ansible/roles/sigul/server/templates/server.conf.j2
Kevin Fenzi 4f60681d63 sigul: do not use datacenter variable
Turns out we set datacenter to 'staging' in staging, and that is not
really a hostname/certname we want to use. So, since nothing is outside
of iad2 here, just hardcode iad2.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2023-09-25 17:17:27 -07:00


# This is a configuration for the sigul server.
# Rendered by Ansible from server.conf.j2; the template reads the inventory
# variables env, env_suffix, datacenter and inventory_hostname.
# Convention in this file: '#' lines are explanatory comments, ';' lines are
# keys deliberately left unset so the server's own default applies.
[server]
# Host name of the publicly accessible bridge to clients
# Production derives it from the datacenter variable; staging is hardcoded
# because datacenter is 'staging' there, which is not part of a real hostname.
{% if env == "production" %}
bridge-hostname: sign-bridge.{{datacenter}}.fedoraproject.org
{% else %}
bridge-hostname: sign-bridge01.stg.iad2.fedoraproject.org
{% endif %}
# Nickname of this server's own certificate (presumably looked up in the NSS
# database configured under [nss]). iad2 is hardcoded rather than taken from
# the datacenter variable because every vault lives in iad2.
server-cert-nickname: sign-vault{{ env_suffix }}.iad2.fedoraproject.org
# Port on which the bridge expects server connections
bridge-port: 44333
# Maximum accepted size of payload stored on disk
# (presumably bytes, i.e. roughly 5 GB -- confirm against the server docs)
max-file-payload-size: 5147483648
# Maximum accepted size of payload stored in server's memory
# (presumably bytes, i.e. 1 MiB -- confirm against the server docs)
max-memory-payload-size: 1048576
[database]
# Path to a directory containing a SQLite database
# Left unset on purpose; the server's built-in default location is used.
;database-path: /var/lib/sigul
[gnupg]
# Path to a directory containing GPG configuration and keyrings
gnupg-home: /var/lib/sigul/gnupg
# Default primary key type for newly created keys
gnupg-key-type: RSA
# Default primary key length for newly created keys
gnupg-key-length: 4096
# Default subkey type for newly created keys, empty for no subkey
# Intentionally empty here, so newly created keys get no subkey.
gnupg-subkey-type:
# Default subkey length for newly created keys if gnupg-subkey-type is not empty
# Unset because gnupg-subkey-type above is empty.
; gnupg-subkey-length: 2048
# Default key usage flags for newly created keys (comma-separated)
gnupg-key-usage: encrypt, sign
# Length of key passphrases used for newly created keys
# (presumably a character count -- confirm against the server docs)
passphrase-length: 128
[daemon]
# The user to run as
unix-user: sigul
# The group to run as
unix-group: sigul
[nss]
# Path to a directory containing a NSS database
nss-dir: /var/lib/sigul
# Password for accessing the NSS database. If not specified, the server will
# ask on startup
# Deliberately not set in this template, so the secret is never written into
# the rendered file; an operator supplies it interactively when the server
# starts.
; nss-password is not specified by default
# Minimum and maximum versions of TLS used
# Both pinned to tls1.2, so exactly TLS 1.2 is negotiated -- nothing older and
# nothing newer.
nss-min-tls: tls1.2
nss-max-tls: tls1.2
[binding]
# Hardware-token key binding is configured for production only; a staging
# render leaves this section empty.
{% if env == "production" %}
# List of binding modules enabled
enabled: pkcs11
# Comma-separated list of tokens the pkcs11 binding module knows about
pkcs11_tokens: yubikey_sv03,yubikey_sv04,yubikey_sv05,yubikey_sv06
# Public half of each token's key, kept as a .pem file on the server
pkcs11_yubikey_sv03_pubkey: /etc/sigul/yubikey_sv03.pem
pkcs11_yubikey_sv04_pubkey: /etc/sigul/yubikey_sv04.pem
pkcs11_yubikey_sv05_pubkey: /etc/sigul/yubikey_sv05.pem
pkcs11_yubikey_sv06_pubkey: /etc/sigul/yubikey_sv06.pem
# Private half is addressed by a PKCS#11 URI (token serial + object id) and is
# presumably never copied off the token. Each vault host is only given the
# entry for its own token, selected by inventory_hostname below.
# NOTE(review): the '%03' in these URIs is a percent-encoded object id; this
# relies on the server's config parser not doing %-interpolation -- confirm.
{% if inventory_hostname.startswith('sign-vault03') %}
pkcs11_yubikey_sv03_privkey: pkcs11:serial=8f2a341e00d7a665;id=%03;type=private
{% elif inventory_hostname.startswith('sign-vault04') %}
pkcs11_yubikey_sv04_privkey: pkcs11:serial=b38ee13e56b3b987;id=%03;type=private
{% elif inventory_hostname.startswith('sign-vault05') %}
pkcs11_yubikey_sv05_privkey: pkcs11:serial=e8dae68ae187ff13;id=%03;type=private
{% elif inventory_hostname.startswith('sign-vault06') or inventory_hostname == "sign-vault01.iad2.fedoraproject.org" %}
# sign-vault01 is mapped to the sv06 token as well -- presumably deliberate;
# confirm that this host is meant to share that key.
pkcs11_yubikey_sv06_privkey: pkcs11:serial=e3c4804a6631dd5f;id=%03;type=private
{% endif %}
{% endif %}