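# mcias.conf — Reference configuration for mciassrv
#
# Copy this file to /etc/mcias/mcias.conf and adjust the values for your
# deployment. All fields marked REQUIRED must be set before the server will
# start. Fields marked OPTIONAL can be omitted to use defaults.
#
# File permissions: mode 0640, owner root:mcias. This file references the TLS
# private key and the master-key material, so it must not be world-readable.
#   chmod 0640 /etc/mcias/mcias.conf
#   chown root:mcias /etc/mcias/mcias.conf

# ---------------------------------------------------------------------------
# [server] — Network listener configuration
# ---------------------------------------------------------------------------
[server]

# REQUIRED. Address and port for the HTTPS REST listener.
# Format: "host:port". Use "0.0.0.0" to listen on all interfaces.
# Ports > 1024 do not require elevated privileges.
# Note: "0.0.0.0" exposes the listener on every attached network. Bind to a
# specific address, or restrict reachability with a firewall, when the server
# does not need to be reachable from everywhere.
listen_addr = "0.0.0.0:8443"

# OPTIONAL. Address and port for the gRPC/TLS listener.
# If omitted, the gRPC listener is disabled and only REST is served.
# Format: "host:port". The same exposure note as listen_addr applies.
# grpc_addr = "0.0.0.0:9443"

# REQUIRED. Path to the TLS certificate (PEM format).
# Self-signed certificates work fine for personal deployments; for
# public-facing deployments consider a certificate from Let's Encrypt.
# If you use a self-signed certificate, distribute it to clients so they can
# verify the server instead of disabling TLS verification on the client side.
tls_cert = "/etc/mcias/server.crt"

# REQUIRED. Path to the TLS private key (PEM format).
# Permissions: mode 0640, owner root:mcias. Anyone who can read this file
# can impersonate the server, so it must never be world-readable.
tls_key = "/etc/mcias/server.key"

# ---------------------------------------------------------------------------
# [database] — SQLite database
# ---------------------------------------------------------------------------
[database]

# REQUIRED. Path to the SQLite database file.
# The directory must be writable by the mcias user. WAL mode is enabled
# automatically; expect three files: mcias.db, mcias.db-wal, mcias.db-shm.
# The -wal and -shm files carry database contents as well, so protect the
# whole directory with the same restrictive permissions as the .db file.
path = "/var/lib/mcias/mcias.db"

# ---------------------------------------------------------------------------
# [tokens] — JWT issuance policy
# ---------------------------------------------------------------------------
[tokens]

# REQUIRED. Issuer claim embedded in every JWT. Relying parties should
# validate this claim matches the expected value.
# Use the base URL of your MCIAS server (without trailing slash).
issuer = "https://auth.example.com"

# OPTIONAL. Default token expiry for interactive (human) logins.
# Go duration string: "h" hours, "m" minutes, "s" seconds.
# Default: 720h (30 days). Reduce for higher-security deployments.
default_expiry = "720h"

# OPTIONAL. Expiry for admin tokens (tokens with the "admin" role).
# Should be shorter than default_expiry to limit the blast radius of
# a leaked admin credential.
# Default: 8h.
admin_expiry = "8h"

# OPTIONAL. Expiry for system account tokens (machine-to-machine).
# System accounts have no interactive login; their tokens are long-lived.
# Default: 8760h (365 days).
# Because these tokens stay valid for a long time, plan a rotation procedure
# for them and keep this value as short as your integrations can tolerate.
service_expiry = "8760h"

# ---------------------------------------------------------------------------
# [argon2] — Password hashing parameters (Argon2id)
# ---------------------------------------------------------------------------
[argon2]

# OWASP 2023 minimums: time >= 2, memory >= 65536 KiB (64 MiB).
# Increasing these values improves resistance to brute-force attacks but
# increases CPU and memory usage at login time. Note that memory is
# consumed per concurrent login, so size it against expected login load.

# OPTIONAL. Time cost (number of passes over memory). Default: 3.
time = 3

# OPTIONAL. Memory cost in KiB. Default: 65536 (64 MiB).
memory = 65536

# OPTIONAL. Parallelism (number of threads). Default: 4.
threads = 4

# ---------------------------------------------------------------------------
# [master_key] — AES-256 master key derivation
# ---------------------------------------------------------------------------
[master_key]

# REQUIRED. Exactly ONE of passphrase_env or keyfile must be set.

# Option A: Passphrase mode. The passphrase is read from the named environment
# variable at startup, then cleared. The Argon2id KDF salt is stored in the
# database on first run and reused on subsequent runs so the same passphrase
# always produces the same master key.
#
# Set the passphrase in /etc/mcias/env (loaded by the systemd EnvironmentFile
# directive). See dist/mcias.env.example for the template.
# The env file protects the master key, so give it the same restrictive
# permissions as this file (mode 0640, owner root:mcias).
passphrase_env = "MCIAS_MASTER_PASSPHRASE"

# Option B: Key file mode. The file must contain exactly 32 bytes of raw key
# material (AES-256). Generate with: openssl rand -out /etc/mcias/master.key 32
# Permissions: mode 0640, owner root:mcias.
#
# Uncomment and comment out passphrase_env to switch modes.
# keyfile = "/etc/mcias/master.key"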