Configuration
vine reads operator configuration from a TOML file, by default:
/etc/libvine/vine.toml
The file defines overlay membership, local TUN settings, bootstrap peers, allowlisted peer prefixes,
and runtime policy toggles. Identity is configured by path, but identity itself is still derived from
libself material on disk rather than from overlay IP addresses.
Example
[node]
name = "alpha"
network_id = "home-net"
identity_path = "/var/lib/libvine/identity"
[tun]
name = "vine0"
address = "10.42.0.1"
prefix_len = 24
mtu = 1400
[[bootstrap_peers]]
peer_id = "seed-a"
address = "udp://198.51.100.10:4100"
[[allowed_peers]]
peer_id = "beta"
prefix = "10.42.1.0/24"
relay_capable = false
[[allowed_peers]]
peer_id = "relay-a"
prefix = "10.42.254.0/24"
relay_capable = true
[policy]
strict_allowlist = true
allow_relay = true
allow_signaling_upgrade = true
Sections
[node]
- name: operator-facing node label
- network_id: shared overlay network identifier
- identity_path: absolute path to the persisted libself identity file
[tun]
- name: Linux TUN interface name
- address: local overlay IPv4 address
- prefix_len: local prefix length
- mtu: interface MTU
[[bootstrap_peers]]
- peer_id: remote authenticated peer identifier
- address: bootstrap transport address
[[allowed_peers]]
- peer_id: remote authenticated peer identifier
- prefix: overlay prefix owned by that peer
- relay_capable: whether the peer may act as a relay fallback
[policy]
- strict_allowlist: require explicit peer allowlisting
- allow_relay: permit relay fallback
- allow_signaling_upgrade: permit direct-path upgrade after signaling
Validation
Use:
vine config validate -c /etc/libvine/vine.toml
Validation currently checks:
- TOML-shaped section and key parsing
- repeated bootstrap_peers and allowed_peers records
- boolean and integer field decoding
- config path must be absolute and not group/world writable
- identity path must be absolute and point to a 0600 file
Malformed config should be rejected before daemon startup rather than at packet-forwarding time.
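The two file-permission rules in the list above can also be checked from a deployment script before the daemon is installed. The following is an added example, not vine's own validation code; the function names and the sample files are assumptions constructed for illustration, and it follows symlinks when inspecting paths, which this page does not specify.

```python
import os
import stat
import tempfile

def _stat_absolute(path, label):
    """Return (stat_result, problems); stat_result is None when checks cannot continue."""
    if not os.path.isabs(path):
        return None, [f"{label} path is not absolute"]
    try:
        return os.stat(path), []
    except OSError as exc:
        return None, [f"{label} path cannot be inspected: {exc.strerror}"]

def check_config_path(path):
    """Config file rule: absolute path, not group- or world-writable."""
    st, problems = _stat_absolute(path, "config")
    if st is None:
        return problems
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"config file is group/world writable (mode {mode:04o})")
    return problems

def check_identity_path(path):
    """Identity file rule: absolute path to a regular file with mode exactly 0600."""
    st, problems = _stat_absolute(path, "identity")
    if st is None:
        return problems
    if not stat.S_ISREG(st.st_mode):
        return ["identity path is not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o600:
        problems.append(f"identity file mode is {mode:04o}, expected 0600")
    return problems

def make_sample(directory, name, mode):
    """Create a constructed sample file with the given mode; return its path."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write("# constructed sample, not real vine data\n")
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        cfg = make_sample(d, "vine.toml", 0o664)   # group-writable on purpose
        ident = make_sample(d, "identity", 0o640)  # group-readable on purpose
        for problem in check_config_path(cfg) + check_identity_path(ident):
            print("FAIL:", problem)
```

An empty list from both functions means the paths satisfy the two permission rules; it says nothing about the TOML content, which vine config validate still has to parse.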