feat(s2): add Gitea SSH NodePort service + close WP-0004 (backup tool, scope updates)

- helm/gitea-ssh-nodeport.yaml: expose Gitea SSH on NodePort 30022 (targetPort 2222) for on-node git automation (RAIL-HO-WP-0004-T07) - tools/cmd/railiance-backup-s2: fix SQLite hot backup (was broken etcd-snapshot) - tools/cmd/railiance-restore-s2: update restore instructions for SQLite mode - workplans/RAIL-BS-WP-0004-safety-net.md: mark done - SCOPE.md: update current state, document boundary violations, fix connectivity docs Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-27 01:01:32 +01:00
parent 943d0f3e80
commit 9fc5a033d5
3 changed files with 46 additions and 16 deletions
--- a/SCOPE.md
+++ b/SCOPE.md
@@ -59,10 +59,11 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo

 ## Current State

- Status: active / mostly complete
- Implementation: k3s baseline complete (RAIL-BS-WP-0002); active bug fixes (RAIL-BS-WP-0003 pgpool HA failover); safety net tooling in progress (RAIL-BS-WP-0004)
- Stability: high for k3s baseline; active improvements ongoing
- Usage: core Kubernetes runtime for all Railiance deployments; runs on HostEurope server
+- Status: active / stable
+- Implementation: k3s baseline complete (RAIL-BS-WP-0002 done); pgpool HA failover fix complete (RAIL-BS-WP-0003 done); integrated backup complete (RAIL-BS-WP-0004 done — age-encrypted local backup, daily cron under root)
+- Stability: high — no active open workplans
+- Usage: core Kubernetes runtime for all Railiance deployments; runs on COULOMBCORE (92.205.130.254)
+- Also deployed at cluster level: cert-manager, ArgoCD, CloudNative PG operator (cnpg), nginx ingress, SSO stack (mfa + sso namespaces via net-kingdom)

 ---

@@ -108,12 +109,19 @@ keywords: [kubernetes, k3s, cluster, helm, ingress, cni, k8s, provisioning]
 ```capability
 type: infrastructure
 title: Cluster operators and addon management
-description: Deploy and manage cluster-wide operators and addons (cert-manager, admission controllers) on the running Railiance Kubernetes cluster.
-keywords: [operator, addon, cert-manager, admission, kubernetes, cluster]
+description: Deploy and manage cluster-wide operators and addons (cert-manager, CloudNative PG operator, ArgoCD, nginx ingress) on the running Railiance Kubernetes cluster.
+keywords: [operator, addon, cert-manager, cnpg, argocd, admission, kubernetes, cluster]
+```
+
+```capability
+type: operations
+title: Kubernetes runtime backup (age-encrypted)
+description: Daily encrypted backup of k3s cluster state (SQLite hot copy), Helm release values, and kubeconfig to /opt/backup/railiance/cluster/ using age encryption. Run via sudo make backup.
+keywords: [backup, restore, age, encryption, k3s, state, helm, kubeconfig, disaster-recovery]
 ```

 ---

 ## Notes

-Designed for remote execution from HostEurope (92.205.130.254). Requires SSH reverse tunnel: `ssh -R 8000:127.0.0.1:8000 <user>@remote`.
+Runs on COULOMBCORE (92.205.130.254). State Hub access via ops-bridge reverse tunnel — `bridge up state-hub-coulombcore` from the workstation (see ADR-004). Gitea is currently deployed here as a Helm release (boundary violation: architecturally belongs to S5 — migration pending).
--- a/helm/gitea-ssh-nodeport.yaml
+++ b/helm/gitea-ssh-nodeport.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-ssh-nodeport
+  namespace: default
+  labels:
+    app.kubernetes.io/name: gitea
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    note: "Exposes Gitea SSH for on-node git automation. Not managed by Helm chart. See RAIL-HO-WP-0004-T07."
+spec:
+  type: NodePort
+  selector:
+    app.kubernetes.io/instance: gitea
+    app.kubernetes.io/name: gitea
+  ports:
+    - name: ssh
+      port: 22
+      targetPort: 2222
+      nodePort: 30022
+      protocol: TCP
--- a/workplans/RAIL-BS-WP-0004-safety-net.md
+++ b/workplans/RAIL-BS-WP-0004-safety-net.md
@@ -4,12 +4,12 @@ type: workplan
 title: "Integrated Backup — S2 Kubernetes Runtime Layer"
 domain: railiance
 repo: railiance-cluster
-status: active
+status: done
 owner: tegwick
 topic_slug: railiance
 state_hub_workstream_id: "7e8b0c20-51eb-40c9-9e3b-85dd380d7625"
 created: "2026-02-25"
-updated: "2026-03-10"
+updated: "2026-03-26"
 ---

 # Integrated Backup — S2 Kubernetes Runtime Layer
@@ -84,7 +84,7 @@ No special protocol needed — just the standard interface.

 ```task
 id: T01
-status: todo
+status: done
 priority: high
 state_hub_task_id: "4526a842-ea31-4874-9231-92ab556cfe7b"
 ```
@@ -107,11 +107,11 @@ appear in `/opt/backup/railiance/cluster/`.

 ---

-### T02 — Back up k3s etcd snapshots
+### T02 — Back up k3s state (SQLite hot backup)

 ```task
 id: T02
-status: todo
+status: done
 priority: high
 state_hub_task_id: "a6313e06-1976-46a7-8e31-df4eb2eca880"
 ```
@@ -142,7 +142,7 @@ copy to `/opt/backup/railiance/cluster/`.

 ```task
 id: T03
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "05d42a55-921f-4aa7-bb76-e8af9c7e0ac3"
 ```
@@ -172,7 +172,7 @@ Tar and age-encrypt into `helm-values-<ts>.tar.gz.age`.

 ```task
 id: T04
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "08233868-d522-4117-bc4e-6c0f52545665"
 ```
@@ -188,7 +188,7 @@ into `kubeconfig-<ts>.yaml.age` in the backup directory.

 ```task
 id: T05
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "2d5acff7-4a4e-4ddd-ad06-08237ad3dac8"
 ```
@@ -210,7 +210,7 @@ sudo k3s server --cluster-reset \

 ```task
 id: T06
-status: todo
+status: done
 priority: medium
 state_hub_task_id: "f8e4a094-c367-40eb-b895-da17bc144b07"
 ```