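# Helm values for the "mirror-managed" profile: an nginx gateway (TLS + HTTP basic auth +
# response cache) in front of the Concelier and Excititor mirror endpoints, with MongoDB and
# MinIO as backing stores. Every image below is pinned by sha256 digest.
#
# NOTE(review): several credentials are embedded in plaintext in this file (Mongo password in
# both connection strings, S3 secret key, Mongo and MinIO root passwords). Prefer sourcing
# them from Kubernetes Secrets, as is already done for the authority client secret
# (CLIENTSECRETFILE under /run/secrets). The chart's mechanism for secret references is not
# visible in this file, so the values are left unchanged here.
global:
  profile: mirror-managed
  release:
    version: "2025.10.0-edge"
    channel: edge
    manifestSha256: "822f82987529ea38d2321dbdd2ef6874a4062a117116a20861c26a8df1807beb"
  image:
    pullPolicy: IfNotPresent
  labels:
    stellaops.io/channel: edge

configMaps:
  mirror-gateway:
    data:
      # Main gateway config: cache zone, upstreams, an HTTP->HTTPS redirect and one TLS
      # virtual host per mirror domain. Both virtual hosts require HTTP basic auth, including
      # the community host, although the backends set REQUIREAUTHENTICATION "false" for the
      # community domain - confirm which layer is meant to enforce access.
      # The cache key contains $host, so the two virtual hosts do not share cache entries.
      # NOTE(review): ssl_ciphers is not set, so TLS 1.2 cipher selection falls back to the
      # nginx/OpenSSL defaults of the pinned image.
      # NOTE(review): the gateway Service below publishes only port 443, so the port-80
      # redirect server is presumably not reachable through the load balancer.
      mirror.conf: |
        proxy_cache_path /var/cache/nginx/mirror levels=1:2 keys_zone=mirror_cache:100m max_size=10g inactive=12h use_temp_path=off;

        map $request_uri $mirror_cache_key {
            default $scheme$request_method$host$request_uri;
        }

        upstream concelier_backend {
            server stellaops-concelier:8445;
            keepalive 32;
        }

        upstream excititor_backend {
            server stellaops-excititor:8448;
            keepalive 32;
        }

        server {
            listen 80;
            server_name _;
            return 301 https://$host$request_uri;
        }

        server {
            listen 443 ssl http2;
            server_name mirror-primary.stella-ops.org;

            ssl_certificate /etc/nginx/tls/mirror-primary.crt;
            ssl_certificate_key /etc/nginx/tls/mirror-primary.key;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;

            auth_basic "StellaOps Mirror – primary";
            auth_basic_user_file /etc/nginx/secrets/mirror-primary.htpasswd;

            include /etc/nginx/conf.d/mirror-locations.conf;
        }

        server {
            listen 443 ssl http2;
            server_name mirror-community.stella-ops.org;

            ssl_certificate /etc/nginx/tls/mirror-community.crt;
            ssl_certificate_key /etc/nginx/tls/mirror-community.key;
            ssl_protocols TLSv1.2 TLSv1.3;
            ssl_prefer_server_ciphers on;

            auth_basic "StellaOps Mirror – community";
            auth_basic_user_file /etc/nginx/secrets/mirror-community.htpasswd;

            include /etc/nginx/conf.d/mirror-locations.conf;
        }

      # Location rules shared by both virtual hosts (included inside each server block).
      # Only the export/mirror download paths are cached; everything else is proxied
      # uncached, and unknown paths return 404.
      # NOTE(review): this file lives in /etc/nginx/conf.d with a .conf suffix. If the image's
      # stock nginx.conf is in use, its conf.d/*.conf include would also load this file at
      # http level, where "location" is not allowed - verify with `nginx -t`, or rename the
      # key to a non-.conf suffix.
      # NOTE(review): $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
      # client sent. If the backends derive rate limits or BYPASSNETWORKS decisions from that
      # header, they should trust only the last hop (or X-Real-IP, which is set from
      # $remote_addr here).
      # NOTE(review): nginx forwards the client's Authorization header upstream unless it is
      # cleared, so basic-auth credentials presumably reach the backends over plain HTTP.
      # NOTE(review): "Cache-Control: public" permits downstream shared caches to store
      # responses that were fetched with credentials; confirm that is intended for the
      # primary (authenticated) domain.
      mirror-locations.conf: |
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

        add_header X-Cache-Status $upstream_cache_status always;

        location = /healthz {
            default_type application/json;
            return 200 '{"status":"ok"}';
        }

        location /concelier/exports/ {
            proxy_pass http://concelier_backend/concelier/exports/;
            proxy_cache mirror_cache;
            proxy_cache_key $mirror_cache_key;
            proxy_cache_valid 200 5m;
            proxy_cache_valid 404 1m;
            # add_header is inherited only when a level defines none of its own, so the
            # server-level X-Cache-Status has to be repeated next to Cache-Control.
            add_header X-Cache-Status $upstream_cache_status always;
            add_header Cache-Control "public, max-age=300, immutable" always;
        }

        location /concelier/ {
            proxy_pass http://concelier_backend/concelier/;
            proxy_cache off;
        }

        location /excititor/mirror/ {
            proxy_pass http://excititor_backend/excititor/mirror/;
            proxy_cache mirror_cache;
            proxy_cache_key $mirror_cache_key;
            proxy_cache_valid 200 5m;
            proxy_cache_valid 404 1m;
            # Repeated for the same add_header inheritance reason as /concelier/exports/.
            add_header X-Cache-Status $upstream_cache_status always;
            add_header Cache-Control "public, max-age=300, immutable" always;
        }

        location /excititor/ {
            proxy_pass http://excititor_backend/excititor/;
            proxy_cache off;
        }

        location / {
            return 404;
        }

services:
  concelier:
    image: registry.stella-ops.org/stellaops/concelier@sha256:dafef3954eb4b837e2c424dd2d23e1e4d60fa83794840fac9cd3dea1d43bd085
    service:
      port: 8445
    env:
      ASPNETCORE_URLS: "http://+:8445"
      # NOTE(review): plaintext password in the URI, and the account is the same one that
      # MongoDB is initialised with as root (MONGO_INITDB_ROOT_USERNAME, authSource=admin).
      # A dedicated least-privilege database user would limit the impact of a leak.
      CONCELIER__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops_mirror:mirror-password@stellaops-mongo:27017/concelier?authSource=admin"
      # NOTE(review): plain-HTTP S3 endpoint, and the access key / secret equal the MinIO
      # root credentials configured under services.minio.
      CONCELIER__STORAGE__S3__ENDPOINT: "http://stellaops-minio:9000"
      CONCELIER__STORAGE__S3__ACCESSKEYID: "stellaops-mirror"
      CONCELIER__STORAGE__S3__SECRETACCESSKEY: "mirror-minio-secret"
      CONCELIER__TELEMETRY__SERVICENAME: "stellaops-concelier-mirror"
      CONCELIER__MIRROR__ENABLED: "true"
      CONCELIER__MIRROR__EXPORTROOT: "/exports/json"
      CONCELIER__MIRROR__LATESTDIRECTORYNAME: "latest"
      CONCELIER__MIRROR__MIRRORDIRECTORYNAME: "mirror"
      CONCELIER__MIRROR__REQUIREAUTHENTICATION: "true"
      CONCELIER__MIRROR__MAXINDEXREQUESTSPERHOUR: "600"
      CONCELIER__MIRROR__DOMAINS__0__ID: "primary"
      CONCELIER__MIRROR__DOMAINS__0__DISPLAYNAME: "Primary Mirror"
      CONCELIER__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "true"
      CONCELIER__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "3600"
      CONCELIER__MIRROR__DOMAINS__1__ID: "community"
      CONCELIER__MIRROR__DOMAINS__1__DISPLAYNAME: "Community Mirror"
      CONCELIER__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "false"
      CONCELIER__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "1800"
      CONCELIER__AUTHORITY__ENABLED: "true"
      CONCELIER__AUTHORITY__ALLOWANONYMOUSFALLBACK: "false"
      CONCELIER__AUTHORITY__ISSUER: "https://authority.stella-ops.org"
      CONCELIER__AUTHORITY__METADATAADDRESS: ""
      CONCELIER__AUTHORITY__CLIENTID: "stellaops-concelier-mirror"
      CONCELIER__AUTHORITY__CLIENTSECRETFILE: "/run/secrets/concelier-authority-client"
      CONCELIER__AUTHORITY__CLIENTSCOPES__0: "concelier.mirror.read"
      CONCELIER__AUTHORITY__AUDIENCES__0: "api://concelier.mirror"
      # NOTE(review): 10.0.0.0/8 is a very wide bypass range. If pod or node addresses fall
      # inside it, requests proxied by the gateway would presumably skip authority checks,
      # leaving gateway basic auth as the only control. Narrow to the CIDRs that need it.
      CONCELIER__AUTHORITY__BYPASSNETWORKS__0: "10.0.0.0/8"
      CONCELIER__AUTHORITY__BYPASSNETWORKS__1: "127.0.0.1/32"
      CONCELIER__AUTHORITY__BYPASSNETWORKS__2: "::1/128"
      CONCELIER__AUTHORITY__RESILIENCE__ENABLERETRIES: "true"
      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__0: "00:00:01"
      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__1: "00:00:02"
      CONCELIER__AUTHORITY__RESILIENCE__RETRYDELAYS__2: "00:00:05"
      CONCELIER__AUTHORITY__RESILIENCE__ALLOWOFFLINECACHEFALLBACK: "true"
      CONCELIER__AUTHORITY__RESILIENCE__OFFLINECACHETOLERANCE: "00:10:00"
    volumeMounts:
      - name: concelier-jobs
        mountPath: /var/lib/concelier/jobs
      - name: concelier-exports
        mountPath: /exports/json
      # Secret material is mounted read-only; CLIENTSECRETFILE above points into this path.
      - name: concelier-secrets
        mountPath: /run/secrets
        readOnly: true
    volumes:
      - name: concelier-jobs
        persistentVolumeClaim:
          claimName: concelier-mirror-jobs
      - name: concelier-exports
        persistentVolumeClaim:
          claimName: concelier-mirror-exports
      - name: concelier-secrets
        secret:
          secretName: concelier-mirror-auth

  # NOTE(review): unlike concelier, no `service.port` is declared here, yet the gateway
  # upstream targets stellaops-excititor:8448 - confirm the chart still creates that Service.
  excititor:
    image: registry.stella-ops.org/stellaops/excititor@sha256:d9bd5cadf1eab427447ce3df7302c30ded837239771cc6433b9befb895054285
    env:
      ASPNETCORE_URLS: "http://+:8448"
      # NOTE(review): same plaintext Mongo root credentials as the concelier service.
      EXCITITOR__STORAGE__MONGO__CONNECTIONSTRING: "mongodb://stellaops_mirror:mirror-password@stellaops-mongo:27017/excititor?authSource=admin"
      EXCITITOR__STORAGE__MONGO__DATABASENAME: "excititor"
      EXCITITOR__ARTIFACTS__FILESYSTEM__ROOT: "/exports"
      EXCITITOR__ARTIFACTS__FILESYSTEM__OVERWRITEEXISTING: "false"
      EXCITITOR__MIRROR__DOMAINS__0__ID: "primary"
      EXCITITOR__MIRROR__DOMAINS__0__DISPLAYNAME: "Primary Mirror"
      EXCITITOR__MIRROR__DOMAINS__0__REQUIREAUTHENTICATION: "true"
      EXCITITOR__MIRROR__DOMAINS__0__MAXINDEXREQUESTSPERHOUR: "300"
      EXCITITOR__MIRROR__DOMAINS__0__MAXDOWNLOADREQUESTSPERHOUR: "2400"
      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__KEY: "consensus-json"
      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__FORMAT: "json"
      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__0__VIEW: "consensus"
      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__KEY: "consensus-openvex"
      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__FORMAT: "openvex"
      EXCITITOR__MIRROR__DOMAINS__0__EXPORTS__1__VIEW: "consensus"
      EXCITITOR__MIRROR__DOMAINS__1__ID: "community"
      EXCITITOR__MIRROR__DOMAINS__1__DISPLAYNAME: "Community Mirror"
      EXCITITOR__MIRROR__DOMAINS__1__REQUIREAUTHENTICATION: "false"
      EXCITITOR__MIRROR__DOMAINS__1__MAXINDEXREQUESTSPERHOUR: "120"
      EXCITITOR__MIRROR__DOMAINS__1__MAXDOWNLOADREQUESTSPERHOUR: "600"
      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__KEY: "community-consensus"
      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__FORMAT: "json"
      EXCITITOR__MIRROR__DOMAINS__1__EXPORTS__0__VIEW: "consensus"
    volumeMounts:
      - name: excititor-exports
        mountPath: /exports
      - name: excititor-secrets
        mountPath: /run/secrets
        readOnly: true
    volumes:
      - name: excititor-exports
        persistentVolumeClaim:
          claimName: excititor-mirror-exports
      - name: excititor-secrets
        secret:
          secretName: excititor-mirror-auth

  mongo:
    class: infrastructure
    image: docker.io/library/mongo@sha256:c258b26dbb7774f97f52aff52231ca5f228273a84329c5f5e451c3739457db49
    service:
      port: 27017
    # --bind_ip_all makes mongod listen on every interface of the pod; which clients can
    # reach it depends on the Service type and NetworkPolicy, neither of which is set here.
    command:
      - mongod
      - --bind_ip_all
    env:
      # NOTE(review): plaintext root credentials; replace before any non-lab deployment and
      # supply them from a Secret.
      MONGO_INITDB_ROOT_USERNAME: "stellaops_mirror"
      MONGO_INITDB_ROOT_PASSWORD: "mirror-password"
    volumeMounts:
      - name: mongo-data
        mountPath: /data/db
    volumeClaims:
      - name: mongo-data
        claimName: mirror-mongo-data

  minio:
    class: infrastructure
    image: docker.io/minio/minio@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
    service:
      port: 9000
    # The admin console listens on :9001 inside the pod; only port 9000 is declared on the
    # Service above.
    command:
      - server
      - /data
      - --console-address
      - ":9001"
    env:
      # NOTE(review): plaintext root credentials, reused by concelier as its S3 access key
      # and secret. Prefer a Secret plus a scoped MinIO service account for the application.
      MINIO_ROOT_USER: "stellaops-mirror"
      MINIO_ROOT_PASSWORD: "mirror-minio-secret"
    volumeMounts:
      - name: minio-data
        mountPath: /data
    volumeClaims:
      - name: minio-data
        claimName: mirror-minio-data

  # The only service published through a LoadBalancer; TLS certificates and htpasswd files
  # come from Secrets mounted read-only.
  mirror-gateway:
    image: docker.io/library/nginx@sha256:208b70eefac13ee9be00e486f79c695b15cef861c680527171a27d253d834be9
    service:
      type: LoadBalancer
      port: 443
      portName: https
      targetPort: 443
    configMounts:
      - name: mirror-gateway-conf
        mountPath: /etc/nginx/conf.d
        configMap: mirror-gateway
    volumeMounts:
      - name: mirror-gateway-tls
        mountPath: /etc/nginx/tls
        readOnly: true
      - name: mirror-gateway-secrets
        mountPath: /etc/nginx/secrets
        readOnly: true
      - name: mirror-cache
        mountPath: /var/cache/nginx
    volumes:
      - name: mirror-gateway-tls
        secret:
          secretName: mirror-gateway-tls
      - name: mirror-gateway-secrets
        secret:
          secretName: mirror-gateway-htpasswd
      # NOTE(review): no sizeLimit on the emptyDir, while proxy_cache_path allows up to 10g;
      # a full cache counts against the node's ephemeral storage.
      - name: mirror-cache
        emptyDir: {}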