2026-06-30 18:18:40 +02:00
|
|
|
// index.ts — foundation bootstrap entrypoint (the egg, PLAN-002 §0, Layer 0).
|
2026-06-30 18:06:21 +02:00
|
|
|
//
|
2026-06-30 18:18:40 +02:00
|
|
|
// Phase orchestration (PLAN-002 §2, §5). Components are created against the shared
|
|
|
|
|
// provider + foundation-net (ADR-006); GATES between phases are Pulumi dependsOn
|
|
|
|
|
// edges, NOT imperative sequencing, so `pulumi up` derives the order. Wave-2+ tasks
|
|
|
|
|
// fill the marked slots — this file is the single composition point; components stay
|
|
|
|
|
// pure factories in components/*.
|
|
|
|
|
import { loadConfig } from "./config";
|
|
|
|
|
import { buildBaseContext, DeployCtx } from "./lib/context";
|
|
|
|
|
import { deployNetwork } from "./components/network";
|
2026-06-30 20:47:30 +02:00
|
|
|
import { deployDns } from "./components/dns";
|
2026-06-30 21:37:26 +02:00
|
|
|
import {
|
|
|
|
|
generateCredentials,
|
|
|
|
|
writeCredentialsToVault,
|
|
|
|
|
} from "./components/credentials";
|
2026-06-30 21:10:34 +02:00
|
|
|
import { deployPostgres } from "./components/postgres";
|
2026-06-30 21:19:53 +02:00
|
|
|
import { deployRustfs } from "./components/rustfs";
|
feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft
storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to
the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init +
unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the
foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root
token on stdout — marked secret and NOT streamed (logging:Stderr) so they never
reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the
one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an
idempotent guard that avoids churning the config. vault-unseal.sh is the
passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an
SSH stdin pipe. run.sh also now pins the Pulumi backend per-process
(PULUMI_BACKEND_URL) instead of a global `pulumi login`.
Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to
encrypted config, idempotent re-up reuses stored keys, container-restart reseal
recovered by vault-unseal.sh. Acceptance T05 met.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 21:32:52 +02:00
|
|
|
import { deployVault } from "./components/vault";
|
2026-06-30 21:54:12 +02:00
|
|
|
import { deployProxy } from "./components/proxy";
|
2026-06-30 22:23:39 +02:00
|
|
|
import { deployForgejo } from "./components/forgejo";
|
2026-06-30 18:06:21 +02:00
|
|
|
|
2026-06-30 18:18:40 +02:00
|
|
|
const cfg = loadConfig();
|
2026-06-30 18:06:21 +02:00
|
|
|
|
2026-06-30 18:18:40 +02:00
|
|
|
// --- shared substrate: provider + network (always first) ---
|
|
|
|
|
const base = buildBaseContext(cfg);
|
|
|
|
|
const network = deployNetwork(base);
|
|
|
|
|
const ctx: DeployCtx = { ...base, network };
|
2026-06-30 18:06:21 +02:00
|
|
|
|
2026-06-30 20:47:30 +02:00
|
|
|
// --- public DNS records → the VM (independent of the container plane) ---
|
|
|
|
|
const dnsRecords = deployDns(ctx);
|
|
|
|
|
export const dnsHosts = dnsRecords.map((r) => r.name);
|
|
|
|
|
|
2026-06-30 21:10:34 +02:00
|
|
|
// --- credentials: generation is pure (no deps); Vault distribution is T06 ---
|
|
|
|
|
const credentials = generateCredentials(ctx);
|
|
|
|
|
|
2026-06-30 18:18:40 +02:00
|
|
|
// =============================================================================
|
|
|
|
|
// PHASE 3 — DATA PLANE (depends on: network)
|
feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft
storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to
the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init +
unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the
foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root
token on stdout — marked secret and NOT streamed (logging:Stderr) so they never
reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the
one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an
idempotent guard that avoids churning the config. vault-unseal.sh is the
passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an
SSH stdin pipe. run.sh also now pins the Pulumi backend per-process
(PULUMI_BACKEND_URL) instead of a global `pulumi login`.
Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to
encrypted config, idempotent re-up reuses stored keys, container-restart reseal
recovered by vault-unseal.sh. Acceptance T05 met.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 21:32:52 +02:00
|
|
|
// T03 postgres ✓ · T04 rustfs ✓ · T05 vault ✓
|
2026-06-30 18:18:40 +02:00
|
|
|
// -----------------------------------------------------------------------------
|
2026-06-30 21:10:34 +02:00
|
|
|
const postgres = deployPostgres(ctx, credentials.postgres);
|
2026-06-30 21:19:53 +02:00
|
|
|
const rustfs = deployRustfs(ctx, credentials.rustfs);
|
feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft
storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to
the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init +
unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the
foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root
token on stdout — marked secret and NOT streamed (logging:Stderr) so they never
reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the
one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an
idempotent guard that avoids churning the config. vault-unseal.sh is the
passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an
SSH stdin pipe. run.sh also now pins the Pulumi backend per-process
(PULUMI_BACKEND_URL) instead of a global `pulumi login`.
Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to
encrypted config, idempotent re-up reuses stored keys, container-restart reseal
recovered by vault-unseal.sh. Acceptance T05 met.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 21:32:52 +02:00
|
|
|
const vault = deployVault(ctx);
|
2026-06-30 21:37:26 +02:00
|
|
|
|
|
|
|
|
// --- GATE A: Vault init + unseal (T05). T06 writes the generated data-plane creds
|
|
|
|
|
// into Vault (CONTRACT_002), dependsOn vault.init so it runs only once unsealed.
|
|
|
|
|
const vaultCreds = writeCredentialsToVault(ctx, credentials, vault);
|
2026-06-30 18:18:40 +02:00
|
|
|
// =============================================================================
|
|
|
|
|
// PHASE 6 — FORGE (depends on: credentials, GATE A)
|
2026-06-30 21:54:12 +02:00
|
|
|
// T07 caddy ✓ · T08 forgejo · T10 runner
|
2026-06-30 18:18:40 +02:00
|
|
|
// -----------------------------------------------------------------------------
|
2026-06-30 21:54:12 +02:00
|
|
|
const proxy = deployProxy(ctx);
|
2026-06-30 22:23:39 +02:00
|
|
|
const forgejo = deployForgejo(ctx, {
|
|
|
|
|
postgres,
|
|
|
|
|
rustfs,
|
|
|
|
|
pgCreds: credentials.postgres,
|
|
|
|
|
rustfsCreds: credentials.rustfs,
|
|
|
|
|
});
|
2026-06-30 18:18:40 +02:00
|
|
|
// --- GATE B: Forgejo healthy → handover (T11) + runner registration (T10).
|
|
|
|
|
// const runner = deployRunner(ctx, { forgejo, credentials });
|
|
|
|
|
// =============================================================================
|
2026-06-30 18:06:21 +02:00
|
|
|
|
2026-06-30 18:18:40 +02:00
|
|
|
// Stack outputs (extended as phases land).
|
2026-06-30 21:37:26 +02:00
|
|
|
// vaultCreds (T06) is a gate for Forgejo (T08) — it has no output to export yet.
|
|
|
|
|
void vaultCreds;
|
|
|
|
|
|
2026-06-30 22:23:39 +02:00
|
|
|
export const phase = "T08-forgejo"; // forge live (postgres + rustfs + caddy + ssh)
|
2026-06-30 21:54:12 +02:00
|
|
|
export const caddyImageId = proxy.imageId;
|
2026-06-30 22:23:39 +02:00
|
|
|
export const forgejoEndpoint = forgejo.endpoint;
|
|
|
|
|
void forgejo.ready; // GATE B for T09/T10
|
2026-06-30 18:18:40 +02:00
|
|
|
export const networkName = network.name;
|
|
|
|
|
export const vmTarget = `${cfg.vm.user}@${cfg.vm.host}`;
|
2026-06-30 21:10:34 +02:00
|
|
|
export const postgresEndpoint = postgres.endpoint;
|
2026-06-30 21:19:53 +02:00
|
|
|
export const rustfsEndpoint = rustfs.endpoint;
|
feat(bootstrap): vault init/unseal + capture to encrypted config (T05)
foundation-vault (hashicorp/vault:1.18, digest-pinned) with integrated raft
storage in foundation-vault-data (-> /vault/file, which the entrypoint chowns to
the vault user), IPC_LOCK for mlock, internal only (8200 unpublished). Init +
unseal reuse the olsitec-core pattern but over docker-exec/SSH (ADR-007): the
foundation-vault-init command inits 1-of-1 Shamir, unseals, and emits keys + root
token on stdout — marked secret and NOT streamed (logging:Stderr) so they never
reach the terminal/logs (D2). run.sh captures them into vaultCredentials:* (the
one bootstrap secret that cannot live in Vault, CONTRACT_002 §2.4) with an
idempotent guard that avoids churning the config. vault-unseal.sh is the
passphrase-gated reboot helper (ADR-004): reads keys from config, unseals over an
SSH stdin pipe. run.sh also now pins the Pulumi backend per-process
(PULUMI_BACKEND_URL) instead of a global `pulumi login`.
Live on cx33 Helsinki: initialized + unsealed (raft 1.18.5), keys captured to
encrypted config, idempotent re-up reuses stored keys, container-restart reseal
recovered by vault-unseal.sh. Acceptance T05 met.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 21:32:52 +02:00
|
|
|
export const vaultEndpoint = vault.endpoint;
|
|
|
|
|
// Captured by run.sh into vaultCredentials:* (passphrase-encrypted config) after
|
|
|
|
|
// `up` — the one bootstrap secret that cannot live in Vault (CONTRACT_002 §2.4).
|
|
|
|
|
export const vaultUnsealKeys = vault.unsealKeys;
|
|
|
|
|
export const vaultRootToken = vault.rootToken;
|
2026-06-30 18:18:40 +02:00
|
|
|
export const enabledFeatures = Object.entries(cfg.features)
|
2026-06-30 18:06:21 +02:00
|
|
|
.filter(([, on]) => on)
|
|
|
|
|
.map(([name]) => name);
|