CLI Flags
Command-line flags for the operator and syncer components.
Operator Flags
| Flag | Default | Description |
|---|---|---|
| --pages-domain | pages.kup6s.com | Base domain for auto-generated subdomains |
| --cluster-issuer | letsencrypt-prod | cert-manager ClusterIssuer name |
| --nginx-namespace | kup6s-pages | Namespace where nginx service runs |
| --nginx-service-name | kup6s-pages-nginx | Name of the nginx service |
| --pages-tls-mode | individual | TLS mode for auto-generated domains: individual or wildcard |
| --pages-wildcard-secret | pages-wildcard-tls | Secret name for wildcard certificate (only used with --pages-tls-mode=wildcard) |
| --metrics-bind-address | :8080 | Metrics endpoint |
| --health-probe-bind-address | :8081 | Health probe endpoint |
TLS Modes
| Mode | Description |
|---|---|
| individual | Creates a Certificate per site using HTTP-01 challenge. Works without DNS provider API access. |
| wildcard | References a pre-existing wildcard certificate. Requires external DNS-01 setup for wildcard cert issuance. |

Note: Wildcard mode requires a pre-existing *.{pagesDomain} certificate. This must be created externally using DNS-01 challenge, as Let’s Encrypt doesn’t support wildcard certs via HTTP-01.
Example
go run ./cmd/operator \
--pages-domain=pages.example.com \
--cluster-issuer=letsencrypt-prod \
--nginx-namespace=kup6s-pages \
--nginx-service-name=kup6s-pages-nginx \
--pages-tls-mode=individual
Syncer Flags
| Flag | Default | Description |
|---|---|---|
| --sites-root | /sites | Directory where sites are stored |
| --sync-interval | 5m | Default interval for polling repos |
| --webhook-addr | :8080 | Webhook HTTP server address |
| --allowed-hosts | Required | Comma-separated allowlist of Git hosts |
| --webhook-secret | "" | Secret for webhook HMAC validation |
Example
go run ./cmd/syncer \
--sites-root=/sites \
--sync-interval=5m \
--webhook-addr=:8080 \
--allowed-hosts=github.com,gitlab.com,forgejo.example.com \
--webhook-secret=your-secret-here
Allowed Hosts
The --allowed-hosts flag provides SSRF (Server-Side Request Forgery) protection. The syncer will only clone repositories from these hosts.
Common values:
- github.com
- gitlab.com
- bitbucket.org
- codeberg.org
Wildcards are supported for self-hosted instances:
- *.gitlab.example.com
- git.internal.company.com
Example:
--allowed-hosts=github.com,gitlab.com,*.gitlab.internal.example.com
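An allowlist check of this kind is only as good as its host parsing and matching, so the following added example (not the syncer's own code) shows one way to evaluate a repository URL against an --allowed-hosts value. The function name hostAllowed, the constructed sample URLs, and the rule that a "*." pattern matches subdomains but not the bare domain are assumptions of this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// hostAllowed reports whether repoURL points at a host matched by a
// comma-separated allowlist in the --allowed-hosts syntax.
// Hypothetical helper for illustration, not taken from the project.
// Assumption: "*.example.com" matches any subdomain, not example.com itself.
func hostAllowed(repoURL, allowlist string) bool {
	u, err := url.Parse(repoURL)
	if err != nil {
		return false
	}
	// Hostname() drops the port and any userinfo, so the comparison runs on
	// the host that will actually be contacted. Normalise case and root dot.
	host := strings.TrimSuffix(strings.ToLower(u.Hostname()), ".")
	if host == "" {
		return false // e.g. file:///... or a relative path
	}
	for _, p := range strings.Split(allowlist, ",") {
		p = strings.ToLower(strings.TrimSpace(p))
		switch {
		case p == "":
			continue
		case strings.HasPrefix(p, "*."):
			// Keep the leading dot so "xgitlab.example.com" cannot satisfy
			// "*.gitlab.example.com" by plain suffix overlap.
			suffix := p[1:]
			if len(host) > len(suffix) && strings.HasSuffix(host, suffix) {
				return true
			}
		case host == p: // exact match only, never substring or prefix
			return true
		}
	}
	return false
}

func main() {
	allow := "github.com,gitlab.com,*.gitlab.internal.example.com"
	for _, repo := range []string{ // constructed sample inputs
		"https://github.com/org/site.git",
		"https://git.gitlab.internal.example.com/team/docs.git",
		"https://github.com.untrusted.example/org/site.git",
		"https://github.com@untrusted.example/org/site.git",
	} {
		fmt.Printf("%-55s allowed=%v\n", repo, hostAllowed(repo, allow))
	}
}
```

The last two sample URLs are rejected because the comparison is made on the parsed hostname rather than on the raw string.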