# Identity and run-time defaults for the guardian agent itself.
[agent]
log_level = "info"
# Unit is not stated in this file; presumably seconds — TODO confirm
# against the CLI's documentation before tuning it.
default_timeout = 30
# Relative path: where collected evidence is written. Presumably resolved
# against the agent's working directory — confirm against the CLI.
evidence_root = "artifacts/guardian"
dreamfields_profile = "sectwin"
name = "sectwin"

# HTTP/3 (QUIC) metrics scrape of the gateway over TLS.
# Trust for this target rests on `verify_ca`; the two pin fields are left
# empty, which (per the original annotations) means no fingerprint pinning
# is enforced on top of CA verification.
[observability.targets.gateway_http3]
name = "gateway_http3"
required = true
tags = ["gateway", "http3", "metrics", "quic-security"]
url = "https://localhost:8443/metrics"
method = "GET"
protocol = "http3"
# Required ALPN protocols (default: ["h3"] for HTTP/3).
alpn_required = ["h3"]
# Required for HTTP/3 - Server Name Indication. The URL host is localhost,
# so this is the name offered to the server; presumably it is also the name
# matched against the certificate's SANs — confirm against the CLI.
sni = "metrics.cryptlz.ai"
# CA bundle used to verify the server certificate; same file that
# [tls.services.vault_ca] manages.
verify_ca = "/etc/cryptlz/certs/cryptlz-ca-cert.pem"
# Optional: SHA256 fingerprint of CA cert for pinning (empty = not pinned).
ca_pin = ""
# Optional: SHA256 fingerprint of server public key for pinning (empty = not pinned).
spki_pin = ""
# Presumably tolerates TLS verification failures when true; keep false for
# a TLS-protected endpoint — semantics to be confirmed against the CLI.
allow_insecure = false

# Plain-HTTP/1 metrics scrape of the firewall on loopback. No TLS keys
# (`sni`, `verify_ca`, pins) are set here because the URL is http://, so
# `allow_insecure` presumably has nothing to act on for this target —
# confirm against the CLI.
[observability.targets.firewall_metrics]
name = "firewall_metrics"
required = true
tags = ["firewall", "metrics"]
url = "http://localhost:8889/metrics"
method = "GET"
protocol = "http1"
allow_insecure = false

# Internal CA material managed by the agent. `cert_path` and `ca_bundle`
# point at the same file, which is consistent with a self-signed root —
# confirm. `key_path` is the CA's private key, so whichever account runs
# the agent needs read access to it; presumably it is used to issue or
# renew certificates for the `sans` listed — TODO confirm against the CLI.
[tls.services.vault_ca]
name = "vault_ca"
auto_restart = true
sans = ["cryptlz.ai", "api.cryptlz.ai", "metrics.cryptlz.ai"]
ca_bundle = "/etc/cryptlz/certs/cryptlz-ca-cert.pem"
cert_path = "/etc/cryptlz/certs/cryptlz-ca-cert.pem"
key_path = "/etc/cryptlz/certs/cryptlz-ca-key.pem"

# systemd unit the agent supervises. It is ordered after the CA service so
# the gateway presumably has its certificate material available at start —
# confirm the unit's own After=/Requires= directives.
[systemd.units.vault_api_gateway]
name = "cryptlz-vault-api-gateway-http1.service"
description = "Cryptlz API Gateway HTTP/1 shim"
restart_policy = "on-failure"
dependencies = ["cryptlz-vault-ca.service"]

# Alertmanager route: alerts carrying the label component="firewall" are
# grouped by component and severity and delivered to the security-team
# receiver. The receiver itself is not defined in this file.
[alertmanager.routes.security_alerts]
name = "security_alerts"
receiver = "security-team"
group_by = ["component", "severity"]
match_labels = { component = "firewall" }