dev_arc_aws/deploy/.env.example
Samuel James 066a4f97bc Add Forgejo Actions build + deploy pipeline (registry -> racknerd2)
Build the frontend and backend images in CI, push them to the Forgejo
container registry, and deploy to racknerd2 (validation host) over the
NetBird mesh. racknerd2 only pulls + runs (1.9 GiB RAM, never builds).

- .forgejo/workflows/build.yml: on push to main / manual, build both
  images and push :latest + :<sha> to forgejo.snsnetlabs.com/sam/...
  (installs the docker CLI in the job; relies on the runner's
  docker_host=automount to reach the host engine).
- .forgejo/workflows/deploy.yml: manual dispatch; SSH to racknerd2,
  docker compose pull + up -d, then /api/health check.
- deploy/docker-compose.yml: registry-image compose. Ports bound to the
  mesh IP only (Docker bypasses ufw), so the app is reachable over the
  mesh, not the public interface.
- deploy/.env.example + deploy/README.md: deploy host config + full
  pipeline/prereq docs.
- .gitignore: ignore real .env / deploy/.env.

Co-authored-by: Samuel James <ssamjame@amazon.com>
Co-authored-by: Kiro <noreply@kiro.dev>
2026-06-25 10:04:59 -04:00

24 lines
979 B
Text

# Copy to `.env` next to deploy/docker-compose.yml ON racknerd2 (never commit the real .env).
# Compose loads it automatically.
# Image tag to deploy. The build workflow pushes both :latest and the commit
# SHA; use :latest for rolling validation or pin a SHA for a specific build.
ARCHNEST_TAG=latest
# Interface the app is published on. Mesh IP only — do NOT bind 0.0.0.0.
ARCHNEST_BIND_IP=100.96.217.250
# Origin the frontend is served from (used for CORS). Mesh URL for validation.
ARCHNEST_CORS_ORIGIN=http://100.96.217.250:8080
# 32-byte hex. Signs auth JWTs. Generate: openssl rand -hex 32
ARCHNEST_JWT_SECRET=
# 32-byte hex. Encrypts integration secrets at rest (AES-256-GCM).
# Changing this after data exists makes existing secrets undecryptable.
# Generate: openssl rand -hex 32
ARCHNEST_SECRET_KEY=
# Exactly 32 ASCII chars (used literally as an AES-256-CBC key for Guacamole).
# Generate: openssl rand -base64 24 | cut -c1-32
ARCHNEST_GUAC_CRYPT_KEY=
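
A preflight check for the filled-in `.env`, enforcing the formats the comments above describe before `docker compose up` is run. This is an added example, not part of the repository: `env_get` and `check_env` are hypothetical helper names, and the rule that the JWT secret and the at-rest key must differ is an assumption.

```shell
#!/bin/sh
# Added example: preflight check for deploy/.env on the deploy host.
# env_get and check_env are hypothetical helpers, not part of the repository.
# Usage after defining the functions: check_env deploy/.env

# Print the value of KEY from FILE. The file is parsed, never sourced, so a
# malformed .env cannot execute anything. Assumes unquoted KEY=value lines.
env_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print one line per problem; return 0 only if every check passes.
check_env() {
    file=$1
    rc=0

    # Published ports must sit on one specific address, never a wildcard.
    case $(env_get ARCHNEST_BIND_IP "$file") in
        '' | 0.0.0.0 | '::' | '*')
            echo "ARCHNEST_BIND_IP: set a specific mesh address, not a wildcard"
            rc=1 ;;
    esac

    # 32 random bytes in hex are exactly 64 hex digits.
    for name in ARCHNEST_JWT_SECRET ARCHNEST_SECRET_KEY; do
        if ! env_get "$name" "$file" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
            echo "$name: expected 64 hex chars (openssl rand -hex 32)"
            rc=1
        fi
    done

    # Assumption: the signing key and the at-rest key are meant to be independent.
    if [ "$(env_get ARCHNEST_JWT_SECRET "$file")" = "$(env_get ARCHNEST_SECRET_KEY "$file")" ]; then
        echo "ARCHNEST_JWT_SECRET and ARCHNEST_SECRET_KEY must differ"
        rc=1
    fi

    # Used literally as an AES-256 key: exactly 32 printable ASCII characters.
    if ! env_get ARCHNEST_GUAC_CRYPT_KEY "$file" | LC_ALL=C grep -Eq '^[!-~]{32}$'; then
        echo "ARCHNEST_GUAC_CRYPT_KEY: expected exactly 32 printable ASCII chars"
        rc=1
    fi

    return "$rc"
}
```

Run against this example file unchanged, the check fails on the three empty secrets, which is the intended result for a template.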