generated from coulomb/repo-seed
tegwick
0a72ee91ea
Some checks failed
Test / test (push) Has been cancelled
Helm chart at deploy/helm/inter-hub/ with Deployment, Service, Ingress (Traefik + letsencrypt-prod), and migration init container. Runbook at deploy/railiance/RUNBOOK.md with build, push, rotate, rollback procedures. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
3.7 KiB
3.7 KiB
inter-hub on Railiance01 — Runbook
Architecture
- Cluster: Railiance01 (K3s, 92.205.62.239)
- Namespace:
inter-hub - Image registry:
92.205.130.254:32166/coulomb/inter-hub:<sha>(Gitea on CoulombCore) - Database: CloudNativePG cluster
net-kingdom-pgindatabasesnamespace- RW endpoint:
net-kingdom-pg-rw.databases.svc.cluster.local:5432 - Database:
interhub, User:interhub
- RW endpoint:
- Ingress: Traefik →
hub.coulomb.social(TLS via letsencrypt-prod) - Secrets:
inter-hub-envSecret ininter-hubnamespace
Deployment
# From workstation (image already built and pushed):
helm upgrade --install inter-hub deploy/helm/inter-hub \
--namespace inter-hub --create-namespace \
--set image.tag=<sha>
Image Build (on haskelseed)
ssh root@192.168.178.135
cd /root/inter-hub
git pull # (requires Gitea auth — see Gitea credentials section)
nix build .#docker --accept-flake-config --option lazy-trees false
# Push to Gitea registry:
skopeo copy docker-archive:result \
docker://92.205.130.254:32166/coulomb/inter-hub:<sha> \
--dest-creds "tegwick:<GITEA_TOKEN>" \
--dest-tls-verify=false
Gitea Registry Credentials
The Gitea token for registry push is stored in ~/.config/tea/config.yml on the
workstation. If the token has expired, generate a new one:
- Go to http://92.205.130.254:32166 → Settings → Applications → Generate new token
- Scope:
package:write - Update
~/.config/tea/config.ymlon the workstation - Update the
GITEA_TOKENin any CI/CD secrets
Database Migration
IHP migrations run automatically on startup via the init container in the Deployment. To run migrations manually:
kubectl exec -n inter-hub deploy/inter-hub -- /bin/App migrate
To check migration status:
kubectl exec -n databases net-kingdom-pg-1 -- psql -U postgres interhub -c "\dt"
Logs
kubectl logs -n inter-hub -l app=inter-hub --tail=100 -f
# Previous pod logs:
kubectl logs -n inter-hub -l app=inter-hub --previous --tail=50
Restart / Rollback
# Restart:
kubectl rollout restart deployment/inter-hub -n inter-hub
kubectl rollout status deployment/inter-hub -n inter-hub
# Rollback to previous image:
kubectl rollout undo deployment/inter-hub -n inter-hub
# Rollback to specific version:
helm rollback inter-hub 1 --namespace inter-hub
Secret Rotation
To rotate the session secret:
kubectl create secret generic inter-hub-env \
--namespace inter-hub \
--from-literal=DATABASE_URL='...' \
--from-literal=IHP_SESSION_SECRET='<new-64-char-hex>' \
--from-literal=IHP_BASEURL='https://hub.coulomb.social' \
--from-literal=PORT='8000' \
--from-literal=IHP_ENV='Production' \
--dry-run=client -o yaml | kubectl apply -f -
kubectl rollout restart deployment/inter-hub -n inter-hub
To rotate the database password:
- Update the password in PostgreSQL (via kubectl exec to the CNPG pod)
- Update the
inter-hub-envsecret - Restart the deployment
Smoke Test
curl -s https://hub.coulomb.social/ | grep "Inter-Hub" # Landing 200
curl -s https://hub.coulomb.social/capabilities | grep "Capabilities"
curl -s https://hub.coulomb.social/api/v2/hubs # 401 expected
curl -H "Authorization: Bearer <api-key>" https://hub.coulomb.social/api/v2/hubs # 200
Database Connection Check
kubectl exec -n inter-hub deploy/inter-hub -- \
/bin/sh -c 'psql $DATABASE_URL -c "SELECT version();"'
haskelseed Build VM
- Host: 192.168.178.135
- Access:
ssh root@192.168.178.135(password in team secrets) - Repo:
/root/inter-hub(git initialized locally; pull requires Gitea token) - Build logs:
/tmp/nix-build-docker.log - Nix store:
/dev/sdb1(100 GB, mounted at/nix)