doran/scripts/hetzner/bootstrap-secrets.env.example
2026-03-28 20:53:29 +01:00


# Template for the bootstrap environment.
#
# Usage:
#   1. Copy this file to scripts/hetzner/bootstrap-secrets.env and fill in the values.
#   2. Then run: source scripts/hetzner/bootstrap-secrets.env
#
# Handling notes for the filled-in copy:
#   - It holds live credentials. Restrict it to your own user (chmod 600) and
#     confirm that it is excluded from version control before adding real values.
#   - `source` exports every variable into the current shell, and every child
#     process started from that shell inherits them. Use a dedicated terminal
#     session for the bootstrap and close it afterwards.
#   - Every `replace_me` value is a placeholder; none of them is a usable default.

# --- Hetzner Cloud -----------------------------------------------------------
# API token for the Hetzner Cloud project. Create it in a project dedicated to
# this deployment so that its reach is limited to that project.
export HCLOUD_TOKEN='replace_me'
# Path to the SSH *public* key; the private key never belongs in this file.
export SSH_PUBLIC_KEY_PATH="${HOME}/.ssh/id_ed25519.pub"

# --- Project -----------------------------------------------------------------
# Optional project override. Defaults target the built-in unrip project overlay.
export PROJECT_NAME='unrip'
export PROJECT_NAMESPACE='unrip'
# export PROJECT_OVERLAY_DIR="$PWD/deploy/k8s/overlays/hetzner-single-node"
# export PROJECT_KUSTOMIZE_PATH="../../projects/unrip/base"
# export PROJECT_SECRET_NAME=unrip-secrets
# export PROJECT_SECRET_ENV_BASENAME=unrip.env
# export PROJECT_REGISTRY_SECRET_NAME=unrip-registry-creds
# export PROJECT_IMAGE_REPOSITORY=unrip
# export PROJECT_DEPLOYMENTS="near-intents-ingest dummy-reactor dummy-executor dummy-consumer"

# --- Admin access ------------------------------------------------------------
# Tailscale-first admin access (recommended).
# Prefer a single-use auth key with a short expiry, so that a leaked copy of
# this file cannot be used to enrol further devices.
export TAILSCALE_AUTH_KEY=''
# Optional override; leave empty to auto-discover the node via local
# `tailscale status --json`.
export TAILSCALE_CONTROL_PLANE_HOSTNAME=''
# Optional fallback if you want public admin ports instead of Tailscale.
# '[]' lists no CIDR blocks. If you do fill this in, list the narrowest source
# ranges you can (single /32 addresses) rather than a catch-all such as
# 0.0.0.0/0.
# NOTE(review): which ports this opens is decided by the Terraform
# configuration, which is not part of this file; confirm there.
export TF_ADMIN_CIDR_BLOCKS="[]"

# --- Public naming for ingress/TLS --------------------------------------------
export PUBLIC_DOMAIN='unrip-bootstrap.example.com'
export BASE_DOMAIN='example.com'
export FORGEJO_DOMAIN='git.example.com'
export FORGEJO_ROOT_URL='https://git.example.com/'
export REGISTRY_DOMAIN='registry.example.com'
export LETSENCRYPT_EMAIL='ops@example.com'

# --- Optional DNS automation: choose one provider -----------------------------
# Fill in one provider only and leave the other empty. Whichever you use, give
# the credential the smallest DNS scope the provider offers (for Cloudflare, a
# token limited to DNS edits on the one zone named by CLOUDFLARE_ZONE_ID).
# Cloudflare
export CLOUDFLARE_API_TOKEN=''
export CLOUDFLARE_ZONE_ID=''
# Porkbun
export PORKBUN_API_KEY=''
export PORKBUN_SECRET_API_KEY=''

# --- Registry auth for CI/CD and image pulls ----------------------------------
# Generate the password randomly; it is shared with CI/CD and image pulls, so
# do not reuse a personal or admin password here.
export REGISTRY_USERNAME='unrip'
export REGISTRY_PASSWORD='replace_me'

# --- Application and bootstrap secrets ----------------------------------------
export NEAR_INTENTS_API_KEY='replace_me'
export FORGEJO_RUNNER_REGISTRATION_TOKEN='replace_me'