coulomb/railiance-forge
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move Gitea deploy surface into forge

Browse Source
This commit is contained in:
Bernd Worsch
2026-06-05 13:19:10 +02:00
parent 8b9f3b341d
commit 9ce24968cd
13 changed files with 219 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
Makefile
View File

@@ -3,9 +3,14 @@ SHELL := /usr/bin/env bash
GITEA_RELEASE ?= gitea
GITEA_NAMESPACE ?= default
GITEA_CHART ?= gitea-charts/gitea
GITEA_VALUES ?= helm/gitea-values.sops.yaml
GITEA_REGISTRY_VALUES ?= helm/gitea-registry-values.yaml
GITEA_INGRESS ?= manifests/gitea-ingress.yaml
GITEA_DB_CLUSTER ?= gitea-db
GITEA_DB_NAMESPACE ?= databases
REGISTRY_DOCS ?= docs/gitea-container-registry.md docs/gitea-package-registry.md
SOPS_SENTINEL ?= $(GITEA_VALUES)
##@ Operator checks
@@ -26,6 +31,9 @@ check-tools: ## Check local tools used by forge operator targets
fi; \
exit $$missing
check-sops: ## Verify the configured SOPS sentinel can decrypt
sops -d $(SOPS_SENTINEL) >/dev/null
registry-docs: ## Print canonical registry docs
@for doc in $(REGISTRY_DOCS); do \
printf '\n## %s\n\n' "$$doc"; \
@@ -34,6 +42,15 @@ registry-docs: ## Print canonical registry docs
##@ Current Gitea
gitea-deploy: ## Deploy / upgrade current Gitea forge runtime
helm upgrade --install $(GITEA_RELEASE) $(GITEA_CHART) \
-f <(sops -d $(GITEA_VALUES)) \
-f $(GITEA_REGISTRY_VALUES) \
--namespace $(GITEA_NAMESPACE) --create-namespace
gitea-ingress-deploy: ## Apply the Gitea OCI registry ingress
kubectl apply -f $(GITEA_INGRESS)
gitea-status: ## Read-only status for current Gitea runtime and database
kubectl get pods -n $(GITEA_NAMESPACE) -l app.kubernetes.io/instance=$(GITEA_RELEASE)
kubectl get svc -n $(GITEA_NAMESPACE) $(GITEA_RELEASE) --ignore-not-found
@@ -53,4 +70,4 @@ help: ## Show this help
/^[a-zA-Z0-9_-]+:.*?##/ { printf " \033[36m%-20s\033[0m %s\n", $$1, $$2 } \
/^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) }' $(MAKEFILE_LIST)
.PHONY: check-tools registry-docs gitea-status help
.PHONY: check-tools check-sops registry-docs gitea-deploy gitea-ingress-deploy gitea-status help

8
README.md
View File

@@ -14,10 +14,9 @@ Start with:
4. `docs/`
5. `workplans/`
Current implementation status: early extraction. Canonical registry operation
docs and read-only status targets live here now. Deploy-capable Gitea Helm,
SOPS, and manifest files remain in `railiance-apps` until the explicit
migration review in `RAILIANCE-WP-0006-T03`.
Current implementation status: active forge extraction. Canonical registry
operation docs, deploy-capable Gitea files, and operator targets live here now.
No live Helm deploy or Kubernetes apply was run as part of the move.
Useful entry points:
@@ -25,4 +24,5 @@ Useful entry points:
make registry-docs
make check-tools
make gitea-status
make gitea-deploy
```

24
SCOPE.md
View File

@@ -30,8 +30,8 @@ The practical contract is:
4. `railiance-apps` consumes forge artifacts and deploys user-facing workloads.
Canonical registry operation docs and read-only forge checks now live here.
Deploy-capable Gitea Helm/SOPS/manifests remain in `railiance-apps` until the
explicit migration gate for live-affecting files is reviewed.
Deploy-capable Gitea Helm/SOPS/manifests also live here now; `railiance-apps`
keeps only transitional compatibility wrappers for old operator entry points.
---
@@ -105,20 +105,20 @@ explicit migration gate for live-affecting files is reviewed.
## Current State
- Status: early extraction.
- Status: active forge extraction.
- Implementation: repository contract, registry docs, initial operating
contracts, and read-only operator targets are present.
- Stability: emerging but non-disruptive; no deploy-capable Gitea state has
moved yet.
contracts, deploy-capable Gitea files, and operator targets are present.
- Stability: emerging but non-disruptive; files moved without any Helm deploy,
SOPS decryption, or Kubernetes apply.
- Usage: canonical reference point for forge and registry responsibilities
currently transitioning out of `railiance-apps`.
Known starting point:
- `railiance-apps` currently owns Gitea Helm values, registry overlays, ingress,
and deploy-capable Gitea Makefile targets.
- `railiance-forge` owns registry operation docs, operating contracts, and
read-only status entry points.
- `railiance-forge` owns Gitea Helm values, registry overlays, ingress,
operating contracts, and deploy/status entry points.
- `railiance-apps` keeps app release ownership and transitional compatibility
wrappers for old Gitea commands.
- `railiance-enablement` owns the intent for delivery templates and developer
paved paths, but not forge runtime operation.
- `railiance-forge` should absorb forge runtime and artifact infrastructure
@@ -154,8 +154,8 @@ Known starting point:
## Related / Overlapping
- `railiance-apps` - currently hosts Gitea deployment files and registry docs;
should become a consumer after extraction.
- `railiance-apps` - consumes forge artifacts in S5 app releases and keeps
transitional pointers/wrappers for old Gitea paths.
- `railiance-enablement` - owns reusable CI/CD templates, SDKs, buildpacks, and
developer portal paths.
- `railiance-platform` - provides database, storage, backup, and runtime secret

43
docs/current-forge-asset-inventory.md
View File

@@ -2,18 +2,20 @@
Date: 2026-06-05
This inventory covers forge-related assets currently visible in
This inventory covers forge-related assets that were originally visible in
`/home/worsch/railiance-apps`. It supports `FORGE-WP-0001-T03` and the
coordinating `RAILIANCE-WP-0006` extraction plan.
No files have been moved yet. This document assigns each candidate asset a
target disposition for the first migration plan.
Canonical docs and deploy-capable Gitea files have now moved into
`railiance-forge`. `railiance-apps` keeps compatibility pointers and wrappers
while app-release ownership remains there.
## Summary
| Disposition | Meaning |
|-------------|---------|
| Move | Canonical file should move to `railiance-forge`. |
| Moved | Canonical file has moved to `railiance-forge`. |
| Copy pointer | Copy canonical content to `railiance-forge`, leave a short pointer in `railiance-apps` temporarily. |
| Leave | Keep in `railiance-apps`; it is S5 app-release surface. |
| Adapt | Keep local behavior, but update references after forge extraction. |
@@ -23,21 +25,21 @@ target disposition for the first migration plan.
| Asset | Current role | Target disposition | Notes |
|-------|--------------|--------------------|-------|
| `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Move | Must preserve secret boundary; move without decrypting. |
| `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Move | This is forge runtime config, not S5 app config. |
| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Move | Forge owns Gitea/registry exposure; cluster ingress primitives remain S2. |
| `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Move or supersede | Likely keep only as historical migration reference if still useful. |
| `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Move | Recreate in `railiance-forge/Makefile`; remove from S5 after compatibility window. |
| `make gitea-deploy` | Deploy/upgrade current Gitea release. | Move | Should become `railiance-forge` operator target. |
| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Move | Should become `railiance-forge` operator target. |
| `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Move | Keep database status as consumer evidence; S3 still owns DB implementation. |
| `helm/gitea-values.sops.yaml` | SOPS-encrypted Gitea Helm values. | Moved | Now `railiance-forge/helm/gitea-values.sops.yaml`; moved without decrypting. |
| `helm/gitea-registry-values.yaml` | Non-secret overlay enabling Gitea package/container registry behavior. | Moved | Now `railiance-forge/helm/gitea-registry-values.yaml`. |
| `manifests/gitea-ingress.yaml` | Registry-facing Gitea ingress for `/v2`. | Moved | Now `railiance-forge/manifests/gitea-ingress.yaml`; labels left unchanged until next reviewed deploy. |
| `releases/gitea/values.yaml` | Legacy/plain Gitea release values reference. | Moved | Now `railiance-forge/releases/gitea/values.yaml`; review before using as active deploy input. |
| `Makefile` variables `GITEA_*` | Gitea release/chart/value/ingress defaults. | Moved | Forge owns canonical variables; apps keeps only release/name compatibility variables. |
| `make gitea-deploy` | Deploy/upgrade current Gitea release. | Moved | Forge owns target; apps delegates during compatibility window. |
| `make gitea-ingress-deploy` | Apply Gitea registry ingress. | Moved | Forge owns target; apps delegates during compatibility window. |
| `make gitea-status` | Check Gitea pod/service/ingress and `gitea-db` status. | Moved | Forge owns target; apps delegates during compatibility window. |
## Copy With Compatibility Pointer
| Asset | Current role | Target disposition | Notes |
|-------|--------------|--------------------|-------|
| `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Copy pointer | Copy to `railiance-forge/docs/`; leave S5 pointer for app consumers. |
| `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Copy pointer | Forge owns endpoint/registry posture; app/source repos own package release details. |
| `docs/gitea-container-registry.md` | Canonical operator recipe for container registry host, auth, pull secrets, storage note. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. |
| `docs/gitea-package-registry.md` | Python package registry publishing/install recipe and `issue-core` handoff. | Moved | Forge doc is canonical; app-side file is a compatibility pointer. |
| `workplans/RAIL-AP-WP-0001-gitea-container-registry.md` | Historical implementation evidence for enabling Gitea registry in S5. | Copy pointer or archive | Keep historical record in S5, but create forge follow-up for storage/retention/restore posture. |
| `workplans/RAILIANCE-WP-0006-railiance-forge-extraction.md` | Cross-repo coordination plan. | Leave plus pointer | Remains in `railiance-apps` as extraction coordinator; forge work proceeds in `FORGE-WP-*`. |
@@ -67,7 +69,7 @@ target disposition for the first migration plan.
| `SCOPE.md` | Currently lists Gitea as S5-owned workload. | Adapt | After migration, describe forge as upstream release infrastructure. |
| `INTENT.md` | Mentions Gitea/current forge as S5 workload/learning surface. | Adapt | Keep S5 intent but remove long-term forge ownership language. |
| `AGENTS.md` | Repo identity still says application Helm releases, Gitea, coulomb services. | Adapt | Update after Gitea files move. Also update task status examples to State Hub canon. |
| `Makefile` `SOPS_SENTINEL ?= $(GITEA_VALUES)` | `check-sops` currently validates Gitea SOPS values. | Adapt | Once Gitea values move, choose an S5 sentinel or make the check no-op when no SOPS file exists. |
| `Makefile` `SOPS_SENTINEL` | `check-sops` validates the forge-owned Gitea SOPS sentinel for compatibility. | Adapted | Apps points at `/home/worsch/railiance-forge/helm/gitea-values.sops.yaml`. |
| `tools/check-sops.sh` | Generic SOPS sentinel check. | Leave/adapt | Useful beyond forge, but current default must change after move. |
| `.custodian-brief.md` | Generated State Hub brief. | Generated | Do not edit manually; consistency sync updates it. |
@@ -82,21 +84,20 @@ target disposition for the first migration plan.
## First Safe Move Candidate
The first migration should avoid live service changes and move documentation
before deployment configuration:
The first migration avoided live service changes and moved documentation before
deployment configuration:
1. Copy `docs/gitea-container-registry.md` and
`docs/gitea-package-registry.md` into `railiance-forge/docs/`.
2. Replace the originals in `railiance-apps` with short compatibility pointers.
3. Add a `railiance-forge/Makefile` with read-only/status targets first.
4. Move deploy-capable Gitea targets only after the operator path is reviewed.
5. Keep app-side compatibility wrappers until operators have switched.
This gives operators a new canonical forge home while keeping current S5 app
This gives operators a canonical forge home while keeping current S5 app
runbooks discoverable.
## Remote Creation Note
Creating `coulomb/railiance-forge` on the current Gitea instance is blocked:
the configured `tea` login `coulomb` exists, but the stored token is invalid as
of 2026-06-05. The local repo is initialized and State Hub-registered, but
`origin` should not be added until the remote repository exists.
`coulomb/railiance-forge` now exists and the local repo is pushed to
`gitea-remote:coulomb/railiance-forge.git`.

33
docs/deploy-capable-gitea-move-review.md
View File

@@ -2,8 +2,8 @@
Date: 2026-06-05
Status: ready for operator review. No deploy-capable files have been moved by
this review, and no live cluster command is authorized by this document.
Status: executed as a file ownership move. No live Helm deploy, SOPS
decryption, or Kubernetes apply was run.
## Goal
@@ -15,13 +15,13 @@ breaking operator muscle memory.
| Current path in `railiance-apps` | Sensitivity | Proposed target | Action |
|---|---:|---|---|
| `helm/gitea-values.sops.yaml` | SOPS-encrypted | `railiance-forge/helm/gitea-values.sops.yaml` | Move after confirming SOPS age access still works from the new repo. Do not decrypt into Git. |
| `helm/gitea-registry-values.yaml` | Non-secret | `railiance-forge/helm/gitea-registry-values.yaml` | Move with the registry docs. |
| `manifests/gitea-ingress.yaml` | Non-secret | `railiance-forge/manifests/gitea-ingress.yaml` | Move and update ownership labels from `railiance-apps` to `railiance-forge` if desired. |
| `releases/gitea/values.yaml` | Plaintext legacy/operator values | `railiance-forge/releases/gitea/values.yaml` or archive | Review before moving; it contains old CoulombCore-era chart notes and a placeholder password comment. |
| `make gitea-deploy` | Deploy-capable | `railiance-forge/Makefile` | Move only after app-side compatibility target is ready. |
| `make gitea-ingress-deploy` | Deploy-capable | `railiance-forge/Makefile` | Move only after app-side compatibility target is ready. |
| `make gitea-status` | Read-only | `railiance-forge/Makefile` | Already introduced as read-only target. |
| `helm/gitea-values.sops.yaml` | SOPS-encrypted | `railiance-forge/helm/gitea-values.sops.yaml` | Moved without decrypting. |
| `helm/gitea-registry-values.yaml` | Non-secret | `railiance-forge/helm/gitea-registry-values.yaml` | Moved. |
| `manifests/gitea-ingress.yaml` | Non-secret | `railiance-forge/manifests/gitea-ingress.yaml` | Moved without live apply. |
| `releases/gitea/values.yaml` | Plaintext legacy/operator values | `railiance-forge/releases/gitea/values.yaml` | Moved as legacy evidence; review before use as active deploy input. |
| `make gitea-deploy` | Deploy-capable | `railiance-forge/Makefile` | Moved; app-side target delegates. |
| `make gitea-ingress-deploy` | Deploy-capable | `railiance-forge/Makefile` | Moved; app-side target delegates. |
| `make gitea-status` | Read-only | `railiance-forge/Makefile` | Moved; app-side target delegates. |
## Proposed Target Layout
@@ -98,14 +98,15 @@ the transition:
- `make gitea-deploy` and `make gitea-ingress-deploy` should either delegate to
forge or fail with a clear message that deploy ownership has moved.
## Resolved During Move
- `releases/gitea/values.yaml` moved as legacy evidence, not as the preferred
active deploy input.
- `manifests/gitea-ingress.yaml` labels were left unchanged to avoid mixing the
file move with a live-facing manifest semantic change.
- The SOPS sentinel in forge points at `helm/gitea-values.sops.yaml`.
## Open Questions
- Should `releases/gitea/values.yaml` move as an active file or be archived as
legacy evidence?
- Should `manifests/gitea-ingress.yaml` labels change from
`app.kubernetes.io/part-of: railiance-apps` to `railiance-forge` during the
move, or stay stable until the next deploy?
- Should the SOPS sentinel in forge point at `helm/gitea-values.sops.yaml` once
that file moves?
- What restore-drill evidence is required before package data becomes
production-critical?

17
docs/first-migration-plan.md
View File

@@ -2,14 +2,15 @@
Date: 2026-06-05
Status: Phase 1 is underway. The remote repository exists and is pushed, so the
earlier Gitea API blocker no longer applies.
Status: Phases 1 through 3 are complete as file ownership moves. No live Helm
deploy, SOPS decryption, or Kubernetes apply was run.
This plan starts the extraction of forge ownership from `railiance-apps` into
`railiance-forge` without changing the live Gitea deployment.
The rule for the first migration is simple: move knowledge and read-only
operator entry points before moving deploy-capable configuration.
operator entry points before moving deploy-capable configuration. That sequence
has now been followed.
## Goals
@@ -63,18 +64,18 @@ Initial `railiance-forge/Makefile` targets:
- `check-tools`: minimal local tool check for `kubectl`, `helm`, `sops`, and
optional `tea`.
Do not add `gitea-deploy` in this phase.
`gitea-deploy` was intentionally deferred until Phase 3.
Validation:
- Targets are read-only.
- Targets either succeed or fail with clear missing-tool messages.
- `railiance-apps` still owns deploy-capable Gitea targets during the
transition.
- `railiance-apps` still has compatibility wrappers during the transition.
## Phase 3 - Deploy-Capable Target Review
Move deploy-capable Gitea ownership only after Phase 1 and Phase 2 are reviewed.
This is now complete as a file move.
Candidate moves:
@@ -123,5 +124,5 @@ aligned with `origin/main`.
## Next Recommended Action
Complete Phase 1 documentation canonicalization and Phase 2 read-only operator
targets, then review the deploy-capable Gitea file move separately.
Complete Phase 4 S5 scope cleanup and decide when compatibility wrappers in
`railiance-apps` can be retired.

15
docs/gitea-container-registry.md
View File

@@ -1,8 +1,8 @@
# Gitea Container Registry
This is the canonical Railiance operating note for the current Gitea container
registry. Compatibility pointers remain in `railiance-apps` while deploy-capable
Gitea Helm and manifest files still live there.
registry. Compatibility pointers remain in `railiance-apps`; deploy-capable
Gitea Helm and manifest files now live in this repo.
## Registry Target
@@ -10,12 +10,11 @@ Use `gitea.coulomb.social` as the approved registry host. The `/v2` ingress is
live as of 2026-05-15 and returns the OCI registry authentication challenge over
HTTPS.
Registry-specific Gitea settings are currently carried in
`/home/worsch/railiance-apps/helm/gitea-registry-values.yaml`, a non-secret
overlay applied after the SOPS values file by `make gitea-deploy`. It explicitly
enables packages, permits container and PyPI uploads without an app-level size
cap, clears globally disabled repo units, and moves `ROOT_URL` to the HTTPS
host.
Registry-specific Gitea settings are carried in
`helm/gitea-registry-values.yaml`, a non-secret overlay applied after the SOPS
values file by `make gitea-deploy`. It explicitly enables packages, permits
container and PyPI uploads without an app-level size cap, clears globally
disabled repo units, and moves `ROOT_URL` to the HTTPS host.
Image names should use the Gitea owner and package path:

11
docs/gitea-package-registry.md
View File

@@ -1,13 +1,12 @@
# Gitea Package Registry
This is the canonical Railiance operating note for the current Gitea Python
package registry. Compatibility pointers remain in `railiance-apps` while
deploy-capable Gitea Helm and manifest files still live there.
package registry. Compatibility pointers remain in `railiance-apps`;
deploy-capable Gitea Helm and manifest files now live in this repo.
Gitea package support is enabled by
`/home/worsch/railiance-apps/helm/gitea-registry-values.yaml`. That overlay is
applied after the encrypted base values by `make gitea-deploy` and enables both
container packages and Python packages.
Gitea package support is enabled by `helm/gitea-registry-values.yaml`. That
overlay is applied after the encrypted base values by `make gitea-deploy` and
enables both container packages and Python packages.
## Python Packages

11
helm/gitea-registry-values.yaml Normal file
View File

@@ -0,0 +1,11 @@
# Non-secret Gitea registry settings layered after the SOPS values file.
gitea:
config:
packages:
ENABLED: true
LIMIT_SIZE_CONTAINER: -1
LIMIT_SIZE_PYPI: -1
repository:
DISABLED_REPO_UNITS: ""
server:
ROOT_URL: "https://gitea.coulomb.social/"

58
helm/gitea-values.sops.yaml Normal file
View File

@@ -0,0 +1,58 @@
#ENC[AES256_GCM,data:jLG3K9KRtV7zKrLfJ0J42LAc17nX8UKbB2KWJSXZPFQ+5cZjA3RFbQ==,iv:Ync2fzES+Oj1L/yfSLxInef5IgQWpJdK9Wd8fTLinSU=,tag:gHEiHLzOI1eiuAhntcCU2A==,type:comment]
#ENC[AES256_GCM,data:z6zvj2FcfFTmf7D8ZgbW8Wi68s4O,iv:kwaB3n64IQR4slfLFnQqjtQO9oxm5MkVqvtt53BArqc=,tag:ftjV1jtGa57QSpLOJGGDqA==,type:comment]
#ENC[AES256_GCM,data:ty8rXwAdeJjr7wA0hXpdDOmpPVaqnCavzzO6/RI9SYpcQ3pnIsBxmIpcdx6hqbkH,iv:YDYrEMvrKX0sGIPIBYbJUdOcPwx84CFQQSmR8+QIZuA=,tag:P/0IbdxCxofZPn+OlSLU0Q==,type:comment]
#ENC[AES256_GCM,data:2LqlFLbhpKrQH0r6RrgECOpxD74+zK7Ksl26BEhsKukOYBzk8sAfHkRcH2G7Ndk/cgCJjD7Ndk7ogh1d,iv:Z7ueOEVthvm/peyDAT4XpuIvl4if346iitWne7/1HFs=,tag:ziXDL/9d00jGGxOJtK5C8Q==,type:comment]
#
#ENC[AES256_GCM,data:G6Jzdr5V/IKyvcG3j6lmD1N6i1vYrOnYWLAQ1e/gnctgMufKqcW7kJA9Cdj7Vw==,iv:093mO8+QElI5tqs6DgTJiO71OLAppbxvGafmpXlt6G0=,tag:MRzd9UupZkdsk3DRKKbp0g==,type:comment]
#ENC[AES256_GCM,data:DHEo5mRMm0hiEAR++0uJdnmMuZFuecKXfl0rrYeQxNWRAUqgjL8+y0E97Q==,iv:qh7rewpXW0XEe1wLM8nTipByShnG2SO9UGVXgm3Gcd4=,tag:FfC/iiBnaqnP5gZiYmBomA==,type:comment]
#ENC[AES256_GCM,data:7nU7Z8dZ2JP+WfTIBcc4zoEZUaaqyOiip/Vn/txJm7Eetc9mso7JGKTHSkXV/a9Kqp96yZG6mEaXoh0jFQfmX1ItJOAq6uUtUav0I76FK2coQ2lnTTpPt5LzRWH3Gw==,iv:p7/MR5adZt48uJtpuLHnydcy7af6YOcjRj9Mgknc8aw=,tag:gqvosX3nSHsDLR0E6BJ9MA==,type:comment]
gitea:
config:
server:
DOMAIN: ENC[AES256_GCM,data:PxKHJeRtHMJFvQMpDl+VFSNcRv4=,iv:L1UtCaBrEoRlyJH36Yd55b7WFhTZMUTYAP6knC6Qfxc=,tag:hFton+zOgXPF+gCzqNEKyQ==,type:str]
ROOT_URL: ENC[AES256_GCM,data:tDJQG/468fYtXlyKGcl43bmMALvlEJhgxM4/,iv:4u4WzQbZZ1utshFrdtTXmxYMHSX9Mei5rq1I+z8iwpY=,tag:ibrCAk7esdOArFrhB4Qi3w==,type:str]
SSH_DOMAIN: ENC[AES256_GCM,data:bz41+PZAvGMoJPcNPpSMPfi5L5A=,iv:qG78QHcxFgxmgv+hOcAR3JadM5fL4euBtXk392ILI7A=,tag:M23NRlCTxcAchTfE8S5nKg==,type:str]
database:
DB_TYPE: ENC[AES256_GCM,data:A9DE1lAHDLQ=,iv:BJz5BmhvZBNmZ/wL/f/160tNFUN1QOS+cj4jmCrxILA=,tag:D8XHegqVEOYTtMScKoRkeg==,type:str]
HOST: ENC[AES256_GCM,data:eWWPMjljR4EY63qUmXvtS5VW7evpP261nOCiLljy79Ft+j8pwkAnEA2+iaY=,iv:cJIB2SbEIA+BeAViwJZNP+eOhTP1Y3vFgN8JKGUKQWE=,tag:Ej1YhpzuNcJXy9jbg8LnIw==,type:str]
NAME: ENC[AES256_GCM,data:8Zp5FNs=,iv:qhrWkp15Oy0SsCiJvGsUBg4vv6X0ez2x2NWqk3XUsno=,tag:4qj1XQf8vHkDGynjUa9JVg==,type:str]
USER: ENC[AES256_GCM,data:m4Ln0J8=,iv:BmNO265BQVtTCIIF/T5fbNRZBEPZz8tPSeam7ToVSAM=,tag:Lwr7AxxckJ3B/Ff4l+FNIg==,type:str]
PASSWD: ENC[AES256_GCM,data:tIKMvA4=,iv:FxnmkHazpThExFgsRqeMfFQhTbhPH6+o0fK9xURwqBs=,tag:1mohGBT+ynExzUoM3CtU5Q==,type:str]
SSL_MODE: ENC[AES256_GCM,data:MHrNNVnCUw==,iv:V5voIFrtJicropHf5FpTWlq6Gk+Vvw1z7ax24fAzcAU=,tag:/DoDYoBb/tv9egi1lJ7xdw==,type:str]
cache:
ADAPTER: ENC[AES256_GCM,data:mFEneE8=,iv:fwJm8bK1QH8WoVbFa2oCRQivdVkw0RjPVFNPc5Ecn5U=,tag:XhgsZmHoaReE43JJb9XdGw==,type:str]
HOST: ENC[AES256_GCM,data:0dx6Jh8lf/VWCEUMCi48oJdB0Yfkrk0zkkyVI9pRJeUV3y6XRZnTYP/e0zTXxhMfXS3bNnGqacZSelgVy4jc7pl354iU94EcIz1Rh2x3bs0W18rzMy5ATuOhdhnlY/Ly1BSWwPkldEPTSw==,iv:cyAPLzWPOeJo7LDXaw27in4IblZxcR3pVXPegqV9Vp4=,tag:UYSmXMDDkPWXE3fO+z6MiA==,type:str]
session:
PROVIDER: ENC[AES256_GCM,data:I/43BCQ=,iv:IHbcRbE8C8g8h5sTOyKqUafEVZ6QJuLo71j69Z49AIw=,tag:oiz4f/BF827YbH5jJKp8uQ==,type:str]
PROVIDER_CONFIG: ENC[AES256_GCM,data:2Qu3Fd7Fov5Qw/E/YXwvynwojFwZpWyOvlvKmRs03Ir8usjlRctRCvfcmW3g8EolkY2xQhmZzd9All/33nJMetA1bZ0MAU5ct5U1tkxiOBEcrruix8WzuokQi+5cPxTfu0bHZYDvrtlpIQ==,iv:3xDoJeUa5OLN9dGJEIqIK2SN9bVZE9Gf2sP1rOYyzEk=,tag:D+9iPT+YYxOOOZckqO+KbQ==,type:str]
queue:
TYPE: ENC[AES256_GCM,data:lk3WVMg=,iv:vy2hD1xZf123IwqWbI3a9cI1GUmMpOc+Klw80seQj44=,tag:Y2WkIaCszv201aV7NRPPtw==,type:str]
CONN_STR: ENC[AES256_GCM,data:/vl9QR4MYnGngiIhXT2bum1rWXZwNz/FyqfWG8QmdKrpNE+vquXWACFiTWhH9Hf8g+OUWzaOqZqn+ph8yZNHFaZqzBNZPyGyyVk7sU1SeUs0iUhPf29/jQGRFHOxxFSx/2FIVVblMhtA7A==,iv:WUx7iG2LqxdoPDNDbhk/tVhRWqgIXjCePMHOM4SpicU=,tag:Xnk7qomvqys2APA4t5Vf9A==,type:str]
postgresql-ha:
enabled: ENC[AES256_GCM,data:f0h+GvU=,iv:RDIU37NlWBC1KE3eFSZJxiAkudEIgtwLAicfOcYDcVI=,tag:7GlCCxpNXjyP/tuwG+aA6A==,type:bool]
postgresql:
enabled: ENC[AES256_GCM,data:P4WyaR0=,iv:iIiB5j0ZJrizO1LTzGUp1u1i+8L8AispkEUT2sr1gws=,tag:HqNdr1rPSgb8xAv7jhL1UA==,type:bool]
redis-cluster:
enabled: ENC[AES256_GCM,data:7h2ZNb0=,iv:qOWCgiCfnbv79EddfSNbBKT/q8JB24gMKfmlEX0g++U=,tag:iNW/PRCqRBX2oPop1ERALg==,type:bool]
valkey-cluster:
enabled: ENC[AES256_GCM,data:9ffS+Mo=,iv:GVVBb/JN1Zzj4h6j0jVpoMMHnkFpsJdr5VgSpUXhmUY=,tag:N9vypan+ueWk+RcpL5K6Fw==,type:bool]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1aq8twfd78wvpra0had8cezcnj96tj4q0068edrz5jez8d6xwmflqdepsh4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbHdUNmpkaFozVDJMY2tG
TlVBeUJNSlJPcTR5aXhVMkN1MUVLMHJ3NXdVClhkdDhGVTJ6NEdWeGVHeEo2SkZB
aldWZ25kK3JDcWxsL0Q2c3BYbGI2c2cKLS0tIDU5bEdxTjVvKzlSUlpIZGhRMS9Q
MnNPMnl0SEc3NVRvVHJhNW53aWxiWTAK2TIz10Md0eNyTzpuxml1CDvCW9Cq6gEt
8zHyWNA1LayXct2mvcgVmMWyO8+nl7ZIaqhZHGNzC0cLaOqwD2o4bQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-27T09:02:37Z"
mac: ENC[AES256_GCM,data:a1pdWiw64d16D1IFRd8PskvOsjAP6YFBzGZICfaN4ABHiQfNeIrSfeYxtvF6SwfK2bXxIfEcvC2Ofl6VKQtXwftmu1jruZeXSGtpAybwsVx8XPxmJNWKJwpfQaSUoE+/Wg1nmpJYBVUPDhVUwnGumnYQB+sXLdrMQD24HjbT4Zc=,iv:ETirgEDjX4aWNLVe1n86jsU2ShdWY728YMgBkMl4JSE=,tag:jX052pHamAbdaB8wJbYaSA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

29
manifests/gitea-ingress.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea
namespace: default
labels:
app.kubernetes.io/name: gitea
app.kubernetes.io/instance: gitea
app.kubernetes.io/part-of: railiance-apps
railiance/component: gitea-registry
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: traefik
rules:
- host: gitea.coulomb.social
http:
paths:
- path: /v2
pathType: Prefix
backend:
service:
name: gitea
port:
number: 3000
tls:
- hosts:
- gitea.coulomb.social
secretName: gitea-tls

20
releases/gitea/values.yaml Normal file
View File

@@ -0,0 +1,20 @@
# Gitea Helm values — COULOMBCORE cluster
# Chart: gitea/gitea version: 12.5.0
# Release name: gitea namespace: default
#
# Applied via:
# helm upgrade gitea gitea/gitea --version 12.5.0 -n default -f releases/gitea/values.yaml
postgresql-ha:
pgpool:
adminPassword: changeme4 # TODO: move to sealed secret / external secret
# Right-sized for single-node COULOMBCORE (2 vCPU budget is tight).
# Default was 250m request which caused scheduling failures — see INC-001.
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 200m
memory: 384Mi

9
workplans/FORGE-WP-0002-registry-docs-and-readonly-ops.md
View File

@@ -4,7 +4,7 @@ type: workplan
title: "Canonical registry docs and read-only forge operations"
domain: railiance
repo: railiance-forge
status: active
status: finished
owner: codex
topic_slug: railiance
planning_priority: high
@@ -105,7 +105,7 @@ competing canonical sources.
```task
id: FORGE-WP-0002-T05
status: todo
status: done
priority: high
state_hub_task_id: "6f6fc3a4-a883-4803-84e7-2700629d397a"
```
@@ -115,3 +115,8 @@ After operator review, move deploy-capable Gitea files and commands into
Done when `railiance-forge` owns Gitea deploy/status/ingress commands and
`railiance-apps` no longer carries live forge deployment files as S5 scope.
Completed on 2026-06-05. The Gitea SOPS values, registry overlay, ingress
manifest, legacy release values, and deploy/status Makefile targets now live in
`railiance-forge`. `railiance-apps` keeps compatibility wrappers only. No live
deploy, SOPS decryption, or Kubernetes apply was run.