feat(bootstrap): forgejo admin + org + repo + operator key (T09)
bootstrapForgejo (idempotent, docker-exec — ADR-007) creates the headless admin via `forgejo admin user create` (run as the git user; no web installer, no default credentials — PLAN-002 §9.3), then via the image's own curl against the API: the olsitec org, an auto-init'd olsitec/foundation repo, and the operator's SSH public key. credentials.ts gains the forgejo admin slice (@pulumi/random) and writeCredentialsToVault now also writes foundation/forgejo/service-credentials. Live on cx33 Helsinki: admin + org + repo + key created. GOAL MET — `git clone git@git.olsitec.net:olsitec/foundation.git` (scp-form, :22) and `ssh://git@git.olsitec.net:2222/olsitec/foundation.git` both clone the repo. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
f1e1d6facd
commit
3a297d021e
3 changed files with 134 additions and 6 deletions
|
|
@ -35,10 +35,22 @@ export interface RustfsCredentials {
|
|||
serviceKeySecret: pulumi.Output<string>;
|
||||
}
|
||||
|
||||
/**
|
||||
* `foundation/forgejo/service-credentials` — the admin slice (CONTRACT_002 §2.3).
|
||||
* The crypto secrets (forgejoSecretKey/InternalToken/Jwt*) are auto-generated by
|
||||
* Forgejo into its app.ini (format-constrained — JWTs, not free random), so they
|
||||
* are not generated here; capturing them into Vault is a later refinement.
|
||||
*/
|
||||
export interface ForgejoCredentials {
|
||||
adminUser: string; // cfg.forgejo.adminUser (deterministic)
|
||||
adminPassword: pulumi.Output<string>;
|
||||
}
|
||||
|
||||
/** Everything generateCredentials() produces; grows as Wave-2 tasks land. */
|
||||
export interface FoundationCredentials {
|
||||
postgres: PostgresCredentials;
|
||||
rustfs: RustfsCredentials;
|
||||
forgejo: ForgejoCredentials;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -64,6 +76,10 @@ export function generateCredentials(ctx: DeployCtx): FoundationCredentials {
|
|||
serviceKeyId: secret("rustfs-service-key-id", 20), // S3 access-key id
|
||||
serviceKeySecret: secret("rustfs-service-key-secret", 40), // S3 secret
|
||||
},
|
||||
forgejo: {
|
||||
adminUser: ctx.cfg.forgejo.adminUser, // "platform-admin"
|
||||
adminPassword: secret("forgejo-admin-password"),
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
|
|
@ -82,6 +98,7 @@ IFS= read -r PG_FORGEJO_PW
|
|||
IFS= read -r RUSTFS_ADMIN_PW
|
||||
IFS= read -r RUSTFS_SVC_ID
|
||||
IFS= read -r RUSTFS_SVC_SECRET
|
||||
IFS= read -r FORGEJO_ADMIN_PW
|
||||
C=foundation-vault
|
||||
VE="-e VAULT_ADDR=http://127.0.0.1:8200 -e VAULT_TOKEN=$ROOT_TOKEN"
|
||||
|
||||
|
|
@ -99,7 +116,11 @@ jq -n --arg u "$RUSTFS_ADMIN_USER" --arg p "$RUSTFS_ADMIN_PW" --arg ki "$RUSTFS_
|
|||
'{rustfsAdminUser:$u,rustfsAdminPassword:$p,rustfsServiceKeyId:$ki,rustfsServiceKeySecret:$ks}' \
|
||||
| put rustfs/service-credentials
|
||||
|
||||
echo "vault: wrote postgres + rustfs service-credentials"`;
|
||||
jq -n --arg u "$FORGEJO_ADMIN_USER" --arg p "$FORGEJO_ADMIN_PW" \
|
||||
'{forgejoAdminUser:$u,forgejoAdminPassword:$p}' \
|
||||
| put forgejo/service-credentials
|
||||
|
||||
echo "vault: wrote postgres + rustfs + forgejo service-credentials"`;
|
||||
|
||||
/**
|
||||
* T06 — distribute the generated data-plane credentials into Vault (CONTRACT_002).
|
||||
|
|
@ -115,6 +136,7 @@ export function writeCredentialsToVault(
|
|||
const create = pulumi.interpolate`PG_SUPER_USER='${creds.postgres.superUser}'
|
||||
PG_FORGEJO_USER='${creds.postgres.forgejoDbUser}'
|
||||
RUSTFS_ADMIN_USER='${creds.rustfs.adminUser}'
|
||||
FORGEJO_ADMIN_USER='${creds.forgejo.adminUser}'
|
||||
${WRITE_CREDS}`;
|
||||
|
||||
return new command.remote.Command(
|
||||
|
|
@ -129,6 +151,7 @@ ${creds.postgres.forgejoDbPassword}
|
|||
${creds.rustfs.adminPassword}
|
||||
${creds.rustfs.serviceKeyId}
|
||||
${creds.rustfs.serviceKeySecret}
|
||||
${creds.forgejo.adminPassword}
|
||||
`,
|
||||
addPreviousOutputInEnv: false,
|
||||
triggers: [
|
||||
|
|
@ -138,6 +161,7 @@ ${creds.rustfs.serviceKeySecret}
|
|||
creds.rustfs.adminPassword,
|
||||
creds.rustfs.serviceKeyId,
|
||||
creds.rustfs.serviceKeySecret,
|
||||
creds.forgejo.adminPassword,
|
||||
],
|
||||
},
|
||||
{ dependsOn: [vault.init] },
|
||||
|
|
|
|||
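Review bot: In the `@ -99,7 +116,11` hunk the new `jq -n --arg u "$FORGEJO_ADMIN_USER" --arg p "$FORGEJO_ADMIN_PW"` puts the admin password on jq's argv, so for the lifetime of that process it is readable by any local user via `ps` or `/proc/<pid>/cmdline`, which undoes the care taken to feed it through `IFS= read -r` on stdin rather than as an argument. Passing it through the environment instead keeps it off the command line: `export FORGEJO_ADMIN_USER FORGEJO_ADMIN_PW` followed by `jq -n '{forgejoAdminUser:env.FORGEJO_ADMIN_USER,forgejoAdminPassword:env.FORGEJO_ADMIN_PW}' | put forgejo/service-credentials`. The existing postgres and rustfs jq calls in the same hunk have the same exposure and would take the same change; `put` and the script's preamble are defined outside these hunks, so where jq actually executes (host or container) should be confirmed before relying on process-visibility assumptions. In the `@ -115,6 +136,7` hunk, `FORGEJO_ADMIN_USER='${creds.forgejo.adminUser}'` is spliced into the shell text inside single quotes; since it comes from `cfg.forgejo.adminUser` this is operator-controlled, but a short comment such as `// adminUser is config-sourced; must not contain a single quote (shell-quoted below)` would make the constraint explicit.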