NotAShelf/circus
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: update README with new config keys; link security document

Browse source 
Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: I8820dfb50f2b236a66d1e57aa36b6b0d6a6a6964
This commit is contained in:
raf 2026-02-28 12:17:47 +03:00
commit bffc6f4ec5
Signed by: NotAShelf
GPG key ID: 29D95B64378DB4BF
1 changed files with 53 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

17
docs/README.md
View file

@ -186,7 +186,7 @@ development.
<!--markdownlint-disable MD013 --> <!--markdownlint-disable MD013 -->
| Section | Key | Default | Description | | Section | Key | Default | Description |
| --------------- | ---------------------- | --------------------------------------------- | ----------------------------------------- | | --------------- | ---------------------- | --------------------------------------------- | ----------------------------------------------------- |
| `database` | `url` | `postgresql://fc_ci:password@localhost/fc_ci` | PostgreSQL connection URL | | `database` | `url` | `postgresql://fc_ci:password@localhost/fc_ci` | PostgreSQL connection URL |
| `database` | `max_connections` | `20` | Maximum connection pool size | | `database` | `max_connections` | `20` | Maximum connection pool size |
| `database` | `min_connections` | `5` | Minimum idle connections | | `database` | `min_connections` | `5` | Minimum idle connections |
@ -200,8 +200,9 @@ development.
| `server` | `api_key` | none | Optional legacy API key (prefer DB keys) | | `server` | `api_key` | none | Optional legacy API key (prefer DB keys) |
| `server` | `cors_permissive` | `false` | Allow all CORS origins | | `server` | `cors_permissive` | `false` | Allow all CORS origins |
| `server` | `allowed_origins` | `[]` | Allowed CORS origins list | | `server` | `allowed_origins` | `[]` | Allowed CORS origins list |
| `server` | `rate_limit_rps` | none | Requests per second limit | | `server` | `force_secure_cookies` | `false` | Force Secure flag on cookies (enable for HTTPS proxy) |
| `server` | `rate_limit_burst` | none | Burst size for rate limiting | | `server` | `rate_limit_rps` | none | Requests per second limit per IP (DoS protection) |
| `server` | `rate_limit_burst` | none | Burst size for rate limiting (e.g., 20) |
| `evaluator` | `poll_interval` | `60` | Seconds between git poll cycles | | `evaluator` | `poll_interval` | `60` | Seconds between git poll cycles |
| `evaluator` | `git_timeout` | `600` | Git operation timeout (seconds) | | `evaluator` | `git_timeout` | `600` | Git operation timeout (seconds) |
| `evaluator` | `nix_timeout` | `1800` | Nix evaluation timeout (seconds) | | `evaluator` | `nix_timeout` | `1800` | Nix evaluation timeout (seconds) |
@ -300,6 +301,11 @@ proxy:
server.host = "127.0.0.1"; server.host = "127.0.0.1";
server.port = 3000; server.port = 3000;
# Security: enable when behind HTTPS reverse proxy
server.force_secure_cookies = true;
server.rate_limit_rps = 100;
server.rate_limit_burst = 20;
evaluator.poll_interval = 300; evaluator.poll_interval = 300;
evaluator.restrict_eval = true; evaluator.restrict_eval = true;
queue_runner.workers = 8; queue_runner.workers = 8;
@ -369,6 +375,11 @@ Ensure the PostgreSQL server on the head node allows connections from builder
machines via `pg_hba.conf` (the NixOS `services.postgresql` module handles this machines via `pg_hba.conf` (the NixOS `services.postgresql` module handles this
with `authentication` settings). with `authentication` settings).
## Security
FC implements multiple security layers to protect your CI infrastructure. See
[the security document](./SECURITY.md) for more details.
## Authentication ## Authentication
FC supports two authentication methods: FC supports two authentication methods: