# Secure Nushell Configuration for Infrastructure Servers # Auto-generated by provisioning system # Security-first configuration $env.config = { show_banner: false use_ansi_coloring: true edit_mode: emacs # Security settings shell_integration: false cd_with_abbreviations: false filesize_metric: true table_mode: rounded # History settings (limited for security) history: { max_size: 1000 sync_on_enter: true file_format: "plaintext" isolation: true } # Completion settings completions: { case_sensitive: false quick: true partial: true algorithm: "prefix" external: { enable: {% if taskserv.nushell_external_completions | default(false) %}true{% else %}false{% endif %} max_results: 100 completer: null } } # Performance limits table: { mode: rounded index_mode: always trim: { methodology: wrapping wrapping_try_keep_words: true truncating_suffix: "..." } } # Error handling error_style: "fancy" # Hooks for security and audit hooks: { pre_prompt: [{ condition: {|| true } code: {|| # Audit logging if ($env.NUSHELL_AUDIT_ENABLED? | default false) { $"(date now | format date '%Y-%m-%d %H:%M:%S') - Session active" | save -a $env.NUSHELL_AUDIT_FILE } } }] pre_execution: [{ condition: {|| true } code: {|| |cmd| # Command validation and audit if ($env.NUSHELL_AUDIT_ENABLED? | default false) { $"(date now | format date '%Y-%m-%d %H:%M:%S') - Command: ($cmd)" | save -a $env.NUSHELL_AUDIT_FILE } # Security check for blocked commands let blocked = ($env.NUSHELL_BLOCKED_COMMANDS? | default "" | split row ",") let cmd_name = ($cmd | split row " " | first) if $cmd_name in $blocked { error make {msg: $"Command '($cmd_name)' is blocked for security reasons"} } } }] command_not_found: [{ condition: {|| true } code: {|| |cmd_name| $"Command '($cmd_name)' not found. Available commands are restricted for security." } }] } # Menus disabled for security menus: [] # Keybindings (minimal for security) keybindings: [ { name: completion_menu modifier: none keycode: tab mode: [emacs vi_normal vi_insert] event: { until: [ { send: menu name: completion_menu } { send: menunext } ] } } ] } # Security aliases (read-only operations) alias ll = ls -la alias df = df -h alias free = free -h alias pstree = ps aux --forest # Restricted environment setup {% if taskserv.nushell_readonly | default(true) %} # Read-only mode - disable write operations def rm [] { error make {msg: "rm command disabled in read-only mode"} } def mv [] { error make {msg: "mv command disabled in read-only mode"} } def cp [] { error make {msg: "cp command disabled in read-only mode"} } def chmod [] { error make {msg: "chmod command disabled in read-only mode"} } def chown [] { error make {msg: "chown command disabled in read-only mode"} } {% endif %} # Load observability modules if enabled {% if taskserv.nushell_metrics | default(true) %} source $"($env.NUSHELL_HOME)/observability/collect.nu" {% endif %} # Session timeout warning def session-check [] { let start_time = (date now) let timeout = ($env.NUSHELL_SESSION_TIMEOUT? | default 900 | into int) if ((date now) - $start_time) > ($timeout * 1sec) { print "⚠️ Session timeout approaching. Please complete your tasks." } } # Initialize secure environment print $"🛡️ Nushell secure mode active - execution mode: ($env.NUSHELL_EXECUTION_MODE? | default 'restricted')" if ($env.NUSHELL_READONLY_MODE? | default true) { print "📖 Read-only mode enabled" } print $"⏱️ Session timeout: ($env.NUSHELL_SESSION_TIMEOUT? | default 900) seconds"