Security and networking

Authentication

Basic authentication

Configure basic authentication in the plugins section of your configuration file.

CLI configuration:

plugins {
    authentication {
        type = "basic"
        username = "myUserName"
        password = "mySecretPass"
    }
}

Agent configuration:

plugins {
    authentication {
        type = "basic"
        authorizedUsers = new Listing<User> {
            new {
                username = "myUserName"
                // BCrypt salted password hash
                password = "$2y$10$ki1wCrM94EViuTv0dRNEVuP3ujj2/uu2Zh8/FyFvExjZyrsdtr1SS"
            }
        }
    }
}

Generate BCrypt password hashes:

htpasswd -bnBC 10 "" yourPassword | tr -d ':'

TLS

Enable TLS for secure agent communication:

agent {
    server {
        hostname = "agent.example.com"
        tlsCert = "/path/to/cert.crt"
        tlsKey = "/path/to/cert.key"
    }
}

See the server settings reference for additional options.

Tailscale (experimental)

Connect the agent to your Tailscale network without installing the Tailscale client. This provides secure, centralized access without complex VPC or VPN configuration.

plugins {
    network {
        type = "tailscale"
        hostname = "formae-agent"
        tls = true  // Auto TLS termination via Tailscale
        authKey = "tskey-auth-..."
        advertiseTags {
            "tag:formae"
        }
    }
}

Property	Description
`hostname`	Device name on your tailnet
`tls`	Enable automatic TLS certificate from Tailscale
`authKey`	Tailscale auth key for device registration
`advertiseTags`	Tags for ACL-based access control