CIS490/etc/lab-host.toml.example
elliott 4e8d2bdb04 etc/lab-host.toml.example: pin Caddy root, not wg-pki client CA (closes #14)
ca_bundle is what the shipper uses to verify collector.wg's TLS cert.
That cert is signed by the Caddy Local Authority, bundled in the repo
as etc/caddy-root.crt. Pointing it at wg-ca.pem (the wg-pki CIS490
Lab-Host Client CA, which is the *receiver's* trust anchor for our
client cert) caused CERTIFICATE_VERIFY_FAILED on every ship.

Original fix authored by the on-device agent on k-gamingcom in
Dev_REL2_043026@786b8da; cherry-picked here onto main.

Co-Authored-By: k-gamingcom on-device agent
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 17:26:36 -05:00


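# CIS490 lab-host — copy to /etc/cis490/lab-host.toml and edit.
#
# This config drives BOTH the orchestrator (which runs episodes) and
# the shipper (which uploads completed episodes to the central
# receiver over WG).
#
# The [receiver] section holds credentials (client_key, and
# bearer_token if you enable it), so install the edited copy readable
# only by the account that runs the orchestrator/shipper.

# Stable identity for this lab host. Used in the receiver path
# (/v1/episodes/<host_id>/...) and in the X-Lab-Host header. Pick
# something short, stable, and DNS-safe — letters, digits, _.- only.
host_id = "REPLACE_ME"
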
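[paths]
# Local storage used by the orchestrator and shipper. All absolute.
# qcow_image is the guest disk image the orchestrator runs episodes
# against.
data_root = "/var/lib/cis490/data"
samples_store = "/var/lib/cis490/samples/store"
qcow_image = "/var/lib/cis490/vm/images/metasploitable2.qcow2"
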
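[receiver]
# The receiver lives behind Caddy on the WG-side collector host. The
# hostname must resolve over WG (collector.wg in the canonical
# spectral lab). ca_bundle pins the Caddy root CA (bundled in the
# repo) so the shipper can verify the server's TLS cert. Do NOT point
# it at wg-ca.pem: that is the wg-pki client CA from the bootstrap
# tarball, i.e. the RECEIVER's trust anchor for our client cert, and
# using it here makes every ship fail with CERTIFICATE_VERIFY_FAILED.
url = "https://collector.wg"
ca_bundle = "/opt/cis490/etc/caddy-root.crt"

# mTLS: leaf cert + private key issued by wg-pki for THIS host_id.
# lab-host.key is a private key — keep it (and this file) readable
# only by the account that runs the shipper. Comment these out to
# fall back to bearer-token auth during early bring-up.
client_cert = "/etc/cis490/certs/lab-host.pem"
client_key = "/etc/cis490/certs/lab-host.key"

# Bearer is optional and only used if mTLS isn't yet configured. When
# both are set, mTLS does the actual authn and the bearer is a
# belt-and-suspenders check. The token is a secret: if you set it,
# restrict this file's permissions and never commit the edited copy.
# bearer_token = "REPLACE_ME_WITH_SECRET"

# Set to false ONLY for local-loopback dev against an unsigned cert.
# It turns off verification of the receiver's TLS cert, so the shipper
# can no longer tell collector.wg from an impostor on the WG link —
# never leave it off on a host that ships to the real receiver.
# verify_tls = true
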
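[shipper]
# Both values are seconds. scan_interval_s is how often the shipper
# looks for completed episodes to upload; request_timeout_s bounds
# each request to the receiver.
scan_interval_s = 5.0
request_timeout_s = 60.0
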
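[episode]
# Phase durations in seconds for one episode run by the orchestrator.
# NOTE(review): presumably run in the order listed (baseline, then
# infected, then dormant) — confirm against the orchestrator before
# tuning.
baseline_seconds = 30
infected_seconds = 90
dormant_seconds = 60
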
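[retention]
# keep_local_for_days: how long local episode data is kept (days).
# prune_at_disk_pct: disk-usage percentage at which pruning kicks in
# early. NOTE(review): confirm in the retention code whether pruning
# can ever remove episodes that have not been shipped yet.
keep_local_for_days = 7
prune_at_disk_pct = 80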