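---
# Security Configuration for deb-bootc-compose
# This file demonstrates comprehensive security features including:
# - Multiple authentication providers (Kerberos, OIDC, API Key)
# - Role-based access control (RBAC)
# - SSL/TLS configuration
# - Comprehensive audit logging
#
# NOTE(review): this file was restored from a single-line paste; the nesting
# below (everything under `security:`) is the most plausible reading and
# should be confirmed against the loader's schema before use.
security:
  enabled: true
  provider: "auto"  # auto, kerberos, oidc, apikey

  # Kerberos Authentication
  kerberos:
    enabled: true
    realm: "DEBIAN.ORG"
    keytab_path: "/etc/krb5.keytab"
    service_name: "deb-bootc-compose"
    debug: false  # keep false outside development; debug output can expose ticket details

  # OpenID Connect Authentication
  oidc:
    enabled: true
    issuer_url: "https://auth.debian.org"
    client_id: "deb-bootc-compose"
    client_secret: "${OIDC_CLIENT_SECRET}"  # Use environment variable
    redirect_url: "https://compose.debian.org/auth/callback"
    scopes: "openid profile email groups"
    token_endpoint: "https://auth.debian.org/oauth2/token"
    userinfo_url: "https://auth.debian.org/oauth2/userinfo"
    jwks_url: "https://auth.debian.org/.well-known/jwks.json"

  # API Key Authentication
  api_key:
    enabled: true
    header_name: "X-API-Key"
    # NOTE(review): accepting the key as a query parameter means it ends up in
    # access logs, proxy logs and browser history; prefer header-only delivery
    # in production and drop this key if the loader treats absence as disabled.
    query_param: "api_key"
    secret_path: "/etc/deb-bootc-compose/api-keys"
    algorithm: "HS256"  # symmetric: anyone who can read secret_path can mint keys
    expiration: "24h"

  # SSL/TLS Configuration
  ssl:
    enabled: true
    cert_file: "/etc/ssl/certs/deb-bootc-compose.crt"
    key_file: "/etc/ssl/private/deb-bootc-compose.key"
    ca_file: "/etc/ssl/certs/deb-ca.crt"
    min_version: "TLS1.2"
    max_version: "TLS1.3"
    # AEAD, forward-secret suites only. If the TLS stack is Go's crypto/tls,
    # this list constrains TLS 1.2 handshakes only (1.3 suites are fixed) — confirm.
    cipher_suites:
      - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
      - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
      - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

  # Role-Based Access Control (RBAC)
  rbac:
    enabled: true
    default_role: "user"

    # Role Definitions
    roles:
      # Base user role with minimal permissions
      user:
        name: "user"
        description: "Basic user with read access to public resources"
        permissions:
          - "compose:read"
          - "variant:read"
          - "phase:read"
          - "metadata:read"
        inherits: []

      # Developer role with build permissions
      developer:
        name: "developer"
        description: "Developer with build and test permissions"
        permissions:
          - "compose:create"
          - "compose:build"
          - "variant:create"
          - "variant:modify"
          - "phase:execute"
          - "build:trigger"
          - "test:run"
        inherits: ["user"]

      # Maintainer role with full variant control
      maintainer:
        name: "maintainer"
        description: "Package maintainer with full variant control"
        permissions:
          - "variant:delete"
          - "variant:publish"
          - "repository:manage"
          - "signing:manage"
        inherits: ["developer"]

      # Admin role with full system access
      admin:
        name: "admin"
        description: "System administrator with full access"
        permissions:
          - "*:*"  # Full access to everything; the inherits below is redundant with it
        inherits: ["maintainer"]

      # Security role for security-related operations
      security:
        name: "security"
        description: "Security team with audit and security management permissions"
        permissions:
          - "audit:read"
          - "audit:export"
          - "security:manage"
          - "rbac:manage"
          - "user:manage"
        inherits: ["user"]

    # Policy Definitions
    # NOTE(review): how a deny policy and a role permission interact (deny-wins,
    # first-match, ...) is not stated here; verify against the policy engine.
    policies:
      # Deny access to sensitive resources for non-admin users
      deny_sensitive_resources:
        name: "deny_sensitive_resources"
        description: "Deny access to sensitive system resources"
        effect: "deny"
        resources:
          - "system:*"
          - "security:*"
          - "audit:*"
        actions:
          - "*"
        conditions:
          # Groups are listed explicitly: a user in no listed group (e.g. one
          # holding only "admin" or "security") is not matched by this deny.
          user_groups: ["user", "developer", "maintainer"]

      # Allow developers to access development resources
      allow_dev_access:
        name: "allow_dev_access"
        description: "Allow developers to access development resources"
        effect: "allow"
        resources:
          - "dev:*"
          - "test:*"
          - "build:*"
        actions:
          - "*"
        conditions:
          user_groups: ["developer", "maintainer", "admin"]

      # Time-based access control (example)
      business_hours_only:
        name: "business_hours_only"
        description: "Restrict access to business hours for non-critical operations"
        effect: "deny"
        resources:
          - "compose:create"
          - "variant:modify"
        actions:
          - "*"
        conditions:
          time_of_day: "outside_business_hours"

  # Audit Logging Configuration
  audit:
    enabled: true
    log_file: "/var/log/deb-bootc-compose/audit.log"
    log_level: "info"
    max_size: 100  # MB
    max_backups: 10
    # 30 days of on-host rotation; long-term retention is the compliance
    # section's job, so ship rotated files off-host before they age out.
    max_age: 30  # days

  # Custom security settings
  custom:
    session_timeout: "8h"
    max_login_attempts: 5  # matches the authentication_failure alert threshold below
    lockout_duration: "15m"
    password_policy:
      min_length: 12
      require_uppercase: true
      require_lowercase: true
      require_numbers: true
      require_special: true
    # All three RFC 1918 ranges: this admits any private address, so it is a
    # placeholder rather than a real restriction; narrow to the actual
    # management networks in production.
    ip_whitelist:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
    rate_limiting:
      requests_per_minute: 100
      burst_size: 20

  # Example user assignments (in production, this would be in a separate database)
  users:
    - username: "alice"
      email: "alice@debian.org"
      full_name: "Alice Developer"
      groups: ["developer"]
      metadata:
        department: "Engineering"
        location: "Remote"
    - username: "bob"
      email: "bob@debian.org"
      full_name: "Bob Maintainer"
      groups: ["maintainer"]
      metadata:
        department: "Package Maintenance"
        location: "Berlin"
    - username: "charlie"
      email: "charlie@debian.org"
      full_name: "Charlie Admin"
      groups: ["admin"]
      metadata:
        department: "Infrastructure"
        location: "Amsterdam"
    - username: "diana"
      email: "diana@debian.org"
      full_name: "Diana Security"
      groups: ["security"]
      metadata:
        department: "Security Team"
        location: "Paris"

  # Example API keys (in production, these would be hashed and stored securely)
  # The `key` values here are plaintext placeholders; never commit real keys.
  api_keys:
    - key: "dev-key-12345"
      user: "alice"
      permissions: ["compose:create", "variant:read"]
      expires_at: "2025-12-31T23:59:59Z"
    - key: "maintainer-key-67890"
      user: "bob"
      # NOTE(review): "*:*" grants this key more than bob's maintainer role
      # holds; a key should be scoped to at most its owner's permissions.
      permissions: ["*:*"]
      expires_at: "2025-12-31T23:59:59Z"

  # Security monitoring and alerting
  monitoring:
    enabled: true
    alerts:
      - event_type: "authentication_failure"
        threshold: 5
        window: "5m"
        action: "lockout_user"
        notification: "email"
      # block_ip acts on the source address; behind NAT or a shared proxy this
      # can cut off unrelated users — confirm the deployment topology first.
      - event_type: "access_denied"
        threshold: 10
        window: "1m"
        action: "block_ip"
        notification: "slack"
      - event_type: "security_violation"
        threshold: 1
        window: "1m"
        action: "immediate_alert"
        notification: "pagerduty"

  # Compliance and reporting
  compliance:
    enabled: true
    standards:
      - "SOX"
      - "GDPR"
      - "ISO27001"
    reporting:
      frequency: "monthly"
      formats: ["pdf", "csv", "json"]
      recipients:
        - "security@debian.org"
        - "compliance@debian.org"
    # Retention windows are longer than audit.max_age, so rotated audit logs
    # must be archived elsewhere to actually meet these.
    retention:
      audit_logs: "7y"
      user_sessions: "1y"
      security_events: "10y"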