solstice-ci/deploy/podman/.env.sample
Till Wegmueller c2fefb5167
Add per-job SSH key support, refactor scheduler for SSH-based job execution, and remove unused runner endpoint
- Introduce fields in `JobContext` for per-job SSH configuration, including user, key paths, and PEM contents.
- Update the scheduler to support SSH-based execution of jobs, including VM lifecycle management and SSH session handling.
- Add utility functions for SSH execution, guest IP discovery, and runner deployment.
- Remove the unused `/runners/{name}` HTTP endpoint and its associated logic.
- Simplify router creation by refactoring out disabled runner directory handling.

Signed-off-by: Till Wegmueller <toasterson@gmail.com>
2025-11-15 18:37:30 +01:00


# Copy to .env and adjust values. This file is consumed by podman compose.
# Deployment environment: staging or prod
ENV=staging
# Base domain used for routing. External hostnames are *.svc.${DOMAIN} (no ENV in hostname)
DOMAIN=solstice-ci.org
# ACME email for Let's Encrypt registration
TRAEFIK_ACME_EMAIL=ops@solstice-ci.org
# Optional: set Let's Encrypt CA server (leave empty for production, set to staging for tests)
# For staging, uncomment:
# TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory
# Admin credentials (override in real deployments via secret store)
POSTGRES_USER=solstice
POSTGRES_PASSWORD=change-me
# Databases are created by postgres-setup: solstice_staging and solstice_prod
# Services will connect to postgres database: solstice_${ENV}
POSTGRES_DB=solstice
# RabbitMQ uses a single broker with per-env vhosts: solstice-staging, solstice-prod
RABBITMQ_DEFAULT_USER=solstice
RABBITMQ_DEFAULT_PASS=change-me
MINIO_ROOT_USER=solstice
MINIO_ROOT_PASSWORD=change-me
# Buckets per env (created by minio-setup): solstice-logs-staging, solstice-logs-prod
# Optionally set to the env-specific bucket name (set in your shell, not here): e.g., solstice-logs-staging or solstice-logs-prod
# Leave empty to skip custom bucket creation in minio-setup
MINIO_BUCKET=
# Traefik dashboard basic auth user:password hash (htpasswd -nB admin)
# Example: admin:$2y$05$kN2K0... (bcrypt)
TRAEFIK_DASHBOARD_AUTH=
# Host ports to bind Traefik
# Note: Rootless Podman cannot bind privileged ports (<1024). For rootless runs, use high ports
# like 8080/4443, or configure the host sysctl net.ipv4.ip_unprivileged_port_start=80 (requires root)
# to allow binding 80/443.
TRAEFIK_HTTP_PORT=8080
TRAEFIK_HTTPS_PORT=4443
# Orchestrator libvirt integration (Linux hosts)
# URI to the system libvirt on the host; usually qemu:///system
LIBVIRT_URI=qemu:///system
# Libvirt virtual network to attach VMs to; ensure it exists/active on host
LIBVIRT_NETWORK=default
# Host path to the orchestrator image map YAML; mounted read-only into the container
# Default points to the repo example. Change to a production path on your host.
ORCH_IMAGE_MAP_PATH=../../examples/orchestrator-image-map.yaml
# Host directory where base images are stored (or downloaded to by the orchestrator)
# This will be mounted at /var/lib/solstice/images in the container. Ensure local_path in the YAML points there.
ORCH_IMAGES_DIR=/var/lib/solstice/images
# Host working directory for per-VM overlays and logs; mounted read-write
# The libvirt backend will use /var/lib/solstice-ci inside the container; map it to a persistent host path.
ORCH_WORK_DIR=/var/lib/solstice-ci
# Host directory containing workflow runner binaries
# These files are mounted into the orchestrator at /opt/solstice/runners and uploaded into VMs over SSH.
# Default points to the workspace target/runners where mise tasks may place built artifacts.
RUNNER_DIR_HOST=../../target/runners
# SSH connectivity tuning for orchestrator -> VM
# Timeout (seconds) for establishing SSH connection to newly started VMs
SSH_CONNECT_TIMEOUT_SECS=300
# Forge Integration secrets (set per deployment)
# Shared secret used to validate Forgejo/Gitea webhooks (X-Gitea-Signature HMAC-SHA256)
WEBHOOK_SECRET=
# Forgejo API token used to post commit statuses back to the forge
FORGEJO_TOKEN=
# Optional: Forgejo API base URL (not secret, but commonly configured alongside the token)
# Example: https://codeberg.org/api/v1
FORGEJO_BASE_URL=
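The sample above ships with `change-me` passwords and empty secrets, and its comments carry the rules a deployment has to satisfy (override credentials from a secret store, bcrypt `htpasswd -nB` entry for the dashboard, no privileged ports under rootless Podman). The following pre-deploy check is an added example and is not part of the solstice-ci repository: it parses the `KEY=VALUE` lines of an `.env` file the way podman compose does (comments and blanks ignored) and lists everything that must not go live as-is. The set of keys it inspects is taken from this file; the `rootless` flag, the bcrypt pattern and the constructed `SAMPLE_ENV` text are assumptions of the example.

```python
"""Pre-deploy sanity check for a solstice-ci podman .env file.

Added example, not project code. Reports placeholder passwords, empty
secrets, a malformed Traefik dashboard auth entry, a bad ENV value and
privileged Traefik ports on a rootless host.
"""
import re

# Keys that .env.sample ships with the literal placeholder "change-me".
PLACEHOLDER_KEYS = ("POSTGRES_PASSWORD", "RABBITMQ_DEFAULT_PASS", "MINIO_ROOT_PASSWORD")
# Keys the sample leaves empty but a real deployment must set.
REQUIRED_SECRETS = ("WEBHOOK_SECRET", "FORGEJO_TOKEN", "TRAEFIK_DASHBOARD_AUTH")
# Shape of an `htpasswd -nB` line: user:$2y$<cost>$<22-char salt + 31-char hash>
# (assumed pattern; bcrypt variants 2a/2b/2y are accepted)
BCRYPT_ENTRY = re.compile(r"^[^:\s]+:\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def parse_env(text: str) -> dict:
    """Return KEY -> VALUE for the assignment lines of an .env file."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        value = value.strip()
        # drop one pair of matching surrounding quotes, as compose tooling does
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def check_env(env: dict, rootless: bool = True) -> list:
    """Return human-readable findings; an empty list means nothing blocks deployment."""
    findings = []
    for key in PLACEHOLDER_KEYS:
        if env.get(key, "") == "change-me":
            findings.append(f"{key} still has the sample placeholder 'change-me'")
    for key in REQUIRED_SECRETS:
        if not env.get(key):
            findings.append(f"{key} is empty; set it from your secret store")
    auth = env.get("TRAEFIK_DASHBOARD_AUTH", "")
    if auth and not BCRYPT_ENTRY.match(auth):
        findings.append("TRAEFIK_DASHBOARD_AUTH is not a user:bcrypt entry (generate with htpasswd -nB)")
    if env.get("ENV") not in ("staging", "prod"):
        findings.append("ENV must be 'staging' or 'prod'")
    if rootless:
        for key in ("TRAEFIK_HTTP_PORT", "TRAEFIK_HTTPS_PORT"):
            try:
                port = int(env.get(key, ""))
            except ValueError:
                findings.append(f"{key} is not a number")
                continue
            if port < 1024:
                findings.append(f"{key}={port} is privileged; rootless Podman cannot bind it "
                                "unless net.ipv4.ip_unprivileged_port_start is lowered")
    return findings


# Constructed sample mirroring the untouched defaults of .env.sample.
SAMPLE_ENV = """\
ENV=staging
POSTGRES_USER=solstice
POSTGRES_PASSWORD=change-me
RABBITMQ_DEFAULT_PASS=change-me
MINIO_ROOT_PASSWORD=change-me
TRAEFIK_DASHBOARD_AUTH=
TRAEFIK_HTTP_PORT=8080
TRAEFIK_HTTPS_PORT=4443
WEBHOOK_SECRET=
FORGEJO_TOKEN=
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_env.py [path/to/.env]; without a path the sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENV
    problems = check_env(parse_env(text))
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run it against the copied `.env` before `podman compose up`; a non-zero exit means a placeholder or empty secret is still in place. The port check is deliberately gated on `rootless`, since the host sysctl route described in the comments makes ports 80/443 legitimate on a root-run host.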