diff --git a/docs/reuse-surface-on-railiance01.md b/docs/reuse-surface-on-railiance01.md index a50e937..0e07c56 100644 --- a/docs/reuse-surface-on-railiance01.md +++ b/docs/reuse-surface-on-railiance01.md 
@@ -5,26 +5,31 @@ Federation service deployment for **`https://reuse.coulomb.social`**. Companion workplans: **RAILIANCE-WP-0007** (Helm release), **REUSE-WP-0011** (service + CLI). -## DNS and TLS +## Hosts and DNS -| Record | Target | Notes | +| Server | IP | Role | |---|---|---| -| `reuse.coulomb.social` A | **`92.205.130.254`** | Cluster Traefik ingress (same as `hub.coulomb.social`) | +| **Railiance01** | **`92.205.62.239`** | Production k3s — **deploy here** | +| CoulombCore | `92.205.130.254` | Bootstrap / prerelease only | -Let's Encrypt HTTP-01 requires traffic to reach this cluster. An earlier A record -to `92.205.62.239` does not satisfy the challenge until DNS propagates to the -ingress IP. +| Record | Production target | Current public DNS (2026-06-15) | +|---|---|---| +| `reuse.coulomb.social` A | **`92.205.62.239`** | `217.160.0.212` (must be updated at registrar) | +| `hub.coulomb.social` A | `92.205.62.239` (future) | `92.205.130.254` (CoulombCore bootstrap OK for now) | + +Let's Encrypt HTTP-01 on Railiance01 requires the public A record to reach +**`92.205.62.239`**. Service is live on the production cluster; TLS waits on DNS. ```bash dig +short reuse.coulomb.social A -kubectl get certificate -n reuse +KUBECONFIG=~/.kube/config-hosteurope kubectl get certificate -n reuse ``` -Until `certificate/reuse-surface-tls` is Ready, smoke checks from a workstation: +Until DNS propagates and `certificate/reuse-surface-tls` is Ready: ```bash -curl -k --resolve reuse.coulomb.social:443:92.205.130.254 https://reuse.coulomb.social/health -kubectl port-forward -n reuse svc/reuse-surface 18001:8000 +curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/health +KUBECONFIG=~/.kube/config-hosteurope kubectl port-forward -n reuse svc/reuse-surface 18001:8000 export REUSE_SURFACE_URL=http://127.0.0.1:18001 ``` 
@@ -50,19 +55,23 @@ kubectl create secret generic reuse-surface-env \ --from-literal=REUSE_SURFACE_TOKEN='' \ --dry-run=client -o yaml | kubectl apply -f - -make reuse-dry-run -make reuse-deploy -make reuse-status +# Production (Railiance01) +KUBECONFIG=~/.kube/config-hosteurope make reuse-deploy +KUBECONFIG=~/.kube/config-hosteurope make reuse-status + +# Restore kubeconfig from the node if missing: +# ssh tegwick@92.205.62.239 'sudo cat /etc/rancher/k3s/k3s.yaml' \ +# | sed 's|127.0.0.1|92.205.62.239|' > ~/.kube/config-hosteurope ``` ## Smoke checks ```bash -curl -k --resolve reuse.coulomb.social:443:92.205.130.254 https://reuse.coulomb.social/health +curl -k --resolve reuse.coulomb.social:443:92.205.62.239 https://reuse.coulomb.social/health -export REUSE_SURFACE_TOKEN=$(kubectl get secret reuse-surface-env -n reuse \ +export REUSE_SURFACE_TOKEN=$(KUBECONFIG=~/.kube/config-hosteurope kubectl get secret reuse-surface-env -n reuse \ -o jsonpath='{.data.REUSE_SURFACE_TOKEN}' | base64 -d) -export REUSE_SURFACE_URL=https://reuse.coulomb.social # after TLS Ready +export REUSE_SURFACE_URL=https://reuse.coulomb.social # after DNS + TLS Ready reuse-surface hub status reuse-surface hub list curl -fsS "$REUSE_SURFACE_URL/v1/federated" | jq '.capabilities | length'
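Review bot: In the first hunk ("Hosts and DNS"), the new `Current public DNS (2026-06-15)` column hard-codes a transient value (`217.160.0.212`) that becomes wrong as soon as the registrar record is updated. Suggest moving that snapshot into a dated note below the table, leaving only the production target in the table and pointing readers at the `dig +short reuse.coulomb.social A` check that follows it. In the same hunk, the updated `curl -k --resolve reuse.coulomb.social:443:92.205.62.239` line still skips certificate verification, so it confirms reachability of the ingress but not the identity of the endpoint. It would help to state beside the command that `-k` is only for the window before `certificate/reuse-surface-tls` is Ready and should be dropped afterwards.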
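Review bot: In the second hunk (deploy commands), the commented restore recipe redirects `/etc/rancher/k3s/k3s.yaml`, the k3s admin kubeconfig, into `~/.kube/config-hosteurope` with whatever the caller's umask allows, so the cluster-admin credential can end up group- or world-readable on the workstation. Suggest prefixing the recipe with `umask 077` or following it with `chmod 600 ~/.kube/config-hosteurope`. The `sed 's|127.0.0.1|92.205.62.239|'` pattern also leaves the dots unescaped and rewrites only the first match per line; escaping them and matching the full `server:` URL would make the substitution exact. Separately, `make reuse-dry-run` is removed and the production sequence now goes straight to `make reuse-deploy`; if that is intentional, a short line saying why would help, otherwise keep the dry-run step with the same `KUBECONFIG=~/.kube/config-hosteurope` prefix.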