veza/infra/ansible/group_vars/prod.yml

# Prod-specific overrides. Same R720 host as staging in v1.0; separate
# Incus network + container prefix prevents staging/prod from sharing
# any state. Phase-2 (post v1.1) is expected to move prod to a
# dedicated host, at which point only `veza_incus_host` flips.
---
veza_env: prod
veza_release_channel: prod

veza_incus_host: veza-prod
veza_incus_network: veza-net
veza_incus_subnet: 10.0.20.0/24

veza_container_prefix: "veza-"  # production uses unprefixed names — the established convention

veza_incus_dns_suffix: lxd

haproxy_topology: blue-green

veza_public_host: veza.fr
veza_public_url: "https://veza.fr"
veza_cors_allowed_origins:
  - "https://veza.fr"
  - "https://app.veza.fr"

# Prod is INFO so 99th-percentile log volume stays manageable. Bump to
# DEBUG for a window via `ansible-playbook -e veza_log_level=DEBUG` if
# triaging an incident.
veza_log_level: INFO
veza_otel_sample_rate: "0.05"

veza_feature_flags:
  HYPERSWITCH_ENABLED: "true"
  STRIPE_CONNECT_ENABLED: "true"
  WEBAUTHN_ENABLED: "true"

# Larger retention than staging — prod rollback may need to reach a
# release from up to a month ago when the cause was latent.
veza_release_retention: 60

postgres_password: "{{ vault_postgres_password }}"
redis_password: "{{ vault_redis_password }}"
rabbitmq_password: "{{ vault_rabbitmq_password }}"
chore(ansible): recover group_vars files lost in parallel-commit shuffle Files originally part of the "split group_vars into all/{main,vault}" commit got dropped during a rebase/amend when parallel session work landed on the same area at the same time. The all/main.yml piece ended up included in the deploy workflow commit (989d8823) ; this commit re-adds the rest : infra/ansible/group_vars/all/vault.yml.example infra/ansible/group_vars/staging.yml infra/ansible/group_vars/prod.yml infra/ansible/group_vars/README.md + delete infra/ansible/group_vars/all.yml (superseded by all/main.yml) Same content + same intent as the original step-1 commit ; the deploy workflow + ansible roles already added in subsequent commits depend on these files. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-29 12:41:14 +00:00			`# Prod-specific overrides. Same R720 host as staging in v1.0; separate`
			`# Incus network + container prefix prevents staging/prod from sharing`
			`# any state. Phase-2 (post v1.1) is expected to move prod to a`
			# dedicated host, at which point only `veza_incus_host` flips.
			`---`
			`veza_env: prod`
			`veza_release_channel: prod`

			`veza_incus_host: veza-prod`
			`veza_incus_network: veza-net`
			`veza_incus_subnet: 10.0.20.0/24`

			`veza_container_prefix: "veza-" # production uses unprefixed names — the established convention`

			`veza_incus_dns_suffix: lxd`

			`haproxy_topology: blue-green`

			`veza_public_host: veza.fr`
			`veza_public_url: "https://veza.fr"`
			`veza_cors_allowed_origins:`
			`- "https://veza.fr"`
			`- "https://app.veza.fr"`

			`# Prod is INFO so 99th-percentile log volume stays manageable. Bump to`
			# DEBUG for a window via `ansible-playbook -e veza_log_level=DEBUG` if
			`# triaging an incident.`
			`veza_log_level: INFO`
			`veza_otel_sample_rate: "0.05"`

			`veza_feature_flags:`
			`HYPERSWITCH_ENABLED: "true"`
			`STRIPE_CONNECT_ENABLED: "true"`
			`WEBAUTHN_ENABLED: "true"`

			`# Larger retention than staging — prod rollback may need to reach a`
			`# release from up to a month ago when the cause was latent.`
			`veza_release_retention: 60`

			`postgres_password: "{{ vault_postgres_password }}"`
			`redis_password: "{{ vault_redis_password }}"`
			`rabbitmq_password: "{{ vault_rabbitmq_password }}"`