github.com/hyperion-hyn/go-ethereum@v2.4.0+incompatible/docs/Privacy/Constellation/Sample Configuration.md

github.com/hyperion-hyn/go-ethereum@v2.4.0+incompatible/docs/Privacy/Constellation/Sample Configuration.md (about)

     1  ``` yaml
     2  #####
     3  ## Constellation configuration file example
     4  ## ----------------------------------------
     5  ## Every option listed here can also be specified on the command line, e.g.
     6  ## `constellation-node --url=http://www.foo.com --port 9001 ...`
     7  ## (lists are given using comma-separated strings)
     8  ## If both command line parameters and a configuration file are given, the
     9  ## command line options will take precedence.
    10  ##
    11  ## The only strictly necessary option is `port`, however it's recommended to
    12  ## set at least the following:
    13  ##
    14  ##   --url           The URL to advertise to other nodes (reachable by them)
    15  ##   --port          The local port to listen on
    16  ##   --workdir       The folder to put stuff in (default: .)
    17  ##   --socket        IPC socket to create for access to the Private API
    18  ##   --othernodes    "Boot nodes" to connect to to discover the network
    19  ##   --publickeys    Public keys hosted by this node
    20  ##   --privatekeys   Private keys hosted by this node (in corresponding order)
    21  ##
    22  ## Example usage:
    23  ##
    24  ##   constellation-node --workdir=data --generatekeys=foo
    25  ##   (To generate a keypair foo in the data directory)
    26  ##
    27  ##   constellation-node --url=https://localhost:9000/ \
    28  ##                      --port=9000 \
    29  ##                      --workdir=data \
    30  ##                      --socket=constellation.ipc \
    31  ##                      --othernodes=https://localhost:9001/ \
    32  ##                      --publickeys=foo.pub \
    33  ##                      --privatekeys=foo.key
    34  ##
    35  ##   constellation-node sample.conf
    36  ##
    37  ##   constellation-node --port=9002 sample.conf
    38  ##   (This overrides the port value given in sample.conf)
    39  ##
    40  ## Note on defaults: "Default:" below indicates the value that will be assumed
    41  ## if the option is not present either in the configuration file or as a command
    42  ## line parameter.
    43  ##
    44  ## Note about security: In the default configuration, Constellation will
    45  ## automatically generate TLS certificates and trust other nodes' certificates
    46  ## when they're first encountered (trust-on-first-use). See the documentation
    47  ## for tlsservertrust and tlsclienttrust below. To disable TLS entirely, e.g.
    48  ## when using Constellation in conjunction with a VPN like WireGuard, set tls to
    49  ## off.
    50  #####
    51  
    52  ## Externally accessible URL for this node's public API (this is what's
    53  ## advertised to other nodes on the network, and must be reachable by them.)
    54  url = "http://127.0.0.1:9001/"
    55  
    56  ## Port to listen on for the public API.
    57  port = 9001
    58  
    59  ## Directory in which to put and look for other files referenced here.
    60  ##
    61  ## Default: The current directory
    62  workdir = "data"
    63  
    64  ## Socket file to use for the private API / IPC. If this is commented out,
    65  ## the private API will not be accessible.
    66  ##
    67  ## Default: Not set
    68  socket = "constellation.ipc"
    69  
    70  ## Initial (not necessarily complete) list of other nodes in the network.
    71  ## Constellation will automatically connect to other nodes not in this list
    72  ## that are advertised by the nodes below, thus these can be considered the
    73  ## "boot nodes."
    74  ##
    75  ## Default: []
    76  othernodes = ["http://127.0.0.1:9000/"]
    77  
    78  ## The set of public keys this node will host.
    79  ##
    80  ## Default: []
    81  publickeys = ["foo.pub"]
    82  
    83  ## The corresponding set of private keys. These must correspond to the public
    84  ## keys listed above.
    85  ##
    86  ## Default: []
    87  privatekeys = ["foo.key"]
    88  
    89  ## Optional comma-separated list of paths to public keys to add as recipients
    90  ## for every transaction sent through this node, e.g. for backup purposes.
    91  ## These keys must be advertised by some Constellation node on the network, i.e.
    92  ## be in a node's publickeys/privatekeys lists.
    93  ##
    94  ## Default: []
    95  alwayssendto = []
    96  
    97  ## Optional file containing the passwords needed to unlock the given privatekeys
    98  ## (the file should contain one password per line -- add an empty line if any
    99  ## one key isn't locked.)
   100  ##
   101  ## Default: Not set
   102  # passwords = "passwords"
   103  
   104  ## Storage engine used to save payloads and related information. Options:
   105  ##   - bdb:path (BerkeleyDB)
   106  ##   - dir:path (Directory/file storage - can be used with e.g. FUSE-mounted
   107  ##     file systems.)
   108  ##   - leveldb:path (LevelDB - experimental)
   109  ##   - memory (Contents are cleared when Constellation exits)
   110  ##   - sqlite:path (SQLite - experimental)
   111  ##
   112  ## Default: "dir:storage"
   113  storage = "dir:storage"
   114  
   115  ## Verbosity level (each level includes all prior levels)
   116  ##   - 0: Only fatal errors
   117  ##   - 1: Warnings
   118  ##   - 2: Informational messages
   119  ##   - 3: Debug messages
   120  ##
   121  ## At the command line this can be specified using -v0, -v1, -v2, -v3, or
   122  ## -v (2) and -vv (3).
   123  ##
   124  ## Default: 1
   125  verbosity = 1
   126  
   127  ## Optional IP whitelist for the public API. If unspecified/empty,
   128  ## connections from all sources will be allowed (but the private API remains
   129  ## accessible only via the IPC socket above.) To allow connections from
   130  ## localhost when a whitelist is defined, e.g. when running multiple
   131  ## Constellation nodes on the same machine, add "127.0.0.1" and "::1" to
   132  ## this list.
   133  ##
   134  ## Default: Not set
   135  # ipwhitelist = ["10.0.0.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"]
   136  
   137  ## TLS status. Options:
   138  ##
   139  ##   - strict: All connections to and from this node must use TLS with mutual
   140  ##     authentication. See the documentation for tlsservertrust and
   141  ##     tlsclienttrust below.
   142  ##   - off: Mutually authenticated TLS is not used for in- and outbound
   143  ##     connections, although unauthenticated connections to HTTPS hosts are
   144  ##     still possible. This should only be used if another transport security
   145  ##     mechanism like WireGuard is in place.
   146  ##
   147  ## Default: "strict"
   148  tls = "strict"
   149  
   150  ## Path to a file containing the server's TLS certificate in Apache format.
   151  ## This is used to identify this node to other nodes in the network when they
   152  ## connect to the public API.
   153  ##
   154  ## This file will be auto-generated if it doesn't exist.
   155  ##
   156  ## Default: "tls-server-cert.pem"
   157  tlsservercert = "tls-server-cert.pem"
   158  
   159  ## List of files that constitute the CA trust chain for the server certificate.
   160  ## This can be empty for auto-generated/non-PKI-based certificates.
   161  ##
   162  ## Default: []
   163  tlsserverchain = []
   164  
   165  ## The private key file for the server TLS certificate.
   166  ##
   167  ## This file will be auto-generated if it doesn't exist.
   168  ##
   169  ## Default: "tls-server-key.pem"
   170  tlsserverkey = "tls-server-key.pem"
   171  
   172  ## TLS trust mode for the server. This decides who's allowed to connect to it.
   173  ## Options:
   174  ##
   175  ##   - whitelist: Only nodes that have previously connected to this node and
   176  ##     been added to the tlsknownclients file below will be allowed to connect.
   177  ##     This mode will not add any new clients to the tlsknownclients file.
   178  ##
   179  ##   - tofu: (Trust-on-first-use) Only the first node that connects identifying
   180  ##     as a certain host will be allowed to connect as the same host in the
   181  ##     future. Note that nodes identifying as other hosts will still be able
   182  ##     to connect -- switch to whitelist after populating the tlsknownclients
   183  ##     list to restrict access.
   184  ##
   185  ##   - ca: Only nodes with a valid certificate and chain of trust to one of
   186  ##     the system root certificates will be allowed to connect. The folder
   187  ##     containing trusted root certificates can be overriden with the
   188  ##     SYSTEM_CERTIFICATE_PATH environment variable.
   189  ##
   190  ##   - ca-or-tofu: A combination of ca and tofu: If a certificate is valid,
   191  ##     it is always allowed and added to the tlsknownclients list. If it is
   192  ##     self-signed, it will be allowed only if it's the first certificate this
   193  ##     node has seen for that host.
   194  ##
   195  ##   - insecure-no-validation: Any client can connect, however they will still
   196  ##     be added to the tlsknownclients file.
   197  ##
   198  ## Default: "tofu"
   199  tlsservertrust = "tofu"
   200  
   201  ## TLS known clients file for the server. This contains the fingerprints of
   202  ## public keys of other nodes that are allowed to connect to this one.
   203  ##
   204  ## Default: "tls-known-clients"
   205  tlsknownclients = "tls-known-clients"
   206  
   207  ## Path to a file containing the client's TLS certificate in Apache format.
   208  ## This is used to identify this node to other nodes in the network when it is
   209  ## connecting to their public APIs.
   210  ##
   211  ## This file will be auto-generated if it doesn't exist.
   212  ##
   213  ## Default: "tls-client-cert.pem"
   214  tlsclientcert = "tls-client-cert.pem"
   215  
   216  ## List of files that constitute the CA trust chain for the client certificate.
   217  ## This can be empty for auto-generated/non-PKI-based certificates.
   218  ##
   219  ## Default: []
   220  tlsclientchain = []
   221  
   222  ## The private key file for the client TLS certificate.
   223  ##
   224  ## This file will be auto-generated if it doesn't exist.
   225  ##
   226  ## Default: "tls-client-key.pem"
   227  tlsclientkey = "tls-client-key.pem"
   228  
   229  ## TLS trust mode for the client. This decides which servers it will connect to.
   230  ## Options:
   231  ##
   232  ##   - whitelist: This node will only connect to servers it has previously seen
   233  ##     and added to the tlsknownclients file below. This mode will not add
   234  ##     any new servers to the tlsknownservers file.
   235  ##
   236  ##   - tofu: (Trust-on-first-use) This node will only connect to the same
   237  ##     server for any given host. (Similar to how OpenSSH works.)
   238  ##
   239  ##   - ca: The node will only connect to servers with a valid certificate and
   240  ##     chain of trust to one of the system root certificates. The folder
   241  ##     containing trusted root certificates can be overriden with the
   242  ##     SYSTEM_CERTIFICATE_PATH environment variable.
   243  ##
   244  ##   - ca-or-tofu: A combination of ca and tofu: If a certificate is valid,
   245  ##     it is always allowed and added to the tlsknownservers list. If it is
   246  ##     self-signed, it will be allowed only if it's the first certificate this
   247  ##     node has seen for that host.
   248  ##
   249  ##   - insecure-no-validation: This node will connect to any server, regardless
   250  ##     of certificate, however it will still be added to the tlsknownservers
   251  ##     file.
   252  ##
   253  ## Default: "ca-or-tofu"
   254  tlsclienttrust = "ca-or-tofu"
   255  
   256  ## TLS known servers file for the client. This contains the fingerprints of
   257  ## public keys of other nodes that this node has encountered.
   258  ##
   259  ## Default: "tls-known-servers"
   260  tlsknownservers = "tls-known-servers"
   261  ```
   262