259 lines
13 KiB
TOML
259 lines
13 KiB
TOML
|
|
[default]
|
|
# This URL is used by instances to send back status messages as they install
|
|
# the github actions runner. Status messages can be seen by querying the
|
|
# runner status in garm.
|
|
# Note: If you're using a reverse proxy in front of your garm installation,
|
|
# this URL needs to point to the address of the reverse proxy. Using TLS is
|
|
# highly encouraged.
|
|
callback_url = "https://garm.example.com/api/v1/callbacks"
|
|
|
|
# This URL is used by instances to retrieve information they need to set themselves
|
|
# up. Access to this URL is granted using the same JWT token used to send back
|
|
# status updates. Once the instance transitions to "installed" or "failed" state,
|
|
# access to both the status and metadata endpoints is disabled.
|
|
# Note: If you're using a reverse proxy in front of your garm installation,
|
|
# this URL needs to point to the address of the reverse proxy. Using TLS is
|
|
# highly encouraged.
|
|
metadata_url = "https://garm.example.com/api/v1/metadata"
|
|
|
|
# This is the base URL where GARM will listen for webhook events from github. This
|
|
# URL can be directly configured in github to send events to.
|
|
# If GARM is allowed to manage webhooks, this URL will be used as a base to optionally
|
|
# create webhooks for repositories and organizations. To avoid clashes, the unique
|
|
# controller ID that gets generated when GARM is first installed, will be added as a suffix
|
|
# to this URL.
|
|
#
|
|
# For example, assuming that your GARM controller ID is "18225ce4-e3bd-43f0-9c85-7d7858bcc5b2"
|
|
# the webhook URL will be "https://garm.example.com/webhooks/18225ce4-e3bd-43f0-9c85-7d7858bcc5b2"
|
|
webhook_url = "https://garm.example.com/webhooks"
|
|
|
|
# This option enables GARM to manage webhooks for repositories and organizations. Set this
|
|
# to false to disable the API routes that manage webhooks.
|
|
#
|
|
# When managing webhooks, the PAT you're using must have the necessary access to create/list/delete
|
|
# webhooks for repositories or organizations.
|
|
enable_webhook_management = true
|
|
|
|
# Uncomment this line if you'd like to log to a file instead of standard output.
|
|
# log_file = "/tmp/runner-manager.log"
|
|
|
|
# Enable streaming logs via web sockets. Use garm-cli debug-log.
|
|
enable_log_streamer = false
|
|
|
|
# Enable the golang debug server. See the documentation in the "doc" folder for more information.
|
|
debug_server = false
|
|
|
|
[metrics]
|
|
# Toggle metrics. If set to false, the API endpoint for metrics collection will
|
|
# be disabled.
|
|
enable = true
|
|
# Toggle to disable authentication (not recommended) on the metrics endpoint.
|
|
# If you do disable authentication, I encourage you to put a reverse proxy in front
|
|
# of garm and limit which systems can access that particular endpoint. Ideally, you
|
|
# would enable some kind of authentication using the reverse proxy, if the built-in auth
|
|
# is not sufficient for your needs.
|
|
disable_auth = false
|
|
|
|
[jwt_auth]
|
|
# A JWT token secret used to sign tokens.
|
|
# Obviously, this needs to be changed :).
|
|
secret = ")9gk_4A6KrXz9D2u`0@MPea*sd6W`%@5MAWpWWJ3P3EqW~qB!!(Vd$FhNc*eU4vG"
|
|
|
|
# Time to live for tokens. Both the instances and you will use JWT tokens to
|
|
# authenticate against the API. However, this TTL is applied only to tokens you
|
|
# get when logging into the API. The tokens issued to the instances we manage,
|
|
# have a TTL based on the runner bootstrap timeout set on each pool. The minimum
|
|
# TTL for this token is 24h.
|
|
time_to_live = "8760h"
|
|
|
|
[apiserver]
|
|
# Bind the API to this IP
|
|
bind = "0.0.0.0"
|
|
# Bind the API to this port
|
|
port = 9997
|
|
# Whether or not to set up TLS for the API endpoint. If this is set to true,
|
|
# you must have a valid apiserver.tls section.
|
|
use_tls = false
|
|
# Set a list of allowed origins
|
|
# By default, if this option is ommited or empty, we will check
|
|
# only that the origin is the same as the originating server.
|
|
# A literal of "*" will allow any origin
|
|
cors_origins = ["*"]
|
|
[apiserver.tls]
|
|
# Path on disk to a x509 certificate bundle.
|
|
# NOTE: if your certificate is signed by an intermediary CA, this file
|
|
# must contain the entire certificate bundle needed for clients to validate
|
|
# the certificate. This usually means concatenating the certificate and the
|
|
# CA bundle you received.
|
|
certificate = ""
|
|
# The path on disk to the corresponding private key for the certificate.
|
|
key = ""
|
|
|
|
[database]
|
|
# Turn on/off debugging for database queries.
|
|
debug = false
|
|
# Database backend to use. Currently supported backends are:
|
|
# * sqlite3
|
|
backend = "sqlite3"
|
|
# the passphrase option is a temporary measure by which we encrypt the webhook
|
|
# secret that gets saved to the database, using AES256. In the future, secrets
|
|
# will be saved to something like Barbican or Vault, eliminating the need for
|
|
# this. This setting needs to be 32 characters in size.
|
|
passphrase = "shreotsinWadquidAitNefayctowUrph"
|
|
[database.sqlite3]
|
|
# Path on disk to the sqlite3 database file.
|
|
db_file = "/etc/garm/garm.db"
|
|
|
|
# Currently, providers are defined statically in the config. This is due to the fact
|
|
# that we have not yet added support for storing secrets in something like Barbican
|
|
# or Vault. This will change in the future. However, for now, it's important to remember
|
|
# that once you create a pool using one of the providers defined here, the name of that
|
|
# provider must not be changed, or the pool will no longer work. Make sure you remove any
|
|
# pools before removing or changing a provider.
|
|
[[provider]]
|
|
# An arbitrary string describing this provider.
|
|
name = "lxd_local"
|
|
# Provider type. Garm is designed to allow creating providers which are used to spin
|
|
# up compute resources, which in turn will run the github runner software.
|
|
# Currently, LXD is the only supprted provider, but more will be written in the future.
|
|
provider_type = "lxd"
|
|
# A short description of this provider. The name, description and provider types will
|
|
# be included in the information returned by the API when listing available providers.
|
|
description = "Local LXD installation"
|
|
# DisableJITConfig explicitly disables JIT configuration and forces runner registration
|
|
# tokens to be used. This may happen if a provider has not yet been updated to support
|
|
# JIT configuration.
|
|
#
|
|
# Set this to true if your provider does not support JIT configuration.
|
|
disable_jit_config = false
|
|
[provider.lxd]
|
|
# the path to the unix socket that LXD is listening on. This works if garm and LXD
|
|
# are on the same system, and this option takes precedence over the "url" option,
|
|
# which connects over the network.
|
|
unix_socket_path = "/var/snap/lxd/common/lxd/unix.socket"
|
|
# When defining a pool for a repository or an organization, you have an option to
|
|
# specify a "flavor". In LXD terms, this translates to "profiles". Profiles allow
|
|
# you to customize your instances (memory, cpu, disks, nics, etc).
|
|
# This option allows you to inject the "default" profile along with the profile selected
|
|
# by the flavor.
|
|
include_default_profile = false
|
|
# instance_type defines the type of instances this provider will create.
|
|
#
|
|
# Options are:
|
|
#
|
|
# * virtual-machine (default)
|
|
# * container
|
|
#
|
|
instance_type = "container"
|
|
# enable/disable secure boot. If the image you select for the pool does not have a
|
|
# signed bootloader, set this to false, otherwise your instances won't boot.
|
|
secure_boot = false
|
|
# Project name to use. You can create a separate project in LXD for runners.
|
|
project_name = "default"
|
|
# URL is the address on which LXD listens for connections (ex: https://example.com:8443)
|
|
url = ""
|
|
# garm supports certificate authentication for LXD remote connections. The easiest way
|
|
# to get the needed certificates, is to install the lxc client and add a remote. The
|
|
# client_certificate, client_key and tls_server_certificate can be then fetched from
|
|
# $HOME/snap/lxd/common/config.
|
|
client_certificate = ""
|
|
client_key = ""
|
|
tls_server_certificate = ""
|
|
[provider.lxd.image_remotes]
|
|
# Image remotes are important. These are the default remotes used by lxc. The names
|
|
# of these remotes are important. When specifying an "image" for the pool, that image
|
|
# can be a hash of an existing image on your local LXD installation or it can be a
|
|
# remote image from one of these remotes. You can specify the images as follows:
|
|
# Example:
|
|
#
|
|
# * ubuntu:20.04
|
|
# * ubuntu_daily:20.04
|
|
# * images:centos/8/cloud
|
|
#
|
|
# Ubuntu images come pre-installed with cloud-init which we use to set up the runner
|
|
# automatically and customize the runner. For non Ubuntu images, you need to use the
|
|
# variant that has "/cloud" in the name. Those images come with cloud-init.
|
|
[provider.lxd.image_remotes.ubuntu]
|
|
addr = "https://cloud-images.ubuntu.com/releases"
|
|
public = true
|
|
protocol = "simplestreams"
|
|
skip_verify = false
|
|
[provider.lxd.image_remotes.ubuntu_daily]
|
|
addr = "https://cloud-images.ubuntu.com/daily"
|
|
public = true
|
|
protocol = "simplestreams"
|
|
skip_verify = false
|
|
[provider.lxd.image_remotes.images]
|
|
addr = "https://images.linuxcontainers.org"
|
|
public = true
|
|
protocol = "simplestreams"
|
|
skip_verify = false
|
|
|
|
# These are examples of external providers. External providers are executables that
|
|
# implement the needed interface to create/delete/list compute systems that are used
|
|
# by garm to create runners.
|
|
[[provider]]
|
|
name = "openstack_external"
|
|
description = "external openstack provider"
|
|
provider_type = "external"
|
|
# DisableJITConfig explicitly disables JIT configuration and forces runner registration
|
|
# tokens to be used. This may happen if a provider has not yet been updated to support
|
|
# JIT configuration.
|
|
#
|
|
# Set this to true if your provider does not support JIT configuration.
|
|
disable_jit_config = false
|
|
[provider.external]
|
|
# config file passed to the executable via GARM_PROVIDER_CONFIG_FILE environment variable
|
|
config_file = "/etc/garm/providers.d/openstack/keystonerc"
|
|
# Absolute path to an executable that implements the provider logic. This executable can be
|
|
# anything (bash, a binary, python, etc). See documentation in this repo on how to write an
|
|
# external provider.
|
|
provider_executable = "/etc/garm/providers.d/openstack/garm-external-provider"
|
|
|
|
[[provider]]
|
|
name = "azure_external"
|
|
description = "external azure provider"
|
|
provider_type = "external"
|
|
# DisableJITConfig explicitly disables JIT configuration and forces runner registration
|
|
# tokens to be used. This may happen if a provider has not yet been updated to support
|
|
# JIT configuration.
|
|
#
|
|
# Set this to true if your provider does not support JIT configuration.
|
|
disable_jit_config = false
|
|
[provider.external]
|
|
# config file passed to the executable via GARM_PROVIDER_CONFIG_FILE environment variable
|
|
config_file = "/etc/garm/providers.d/azure/config.sh"
|
|
# Absolute path to an executable that implements the provider logic. This executable can be
|
|
# anything (bash, a binary, python, etc). See documentation in this repo on how to write an
|
|
# external provider.
|
|
provider_executable = "/etc/garm/providers.d/azure/garm-external-provider"
|
|
|
|
# This is a list of credentials that you can define as part of the repository
|
|
# or organization definitions. They are not saved inside the database, as there
|
|
# is no Vault integration (yet). This will change in the future.
|
|
# Credentials defined here can be listed using the API. Obviously, only the name
|
|
# and descriptions are returned.
|
|
[[github]]
|
|
name = "gabriel"
|
|
description = "github token or user gabriel"
|
|
# This is a personal token with access to the repositories and organizations
|
|
# you plan on adding to garm. The "workflow" option needs to be selected in order
|
|
# to work with repositories, and the admin:org needs to be set if you plan on
|
|
# adding an organization.
|
|
oauth2_token = "super secret token"
|
|
# base_url (optional) is the URL at which your GitHub Enterprise Server can be accessed.
|
|
# If these credentials are for github.com, leave this setting blank
|
|
base_url = "https://ghe.example.com"
|
|
# api_base_url (optional) is the base URL where the GitHub Enterprise Server API can be accessed.
|
|
# Leave this blank if these credentials are for github.com.
|
|
api_base_url = "https://ghe.example.com"
|
|
# upload_base_url (optional) is the base URL where the GitHub Enterprise Server upload API can be accessed.
|
|
# Leave this blank if these credentials are for github.com, or if you don't have a separate URL
|
|
# for the upload API.
|
|
upload_base_url = "https://api.ghe.example.com"
|
|
# ca_cert_bundle (optional) is the CA certificate bundle in PEM format that will be used by the github
|
|
# client to talk to the API. This bundle will also be sent to all runners as bootstrap params.
|
|
# Use this option if you're using a self signed certificate.
|
|
# Leave this blank if you're using github.com or if your certificare is signed by a valid CA.
|
|
ca_cert_bundle = "/etc/garm/ghe.crt"
|