From c6fcbec129ce7da509da9c788fec0c09d7c9e986 Mon Sep 17 00:00:00 2001
From: Natalie
Date: Mon, 29 Jun 2026 21:32:20 -0400
Subject: [PATCH] chore(forge): update git origin to ct-forge with orgname cocotte and refresh examples/comments

Co-Authored-By: Claude Opus 4.8
---
 infra/terraform/ci-runners-fleet/GOLIVE.md | 57 ++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 infra/terraform/ci-runners-fleet/GOLIVE.md

diff --git a/infra/terraform/ci-runners-fleet/GOLIVE.md b/infra/terraform/ci-runners-fleet/GOLIVE.md
new file mode 100644
index 0000000..d06cc11
--- /dev/null
+++ b/infra/terraform/ci-runners-fleet/GOLIVE.md
@@ -0,0 +1,57 @@ +# Prospector CI/CD — go-live runbook + +What's already live vs. what needs an operator (prod-host writes + secrets the +auto session can't/ shouldn't do). + +## Live now +- **Runner**: one combined DO droplet (`ct-forge-ci-runner-0`, currently + `174.138.64.243`), in the lilith **store VPC**, labels + `self-hosted,linux,do,ct-forge,prospector,people,mac-sync,mr-number,redroid`, + carrying `quinn-ci-deploy`. Registered to `forge.ct.uvlava.com:3000`. + Managed by `../ci-runners` (state there). Scale to 0: + `terraform -chdir=../ci-runners apply -var=runners=0 ...`. +- **Per-service fleet** (`./`): authored + validated. Split the combined runner + into per-service pools later with `terraform apply -var=_runners=N`. +- **CI**: green path works as soon as workflows are pushed (build/test on the runner). + +## Workflows authored (uncommitted — pushing = go-live trigger) +| repo | file | on push to main | +|---|---|---| +| cocotte/prospector | `.forgejo/workflows/ci.yml` | verify + **deploy lime:3210** | +| cocotte/macsync | `.forgejo/workflows/{server,web}.yml` (retargeted) + `deploy-server.yml` | verify + **deploy lime:3201** | +| cocotte/redroid-mrnumber | `.forgejo/workflows/ci.yml` | verify + **deploy redroid box** | +| cocotte/redroid | `.forgejo/workflows/ci.yml` | CI-only | +| cocotte/cocottetech | `.forgejo/workflows/people-service.yml` | verify + **deploy lime:3061** | + +## Operator steps (prod writes / secrets — run yourself or grant `Bash(ssh lime *)`) + +### 1. Authorize the deploy key on the targets +```bash +# lime (reachable over WG 10.9.0.5): +ssh root@10.9.0.5 "grep -qF quinn-ci-deploy ~/.ssh/authorized_keys || echo '$(cat ~/.ssh/quinn-ci-deploy.pub)' >> ~/.ssh/authorized_keys" +# redroid box (NOT reachable from plum right now — do it from a host that can, +# e.g. via the id_ed25519_1984 console path): +# echo '' >> /root/.ssh/authorized_keys # on 10.20.0.4 +``` + +### 2. 
One-time service bootstrap on lime (targets are greenfield — no units yet) +Follow `applications/prospector/docs/features/deploy.md` §2–6 for BOTH prospector +and people-service (DBs on the managed PG cluster, migrations, `/opt//.env` +with DB creds + service tokens, systemd units, `systemctl enable --now`). mac-sync +bootstraps via its own `deploy/deploy-server.sh` + `deploy/systemd/`. After this, +the CD jobs' `systemctl restart` path takes over for every subsequent push. + +### 3. sales.transquinnftw.com edge (on lime) +- DNS: add `sales.transquinnftw.com A 209.38.51.98` at **joker.com** (not DO-delegated). +- Firewall: allow inbound 80+443 on the backend droplet (add to uvlava `network.tf`). +- Caddy: install `applications/prospector/deploy/edge/sales.transquinnftw.com.Caddyfile` + → `/etc/caddy/Caddyfile`, `systemctl restart caddy`. + +### 4. Trigger go-live (per repo, after 1–3) +```bash +git -C add .forgejo .infra.yaml deploy && \ +git -C commit -m "ci: per-service ct-forge runner pipeline" && git -C push +``` +First push runs CI on the runner; deploy runs once the unit/env exist. +NOTE: applications/macsync CLAUDE.md says "NEVER commit" (legacy ACS rule) — commit it yourself. +```
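Review bot: The commit subject ("update git origin to ct-forge with orgname cocotte and refresh examples/comments") does not describe this hunk, which only adds `infra/terraform/ci-runners-fleet/GOLIVE.md`; retitle it to say a go-live runbook is being added so the history stays searchable. Inside the runbook, several placeholders appear to have been lost, leaving commands that cannot run as written: in step 4 `git -C add .forgejo .infra.yaml deploy && \` and `git -C commit -m "ci: per-service ct-forge runner pipeline" && git -C push` pass no path to `-C`, and the same gap shows in `/opt//.env`, `-var=_runners=N` and `echo '' >> /root/.ssh/authorized_keys`; spell the placeholders out in a form that survives rendering (for example `$REPO`, `$SERVICE`, `$PUBKEY`). The file also ends with a stray ``` after the `NOTE:` line, which opens an unterminated fence in the rendered markdown. In step 1 the CI deploy key is appended to root's `authorized_keys` on lime although the CD jobs only need a `systemctl restart`; prefer a dedicated deploy user, or an `authorized_keys` entry prefixed with `restrict,command="..."`, so a compromised runner cannot get an unrestricted root shell on the production host, and note that the idempotency check `grep -qF quinn-ci-deploy` matches only the key comment, not the key material. Finally, the "Operator steps" heading offers to "grant `Bash(ssh lime *)`" to the automated session, which contradicts the opening statement that prod-host writes and secrets are things the auto session "can't/ shouldn't do"; keep these steps operator-only and drop that alternative from the heading.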