Anapaya appliance configuration (management only)
management object
The necessary configuration data for the management of the Anapaya appliance.
api object
Anapaya appliance management API configuration.
basic_auth object
Basic auth configuration that restricts access to the Anapaya appliance management API.
enabled boolean
Enable basic authentication for the Anapaya appliance management API.
users object[]
List of basic auth user credentials that are authorized to access the management API.
password_hashed string
The user password, hashed with the algorithm indicated by the prefix of the string. The string follows the Unix crypt format:
$id[$param=value(,param=value)*][$salt[$hash]]
Supported hash functions are:
- $2y$: bcrypt
The 'appliance-cli' or the 'htpasswd' tool can be used to create a password hash. E.g., 'appliance-cli crypto kdf hash' or 'htpasswd -nB -C 12 admin' prompts for a password. Note that 'htpasswd -n' prints 'username:hash'; only the part after the colon belongs in this field.
Example: $2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02
roles string[]
List of roles that a user has. The standard roles 'reader', 'observer', and 'writer' are supported.
- The 'reader' role is granted access to all GET endpoints on the API.
- The 'observer' role is granted access to all GET endpoints, as well as POST access to '/api/v1/debug/scion-tunneling/paths/search' and '/api/v1/tools/scion.*'.
- The 'writer' role is granted access to all endpoints.
Possible values: >= 1
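A pre-deployment check for the password_hashed field, as an added example (not Anapaya's code): it validates that a value is a well-formed $2y$ bcrypt string in the crypt format shown above, rejects the other prefixes htpasswd can emit, enforces a minimum cost, and turns a 'user:hash' line from 'htpasswd -n' into a users[] entry. MIN_COST and the default 'reader' role are assumptions for this example, not appliance behaviour.

```python
import re
from dataclasses import dataclass

# bcrypt in the Unix crypt format described above:
#   $2y$<2-digit cost>$<22-char salt><31-char hash>  -> 60 characters in total.
# The docs list $2y$ as the only supported prefix, so the $2a$/$2b$ variants are rejected on purpose.
_BCRYPT_RE = re.compile(
    r"^\$2y\$(?P<cost>\d{2})\$(?P<salt>[./A-Za-z0-9]{22})(?P<hash>[./A-Za-z0-9]{31})$"
)

# Assumed local policy (not an appliance setting): the docs' htpasswd example uses -C 12,
# anything below 10 is treated as too weak here.
MIN_COST = 10

# Prefixes of other crypt schemes (e.g. htpasswd without -B); none of them is accepted by the appliance.
_UNSUPPORTED_PREFIXES = ("{SHA}", "$apr1$", "$1$", "$5$", "$6$")


@dataclass(frozen=True)
class PasswordHash:
    algorithm: str
    cost: int
    salt: str
    digest: str


def parse_password_hash(value: str, min_cost: int = MIN_COST) -> PasswordHash:
    """Validate a password_hashed value before it is written into the management config."""
    if value.startswith(_UNSUPPORTED_PREFIXES):
        raise ValueError("only $2y$ bcrypt is supported; regenerate with 'htpasswd -nB -C 12 <user>'")
    match = _BCRYPT_RE.match(value)
    if match is None:
        raise ValueError("not a well-formed $2y$ bcrypt string "
                         "(expected '$2y$NN$' + 22-char salt + 31-char hash, 60 chars in total)")
    cost = int(match.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    if cost < min_cost:
        raise ValueError(f"bcrypt cost {cost} is below the policy minimum {min_cost}")
    return PasswordHash("bcrypt", cost, match.group("salt"), match.group("hash"))


def user_from_htpasswd_line(line: str, roles=("reader",), min_cost: int = MIN_COST) -> dict:
    """Turn one 'user:hash' line, as printed by 'htpasswd -n', into a users[] entry.

    The default role is the least-privileged 'reader' (an assumption of this example);
    pass roles explicitly to grant more.
    """
    username, sep, hashed = line.strip().partition(":")
    if not sep or not username:
        raise ValueError("expected 'username:hash'")
    parse_password_hash(hashed, min_cost)
    return {"username": username, "password_hashed": hashed, "roles": list(roles)}
```

Run the check against the config before pushing it; a hash that fails here would silently deny every login for that user rather than surface as a configuration error.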
username string
Name of the user.
Example: admin
disable_local_unix_socket boolean
By default, the management API is exposed on a local UNIX socket that can only be accessed locally on the appliance by a privileged user (the user needs to be part of the caddy group). Setting this property to true disables the local UNIX socket. Note that this might lock you out of the management API if you have not configured any other listeners, or those listeners are not reachable.
Example: false
listeners object[]
List of management API listeners that define where the API is exposed.
address string
An address that is used to expose the Anapaya appliance management API. This can be either a combination of an IP address and a fixed port, or a SCION address. The address must be specified as ip:port for IPv4, [ip]:port for IPv6, and [ISD-AS,ip]:port for SCION.
Example: 127.0.0.1:443
description string
Description, or comment, for the listener.
oauth object
Open authorization (OAuth) configuration that can authorize users who want to access the Anapaya appliance management API.
enabled boolean
Whether the feature is enabled.
Example: false
identity_providers object[]
The identity providers. Currently only one is supported.
base_auth_url string
The base URL for the identity provider.
Example: https://anapaya.eu.auth0.com/
client_id string
The client ID for this identity provider.
client_secret_ref string
Reference to the client secret for this identity provider.
id string
The identifier of the provider. Must be unique among all providers.
metadata_url string
The URL for fetching the OpenID configuration.
Example: https://anapaya.eu.auth0.com/.well-known/openid-configuration
tenant_id string
The tenant ID for Azure AD.
type string
The type of the provider.
Possible values: [GENERIC, AZURE_AD]
roles object[]
Roles configuration used for OAuth.
aliases string[]
List of aliases for the role. This is useful for mapping different role names from different identity providers to the same role in the appliance. If no aliases are configured for a role, the default aliases are 'appliance.
role string
Name of the role.
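The alias mapping above and the reader/observer/writer endpoint rules from the basic_auth section, worked through as an added example (not Anapaya's implementation): role names as issued by an identity provider are resolved through oauth.roles[] to appliance roles, and each request is then allowed or denied by method and path. Assumptions of this example: a role's own name counts as an alias of itself, the docs' '/api/v1/tools/scion.*' is read as a regular expression, and the appliance's default aliases are not modelled because the page does not list them in full.

```python
import re
from typing import Iterable, List, Set

STANDARD_ROLES = ("reader", "observer", "writer")

# Endpoints the observer role may POST to in addition to every GET.
# The docs write the second one as '/api/v1/tools/scion.*'; it is treated as a regular
# expression here (an assumption about the notation, not confirmed by the page).
_OBSERVER_POST_PATTERNS = [
    re.compile(r"^/api/v1/debug/scion-tunneling/paths/search$"),
    re.compile(r"^/api/v1/tools/scion.*"),
]


def build_alias_map(roles_config: List[dict]) -> dict:
    """Flatten oauth.roles[] into {name-as-issued-by-IdP: appliance role}.

    A role's own name is accepted as an alias of itself (assumption). An alias that
    points at two different roles is a configuration error, not a silent override.
    """
    alias_map = {}
    for entry in roles_config:
        role = entry["role"]
        if role not in STANDARD_ROLES:
            raise ValueError(f"unknown appliance role {role!r}")
        for name in [role, *entry.get("aliases", [])]:
            if alias_map.get(name, role) != role:
                raise ValueError(f"alias {name!r} maps to both {alias_map[name]!r} and {role!r}")
            alias_map[name] = role
    return alias_map


def resolve_roles(claimed: Iterable[str], roles_config: List[dict]) -> Set[str]:
    """Map the role names carried in a token onto appliance roles; unknown names are dropped."""
    alias_map = build_alias_map(roles_config)
    return {alias_map[name] for name in claimed if name in alias_map}


def is_authorized(roles: Set[str], method: str, path: str) -> bool:
    """Apply the reader/observer/writer rules to one request; anything not granted is denied."""
    method = method.upper()
    path = path.split("?", 1)[0]  # decide on the path only, never on the query string
    if "writer" in roles:
        return True
    if method == "GET" and roles & {"reader", "observer"}:
        return True
    if method == "POST" and "observer" in roles:
        return any(p.match(path) for p in _OBSERVER_POST_PATTERNS)
    return False


def authorize(claimed: Iterable[str], roles_config: List[dict], method: str, path: str) -> bool:
    """Convenience wrapper: token role claims + roles config + request -> allow/deny."""
    return is_authorized(resolve_roles(claimed, roles_config), method, path)
```

The useful property to keep when mapping identity-provider groups is that an unrecognised group name yields no appliance role at all, so a token from a misconfigured provider is denied rather than falling through to 'writer'.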
token_verification_keys object[]
Keys to verify JWTs.
id string
The identifier of the key. Must be unique among all keys.
Example: anapaya.auth0
jwks_url string
URL for fetching JSON Web Key Sets.
Example: https://anapaya.eu.auth0.com/.well-known/jwks.json
unprotected boolean
Whether the management API is allowed to be exposed without authentication. Always make sure to properly protect your API.
Example: false
hostname string
The hostname of the Anapaya appliance host. It is used to identify the host in the telemetry data; thus, each host should have a unique hostname. The hostname must be a valid hostname according to the RFC 1123 specification. By default, the appliance API disallows changing the hostname, except when it is still unset. If the hostname is already set, the API will return a validation error. This is a safety measure to prevent accidental deployment of a configuration meant for a different appliance. If you want to change the hostname after it has been set, you need to set the allow_hostname_change query parameter to true.
Default: anapaya-appliance
Example: edge-geneva-corpbank
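A parser for the three listener address forms (ip:port, [ip]:port, [ISD-AS,ip]:port) together with a small audit of the management.api object, as an added example that is not part of Anapaya's tooling. The audit flags the two situations the descriptions above warn about: a listener reachable off-host while neither basic_auth nor oauth is enabled (or unprotected is true), and disable_local_unix_socket set with no listeners, which locks you out. The ISD-AS pattern is an assumption about the SCION text format; the appliance's own validation may be stricter.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# ISD-AS as written in SCION addresses, e.g. 1-ff00:0:110 (assumed from the SCION text format).
_ISD_AS_RE = re.compile(r"^\d{1,5}-(?:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}|\d+)$")


@dataclass(frozen=True)
class ListenerAddress:
    ip: str
    port: int
    isd_as: Optional[str] = None   # set only for [ISD-AS,ip]:port listeners

    @property
    def is_loopback(self) -> bool:
        # A SCION listener is reachable from other ASes by design, so it is never "local".
        return self.isd_as is None and ipaddress.ip_address(self.ip).is_loopback


def _parse_port(text: str) -> int:
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def parse_listener_address(addr: str) -> ListenerAddress:
    """Accept ip:port (IPv4), [ip]:port (IPv6) and [ISD-AS,ip]:port (SCION); reject anything else."""
    if addr.startswith("["):
        end = addr.find("]:")
        if end < 0:
            raise ValueError(f"{addr!r}: bracketed address must be followed by ':port'")
        inside, port = addr[1:end], _parse_port(addr[end + 2:])
        if "," in inside:
            isd_as, ip = inside.split(",", 1)
            if not _ISD_AS_RE.match(isd_as):
                raise ValueError(f"{addr!r}: malformed ISD-AS {isd_as!r}")
            return ListenerAddress(str(ipaddress.ip_address(ip)), port, isd_as)
        ip = ipaddress.ip_address(inside)
        if ip.version != 6:
            raise ValueError(f"{addr!r}: only IPv6 may be bracketed without an ISD-AS")
        return ListenerAddress(str(ip), port)
    host, sep, port = addr.rpartition(":")
    if not sep:
        raise ValueError(f"{addr!r}: missing ':port'")
    ip = ipaddress.ip_address(host)   # raises on garbage, including a bare IPv6 literal
    if ip.version != 4:
        raise ValueError(f"{addr!r}: IPv6 must be written as [ip]:port")
    return ListenerAddress(str(ip), _parse_port(port))


def audit_management_api(api: dict) -> list:
    """Return findings for a management.api object; an empty list means nothing to report."""
    findings = []
    authenticated = (api.get("basic_auth", {}).get("enabled", False)
                     or api.get("oauth", {}).get("enabled", False))
    listeners = api.get("listeners", [])
    if api.get("unprotected", False):
        findings.append("unprotected=true: the API accepts unauthenticated requests")
    if api.get("disable_local_unix_socket", False) and not listeners:
        findings.append("disable_local_unix_socket=true with no listeners: nothing can reach the API (lockout)")
    for entry in listeners:
        try:
            la = parse_listener_address(entry["address"])
        except ValueError as exc:
            findings.append(f"listener rejected: {exc}")
            continue
        if not la.is_loopback and not authenticated:
            findings.append(f"listener {entry['address']} is reachable off-host but neither basic_auth nor oauth is enabled")
    return findings
```

A loopback listener without authentication is deliberately not flagged: it is no more exposed than the default UNIX socket, which already relies on local group membership.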
pam object
Configuration for the Pluggable Authentication Module (PAM) of the Anapaya appliance.
services object[]
List of services that are configured to use the Pluggable Authentication Module (PAM) of the Anapaya appliance.
account_modules string[]
List of PAM account modules that are used for the service.
auth_modules string[]
List of PAM authentication modules that are used for the service.
description string
Description or comment for the service.
enabled boolean
Whether the PAM service is enabled.
Example: false
password_modules string[]
List of PAM password modules that are used for the service.
service string
The name of the PAM service. The service name must be a valid service name according to the PAM specification. The service name is used to identify the service in the PAM configuration files.
Example: sshd
session_modules string[]
List of PAM session modules that are used for the service.
ssh object
Configuration for SSH access to the Anapaya appliance.
enable_password_login boolean
Whether password login is enabled for SSH access to the Anapaya appliance.
Example: false
radius object
Configuration for RADIUS access to the Anapaya appliance. The resulting RADIUS configuration on the appliance is written to /etc/pam_radius_auth.conf and can be referenced in the PAM configuration.
servers object[]
RADIUS server configurations.
address string
The IP address of the RADIUS server.
description string
Description or comment for the server.
secret_id_ref string
Reference to the secret ID used to authenticate the Anapaya appliance to the RADIUS server.
users object[]
Users with SSH access to the Anapaya appliance.
ssh_keys object[]
List of SSH keys that are authorized for the given user. This list is authoritative and overwrites the existing list of SSH keys in the user's authorized_keys file.
description string
Description or comment for the key.
key string
The SSH public key of the user.
Example: ssh-rsa AAAAB3NzaC1yc2
username string
The unix username of the user.
Example: anapaya
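Because ssh_keys[] is authoritative and enable_password_login defaults to off in the example, a malformed key list removes a user's only way in. The following added example (not Anapaya's code) checks each public-key line structurally before it would overwrite authorized_keys: it decodes the base64 blob and requires the embedded type string to match the one on the line, renders the resulting authorized_keys content, and reports users who would be left without any login path. SAMPLE_KEY is a constructed, structurally valid ssh-ed25519 line with an all-zero point, not a real key.

```python
import base64
import binascii
import struct
from typing import List, Optional

# Key types OpenSSH accepts in authorized_keys; sk-* and certificate types are left out for brevity.
KNOWN_KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def ssh_key_problem(text: str) -> Optional[str]:
    """Return why an OpenSSH public-key line is unusable, or None if it is structurally sound.

    The base64 blob's first length-prefixed string is the key type; requiring it to match the
    type on the line catches truncated, corrupted and mislabelled keys.
    """
    parts = text.split()
    if len(parts) < 2:
        return "expected '<type> <base64 blob> [comment]'"
    key_type, blob_b64 = parts[0], parts[1]
    if key_type not in KNOWN_KEY_TYPES:
        return f"unknown key type {key_type!r}"
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except binascii.Error as exc:
        return f"blob is not valid base64 ({exc})"
    if len(blob) < 4:
        return "blob truncated"
    (name_len,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + name_len:
        return "blob truncated"
    embedded = blob[4:4 + name_len].decode("ascii", "replace")
    if embedded != key_type:
        return f"blob encodes {embedded!r} but the line claims {key_type!r}"
    return None


def render_authorized_keys(user: dict) -> str:
    """Produce the authorized_keys content that the authoritative ssh_keys[] list becomes."""
    lines = []
    for entry in user.get("ssh_keys", []):
        problem = ssh_key_problem(entry["key"])
        if problem:
            raise ValueError(f"user {user['username']!r}: {problem}")
        lines.append(entry["key"].strip())
    return "".join(line + "\n" for line in lines)


def ssh_lockout_findings(ssh: dict) -> List[str]:
    """Flag rejected keys and users who would be left with no working login path."""
    findings = []
    password_login = ssh.get("enable_password_login", False)
    for user in ssh.get("users", []):
        usable = 0
        for entry in user.get("ssh_keys", []):
            problem = ssh_key_problem(entry["key"])
            if problem:
                findings.append(f"{user['username']}: key rejected: {problem}")
            else:
                usable += 1
        if usable == 0 and not password_login:
            findings.append(f"{user['username']}: no usable key and password login is disabled")
    return findings


# Constructed sample: an ssh-ed25519 blob carrying an all-zero 32-byte point. It is NOT a real
# key, only a structurally valid line for exercising the checks above.
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
).decode() + " ops@example"
```

The page's own example value, 'ssh-rsa AAAAB3NzaC1yc2', is a truncated key and is rejected by this check, which is the point: a config that looks plausible in review can still leave the user unable to log in.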
telemetry object
Anapaya appliance telemetry configuration.
address string
The address where the telemetry data is exposed. This is a combination of an IP address and a fixed port. The address must be specified as host:port, where host can be empty. An empty host indicates a wildcard address. If the address is not specified, or the IP is empty and the port is zero, only the management API address exposes the telemetry data.
Example: :42001
flow_metrics object
Configuration for the flow-metrics feature. The gateway collects information about outgoing flows, such as the source and destination ISD-AS and IP address, in order to export the number of gateway users. The flow information is sent to the flow-collector for storage and processing.
collector_url string
URL of the flow-collector where the flow metric information is sent to. Supports 'http', 'https' and 'grpc' transport.
enabled boolean
Whether the feature is enabled.
Example: false
export_task_interval string
The minimum time interval at which flow metrics are exported to the collector.
Example: 60s
flow_expiration_interval string
Time interval after which inactive flows are considered expired and are marked for cleanup.
Example: 180s
proxy_url string
URL of the optional HTTP(S) proxy. If set, the flow metric information is sent to the collector via the proxy.
labels object[]
List of static labels that are added to all telemetry data (e.g. logs, metrics).
label string
Name of the label.
value string
Value of the label.
logging object
Configuration for shipping logs to a remote log aggregation system.
logging_type string
The type of log aggregation system which is used.
Possible values: [LOKI]
loki object
Loki configuration.
basic_auth object
Basic auth configuration for sending log lines to Loki.
password_ref string
Reference to the password used for basic auth.
username string
The username to use for basic auth.
Example: promtail
tls_config object
Configuration for the TLS connection.
insecure_skip_verify boolean
insecure_skip_verify controls whether the client verifies the Loki server's certificate chain and host name. If insecure_skip_verify is true, the appliance accepts any certificate presented by the server and any host name in that certificate. In this mode, TLS is susceptible to machine-in-the-middle attacks unless custom verification is used. This should be used only for testing.
Example: false
url string
The URL which is used to push logs to Loki.
Example: https://loki.anapaya.net/loki/api/v1/push

Example:
{
"management": {
"api": {
"basic_auth": {
"enabled": true,
"users": [
{
"password_hashed": "$2y$10$QNodxwKFABMWu4XlFPmZDOSfqxrsqNvrSn487lCi7tJ/4nTsT/f02",
"roles": [
"string"
],
"username": "admin"
}
]
},
"disable_local_unix_socket": false,
"listeners": [
{
"address": "127.0.0.1:443",
"description": "string"
}
],
"oauth": {
"enabled": false,
"identity_providers": [
{
"base_auth_url": "https://anapaya.eu.auth0.com/",
"client_id": "string",
"client_secret_ref": "string",
"id": "string",
"metadata_url": "https://anapaya.eu.auth0.com/.well-known/openid-configuration",
"tenant_id": "string",
"type": "GENERIC"
}
],
"roles": [
{
"aliases": [
"string"
],
"role": "string"
}
],
"token_verification_keys": [
{
"id": "anapaya.auth0",
"jwks_url": "https://anapaya.eu.auth0.com/.well-known/jwks.json"
}
]
},
"unprotected": false
},
"hostname": "edge-geneva-corpbank",
"pam": {
"services": [
{
"account_modules": [
"string"
],
"auth_modules": [
"string"
],
"description": "string",
"enabled": false,
"password_modules": [
"string"
],
"service": "sshd",
"session_modules": [
"string"
]
}
]
},
"ssh": {
"enable_password_login": false,
"radius": {
"servers": [
{
"address": "string",
"description": "string",
"secret_id_ref": "string"
}
]
},
"users": [
{
"ssh_keys": [
{
"description": "string",
"key": "ssh-rsa AAAAB3NzaC1yc2"
}
],
"username": "anapaya"
}
]
},
"telemetry": {
"address": ":42001",
"flow_metrics": {
"collector_url": "string",
"enabled": false,
"export_task_interval": "60s",
"flow_expiration_interval": "180s",
"proxy_url": "string"
},
"labels": [
{
"label": "string",
"value": "string"
}
],
"logging": {
"logging_type": "LOKI",
"loki": {
"basic_auth": {
"password_ref": "string",
"username": "promtail"
},
"tls_config": {
"insecure_skip_verify": false
},
"url": "https://loki.anapaya.net/loki/api/v1/push"
}
}
}
}
}