Configuration

The KairOS Red endpoint agent can be configured via CLI flags, a configuration file, or environment variables. The precedence order is: CLI flags > environment variables > config file > defaults.

CLI Options

    kairos [command] [flags]

    Commands:
      enroll       Enroll a device with the KairOS Red network
      connect      Connect to a VNI
      disconnect   Disconnect from a VNI
      vni          Manage Virtual Network Interfaces
      status       Show connection status
      doctor       Run diagnostic checks
      version      Show version information

    Global Flags:
      --config string       Path to configuration file (default: /etc/kairos/config.yaml)
      --log-level string    Log level: debug, info, warn, error (default: "info")
      --log-format string   Log format: text, json (default: "text")
      --data-dir string     Data directory for persistent state (default: /var/lib/kairos)

Enroll Command

    kairos enroll [flags]

    Flags:
      --token string       Enrollment token (required)
      --name string        Device display name
      --tags strings       Comma-separated tags for device classification
      --endpoint string    Control plane endpoint URL
      --vni string         VNI to join after enrollment

Connect Command

    kairos connect [flags]

    Flags:
      --vni string            VNI name or ID to connect to
      --relay string          Relay node address (optional)
      --tunnel-mode string    Tunnel mode: mesh, hub-spoke (default: "mesh")
      --mtu int               MTU for the tunnel interface (default: 1400)
      --post-quantum          Force post-quantum key exchange (default: true)

Configuration File Format

The configuration file uses YAML format. By default, the agent looks for the config at /etc/kairos/config.yaml.

    # /etc/kairos/config.yaml

    # Device identity
    device:
      name: "prod-server-01"
      tags:
        - production
        - us-east-1

    # Control plane connection
    control_plane:
      endpoint: "https://control.kairosnetwork.red"
      timeout: 30s
      retry_interval: 5s

    # VNI configuration
    vnis:
      - name: "corporate"
        cidr: "10.0.0.0/16"
        auto_connect: true
        tunnel_mode: mesh
        mtu: 1400
      - name: "management"
        cidr: "10.99.0.0/24"
        auto_connect: false

    # Relay configuration
    relay:
      preferred: []
      fallback: "cloudflare"
      local_relay: false

    # Logging
    logging:
      level: "info"
      format: "json"
      file: "/var/log/kairos/agent.log"

    # Policy
    policy:
      local_evaluation: true
      policy_dir: "/etc/kairos/policies/"
      default_action: "deny"

Environment Variables

All configuration options can be set via environment variables. CLI flags take precedence over environment variables.

Environment Variable     Description                            Default
KAIROS_ENDPOINT          Control plane endpoint URL             https://control.kairosnetwork.red
KAIROS_LOG_LEVEL         Log level (debug, info, warn, error)   info
KAIROS_LOG_FORMAT        Log format (text, json)                text
KAIROS_DATA_DIR          Data directory                         /var/lib/kairos
KAIROS_CONFIG_FILE       Path to config file                    /etc/kairos/config.yaml
KAIROS_ENROLLMENT_TOKEN  Device enrollment token                none
KAIROS_DEFAULT_VNI       Default VNI to connect to              none
KAIROS_TUNNEL_MODE       Default tunnel mode (mesh, hub-spoke)  mesh
KAIROS_MTU               Default MTU for tunnels                1400
KAIROS_PQC_ENABLED       Enable post-quantum key exchange       true
KAIROS_RELAY_NODE        Preferred relay node address           none
KAIROS_LOCAL_RELAY       Enable local relay mode                false

Example: Minimal Configuration

    # Using environment variables
    export KAIROS_ENDPOINT=https://control.kairosnetwork.red
    export KAIROS_LOG_LEVEL=info
    export KAIROS_DEFAULT_VNI=corporate

    # Run with env vars
    kairos connect

Configuration Precedence

The configuration system follows this precedence (highest to lowest):

  1. CLI flags (highest priority)
  2. Environment variables
  3. Configuration file
  4. Built-in defaults (lowest priority)
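
The precedence order above, worked through for a few of the options on this page, so that an audit can see which layer supplied each effective value and which lower layers it overrode. This is an added example, not KairOS Red code; the pairing of config-file keys with flags and variables, and the accepted boolean spellings, are assumptions.

```python
# Added example: layered resolution (CLI > env > file > default) with source tracking.
# Assumed, not documented on the page: file-key mapping and boolean spellings.
from typing import Mapping

# option: (CLI flag, environment variable, config-file path, default, type)
OPTIONS = {
    "endpoint":     ("--endpoint", "KAIROS_ENDPOINT", ("control_plane", "endpoint"),
                     "https://control.kairosnetwork.red", str),
    "log_level":    ("--log-level", "KAIROS_LOG_LEVEL", ("logging", "level"), "info", str),
    "log_format":   ("--log-format", "KAIROS_LOG_FORMAT", ("logging", "format"), "text", str),
    "mtu":          ("--mtu", "KAIROS_MTU", None, 1400, int),
    "post_quantum": ("--post-quantum", "KAIROS_PQC_ENABLED", None, True, bool),
}

def _coerce(raw, kind):
    """Environment values are always strings; parse them instead of casting."""
    if kind is bool and isinstance(raw, str):
        text = raw.strip().lower()
        if text in ("1", "true", "yes", "on"):
            return True
        if text in ("0", "false", "no", "off"):
            return False
        raise ValueError(f"not a boolean: {raw!r}")
    return kind(raw)

def _lookup(tree, path):
    """Walk a nested mapping (the parsed YAML); None if any key is missing."""
    for key in path or ():
        if not isinstance(tree, Mapping) or key not in tree:
            return None
        tree = tree[key]
    return tree if path else None

def resolve(cli, env, file_cfg):
    """Return {option: (value, winning_source, [overridden lower sources])}."""
    result = {}
    for name, (flag, var, path, default, kind) in OPTIONS.items():
        layers = [("cli", cli.get(flag)), ("env", env.get(var)),
                  ("file", _lookup(file_cfg, path)), ("default", default)]
        present = [(src, _coerce(raw, kind)) for src, raw in layers if raw is not None]
        (source, value), shadowed = present[0], present[1:-1]
        result[name] = (value, source, [src for src, _ in shadowed])
    return result

if __name__ == "__main__":
    # Constructed inputs: the environment overrides the file's log level.
    demo = resolve({}, {"KAIROS_LOG_LEVEL": "debug", "KAIROS_PQC_ENABLED": "false"},
                   {"logging": {"level": "info", "format": "json"}})
    for option, (value, source, shadowed) in demo.items():
        print(f"{option:13} {value!r:40} from {source:8} overrides {shadowed}")
```

Casting the string "false" with `bool()` would yield `True`, which is why the environment layer is parsed rather than cast.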
