devops folders consolidate

2026-01-25 23:27:41 +02:00
parent 6e687b523a
commit a743bb9a1d
613 changed files with 8611 additions and 41846 deletions
--- a/devops/compose/env/stellaops.env.example
+++ b/devops/compose/env/stellaops.env.example
@@ -0,0 +1,171 @@
+# =============================================================================
+# STELLA OPS ENVIRONMENT CONFIGURATION
+# =============================================================================
+# Main environment template for docker-compose.stella-ops.yml
+# Copy to .env and customize for your deployment.
+#
+# Usage:
+#   cp env/stellaops.env.example .env
+#   docker compose -f docker-compose.stella-ops.yml up -d
+#
+# =============================================================================
+
+# =============================================================================
+# INFRASTRUCTURE
+# =============================================================================
+
+# PostgreSQL Database
+POSTGRES_USER=stellaops
+POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD
+POSTGRES_DB=stellaops_platform
+POSTGRES_PORT=5432
+
+# Valkey (Redis-compatible cache and messaging)
+VALKEY_PORT=6379
+
+# RustFS Object Storage
+RUSTFS_HTTP_PORT=8080
+
+# =============================================================================
+# CORE SERVICES
+# =============================================================================
+
+# Authority (OAuth2/OIDC)
+AUTHORITY_ISSUER=https://authority.example.com
+AUTHORITY_PORT=8440
+AUTHORITY_OFFLINE_CACHE_TOLERANCE=00:30:00
+
+# Signer
+SIGNER_POE_INTROSPECT_URL=https://licensing.example.com/introspect
+SIGNER_PORT=8441
+
+# Attestor
+ATTESTOR_PORT=8442
+
+# Issuer Directory
+ISSUER_DIRECTORY_PORT=8447
+ISSUER_DIRECTORY_SEED_CSAF=true
+
+# Concelier
+CONCELIER_PORT=8445
+
+# Notify
+NOTIFY_WEB_PORT=8446
+
+# Web UI
+UI_PORT=8443
+
+# =============================================================================
+# SCANNER CONFIGURATION
+# =============================================================================
+
+SCANNER_WEB_PORT=8444
+
+# Queue configuration (Valkey only - NATS removed)
+SCANNER__QUEUE__BROKER=valkey://valkey:6379
+
+# Event streaming
+SCANNER_EVENTS_ENABLED=false
+SCANNER_EVENTS_DRIVER=valkey
+SCANNER_EVENTS_DSN=valkey:6379
+SCANNER_EVENTS_STREAM=stella.events
+SCANNER_EVENTS_PUBLISH_TIMEOUT_SECONDS=5
+SCANNER_EVENTS_MAX_STREAM_LENGTH=10000
+
+# Surface cache configuration
+SCANNER_SURFACE_FS_ENDPOINT=http://rustfs:8080
+SCANNER_SURFACE_FS_BUCKET=surface-cache
+SCANNER_SURFACE_CACHE_ROOT=/var/lib/stellaops/surface
+SCANNER_SURFACE_CACHE_QUOTA_MB=4096
+SCANNER_SURFACE_PREFETCH_ENABLED=false
+SCANNER_SURFACE_TENANT=default
+SCANNER_SURFACE_FEATURES=
+SCANNER_SURFACE_SECRETS_PROVIDER=file
+SCANNER_SURFACE_SECRETS_NAMESPACE=
+SCANNER_SURFACE_SECRETS_ROOT=/etc/stellaops/secrets
+SCANNER_SURFACE_SECRETS_FALLBACK_PROVIDER=
+SCANNER_SURFACE_SECRETS_ALLOW_INLINE=false
+SURFACE_SECRETS_HOST_PATH=./offline/surface-secrets
+
+# Offline Kit configuration
+SCANNER_OFFLINEKIT_ENABLED=false
+SCANNER_OFFLINEKIT_REQUIREDSSE=true
+SCANNER_OFFLINEKIT_REKOROFFLINEMODE=true
+SCANNER_OFFLINEKIT_TRUSTROOTDIRECTORY=/etc/stellaops/trust-roots
+SCANNER_OFFLINEKIT_REKORSNAPSHOTDIRECTORY=/var/lib/stellaops/rekor-snapshot
+SCANNER_OFFLINEKIT_TRUSTROOTS_HOST_PATH=./offline/trust-roots
+SCANNER_OFFLINEKIT_REKOR_SNAPSHOT_HOST_PATH=./offline/rekor-snapshot
+
+# =============================================================================
+# SCHEDULER CONFIGURATION
+# =============================================================================
+
+# Queue configuration (Valkey only - NATS removed)
+SCHEDULER__QUEUE__KIND=Valkey
+SCHEDULER__QUEUE__VALKEY__URL=valkey:6379
+SCHEDULER_SCANNER_BASEADDRESS=http://scanner-web:8444
+
+# =============================================================================
+# REKOR / SIGSTORE CONFIGURATION
+# =============================================================================
+
+# Rekor server URL (default: public Sigstore, use http://rekor-v2:3000 for local)
+REKOR_SERVER_URL=https://rekor.sigstore.dev
+REKOR_VERSION=V2
+REKOR_TILE_BASE_URL=
+REKOR_LOG_ID=c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d
+REKOR_TILES_IMAGE=ghcr.io/sigstore/rekor-tiles:latest
+
+# =============================================================================
+# ADVISORY AI CONFIGURATION
+# =============================================================================
+
+ADVISORY_AI_WEB_PORT=8448
+ADVISORY_AI_SBOM_BASEADDRESS=http://scanner-web:8444
+ADVISORY_AI_INFERENCE_MODE=Local
+ADVISORY_AI_REMOTE_BASEADDRESS=
+ADVISORY_AI_REMOTE_APIKEY=
+
+# =============================================================================
+# CRYPTO CONFIGURATION
+# =============================================================================
+
+# Crypto profile: default, china, russia, eu
+STELLAOPS_CRYPTO_PROFILE=default
+
+# Enable crypto simulation (for testing)
+STELLAOPS_CRYPTO_ENABLE_SIM=0
+STELLAOPS_CRYPTO_SIM_URL=http://sim-crypto:8080
+
+# CryptoPro (Russia only) - requires EULA acceptance
+CRYPTOPRO_PORT=18080
+CRYPTOPRO_ACCEPT_EULA=0
+CRYPTOPRO_CONTAINER_NAME=stellaops-signing
+CRYPTOPRO_USE_MACHINE_STORE=true
+CRYPTOPRO_PROVIDER_TYPE=80
+
+# SM Remote (China only)
+SM_REMOTE_PORT=56080
+SM_SOFT_ALLOWED=1
+SM_REMOTE_HSM_URL=
+SM_REMOTE_HSM_API_KEY=
+SM_REMOTE_HSM_TIMEOUT=30000
+
+# =============================================================================
+# NETWORKING
+# =============================================================================
+
+# External reverse proxy network (Traefik, Envoy, etc.)
+FRONTDOOR_NETWORK=stellaops_frontdoor
+
+# =============================================================================
+# TELEMETRY (optional)
+# =============================================================================
+
+OTEL_GRPC_PORT=4317
+OTEL_HTTP_PORT=4318
+OTEL_PROMETHEUS_PORT=9464
+PROMETHEUS_PORT=9090
+TEMPO_PORT=3200
+LOKI_PORT=3100
+PROMETHEUS_RETENTION=15d