diff --git a/deploy/install.sh b/deploy/install.sh index 0df4dc9..3084cab 100644 --- a/deploy/install.sh +++ b/deploy/install.sh @@ -110,9 +110,12 @@ if [[ -n "${GEN_PW}" ]]; then fi echo "==> installing config and systemd unit" +# vetting.production.yaml uses absolute /var/lib/vetting + /var/log/vetting +# paths that match the systemd unit's ReadWritePaths. vetting.example.yaml +# uses ./var/... relatives and is only correct for `make run` in a dev tree. if [[ ! -f "${CONFIG_DIR}/vetting.yaml" ]]; then install -m 0640 -o root -g "${SERVICE_USER}" \ - "${SCRIPT_DIR}/vetting.example.yaml" \ + "${SCRIPT_DIR}/vetting.production.yaml" \ "${CONFIG_DIR}/vetting.yaml" echo " -> installed default config at ${CONFIG_DIR}/vetting.yaml" else diff --git a/deploy/vetting.production.yaml b/deploy/vetting.production.yaml new file mode 100644 index 0000000..1da1190 --- /dev/null +++ b/deploy/vetting.production.yaml @@ -0,0 +1,81 @@ +server: + # Loopback-only by default; change to "0.0.0.0:8080" (or similar) once + # you've wired up TLS or fronted the service with a reverse proxy. + bind: "127.0.0.1:8080" + # Base URL the orchestrator is reachable at from the operator's + # browser. Used as the click-through link in notifications. + public_url: "http://127.0.0.1:8080" + tls: + enabled: false + cert_file: "" + key_file: "" + +database: + path: "/var/lib/vetting/vetting.db" + +artifacts: + dir: "/var/lib/vetting/artifacts" + # Days to keep per-run artifact files (report.html, report.json, fio, + # iperf, inventory.json, hold keys). DB rows are preserved. 0 = forever. + retention_days: 30 + +logs: + dir: "/var/log/vetting" + # Days to keep per-run log files. 0 = forever. + retention_days: 30 + +janitor: + # Interval between cleanup sweeps. 0 defaults to 60. + interval_minutes: 60 + +auth: + # bcrypt hash of your admin password. + # Generate via: gen-admin-password 'your-password' + admin_password_bcrypt: "$2a$10$REPLACE_ME_WITH_A_REAL_BCRYPT_HASH_0123456789abcdefABCDEFxx" + # Random 32-byte hex string used to sign session cookies. + # Generate via: openssl rand -hex 32 + session_secret_hex: "0000000000000000000000000000000000000000000000000000000000000000" + session_ttl_hours: 24 + +dispatcher: + max_concurrent_runs: 3 + +pxe: + enabled: false + interface: "" # e.g. "eth0" + dhcp_range: "" # e.g. "10.77.0.100,10.77.0.200,12h" + orchestrator_url: "" # e.g. "http://10.77.0.1:8080" + tftp_root: "/var/lib/vetting/tftp" # holds ipxe.efi + undionly.kpxe + live_dir: "/var/lib/vetting/live" # holds vmlinuz + initrd.img; served at /live/* + +# Notifications fire on StageFailed, SpecMismatch, HoldingOpened, +# RunCompleted. Declare one or more notifiers and route each event +# kind (and optionally severity) to a notifier by name. Delivery is +# fire-and-forget (one attempt per event, logged on failure). +# +# Example (uncomment and fill in): +# +# notifiers: +# - name: ops-ntfy +# type: ntfy +# server: https://ntfy.sh +# topic: vetting-YOUR-TOPIC +# - name: ops-discord +# type: discord +# webhook_url: https://discord.com/api/webhooks/XXX/YYY +# - name: ops-email +# type: smtp +# smtp: +# host: mail.lan +# port: 25 +# from: vetting@lan.local +# to: [ops@lan.local] +# +# routes: +# - match_severity: [critical] +# notifier: ops-ntfy +# - match_kind: [RunCompleted] +# notifier: ops-ntfy + +notifiers: [] +routes: [] diff --git a/deploy/vetting.service b/deploy/vetting.service index 2a529dc..6966d28 100644 --- a/deploy/vetting.service +++ b/deploy/vetting.service @@ -1,8 +1,10 @@ [Unit] Description=Vetting orchestrator (post-repair hardware validation) -Documentation=https://github.com/your-org/vetting +Documentation=https://gitea.thewrightserver.net/josh/Vetting After=network-online.target Wants=network-online.target +StartLimitBurst=5 +StartLimitIntervalSec=60 [Service] Type=simple @@ -38,11 +40,9 @@ RestrictNamespaces=true LockPersonality=true # Restart policy — crash out loudly on startup errors, but recover from -# transient failures. +# transient failures. (StartLimit* lives under [Unit] in modern systemd.) Restart=on-failure RestartSec=5 -StartLimitBurst=5 -StartLimitIntervalSec=60 # Logs go to journald; the orchestrator's own per-run log files live # under /var/log/vetting regardless.