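---
# =============================================================================
# Ansible Vault - Encrypted Secrets (EXAMPLE)
# =============================================================================
#
# This is an EXAMPLE file showing what should go in your encrypted vault.
# DO NOT commit actual secrets to version control.
#
# NOTE: in its collapsed form this file parsed as one long comment followed by
# a stray scalar, so none of the keys below were actually defined. The layout
# below is the intended one: one key per line, comments above each key.
#
# HOW TO CREATE THE REAL VAULT:
#   1. Copy this file's contents
#   2. Run: ansible-vault create group_vars/vault.yml
#   3. Paste and edit with your actual values
#   4. Save and exit
#
# HOW TO MANAGE THE VAULT:
#   - Edit:  ansible-vault edit group_vars/vault.yml
#   - View:  ansible-vault view group_vars/vault.yml
#   - Rekey: ansible-vault rekey group_vars/vault.yml
#   - Verify before committing: the first line of an encrypted vault file
#     starts with "$ANSIBLE_VAULT;" - if it does not, the file is plaintext.
#
# SECURITY NOTES:
#   - Never commit the vault password to version control
#   - Store vault password in a secure location (password manager, etc.)
#   - Consider using --vault-password-file for automation; keep that file
#     outside the repository (or listed in .gitignore) with owner-only
#     permissions
#   - Add vault.yml to .gitignore (this example file is safe to commit)
#   - Tasks that consume these variables should set "no_log: true" so token
#     values are not echoed into playbook output or CI logs
#   - Keep every credential below quoted as a string so YAML tooling never
#     re-types or reformats it
#
# =============================================================================

# -----------------------------------------------------------------------------
# Gitea Instance Configuration
# -----------------------------------------------------------------------------

# URL of your Gitea instance (including https://).
# This is where the runner will connect to pick up jobs.
# Example: "https://git.example.com"
# The value below is the example author's instance - replace it with your own.
vault_gitea_instance_url: "https://git.karmaxplan.ru"

# -----------------------------------------------------------------------------
# Runner Registration Token
# -----------------------------------------------------------------------------

# Registration token from Gitea for authenticating new runners.
# This is a separate credential from the package-registry PAT further down:
# it is only consumed when the runner registers itself.
#
# HOW TO GET THIS TOKEN:
#   1. Log into Gitea as admin
#   2. Go to: Site Administration > Actions > Runners
#      URL: {{ vault_gitea_instance_url }}/-/admin/actions/runners
#   3. Click "Create new Runner"
#   4. Copy the displayed token
#
# IMPORTANT:
#   - Tokens are SINGLE-USE: one token = one runner registration
#   - Generate a new token for each server you deploy to
#   - Token expires if not used within a certain time
#   - If a token leaks before it is used, generate a fresh one rather than
#     racing to register with it
vault_act_runner_token: ""

# -----------------------------------------------------------------------------
# Package Registry Configuration
# -----------------------------------------------------------------------------

# These values enable the runner to authenticate with Gitea's package registry.
# This is needed if your workflows push/pull container images or packages.

# Hostname of the Gitea package registry.
# Usually the same as your Gitea instance hostname (without https://).
vault_gitea_registry: "git.karmaxplan.ru"

# Service account username for package registry operations.
# Best practice: Create a dedicated "actions" user in Gitea for CI/CD.
# This user should have appropriate permissions for your repositories and
# nothing more - do not reuse an admin account here.
vault_gitea_actions_user: "actions"

# Personal Access Token (PAT) for package registry authentication.
#
# HOW TO CREATE THE PAT:
#   1. Log into Gitea as the service account (e.g., "actions")
#   2. Go to: User Settings > Applications
#      URL: {{ vault_gitea_instance_url }}/user/settings/applications
#   3. Under "Generate New Token", enter a name (e.g., "act-runner-packages")
#   4. Select scopes:
#        - read:package  (required for pulling images)
#        - write:package (required for pushing images; omit it if your
#                         workflows only pull)
#   5. Click "Generate Token"
#   6. Copy the token immediately (it won't be shown again)
#
# SECURITY NOTES:
#   - This token grants package access - keep it secret
#   - Rotate tokens periodically, and immediately if a runner host is
#     decommissioned or suspected compromised
#   - Use the minimum required scopes
vault_gitea_packages_token: ""

# -----------------------------------------------------------------------------
# Optional: Sudo Password (if using non-root user with password sudo)
# -----------------------------------------------------------------------------

# Uncomment if your ansible_user requires a password for sudo.
# Typically wired to the become password elsewhere, e.g.
#   ansible_become_password: "{{ vault_sudo_password }}"
# vault_sudo_password: ""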