vortex-bench.env.example

# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: Copyright the Vortex contributors
#
# Template for /etc/vortex-bench.env on the EC2 host.
#
# install.sh copies this template into place if /etc/vortex-bench.env is
# missing; the operator then fills in the secrets. The file must be
# mode 0600 owned by the user systemd runs the service as (ec2-user by
# default). systemd's EnvironmentFile= reads this for both the server
# unit and the deploy/backup timers.

# Bearer token CI presents on POST /api/ingest. Constant-time compared.
# Generate with: openssl rand -hex 32
INGEST_BEARER_TOKEN=

# Bearer token operators present on /api/admin/snapshot and /api/admin/sql.
# Independent of INGEST_BEARER_TOKEN so the two can rotate separately.
# Generate with: openssl rand -hex 32
ADMIN_BEARER_TOKEN=

# DuckDB file the server opens. Lives outside any git checkout so a
# `git pull` never touches it.
VORTEX_BENCH_DB=/var/lib/vortex-bench/bench.duckdb

# Where /api/admin/snapshot writes per-table Vortex snapshots (schema.sql
# plus one <table>.vortex file per table). backup.sh uploads the contents
# to S3 then deletes them, so this dir is transient.
VORTEX_BENCH_SNAPSHOT_DIR=/var/lib/vortex-bench/snapshots

# Where DuckDB installs extensions. Defaults to
# `<VORTEX_BENCH_DB parent>/duckdb-extensions`. The systemd unit's
# `ProtectHome=read-only` blocks DuckDB's default `~/.duckdb/extensions/...`
# install path, so this needs to live under a writable STATE_DIR subdir.
# Override only if you keep state outside /var/lib/vortex-bench.
#VORTEX_BENCH_EXTENSION_DIR=/var/lib/vortex-bench/duckdb-extensions

# `host:port` the *public* listener binds to (ingest, read API, HTML,
# /health). Behind a reverse proxy (or just exposed directly on the
# EC2 SG), 0.0.0.0 is correct.
VORTEX_BENCH_BIND=0.0.0.0:3000

# `host:port` the *admin* listener binds to. Must remain loopback-only
# so `/api/admin/*` never reaches the public network even when
# VORTEX_BENCH_BIND opens 0.0.0.0. backup.sh / inspect.sh talk to this
# address via $ADMIN_URL.
VORTEX_BENCH_ADMIN_BIND=127.0.0.1:3001

# tracing-subscriber env filter spec.
VORTEX_BENCH_LOG=info,vortex_bench_server=info

# --- ops scripts only (not consumed by the server itself) --------------

# Repo checkout the deploy timer pulls and builds from. Owned by the
# same user as the systemd services so `git pull` and `cargo build` don't
# need sudo. This is a checkout of THIS standalone repo
# (https://github.com/vortex-data/benchmarks-website.git) — its Cargo
# workspace is at the repo root, so deploy.sh builds
# `${REPO_DIR}/target/release/vortex-bench-server` directly, and the ops
# scripts live at `${REPO_DIR}/ops/` (NOT `${REPO_DIR}/benchmarks-website/ops/`,
# the old monorepo layout). To re-point an existing monorepo-checkout host,
# see docs/runbooks/v3-host-repoint.md (a re-clone, not a remote swap).
REPO_DIR=/home/ec2-user/benchmarks-website

# Branch the deploy timer tracks (this repo's main line).
DEPLOY_BRANCH=develop

# S3 prefix backup.sh syncs hourly snapshots to. The instance IAM role
# must already permit s3:PutObject under this prefix.
S3_BACKUP_PREFIX=s3://vortex-benchmark-results-database/v3-backups

# URL of the *public* listener, used by deploy.sh's /health check.
SERVER_URL=http://127.0.0.1:3000

# URL of the *admin* listener, used by backup.sh (/api/admin/snapshot)
# and inspect.sh (/api/admin/sql). Defaults to http://127.0.0.1:3001
# when unset; override only if you changed VORTEX_BENCH_ADMIN_BIND.
ADMIN_URL=http://127.0.0.1:3001

# Number of versioned binaries deploy.sh keeps under $BIN_DIR after a
# successful deploy. Defaults to 3 (current + previous + one buffer).
# Drop to 1 during a disk-pressure incident per the ops/README.md
# "Disk full" runbook, then bounce the deploy timer.
#KEEP_BINARIES=3