keylimectl: Add example configuration file

ansasaki · ansasaki · commit b5c9fa69e480 · 2025-08-04T16:03:19.000+02:00
Signed-off-by: Anderson Toshiyuki Sasaki &lt;ansasaki@redhat.com&gt;
diff --git a/keylimectl/keylimectl.conf b/keylimectl/keylimectl.conf
@@ -0,0 +1,234 @@
+# keylimectl Configuration File
+#
+# This file contains all available configuration options for keylimectl,
+# the modern command-line tool for Keylime remote attestation.
+#
+# Configuration files are completely optional. keylimectl will work out-of-the-box
+# with sensible defaults if no configuration file is provided.
+#
+# Configuration precedence (highest to lowest):
+# 1. Command-line arguments
+# 2. Environment variables (KEYLIME_*)
+# 3. Configuration files (this file)
+# 4. Default values
+#
+# This file uses TOML format. For more information about TOML syntax,
+# see: https://toml.io/
+
+#
+# VERIFIER CONFIGURATION
+#
+# The verifier continuously monitors agent integrity and manages attestation policies.
+# It receives attestation evidence from agents and verifies their trustworthiness.
+#
+[verifier]
+
+# IP address of the Keylime verifier service
+# Default: "127.0.0.1"
+# Environment variable: KEYLIME_VERIFIER__IP
+ip = "127.0.0.1"
+
+# Port number of the Keylime verifier service
+# Default: 8881
+# Environment variable: KEYLIME_VERIFIER__PORT
+port = 8881
+
+# Optional verifier identifier for multi-verifier deployments
+# Default: None
+# Environment variable: KEYLIME_VERIFIER__ID
+# id = "verifier-1"
+
+#
+# REGISTRAR CONFIGURATION
+#
+# The registrar maintains a database of registered agents and their TPM public keys.
+# Agents must register with the registrar before they can be added to the verifier.
+#
+[registrar]
+
+# IP address of the Keylime registrar service
+# Default: "127.0.0.1"
+# Environment variable: KEYLIME_REGISTRAR__IP
+ip = "127.0.0.1"
+
+# Port number of the Keylime registrar service
+# Default: 8891
+# Environment variable: KEYLIME_REGISTRAR__PORT
+port = 8891
+
+#
+# TLS/SSL SECURITY CONFIGURATION
+#
+# This section controls secure communication with Keylime services.
+# Proper TLS configuration is essential for production deployments.
+#
+[tls]
+
+# Path to client certificate file for mutual TLS authentication
+# Default: None (no client certificate)
+# Environment variable: KEYLIME_TLS__CLIENT_CERT
+# client_cert = "/var/lib/keylime/cv_ca/client-cert.crt"
+
+# Path to client private key file for mutual TLS authentication
+# Default: None (no client key)
+# Environment variable: KEYLIME_TLS__CLIENT_KEY
+# client_key = "/var/lib/keylime/cv_ca/client-private.pem"
+
+# Password for encrypted client private key (if applicable)
+# Default: None (no password)
+# Environment variable: KEYLIME_TLS__CLIENT_KEY_PASSWORD
+# client_key_password = "your-key-password"
+
+# List of trusted CA certificate file paths for server verification
+# Default: [] (empty list - uses system CA store)
+# Environment variable: KEYLIME_TLS__TRUSTED_CA (comma-separated)
+# trusted_ca = [
+#     "/var/lib/keylime/cv_ca/cacert.crt",
+#     "/etc/ssl/certs/additional-ca.crt"
+# ]
+
+# Whether to verify server certificates
+# Default: true
+# Environment variable: KEYLIME_TLS__VERIFY_SERVER_CERT
+# WARNING: Only disable for testing - never in production!
+verify_server_cert = true
+
+# Whether to enable mutual TLS for agent communications
+# Default: true
+# Environment variable: KEYLIME_TLS__ENABLE_AGENT_MTLS
+enable_agent_mtls = true
+
+#
+# HTTP CLIENT CONFIGURATION
+#
+# This section controls HTTP client behavior including timeouts and retry logic.
+# These settings affect reliability and performance of API communications.
+#
+[client]
+
+# Request timeout in seconds
+# Default: 60
+# Environment variable: KEYLIME_CLIENT__TIMEOUT
+timeout = 60
+
+# Base retry interval in seconds
+# Default: 1.0
+# Environment variable: KEYLIME_CLIENT__RETRY_INTERVAL
+retry_interval = 1.0
+
+# Whether to use exponential backoff for retries
+# Default: true
+# Environment variable: KEYLIME_CLIENT__EXPONENTIAL_BACKOFF
+# When true, retry delays increase exponentially: 1s, 2s, 4s, 8s, etc.
+# When false, retry delay remains constant at retry_interval
+exponential_backoff = true
+
+# Maximum number of retry attempts
+# Default: 3
+# Environment variable: KEYLIME_CLIENT__MAX_RETRIES
+max_retries = 3
+
+#
+# EXAMPLE CONFIGURATIONS
+#
+
+# Example 1: Production configuration with custom services
+# [verifier]
+# ip = "keylime-verifier.company.com"
+# port = 8881
+# id = "prod-verifier-01"
+#
+# [registrar]
+# ip = "keylime-registrar.company.com"
+# port = 8891
+#
+# [tls]
+# client_cert = "/etc/keylime/certs/client.crt"
+# client_key = "/etc/keylime/certs/client.key"
+# trusted_ca = ["/etc/keylime/certs/ca.crt"]
+# verify_server_cert = true
+# enable_agent_mtls = true
+#
+# [client]
+# timeout = 30
+# retry_interval = 2.0
+# exponential_backoff = true
+# max_retries = 5
+
+# Example 2: Development/testing configuration
+# [verifier]
+# ip = "192.168.1.100"
+# port = 8881
+#
+# [registrar]
+# ip = "192.168.1.101"
+# port = 8891
+#
+# [tls]
+# verify_server_cert = false  # WARNING: Testing only!
+# enable_agent_mtls = false   # WARNING: Testing only!
+#
+# [client]
+# timeout = 10
+# retry_interval = 0.5
+# max_retries = 1
+
+# Example 3: IPv6 configuration
+# [verifier]
+# ip = "2001:db8::1"
+# port = 8881
+#
+# [registrar]
+# ip = "2001:db8::2"
+# port = 8891
+
+#
+# ENVIRONMENT VARIABLE REFERENCE
+#
+# All configuration options can be overridden using environment variables
+# with the KEYLIME_ prefix and double underscores as section separators:
+#
+# KEYLIME_VERIFIER__IP=192.168.1.100
+# KEYLIME_VERIFIER__PORT=8881
+# KEYLIME_VERIFIER__ID=verifier-1
+# KEYLIME_REGISTRAR__IP=192.168.1.101
+# KEYLIME_REGISTRAR__PORT=8891
+# KEYLIME_TLS__CLIENT_CERT=/path/to/client.crt
+# KEYLIME_TLS__CLIENT_KEY=/path/to/client.key
+# KEYLIME_TLS__CLIENT_KEY_PASSWORD=password
+# KEYLIME_TLS__TRUSTED_CA=/path/ca1.crt,/path/ca2.crt
+# KEYLIME_TLS__VERIFY_SERVER_CERT=true
+# KEYLIME_TLS__ENABLE_AGENT_MTLS=true
+# KEYLIME_CLIENT__TIMEOUT=60
+# KEYLIME_CLIENT__RETRY_INTERVAL=1.0
+# KEYLIME_CLIENT__EXPONENTIAL_BACKOFF=true
+# KEYLIME_CLIENT__MAX_RETRIES=3
+
+#
+# COMMAND-LINE ARGUMENT REFERENCE
+#
+# Configuration can also be overridden via command-line arguments:
+#
+# --verifier-ip <IP>          Override verifier IP address
+# --verifier-port <PORT>      Override verifier port
+# --registrar-ip <IP>         Override registrar IP address
+# --registrar-port <PORT>     Override registrar port
+# -c, --config <FILE>         Specify explicit configuration file path
+# -v, --verbose               Enable verbose logging
+# -q, --quiet                 Suppress non-essential output
+# --format <FORMAT>           Output format (json, table, yaml)
+
+#
+# CONFIGURATION FILE LOCATIONS
+#
+# keylimectl searches for configuration files in this order:
+# 1. Explicit path provided via -c/--config (required to exist)
+# 2. ./keylimectl.toml (current directory)
+# 3. ./keylimectl.conf (current directory)
+# 4. /etc/keylime/keylimectl.conf (system-wide)
+# 5. /usr/etc/keylime/keylimectl.conf (alternative system-wide)
+# 6. ~/.config/keylime/keylimectl.conf (user-specific)
+# 7. ~/.keylimectl.toml (user-specific)
+# 8. $XDG_CONFIG_HOME/keylime/keylimectl.conf (XDG standard)
+#
+# If no configuration files are found, keylimectl works with defaults.
