[default] # This option enables GARM to manage webhooks for repositories and organizations. Set this # to false to disable the API routes that manage webhooks. # # When managing webhooks, the PAT you're using must have the necessary access to create/list/delete # webhooks for repositories or organizations. enable_webhook_management = true # DEPRECATED: Use the [logging] section to set this option. # Uncomment this line if you'd like to log to a file instead of standard output. # log_file = "/tmp/runner-manager.log" # DEPRECATED: Use the [logging] section to set this option. # Enable streaming logs via web sockets. Use garm-cli debug-log. enable_log_streamer = false # Enable the golang debug server. See the documentation in the "doc" folder for more information. debug_server = false [logging] # Uncomment this line if you'd like to log to a file instead of standard output. # log_file = "/tmp/runner-manager.log" # enable_log_streamer enables streaming the logs over websockets enable_log_streamer = true # log_format is the output format of the logs. GARM uses structured logging and can # output as "text" or "json" log_format = "text" # log_level is the logging level GARM will output. Available log levels are: # * debug # * info # * warn # * error log_level = "debug" # log_source will output information about the function that generated the log line. log_source = false [metrics] # Toggle metrics. If set to false, the API endpoint for metrics collection will # be disabled. enable = true # Toggle to disable authentication (not recommended) on the metrics endpoint. # If you do disable authentication, I encourage you to put a reverse proxy in front # of garm and limit which systems can access that particular endpoint. Ideally, you # would enable some kind of authentication using the reverse proxy, if the built-in auth # is not sufficient for your needs. disable_auth = false [jwt_auth] # A JWT token secret used to sign tokens. # Obviously, this needs to be changed :). secret = ")9gk_4A6KrXz9D2u`0@MPea*sd6W`%@5MAWpWWJ3P3EqW~qB!!(Vd$FhNc*eU4vG" # Time to live for tokens. Both the instances and you will use JWT tokens to # authenticate against the API. However, this TTL is applied only to tokens you # get when logging into the API. The tokens issued to the instances we manage, # have a TTL based on the runner bootstrap timeout set on each pool. The minimum # TTL for this token is 24h. time_to_live = "8760h" [apiserver] # Bind the API to this IP bind = "0.0.0.0" # Bind the API to this port port = 9997 # Whether or not to set up TLS for the API endpoint. If this is set to true, # you must have a valid apiserver.tls section. use_tls = false # Set a list of allowed origins # By default, if this option is ommited or empty, we will check # only that the origin is the same as the originating server. # A literal of "*" will allow any origin cors_origins = ["*"] [apiserver.tls] # Path on disk to a x509 certificate bundle. # NOTE: if your certificate is signed by an intermediary CA, this file # must contain the entire certificate bundle needed for clients to validate # the certificate. This usually means concatenating the certificate and the # CA bundle you received. certificate = "" # The path on disk to the corresponding private key for the certificate. key = "" [apiserver.webui] enable = true [database] # Turn on/off debugging for database queries. debug = false # Database backend to use. Currently supported backends are: # * sqlite3 backend = "sqlite3" # the passphrase option is a temporary measure by which we encrypt the webhook # secret that gets saved to the database, using AES256. In the future, secrets # will be saved to something like Barbican or Vault, eliminating the need for # this. This setting needs to be 32 characters in size. passphrase = "shreotsinWadquidAitNefayctowUrph" [database.sqlite3] # Path on disk to the sqlite3 database file. db_file = "/etc/garm/garm.db" # busy_timeout_seconds is an optional parameter that will set the # sqlite3_busy_timeout to the specified value. This is useful when # GARM may be under heavy load and the database is locked by some # other go routine. The default value is 0. busy_timeout_seconds = 5 # Currently, providers are defined statically in the config. This is due to the fact # that we have not yet added support for storing secrets in something like Barbican # or Vault. This will change in the future. However, for now, it's important to remember # that once you create a pool using one of the providers defined here, the name of that # provider must not be changed, or the pool will no longer work. Make sure you remove any # pools before removing or changing a provider. [[provider]] # An arbitrary string describing this provider. name = "lxd_local" # Provider type. Garm is designed to allow creating providers which are used to spin # up compute resources, which in turn will run the github runner software. # Currently, LXD is the only supprted provider, but more will be written in the future. provider_type = "lxd" # A short description of this provider. The name, description and provider types will # be included in the information returned by the API when listing available providers. description = "Local LXD installation" # DisableJITConfig explicitly disables JIT configuration and forces runner registration # tokens to be used. This may happen if a provider has not yet been updated to support # JIT configuration. # # Set this to true if your provider does not support JIT configuration. disable_jit_config = false [provider.lxd] # the path to the unix socket that LXD is listening on. This works if garm and LXD # are on the same system, and this option takes precedence over the "url" option, # which connects over the network. unix_socket_path = "/var/snap/lxd/common/lxd/unix.socket" # When defining a pool for a repository or an organization, you have an option to # specify a "flavor". In LXD terms, this translates to "profiles". Profiles allow # you to customize your instances (memory, cpu, disks, nics, etc). # This option allows you to inject the "default" profile along with the profile selected # by the flavor. include_default_profile = false # instance_type defines the type of instances this provider will create. # # Options are: # # * virtual-machine (default) # * container # instance_type = "container" # enable/disable secure boot. If the image you select for the pool does not have a # signed bootloader, set this to false, otherwise your instances won't boot. secure_boot = false # Project name to use. You can create a separate project in LXD for runners. project_name = "default" # URL is the address on which LXD listens for connections (ex: https://example.com:8443) url = "" # garm supports certificate authentication for LXD remote connections. The easiest way # to get the needed certificates, is to install the lxc client and add a remote. The # client_certificate, client_key and tls_server_certificate can be then fetched from # $HOME/snap/lxd/common/config. client_certificate = "" client_key = "" tls_server_certificate = "" [provider.lxd.image_remotes] # Image remotes are important. These are the default remotes used by lxc. The names # of these remotes are important. When specifying an "image" for the pool, that image # can be a hash of an existing image on your local LXD installation or it can be a # remote image from one of these remotes. You can specify the images as follows: # Example: # # * ubuntu:20.04 # * ubuntu_daily:20.04 # * images:centos/8/cloud # # Ubuntu images come pre-installed with cloud-init which we use to set up the runner # automatically and customize the runner. For non Ubuntu images, you need to use the # variant that has "/cloud" in the name. Those images come with cloud-init. [provider.lxd.image_remotes.ubuntu] addr = "https://cloud-images.ubuntu.com/releases" public = true protocol = "simplestreams" skip_verify = false [provider.lxd.image_remotes.ubuntu_daily] addr = "https://cloud-images.ubuntu.com/daily" public = true protocol = "simplestreams" skip_verify = false [provider.lxd.image_remotes.images] addr = "https://images.linuxcontainers.org" public = true protocol = "simplestreams" skip_verify = false # These are examples of external providers. External providers are executables that # implement the needed interface to create/delete/list compute systems that are used # by garm to create runners. [[provider]] name = "openstack_external" description = "external openstack provider" provider_type = "external" # DisableJITConfig explicitly disables JIT configuration and forces runner registration # tokens to be used. This may happen if a provider has not yet been updated to support # JIT configuration. # # Set this to true if your provider does not support JIT configuration. disable_jit_config = false [provider.external] # config file passed to the executable via GARM_PROVIDER_CONFIG_FILE environment variable config_file = "/etc/garm/providers.d/openstack/keystonerc" # Absolute path to an executable that implements the provider logic. This executable can be # anything (bash, a binary, python, etc). See documentation in this repo on how to write an # external provider. provider_executable = "/etc/garm/providers.d/openstack/garm-external-provider" [[provider]] name = "azure_external" description = "external azure provider" provider_type = "external" # DisableJITConfig explicitly disables JIT configuration and forces runner registration # tokens to be used. This may happen if a provider has not yet been updated to support # JIT configuration. # # Set this to true if your provider does not support JIT configuration. disable_jit_config = false [provider.external] # config file passed to the executable via GARM_PROVIDER_CONFIG_FILE environment variable config_file = "/etc/garm/providers.d/azure/config.sh" # Absolute path to an executable that implements the provider logic. This executable can be # anything (bash, a binary, python, etc). See documentation in this repo on how to write an # external provider. provider_executable = "/etc/garm/providers.d/azure/garm-external-provider"