net-kingdom/CONFIG.md

# Config Point Registry

## Philosophy

net-kingdom is opinionated: defaults, conventions, and automation are preferred at every
level. A config point in this file is a **conscious exception** — a value that cannot be
derived from the system's topology, naming conventions, component defaults, or available
automation.

**Minimizing this list is a design goal.** Before adding a config point, ask:
- Can the value be derived from a naming convention or topology fact?
- Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
- Is the default provided by the upstream component safe to accept?

If yes to any of the above, don't add it here.

---

## Summary

| ID | Name | Value | Location(s) |
|----|------|-------|-------------|
| CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
| CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-004 | Keycloak SSO hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycloak/deployment.yaml`, `sso-mfa/k8s/keycloak/ingress.yaml` |
| CP-NK-005 | privacyIDEA Keycloak Provider JAR URL | *(not set — edit before apply)* | `sso-mfa/k8s/keycloak/deployment.yaml` |

---

## CP-NK-002 — privacyIDEA portal hostname

**Value:** `pink.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml` — all three Ingress `host` fields

**Why non-default:** Subdomain prefix must be chosen by the operator; no naming
convention existed in the repo before T04. `pink` = **P**rivacy**I**DEA
**N**et **K**nights (project-specific mnemonic).

**Scope:** TLS certificate, Traefik routing, and all references to the
privacyIDEA public URL (including Keycloak Provider config in T05/T06).

---

## CP-NK-003 — privacyIDEA self-service portal hostname

**Value:** `pink-account.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml` — `privacyidea-account` Ingress `host` field

**Why non-default:** Separate hostname for the self-service portal allows
different firewall/allowlist rules from the admin portal. Follows the
`<service>-account` naming convention used in the workplan design.

**Scope:** TLS certificate and Traefik routing for the user-facing
self-service token enrolment portal.

---

## CP-NK-001 — ACME contact email

**Value:** `bernd.worsch+netkingdom@gmail.com`
**Set:** 2026-03-02
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/cert-manager/issuers.yaml:38` — `spec.acme.email` on the
  `letsencrypt-prod` ClusterIssuer

**Why non-default:** ACME (Let's Encrypt) requires a contact address for certificate
lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements.
There is no system-level default that qualifies: this must be a real, monitored inbox.

**Why not automated:** The Linux user GECOS email (via Local Identity) would be a
natural source. However, that introduces a runtime dependency between cluster
provisioning and the local-identity tool. Deferred; revisit when Local Identity
gains a structured "operator contact" concept.

**Scope:** All TLS certificates issued by the `letsencrypt-prod` ClusterIssuer across
the entire cluster.

---

## CP-NK-004 — Keycloak SSO hostname

**Value:** `kc.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/keycloak/deployment.yaml` — `KC_HOSTNAME` env var
- `sso-mfa/k8s/keycloak/ingress.yaml` — both Ingress `host` fields

**Why non-default:** Subdomain prefix must be chosen by the operator. `kc` =
**K**ey**c**loak, consistent with the service-initial naming pattern.

**Scope:** TLS certificate, Traefik routing, Keycloak's internal hostname strictness
check, and all OIDC/SAML redirect URIs registered in this realm. Changing this
hostname after clients are registered requires updating all registered redirect URIs.

---

## CP-NK-005 — privacyIDEA Keycloak Provider JAR URL

**Value:** *(not set — operator must edit before applying T05)*
**Set:** —
**Set by:** —

**Location(s):**
- `sso-mfa/k8s/keycloak/deployment.yaml` — `PROVIDER_JAR_URL` env var in the
  `install-privacyidea-provider` init container

**Why non-default:** The JAR URL depends on the chosen release version, which must
be verified for compatibility with the deployed Keycloak image version. There is no
stable "latest" URL suitable for automation.

**How to set:**
1. Browse https://github.com/privacyIDEA/keycloak-provider/releases
2. Choose a release compatible with the Keycloak image version in `deployment.yaml`.
3. Edit `deployment.yaml`: replace `EDIT_BEFORE_APPLY` with the `.jar` download URL.
4. Update this entry with the chosen URL and version.

**Scope:** Keycloak init container only. If switching to a custom Keycloak image
(see T05 README "Custom image" section), this config point becomes obsolete and
can be removed.