feat(bootstrap): real olsitec.net config + DNS records (steps 1+2)
CONTRACT_001 amendments: hosts.git, vm.sshPort (default 22; VM uses 222), cloudflare.zoneId. config.ts + lib/context.ts (provider host uses sshPort). - components/dns.ts: forge/vault/s3/git.olsitec.net A -> VM (DNS-only, own CF provider from encrypted token). Deployed + verified authoritative = 204.168.234.72. - Pulumi.foundation.yaml: real config (olsitec.net, vm 204.168.234.72:222, letsencrypt-dns01) + encrypted secrets (cloudflare token, offsite creds). Master passphrase: pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE. - run.sh: reproducible deploy (passphrase + ssh key from pass/home). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
db47037bdc
commit
185be52763
10 changed files with 141 additions and 60 deletions
|
|
@ -1,46 +1,34 @@
|
|||
# Pulumi.foundation.yaml — stack config for the single `foundation` stack.
|
||||
# Pulumi.foundation.yaml — stack config for the `foundation` stack (initial Hetzner home).
|
||||
#
|
||||
# THIS FILE CONTAINS NON-SECRET PLACEHOLDERS ONLY (CONTRACT_001 §1.2).
|
||||
# All keys here are reproducible/derivable and safe to commit in plaintext.
|
||||
# NON-SECRET values only here (CONTRACT_001 §1.2) — safe to commit in plaintext.
|
||||
# Secrets (CONTRACT_001 §1.3) are added by `pulumi config set --secret` as
|
||||
# `secure: v1:…` (passphrase-encrypted): foundation:cloudflareApiToken,
|
||||
# foundation:backup.offsiteAccessKey/SecretKey, and later vaultCredentials:*.
|
||||
#
|
||||
# NO secrets are committed yet (CONTRACT_001 §1.3). The secret keys
|
||||
# vaultCredentials:rootToken, vaultCredentials:unsealKeys,
|
||||
# foundation:cloudflareApiToken, foundation:backup.offsiteAccessKey/SecretKey
|
||||
# are added by LATER tasks as `secure: v1:…` passphrase-encrypted values
|
||||
# (T05 Vault init capture, etc.). There is intentionally NO `encryptionsalt`
|
||||
# line yet because no secret has been encrypted into this stack — committing an
|
||||
# encryptionsalt (or any secret material) is forbidden by baseline D2.
|
||||
#
|
||||
# OPERATOR NOTE: every `pulumi preview/up` under the passphrase provider rewrites
|
||||
# this file — it appends an `encryptionsalt:` line and quotes scalars ("2222",
|
||||
# "true"). Before committing, STRIP any `encryptionsalt:` line that Pulumi added
|
||||
# (no secret depends on it yet; D2 forbids committing it). The loader (config.ts)
|
||||
# reads scalars via getNumber/getBoolean, so quoted or unquoted both parse.
|
||||
#
|
||||
# Image digests are NOT here — they live in foundation/VERSIONS (determinism, D5).
|
||||
# Master passphrase: pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE (the ONE
|
||||
# external secret). Image digests live in foundation/VERSIONS, not here (D5).
|
||||
config:
|
||||
# --- identity / networking (CONTRACT_001) ---
|
||||
foundation:baseDomain: olsitec.de
|
||||
foundation:hosts.forge: forge.olsitec.de
|
||||
foundation:hosts.vault: vault.olsitec.de
|
||||
foundation:hosts.s3: s3.olsitec.de
|
||||
foundation:forgeSshPort: 2222
|
||||
|
||||
# --- deployment target (Docker-over-SSH provider; key path comes from ENV) ---
|
||||
# Placeholder VM coordinates — replaced with the real foundation VM in Phase 0 / T03+.
|
||||
foundation:vm.host: 192.0.2.10
|
||||
foundation:vm.user: deploy
|
||||
|
||||
# --- container plane (CONTRACT_003 §3.1) ---
|
||||
# --- identity / networking (real: olsitec.net) ---
|
||||
foundation:baseDomain: olsitec.net
|
||||
foundation:hosts.forge: forge.olsitec.net
|
||||
foundation:hosts.vault: vault.olsitec.net
|
||||
foundation:hosts.s3: s3.olsitec.net
|
||||
foundation:hosts.git: git.olsitec.net
|
||||
foundation:forgeSshPort: "2222"
|
||||
# --- deployment target: the Helsinki cx33 VM (Docker-over-SSH, port 222) ---
|
||||
foundation:vm.host: 204.168.234.72
|
||||
foundation:vm.user: root
|
||||
foundation:vm.sshPort: "222"
|
||||
# --- container plane (CONTRACT_003) ---
|
||||
foundation:network.name: foundation-net
|
||||
foundation:network.subnet: 172.30.0.0/24
|
||||
foundation:dataRoot: /srv/foundation
|
||||
|
||||
# --- TLS strategy (day-zero starts internal-ca, switch to LE later — CONTRACT_001) ---
|
||||
foundation:tls.mode: internal-ca
|
||||
foundation:tls.acmeEmail: platform@olsitec.de
|
||||
|
||||
# --- fixed names (derived, non-secret; creds are generated → Vault) ---
|
||||
# --- TLS: real Let's Encrypt via Cloudflare DNS-01 ---
|
||||
foundation:tls.mode: letsencrypt-dns01
|
||||
foundation:tls.acmeEmail: a.niemann@olsitec.de
|
||||
# --- Cloudflare (DNS records + DNS-01); token is a SECRET set separately ---
|
||||
foundation:cloudflare.zoneId: 27e587d5574d5fd6e2cf75b9e914a02c
|
||||
# --- fixed names (derived, non-secret; creds generated → Vault) ---
|
||||
foundation:postgres.db: foundation
|
||||
foundation:postgres.forgejoDb: forgejo
|
||||
foundation:rustfs.buckets:
|
||||
|
|
@ -50,23 +38,25 @@ config:
|
|||
- foundation-backups
|
||||
foundation:forgejo.adminUser: platform-admin
|
||||
foundation:forgejo.orgName: olsitec
|
||||
# PLAN-001 §4a runner labels (docker + dind backends).
|
||||
foundation:runner.labels:
|
||||
- docker:docker://node:20-bookworm
|
||||
- dind:docker://-
|
||||
|
||||
# --- credential feature flags (ADR-002; selects what @pulumi/random generates) ---
|
||||
# NOTE: index.ts is a T02 no-op scaffold — these flags create NOTHING yet.
|
||||
# They are committed so the typed surface is complete and later tasks read them.
|
||||
foundation:features.postgres: true
|
||||
foundation:features.rustfs: true
|
||||
foundation:features.forgejo: true
|
||||
foundation:features.runner: true
|
||||
foundation:features.backup: true
|
||||
foundation:features.registry: true
|
||||
|
||||
# --- backup (offsite creds are SECRET → seeded later, not here) ---
|
||||
# --- credential feature flags (ADR-002) ---
|
||||
foundation:features.postgres: "true"
|
||||
foundation:features.rustfs: "true"
|
||||
foundation:features.forgejo: "true"
|
||||
foundation:features.runner: "true"
|
||||
foundation:features.backup: "true"
|
||||
foundation:features.registry: "true"
|
||||
# --- backup: offsite = home Synology MinIO (CONTRACT_004); creds are SECRET ---
|
||||
foundation:backup.bucket: foundation-backups
|
||||
foundation:backup.offsiteEndpoint: https://offsite.example.invalid:9000
|
||||
foundation:backup.retentionDaily: 7
|
||||
foundation:backup.retentionWeekly: 4
|
||||
foundation:backup.offsiteEndpoint: https://minio.wob.olsitec.de:19000
|
||||
foundation:backup.retentionDaily: "7"
|
||||
foundation:backup.retentionWeekly: "4"
|
||||
foundation:cloudflareApiToken:
|
||||
secure: v1:xDFqTVZxRm2nvIrQ:ddjNyqKi4C27Fppp9YA0B+gNZPtjWig/NBC6y9dR3cQ8xfNfwEsEHxvRgn8aUTH9UrmjXtLEoYk=
|
||||
foundation:backup.offsiteAccessKey:
|
||||
secure: v1:svEvJ5K9u+FMnpV/:RztjS8VMSxrdgpBtbNpBPA6gfPLVgnABp77diBC6nWGHZRnG
|
||||
foundation:backup.offsiteSecretKey:
|
||||
secure: v1:lkkGBjgmJqVziusc:gpmw5lkfFAjXzeFikhtQnvWObYpKD3Bq5XSmrBA/vlLaoqqxFGAAO4Cq7V8nOLZ926x3fXukPQI=
|
||||
encryptionsalt: v1:5YhUt8BVfH0=:v1:DPCHl+7zwn4RaMPj:A19tZzBlZ1NmDtTWrHreEKk5e8idyw==
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue