Production Deployment
Checklist and guidance for deploying Oore CI in a production environment.
Prerequisites
- macOS host with all prerequisites installed
- A domain name for your instance (e.g., ci.mycompany.com)
- TLS certificate for the domain
- Remote auth configured (OIDC default via OIDC guides, or trusted_proxy if deployed behind an identity-aware proxy)
Deployment checklist
1. Build from source
bash
git clone https://github.com/devaryakjha/oore.build.git
cd oore.build
cargo build --release -p oored
cargo build --release -p oore
The release binaries are at target/release/oored and target/release/oore.
2. Configure the daemon
Set environment variables:
bash
export OORED_LISTEN_ADDR=127.0.0.1:8787
export OORE_CORS_ORIGINS=https://ci.mycompany.com
export RUST_LOG=info
3. Set up a reverse proxy
Place a reverse proxy (nginx, Caddy, etc.) in front of the daemon to handle TLS termination:
nginx
server {
    listen 443 ssl;
    server_name ci.mycompany.com;
    ssl_certificate /etc/ssl/certs/ci.mycompany.com.pem;
    ssl_certificate_key /etc/ssl/private/ci.mycompany.com.key;
    location /v1/ {
        proxy_pass http://127.0.0.1:8787;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    location /healthz {
        proxy_pass http://127.0.0.1:8787;
    }
    location /metrics {
        proxy_pass http://127.0.0.1:8787;
        # Restrict to internal monitoring network
        allow 10.0.0.0/8;
        deny all;
    }
}
4. Run the setup wizard
bash
./target/release/oore setup token --ttl 15m
./target/release/oore setup --daemon-url http://127.0.0.1:8787
5. Configure artifact storage
For production, use S3 or R2 instead of local storage. See Configure Storage.
6. Verify
bash
curl https://ci.mycompany.com/v1/public/setup-status
curl https://ci.mycompany.com/healthz
Security hardening
- TLS: Always use HTTPS for production. The daemon itself doesn't handle TLS.
- CORS: Set OORE_CORS_ORIGINS to your production domain only.
- Firewall: The daemon should only be accessible through the reverse proxy.
- Backups: Schedule regular database backups (see Backup and Restore).
- Monitoring: Set up health checks and metrics collection (see Monitoring).
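
A preflight check for the CORS and firewall items above, as an added example that is not part of Oore CI: it validates the step 2 environment variables before the daemon is started. The function names, the `--check` argument and the comma-separated form of OORE_CORS_ORIGINS are assumptions.

```shell
#!/bin/sh
# Added example (not Oore CI code): validate the daemon environment from step 2.

# Pass only for a loopback literal with a numeric port (127.x.x.x:PORT or
# [::1]:PORT), so the daemon is reachable solely through the local reverse proxy.
check_listen_addr() {
  host=${1%:*}; port=${1##*:}
  case "$port" in ''|*[!0-9]*) return 1 ;; esac
  case "$host" in
    '[::1]') return 0 ;;
    127.*) case "$host" in *[!0-9.]*) return 1 ;; *) return 0 ;; esac ;;
    *) return 1 ;;
  esac
}

# Pass only if every origin is https://host[:port] with no wildcard or path.
# Assumption: several origins, if used, are separated by commas.
# The body runs in a subshell so the IFS and glob changes do not leak out.
check_cors_origins() (
  [ -n "$1" ] || exit 1
  set -f
  IFS=,
  for origin in $1; do
    case "$origin" in
      *'*'*|*' '*) exit 1 ;;     # wildcard or stray whitespace
      https://?*/*) exit 1 ;;    # an origin carries no path
      https://?*) ;;             # acceptable
      *) exit 1 ;;               # http:// or anything else
    esac
  done
  exit 0
)

# Check the current environment and report every failing item.
preflight() {
  rc=0
  check_listen_addr "${OORED_LISTEN_ADDR:-}" ||
    { echo "FAIL: OORED_LISTEN_ADDR must be a loopback address" >&2; rc=1; }
  check_cors_origins "${OORE_CORS_ORIGINS:-}" ||
    { echo "FAIL: OORE_CORS_ORIGINS must list https:// origins only" >&2; rc=1; }
  return "$rc"
}

if [ "${1:-}" = "--check" ]; then preflight; fi
```

Run it with `--check` in the same shell session that exports the daemon variables; a non-zero exit status means at least one item failed.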