nomad

HCL and Docker files for Nomad deployments
git clone https://git.in0rdr.ch/nomad.git

config.ini.tmpl (8157B)


      1 # https://git.sr.ht/~sircmpwn/meta.sr.ht/tree/master/item/config.example.ini
      2 
      3 [sr.ht]
      4 #
      5 # The name of your network of sr.ht-based sites
      6 site-name=p0c
      7 #
      8 # The top-level info page for your site
      9 site-info=https://p0c.ch
     10 #
     11 # site-name, site-blurb
     12 site-blurb=proof of concepts for fun and profit
     13 #
     14 # If this != production, we add a banner to each page
     15 environment=production
     16 #
     17 # Contact information for the site owners
     18 owner-name=Andreas Gruhler
     19 owner-email=contact@p0c.ch
     20 #
     21 # The source code for your fork of sr.ht
     22 source-url=https://git.sr.ht/~sircmpwn/srht
     23 #
     24 # Link to your instance's privacy policy. Uses the sr.ht privacy policy as the
     25 # default, which describes the information collected by the upstream SourceHut
     26 # code.
     27 privacy-policy=
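     28 # NOTE(review): confirm a missing kv/meta field fails the render rather than yielding an empty or placeholder key.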
     29 # A key used for encrypting session cookies. Use `srht-keygen service` to
     30 # generate the service key. This must be shared between each node of the same
     31 # service (e.g. git1.sr.ht and git2.sr.ht), but different services may use
     32 # different keys. If you configure all of your services with the same
     33 # config.ini, you may use the same service-key for all of them.
     34 service-key={{with secret "kv/meta"}}{{index .Data.data.service_key}}{{end}}
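     35 # NOTE(review): both keys are rendered in clear text; confirm the rendered file is readable only by the service.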
     36 # A secret key to encrypt internal messages with. Use `srht-keygen network` to
     37 # generate this key. It must be consistent between all services and nodes.
     38 network-key={{with secret "kv/meta"}}{{index .Data.data.network_key}}{{end}}
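     39 # NOTE(review): this URL carries no password or TLS; confirm the Redis port is reachable only by this job.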
     40 # The redis host URL. This is used for caching and temporary storage, and must
     41 # be shared between nodes (e.g. git1.sr.ht and git2.sr.ht), but need not be
     42 # shared between services. It may be shared between services, however, with no
     43 # ill effect, if this better suits your infrastructure.
     44 redis-host=redis://{{ env "NOMAD_ADDR_redis" }}
     45 #
     46 # Optional email address for reporting security-related issues.
     47 security-address=contact@p0c.ch
     48 #
     49 # The global domain of the site. If unset, the global domain will be determined
     50 # from the service URL: each service is assumed to be a sub-domain of the global
     51 # domain, i.e. of the form `meta.globaldomain.com`.
     52 global-domain=p0c.ch
     53 #
     54 # Path to static assets (default PREFIX from make installation)
     55 # https://git.sr.ht/~sircmpwn/core.sr.ht/tree/master/item/Makefile
     56 assets=/usr/local/share/sourcehut
     57 
     58 [abused]
     59 #
     60 # Optional abused configuration for mitigating abusive traffic & usage
     61 #
     62 # See https://sr.ht/~sircmpwn/abused/
     63 endpoint=
     64 token=
     65 
     66 [objects]
     67 #
     68 # Configure S3-compatible object storage for services. Optional.
     69 #
     70 # Minio is recommended as a FOSS solution over AWS: https://min.io
     71 s3-upstream=
     72 s3-access-key=
     73 s3-secret-key=
     74 
     75 [mail]
     76 #
     77 # Outgoing SMTP settings
     78 smtp-host={{with secret "kv/meta"}}{{index .Data.data.smtp_host}}{{end}}
     79 smtp-port={{with secret "kv/meta"}}{{index .Data.data.smtp_port}}{{end}}
     80 smtp-from={{with secret "kv/meta"}}{{index .Data.data.smtp_from}}{{end}}
     81 #
     82 # Default: starttls
     83 # Options: starttls, tls, insecure
     84 smtp-encryption=starttls
     85 #
     86 # Default: plain
     87 # Options: plain, none
     88 smtp-auth=plain
     89 # user / password are required if smtp-auth is plain
     90 smtp-user={{with secret "kv/meta"}}{{index .Data.data.smtp_user}}{{end}}
     91 smtp-password={{with secret "kv/meta"}}{{index .Data.data.smtp_password}}{{end}}
     92 #
     93 # Application exceptions are emailed to this address
     94 error-to=contact@p0c.ch
     95 error-from=contact@p0c.ch
     96 #
     97 # You should generate a PGP key to allow users to authenticate emails received
     98 # from your services. Use `gpg --edit-key [key id]` to remove the password from
     99 # your private key, then export it to a file and set pgp-privkey to the path to
    100 # that file. pgp-pubkey should be set to the path to your public key, and
    101 # pgp-key-id should be set to the key ID string. Outgoing emails are signed with
    102 # this PGP key.
    103 pgp-privkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_privkey.pem
    104 pgp-pubkey={{ env "NOMAD_SECRETS_DIR" }}/pgp_pubkey.pem
    105 pgp-key-id={{with secret "kv/meta"}}{{index .Data.data.pgp_key_id}}{{end}}
    106 
    107 [webhooks]
    108 #
    109 # base64-encoded Ed25519 key for signing webhook payloads. This should be
    110 # consistent between all services.
    111 #
    112 # Use the `srht-keygen webhook` command to generate this key. Put the private
    113 # key here and distribute the public key to anyone who would want to verify
    114 # webhook payloads from your service.
    115 private-key={{with secret "kv/meta"}}{{index .Data.data.webhook_private_key}}{{end}}
    116 
    117 [meta.sr.ht]
    118 #
    119 # URL meta.sr.ht is being served at (protocol://domain)
    120 origin=https://meta.p0c.ch
    121 #
    122 # Address and port to bind the debug server to
    123 #debug-host=0.0.0.0
    124 #debug-port={{ env "NOMAD_PORT_web" }}
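    125 # NOTE(review): the Vault password is inserted un-encoded and no sslmode is set; confirm the link to postgres.lan is encrypted.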
    126 # Configures the SQLAlchemy connection string for the database.
    127 connection-string=postgresql://meta:{{with secret "kv/meta"}}{{index .Data.data.postgresql_password}}{{end}}@postgres.lan/meta
    128 #
    129 # Set to "yes" to automatically run migrations on package upgrade.
    130 migrate-on-upgrade=yes
    131 #
    132 # The redis connection used for the webhooks worker
    133 webhooks=redis://{{ env "NOMAD_ADDR_redis" }}/1
    134 
    135 #
    136 # Origin URL for the API
    137 # By default, the API port is 100 more than the web port
    138 #api-origin=http://{{ env "NOMAD_ADDR_api" }}
    139 
    140 [meta.sr.ht::api]
    141 #
    142 # Maximum complexity of GraphQL queries. The higher this number, the more work
    143 # that API clients can burden the API backend with. Complexity is equal to the
    144 # number of discrete fields which would be returned to the user. 200 is a good
    145 # default.
    146 max-complexity=200
    147 
    148 #
    149 # The maximum time the API backend will spend processing a single API request.
    150 #
    151 # See https://golang.org/pkg/time/#ParseDuration
    152 max-duration=3s
    153 
    154 #
    155 # Set of IP subnets which are permitted to utilize internal API
    156 # authentication. This should be limited to the subnets from which your
    157 # *.sr.ht services are running.
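    158 # NOTE(review): the value below admits all of 192.168.0.0/16 and 10.0.0.0/8; narrow it to the service subnets.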
    159 # Comma-separated, CIDR notation.
    160 internal-ipnet=127.0.0.0/8,::1/128,192.168.0.0/16,10.0.0.0/8
    161 
    162 #
    163 # Queue size for account deletion operations.
    164 #
    165 # Default: 512
    166 #account-del-queue-size=512
    167 
    168 [meta.sr.ht::settings]
    169 #
    170 # If "no", public registration will not be permitted.
    171 registration=no
    172 #
    173 # Where to redirect new users upon registration
    174 onboarding-redirect=https://meta.p0c.ch
    175 #
    176 # If "yes", the user will be sent the stock sourcehut welcome emails after
    177 # signup (requires cron to be configured properly). These are specific to the
    178 # sr.ht instance so you probably want to patch these before enabling this.
    179 welcome-emails=no
    180 #
    181 # If "yes", the user will be sent an email reminder if their registered PGP key
    182 # will expire soon (requires cron to be configured properly).
    183 key-expiration-emails=no
    184 
    185 [meta.sr.ht::aliases]
    186 #
    187 # You can add aliases for the client IDs of commonly used OAuth clients here.
    188 #
    189 # Example:
    190 # git.sr.ht=12345
    191 
    192 [meta.sr.ht::billing]
    193 #
    194 # "yes" to enable the billing system
    195 enabled=no
    196 
    197 #
    198 # Get your keys at https://dashboard.stripe.com/account/apikeys
    199 stripe-public-key=
    200 stripe-secret-key=
    201 
    202 # List of countries to refuse paid service to (for reasons of e.g. sanctions
    203 # compliance). Space-separated list of ISO 3166 two-letter codes.
    204 prohibited-countries=
    205 
    206 [meta.sr.ht::auth]
    207 #
    208 # What authentication method to use.
    209 #   builtin:  use sr.ht builtin authentication
    210 #   unix-pam: use Unix PAM authentication
    211 #auth-method=builtin
    212 
    213 [meta.sr.ht::auth::unix-pam]
    214 #
    215 # The default email domain to assign to newly created users when they first log
    216 # in.
    217 # User's email will be set to <username>@<email-default-domain>
    218 email-default-domain=p0c.ch
    219 #
    220 # The PAM service to use for logging in.
    221 #service=sshd
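    222 # NOTE(review): with create-users=yes and user-group empty, any account passing PAM gets a site login under unix-pam.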
    223 # Whether to automatically create new users when authentication succeeds but the
    224 # user is not in the database.
    225 create-users=yes
    226 #
    227 # The UNIX group users need to belong to to have access to sourcehut.
    228 # If set,
    229 # only users belonging to this group will be able to log into the site.
    230 # If unset, any user on the system is able to log in if PAM authentication
    231 # succeeds.
    232 user-group=
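    233 # NOTE(review): under unix-pam, wheel membership grants site administrator rights; confirm this is intended.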
    234 # The UNIX group users need to belong to to have administrator permissions.
    235 # If set, administrator status on the site will be synced with group
    236 # association. Additionally, any user of this group will also be able to access
    237 # sourcehut even if they are not in the group specified in user-group.
    238 # If unset, administrator status can be manually assigned from the web
    239 # interface.
    240 admin-group=wheel
    241 
    242 [todo.sr.ht]
    243 origin=https://todo.p0c.ch