README.md: 25 additions & 34 deletions
@@ -8,45 +8,32 @@ Designed for Gentoo systems in a local environment. Not intended to be exposed t
8
8
9
9
## Authentication and approval
10
10
11
-
Arbor uses local username/password authentication, with optional TOTP at login via `ARBOR_AUTH_MODE=totp`.
11
+
**Out of the box after a clean install:**password-only login, and privileged actions (install, uninstall, sync, etc.) require a password re-prompt in the browser (step-up re-auth) before they start. No root shell needed.
12
12
13
-
Privileged operations use a separate control, `ARBOR_APPROVAL_MODE`, so login requirements and root-action approval can be configured independently.
13
+
Two independent knobs let you change this:
14
14
15
-
The mode applies to install, uninstall, world update, sync, preserved-rebuild, depclean, overlay changes, and other root-backed admin operations.
15
+
-**`ARBOR_AUTH_MODE`** — what is required *at login* (password only, or password + TOTP)
16
+
-**`ARBOR_APPROVAL_MODE`** — what is required *per privileged action* after login
16
17
17
-
Minimal `/etc/arbor/arbor.env` examples:
18
+
They are independent: you can have TOTP at login with CLI approval, or no TOTP with step-up re-auth, or any combination.
19
+
20
+
**Important:**`ARBOR_AUTH_MODE=totp` requires that TOTP has already been enabled from the **Security page** in the web UI, which generates `/etc/arbor/totp.secret` automatically. Do not add `ARBOR_AUTH_MODE=totp` to the config before doing this or Arbor will refuse to start.
21
+
22
+
Common `/etc/arbor/arbor.env` setups:
18
23
19
24
```bash
20
-
#local-first HTTP on loopback (bootstrap default)
25
+
#Default: password login, browser step-up re-auth for privileged actions
21
26
ARBOR_TLS=0
22
-
23
-
# password login + CLI approval for privileged operations (default)
24
-
ARBOR_APPROVAL_MODE=cli
25
-
26
-
# direct HTTPS on Arbor itself (optional)
27
-
# ARBOR_TLS=1
28
-
# ARBOR_CERT=/etc/arbor/cert.pem
29
-
# ARBOR_KEY=/etc/arbor/key.pem
30
-
#
31
-
# password + TOTP at login, no per-action approval prompt — auto-approve
32
-
# must be acknowledged explicitly because it removes the second gate
33
-
ARBOR_AUTH_MODE=totp
34
27
ARBOR_APPROVAL_MODE=none
35
28
ARBOR_ALLOW_AUTO_APPROVAL=1
36
-
ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret
37
-
38
-
# password + TOTP at login, plus CLI approval for privileged operations
39
-
ARBOR_AUTH_MODE=totp
40
-
ARBOR_APPROVAL_MODE=cli
41
-
ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret
42
29
43
-
#Optional
44
-
#ARBOR_TOTP_ISSUER=Arbor
45
-
#ARBOR_TOTP_ACCOUNT_NAME=arbor@my-host
30
+
#Alternative: root-shell arbor-approve instead of browser re-prompt
31
+
#ARBOR_APPROVAL_MODE=cli
32
+
#(remove the two lines above)
46
33
47
-
#no per-action approval (refused at boot without the explicit ack)
48
-
ARBOR_APPROVAL_MODE=none
49
-
ARBOR_ALLOW_AUTO_APPROVAL=1
34
+
#Add TOTP at login on top of either of the above:
35
+
# ARBOR_AUTH_MODE=totp
36
+
# ARBOR_TOTP_SECRET_FILE=/etc/arbor/totp.secret # created by the Security page
50
37
```
51
38
52
39
### Login-time TOTP (2FA)
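Review bot: In the new `arbor.env` example, the default block is labelled "browser step-up re-auth" but consists of `ARBOR_APPROVAL_MODE=none` plus `ARBOR_ALLOW_AUTO_APPROVAL=1`, the same pair the removed comments described as removing the second gate and as refused at boot without the explicit ack. The README no longer says what `ARBOR_ALLOW_AUTO_APPROVAL=1` means under the new behaviour, so an operator reading the flag name cannot tell whether a per-action gate exists; add one comment line above it stating what the flag now acknowledges. In the same block, "(remove the two lines above)" sits directly under the `cli` comment and the commented-out `ARBOR_APPROVAL_MODE=cli`, so "the two lines above" reads as those lines rather than the `none` and ack lines; name the two variables to remove instead. The hunk also drops the optional `ARBOR_TLS=1` / `ARBOR_CERT` / `ARBOR_KEY` example and the `ARBOR_TOTP_ISSUER` / `ARBOR_TOTP_ACCOUNT_NAME` options with no replacement; if those settings are still supported they should stay documented somewhere, and the full list of operations the approval mode covers (depclean, overlay changes, preserved-rebuild and so on) is now reduced to "install, uninstall, sync, etc.".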
@@ -73,13 +60,17 @@ To disable TOTP, the owner must enter the **current password** and a fresh **TOT
73
60
74
61
After login, privileged operations follow `ARBOR_APPROVAL_MODE`:
75
62
76
-
-`ARBOR_APPROVAL_MODE=cli` (default): the authenticated session still needs root-shell confirmation via `arbor-approve`.
77
-
-`ARBOR_APPROVAL_MODE=none`: the authenticated session can start privileged actions immediately. **Refused at startup** unless `ARBOR_ALLOW_AUTO_APPROVAL=1` is also set, so the operator must explicitly acknowledge that the second gate is being removed.
78
-
-`ARBOR_APPROVAL_MODE=totp`: **no longer supported**. Existing deployments that used the legacy value are refused at startup with a migration message; choose `cli`, or `none` with the ack flag above.
63
+
-`ARBOR_APPROVAL_MODE=none` (default): the authenticated session requires a password re-prompt in the browser (step-up, valid 120 s) before each privileged action. `ARBOR_ALLOW_AUTO_APPROVAL=1` must be set alongside this.
64
+
-`ARBOR_APPROVAL_MODE=cli`: the authenticated session needs root-shell confirmation via `arbor-approve` instead of the browser re-prompt.
65
+
-`ARBOR_APPROVAL_MODE=totp`: **no longer supported**. Refused at startup with a migration message; choose `none` or `cli`.
66
+
67
+
#### `none` (default)
68
+
69
+
The browser prompts for the password before each privileged action. On success the action starts immediately — no root shell required.
79
70
80
-
#### `cli` (default)
71
+
#### `cli`
81
72
82
-
This is the original shell-first model and remains the safest mode for Arbor's intended local-first deployment.
73
+
This is the original shell-first model.
83
74
84
75
1. Start the action in the browser as usual.
85
76
2. Arbor creates a pending approval request and locks the UI.
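Review bot: The `none` bullet and the new "`none` (default)" paragraph make a browser password re-prompt the default gate for root-backed actions, while the out-of-the-box login is also password-only, so both gates rest on the same secret; the hunk also deletes the sentence stating that `cli` "remains the safest mode" without saying which mode is now recommended. Keep a sentence that states the trade-off between the in-browser re-prompt and the root-shell `arbor-approve` confirmation so operators can choose deliberately. Two further wording points in the `none` bullet: "step-up, valid 120 s" conflicts with "before each privileged action" here and in the paragraph below (say whether one re-auth covers every action started within 120 s or exactly one action), and "`ARBOR_ALLOW_AUTO_APPROVAL=1` must be set alongside this" no longer says what happens when it is missing, where the removed text said startup is refused. It is also unclear whether "default" means an unset `ARBOR_APPROVAL_MODE` still needs the ack flag.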