olsitec-foundation platform repo
Close the known gap: foundation/forgejo/service-credentials held only the admin user/pw; the crypto secrets Forgejo auto-generates into app.ini were never captured. Make that path single-owned at GATE B and write admin + crypto together. - credentials.ts: drop the forgejo block from the GATE-A writer (its crypto secrets don't exist until Forgejo first-starts) and add writeForgejoCredentialsToVault — runs after forgejo.ready, reads SECRET_KEY, INTERNAL_TOKEN, LFS_JWT_SECRET ([server]) and oauth2 JWT_SECRET straight off the live app.ini via docker-exec (ADR-007), and puts the full path. One writer per Vault path avoids a put/patch race on re-runs. - index.ts: wire it at GATE B (dependsOn vault.init + forgejo.ready). Keys: forgejoAdminUser, forgejoAdminPassword, forgejoSecretKey, forgejoInternalToken, forgejoJwtSecret, forgejoOauth2JwtSecret. Validated live: forgejo path now has all six; postgres/rustfs paths intact through the GATE-A writer replacement; idempotent at 43 unchanged. FINDING: forgejoSecretKey mirrors EMPTY — skipping the web installer (INSTALL_LOCK) left Forgejo's [security] SECRET_KEY unset. Fixed next commit. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .forgejo/workflows | ||
| backup | ||
| bootstrap | ||
| containers/caddy-cloudflare | ||
| documentation | ||
| dr | ||
| offsite-backup | ||
| packages | ||
| preflight | ||
| provision | ||
| .gitignore | ||
| bun.lock | ||
| package.json | ||
| README.md | ||
| VERSIONS | ||
olsitec-foundation
The self-hosting platform "egg": a single Pulumi project that brings up Forgejo (+ Actions +
OCI/npm registry), PostgreSQL, HashiCorp Vault, RustFS (S3), and a reverse proxy as plain OCI
containers on one VM — recoverable from {a VM, this repo, the master passphrase}.
This is Layer 0. Kubernetes, ArgoCD and everything else are Layer-1 consumers of this foundation (see ADR-004).
Layout
bootstrap/— the egg Pulumi project (phases, components, config).packages/— shared, publishable Pulumi modules (@olsitec/pulumi-*).preflight/— host & toolchain validation (run before any deploy).backup/,dr/— backup + disaster-recovery automation..forgejo/workflows/— CI (preflight, pulumi preview/up, backup-verify).documentation/— planning, ADRs, contracts, baseline overlay. Readdocumentation/000_baseline.mdanddocumentation/000_TOPOLOGY.mdfirst.
Status
Planning complete (PLAN-001 vision, PLAN-002 strategy, ADR-004/005 accepted). Implementation not yet started — next step is T00 (contracts) per PLAN-002 §10.
Recovery in one line
git clone this repo → set PULUMI_CONFIG_PASSPHRASE → ./preflight/preflight.sh →
pulumi up → restore latest offsite backup. Full procedure: dr/RUNBOOK.md (TBD, task T13).