From 952f821e9c5a4475f7619d3226fa001a439a9c7b Mon Sep 17 00:00:00 2001 From: reinkrul Date: Mon, 13 May 2024 09:59:26 +0200 Subject: [PATCH] Docs: remove leftover CORS mention (#3107) --- README.rst | 88 +++++++------ docs/pages/deployment/cli-reference.rst | 153 +++++++++++------------ docs/pages/deployment/configuration.rst | 2 +- docs/pages/deployment/server_options.rst | 91 +++++++------- 4 files changed, 167 insertions(+), 167 deletions(-) diff --git a/README.rst b/README.rst index 76862c2c74..528698e0ec 100644 --- a/README.rst +++ b/README.rst 
@@ -167,49 +167,54 @@ The following options can be configured on the server: :widths: 20 30 50 :class: options-table - ===================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ - Key Default Description - ===================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ - configfile ./config/nuts.yaml Nuts config file - cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set. - datadir ./data Directory where the node stores its files. - internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. 
Always enabled in strict mode. - loggerformat text Log format (text, json) - strictmode true When set, insecure settings are forbidden. - url Public facing URL of the server (required). Must be HTTPS when strictmode is set. - verbosity info Log level (trace, debug, info, warn, error) - httpclient.timeout 30s Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax. + ======================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ + Key Default Description + ======================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ 
+ configfile ./config/nuts.yaml Nuts config file + cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set. + datadir ./data Directory where the node stores its files. + internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. + loggerformat text Log format (text, json) + strictmode true When set, insecure settings are forbidden. + url Public facing URL of the server (required). Must be HTTPS when strictmode is set. + verbosity info Log level (trace, debug, info, warn, error) + httpclient.timeout 30s Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax. **Crypto** - crypto.storage Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). - crypto.external.address Address of the external storage service. - crypto.external.timeout 100ms Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). - crypto.vault.address The Vault address. If set it overwrites the VAULT_ADDR env var. - crypto.vault.pathprefix kv The Vault path prefix. - crypto.vault.timeout 5s Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). - crypto.vault.token The Vault token. If set it overwrites the VAULT_TOKEN env var. + crypto.storage Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). + crypto.external.address Address of the external storage service. + crypto.external.timeout 100ms Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). + crypto.vault.address The Vault address. 
If set it overwrites the VAULT_ADDR env var. + crypto.vault.pathprefix kv The Vault path prefix. + crypto.vault.timeout 5s Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). + crypto.vault.token The Vault token. If set it overwrites the VAULT_TOKEN env var. **Discovery** - discovery.client.refresh_interval 10m0s Interval at which the client synchronizes with the Discovery Server; refreshing Verifiable Presentations of local DIDs and loading changes, updating the local copy. It only will actually refresh registrations of local DIDs that about to expire (less than 1/4th of their lifetime left). Specified as Golang duration (e.g. 1m, 1h30m). - discovery.definitions.directory ./config/discovery Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start. - discovery.server.ids [] IDs of the Discovery Service for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start. + discovery.client.refresh_interval 10m0s Interval at which the client synchronizes with the Discovery Server; refreshing Verifiable Presentations of local DIDs and loading changes, updating the local copy. It only will actually refresh registrations of local DIDs that about to expire (less than 1/4th of their lifetime left). Specified as Golang duration (e.g. 1m, 1h30m). + discovery.definitions.directory ./config/discovery Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start. + discovery.server.ids [] IDs of the Discovery Service for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start. **HTTP** - http.log metadata What to log about HTTP requests. 
Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). - http.internal.address 127.0.0.1:8081 Address and port the server will be listening to for internal-facing endpoints. - http.internal.auth.audience Expected audience for JWT tokens (default: hostname) - http.internal.auth.authorizedkeyspath Path to an authorized_keys file for trusted JWT signers - http.internal.auth.type Whether to enable authentication for /internal endpoints, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. - http.public.address \:8080 Address and port the server will be listening to for public-facing endpoints. + http.log metadata What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). When debug vebosity is set the authorization headers are also logged when the request is fully logged. + http.internal.address 127.0.0.1:8081 Address and port the server will be listening to for internal-facing endpoints. + http.internal.auth.audience Expected audience for JWT tokens (default: hostname) + http.internal.auth.authorizedkeyspath Path to an authorized_keys file for trusted JWT signers + http.internal.auth.type Whether to enable authentication for /internal endpoints, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. + http.public.address \:8080 Address and port the server will be listening to for public-facing endpoints. 
**JSONLD** - jsonld.contexts.localmapping [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. - jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. + jsonld.contexts.localmapping [https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. + jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. 
**PKI** - pki.maxupdatefailhours 4 Maximum number of hours that a denylist update can fail - pki.softfail true Do not reject certificates if their revocation status cannot be established when softfail is true + pki.maxupdatefailhours 4 Maximum number of hours that a denylist update can fail + pki.softfail true Do not reject certificates if their revocation status cannot be established when softfail is true **Storage** - storage.sql.connection Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL'). + storage.session.redis.address Redis session database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. If not set it, defaults to an in-memory database. + storage.session.redis.database Redis session database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. + storage.session.redis.password Redis session database password. If set, it overrides the username in the connection URL. + storage.session.redis.username Redis session database username. If set, it overrides the username in the connection URL. + storage.session.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis session servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). + storage.sql.connection Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL'). 
**policy** - policy.address The address of a remote policy server. Mutual exclusive with policy.directory. - policy.directory ./config/policy Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping. Mutual exclusive with policy.address. - ===================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ + policy.address The address of a remote policy server. Mutual exclusive with policy.directory. + policy.directory ./config/policy Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping. Mutual exclusive with policy.address. 
+ ======================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ Options specific for ``did:nuts``/gRPC ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
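Review bot: the regenerated `http.log` row (`+ http.log metadata ...`) carries a typo, "vebosity", and its new last sentence leaves it unclear when Authorization headers actually reach the log. Since this table looks generated from the flag definitions, fix the wording at the source rather than in the rst, for instance `When verbosity is 'debug' and http.log is 'metadata-and-body', the Authorization header is logged as well.`, and state plainly that this writes bearer tokens into the log so operators know not to run that combination in production. Two smaller points in the same hunk: the added `storage.session.redis.password` row says it "overrides the username in the connection URL" (copied from the username row; it should say password), and the `jsonld.contexts.localmapping` default is the same five mappings in a different order than before and than in the cli-reference hunk further down, which is map-iteration churn; sorting the keys in the generator would keep these tables stable between runs.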
@@ -265,15 +270,6 @@ If your use case does not use these features, you can ignore this table. storage.redis.sentinel.password Password for authenticating to Redis Sentinels. storage.redis.sentinel.username Username for authenticating to Redis Sentinels. storage.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). - storage.session.redis.address Redis database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. - storage.session.redis.database Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. - storage.session.redis.password Redis database password. If set, it overrides the username in the connection URL. - storage.session.redis.username Redis database username. If set, it overrides the username in the connection URL. - storage.session.redis.sentinel.master Name of the Redis Sentinel master. Setting this property enables Redis Sentinel. - storage.session.redis.sentinel.nodes [] Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel. - storage.session.redis.sentinel.password Password for authenticating to Redis Sentinels. - storage.session.redis.sentinel.username Username for authenticating to Redis Sentinels. - storage.session.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). **VCR** vcr.openid4vci.definitionsdir Directory with the additional credential definitions the node could issue (experimental, may change without notice). vcr.openid4vci.enabled true Enable issuing and receiving credentials over OpenID4VCI. 
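Review bot: this hunk drops all nine `storage.session.redis.*` rows from the did:nuts/gRPC table, but the general table earlier in this patch only gains five of them (address, database, password, username, tls.truststorefile); the four `storage.session.redis.sentinel.*` rows (master, nodes, password, username) are not re-added anywhere visible in the diff. If Sentinel support for the session store still exists, those rows need to move with the others; if it was removed, say so in the commit message, since the PR title only mentions CORS.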
@@ -313,7 +309,7 @@ In addition, it requires ``auth.irma.schememanager=pbdf``. As a general safety precaution ``auth.contractvalidators`` ignores the ``dummy`` option if configured, requesting an access token from another node on ``/n2n/auth/v1/accesstoken`` does not return any error details, -``auth.accesstokenlifespan`` is always 60 seconds, ``http.default.cors.origin`` does not allow a wildcard (``*``), +``auth.accesstokenlifespan`` is always 60 seconds, json-ld context can only be downloaded from trusted domains configured in ``jsonld.contexts.remoteallowlist``, and the ``internalratelimiter`` is always on. diff --git a/docs/pages/deployment/cli-reference.rst b/docs/pages/deployment/cli-reference.rst index 94c73233a7..078424ad4c 100755 --- a/docs/pages/deployment/cli-reference.rst +++ b/docs/pages/deployment/cli-reference.rst 
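Review bot: the `-`/`+` pair removes only the `http.default.cors.origin` clause and the remaining sentence still parses, which matches the PR title; while touching it, capitalise the "json-ld" that now follows "always 60 seconds," as "JSON-LD" to match the rest of the docs, and consider turning this strict-mode list into a bullet list, since five comma-joined clauses are hard to scan. Also worth a grep before merging to confirm no other CORS reference survives in the docs; the patch header shows `docs/pages/deployment/configuration.rst` changed as well, but that hunk is not part of this excerpt.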
@@ -13,83 +13,82 @@ The following options apply to the server commands below: :: - --auth.accesstokenlifespan int defines how long (in seconds) an access token is valid. Uses default in strict mode. (default 60) - --auth.clockskew int allowed JWT Clock skew in milliseconds (default 5000) - --auth.contractvalidators strings sets the different contract validators to use (default [irma,dummy,employeeid]) - --auth.irma.autoupdateschemas set if you want automatically update the IRMA schemas every 60 minutes. (default true) - --auth.irma.schememanager string IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'. (default "pbdf") - --configfile string Nuts config file (default "./config/nuts.yaml") - --cpuprofile string When set, a CPU profile is written to the given path. Ignored when strictmode is set. - --crypto.external.address string Address of the external storage service. - --crypto.external.timeout duration Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). (default 100ms) - --crypto.storage string Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). - --crypto.vault.address string The Vault address. If set it overwrites the VAULT_ADDR env var. - --crypto.vault.pathprefix string The Vault path prefix. (default "kv") - --crypto.vault.timeout duration Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). (default 5s) - --crypto.vault.token string The Vault token. If set it overwrites the VAULT_TOKEN env var. - --datadir string Directory where the node stores its files. (default "./data") - --discovery.client.refresh_interval duration Interval at which the client synchronizes with the Discovery Server; refreshing Verifiable Presentations of local DIDs and loading changes, updating the local copy. 
It only will actually refresh registrations of local DIDs that about to expire (less than 1/4th of their lifetime left). Specified as Golang duration (e.g. 1m, 1h30m). (default 10m0s) - --discovery.definitions.directory string Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start. (default "./config/discovery") - --discovery.server.ids strings IDs of the Discovery Service for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start. - --events.nats.hostname string Hostname for the NATS server (default "0.0.0.0") - --events.nats.port int Port where the NATS server listens on (default 4222) - --events.nats.storagedir string Directory where file-backed streams are stored in the NATS server - --events.nats.timeout int Timeout for NATS server operations (default 30) - --goldenhammer.enabled Whether to enable automatically fixing DID documents with the required endpoints. (default true) - --goldenhammer.interval duration The interval in which to check for DID documents to fix. (default 10m0s) - --http.internal.address string Address and port the server will be listening to for internal-facing endpoints. (default "127.0.0.1:8081") - --http.internal.auth.audience string Expected audience for JWT tokens (default: hostname) - --http.internal.auth.authorizedkeyspath string Path to an authorized_keys file for trusted JWT signers - --http.internal.auth.type string Whether to enable authentication for /internal endpoints, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. - --http.log string What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). 
(default "metadata") - --http.public.address string Address and port the server will be listening to for public-facing endpoints. (default ":8080") - --httpclient.timeout duration Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax. (default 30s) - --internalratelimiter When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. (default true) - --jsonld.contexts.localmapping stringToString This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson]) - --jsonld.contexts.remoteallowlist strings In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. (default [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1]) - --loggerformat string Log format (text, json) (default "text") - --network.bootstrapnodes strings List of bootstrap nodes (':') which the node initially connect to. - --network.connectiontimeout int Timeout before an outbound connection attempt times out (in milliseconds). (default 5000) - --network.enablediscovery Whether to enable automatic connecting to other nodes. (default true) - --network.grpcaddr string Local address for gRPC to listen on. 
If empty the gRPC server won't be started and other nodes will not be able to connect to this node (outbound connections can still be made). (default ":5555") - --network.maxbackoff duration Maximum between outbound connections attempts to unresponsive nodes (in Golang duration format, e.g. '1h', '30m'). (default 24h0m0s) - --network.nodedid string Specifies the DID of the party that operates this node. It is used to identify the node on the network. If the DID document does not exist of is deactivated, the node will not start. - --network.protocols ints Specifies the list of network protocols to enable on the server. They are specified by version (1, 2). If not set, all protocols are enabled. - --network.v2.diagnosticsinterval int Interval (in milliseconds) that specifies how often the node should broadcast its diagnostic information to other nodes (specify 0 to disable). (default 5000) - --network.v2.gossipinterval int Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes. (default 5000) - --pki.maxupdatefailhours int Maximum number of hours that a denylist update can fail (default 4) - --pki.softfail Do not reject certificates if their revocation status cannot be established when softfail is true (default true) - --policy.address string The address of a remote policy server. Mutual exclusive with policy.directory. - --policy.directory string Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping. Mutual exclusive with policy.address. (default "./config/policy") - --storage.bbolt.backup.directory string Target directory for BBolt database backups. - --storage.bbolt.backup.interval duration Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed. - --storage.redis.address string Redis database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. 
- --storage.redis.database string Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. - --storage.redis.password string Redis database password. If set, it overrides the username in the connection URL. - --storage.redis.sentinel.master string Name of the Redis Sentinel master. Setting this property enables Redis Sentinel. - --storage.redis.sentinel.nodes strings Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel. - --storage.redis.sentinel.password string Password for authenticating to Redis Sentinels. - --storage.redis.sentinel.username string Username for authenticating to Redis Sentinels. - --storage.redis.tls.truststorefile string PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). - --storage.redis.username string Redis database username. If set, it overrides the username in the connection URL. - --storage.session.redis.address string Redis session database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. - --storage.session.redis.password string Redis session database password. If set, it overrides the username in the connection URL. - --storage.session.redis.sentinel.master string Name of the Redis Sentinel master. Setting this property enables Redis Sentinel. - --storage.session.redis.sentinel.nodes strings Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel. - --storage.session.redis.sentinel.password string Password for authenticating to Redis Sentinels. - --storage.session.redis.sentinel.username string Username for authenticating to Redis Sentinels. - --storage.sql.connection string Connection string for the SQL database. 
If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL'). - --strictmode When set, insecure settings are forbidden. (default true) - --tls.certfile string PEM file containing the certificate for the gRPC server (also used as client certificate). Required in strict mode. - --tls.certheader string Name of the HTTP header that will contain the client certificate when TLS is offloaded for gRPC. - --tls.certkeyfile string PEM file containing the private key of the gRPC server certificate. Required in strict mode. - --tls.offload string Whether to enable TLS offloading for incoming gRPC connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well. - --tls.truststorefile string PEM file containing the trusted CA certificates for authenticating remote gRPC servers. Required in strict mode. (default "./config/ssl/truststore.pem") - --url string Public facing URL of the server (required). Must be HTTPS when strictmode is set. - --vcr.openid4vci.definitionsdir string Directory with the additional credential definitions the node could issue (experimental, may change without notice). - --vcr.openid4vci.enabled Enable issuing and receiving credentials over OpenID4VCI. (default true) - --vcr.openid4vci.timeout duration Time-out for OpenID4VCI HTTP client operations. (default 30s) - --verbosity string Log level (trace, debug, info, warn, error) (default "info") + --auth.accesstokenlifespan int defines how long (in seconds) an access token is valid. Uses default in strict mode. 
(default 60) + --auth.clockskew int allowed JWT Clock skew in milliseconds (default 5000) + --auth.contractvalidators strings sets the different contract validators to use (default [irma,dummy,employeeid]) + --auth.irma.autoupdateschemas set if you want automatically update the IRMA schemas every 60 minutes. (default true) + --auth.irma.schememanager string IRMA schemeManager to use for attributes. Can be either 'pbdf' or 'irma-demo'. (default "pbdf") + --configfile string Nuts config file (default "./config/nuts.yaml") + --cpuprofile string When set, a CPU profile is written to the given path. Ignored when strictmode is set. + --crypto.external.address string Address of the external storage service. + --crypto.external.timeout duration Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). (default 100ms) + --crypto.storage string Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). + --crypto.vault.address string The Vault address. If set it overwrites the VAULT_ADDR env var. + --crypto.vault.pathprefix string The Vault path prefix. (default "kv") + --crypto.vault.timeout duration Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). (default 5s) + --crypto.vault.token string The Vault token. If set it overwrites the VAULT_TOKEN env var. + --datadir string Directory where the node stores its files. (default "./data") + --discovery.client.refresh_interval duration Interval at which the client synchronizes with the Discovery Server; refreshing Verifiable Presentations of local DIDs and loading changes, updating the local copy. It only will actually refresh registrations of local DIDs that about to expire (less than 1/4th of their lifetime left). Specified as Golang duration (e.g. 1m, 1h30m). 
(default 10m0s) + --discovery.definitions.directory string Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start. (default "./config/discovery") + --discovery.server.ids strings IDs of the Discovery Service for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start. + --events.nats.hostname string Hostname for the NATS server (default "0.0.0.0") + --events.nats.port int Port where the NATS server listens on (default 4222) + --events.nats.storagedir string Directory where file-backed streams are stored in the NATS server + --events.nats.timeout int Timeout for NATS server operations (default 30) + --goldenhammer.enabled Whether to enable automatically fixing DID documents with the required endpoints. (default true) + --goldenhammer.interval duration The interval in which to check for DID documents to fix. (default 10m0s) + --http.internal.address string Address and port the server will be listening to for internal-facing endpoints. (default "127.0.0.1:8081") + --http.internal.auth.audience string Expected audience for JWT tokens (default: hostname) + --http.internal.auth.authorizedkeyspath string Path to an authorized_keys file for trusted JWT signers + --http.internal.auth.type string Whether to enable authentication for /internal endpoints, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. + --http.log string What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). When debug vebosity is set the authorization headers are also logged when the request is fully logged. 
(default "metadata") + --http.public.address string Address and port the server will be listening to for public-facing endpoints. (default ":8080") + --httpclient.timeout duration Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax. (default 30s) + --internalratelimiter When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. (default true) + --jsonld.contexts.localmapping stringToString This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. (default [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson]) + --jsonld.contexts.remoteallowlist strings In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. (default [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1]) + --loggerformat string Log format (text, json) (default "text") + --network.bootstrapnodes strings List of bootstrap nodes (':') which the node initially connect to. + --network.connectiontimeout int Timeout before an outbound connection attempt times out (in milliseconds). (default 5000) + --network.enablediscovery Whether to enable automatic connecting to other nodes. (default true) + --network.grpcaddr string Local address for gRPC to listen on. 
If empty the gRPC server won't be started and other nodes will not be able to connect to this node (outbound connections can still be made). (default ":5555") + --network.maxbackoff duration Maximum between outbound connections attempts to unresponsive nodes (in Golang duration format, e.g. '1h', '30m'). (default 24h0m0s) + --network.nodedid string Specifies the DID of the party that operates this node. It is used to identify the node on the network. If the DID document does not exist of is deactivated, the node will not start. + --network.protocols ints Specifies the list of network protocols to enable on the server. They are specified by version (1, 2). If not set, all protocols are enabled. + --network.v2.diagnosticsinterval int Interval (in milliseconds) that specifies how often the node should broadcast its diagnostic information to other nodes (specify 0 to disable). (default 5000) + --network.v2.gossipinterval int Interval (in milliseconds) that specifies how often the node should gossip its new hashes to other nodes. (default 5000) + --pki.maxupdatefailhours int Maximum number of hours that a denylist update can fail (default 4) + --pki.softfail Do not reject certificates if their revocation status cannot be established when softfail is true (default true) + --policy.address string The address of a remote policy server. Mutual exclusive with policy.directory. + --policy.directory string Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping. Mutual exclusive with policy.address. (default "./config/policy") + --storage.bbolt.backup.directory string Target directory for BBolt database backups. + --storage.bbolt.backup.interval duration Interval, formatted as Golang duration (e.g. 10m, 1h) at which BBolt database backups will be performed. + --storage.redis.address string Redis database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. 
+ --storage.redis.database string Redis database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. + --storage.redis.password string Redis database password. If set, it overrides the username in the connection URL. + --storage.redis.sentinel.master string Name of the Redis Sentinel master. Setting this property enables Redis Sentinel. + --storage.redis.sentinel.nodes strings Addresses of the Redis Sentinels to connect to initially. Setting this property enables Redis Sentinel. + --storage.redis.sentinel.password string Password for authenticating to Redis Sentinels. + --storage.redis.sentinel.username string Username for authenticating to Redis Sentinels. + --storage.redis.tls.truststorefile string PEM file containing the trusted CA certificate(s) for authenticating remote Redis servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). + --storage.redis.username string Redis database username. If set, it overrides the username in the connection URL. + --storage.session.redis.address string Redis session database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. If not set it, defaults to an in-memory database. + --storage.session.redis.database string Redis session database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. + --storage.session.redis.password string Redis session database password. If set, it overrides the username in the connection URL. + --storage.session.redis.tls.truststorefile string PEM file containing the trusted CA certificate(s) for authenticating remote Redis session servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). + --storage.session.redis.username string Redis session database username. If set, it overrides the username in the connection URL. 
+ --storage.sql.connection string Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL'). + --strictmode When set, insecure settings are forbidden. (default true) + --tls.certfile string PEM file containing the certificate for the gRPC server (also used as client certificate). Required in strict mode. + --tls.certheader string Name of the HTTP header that will contain the client certificate when TLS is offloaded for gRPC. + --tls.certkeyfile string PEM file containing the private key of the gRPC server certificate. Required in strict mode. + --tls.offload string Whether to enable TLS offloading for incoming gRPC connections. Enable by setting it to 'incoming'. If enabled 'tls.certheader' must be configured as well. + --tls.truststorefile string PEM file containing the trusted CA certificates for authenticating remote gRPC servers. Required in strict mode. (default "./config/ssl/truststore.pem") + --url string Public facing URL of the server (required). Must be HTTPS when strictmode is set. + --vcr.openid4vci.definitionsdir string Directory with the additional credential definitions the node could issue (experimental, may change without notice). + --vcr.openid4vci.enabled Enable issuing and receiving credentials over OpenID4VCI. (default true) + --vcr.openid4vci.timeout duration Time-out for OpenID4VCI HTTP client operations. (default 30s) + --verbosity string Log level (trace, debug, info, warn, error) (default "info") nuts config ^^^^^^^^^^^ diff --git a/docs/pages/deployment/configuration.rst b/docs/pages/deployment/configuration.rst index 9c6ef7417b..88f6919944 100644 --- a/docs/pages/deployment/configuration.rst +++ b/docs/pages/deployment/configuration.rst 
@@ -91,7 +91,7 @@ In addition, it requires ``auth.irma.schememanager=pbdf``. As a general safety precaution ``auth.contractvalidators`` ignores the ``dummy`` option if configured, requesting an access token from another node on ``/n2n/auth/v1/accesstoken`` does not return any error details, -``auth.accesstokenlifespan`` is always 60 seconds, ``http.default.cors.origin`` does not allow a wildcard (``*``), +``auth.accesstokenlifespan`` is always 60 seconds, json-ld context can only be downloaded from trusted domains configured in ``jsonld.contexts.remoteallowlist``, and the ``internalratelimiter`` is always on. diff --git a/docs/pages/deployment/server_options.rst b/docs/pages/deployment/server_options.rst index 8bb35e0717..2f49f7d824 100755 --- a/docs/pages/deployment/server_options.rst +++ b/docs/pages/deployment/server_options.rst 
@@ -2,46 +2,51 @@ :widths: 20 30 50 :class: options-table - ===================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ - Key Default Description - ===================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ - configfile ./config/nuts.yaml Nuts config file - cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set. - datadir ./data Directory where the node stores its files. - internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. 
- loggerformat text Log format (text, json) - strictmode true When set, insecure settings are forbidden. - url Public facing URL of the server (required). Must be HTTPS when strictmode is set. - verbosity info Log level (trace, debug, info, warn, error) - httpclient.timeout 30s Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax. - **Crypto** - crypto.storage Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). - crypto.external.address Address of the external storage service. - crypto.external.timeout 100ms Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). - crypto.vault.address The Vault address. If set it overwrites the VAULT_ADDR env var. - crypto.vault.pathprefix kv The Vault path prefix. - crypto.vault.timeout 5s Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). - crypto.vault.token The Vault token. If set it overwrites the VAULT_TOKEN env var. - **Discovery** - discovery.client.refresh_interval 10m0s Interval at which the client synchronizes with the Discovery Server; refreshing Verifiable Presentations of local DIDs and loading changes, updating the local copy. It only will actually refresh registrations of local DIDs that about to expire (less than 1/4th of their lifetime left). Specified as Golang duration (e.g. 1m, 1h30m). - discovery.definitions.directory ./config/discovery Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start. - discovery.server.ids [] IDs of the Discovery Service for which to act as server. 
If an ID does not map to a loaded service definition, the node will fail to start. - **HTTP** - http.log metadata What to log about HTTP requests. Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). - http.internal.address 127.0.0.1:8081 Address and port the server will be listening to for internal-facing endpoints. - http.internal.auth.audience Expected audience for JWT tokens (default: hostname) - http.internal.auth.authorizedkeyspath Path to an authorized_keys file for trusted JWT signers - http.internal.auth.type Whether to enable authentication for /internal endpoints, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. - http.public.address \:8080 Address and port the server will be listening to for public-facing endpoints. - **JSONLD** - jsonld.contexts.localmapping [https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson,https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. - jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. 
- **PKI** - pki.maxupdatefailhours 4 Maximum number of hours that a denylist update can fail - pki.softfail true Do not reject certificates if their revocation status cannot be established when softfail is true - **Storage** - storage.sql.connection Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL'). - **policy** - policy.address The address of a remote policy server. Mutual exclusive with policy.directory. - policy.directory ./config/policy Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping. Mutual exclusive with policy.address. - ===================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ + ======================================== 
================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ + Key Default Description + ======================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================ + configfile ./config/nuts.yaml Nuts config file + cpuprofile When set, a CPU profile is written to the given path. Ignored when strictmode is set. + datadir ./data Directory where the node stores its files. + internalratelimiter true When set, expensive internal calls are rate-limited to protect the network. Always enabled in strict mode. + loggerformat text Log format (text, json) + strictmode true When set, insecure settings are forbidden. 
+ url Public facing URL of the server (required). Must be HTTPS when strictmode is set. + verbosity info Log level (trace, debug, info, warn, error) + httpclient.timeout 30s Request time-out for HTTP clients, such as '10s'. Refer to Golang's 'time.Duration' syntax for a more elaborate description of the syntax. + **Crypto** + crypto.storage Storage to use, 'external' for an external backend (experimental), 'fs' for file system (for development purposes), 'vaultkv' for Vault KV store (recommended, will be replaced by external backend in future). + crypto.external.address Address of the external storage service. + crypto.external.timeout 100ms Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s). + crypto.vault.address The Vault address. If set it overwrites the VAULT_ADDR env var. + crypto.vault.pathprefix kv The Vault path prefix. + crypto.vault.timeout 5s Timeout of client calls to Vault, in Golang time.Duration string format (e.g. 1s). + crypto.vault.token The Vault token. If set it overwrites the VAULT_TOKEN env var. + **Discovery** + discovery.client.refresh_interval 10m0s Interval at which the client synchronizes with the Discovery Server; refreshing Verifiable Presentations of local DIDs and loading changes, updating the local copy. It only will actually refresh registrations of local DIDs that about to expire (less than 1/4th of their lifetime left). Specified as Golang duration (e.g. 1m, 1h30m). + discovery.definitions.directory ./config/discovery Directory to load Discovery Service Definitions from. If not set, the discovery service will be disabled. If the directory contains JSON files that can't be parsed as service definition, the node will fail to start. + discovery.server.ids [] IDs of the Discovery Service for which to act as server. If an ID does not map to a loaded service definition, the node will fail to start. + **HTTP** + http.log metadata What to log about HTTP requests. 
Options are 'nothing', 'metadata' (log request method, URI, IP and response code), and 'metadata-and-body' (log the request and response body, in addition to the metadata). When debug vebosity is set the authorization headers are also logged when the request is fully logged. + http.internal.address 127.0.0.1:8081 Address and port the server will be listening to for internal-facing endpoints. + http.internal.auth.audience Expected audience for JWT tokens (default: hostname) + http.internal.auth.authorizedkeyspath Path to an authorized_keys file for trusted JWT signers + http.internal.auth.type Whether to enable authentication for /internal endpoints, specify 'token_v2' for bearer token mode or 'token' for legacy bearer token mode. + http.public.address \:8080 Address and port the server will be listening to for public-facing endpoints. + **JSONLD** + jsonld.contexts.localmapping [https://w3id.org/vc/status-list/2021/v1=assets/contexts/w3c-statuslist2021.ldjson,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json=assets/contexts/lds-jws2020-v1.ldjson,https://schema.org=assets/contexts/schema-org-v13.ldjson,https://nuts.nl/credentials/v1=assets/contexts/nuts.ldjson,https://www.w3.org/2018/credentials/v1=assets/contexts/w3c-credentials-v1.ldjson] This setting allows mapping external URLs to local files for e.g. preventing external dependencies. These mappings have precedence over those in remoteallowlist. + jsonld.contexts.remoteallowlist [https://schema.org,https://www.w3.org/2018/credentials/v1,https://w3c-ccg.github.io/lds-jws2020/contexts/lds-jws2020-v1.json,https://w3id.org/vc/status-list/2021/v1] In strict mode, fetching external JSON-LD contexts is not allowed except for context-URLs listed here. 
+ **PKI** + pki.maxupdatefailhours 4 Maximum number of hours that a denylist update can fail + pki.softfail true Do not reject certificates if their revocation status cannot be established when softfail is true + **Storage** + storage.session.redis.address Redis session database server address. This can be a simple 'host:port' or a Redis connection URL with scheme, auth and other options. If not set it, defaults to an in-memory database. + storage.session.redis.database Redis session database name, which is used as prefix every key. Can be used to have multiple instances use the same Redis instance. + storage.session.redis.password Redis session database password. If set, it overrides the username in the connection URL. + storage.session.redis.username Redis session database username. If set, it overrides the username in the connection URL. + storage.session.redis.tls.truststorefile PEM file containing the trusted CA certificate(s) for authenticating remote Redis session servers. Can only be used when connecting over TLS (use 'rediss://' as scheme in address). + storage.sql.connection Connection string for the SQL database. If not set it, defaults to a SQLite database stored inside the configured data directory. Note: using SQLite is not recommended in production environments. If using SQLite anyways, remember to enable foreign keys ('_foreign_keys=on') and the write-ahead-log ('_journal_mode=WAL'). + **policy** + policy.address The address of a remote policy server. Mutual exclusive with policy.directory. + policy.directory ./config/policy Directory to read policy files from. Policy files are JSON files that contain a scope to PresentationDefinition mapping. Mutual exclusive with policy.address. 
+ ======================================== ================================================================================================================================================================================================================================================================================================================================================================================================= ============================================================================================================================================================================================================================================================================================================================================
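Review bot: the `--storage.redis.password` and `--storage.session.redis.password` descriptions in the cli-reference hunk say "If set, it overrides the username in the connection URL"; that should read "overrides the password", otherwise an operator cannot tell which credential wins when both the URL and the flag carry one. The same block has "vebosity" in `--http.log` (the sentence it sits in documents that authorization headers, i.e. bearer tokens, are written to the log at debug verbosity, which is worth calling out explicitly in the deployment docs so nobody runs debug logging in production by accident), "does not exist of is deactivated" in `--network.nodedid`, "Maximum between outbound connections attempts" in `--network.maxbackoff`, and "Mutual exclusive" in the `policy.*` options. If these tables are generated from the flag definitions, fix the wording at the source and regenerate rather than patching the .rst by hand. The hunk also carries more than the CORS removal named in the commit message (new `--storage.session.redis.*` flags, the added debug-verbosity sentence in `--http.log`); the message should say the CLI reference was regenerated.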
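Review bot: in the configuration.rst hunk, dropping the ``http.default.cors.origin`` clause leaves the strict-mode enumeration grammatically intact, but the surviving "json-ld context can only be downloaded from trusted domains" should read "JSON-LD contexts can only be downloaded from trusted domains", matching the casing used for the ``jsonld.contexts.remoteallowlist`` option it refers to. Since the commit title calls this a leftover, a grep for `cors` across docs/ before merging would confirm no other stale mention of the removed option remains.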
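Review bot: the `jsonld.contexts.localmapping` default in the server_options.rst table lists its mappings in a different order (w3id.org first) than the same default in the cli-reference hunk (nuts.nl first), which suggests map-iteration order is leaking into the generated tables; sort the keys in the generator so the two files agree and future regenerations do not produce spurious diffs. This table also repeats "vebosity" in `http.log` and "overrides the username" in `storage.session.redis.password`, so both typos need fixing in one place for both files.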