# ──────────────────────────────────────────────────────────────────────
# Nadir configuration - config.yaml
#
# This is the single source of truth for runtime settings: server/TLS,
# roles, role assignments, and log-file allowlists. The only env var
# nadir reads is CONFIG_PATH, the bootstrap pointer to this file.
# By default, nadir uses ~/.config/config.yaml. You can override this
# with the -f / --config flag or by setting the CONFIG_PATH env var.
#
# Treat this file as sensitive: whoever can write it can grant themselves
# the admin role or add arbitrary paths to the log-file allowlist. Keep it
# owned by the account nadir runs as and not writable (ideally not readable)
# by other local users, e.g. mode 0600.
#
# Layout note: block-style YAML, 2-space indent, booleans written as
# true/false only (never yes/no/on/off, which some parsers retype).
# ──────────────────────────────────────────────────────────────────────

server:
  # Secure attribute on the session cookie.
  # Keep true when the browser reaches nadir over HTTPS (direct or via proxy).
  # Set false only for local plain-HTTP development: with false, the browser
  # will also send the session cookie over plain HTTP, where anyone on the
  # path can capture and replay it.
  secure_tls: true

  # TLS mode, in priority order:
  #
  # 1. trust_proxy: true
  #    A reverse proxy (e.g. Traefik) terminates TLS and forwards plaintext
  #    to nadir. Bind hostname to a private/overlay address so only the proxy
  #    can reach nadir. X-Forwarded-For is trusted in this mode, so if a
  #    client can reach nadir directly (bypassing the proxy) it can set that
  #    header itself and spoof the client address nadir records. Only enable
  #    this when the proxy is the sole path to nadir.
  #
  # 2. tls_cert + tls_key (uncomment below)
  #    Nadir terminates TLS itself with your PEM certificate and key.
  #    The key file should be readable only by the account nadir runs as
  #    (e.g. mode 0600); never commit it alongside this config.
  #
  # 3. Neither (default)
  #    Nadir generates a fresh in-memory self-signed certificate on every
  #    start. Browsers will warn, and because the certificate changes on each
  #    restart a user cannot distinguish the real server from an interposed
  #    one - this is for development only.
  #
  # Keep secure_tls: true in modes 1 and 2.
  # trust_proxy: false
  # tls_cert: /etc/nadir/tls/cert.pem
  # tls_key: /etc/nadir/tls/key.pem

  # Address and port to bind.
  # Use 127.0.0.1 for local-only, or an overlay/VPN address (e.g. a Netbird
  # or Tailscale IP) to expose nadir only on that interface. Avoid 0.0.0.0
  # or a public address: that exposes the login endpoint (PAM-backed, see
  # assignments below) to anyone who can reach the host. Note that the name
  # `localhost` may resolve to ::1 as well as 127.0.0.1 depending on the
  # resolver; use the literal 127.0.0.1 when you need to be precise.
  hostname: localhost
  port: 9999

  # Repository nadir consults for nadir-agent releases (what exactly is fetched
  # from it is not documented in this file). Keep it an https:// URL so the
  # fetch cannot be tampered with in transit.
  # NOTE(review): assumed to live under `server:`; confirm against nadir's
  # config loader.
  release_repo: https://tea.urania.dev/urania/nadir-agent

# ──────────────────────────────────────────────────────────────────────
# Roles
#
# Maps a role name to { module → [permissions] }.
# - Module key "*" means "all modules (including future ones)".
# - Permission "*" means "all permissions the module exports".
# - IMPORTANT: quote "*" - bare * is YAML alias syntax and fails to parse.
#
# Each module exports its own permission vocabulary via Permissions().
# Valid tiers are: read, write, root. Unknown modules or permissions
# cause a startup error, not a silent denial.
#
# Because "*" on the module key also covers modules added in future
# releases, a wildcard role silently widens on upgrade. Reserve
# "*": ["*"] for break-glass administrators and give everything else the
# narrowest module/permission set that works.
# ──────────────────────────────────────────────────────────────────────
roles:
  # Full access - every permission on every module.
  admin:
    "*": ["*"]

  # Read-only on all modules - good for monitoring dashboards.
  # auditor:
  #   "*": ["read"]

  # Scoped operator - can read and write the system module only.
  # system_ops:
  #   system: ["read", "write"]

# ──────────────────────────────────────────────────────────────────────
# Assignments
#
# Maps a local username to one or more roles. Effective grants are the
# union of all assigned roles' permissions - there is no deny role, so
# adding a role can only widen access. The username must match a real
# system account (authentication is via PAM, i.e. the host's PAM stack;
# with the usual pam_unix setup that means /etc/shadow). Consequently the
# OS password of every user listed here is also a nadir credential -
# don't grant admin to shared or default accounts.
#
# A machine credential (Bearer token) is assigned a role the same way, by its
# token name rather than a system username. Mint with `nadir token add
# central-dashboard`, then grant it scoped access below. Until it is listed
# here the token authenticates but can do nothing; removing its entry again
# strips all of its access.
# ──────────────────────────────────────────────────────────────────────
assignments:
  # Replace with your admin username. `ubuntu` is the stock cloud-image
  # account; do not leave this default in place once nadir is reachable
  # beyond localhost.
  ubuntu: [admin]
  # central-dashboard: [auditor]

# ──────────────────────────────────────────────────────────────────────
# Log files (optional)
#
# Per-unit allowlist of log files the Services module may serve via the
# source=file log endpoints. Only paths listed here are readable - the
# caller can never request an arbitrary file.
#
# Every caller with the relevant Services-module permission can read every
# file listed here in full, so do not list files that carry secrets
# (tokens, connection strings, query parameters). Whether nadir resolves
# symlinks before reading is not stated here - avoid listing paths under
# directories that untrusted local users can write to.
# ──────────────────────────────────────────────────────────────────────
# log_files:
#   nginx:
#     - /var/log/nginx/access.log
#     - /var/log/nginx/error.log
#   files:
#     - /var/log/auth.log