CONTRACT_001 amendments: hosts.git, vm.sshPort (default 22; VM uses 222), cloudflare.zoneId. config.ts + lib/context.ts (provider host uses sshPort).
- components/dns.ts: forge/vault/s3/git.olsitec.net A -> VM (DNS-only, own CF provider from encrypted token). Deployed + verified authoritative = 204.168.234.72.
- Pulumi.foundation.yaml: real config (olsitec.net, vm 204.168.234.72:222, letsencrypt-dns01) + encrypted secrets (cloudflare token, offsite creds). Master passphrase: pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE.
- run.sh: reproducible deploy (passphrase + ssh key from pass/home).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
9 lines
578 B
Bash
Executable file
#!/usr/bin/env bash
# Reproducible foundation deploy. Master passphrase = the single external secret.
set -euo pipefail
DIR="$(cd "$(dirname "$0")" && pwd)"
export PULUMI_CONFIG_PASSPHRASE="$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)"
# Test/initial deploy uses the dedicated VM key on port 222 (config carries host+port).
export SSH_PRIVATE_KEY_PATH="${SSH_PRIVATE_KEY_PATH:-${HOME}/.ssh/foundation-test_ed25519}"
pulumi login "file://${DIR}/state" >/dev/null
( cd "$DIR" && (pulumi stack select foundation 2>/dev/null || pulumi stack init foundation) && pulumi "$@" )
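Review bot: In `export PULUMI_CONFIG_PASSPHRASE="$(pass olsitec-foundation/PULUMI_CONFIG_PASSPHRASE)"` the exit status of `export` replaces that of the command substitution, so `set -e` does not stop the script when `pass` fails (locked store, missing entry) and the variable is exported empty while the deploy carries on. Assign first and export on a separate line (`PULUMI_CONFIG_PASSPHRASE="$(pass ...)"` followed by `export PULUMI_CONFIG_PASSPHRASE`) so a failed lookup aborts the run. On the last line, `pulumi stack select foundation 2>/dev/null || pulumi stack init foundation` discards the reason a select failed and runs `stack init` on any error, not only when the stack is missing; `pulumi stack select --create foundation`, or leaving stderr visible, keeps that failure diagnosable. The default `SSH_PRIVATE_KEY_PATH` is also used without checking that the key file exists, so a missing key only surfaces later inside the provider.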