Configuration
Agent — /etc/tyr/tyrd.yaml
```yaml
unregistered_agents: audit
heartbeat_interval_s: 30
buffer_size_mb: 500
debug_mode: false
enrollment_token: "tyr_et_..."
ca_cert_path: /etc/tyr/ca.pem
data_dir: /var/lib/tyr
```

| Key | Type | Default | Description |
|---|---|---|---|
| unregistered_agents | enum | audit | audit / quarantine / deny — behavior for unknown AI processes |
| heartbeat_interval_s | int | 30 | gRPC heartbeat cadence |
| buffer_size_mb | int | 500 | On-disk event buffer (MiB) for offline operation |
| debug_mode | bool | false | Verbose logging |
| enrollment_token | string | — | One-time token for first-boot enrollment |
| ca_cert_path | string | — | Server CA certificate path |
| data_dir | string | /var/lib/tyr | Agent state directory |
CLI flags override config. Missing config file → defaults are used.
Server — environment only
tyr-server is configured entirely via environment variables today. See Environment variables for the full list.
Minimal:
```
DATABASE_URL=postgres://user:pass@host:5432/tyr
TYR_WEB_DIR=/usr/share/tyr/web
```

Everything else has sensible defaults.
Precedence
Agent:
- CLI flag
- Config file (`--config` override or `/etc/tyr/tyrd.yaml`)
- Environment variable (e.g. `TYR_ENROLLMENT_TOKEN`)
- Default
Server:
- Environment variable
- Default
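The agent precedence above, combined with the key table, as an added example that is not part of Tyr's code: it resolves each key's effective value and where it came from, and rejects unknown keys and out-of-enum values. The `cli` dict keyed by config key is hypothetical (real flag names are on the tyrd flags page), and only `TYR_ENROLLMENT_TOKEN` is mapped because it is the only variable name this page gives.

```python
SCHEMA = {  # added example, not Tyr's code; key: (type, default, allowed) per the table
    "unregistered_agents": (str, "audit", {"audit", "quarantine", "deny"}),
    "heartbeat_interval_s": (int, 30, None),
    "buffer_size_mb": (int, 500, None),
    "debug_mode": (bool, False, None),
    "enrollment_token": (str, None, None),
    "ca_cert_path": (str, None, None),
    "data_dir": (str, "/var/lib/tyr", None),
}
ENV_NAMES = {"enrollment_token": "TYR_ENROLLMENT_TOKEN"}  # only name the page gives

def parse_flat_yaml(text):
    """Parse the flat `key: value` subset shown for tyrd.yaml (no nesting)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a key: value line: {raw!r}")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg

def coerce(key, raw):
    """Convert a raw string to the type in the table and enforce enum values."""
    typ, _, allowed = SCHEMA[key]
    if typ is bool and raw.lower() not in ("true", "false"):
        raise ValueError(f"{key}: expected true/false, got {raw!r}")
    value = (raw.lower() == "true") if typ is bool else typ(raw)  # int() may raise
    if allowed and value not in allowed:
        raise ValueError(f"{key}: {value!r} not in {sorted(allowed)}")
    return value

def resolve(cli, file_text, env):
    """Return {key: (value, source)} using CLI flag > config file > env > default."""
    file_cfg = parse_flat_yaml(file_text)
    if unknown := sorted(set(file_cfg) - set(SCHEMA)):
        raise ValueError(f"unknown keys in config file: {unknown}")
    env_cfg = {k: env[v] for k, v in ENV_NAMES.items() if v in env}
    effective = {}
    for key, (_, default, _) in SCHEMA.items():
        for source, layer in (("cli", cli), ("file", file_cfg), ("env", env_cfg)):
            if key in layer:
                effective[key] = (coerce(key, layer[key]), source)
                break
        else:
            effective[key] = (default, "default")
    return effective
```

The reported source for `unregistered_agents` shows whether a host takes `quarantine` or `deny` from its file or has fallen back to the `audit` default.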
Reloading
- Agent config: restart `tyrd`. No SIGHUP handler today.
- Policies: hot-reloaded on assignment — no restart required.
- Server config: requires restart.
Example bundle for a new host
```sh
# Create the config directory
sudo mkdir -p /etc/tyr

# Write the agent config (contains the one-time enrollment token)
sudo tee /etc/tyr/tyrd.yaml <<'EOF'
unregistered_agents: audit
heartbeat_interval_s: 30
buffer_size_mb: 500
enrollment_token: "tyr_et_a8d7f3e2c1b9..."
ca_cert_path: /etc/tyr/ca.pem
data_dir: /var/lib/tyr
EOF

# Fetch the server CA certificate referenced by ca_cert_path
curl -sSL https://tyr.example.com:7701/api/v1/ca.pem | sudo tee /etc/tyr/ca.pem
```