foundation/bootstrap/Pulumi.foundation.yaml
Andreas Niemann 57c4eadea7 feat(bootstrap): Bun-workspace skeleton + typed config + vendored modules — T02
- Bun workspaces (packages/* + bootstrap); Pulumi nodejs runtime under
  packagemanager: bun (no npm fallback needed).
- bootstrap/config.ts: typed FoundationConfig per CONTRACT_001; loadConfig()
  fails closed, aggregating all missing+malformed keys in one error. Reads flat
  dotted keys; image digests excluded (they live in VERSIONS, D5).
- bootstrap/Pulumi.foundation.yaml: non-secret placeholders only (RFC-5737 vm.host,
  .invalid offsite); no encryptionsalt/secrets committed (D2). pulumi preview = 0
  resources under the passphrase provider via gitignored file:// state backend.
- Stage-1 vendoring: packages/pulumi-{docker,vault} as @olsitec/* (source-only,
  logic unchanged). vault's 5 type-only imports from modules/olsitec re-homed
  verbatim into pulumi-vault/olsitec-types.ts to keep the egg self-contained.

Realizes PLAN-002 §10 T02; ADR-005 / 000_TOPOLOGY.md §5 Stage-1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-30 18:06:21 +02:00

72 lines
3.2 KiB
YAML

# Pulumi.foundation.yaml — stack config for the single `foundation` stack.
#
# THIS FILE CONTAINS NON-SECRET PLACEHOLDERS ONLY (CONTRACT_001 §1.2).
# All keys here are reproducible/derivable and safe to commit in plaintext.
#
# NO secrets are committed yet (CONTRACT_001 §1.3). The secret keys
# vaultCredentials:rootToken, vaultCredentials:unsealKeys,
# foundation:cloudflareApiToken, foundation:backup.offsiteAccessKey/SecretKey
# are added by LATER tasks as `secure: v1:…` passphrase-encrypted values
# (T05 Vault init capture, etc.). There is intentionally NO `encryptionsalt`
# line yet because no secret has been encrypted into this stack — committing an
# encryptionsalt (or any secret material) is forbidden by baseline D2.
#
# OPERATOR NOTE: every `pulumi preview/up` under the passphrase provider rewrites
# this file — it appends an `encryptionsalt:` line and quotes scalars ("2222",
# "true"). Before committing, STRIP any `encryptionsalt:` line that Pulumi added
# (no secret depends on it yet; D2 forbids committing it). The loader (config.ts)
# reads scalars via getNumber/getBoolean, so quoted or unquoted both parse.
#
# Image digests are NOT here — they live in foundation/VERSIONS (determinism, D5).
config:
# --- identity / networking (CONTRACT_001) ---
foundation:baseDomain: olsitec.de
foundation:hosts.forge: forge.olsitec.de
foundation:hosts.vault: vault.olsitec.de
foundation:hosts.s3: s3.olsitec.de
foundation:forgeSshPort: 2222
# --- deployment target (Docker-over-SSH provider; key path comes from ENV) ---
# Placeholder VM coordinates — replaced with the real foundation VM in Phase 0 / T03+.
foundation:vm.host: 192.0.2.10
foundation:vm.user: deploy
# --- container plane (CONTRACT_003 §3.1) ---
foundation:network.name: foundation-net
foundation:network.subnet: 172.30.0.0/24
foundation:dataRoot: /srv/foundation
# --- TLS strategy (day-zero starts internal-ca, switch to LE later — CONTRACT_001) ---
foundation:tls.mode: internal-ca
foundation:tls.acmeEmail: platform@olsitec.de
# --- fixed names (derived, non-secret; creds are generated → Vault) ---
foundation:postgres.db: foundation
foundation:postgres.forgejoDb: forgejo
foundation:rustfs.buckets:
- forgejo-packages
- forgejo-artifacts
- forgejo-lfs
- foundation-backups
foundation:forgejo.adminUser: platform-admin
foundation:forgejo.orgName: olsitec
# PLAN-001 §4a runner labels (docker + dind backends).
foundation:runner.labels:
- docker:docker://node:20-bookworm
- dind:docker://-
# --- credential feature flags (ADR-002; selects what @pulumi/random generates) ---
# NOTE: index.ts is a T02 no-op scaffold — these flags create NOTHING yet.
# They are committed so the typed surface is complete and later tasks read them.
foundation:features.postgres: true
foundation:features.rustfs: true
foundation:features.forgejo: true
foundation:features.runner: true
foundation:features.backup: true
foundation:features.registry: true
# --- backup (offsite creds are SECRET → seeded later, not here) ---
foundation:backup.bucket: foundation-backups
foundation:backup.offsiteEndpoint: https://offsite.example.invalid:9000
foundation:backup.retentionDaily: 7
foundation:backup.retentionWeekly: 4