--- id: RAILIANCE-WP-0007 type: workplan title: "Deploy reuse-surface federation service on railiance01" domain: railiance repo: railiance-apps status: finished owner: codex topic_slug: railiance created: "2026-06-15" updated: "2026-06-15" state_hub_workstream_id: "7da18dd8-76b9-4a70-b9d7-de541afc65c0" --- # Deploy reuse-surface federation service on railiance01 Companion to **`reuse-surface` REUSE-WP-0011**. Own the S5 Helm release, ingress, and operator targets for the federation service on production cluster node `railiance01` (`92.205.130.254`). ## Goal Expose the helix_forge federation API at **`https://reuse.coulomb.social`** so repos can register capability index URLs via `reuse-surface hub` without per-machine `sources.yaml` maintenance. Gitea repo: `coulomb/reuse-surface` OCI image: `gitea.coulomb.social/coulomb/reuse-surface:` ## DNS evidence `reuse.coulomb.social` A → **`92.205.62.239`** (operator confirmed 2026-06-15). Ingress host configured in `charts/reuse-surface/values.yaml`. ## Upstream dependency | Upstream | Workplan | Required artifact | |---|---|---| | Service + image | `reuse-surface` REUSE-WP-0011 | Image `gitea.coulomb.social/coulomb/reuse-surface:`, `reuse-surface serve`, `/health` | Do not deploy until REUSE-WP-0011-T04 publishes a buildable image. ## Placement Follow the `inter-hub` pattern: - `charts/reuse-surface/` — Helm chart (Deployment, Service, Ingress, PVC) - `helm/reuse-surface-values.yaml` — non-secret overrides (image tag) - Secret `reuse-surface-env` with `REUSE_SURFACE_TOKEN` - `Makefile` targets: `reuse-dry-run`, `reuse-deploy`, `reuse-status`, `reuse-logs` - Namespace: `reuse` ## Safety contract - Do not commit decrypted SOPS values or `REUSE_SURFACE_TOKEN`. - Pin image tags in `helm/reuse-surface-values.yaml`. - PVC at `/data` for SQLite (`reuse.db`) and fetch cache. --- ## Scaffold Helm Chart For reuse-surface ```task id: RAILIANCE-WP-0007-T01 status: done priority: high state_hub_task_id: "d296f037-67a3-4b49-a773-6ebc2b252f3d" ``` Create `charts/reuse-surface/` with Deployment (`reuse-surface serve`), Service, PVC, Ingress, probes on `/health`. ## Add Values, Secret Template, And Makefile Targets ```task id: RAILIANCE-WP-0007-T02 status: done priority: high state_hub_task_id: "5050e2fb-b60c-4519-9168-81a6073fb4a2" ``` Add `helm/reuse-surface-values.yaml`, document Secret `reuse-surface-env`, and Makefile `reuse-*` targets. ## Configure Ingress For reuse.coulomb.social ```task id: RAILIANCE-WP-0007-T03 status: done priority: medium state_hub_task_id: "80dc308a-02e8-453c-a20a-d6f634b7ce12" ``` Ingress enabled in chart values: - `ingress.host: reuse.coulomb.social` - `cert-manager.io/cluster-issuer: letsencrypt-prod` - Traefik annotations matching `inter-hub` DNS A record live: `reuse.coulomb.social → 92.205.62.239`. ## Deploy Release To railiance01 ```task id: RAILIANCE-WP-0007-T04 status: done priority: medium state_hub_task_id: "14049fd1-3319-4a76-8b48-c4228a7939f7" ``` Helm revision 3 (image `cb7a6e4`). Pod Running; `/health` and `/v1/federated` verified. TLS pending DNS A → `92.205.130.254`. ## Post-Deploy Verification And Runbook ```task id: RAILIANCE-WP-0007-T05 status: done priority: low state_hub_task_id: "30b08789-4eb7-4182-87d1-8e464fc968d1" ``` Runbook `docs/reuse-surface-on-railiance01.md` updated with deploy evidence, token retrieval, and TLS/DNS operator note. Smoke checks pass via ingress resolve; public TLS awaits DNS A → `92.205.130.254`.