ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-06 07:22:14 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/etc/bastion/osh-encrypt-rsync.conf.dist
Stéphane Lesimple fde20136ef
Initial commit
2020-10-20 14:30:27 +00:00

96 lines
3.7 KiB
Text
Raw Blame History

###################################################################
# Config for /opt/bastion/bin/admin/osh-encrypt-rsync.pl
# This is a JSON file.
###################################################################
{
# logfile (string)
# value: filename with full absolute path
# desc: file where the logs will be written to (don't forget to configure logrotate!)
# default: none (won't log to any file)
# optional
# "logfile": "/var/log/bastion/osh-encrypt-rsync.log",
# syslog_facility (string)
# value: syslog facility to log to
# desc: if not defined, we'll not use syslog
# default: local6
# optional
"syslog_facility": "local6",
# signing_key (string)
# value: GPG key ID (short or long)
# desc: ID of the key used to sign the ttyrec files (must be in the local keyring, cf gpg --list-secret-keys)
# default: -
# mandatory
"signing_key": "FFFFFFFF",
# signing_key_passphrase (string)
# value: the passphrase of the signing_key
# desc: will be used by the script to unlock the key and sign with it
# default: -
# mandatory
"signing_key_passphrase": "configure_this_passphrase",
# encryption_recipients (array of array of strings)
# value: strings must be GPG key IDs (short or long)
# desc: ttyrecs will be encrypted with those GPG keys, possibly using multi-layer GPG encryption.
# Each sub-array is a layer, the first sub-array being the first encryption layer (which is also the last one for decryption)
# To completely decrypt a ttyrec, one would need at least one key of each layer.
# To encrypt only to a single layer and to only one key, simply use [ [ "KEYID" ] ].
# To encrypt to a single layer but with 3 keys being able to decrypt the ttyrec, use [ [ "KEY1", "KEY2", "KEY3" ] ], etc.
# A common use of multi-layer encryption is to have the first layer composed of the auditors' GPG keys, and
# the second layer composed of the sysadmins' GPG keys. During an audit, the sysadmins would get the ttyrec encrypted file,
# decrypt the second encryption layer (the first for decryption), and handle the now only auditor-protected file to the auditors.
# All public keys must be in the local keyring (gpg --list-keys).
# Don't forget to trust those keys "ultimately" in your keyring, too (gpg --edit-key ID)
# default: -
# mandatory
"recipients": [
[ "AAAAAAAA", "BBBBBBBB" ],
[ "CCCCCCCC", "DDDDDDDD" ]
],
# encrypt_and_move_to_directory (string)
# value: directory name (will be created if doesn't exist)
# desc: after encryption (and compression), move ttyrec files to subdirs of this directory
# default: -
# mandatory
"encrypt_and_move_to_directory": "/home/.encrypt",
# encrypt_and_move_delay_days (integer)
# value: int > 0
# desc: don't touch ttyrec files that have a modification time more recent than this
# default: -
# mandatory
"encrypt_and_move_delay_days": 14,
# rsync_destination (string)
# value: user@remotehost:/remote/dir/
# desc: string passed to rsync as a destination. If empty, will DISABLE rsync.
# default: ""
# example: user@remotebackup:/remote/dir
# mandatory
"rsync_destination": "",
# rsync_rsh (string)
# value: any valid string that'll be passed to rsync's --rsh option
# desc: useful to specify an SSH key or an alternate SSH port for example. Not used if rsync is disabled.
# example: ssh -p 222 -i /home/plop/.ssh/id_rsa_backup
# default: none (--rsh won't be specified)
# optional
"rsync_rsh": "ssh -p 222 -i /root/.ssh/id_rsa_backup",
# rsync_delay_before_remove_days (integer)
# value: int >= 0
# desc: after encryption/compression, and successful rsync to remote, wait for this amount of days before removing the files locally. Not used if rsync is disabled.
# default: -
# mandatory
"rsync_delay_before_remove_days": 7
}
Reference in a new issue View git blame Copy permalink