chore(forge): update git origin to ct-forge with orgname cocotte and refresh examples/comments

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-29 21:32:20 -04:00 · 2026-06-29 21:32:20 -04:00 · c6fcbec129
commit c6fcbec129
parent 54daa39cad
1 changed files with 57 additions and 0 deletions
--- a/infra/terraform/ci-runners-fleet/GOLIVE.md
+++ b/infra/terraform/ci-runners-fleet/GOLIVE.md
@ -0,0 +1,57 @@
+# Prospector CI/CD — go-live runbook
+
+What's already live vs. what needs an operator (prod-host writes + secrets the
+auto session can't/ shouldn't do).
+
+## Live now
+- **Runner**: one combined DO droplet (`ct-forge-ci-runner-0`, currently
+  `174.138.64.243`), in the lilith **store VPC**, labels
+  `self-hosted,linux,do,ct-forge,prospector,people,mac-sync,mr-number,redroid`,
+  carrying `quinn-ci-deploy`. Registered to `forge.ct.uvlava.com:3000`.
+  Managed by `../ci-runners` (state there). Scale to 0:
+  `terraform -chdir=../ci-runners apply -var=runners=0 ...`.
+- **Per-service fleet** (`./`): authored + validated. Split the combined runner
+  into per-service pools later with `terraform apply -var=<svc>_runners=N`.
+- **CI**: green path works as soon as workflows are pushed (build/test on the runner).
+
+## Workflows authored (uncommitted — pushing = go-live trigger)
+| repo | file | on push to main |
+|---|---|---|
+| cocotte/prospector | `.forgejo/workflows/ci.yml` | verify + **deploy lime:3210** |
+| cocotte/macsync | `.forgejo/workflows/{server,web}.yml` (retargeted) + `deploy-server.yml` | verify + **deploy lime:3201** |
+| cocotte/redroid-mrnumber | `.forgejo/workflows/ci.yml` | verify + **deploy redroid box** |
+| cocotte/redroid | `.forgejo/workflows/ci.yml` | CI-only |
+| cocotte/cocottetech | `.forgejo/workflows/people-service.yml` | verify + **deploy lime:3061** |
+
+## Operator steps (prod writes / secrets — run yourself or grant `Bash(ssh lime *)`)
+
+### 1. Authorize the deploy key on the targets
+```bash
+# lime (reachable over WG 10.9.0.5):
+ssh root@10.9.0.5 "grep -qF quinn-ci-deploy ~/.ssh/authorized_keys || echo '$(cat ~/.ssh/quinn-ci-deploy.pub)' >> ~/.ssh/authorized_keys"
+# redroid box (NOT reachable from plum right now — do it from a host that can,
+# e.g. via the id_ed25519_1984 console path):
+#   echo '<quinn-ci-deploy.pub>' >> /root/.ssh/authorized_keys   # on 10.20.0.4
+```
+
+### 2. One-time service bootstrap on lime (targets are greenfield — no units yet)
+Follow `applications/prospector/docs/features/deploy.md` §2–6 for BOTH prospector
+and people-service (DBs on the managed PG cluster, migrations, `/opt/<svc>/.env`
+with DB creds + service tokens, systemd units, `systemctl enable --now`). mac-sync
+bootstraps via its own `deploy/deploy-server.sh` + `deploy/systemd/`. After this,
+the CD jobs' `systemctl restart` path takes over for every subsequent push.
+
+### 3. sales.transquinnftw.com edge (on lime)
+- DNS: add `sales.transquinnftw.com A 209.38.51.98` at **joker.com** (not DO-delegated).
+- Firewall: allow inbound 80+443 on the backend droplet (add to uvlava `network.tf`).
+- Caddy: install `applications/prospector/deploy/edge/sales.transquinnftw.com.Caddyfile`
+  → `/etc/caddy/Caddyfile`, `systemctl restart caddy`.
+
+### 4. Trigger go-live (per repo, after 1–3)
+```bash
+git -C <repo> add .forgejo .infra.yaml deploy && \
+git -C <repo> commit -m "ci: per-service ct-forge runner pipeline" && git -C <repo> push
+```
+First push runs CI on the runner; deploy runs once the unit/env exist.
+NOTE: applications/macsync CLAUDE.md says "NEVER commit" (legacy ACS rule) — commit it yourself.
+```