diff --git a/CHANGELOG.md b/CHANGELOG.md
index 03e2b30..1db7ac2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ Generated section is appended on release tag via `git-cliff` (see `.gitea/workfl
 ## [Unreleased]
 
 ### Added
-- feat(iac): scaffold orca-platform — manifests/, overlays/, vms/, dns/, scripts/, Makefile (M1.1)
+- feat(iac): scaffold orca-platform — manifests/, overlays/, dns/, scripts/, Makefile (M1.1)
 -
 
 ### Changed
diff --git a/README.md b/README.md
index 5a8f380..2387f84 100644
--- a/README.md
+++ b/README.md
@@ -29,11 +29,6 @@ The single source of truth for which container runs on which VM in which environ
 │ ├── dev/overlay.toml no-op; dev runs docker-compose per-service
 │ ├── stage/overlay.toml include manifests/stage/, image_tag=env-stage
 │ └── prod/overlay.toml include vm-{edge,control,data}, image_tag=env-prod
-├── vms/ # OpenStack VM specs (consumed by M1.2 provisioner)
-│ ├── vm-edge.toml m2.small, public IP, identity+infra
-│ ├── vm-control.toml m2.medium, private, control plane
-│ ├── vm-data.toml m2.medium, private, data plane (scale driver)
-│ └── stage.toml m2.small, public IP, ephemeral
 ├── dns/
 │ └── breakpilot.com.zone.template PowerDNS zone — body lands in M0.3
 ├── cluster.toml.tmpl # Cluster-level config (acme_email, backup, ai); rendered per env
@@ -63,7 +58,7 @@ Each stub manifest in `manifests/` carries a header comment naming the milestone
 | Milestone | What it fills in |
 |---|---|
 | **M0.3** | `vm-edge/powerdns-auth.toml`, DNS zone body, orca-proxy routes |
-| **M1.2** | VM provisioning (consumes `vms/*.toml`); brings `make apply` online |
+| **M1.2** | VM provisioning (Terraform/OpenStack in a separate repo); brings `make apply` online |
 | **M1.3** | Backup cron services + `scripts/restore-drill.sh` |
 | **M2.1** | `vm-edge/keycloak.toml` + `pg-keycloak.toml` |
 | **M3.1** | `vm-edge/infisical.toml` + `pg-infisical.toml` + `redis-infisical.toml` |
diff --git a/scripts/validate.sh b/scripts/validate.sh
index e3e4de4..7f06eae 100755
--- a/scripts/validate.sh
+++ b/scripts/validate.sh
@@ -49,13 +49,6 @@ for p in sorted(root.glob('overlays/*/overlay.toml')):
 tomllib.load(open(p, 'rb'))
 except Exception as e:
 errs.append(f'{p}: TOML parse: {e}')
-# Validate VMs parse too
-for p in sorted(root.glob('vms/*.toml')):
- count += 1
- try:
- tomllib.load(open(p, 'rb'))
- except Exception as e:
- errs.append(f'{p}: TOML parse: {e}')
 print(f'checked {count} files')
 for e in errs:
 print(' ', e)
diff --git a/vms/README.md b/vms/README.md
deleted file mode 100644
index f155bc2..0000000
--- a/vms/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# VM specs
-
-Source of truth for the four billable VMs in `INFRASTRUCTURE.md §1`. These
-files are consumed by the M1.2 provisioning step (Terraform/OpenStack against
-SysEleven DUS2). Orca itself ignores this directory — it deals with services,
-not infrastructure.
diff --git a/vms/stage.toml b/vms/stage.toml
deleted file mode 100644
index 301261b..0000000
--- a/vms/stage.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-# stage — single-VM stage environment. App plane only, ephemeral DBs.
-# Calls OUT to prod Keycloak + prod Stalwart per §2 isolation rules.
-
-[vm]
-name = "stage"
-env = "stage"
-flavor = "m2.small" # 2 vCPU, 8 GB RAM
-public_ip = true # tester access without VPN
-region = "DUS2"
-private_network = "platform-stage"
-private_ip_cidr = "10.1.1.0/24"
-
-[vm.disk]
-block_volume_gb = 50 # pg-stage + mongo-stage + qdrant-stage; reset per release
-
-[vm.firewall]
-ingress_public = [
- { proto = "tcp", ports = [80, 443], source = "0.0.0.0/0", purpose = "stage portal" },
-]
-ingress_private = [] # stage does not accept private traffic from prod
diff --git a/vms/vm-control.toml b/vms/vm-control.toml
deleted file mode 100644
index 137eccb..0000000
--- a/vms/vm-control.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-# vm-control — Control plane (portal, tenant-registry, ERPNext, Stalwart).
-# See INFRASTRUCTURE.md §1, §2, §6.
-
-[vm]
-name = "vm-control"
-env = "prod"
-flavor = "m2.medium" # 4 vCPU, 16 GB RAM
-public_ip = false # only reachable via vm-edge orca-proxy
-region = "DUS2"
-private_network = "platform-prod"
-private_ip_cidr = "10.0.2.0/24"
-
-[vm.disk]
-block_volume_gb = 250 # MariaDB (ERPNext) + Stalwart mail spool, medium growth
-
-[vm.firewall]
-ingress_public = [] # no public ingress
-ingress_private = [
- { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
-]
diff --git a/vms/vm-data.toml b/vms/vm-data.toml
deleted file mode 100644
index e5f7436..0000000
--- a/vms/vm-data.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-# vm-data — Data plane (CERTifAI, compliance, pg-app, MongoDB, MinIO).
-# Scale driver — bump flavor at Tier B/C per §13.
-
-[vm]
-name = "vm-data"
-env = "prod"
-flavor = "m2.medium" # 4 vCPU, 16 GB RAM (Tier B bump: m2.large)
-public_ip = false
-region = "DUS2"
-private_network = "platform-prod"
-private_ip_cidr = "10.0.3.0/24"
-
-[vm.disk]
-block_volume_gb = 500 # MongoDB + pg-app + Qdrant + MinIO, fast growth (scales with N customers)
-
-[vm.firewall]
-ingress_public = []
-ingress_private = [
- { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
-]
diff --git a/vms/vm-edge.toml b/vms/vm-edge.toml
deleted file mode 100644
index 335a235..0000000
--- a/vms/vm-edge.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-# vm-edge — Identity + Infra plane, public IP, root auth dependency.
-# See INFRASTRUCTURE.md §1, §2.
-
-[vm]
-name = "vm-edge"
-env = "prod"
-flavor = "m2.small" # 2 vCPU, 8 GB RAM
-public_ip = true
-region = "DUS2"
-private_network = "platform-prod"
-private_ip_cidr = "10.0.1.0/24"
-
-[vm.disk]
-block_volume_gb = 50 # pg-keycloak + pg-infisical + Gitea repos (slow growth)
-
-[vm.firewall]
-# vm-edge is the only host accepting public traffic. Everything else is
-# behind the private network.
-ingress_public = [
- { proto = "tcp", ports = [80, 443], source = "0.0.0.0/0", purpose = "orca-proxy HTTP/HTTPS" },
- { proto = "tcp", ports = [53], source = "0.0.0.0/0", purpose = "PowerDNS (TCP)" },
- { proto = "udp", ports = [53], source = "0.0.0.0/0", purpose = "PowerDNS (UDP)" },
-]
-ingress_private = [
- { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
-]