feat(bootstrap): real olsitec.net config + DNS records (steps 1+2)
CONTRACT_001 amendments: hosts.git, vm.sshPort (default 22; VM uses 222), cloudflare.zoneId. config.ts + lib/context.ts (provider host uses sshPort).
- components/dns.ts: forge/vault/s3/git.olsitec.net A -> VM (DNS-only, own CF provider from encrypted token). Deployed + verified authoritative = 204.168.234.72.
- Pulumi.foundation.yaml: real config (olsitec.net, vm 204.168.234.72:222, letsencrypt-dns01) + encrypted secrets (cloudflare token, offsite creds). Master passphrase: pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE.
- run.sh: reproducible deploy (passphrase + ssh key from pass/home).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
db47037bdc
commit
185be52763
10 changed files with 141 additions and 60 deletions
@ -101,3 +101,18 @@ Namespace **`vaultCredentials:`** and **`foundation:`** as appropriate:
Adding a service = add its `features.<x>` flag + its fixed names here, then its Vault keys in
CONTRACT_002 and its container in CONTRACT_003. Breaking key renames require a minor version note in
this contract and a coordinated update across consumers.
|
---
|
## Amendment 2026-06-30 (steps 1+2)
|
Added to the typed surface (FoundationConfig):
- **`hosts.git`** — `git.olsitec.net`, dedicated Git-over-SSH host (forge+vault+s3+git set).
- **`vm.sshPort`** — optional number, **default 22**; the test/initial Helsinki VM uses **222**
(the vendored hetzner cloud-init moves sshd to 222). `lib/context.ts` builds the Docker-over-SSH
provider host as `ssh://<user>@<host>:<sshPort>`.
- **`cloudflare.zoneId`** — non-secret zone id for DNS records + ACME DNS-01. The matching API token
is the secret `foundation:cloudflareApiToken` (§1.3).
|
The `foundation` stack is now the **initial Hetzner home** (olsitec.net, vm `204.168.234.72:222`).
Master passphrase: `pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE` (the single external secret).
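Review bot: `hosts.git` is added as a new fixed host name without the counterparts the unchanged context above requires ("Adding a service = add its `features.<x>` flag + its fixed names here, then its Vault keys in CONTRACT_002 and its container in CONTRACT_003"): no `features.git` flag is mentioned and no CONTRACT_002/CONTRACT_003 cross-reference is given; either add those or state explicitly that git is covered by the existing forge feature. Two smaller points: the last line calls the Pulumi passphrase "the single external secret", but the commit message says `run.sh` also pulls the SSH key from pass/home, so either reword to "the single external secret Pulumi needs" or list both; and the live address `204.168.234.72:222` plus the `pass` entry path are deployment-specific values that belong in `Pulumi.foundation.yaml`, so the contract should point there rather than embed them.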