feat(bootstrap): real olsitec.net config + DNS records (steps 1+2)

CONTRACT_001 amendments: hosts.git, vm.sshPort (default 22; VM uses 222),
cloudflare.zoneId. config.ts + lib/context.ts (provider host uses sshPort).
- components/dns.ts: forge/vault/s3/git.olsitec.net A -> VM (DNS-only, own CF
  provider from encrypted token). Deployed + verified authoritative = 204.168.234.72.
- Pulumi.foundation.yaml: real config (olsitec.net, vm 204.168.234.72:222,
  letsencrypt-dns01) + encrypted secrets (cloudflare token, offsite creds).
  Master passphrase: pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE.
- run.sh: reproducible deploy (passphrase + ssh key from pass/home).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Andreas Niemann 2026-06-30 20:47:30 +02:00
parent db47037bdc
commit 185be52763
10 changed files with 141 additions and 60 deletions

View file

@ -8,6 +8,7 @@
import { loadConfig } from "./config";
import { buildBaseContext, DeployCtx } from "./lib/context";
import { deployNetwork } from "./components/network";
import { deployDns } from "./components/dns";
const cfg = loadConfig();
@ -16,6 +17,10 @@ const base = buildBaseContext(cfg);
const network = deployNetwork(base);
const ctx: DeployCtx = { ...base, network };
// --- public DNS records → the VM (independent of the container plane) ---
const dnsRecords = deployDns(ctx);
export const dnsHosts = dnsRecords.map((r) => r.name);
// =============================================================================
// PHASE 3 — DATA PLANE (depends on: network)
// T03 postgres · T04 rustfs · T05 vault (sealed)