# Declarative SSH CA roles for ops-warden ActorType policy.
# TTL max: adm 48h, agt 24h, atm 8h — wiki/OpsWardenConfig.md (ops-warden)

mount: ssh

roles:
  adm-role:
    key_type: ca
    allowed_users: "*"
    allow_user_certificates: true
    allow_user_key_ids: true
    default_user: adm
    ttl: 48h
    max_ttl: 48h
  agt-role:
    key_type: ca
    allowed_users: "*"
    allow_user_certificates: true
    allow_user_key_ids: true
    default_user: agt
    ttl: 24h
    max_ttl: 24h
  atm-role:
    key_type: ca
    allowed_users: "*"
    allow_user_certificates: true
    allow_user_key_ids: true
    default_user: atm
    ttl: 8h
    max_ttl: 8h