Fix LXC deploy: absolute paths + systemd section for StartLimit
CI / Lint + build + test (push) Failing after 5m17s
Service was crashing on every boot because vetting.example.yaml uses ./var/... relative paths that resolve to / under ProtectSystem=strict. Ship a separate vetting.production.yaml with absolute /var/lib/vetting + /var/log/vetting paths that match the unit's ReadWritePaths, and have install.sh copy that one. Also move StartLimit* keys into [Unit] to silence the 'Unknown key' warning on modern systemd.
@@ -0,0 +1,81 @@
|
||||
server:
|
||||
# Loopback-only by default; change to "0.0.0.0:8080" (or similar) once
|
||||
# you've wired up TLS or fronted the service with a reverse proxy.
|
||||
bind: "127.0.0.1:8080"
|
||||
# Base URL the orchestrator is reachable at from the operator's
|
||||
# browser. Used as the click-through link in notifications.
|
||||
public_url: "http://127.0.0.1:8080"
|
||||
tls:
|
||||
enabled: false
|
||||
cert_file: ""
|
||||
key_file: ""
|
||||
|
||||
database:
|
||||
path: "/var/lib/vetting/vetting.db"
|
||||
|
||||
artifacts:
|
||||
dir: "/var/lib/vetting/artifacts"
|
||||
# Days to keep per-run artifact files (report.html, report.json, fio,
|
||||
# iperf, inventory.json, hold keys). DB rows are preserved. 0 = forever.
|
||||
retention_days: 30
|
||||
|
||||
logs:
|
||||
dir: "/var/log/vetting"
|
||||
# Days to keep per-run log files. 0 = forever.
|
||||
retention_days: 30
|
||||
|
||||
janitor:
|
||||
# Interval between cleanup sweeps. 0 defaults to 60.
|
||||
interval_minutes: 60
|
||||
|
||||
auth:
|
||||
# bcrypt hash of your admin password.
|
||||
# Generate via: gen-admin-password 'your-password'
|
||||
admin_password_bcrypt: "$2a$10$REPLACE_ME_WITH_A_REAL_BCRYPT_HASH_0123456789abcdefABCDEFxx"
|
||||
# Random 32-byte hex string used to sign session cookies.
|
||||
# Generate via: openssl rand -hex 32
|
||||
session_secret_hex: "0000000000000000000000000000000000000000000000000000000000000000"
|
||||
session_ttl_hours: 24
|
||||
|
||||
dispatcher:
|
||||
max_concurrent_runs: 3
|
||||
|
||||
pxe:
|
||||
enabled: false
|
||||
interface: "" # e.g. "eth0"
|
||||
dhcp_range: "" # e.g. "10.77.0.100,10.77.0.200,12h"
|
||||
orchestrator_url: "" # e.g. "http://10.77.0.1:8080"
|
||||
tftp_root: "/var/lib/vetting/tftp" # holds ipxe.efi + undionly.kpxe
|
||||
live_dir: "/var/lib/vetting/live" # holds vmlinuz + initrd.img; served at /live/*
|
||||
|
||||
# Notifications fire on StageFailed, SpecMismatch, HoldingOpened,
|
||||
# RunCompleted. Declare one or more notifiers and route each event
|
||||
# kind (and optionally severity) to a notifier by name. Delivery is
|
||||
# fire-and-forget (one attempt per event, logged on failure).
|
||||
#
|
||||
# Example (uncomment and fill in):
|
||||
#
|
||||
# notifiers:
|
||||
# - name: ops-ntfy
|
||||
# type: ntfy
|
||||
# server: https://ntfy.sh
|
||||
# topic: vetting-YOUR-TOPIC
|
||||
# - name: ops-discord
|
||||
# type: discord
|
||||
# webhook_url: https://discord.com/api/webhooks/XXX/YYY
|
||||
# - name: ops-email
|
||||
# type: smtp
|
||||
# smtp:
|
||||
# host: mail.lan
|
||||
# port: 25
|
||||
# from: vetting@lan.local
|
||||
# to: [ops@lan.local]
|
||||
#
|
||||
# routes:
|
||||
# - match_severity: [critical]
|
||||
# notifier: ops-ntfy
|
||||
# - match_kind: [RunCompleted]
|
||||
# notifier: ops-ntfy
|
||||
|
||||
notifiers: []
|
||||
routes: []
|
||||
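Review bot: the auth block of this production file ships a publicly known all-zero session_secret_hex and a REPLACE_ME admin_password_bcrypt, and per the commit message install.sh copies this file into place, so a host where the operator skips the edit would sign session cookies with a key anyone can read from the repository. Consider having install.sh fill in session_secret_hex at install time using the `openssl rand -hex 32` command the comment already recommends, and, if the service does not already do so, refusing to start while either value is still the placeholder. Since the file carries the cookie-signing secret and the password hash, it is also worth confirming that install.sh installs it readable only by the service user.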