-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path.env.example
More file actions
211 lines (188 loc) · 11 KB
/
Copy path.env.example
File metadata and controls
211 lines (188 loc) · 11 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
# Bor development environment configuration
# Copy to .env and adjust for your local setup.
# Used by: make run-server, make dev
#
# Environment variables always take precedence over server.yaml values.
# For production deployments, prefer /etc/bor/server.yaml as the primary
# config file; use environment variables only for secrets or overrides.
#
# For a complete reference of the YAML-based configuration see:
# server/server.yaml.example → /etc/bor/server.yaml (installed by the package)
# ── Database ───────────────────────────────────────────────────────────────────
DB_HOST=localhost
DB_PORT=5432
DB_USER=bor
DB_PASSWORD=bor
DB_NAME=bor
# "disable" for local dev; "require" for remote / production servers.
# When DB_HOST is a socket path (starts with '/') this is ignored.
DB_SSLMODE=disable
# ── Server ────────────────────────────────────────────────────────────────────
# Hostname or IP the server binds to (no port). Empty = all interfaces.
# BOR_ADDRESS=
# Port for the admin UI and enrollment gRPC (default: 8443).
BOR_ENROLLMENT_PORT=8443
# Port for mTLS policy streaming and certificate renewal (default: 8444).
# Must be reachable by enrolled agents.
BOR_POLICY_PORT=8444
# Additional hostnames/IPs for the auto-generated TLS certificate SANs.
# Comma-separated. Overrides the 'hostnames' list in server.yaml when set.
# BOR_HOSTNAMES=bor.example.com,192.0.2.10
# Path to the YAML config file (default: /etc/bor/server.yaml).
# BOR_CONFIG=/etc/bor/server.yaml
# ── Security ──────────────────────────────────────────────────────────────────
# JWT signing secret. Minimum 32 bytes.
# If left as the default placeholder a random secret is auto-generated
# (sessions are lost on restart).
JWT_SECRET=change-me-in-production
# JWT access token lifetime (default: 1h).
# BOR_JWT_LIFETIME=1h
# Refresh token lifetime (default: 24h). Stored in an httpOnly cookie.
# BOR_REFRESH_LIFETIME=24h
# Static admin token for gRPC enrollment calls (optional).
# Leave empty to require a web-UI-generated one-time enrollment token.
# BOR_ADMIN_TOKEN=
# Initial admin account password (used only on first startup when no users exist).
# If unset, a random password is generated and printed to the server log.
# BOR_ADMIN_PASSWORD=change-me-in-production
# ── TLS certificate (UI + enrollment port, :8443) ─────────────────────────────
# Paths to an externally-managed TLS certificate and private key.
# If both are unset the server auto-generates a cert signed by the internal CA.
# Mutually exclusive with BOR_ACME_ENABLED.
# BOR_TLS_CERT_FILE=/etc/bor/tls/server.crt
# BOR_TLS_KEY_FILE=/etc/bor/tls/server.key
# Directory for the auto-generated server certificate (default: /var/lib/bor/pki/ui).
# BOR_TLS_AUTOGEN_DIR=/var/lib/bor/pki/ui
# ── ACME automatic TLS certificate ────────────────────────────────────────────
# Obtain and auto-renew a publicly-trusted certificate via the ACME protocol
# (Let's Encrypt or any RFC 8555-compatible CA).
# Requires a public domain name reachable by the CA. Mutually exclusive with
# BOR_TLS_CERT_FILE/KEY. See docs/acme.md for full documentation.
# BOR_ACME_ENABLED=false
# BOR_ACME_DOMAINS=bor.example.com
# BOR_ACME_EMAIL=admin@example.com
# ACME CA directory URL (default: Let's Encrypt production).
# Staging (not browser-trusted): https://acme-staging-v02.api.letsencrypt.org/directory
# ZeroSSL: https://acme.zerossl.com/v2/DV90
# Buypass: https://api.buypass.com/acme/directory
# Google Trust Services: https://dv.acme-v02.api.pki.goog/directory
# BOR_ACME_DIRECTORY=https://acme-v02.api.letsencrypt.org/directory
# Directory for persisting ACME account key and issued certificates.
# BOR_ACME_CACHE_DIR=/var/lib/bor/acme
# Local port for the HTTP-01 challenge listener (default: 80).
# BOR_ACME_HTTP_PORT=80
# ── Internal CA (signs agent mTLS certificates) ───────────────────────────────
# Paths to an existing CA certificate and private key.
# If both are unset the server auto-generates a CA in BOR_CA_AUTOGEN_DIR.
# BOR_CA_CERT_FILE=/etc/bor/pki/ca.crt
# BOR_CA_KEY_FILE=/etc/bor/pki/ca.key
# Directory for the auto-generated CA (default: /var/lib/bor/pki/ca).
# BOR_CA_AUTOGEN_DIR=/var/lib/bor/pki/ca
# ── PKCS#11 HSM for CA private key (optional; requires make server-pkcs11) ────
# Store the CA private key in a hardware security module rather than a file.
# The CA certificate is still kept on disk (BOR_CA_CERT_FILE or autogen_dir).
# BOR_CA_PKCS11_LIB=/usr/lib/softhsm/libsofthsm2.so
# BOR_CA_PKCS11_TOKEN_LABEL=bor-ca
# BOR_CA_PKCS11_KEY_LABEL=bor-ca-key
# BOR_CA_PKCS11_PIN=
# ── Kerberos token-free agent enrollment (optional) ───────────────────────────
# Domain-joined nodes can enroll automatically using their machine keytab
# (/etc/krb5.keytab) without a manually generated enrollment token.
# BOR_KERBEROS_DEFAULT_NODE_GROUP: UUID of the node group for auto-enrolled agents.
# Copy it from Node Groups → Edit (Group ID field) in the web UI.
# BOR_KERBEROS_ENABLED=false
# BOR_KERBEROS_REALM=EXAMPLE.COM
# BOR_KERBEROS_KEYTAB=/etc/bor/krb5.keytab
# BOR_KERBEROS_PRINCIPAL=HTTP/bor.example.com@EXAMPLE.COM
# UUID of the node group for auto-enrolled Kerberos agents.
# Copy from Node Groups → Edit (Group ID field) in the web UI.
# BOR_KERBEROS_DEFAULT_NODE_GROUP=
# ── LDAP / Active Directory (optional) ────────────────────────────────────────
LDAP_ENABLED=false
LDAP_HOST=localhost
LDAP_PORT=389
# Enable LDAPS (TLS from the start). Typically uses port 636.
LDAP_USE_TLS=false
# Upgrade a plain LDAP (port 389) connection with STARTTLS.
# Mutually exclusive with LDAP_USE_TLS.
# LDAP_START_TLS=false
# PEM CA file for LDAPS/StartTLS certificate verification.
# Leave unset to use the system certificate pool.
# LDAP_TLS_CA_FILE=/path/to/ca.pem
# Disable TLS certificate verification (development only).
# Requires BOR_DEV_MODE=true or BOR_ALLOW_INSECURE_LDAP=true in production.
# LDAP_TLS_SKIP_VERIFY=false
LDAP_BIND_DN=cn=admin,dc=example,dc=com
LDAP_BIND_PASSWORD=admin
LDAP_BASE_DN=dc=example,dc=com
# LDAP search filter for user lookup. Use %s as the username placeholder.
# FreeIPA: (uid=%s) AD: (sAMAccountName=%s)
LDAP_USER_FILTER=(uid=%s)
# UPN-style bind fallback for Active Directory (e.g. @EXAMPLE.COM).
# LDAP_UPN_SUFFIX=
LDAP_ATTR_USERNAME=uid
LDAP_ATTR_EMAIL=mail
LDAP_ATTR_FULL_NAME=cn
# Group membership: base DN for group searches (defaults to LDAP_BASE_DN).
# LDAP_GROUP_BASE_DN=
# Filter to find groups a user DN belongs to. Use %s for the user DN.
# FreeIPA: (&(objectClass=groupofnames)(member=%s))
# AD: (&(objectClass=group)(member=%s))
# LDAP_GROUP_FILTER=
# Attribute on a group object listing member DNs (typically "member").
# LDAP_GROUP_MEMBER_ATTR=member
# User attribute listing group DNs directly (typically "memberOf").
# When set, a separate group search is skipped.
# LDAP_ATTR_MEMBER_OF=memberOf
# LDAP result paging (RFC 2696). 0 disables paging.
# LDAP_PAGE_SIZE=500
# Map LDAP group CNs to Bor role names. Synced on every login.
# Roles outside this map are not touched (manually assigned bindings preserved).
# Format: "Group CN=Role Name,Another Group=Another Role"
# Available roles: Super Admin, Org Admin, Policy Editor, Policy Reviewer,
# Compliance Viewer, Auditor
# BOR_LDAP_GROUP_ROLE_MAP=Domain Admins=Super Admin,IT Staff=Org Admin
# ── WebAuthn / FIDO2 (optional) ───────────────────────────────────────────────
# Enable hardware security keys and passkeys as a second factor.
# rpid must equal the domain users browse to (no scheme, no port).
# BOR_WEBAUTHN_RPID=bor.example.com
# Comma-separated allowed origins (scheme + host + optional port).
# BOR_WEBAUTHN_ORIGINS=https://bor.example.com
# BOR_WEBAUTHN_DISPLAY_NAME=Bor Policy Manager
# ── UI ────────────────────────────────────────────────────────────────────────
# Show a Privacy Policy link in the sidebar footer (GDPR Article 13).
# Leave empty to hide the link.
# BOR_PRIVACY_POLICY_URL=https://example.com/privacy
# ── Prometheus metrics ────────────────────────────────────────────────────────
# Listen address for the /metrics endpoint (default: 127.0.0.1:9090).
# 127.0.0.1:9090 — localhost only (default, safe)
# 192.168.1.10:9090 — management VLAN only
# :9090 — all interfaces (protect with a firewall)
# BOR_METRICS_ADDR=127.0.0.1:9090
# Bearer token required on every scrape request (optional).
# BOR_METRICS_TOKEN=
# Enable HTTPS on the metrics endpoint (both must be set together).
# BOR_METRICS_TLS_CERT_FILE=/etc/bor/metrics.crt
# BOR_METRICS_TLS_KEY_FILE=/etc/bor/metrics.key
# ── Audit log ─────────────────────────────────────────────────────────────────
# Forward audit events to a syslog receiver (SIEM integration).
# BOR_AUDIT_SYSLOG_ENABLED=false
# BOR_AUDIT_SYSLOG_NETWORK=udp # udp | tcp | tcp+tls
# BOR_AUDIT_SYSLOG_ADDR=localhost:514
# BOR_AUDIT_SYSLOG_FORMAT=cef # cef (ArcSight) | ocsf (JSON, OCSF v1.3)
# BOR_AUDIT_SYSLOG_FACILITY=16 # RFC 5424 facility code (16 = local0)
# BOR_AUDIT_SYSLOG_TLS_CA= # PEM CA file for tcp+tls verification
# Purge audit log entries older than N days (default: 365; 0 disables purging).
# BOR_AUDIT_RETENTION_DAYS=365
# Anonymize IP addresses to /24 (IPv4) or /48 (IPv6) before storing (GDPR).
# BOR_AUDIT_ANONYMIZE_IPS=false
# ── Development / insecure overrides ──────────────────────────────────────────
# Enable development mode (relaxes some security checks; never use in production).
# BOR_DEV_MODE=false
# Allow LDAP_TLS_SKIP_VERIFY=true without BOR_DEV_MODE (explicit opt-in).
# BOR_ALLOW_INSECURE_LDAP=false
# ── Local dev helpers (not read by the server binary) ─────────────────────────
# These are consumed by docker-compose / podman-compose for the dev stack.
# LOG_LEVEL=info
# LOG_FORMAT=json
# FRONTEND_URL=http://localhost:3000