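# ──────────────────────────────────────────────────────────────────────
# Nadir configuration - config.yaml
#
# This is the single source of truth for runtime settings: server/TLS,
# roles, role assignments, and log-file allowlists. The only env var
# nadir reads is CONFIG_PATH, the bootstrap pointer to this file.
# By default, nadir uses ~/.config/config.yaml. You can override this
# with the -f / --config flag or by setting the CONFIG_PATH env var.
#
# Indentation is significant: every key that belongs to a section
# (server:, roles:, ...) must be indented under it. A key left at
# column 0 parses as an unrelated top-level key and the section it was
# meant for comes out empty.
# ──────────────────────────────────────────────────────────────────────
server:
  # Secure attribute on the session cookie.
  # Keep true when the browser reaches nadir over HTTPS (direct or via proxy).
  # Set false only for local plain-HTTP development - without the Secure
  # attribute the browser will also send the session cookie over plain HTTP.
  secure_tls: true

  # TLS mode, in priority order:
  #
  # 1. trust_proxy: true
  #    A reverse proxy (e.g. Traefik) terminates TLS and forwards plaintext
  #    to nadir. Bind hostname to a private/overlay address so only the proxy
  #    can reach nadir. X-Forwarded-For is trusted in this mode, so any client
  #    that can reach the port directly could present an arbitrary source
  #    address - enable it only where the proxy is the sole route to nadir.
  #
  # 2. tls_cert + tls_key (uncomment below)
  #    Nadir terminates TLS itself with your PEM certificate and key.
  #    Keep the key file readable only by the account nadir runs as
  #    (e.g. mode 0600).
  #
  # 3. Neither (default)
  #    Nadir generates a fresh in-memory self-signed certificate on every
  #    start. Browsers will warn - this is for development only.
  #
  # Keep secure_tls: true in modes 1 and 2.
  # trust_proxy: false
  # tls_cert: /etc/nadir/tls/cert.pem
  # tls_key: /etc/nadir/tls/key.pem

  # Address and port to bind.
  # Use 127.0.0.1 for local-only, or an overlay/VPN address (e.g. a Netbird
  # or Tailscale IP) to expose nadir only on that interface. Avoid 0.0.0.0
  # unless nadir really is meant to be reachable on every interface.
  hostname: localhost
  port: 9999

  # Release repository for nadir itself (presumably the source of its own
  # release/update downloads - confirm against the binary). Treat it like
  # any other update source: keep it an https:// URL and point it only at
  # a repository you trust, since whatever serves it decides what gets
  # downloaded.
  release_repo: https://tea.urania.dev/urania/nadir-agent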
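# ──────────────────────────────────────────────────────────────────────
# Roles
#
# Maps a role name to { module → [permissions] }.
# - Module key "*" means "all modules (including future ones)".
# - Permission "*" means "all permissions the module exports".
# - IMPORTANT: quote "*" - bare * is YAML alias syntax and fails to parse.
#
# Each module exports its own permission vocabulary via Permissions().
# Valid tiers are: read, write, root. Unknown modules or permissions
# cause a startup error, not a silent denial.
#
# Keep wildcard-on-wildcard roles to as few accounts as possible: because
# "*" also covers modules added in later releases, a role written today
# silently gains new abilities on upgrade without any config change.
# Prefer naming modules explicitly for anything that is not a true admin.
# ──────────────────────────────────────────────────────────────────────
roles:
  # Full access - every permission on every module, now and in the future.
  admin:
    "*": ["*"]
  # Read-only on all modules - good for monitoring dashboards.
  # auditor:
  #   "*": ["read"]
  # Scoped operator - can read and write the system module only.
  # system_ops:
  #   system: ["read", "write"]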
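# ──────────────────────────────────────────────────────────────────────
# Assignments
#
# Maps a local username to one or more roles. Effective grants are the
# union of all assigned roles' permissions - an account listed under
# several roles gets the widest of them, so prefer one scoped role per
# account over stacking roles. The username must match a real system
# account (PAM authenticates against /etc/shadow).
# NOTE: checking /etc/shadow normally requires the nadir process to be
# able to read it (root, or the shadow group / a PAM helper) - confirm
# against your PAM setup before assuming logins will work.
#
# A machine credential (Bearer token) is assigned a role the same way, by its
# token name rather than a system username. Mint with `nadir token add
# central-dashboard`, then grant it scoped access below. Until it is listed
# here the token authenticates but can do nothing. Token names and usernames
# share this one mapping, so do not give a token the same name as a local
# account - presumably both would receive the role.
# ──────────────────────────────────────────────────────────────────────
assignments:
  # Replace with your admin username. Whatever account is named here gets
  # full admin access with nothing more than its system password.
  ubuntu: [admin]
  # central-dashboard: [auditor]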
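# ──────────────────────────────────────────────────────────────────────
# Log files (optional)
#
# Per-unit allowlist of log files the Services module may serve via the
# source=file log endpoints. Only paths listed here are readable - the
# caller can never request an arbitrary file.
#
# Use absolute paths. Anything listed becomes readable to every account
# whose role covers the Services module, so keep files that carry secrets
# or other users' data off the list (auth.log, for example, records
# usernames and failed logins). If a listed path is a symlink, assume the
# target is what gets served - verify before relying on it.
# ──────────────────────────────────────────────────────────────────────
# log_files:
#   nginx:
#     - /var/log/nginx/access.log
#     - /var/log/nginx/error.log
#   files:
#     - /var/log/auth.log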