generated from coulomb/repo-seed
tegwick
90007c2cda
Ship flex-auth policy gate registry and smoke evidence, archive WP-0009 through WP-0013, and add integration docs: ops-bridge cert_command migration playbook, operator OpenBao token hygiene, principals drift check script, and 2026-06-24 INTENT/SCOPE gap analysis.
27 lines
867 B
YAML
27 lines
867 B
YAML
# Non-secret production template — copy to ~/.config/warden/warden.yaml
|
|
# Never commit tokens or CA private keys. See wiki/OpsWardenConfig.md
|
|
|
|
backend: vault
|
|
|
|
vault:
|
|
addr: https://bao.coulomb.social
|
|
mount: ssh
|
|
role_map:
|
|
adm: adm-role
|
|
agt: agt-role
|
|
atm: atm-role
|
|
token_env: VAULT_TOKEN
|
|
|
|
inventory_path: ~/.config/warden/inventory.yaml
|
|
state_dir: ~/.local/state/warden
|
|
|
|
# Opt-in flex-auth gate — enable only when flex-auth is reachable at flex_auth_url.
|
|
# Registry: registry/flex-auth/production_registry_snapshot.json (build from inventory).
|
|
# See wiki/PolicyGatedSigning.md (operator checklist) and wiki/playbooks/operator-openbao-token-hygiene.md
|
|
policy:
|
|
enabled: false
|
|
flex_auth_url: http://flex-auth.flex-auth.svc.cluster.local:8080
|
|
fail_closed: true
|
|
tenant: tenant:platform
|
|
subject_env: WARDEN_POLICY_SUBJECT
|
|
system: ops-warden |