent with the service-initial naming pattern. **Scope:** TLS certificate, Traefik routing, Keycloak's internal hostname strictness check, and all OIDC/SAML redirect URIs registered in this realm. Changing this hostname after clients are registered requires updating all registered redirect URIs. --- ## CP-NK-005 — privacyIDEA Keycloak Provider JAR URL **Value:** *(not set — operator must edit before applying T05)* **Set:** — **Set by:** — **Location(s):** - `sso-mfa/k8s/keycloak/deployment.yaml` — `PROVIDER_JAR_URL` env var in the `install-privacyidea-provider` init container **Why non-default:** The JAR URL depends on the chosen release version, which must be verified for compatibility with the deployed Keycloak image version. There is no stable "latest" URL suitable for automation. **How to set:** 1. Browse https://github.com/privacyIDEA/keycloak-provider/releases 2. Choose a release compatible with the Keycloak image version in `deployment.yaml`. 3. Edit `deployment.yaml`: replace `EDIT_BEFORE_APPLY` with the `.jar` download URL. 4. Update this entry with the chosen URL and version. **Scope:** Keycloak init container only. If switching to a custom Keycloak image (see T05 README "Custom image" section), this config point becomes obsolete and can be removed.