# fly.toml - Protocol Soup main application
# Deploy with: fly deploy
#
# For SPIFFE support, first deploy the SPIRE Server:
# fly launch --config fly.spire-server.toml --name protocolsoup-spire
# fly secrets set SPIRE_JOIN_TOKEN=$(fly ssh console -a protocolsoup-spire -C "/opt/spire/bin/spire-server token generate -spiffeID spiffe://protocolsoup.com/agent/fly -ttl 86400 | grep Token | awk '{print \$2}'")
#
# The join token is a bootstrap credential. SPIRE join tokens are single-use,
# and `-ttl 86400` leaves an unused token valid for 24 hours. The command
# substitution above hands the token directly to `fly secrets set`; keep it out
# of shell history, CI logs and chat when running the steps separately.
# NOTE(review): a fresh token is presumably needed if the agent state under
# SPIRE_DATA_DIR is lost -- confirm against the agent start-up script.
app = 'protocolsoup'
# Region in which new Machines for this app are created by default.
primary_region = 'syd'
# Build the image from this Dockerfile instead of a Dockerfile in the project
# root. Anything copied into the image is readable by whoever can pull it, so
# credentials belong in `fly secrets`, not in the build context.
[build]
dockerfile = 'docker/Dockerfile.fly'
# Non-secret runtime environment. Every value in this table is stored in plain
# text in the repository; credentials are listed further down and are set with
# `fly secrets set` instead.
[env]
# Same port as SHOWCASE_LISTEN_ADDR below and http_service.internal_port.
PORT = '8080'
SHOWCASE_BASE_URL = 'https://protocolsoup.com'
# Comma-separated list of origins. NOTE(review): presumably every origin listed
# here is allowed to make cross-origin requests to the API; confirm that the
# protocolsoup.fly.dev entry is still needed alongside the custom domain.
SHOWCASE_CORS_ORIGINS = 'https://protocolsoup.com,https://www.protocolsoup.com,https://protocolsoup.fly.dev'
SHOWCASE_DEBUG = 'false'
SHOWCASE_ENV = 'production'
SHOWCASE_LISTEN_ADDR = ':8080'
# Both origins are plain-HTTP loopback addresses. NOTE(review): presumably the
# frontend and backend run inside the same Machine and talk over localhost;
# confirm neither port 3000 nor this traffic is reachable from outside.
SHOWCASE_FRONTEND_ORIGIN = 'http://127.0.0.1:3000'
BACKEND_ORIGIN = 'http://127.0.0.1:8080'
NEXT_PUBLIC_SITE_URL = 'https://protocolsoup.com'
# NOTE(review): the mock IdP is switched on while SHOWCASE_ENV is 'production'.
# Presumably intentional for a protocol showcase; confirm that nothing outside
# the demo trusts tokens or identities issued by it.
SHOWCASE_MOCK_IDP = 'true'
# SPIFFE/SPIRE Configuration
# The agent will connect to SPIRE Server via Fly private network
SPIRE_SERVER_ADDRESS = 'protocolsoup-spire.internal'
SPIFFE_TRUST_DOMAIN = 'protocolsoup.com'
# Under the /data volume declared in [[mounts]], so agent state survives
# restarts and redeploys.
SPIRE_DATA_DIR = '/data/spire'
# SCIM Configuration - uses subdirectory of shared volume
SCIM_DATA_DIR = '/data/scim'
# Secrets required (set via `fly secrets set`):
# - SPIRE_JOIN_TOKEN: Join token from SPIRE Server for agent bootstrap
# - SCIM_API_TOKEN: Bearer token for SCIM authentication
#
# Optional OID4VP verifier_attestation secrets:
# - OID4VP_VERIFIER_ATTESTATION_ISSUER: override attestation issuer URL (defaults to <SHOWCASE_BASE_URL>/oid4vp/verifier-attestation)
# - OID4VP_VERIFIER_ATTESTATION_CLIENT_ID: override verifier_attestation client_id (defaults to verifier_attestation:<public-host>)
# - OID4VP_VERIFIER_ATTESTATION_PRIVATE_KEY_PEM: PEM-encoded stable signing key for verifier attestation JWT/JWKS continuity across restarts
#
# Optional OID4VP x509_san_dns verifier secrets:
# - OID4VP_X509_SANDNS_CLIENT_ID: x509_san_dns verifier identifier (for example x509_san_dns:verifier.protocolsoup.com)
# - OID4VP_X509_SANDNS_CERT_CHAIN_PEM: PEM-encoded certificate chain for request-object signing
# - OID4VP_X509_SANDNS_PRIVATE_KEY_PEM: PEM-encoded private key matching the leaf certificate
#
# None of the names above may be added to [env]: the bearer token and the PEM
# private keys would then be committed in plain text.
# Public HTTP(S) service. Only internal_port is published by this table; the
# port must match PORT / SHOWCASE_LISTEN_ADDR in [env].
[http_service]
internal_port = 8080
# Redirect plain-HTTP requests to HTTPS at the Fly edge.
force_https = true
# Idle Machines may be stopped and are started again on demand, but
# min_machines_running keeps one Machine up in the primary region.
auto_stop_machines = 'stop'
auto_start_machines = true
min_machines_running = 1
processes = ['app']
# Limits are counted in concurrent HTTP requests per Machine: above soft_limit
# the proxy prefers other Machines, at hard_limit it sends no more traffic.
[http_service.concurrency]
type = 'requests'
hard_limit = 250
soft_limit = 200
# Health check: GET /health every 15s with a 5s timeout.
# NOTE(review): /health is on the same port as the public service, so it is
# presumably reachable from the internet; confirm its response carries no
# internal detail (versions, SPIRE state, paths).
[[http_service.checks]]
interval = '15s'
timeout = '5s'
grace_period = '30s' # Extended for SPIRE Agent startup
method = 'GET'
path = '/health'
# Persistent volume for all app data (SPIRE + SCIM)
# Using single volume since Fly.io only supports 1 mount per machine
# SPIRE_DATA_DIR (/data/spire) and SCIM_DATA_DIR (/data/scim) in [env] both
# live under this destination.
# NOTE(review): the volume presumably holds SPIRE agent key material next to
# SCIM data; confirm directory ownership and permissions keep the two apart,
# and treat volume snapshots as sensitive.
[[mounts]]
source = "protocolsoup_data"
destination = "/data"
# Machine size: one shared vCPU and 512 MB of RAM.
# NOTE(review): the health-check grace period mentions a SPIRE Agent starting
# in this Machine, so the agent presumably shares this memory with the app --
# confirm the headroom is enough to avoid OOM restarts.
[[vm]]
memory = '512mb'
cpu_kind = 'shared'
cpus = 1
# Prometheus-format metrics endpoint scraped by Fly on port 9091.
# No service in this file publishes 9091, so this config does not route
# /metrics publicly. NOTE(review): confirm the app does not also serve
# /metrics on the public port 8080.
[[metrics]]
port = 9091
path = '/metrics'