From 3d7b67060e8f2e1c1c73a90f1d8bcf5413b2e14b Mon Sep 17 00:00:00 2001
From: Sharang Parnerkar
Date: Mon, 18 May 2026 22:13:32 +0200
Subject: [PATCH] =?UTF-8?q?fix(iac):=20drop=20vms/=20=E2=80=94=20Orca=20do?=
 =?UTF-8?q?es=20not=20provision=20VMs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Re-read the Orca spec: 'orca nodes' lists already-joined hosts and 'orca join' attaches an existing node to a cluster, but Orca does not provision the VMs themselves. VM provisioning (SysEleven OpenStack via Terraform) is a separate concern and will land in a dedicated repo under the M1.2 milestone, not in orca-platform.

Removes vms/{vm-edge,vm-control,vm-data,stage}.toml + vms/README.md. Updates README directory tree and milestone fill-in table to reflect that M1.2's VM specs live elsewhere. validate.sh stops checking vms/.

Refs: M1.1
---
 CHANGELOG.md | 2 +-
 README.md | 7 +------
 scripts/validate.sh | 7 -------
 vms/README.md | 6 ------
 vms/stage.toml | 20 --------------------
 vms/vm-control.toml | 20 --------------------
 vms/vm-data.toml | 20 --------------------
 vms/vm-edge.toml | 26 --------------------------
 8 files changed, 2 insertions(+), 106 deletions(-)
 delete mode 100644 vms/README.md
 delete mode 100644 vms/stage.toml
 delete mode 100644 vms/vm-control.toml
 delete mode 100644 vms/vm-data.toml
 delete mode 100644 vms/vm-edge.toml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 03e2b30..1db7ac2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,7 @@ Generated section is appended on release tag via `git-cliff` (see `.gitea/workfl
 ## [Unreleased]
 ### Added
-- feat(iac): scaffold orca-platform — manifests/, overlays/, vms/, dns/, scripts/, Makefile (M1.1)
+- feat(iac): scaffold orca-platform — manifests/, overlays/, dns/, scripts/, Makefile (M1.1)
 -
 ### Changed
diff --git a/README.md b/README.md
index 5a8f380..2387f84 100644
--- a/README.md
+++ b/README.md
@@ -29,11 +29,6 @@ The single source of truth for which container runs on which VM in which environ
 │ ├── dev/overlay.toml no-op; dev runs docker-compose per-service
 │ ├── stage/overlay.toml include manifests/stage/, image_tag=env-stage
 │ └── prod/overlay.toml include vm-{edge,control,data}, image_tag=env-prod
-├── vms/ # OpenStack VM specs (consumed by M1.2 provisioner)
-│ ├── vm-edge.toml m2.small, public IP, identity+infra
-│ ├── vm-control.toml m2.medium, private, control plane
-│ ├── vm-data.toml m2.medium, private, data plane (scale driver)
-│ └── stage.toml m2.small, public IP, ephemeral
 ├── dns/
 │ └── breakpilot.com.zone.template PowerDNS zone — body lands in M0.3
 ├── cluster.toml.tmpl # Cluster-level config (acme_email, backup, ai); rendered per env
@@ -63,7 +58,7 @@ Each stub manifest in `manifests/` carries a header comment naming the milestone
 | Milestone | What it fills in |
 |---|---|
 | **M0.3** | `vm-edge/powerdns-auth.toml`, DNS zone body, orca-proxy routes |
-| **M1.2** | VM provisioning (consumes `vms/*.toml`); brings `make apply` online |
+| **M1.2** | VM provisioning (Terraform/OpenStack in a separate repo); brings `make apply` online |
 | **M1.3** | Backup cron services + `scripts/restore-drill.sh` |
 | **M2.1** | `vm-edge/keycloak.toml` + `pg-keycloak.toml` |
 | **M3.1** | `vm-edge/infisical.toml` + `pg-infisical.toml` + `redis-infisical.toml` |
diff --git a/scripts/validate.sh b/scripts/validate.sh
index e3e4de4..7f06eae 100755
--- a/scripts/validate.sh
+++ b/scripts/validate.sh
@@ -49,13 +49,6 @@ for p in sorted(root.glob('overlays/*/overlay.toml')):
 tomllib.load(open(p, 'rb'))
 except Exception as e:
 errs.append(f'{p}: TOML parse: {e}')
-# Validate VMs parse too
-for p in sorted(root.glob('vms/*.toml')):
- count += 1
- try:
- tomllib.load(open(p, 'rb'))
- except Exception as e:
- errs.append(f'{p}: TOML parse: {e}')
 print(f'checked {count} files')
 for e in errs:
 print(' ', e)
diff --git a/vms/README.md b/vms/README.md
deleted file mode 100644
index f155bc2..0000000
--- a/vms/README.md
+++ /dev/null
@@ -1,6 +0,0 @@
-# VM specs
-
-Source of truth for the four billable VMs in `INFRASTRUCTURE.md §1`. These
-files are consumed by the M1.2 provisioning step (Terraform/OpenStack against
-SysEleven DUS2). Orca itself ignores this directory — it deals with services,
-not infrastructure.
diff --git a/vms/stage.toml b/vms/stage.toml
deleted file mode 100644
index 301261b..0000000
--- a/vms/stage.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-# stage — single-VM stage environment. App plane only, ephemeral DBs.
-# Calls OUT to prod Keycloak + prod Stalwart per §2 isolation rules.
-
-[vm]
-name = "stage"
-env = "stage"
-flavor = "m2.small" # 2 vCPU, 8 GB RAM
-public_ip = true # tester access without VPN
-region = "DUS2"
-private_network = "platform-stage"
-private_ip_cidr = "10.1.1.0/24"
-
-[vm.disk]
-block_volume_gb = 50 # pg-stage + mongo-stage + qdrant-stage; reset per release
-
-[vm.firewall]
-ingress_public = [
- { proto = "tcp", ports = [80, 443], source = "0.0.0.0/0", purpose = "stage portal" },
-]
-ingress_private = [] # stage does not accept private traffic from prod
diff --git a/vms/vm-control.toml b/vms/vm-control.toml
deleted file mode 100644
index 137eccb..0000000
--- a/vms/vm-control.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-# vm-control — Control plane (portal, tenant-registry, ERPNext, Stalwart).
-# See INFRASTRUCTURE.md §1, §2, §6.
-
-[vm]
-name = "vm-control"
-env = "prod"
-flavor = "m2.medium" # 4 vCPU, 16 GB RAM
-public_ip = false # only reachable via vm-edge orca-proxy
-region = "DUS2"
-private_network = "platform-prod"
-private_ip_cidr = "10.0.2.0/24"
-
-[vm.disk]
-block_volume_gb = 250 # MariaDB (ERPNext) + Stalwart mail spool, medium growth
-
-[vm.firewall]
-ingress_public = [] # no public ingress
-ingress_private = [
- { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
-]
diff --git a/vms/vm-data.toml b/vms/vm-data.toml
deleted file mode 100644
index e5f7436..0000000
--- a/vms/vm-data.toml
+++ /dev/null
@@ -1,20 +0,0 @@
-# vm-data — Data plane (CERTifAI, compliance, pg-app, MongoDB, MinIO).
-# Scale driver — bump flavor at Tier B/C per §13.
-
-[vm]
-name = "vm-data"
-env = "prod"
-flavor = "m2.medium" # 4 vCPU, 16 GB RAM (Tier B bump: m2.large)
-public_ip = false
-region = "DUS2"
-private_network = "platform-prod"
-private_ip_cidr = "10.0.3.0/24"
-
-[vm.disk]
-block_volume_gb = 500 # MongoDB + pg-app + Qdrant + MinIO, fast growth (scales with N customers)
-
-[vm.firewall]
-ingress_public = []
-ingress_private = [
- { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
-]
diff --git a/vms/vm-edge.toml b/vms/vm-edge.toml
deleted file mode 100644
index 335a235..0000000
--- a/vms/vm-edge.toml
+++ /dev/null
@@ -1,26 +0,0 @@
-# vm-edge — Identity + Infra plane, public IP, root auth dependency.
-# See INFRASTRUCTURE.md §1, §2.
-
-[vm]
-name = "vm-edge"
-env = "prod"
-flavor = "m2.small" # 2 vCPU, 8 GB RAM
-public_ip = true
-region = "DUS2"
-private_network = "platform-prod"
-private_ip_cidr = "10.0.1.0/24"
-
-[vm.disk]
-block_volume_gb = 50 # pg-keycloak + pg-infisical + Gitea repos (slow growth)
-
-[vm.firewall]
-# vm-edge is the only host accepting public traffic. Everything else is
-# behind the private network.
-ingress_public = [
- { proto = "tcp", ports = [80, 443], source = "0.0.0.0/0", purpose = "orca-proxy HTTP/HTTPS" },
- { proto = "tcp", ports = [53], source = "0.0.0.0/0", purpose = "PowerDNS (TCP)" },
- { proto = "udp", ports = [53], source = "0.0.0.0/0", purpose = "PowerDNS (UDP)" },
-]
-ingress_private = [
- { proto = "tcp", ports = "all", source = "10.0.0.0/16", purpose = "intra-platform" },
-]