--- # Service account the CI prod-deploy workflow uses to drive docker on the hosts. # Membership in the docker group is root-equivalent (docker socket access), which # is all the deploy workflow needs; the account is deliberately not given sudo. deploy_user: deploy # Public half of the dedicated CI deploy SSH key, read from the controller at run # time. The private half is generated on the controller during provisioning and # stored ONLY in the Gitea PROD_SSH_KEY secret; it is never committed. Override the # path with -e deploy_ci_pubkey_path=/path/to/key.pub if the key lives elsewhere. deploy_ci_pubkey_path: "{{ lookup('env', 'HOME') }}/.ssh/scrabble_ci_deploy_ed25519.pub" deploy_ci_pubkey: "{{ lookup('file', deploy_ci_pubkey_path) }}" # Base directory the deploy workflow rsyncs compose files, config, certs and dumps # into. Owned by deploy_user so the workflow needs no elevation. scrabble_base_dir: /opt/scrabble # Docker daemon json-file log rotation, mirroring the compose x-logging anchor so # the host's own containers (and any ad-hoc runs) rotate identically. docker_log_max_size: "10m" docker_log_max_file: "3"