server

package
v0.0.0-...-13488bf
Warning

This package is not in the latest version of its module.

Published: Apr 15, 2024 License: BSD-3-Clause Imports: 27 Imported by: 0

Documentation

Overview

Package server implements the setec secrets server.

Constants

const ACLCap tailcfg.PeerCapability = "tailscale.com/cap/secrets"

ACLCap is the capability name used for setec ACL permissions.

Variables

This section is empty.

Functions

This section is empty.

Types

type Config

type Config struct {
	// DBPath is the path to the secrets database.
	DBPath string
	// Key is the AEAD used to encrypt/decrypt the database.
	Key tink.AEAD
	// AuditLog is the writer to use for audit logs.
	AuditLog *audit.Writer
	// WhoIs is a function that reports an identity for a client IP
	// address. Outside of tests, it will be the WhoIs of a Tailscale
	// LocalClient.
	WhoIs func(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error)
	// Mux is the http.ServeMux on which the server registers its HTTP
	// handlers.
	Mux *http.ServeMux
	// BackupBucket is an AWS S3 bucket name to which database
	// backups should be saved. If empty, the database is not backed
	// up.
	BackupBucket string
	// BackupBucketRegion is the AWS region that the S3 bucket is in.
	//
	// You would think that one could derive this automatically given
	// the bucket's unique global namespace. I genuinely could not
	// find a way to get the AWS Go SDK to just figure this out
	// correctly, after two days of trying. The AWS SDK is not
	// designed for excellence, you are supposed to just give up and
	// be mediocre.
	BackupBucketRegion string
	// BackupAssumeRole is an AWS IAM role to assume to access the
	// backup bucket. The role assumption is requested using the
	// process's ambient AWS permissions, as autoconfigured by the AWS
	// SDK. If BackupAssumeRole is empty, backups are written without
	// assuming a role.
	BackupAssumeRole string
}

Config is the configuration for a Server.

type Server

type Server struct {
	// contains filtered or unexported fields
}

Server is a secrets HTTP server.

func New

func New(ctx context.Context, cfg Config) (*Server, error)

New creates a secret server and makes it ready to serve.

func (*Server) Metrics

func (s *Server) Metrics() expvar.Var

Metrics returns a collection of metrics for s. The caller is responsible for publishing the result to the metrics exporter.
