docs: update .env.example and README documentation
parent 0fd3b4f9d0
commit 6ff842aa9e
2 changed files with 28 additions and 31 deletions
39 .env.example
@ -3,39 +3,35 @@ ANSIBLE_PRIVATE_KEY_FILE=
|
|||
TF_VAR_region=ca-central
|
||||
TF_VAR_instance_type=g6-nanode-1
|
||||
TF_VAR_image=linode/debian13
|
||||
TF_VAR_group=
|
||||
TF_VAR_ssh_port=22
|
||||
TF_VAR_timezone=America/Toronto
|
||||
TF_VAR_add_cloudflare_ips=false
|
||||
|
||||
TF_VAR_enable_cloudflare_dns=false
|
||||
TF_VAR_enable_services_wildcard=true
|
||||
TF_VAR_object_storage_bucket=
|
||||
TF_VAR_object_storage_region=us-east-1
|
||||
|
||||
S3_BUCKET=
|
||||
S3_REGION=us-east-1
|
||||
S3_ENDPOINT=https://us-east-1.linodeobjects.com
|
||||
|
||||
RESTIC_REPOSITORY=
|
||||
RESTIC_AWS_DEFAULT_REGION=us-east-1
|
||||
INFRA_BACKUP_ONCALENDAR=daily
|
||||
RESTIC_KEEP_DAILY=7
|
||||
RESTIC_KEEP_WEEKLY=4
|
||||
RESTIC_KEEP_MONTHLY=6
|
||||
|
||||
ALERTMANAGER_SLACK_CHANNEL=#alerts
|
||||
ALERTMANAGER_SLACK_USERNAME=alertmanager
|
||||
TF_VAR_tf_state_bucket=
|
||||
TF_VAR_tf_state_region=us-east-1
|
||||
|
||||
AUTHELIA_SMTP_ADDRESS=
|
||||
AUTHELIA_SMTP_USERNAME=
|
||||
AUTHELIA_SMTP_PASSWORD=
|
||||
AUTHELIA_SMTP_SENDER=
|
||||
AUTHELIA_SMTP_IDENTIFIER=
|
||||
AUTHELIA_SMTP_STARTUP_CHECK_ADDRESS=
|
||||
AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK=false
|
||||
# AUTHELIA_NOTIFIER_TYPE=filesystem
|
||||
AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK=true
|
||||
AUTHELIA_NOTIFIER_TYPE=smtp
|
||||
|
||||
# Postmark SMTP Configuration
|
||||
INFRA_BACKUP_ONCALENDAR=daily
|
||||
RESTIC_KEEP_WEEKLY=4
|
||||
|
||||
# Vault-managed variables (defined in vault.yml)
|
||||
# AUTHELIA_SMTP_USERNAME=
|
||||
# AUTHELIA_SMTP_PASSWORD=
|
||||
# RESTIC_KEEP_DAILY=7
|
||||
# RESTIC_KEEP_MONTHLY=6
|
||||
# VAULT_DEPLOY_TOKEN=
|
||||
|
||||
# Optional: Postmark SMTP Configuration
|
||||
# POSTFIX_RELAYHOST=smtp.postmarkapp.com
|
||||
# POSTFIX_RELAYHOST_PORT=2525
|
||||
# POSTFIX_RELAYHOST_USERNAME=your-postmark-server-token
|
||||
|
|
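Review bot: `AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK` flips from `false` to `true` in the same hunk that makes `AUTHELIA_NOTIFIER_TYPE=smtp` the default (the `# AUTHELIA_NOTIFIER_TYPE=filesystem` line is removed), so a wrong relay address or bad SMTP credentials are no longer caught when Authelia starts and will only surface when a password-reset or device-registration mail silently fails to go out; keep the startup check enabled now that SMTP is the real notifier, or add a comment saying why it has to be off. Two smaller points in the same hunk: the retention split looks accidental, since `RESTIC_KEEP_DAILY=7` and `RESTIC_KEEP_MONTHLY=6` move under "Vault-managed variables (defined in vault.yml)" while `RESTIC_KEEP_WEEKLY=4` stays in the plain file, and none of the three is a secret, so all of them belong together in `.env`; and `# POSTFIX_RELAYHOST_USERNAME=your-postmark-server-token` keeps a credential placeholder in the committed example at the same time as `AUTHELIA_SMTP_USERNAME` and `AUTHELIA_SMTP_PASSWORD` are being moved to the vault list, so the Postmark token should be listed under the vault-managed variables alongside them.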
@ -43,6 +39,3 @@ AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK=false
|
|||
# POSTFIX_SMTP_TLS_SECURITY_LEVEL=may
|
||||
# POSTFIX_ALLOWED_SENDER_DOMAINS=yourdomain.com
|
||||
# POSTFIX_ALLOW_EMPTY_SENDER_DOMAINS=true
|
||||
|
||||
# Deployment token for webhook authentication (must match DEPLOY_TOKEN secret in app repos)
|
||||
VAULT_DEPLOY_TOKEN=
|
||||
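Review bot: the removed comment `# Deployment token for webhook authentication (must match DEPLOY_TOKEN secret in app repos)` was the only place that documented the matching requirement, and the surviving `# VAULT_DEPLOY_TOKEN=` entry in the vault-managed list earlier in this file carries no comment at all, so an operator filling in `vault.yml` no longer learns that the value has to equal the `DEPLOY_TOKEN` secret in each app repo; carry that comment over next to the vault entry. Separately, `# POSTFIX_SMTP_TLS_SECURITY_LEVEL=may` is opportunistic TLS: if STARTTLS negotiation with the relayhost fails, Postfix falls back to cleartext and the relayhost username and password (the Postmark token configured above) go over the wire unencrypted, so the documented default for an authenticated relay should be `encrypt`, which makes TLS mandatory.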
18 README.md
@ -284,27 +284,30 @@ ansible-playbook playbooks/web.yml --ask-vault-pass
|
|||
|
||||
## Notes
|
||||
|
||||
- **Grafana/Prometheus/Loki**: Deployed but DNS records commented out in Terraform. Enable by uncommenting in `terraform/main.tf`.
|
||||
- **Grafana/Prometheus/Loki**: Available as optional roles but not deployed by default (commented out in `services.yml`). Enable by uncommenting the role entries.
|
||||
- Loki is exposed on `services:3100` but allowlisted in UFW to `web` only.
|
||||
- Watchtower is enabled with label-based updates.
|
||||
- Airflow/Spark are intentionally optional and can be enabled later via `deploy_airflow` / `deploy_spark`.
|
||||
- **Traefik**: Uses file provider as fallback due to Docker API version mismatch (client 1.24 vs server 1.44). Services have static router definitions in `/opt/traefik/dynamic/base.yml`.
|
||||
- **Traefik**: Uses file provider exclusively (Docker socket access removed). Services have static router definitions in `/opt/traefik/dynamic/base.yml`.
|
||||
- **Postfix**: Relays through Postmark port 2525 (avoids ISP blocking on 587).
|
||||
- **Hardening**: SSH config and unattended-upgrades managed via `hardening` role to prevent StackScript drift.
|
||||
|
||||
## Role layout
|
||||
|
||||
Services host (`services`):
|
||||
|
||||
- `roles/traefik` (with file provider fallback for Docker API compatibility)
|
||||
- `roles/traefik` (file provider only - no Docker socket)
|
||||
- `roles/postfix` (Postmark SMTP relay for transactional email)
|
||||
- `roles/exporters` (node-exporter + cAdvisor)
|
||||
- `roles/app` (active - DNS enabled)
|
||||
- `roles/prometheus` (deployed but DNS commented out)
|
||||
- `roles/loki` (deployed but DNS commented out)
|
||||
- `roles/grafana` (deployed but DNS commented out)
|
||||
- `roles/prometheus` (optional - commented out in services.yml)
|
||||
- `roles/loki` (optional - commented out in services.yml)
|
||||
- `roles/grafana` (optional - commented out in services.yml)
|
||||
- `roles/forgejo`
|
||||
- `roles/alertmanager` (uses localhost:25 Postfix relay)
|
||||
- `roles/watchtower`
|
||||
- `roles/hardening` (SSH hardening, unattended-upgrades)
|
||||
- `roles/backups`
|
||||
- `roles/fail2ban` (Docker-based fail2ban)
|
||||
|
||||
Web host (`web`):
|
||||
|
||||
|
|
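Review bot: the rewritten monitoring bullet now says Grafana/Prometheus/Loki are "not deployed by default (commented out in `services.yml`)", but the following bullet still states unconditionally that "Loki is exposed on `services:3100` but allowlisted in UFW to `web` only", and `roles/alertmanager (uses localhost:25 Postfix relay)` stays in the active services list with nothing saying it has no Prometheus to receive alerts from while that role is commented out; qualify the Loki bullet with "when enabled" and mark Alertmanager's status the same way as the other monitoring roles. The new Traefik note correctly advertises that Docker socket access was removed, but `- Watchtower is enabled with label-based updates.` remains in the same list, and Watchtower works by talking to the Docker socket, so the Notes should either say that the socket is still mounted into the Watchtower container or scope the "no Docker socket" statement to Traefik only.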
@ -312,6 +315,7 @@ Web host (`web`):
|
|||
- `roles/app_core` (optional shared Postgres/Redis)
|
||||
- `roles/forgejo_runner`
|
||||
- `roles/app_deployer` (CI/CD webhook and deployment automation)
|
||||
- `roles/hardening` (SSH hardening, unattended-upgrades)
|
||||
|
||||
## App Deployment
|
||||
|
||||
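Review bot: the `roles/app_deployer (CI/CD webhook and deployment automation)` entry in this hunk says nothing about how the webhook is authenticated, while the companion `.env.example` change in this commit moves the `VAULT_DEPLOY_TOKEN` that guards it into `vault.yml` and drops the comment that it must match the `DEPLOY_TOKEN` secret in the app repos; this entry, or the "App Deployment" section that follows it, is the natural place to restate that requirement and point at `vault.yml`.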