| 1 | # shithub production inventory — single-droplet at launch (S37 design). |
| 2 | # |
| 3 | # Copy to `inventory/production` and edit before deploying. The real |
| 4 | # inventory file is .gitignored; this example documents the variables |
| 5 | # the roles read. |
| 6 | |
| 7 | [shithub] |
| 8 | shithub-prod ansible_host=192.0.2.10 ansible_user=root |
| 9 | |
| 10 | [shithub:vars] |
| 11 | # Public host shithubd serves under (Caddy auto-cert covers this). |
| 12 | shithub_domain=shithub.example |
| 13 | # Container/process owner (created by the base role). |
| 14 | shithub_user=shithub |
| 15 | shithub_group=shithub |
| 16 | # Block-volume mount point. ALL stateful data (repos, pgdata, tmp) |
| 17 | # lives under here so the root disk never fills up. |
| 18 | shithub_data_root=/data |
| 19 | # pgx pool size; matches the worker pool too. |
| 20 | shithub_db_pool_max=20 |
| 21 | # Transactional sender + DKIM/SPF are configured before the deploy. |
| 22 | # Backend is `postmark` or `resend`; set the matching secret below |
| 23 | # (vault both — they are not safe to commit). |
| 24 | shithub_email_from="shithub <noreply@shithub.example>" |
| 25 | shithub_email_backend=resend |
| 26 | # shithub_postmark_token=... # when backend=postmark |
| 27 | shithub_resend_api_key=re_REPLACE_ME # when backend=resend |
| 28 | # Runtime object storage. DigitalOcean Spaces uses virtual-hosted style |
| 29 | # addressing and TLS; region remains us-east-1 for SigV4 signing. |
| 30 | s3_endpoint=nyc3.digitaloceanspaces.com |
| 31 | s3_region=us-east-1 |
| 32 | s3_bucket=shithub-prod |
| 33 | s3_access_key_id=REPLACE_ME |
| 34 | s3_secret_access_key=REPLACE_ME |
| 35 | s3_use_ssl=true |
| 36 | s3_force_path_style=false |
| 37 | # WireGuard peer for the bare-metal monitoring box. |
| 38 | wg_metal_endpoint=metal.shithub.example:51820 |
| 39 | wg_metal_pubkey=REPLACE_ME |
| 40 | |
| 41 | # Grafana Cloud (free tier) — Prometheus remote_write target. Get |
| 42 | # these from grafana.com → Stack → Prometheus details. Token is |
| 43 | # from Access Policies with metrics:write scope. |
| 44 | # See docs/internal/runbooks/observability.md for the full signup. |
| 45 | # The host below varies — copy the exact "Remote Write Endpoint" |
| 46 | # shown on the Prometheus details page (region + tenant differ). |
| 47 | grafana_cloud_prom_url=https://prometheus-prod-XX-prod-REGION.grafana.net/api/prom/push |
| 48 | grafana_cloud_prom_user=REPLACE_ME # numeric tenant id |
| 49 | grafana_cloud_prom_token=REPLACE_ME # access-policy token |
| 50 | |
| 51 | # Optional Actions runner on this host. Generate the token with: |
| 52 | # shithubd admin runner register --name prod-runner-1 --labels self-hosted,linux,ubuntu-latest,x64 --capacity 1 --output json |
| 53 | # Store the real token in ansible-vault or your secret manager. |
| 54 | # shithub_runner_enabled=true |
| 55 | # shithub_runner_token=REPLACE_ME |
| 56 | # shithub_runner_labels=self-hosted,linux,ubuntu-latest,x64 |
| 57 | # shithub_runner_capacity=1 |
| 58 | # shithub_runner_default_image=ghcr.io/tenseleyflow/shithub/runner-nix:1.0 |
| 59 | # The role creates shithub-actions on shact0 (172.30.0.1/24), runs |
| 60 | # dnsmasq on that bridge, and enforces direct-IP egress denial with |
| 61 | # shithub-runner-firewall.service. |
| 62 |