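# shithub production inventory — single-droplet at launch (S37 design).
#
# Copy to `inventory/production` and edit before deploying. The real
# inventory file is .gitignored; this example documents the variables
# the roles read.
#
# Format notes (Ansible INI inventory):
#   - Comments are only recognised at the start of a line. Inside a
#     `[group:vars]` section, text after `#` on a value line is kept as
#     part of the value, so every note in this file sits on its own line.
#   - The INI inventory plugin runs values through ast.literal_eval where
#     it can: `20` becomes an int and a `"..."` value has its quotes
#     stripped, while `true`/`false` stay plain strings for the roles.
#   - REPLACE_ME marks a value that must be supplied per deployment.
#   - Secrets (access keys, tokens) should not live in this file at all.
#     An INI inventory cannot carry vault-encrypted values, so keep them
#     in a vault-encrypted `group_vars/shithub/vault.yml` next to the
#     inventory and leave only the placeholder here.

[shithub]
# 192.0.2.10 is a TEST-NET-1 documentation address; replace it with the
# droplet's public IP.
# Root SSH login: a dedicated deploy user with ansible_become=true lets
# root SSH be disabled on the host.
shithub-prod ansible_host=192.0.2.10 ansible_user=root

[shithub:vars]
# Public host shithubd serves under (Caddy auto-cert covers this).
shithub_domain=shithub.example

# Container/process owner (created by the base role).
shithub_user=shithub
shithub_group=shithub

# Block-volume mount point. ALL stateful data (repos, pgdata, tmp)
# lives under here so the root disk never fills up.
shithub_data_root=/data

# pgx pool size; matches the worker pool too.
shithub_db_pool_max=20

# Postmark sender + DKIM are configured before the deploy.
# The sender value below looks truncated in this example (quotes are
# stripped by the inventory parser, leaving "shithub " with a trailing
# space) — confirm the full sender string the role expects.
shithub_email_from="shithub "
shithub_email_backend=postmark

# Runtime object storage. DigitalOcean Spaces uses virtual-hosted style
# addressing and TLS; region remains us-east-1 for SigV4 signing.
s3_endpoint=nyc3.digitaloceanspaces.com
s3_region=us-east-1
s3_bucket=shithub-prod
# Credentials: secrets, see the header note — never commit real values.
s3_access_key_id=REPLACE_ME
s3_secret_access_key=REPLACE_ME
s3_use_ssl=true
s3_force_path_style=false

# WireGuard peer for the bare-metal monitoring box.
wg_metal_endpoint=metal.shithub.example:51820
# Peer public key (not secret); the private key stays on the metal box.
wg_metal_pubkey=REPLACE_ME

# Grafana Cloud (free tier) — Prometheus remote_write target. Get
# these from grafana.com → Stack → Prometheus details. Token is
# from Access Policies with metrics:write scope.
# See docs/internal/runbooks/observability.md for the full signup.
# The host below varies — copy the exact "Remote Write Endpoint"
# shown on the Prometheus details page (region + tenant differ).
grafana_cloud_prom_url=https://prometheus-prod-XX-prod-REGION.grafana.net/api/prom/push
# numeric tenant id
grafana_cloud_prom_user=REPLACE_ME
# access-policy token (metrics:write) — a secret, see the header note
grafana_cloud_prom_token=REPLACE_ME

# Optional Actions runner on this host. Generate the token with:
# shithubd admin runner register --name prod-runner-1 --labels self-hosted,linux,ubuntu-latest --capacity 1
# Store the real token in ansible-vault or your secret manager.
# shithub_runner_enabled=true
# shithub_runner_token=REPLACE_ME
# shithub_runner_labels=self-hosted,linux,ubuntu-latest
# shithub_runner_capacity=1
# `1.0` is a mutable tag; pinning the image by digest (image@sha256:...)
# makes the runner image reproducible across deploys.
# shithub_runner_default_image=ghcr.io/shithub/runner-nix:1.0
# The role creates shithub-actions on shact0 (172.30.0.1/24), runs
# dnsmasq on that bridge, and enforces direct-IP egress denial with
# shithub-runner-firewall.service.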