feat(openbao): add SSH engine automation for ops-warden signing

Declarative roles, warden-sign policy, apply/verify scripts, and Makefile
targets openbao-configure-ssh and openbao-verify-ssh. Document operator flow
in docs/openbao.md for NET-WP-0020 T5 / WP-0008 T2.
2026-06-18 01:06:43 +02:00
parent 108944cd3e
commit c24956fb5a
6 changed files with 521 additions and 7 deletions


@@ -0,0 +1,27 @@
# Declarative SSH CA roles for ops-warden ActorType policy.
# TTL max: adm 48h, agt 24h, atm 8h — wiki/OpsWardenConfig.md (ops-warden)
mount: ssh
roles:
adm-role:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
default_user: adm
ttl: 48h
max_ttl: 48h
agt-role:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
default_user: agt
ttl: 24h
max_ttl: 24h
atm-role:
key_type: ca
allowed_users: "*"
allow_user_certificates: true
default_user: atm
ttl: 8h
max_ttl: 8h
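Review bot: `allowed_users: "*"` on adm-role, agt-role and atm-role means the engine itself does not bind a role to its ActorType — `default_user` only applies when the requester omits `valid_principals`, so a caller permitted to sign with atm-role can still request a certificate whose principal is `adm`. Unless the warden-sign policy (not in this hunk) constrains principals some other way, restrict each role to its own user with `allowed_users: adm`, `allowed_users: agt` and `allowed_users: atm`, so that a short-tier actor cannot mint a certificate for a higher-tier principal under the 8h/24h tiers. None of the roles set `allowed_extensions` or `default_extensions`, so which extensions (e.g. permit-pty, port forwarding) a signer may request depends on the engine's default for an unset `allowed_extensions`; declaring it explicitly, e.g. `allowed_extensions: permit-pty`, removes that dependency. The rendered view has dropped the file's indentation and two of the 27 added lines, so the nesting under `roles:` is inferred here rather than visible.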