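# Managed by Ansible — 0600, owned by {{ shithub_user }}.
# Sourced by shithubd-web.service via EnvironmentFile=.
#
# This file holds cleartext secrets (database password, S3 secret key,
# AEAD keys, email provider credential). Keep it at 0600. The task that
# renders it is not visible from this template; it should set
# no_log: true so --diff or verbose runs do not print the values.
#
# Values are written unquoted. systemd strips leading/trailing
# whitespace, interprets quotes, and joins a line ending in a backslash
# with the next one, so a secret containing any of those will not
# arrive in the process unchanged.
#
# Naming contract: shithubd's config loader maps env vars by
# joining the TOML path with double underscores between segments
# (e.g., auth.email_from -> SHITHUB_AUTH__EMAIL_FROM). A handful
# of single-underscore names (SHITHUB_DATABASE_URL, SHITHUB_SESSION_KEY,
# SHITHUB_TOTP_KEY) are explicit aliases. Misnamed env vars are
# silently ignored — the binary falls back to defaults, which sends
# email to stdout instead of via the selected provider (Postmark or
# Resend). Under systemd, stdout normally lands in the journal, so a
# typo here would put outgoing auth mail into the logs. Match
# docs/internal/config.md for the canonical key names.

# Database. The password is percent-encoded before it is placed in the
# URL: a raw "@", "/", "?" or "#" would otherwise change how the URL is
# parsed. urlencode leaves "/" untouched, hence the extra replace.
# Store the password unencoded in shithub_db_password.
# NOTE(review): assumes shithubd's driver decodes percent-encoded
# userinfo, as the PostgreSQL URI format specifies — confirm.
# sslmode=disable is acceptable only because the server is on loopback;
# if the database moves off-host, switch to sslmode=verify-full.
SHITHUB_DATABASE_URL=postgresql://shithub:{{ shithub_db_password | urlencode | replace("/", "%2F") }}@127.0.0.1:5432/shithub?sslmode=disable
# Loopback-only listener. BASE_URL below is https, so TLS is presumably
# terminated by a reverse proxy in front — confirm against the proxy config.
SHITHUB_WEB__ADDR=127.0.0.1:8080

# auth surface
SHITHUB_AUTH__BASE_URL=https://{{ shithub_domain }}
SHITHUB_AUTH__SITE_NAME=shithub
SHITHUB_AUTH__EMAIL_FROM={{ shithub_email_from }}
SHITHUB_AUTH__EMAIL_BACKEND={{ shithub_email_backend }}

# SSH-git surface. Enabled flips the SSH clone URL on repo pages.
# The actual SSH service is sshd's Match-User-git block (see
# deploy/sshd_config.j2) calling shithubd's ssh-authkeys + ssh-shell
# subcommands. Both layers must be in place — toggling Enabled with
# no sshd config gives users an SSH URL that 5xx's at connect.
SHITHUB_AUTH__SSH__ENABLED=true
SHITHUB_AUTH__SSH__HOST=git@{{ shithub_domain }}

# storage
SHITHUB_STORAGE__REPOS_ROOT={{ shithub_data_root }}/repos
{% if s3_bucket | default("") %}
# DigitalOcean Spaces runtime bucket via its S3-compatible API.
# Rendered only when s3_bucket is set and non-empty.
# USE_SSL defaults to true; setting it to false sends object traffic
# to the endpoint unencrypted, so keep it true outside local testing.
SHITHUB_STORAGE__S3__ENDPOINT={{ s3_endpoint }}
SHITHUB_STORAGE__S3__REGION={{ s3_region | default("us-east-1") }}
SHITHUB_STORAGE__S3__ACCESS_KEY_ID={{ s3_access_key_id }}
SHITHUB_STORAGE__S3__SECRET_ACCESS_KEY={{ s3_secret_access_key }}
SHITHUB_STORAGE__S3__BUCKET={{ s3_bucket }}
SHITHUB_STORAGE__S3__USE_SSL={{ (s3_use_ssl | default(true)) | ternary("true", "false") }}
SHITHUB_STORAGE__S3__FORCE_PATH_STYLE={{ (s3_force_path_style | default(false)) | ternary("true", "false") }}
{% endif %}

# AEAD keys (32-byte base64). Aliased single-underscore names.
# NOTE(review): presumably data encrypted under these keys (sessions,
# stored TOTP secrets) becomes unreadable if a key changes — confirm
# before rotating.
SHITHUB_SESSION_KEY={{ shithub_session_key_b64 }}
SHITHUB_TOTP_KEY={{ shithub_totp_key_b64 }}

# Transactional email credentials. DKIM/SPF for the chosen provider
# must be configured at the DNS layer before deploy.
# Only the credential for the selected backend is rendered, so the
# unused provider's secret never reaches this host.
{% if shithub_email_backend == "postmark" %}
SHITHUB_AUTH__POSTMARK__SERVER_TOKEN={{ shithub_postmark_token }}
{% elif shithub_email_backend == "resend" %}
SHITHUB_AUTH__RESEND__API_KEY={{ shithub_resend_api_key }}
{% else %}
# No provider credential rendered: shithub_email_backend is neither
# "postmark" nor "resend".
{% endif %}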