git.stella-ops.org/docs/21_INSTALL_GUIDE.md
StellaOps Bot 7503c19b8f Add determinism tests for verdict artifact generation and update SHA256 sums script
- Implemented comprehensive tests for verdict artifact generation to ensure deterministic outputs across various scenarios, including identical inputs, parallel execution, and change ordering.
- Created helper methods for generating sample verdict inputs and computing canonical hashes.
- Added tests to validate the stability of canonical hashes, proof spine ordering, and summary statistics.
- Introduced a new PowerShell script to update SHA256 sums for files, ensuring accurate hash generation and file integrity checks.
2025-12-24 02:17:34 +02:00
# Installation guide (Docker Compose + air-gap)
This guide explains how to run StellaOps from this repository using deterministic deployment bundles under `deploy/`.
## Prerequisites
- Docker Engine with Compose v2.
- Enough disk for container images plus scan artifacts (SBOMs, logs, caches).
- For production-style installs, plan for persistent volumes (PostgreSQL + object storage) and a secrets provider.
## Connected host (dev / evaluation)
StellaOps ships reproducible Compose profiles pinned to immutable digests.
```bash
cd deploy/compose
cp env/dev.env.example dev.env
docker compose --env-file dev.env -f docker-compose.dev.yaml config
docker compose --env-file dev.env -f docker-compose.dev.yaml up -d
```
Verify:
```bash
docker compose --env-file dev.env -f docker-compose.dev.yaml ps
```
Defaults (from `deploy/compose/env/dev.env.example`):
- UI: `https://localhost:8443`
- Scanner API: `http://localhost:8444` (insecure; use the profile's front door for TLS)
## Air-gapped host (Compose profile)
Use the air-gap profile to avoid outbound hostnames and to align defaults with offline operation:
```bash
cd deploy/compose
cp env/airgap.env.example airgap.env
docker compose --env-file airgap.env -f docker-compose.airgap.yaml config
docker compose --env-file airgap.env -f docker-compose.airgap.yaml up -d
```
For offline bundles, imports, and update workflows, use:
- `docs/24_OFFLINE_KIT.md`
- `docs/airgap/overview.md`
- `docs/airgap/importer.md`
- `docs/airgap/controller.md`
## Hardening: require Authority for Concelier job triggers
If Concelier is exposed to untrusted networks, require Authority-issued tokens for `/jobs*` endpoints:
```bash
CONCELIER_AUTHORITY__ENABLED=true
CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=false
```
Store the client secret outside source control (Docker secrets, mounted file, or Kubernetes Secret). For audit fields and alerting guidance, see `docs/modules/concelier/operations/authority-audit-runbook.md`.
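Two properties this guide relies on can be checked before running `up -d`: the Compose profile's images are pinned to immutable digests, and the env file requires Authority for Concelier job triggers. The script below is an added pre-flight example, not a script from the StellaOps repository; the compose and env file contents it writes are constructed samples, and the digests in them are placeholders.

```bash
#!/usr/bin/env bash
# Pre-flight for a StellaOps Compose bundle (added example, not a script from the repo):
#   1. every `image:` value in the compose file is pinned to an immutable sha256 digest
#   2. the env file requires Authority-issued tokens for Concelier /jobs* endpoints
# Run the checks before `docker compose ... up -d`; the file names below are constructed.

# Return 1 (and list offenders on stderr) if any image reference lacks @sha256:<64 hex>.
check_pinned_images() {
  local compose="$1" unpinned
  unpinned=$(awk '$1 == "image:" { v = $2; gsub(/"/, "", v); print v }' "$compose" \
             | grep -Ev '@sha256:[0-9a-f]{64}$' || true)
  [ -z "$unpinned" ] && return 0
  printf '%s\n' "$unpinned" | sed 's/^/unpinned image reference: /' >&2
  return 1
}

# Return 0 only if Authority is enabled AND anonymous fallback is explicitly disabled.
check_concelier_authority() {
  local envfile="$1"
  grep -q '^CONCELIER_AUTHORITY__ENABLED=true$' "$envfile" &&
    grep -q '^CONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=false$' "$envfile"
}

# Both checks must pass for the bundle to be considered deployable.
preflight() { check_pinned_images "$1" && check_concelier_authority "$2"; }

# Constructed sample inputs (digests are placeholders, not real image digests).
write_samples() {
  local dir="$1"
  cat > "$dir/pinned.yaml" <<'EOF'
services:
  scanner:
    image: registry.example/stellaops/scanner@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  ui:
    image: "registry.example/stellaops/ui@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
EOF
  cat > "$dir/drift.yaml" <<'EOF'
services:
  scanner:
    image: registry.example/stellaops/scanner:latest
EOF
  printf 'CONCELIER_AUTHORITY__ENABLED=true\nCONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=false\n' > "$dir/hardened.env"
  printf 'CONCELIER_AUTHORITY__ENABLED=true\nCONCELIER_AUTHORITY__ALLOWANONYMOUSFALLBACK=true\n' > "$dir/weak.env"
}

# Demo: the pinned + hardened pair passes, the drifting + weak pair is rejected.
samples=$(mktemp -d) && write_samples "$samples"
preflight "$samples/pinned.yaml" "$samples/hardened.env" && echo "pinned + hardened: OK"
preflight "$samples/drift.yaml" "$samples/weak.env" || echo "drift + weak: REJECTED (expected)"
```

Point `preflight` at the real `docker-compose.dev.yaml` (or `docker-compose.airgap.yaml`) and the env file you copied; a mutable tag such as `:latest` or a missing `ALLOWANONYMOUSFALLBACK=false` line fails the check.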
## Quota / licensing (optional)
Quota enforcement is configuration-driven. For the current posture and operational implications, see:
- `docs/33_333_QUOTA_OVERVIEW.md`
- `docs/30_QUOTA_ENFORCEMENT_FLOW1.md`
- `docs/license-jwt-quota.md`
## Next steps
- Quick start: `docs/quickstart.md`
- Architecture overview: `docs/40_ARCHITECTURE_OVERVIEW.md`
- Detailed technical index: `docs/technical/README.md`
- Roadmap: `docs/05_ROADMAP.md`