foundation/bootstrap
Andreas Niemann 9618da1421 feat(bootstrap): forgejo actions runner (T10)
foundation-runner (forgejo/runner:6, digest-pinned). Registration is idempotent
(ADR-007): it reuses /data/.runner if present, else mints a token via
`forgejo actions generate-runner-token` and consumes it with `forgejo-runner
register` (the token never leaves the VM). The daemon runs as uid 1000 with the
host docker group (gid 996) added for socket access — root-equivalent and
co-located, the documented day-zero compromise (PLAN-002 R5 / PLAN-001 §4a); a
fenced or separate runner VM is the steady state.

Live on cx33 Helsinki: runner declared (labels docker,dind) and polling; a
hello-world `runs-on: docker` workflow pushed to olsitec/foundation ran to
success (workflow run #1). Acceptance T10 met.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 22:38:37 +02:00
..
components feat(bootstrap): forgejo actions runner (T10) 2026-06-30 22:38:37 +02:00
lib feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
config.ts feat(bootstrap): real olsitec.net config + DNS records (steps 1+2) 2026-06-30 20:47:30 +02:00
index.ts feat(bootstrap): forgejo actions runner (T10) 2026-06-30 22:38:37 +02:00
package.json feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
Pulumi.foundation.yaml feat(bootstrap): vault init/unseal + capture to encrypted config (T05) 2026-06-30 21:32:52 +02:00
Pulumi.yaml feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02 2026-06-30 18:06:21 +02:00
run.sh feat(bootstrap): vault init/unseal + capture to encrypted config (T05) 2026-06-30 21:32:52 +02:00
tsconfig.json feat(bootstrap): postgres data-plane + remote helper (T03) 2026-06-30 21:10:34 +02:00
vault-unseal.sh feat(bootstrap): vault init/unseal + capture to encrypted config (T05) 2026-06-30 21:32:52 +02:00