fix: add AWS_ROLE_ARN and AWS_REGION for dstack-ingress STS (CPL-152) #190

Merged
Garandor merged 1 commit into next from fix/cpl-152-role-arn on Mar 26, 2026

Conversation

@Garandor
Contributor

Summary

  • dstack-ingress requires STS role assumption — direct IAM keys cause Invalid length for parameter RoleArn validation errors
  • Uncomments AWS_ROLE_ARN and AWS_REGION in docker-compose.phala.yml and wires them through the deploy workflow as GitHub variables

Follows up on #181.

Changes

docker-compose.phala.yml

  • AWS_ROLE_ARN and AWS_REGION are now required env vars (were commented out as "optional")
  • Updated header docs to list CERTBOT_AWS_ROLE_ARN and CERTBOT_AWS_REGION

.github/workflows/deploy-phala.yml

  • Added sed substitutions for CERTBOT_AWS_ROLE_ARN and CERTBOT_AWS_REGION (both GitHub variables)
  • Updated header docs listing required vars

Required GitHub configuration

After merging, set these before deploying:

  • Variable: CERTBOT_AWS_ROLE_ARN — IAM role ARN with Route 53 permissions (e.g. arn:aws:iam::<ACCOUNT>:role/certbot-route53-dns-challenge)
  • Variable: CERTBOT_AWS_REGION — AWS region for STS endpoint (e.g. us-east-1)

Test plan

  • docker-compose.phala.yml validates with docker compose config
  • CI passes
  • After setting vars, deploy to next and verify https://test.chipotle.litprotocol.com/health returns 200

🤖 Generated with Claude Code

dstack-ingress requires STS role assumption to access Route 53 —
direct IAM keys alone cause "Invalid length for parameter RoleArn"
validation errors. Uncomment and wire AWS_ROLE_ARN and AWS_REGION
through the deploy workflow as GitHub variables.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
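The following is an added example, not code from this PR or from the repository. It shows a POSIX shell pre-deploy check that rejects a missing or malformed role ARN or region before the compose file is rendered (an empty AWS_ROLE_ARN is what the PR reports as the cause of the "Invalid length for parameter RoleArn" error), followed by the same kind of sed substitution the deploy workflow uses to inject GitHub variables. The placeholder tokens (`__CERTBOT_AWS_ROLE_ARN__`, `__CERTBOT_AWS_REGION__`), the helper names and the sample compose fragment are assumptions constructed for this example; the real workflow's tokens and file differ.

```shell
#!/bin/sh
# Added example (not from the repository): a pre-deploy check for the STS
# settings dstack-ingress needs, plus the sed-style substitution the deploy
# workflow performs. Placeholder tokens and helper names are assumptions.
set -e

# True when $1 looks like an IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<name>
# An empty value is what the PR reports as triggering "Invalid length for
# parameter RoleArn"; a malformed one is rejected here as well.
is_role_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# True when $1 looks like an AWS region name (e.g. us-east-1, eu-west-2, us-gov-west-1).
is_region() {
  printf '%s' "$1" | grep -Eq '^[a-z]{2}(-[a-z]+)+-[0-9]+$'
}

# Check both values before any deploy step; reports every problem and returns non-zero.
check_sts_env() {
  arn=$1
  region=$2
  status=0
  if ! is_role_arn "$arn"; then
    echo "CERTBOT_AWS_ROLE_ARN is missing or malformed: '$arn'" >&2
    status=1
  fi
  if ! is_region "$region"; then
    echo "CERTBOT_AWS_REGION is missing or malformed: '$region'" >&2
    status=1
  fi
  return $status
}

# Substitute the two placeholders in a compose template ($1) with the ARN ($2)
# and region ($3), printing the result. '|' is the sed delimiter because ARNs contain '/'.
render_compose() {
  sed -e "s|__CERTBOT_AWS_ROLE_ARN__|$2|" -e "s|__CERTBOT_AWS_REGION__|$3|" "$1"
}

# Write a constructed compose fragment (not the project's file) to $1.
write_sample_template() {
  cat > "$1" <<'EOF'
services:
  dstack-ingress:
    environment:
      - AWS_ROLE_ARN=__CERTBOT_AWS_ROLE_ARN__
      - AWS_REGION=__CERTBOT_AWS_REGION__
EOF
}

# Demo: values come from the environment (as GitHub variables would) with
# constructed defaults; the check must pass before rendering, so a bad value
# stops the deploy instead of producing a broken compose file.
demo() {
  arn=${CERTBOT_AWS_ROLE_ARN:-arn:aws:iam::123456789012:role/certbot-route53-dns-challenge}
  region=${CERTBOT_AWS_REGION:-us-east-1}
  check_sts_env "$arn" "$region"
  tmpl=$(mktemp)
  write_sample_template "$tmpl"
  render_compose "$tmpl" "$arn" "$region"
  rm -f "$tmpl"
}

demo
```

Running the script with `CERTBOT_AWS_ROLE_ARN` unset or set to an access key ID rather than a role ARN makes `check_sts_env` fail before `render_compose` runs, which is the failure mode this PR closes off at the workflow level.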
@linear

linear bot commented Mar 26, 2026

CPL-152 Update docker-compose + deploy workflow for Phase 0

PR: #181 (target: next)

What was done

docker-compose.phala.yml

  • Added dstack-ingress service (pinned image @sha256: digest) for Route 53 DNS-01 TLS
  • All required dstack-ingress env vars: DOMAIN, GATEWAY_DOMAIN (_.dstack-base-prod5.phala.network), DNS_PROVIDER, TARGET_ENDPOINT, CERTBOT_EMAIL, SET_CAA
  • CERTBOT_EMAIL hardcoded to admin@litprotocol.com (public in ACME registration)
  • Route 53 credentials via CERTBOT_-prefixed env vars (CERTBOT_AWS_ACCESS_KEY_ID, CERTBOT_AWS_SECRET_ACCESS_KEY)
  • Optional AWS_ROLE_ARN / AWS_REGION documented as comments (not needed with direct IAM permissions)
  • cert-data volume for Let's Encrypt persistence
  • Comments link to dstack-ingress DNS_PROVIDERS.md
  • lit-static stays removed (moved to Cloudflare Pages in CPL-33)

.github/workflows/deploy-phala.yml

  • Custom domain is mandatory — no optional stripping logic
  • main → api.chipotle.litprotocol.com, next → test.chipotle.litprotocol.com
  • base_url and api_root_url derived from domain (no redundant URLs)
  • CERTBOT_AWS_ACCESS_KEY_ID is a GitHub variable (not a secret)
  • CERTBOT_AWS_SECRET_ACCESS_KEY is a GitHub secret

Required GitHub configuration

  • Variable: CERTBOT_AWS_ACCESS_KEY_ID — Route 53 IAM access key
  • Secret: CERTBOT_AWS_SECRET_ACCESS_KEY — Route 53 IAM secret key

Status

  • Compose file validates
  • Merged with next — conflicts resolved
  • CI green
  • Blocked on CPL-151 for IAM credentials + GitHub secrets

Blocked on

  • CPL-151 (IAM credentials + GitHub secrets)

Garandor merged commit 3d74f0f into next on Mar 26, 2026
1 check passed
Garandor added a commit that referenced this pull request Mar 27, 2026