Commit graph

2 commits

Author SHA1 Message Date
dda83bdc87 feat(ci): baked CI image + runner config + self-check workflow (T14)
All checks were successful
CI / preflight (push) Successful in 19s
CI / typecheck (push) Successful in 27s
Stand up the foundation's own CI on its Forgejo runner. The committed scope here
is the self-contained half (toolchain + typecheck); the stack-state-dependent
pipelines (pulumi preview, backup-verify) need CI secrets + a state fetch and
land next.

- containers/ci-image/Dockerfile + VERSIONS IMAGE_CI: one baked image carrying
  exactly what preflight validates (pulumi/bun/node/docker/git/age/zstd/jq/vault/
  psql/mc). Built on the VM (like caddy-cloudflare) and used LOCALLY by the runner.
- runner.ts: give act_runner a config.yaml — container.network=foundation-net (so
  job containers reach foundation-forgejo:3000 for checkout + the data plane) and
  force_pull=false (use the local foundation-ci image, no registry). Self-heals on up.
- .forgejo/workflows/ci.yml: preflight (tools + versions vs VERSIONS pins) +
  typecheck (bun install + tsc --noEmit on bootstrap). Gates every push.
- run.sh / backup.sh / restore.sh / dr: take PULUMI_CONFIG_PASSPHRASE from env when
  set (CI secret), falling back to `pass` (operator) — so the scripts run pass-free
  in CI.

Reusable-workflows architecture (per the chosen direction) — the ecosystem CI
(semantic-release, docker/npm/bun builds, eslint/yamllint over the 999_testing.md
candidates) builds on this image + runner next phase.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-07-01 00:15:01 +02:00
d807a45c79 feat(dr): disaster restore to a fresh VM + runbook (T13)
Rehearsed and validated. The destructive sibling of backup/restore.sh:
rebuilds the ENTIRE egg on a fresh, Docker-equipped VM from the offsite,
age-encrypted bundle, in the mandated order (CONTRACT_004 §4.4):
Vault -> Postgres -> RustFS -> Forgejo.

- restore-to-fresh-vm.sh (operator): pulls the disaster-survivable secret set
  from passphrase-encrypted config (age identity + Vault OLD unseal keys/root
  token), ships VERSIONS + the VM-side restorer, runs it (secrets on stdin).
- restore-to-fresh-vm-remote.sh (VM-side): decrypt+verify bundle; restore Vault
  (init throwaway -> raft snapshot restore -force -> re-unseal with OLD keys,
  with a settle+retry loop because -force re-seals asynchronously); read every
  other service's creds back out of the restored Vault; restore Postgres, RustFS
  (buckets + scoped service account + blobs), and Forgejo (full /data incl.
  app.ini); publish git :22 only when free.
- RUNBOOK.md: the human procedure, the {repo+passphrase+offsite} trust chain,
  and §5 re-establish-ingress (DNS, Caddy, runner, re-key).

Rehearsal (throwaway cx33, offsite source, then destroyed): DR RESTORE OK —
Vault unsealed with OLD keys, postgres rows=2, forge healthy against restored
DB+S3, `git clone ssh://git@<vm>:2222/olsitec/foundation.git` returns all 28
commits, ai-baseline present. Trust chain proven end-to-end.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 23:58:07 +02:00