dev_arc_aws/deploy/.env.example

# Copy to `.env` next to deploy/docker-compose.yml ON racknerd2 (never commit the real .env).
# Compose loads it automatically.

# Image tag to deploy. The build workflow pushes both :latest and the commit
# SHA; use :latest for rolling validation or pin a SHA for a specific build.
ARCHNEST_TAG=latest

# Interface the app is published on. Mesh IP only — do NOT bind 0.0.0.0.
ARCHNEST_BIND_IP=100.96.217.250

# Origin the frontend is served from (used for CORS). Mesh URL for validation.
ARCHNEST_CORS_ORIGIN=http://100.96.217.250:8080

# 32-byte hex. Signs auth JWTs.        Generate: openssl rand -hex 32
ARCHNEST_JWT_SECRET=

# 32-byte hex. Encrypts integration secrets at rest (AES-256-GCM).
# Changing this after data exists makes existing secrets undecryptable.
# Generate: openssl rand -hex 32
ARCHNEST_SECRET_KEY=

# Exactly 32 ASCII chars (used literally as an AES-256-CBC key for Guacamole).
# Generate: openssl rand -base64 24 | cut -c1-32
ARCHNEST_GUAC_CRYPT_KEY=
Add Forgejo Actions build + deploy pipeline (registry -> racknerd2) Build the frontend and backend images in CI, push them to the Forgejo container registry, and deploy to racknerd2 (validation host) over the NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds). - .forgejo/workflows/build.yml: on push to main / manual, build both images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/... (installs the docker CLI in the job; relies on the runner's docker_host=automount to reach the host engine). - .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2, docker compose pull + up -d, then /api/health check. - deploy/docker-compose.yml: registry-image compose. Ports bound to the mesh IP only (Docker bypasses ufw), so the app is reachable over the mesh, not the public interface. - deploy/.env.example + deploy/README.md: deploy host config + full pipeline/prereq docs. - .gitignore: ignore real .env / deploy/.env. Co-authored-by: Samuel James <ssamjame@amazon.com> Co-authored-by: Kiro <noreply@kiro.dev> 2026-06-25 10:04:59 -04:00			# Copy to `.env` next to deploy/docker-compose.yml ON racknerd2 (never commit the real .env).
			`# Compose loads it automatically.`

			`# Image tag to deploy. The build workflow pushes both :latest and the commit`
			`# SHA; use :latest for rolling validation or pin a SHA for a specific build.`
			`ARCHNEST_TAG=latest`

			`# Interface the app is published on. Mesh IP only — do NOT bind 0.0.0.0.`
			`ARCHNEST_BIND_IP=100.96.217.250`

			`# Origin the frontend is served from (used for CORS). Mesh URL for validation.`
			`ARCHNEST_CORS_ORIGIN=http://100.96.217.250:8080`

			`# 32-byte hex. Signs auth JWTs. Generate: openssl rand -hex 32`
			`ARCHNEST_JWT_SECRET=`

			`# 32-byte hex. Encrypts integration secrets at rest (AES-256-GCM).`
			`# Changing this after data exists makes existing secrets undecryptable.`
			`# Generate: openssl rand -hex 32`
			`ARCHNEST_SECRET_KEY=`

			`# Exactly 32 ASCII chars (used literally as an AES-256-CBC key for Guacamole).`
			`# Generate: openssl rand -base64 24 \| cut -c1-32`
			`ARCHNEST_GUAC_CRYPT_KEY=`