solstice-ci/deploy/podman/.env.sample

# Copy to .env and adjust values. This file is consumed by podman compose.
# Deployment environment: staging or prod
ENV=staging
# Base domain used for routing. External hostnames are *.svc.${DOMAIN} (no ENV in hostname)
DOMAIN=solstice-ci.org
# ACME email for Let's Encrypt registration
TRAEFIK_ACME_EMAIL=ops@solstice-ci.org
# Optional: set Let's Encrypt CA server (leave empty for production, set to staging for tests)
# For staging, uncomment:
# TRAEFIK_ACME_CASERVER=https://acme-staging-v02.api.letsencrypt.org/directory

# Admin credentials (override in real deployments via secret store)
POSTGRES_USER=solstice
POSTGRES_PASSWORD=change-me
# Databases are created by postgres-setup: solstice_staging and solstice_prod
# Services will connect to postgres database: solstice_${ENV}
POSTGRES_DB=solstice

# RabbitMQ uses a single broker with per-env vhosts: solstice-staging, solstice-prod
RABBITMQ_DEFAULT_USER=solstice
RABBITMQ_DEFAULT_PASS=change-me

MINIO_ROOT_USER=solstice
MINIO_ROOT_PASSWORD=change-me
# Buckets per env (created by minio-setup): solstice-logs-staging, solstice-logs-prod
# Optionally set to the env-specific bucket name (set in your shell, not here): e.g., solstice-logs-staging or solstice-logs-prod
# Leave empty to skip custom bucket creation in minio-setup
MINIO_BUCKET=

# Traefik dashboard basic auth user:password hash (htpasswd -nB admin)
# Example: admin:$2y$05$kN2K0... (bcrypt)
TRAEFIK_DASHBOARD_AUTH=

# Host ports to bind Traefik
# Note: Rootless Podman cannot bind privileged ports (<1024). For rootless runs, use high ports
# like 8080/4443, or configure the host sysctl net.ipv4.ip_unprivileged_port_start=80 (requires root)
# to allow binding 80/443.
TRAEFIK_HTTP_PORT=8080
TRAEFIK_HTTPS_PORT=4443

# Orchestrator libvirt integration (Linux hosts)
# URI to the system libvirt on the host; usually qemu:///system
LIBVIRT_URI=qemu:///system
# Libvirt virtual network to attach VMs to; ensure it exists/active on host
LIBVIRT_NETWORK=default
# Host path to the orchestrator image map YAML; mounted read-only into the container
# Default points to the repo example. Change to a production path on your host.
ORCH_IMAGE_MAP_PATH=../../examples/orchestrator-image-map.yaml
# Host directory where base images are stored (or downloaded to by the orchestrator)
# This will be mounted at /var/lib/solstice/images in the container. Ensure local_path in the YAML points there.
ORCH_IMAGES_DIR=/var/lib/solstice/images
# Host working directory for per-VM overlays and logs; mounted read-write
# The libvirt backend will use /var/lib/solstice-ci inside the container; map it to a persistent host path.
ORCH_WORK_DIR=/var/lib/solstice-ci
# Host directory containing workflow runner binaries to be served by the orchestrator
# Files in this directory are served read-only at http(s)://runner.svc.${DOMAIN}/runners/{filename}
# Default points to the workspace target/runners where mise tasks may place built artifacts.
RUNNER_DIR_HOST=../../target/runners

# When orchestrator runs behind NAT or in containers, set the public contact address
# that VMs can reach for gRPC log streaming (host:port). This overrides autodetection.
# Example: grpc.${ENV}.${DOMAIN}:443 (when terminated by Traefik) or a public IP:port
ORCH_CONTACT_ADDR=

# Preferred: Provide a public base URL for runner binaries; the orchestrator will construct
# full URLs like ${SOLSTICE_RUNNER_BASE_URL}/runners/solstice-runner(-linux|-illumos)
# Example: https://runner.svc.${DOMAIN}
SOLSTICE_RUNNER_BASE_URL=

# Forge Integration secrets (set per deployment)
# Shared secret used to validate Forgejo/Gitea webhooks (X-Gitea-Signature HMAC-SHA256)
WEBHOOK_SECRET=
# Forgejo API token used to post commit statuses back to the forge
FORGEJO_TOKEN=
# Optional: Forgejo API base URL (not secret, but commonly configured alongside the token)
# Example: https://codeberg.org/api/v1
FORGEJO_BASE_URL=