Documentation
Overview
Package server implements the setec secrets server.
Index
Constants
const ACLCap tailcfg.PeerCapability = "tailscale.com/cap/secrets"
ACLCap is the capability name used for setec ACL permissions.
Variables
This section is empty.
Functions
This section is empty.
Types
type Config
type Config struct {
	// DBPath is the path to the secrets database.
	DBPath string

	// Key is the AEAD used to encrypt/decrypt the database.
	Key tink.AEAD

	// AuditLog is the writer to use for audit logs.
	AuditLog *audit.Writer

	// WhoIs is a function that reports an identity for a client IP
	// address. Outside of tests, it will be the WhoIs of a Tailscale
	// LocalClient.
	WhoIs func(ctx context.Context, remoteAddr string) (*apitype.WhoIsResponse, error)

	// Mux is the http.ServeMux on which the server registers its HTTP
	// handlers.
	Mux *http.ServeMux

	// BackupBucket is an AWS S3 bucket name to which database
	// backups should be saved. If empty, the database is not backed
	// up.
	BackupBucket string

	// BackupBucketRegion is the AWS region that the S3 bucket is in.
	//
	// You would think that one could derive this automatically given
	// the bucket's unique global namespace. I genuinely could not
	// find a way to get the AWS Go SDK to just figure this out
	// correctly, after two days of trying. The AWS SDK is not
	// designed for excellence, you are supposed to just give up and
	// be mediocre.
	BackupBucketRegion string

	// BackupAssumeRole is an AWS IAM role to assume to access the
	// backup bucket. The role assumption is requested using the
	// process's ambient AWS permissions, as autoconfigured by the AWS
	// SDK. If BackupAssumeRole is empty, backups are written without
	// assuming a role.
	BackupAssumeRole string
}
Config is the configuration for a Server.