josh/Vetting
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
273e7593bcea8d6f393fa08ae54b3653e67e88a0
Vetting/deploy/vetting.production.yaml
T
josh 273e7593bc
CI / Lint + build + test (push) Failing after 5m17s
Details
Fix LXC deploy: absolute paths + systemd section for StartLimit 
Service was crashing on every boot because vetting.example.yaml uses
./var/... relative paths that resolve to / under ProtectSystem=strict.
Ship a separate vetting.production.yaml with absolute /var/lib/vetting
+ /var/log/vetting paths that match the unit's ReadWritePaths, and
have install.sh copy that one. Also move StartLimit* keys into [Unit]
to silence the 'Unknown key' warning on modern systemd.
2026-04-17 22:02:03 -04:00

82 lines
2.5 KiB
YAML
Raw Blame History

server:
# Loopback-only by default; change to "0.0.0.0:8080" (or similar) once
# you've wired up TLS or fronted the service with a reverse proxy.
bind: "127.0.0.1:8080"
# Base URL the orchestrator is reachable at from the operator's
# browser. Used as the click-through link in notifications.
public_url: "http://127.0.0.1:8080"
tls:
enabled: false
cert_file: ""
key_file: ""
database:
path: "/var/lib/vetting/vetting.db"
artifacts:
dir: "/var/lib/vetting/artifacts"
# Days to keep per-run artifact files (report.html, report.json, fio,
# iperf, inventory.json, hold keys). DB rows are preserved. 0 = forever.
retention_days: 30
logs:
dir: "/var/log/vetting"
# Days to keep per-run log files. 0 = forever.
retention_days: 30
janitor:
# Interval between cleanup sweeps. 0 defaults to 60.
interval_minutes: 60
auth:
# bcrypt hash of your admin password.
# Generate via: gen-admin-password 'your-password'
admin_password_bcrypt: "$2a$10$REPLACE_ME_WITH_A_REAL_BCRYPT_HASH_0123456789abcdefABCDEFxx"
# Random 32-byte hex string used to sign session cookies.
# Generate via: openssl rand -hex 32
session_secret_hex: "0000000000000000000000000000000000000000000000000000000000000000"
session_ttl_hours: 24
dispatcher:
max_concurrent_runs: 3
pxe:
enabled: false
interface: "" # e.g. "eth0"
dhcp_range: "" # e.g. "10.77.0.100,10.77.0.200,12h"
orchestrator_url: "" # e.g. "http://10.77.0.1:8080"
tftp_root: "/var/lib/vetting/tftp" # holds ipxe.efi + undionly.kpxe
live_dir: "/var/lib/vetting/live" # holds vmlinuz + initrd.img; served at /live/*
# Notifications fire on StageFailed, SpecMismatch, HoldingOpened,
# RunCompleted. Declare one or more notifiers and route each event
# kind (and optionally severity) to a notifier by name. Delivery is
# fire-and-forget (one attempt per event, logged on failure).
#
# Example (uncomment and fill in):
#
# notifiers:
# - name: ops-ntfy
# type: ntfy
# server: https://ntfy.sh
# topic: vetting-YOUR-TOPIC
# - name: ops-discord
# type: discord
# webhook_url: https://discord.com/api/webhooks/XXX/YYY
# - name: ops-email
# type: smtp
# smtp:
# host: mail.lan
# port: 25
# from: vetting@lan.local
# to: [ops@lan.local]
#
# routes:
# - match_severity: [critical]
# notifier: ops-ntfy
# - match_kind: [RunCompleted]
# notifier: ops-ntfy
notifiers: []
routes: []
Reference in New Issue View Git Blame Copy Permalink