# Example `values.yaml`

The following snippet shows an example `values.yaml` file for a Helm installation of CircleCI server in an air-gapped environment.

## Resources

The chart assumes an environment with the following resources:

*   A K3s cluster for the installation of the Helm chart
    
*   MetalLB pre-configued on the K3s cluster for ingress
    
*   A private Docker registry at `docker.internal.example.com` running on port 5000 with no TLS encryption
    
*   A Nomad instance with mTLS disabled
    
*   A MinIO instance running at minio.internal.example.com, with its API listening on port 9000, and no TLS
    
*   A TLS certificate issued for both domains `server.internal.example.com` and `` *.server.internal.example.com` ``.
    

For more information about specific values, see the standard installation documentation, starting with [Phase 2 - Core services](https://circleci.com/docs/server-admin/server-4.4/installation/phase-2-core-services/).

## values.yaml

values.yaml

`````````

# Private docker registry at docker.internal.example.com:5000
global:
  domainName: "server.internal.example.com"
  license: '<<your-server-license-here>>'
  container:
    registry: "docker.internal.example.com:5000"
    org: "<image-registry-org>"

# GitHub Enterprise
github:
  hostname: "github.internal.example.com"
  unsafeDisableWebhookSSLVerification: true # If using self-signed certificates
  enterprise: true
  selfSignedCert: true # If using self-signed certificates
  # These must be generated and added manually from GitHub Enterprise
  clientId: "<<github-enterprise-oauth-app-client-id>>"
  clientSecret: "<<github-enterprise-oauth-app-client-secret>>"
  defaultToken: "<<github-enterprise-personal-application-token>>"

# TLS with your provider
tls:
  certificate: "<<your-generated-tls-certificate>>"
  privateKey: "<<your-generated-tls-private-key>>"

# Object storage with Minio
object_storage:
  bucketName: "circleci-data" # Update to the name of the bucket created in MinIO
  expireAfter: 0
  s3:
    enabled: true
    endpoint: "http://minio.internal.example.com:9000"
    accessKey: "<<minio-username>>"
    secretKey: "<<minio-password>>"

# Distributor using CircleCI Agent in Minio
distributor:
  agent_base_url: http://minio.internal.example.com:9000/circleci-data
  launch_agent_base_url: http://minio.internal.example.com:9000/circleci-data

# Nomad
nomad:
  buildAgentImage: "docker.internal.example.com:5000/circleci/picard" # Do not provide image version, only image name and registry
  server:
    gossip:
      encryption:
        key: "<<nomad-gossip-encryption-key>>"
    rpc:
      mTLS:
        enabled: false # mTLS is disabled - it is recommended that this be enabled

# Machine provisioner disabled - Requires cloud connectivity
machine_provisioner:
  enabled: false

# Additional nginx annotations
nginx:
  annotations:
    # This example uses MetalLB as a k3s load balancer
    metallb.universe.tf/allow-shared-ip: default

# The below values require no special modifications for an air-gapped environment

apiToken: "<<circleci-api-token>>"

sessionCookieKey: "<<circleci-session-cookie-key>>"

keyset:
  signing: '<<circleci-signing-key>>'
  encryption: '<<circleci-encryption-key>>'

mongodb:
  auth:
    rootPassword: "<<mongodb-root-password>>"
    password: "<<mongodb-password>>"

pusher:
  secret: "<<pusher-secret>>"

postgresql:
  auth:
    postgresPassword: "<<postgres-password>>"

rabbitmq:
  auth:
    password: "<<rabbitmq-password>>"
    erlangCookie: "<<rabbitmq-erlang-cookie>>"

docker_provisioner:
  enabled: false
`````````