feat(s2): add Gitea SSH NodePort service + close WP-0004 (backup tool, scope updates)

- helm/gitea-ssh-nodeport.yaml: expose Gitea SSH on NodePort 30022 (targetPort 2222)
  for on-node git automation (RAIL-HO-WP-0004-T07)
- tools/cmd/railiance-backup-s2: fix SQLite hot backup (was broken etcd-snapshot)
- tools/cmd/railiance-restore-s2: update restore instructions for SQLite mode
- workplans/RAIL-BS-WP-0004-safety-net.md: mark done
- SCOPE.md: update current state, document boundary violations, fix connectivity docs

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
tegwick 2026-03-27 01:01:32 +01:00
parent 943d0f3e80
commit 9fc5a033d5
3 changed files with 46 additions and 16 deletions


@ -59,10 +59,11 @@ Railiance is structured as five independent repos per OAS Stack layer. This repo
## Current State
- Status: active / mostly complete
- Implementation: k3s baseline complete (RAIL-BS-WP-0002); active bug fixes (RAIL-BS-WP-0003 pgpool HA failover); safety net tooling in progress (RAIL-BS-WP-0004)
- Stability: high for k3s baseline; active improvements ongoing
- Usage: core Kubernetes runtime for all Railiance deployments; runs on HostEurope server
- Status: active / stable
- Implementation: k3s baseline complete (RAIL-BS-WP-0002 done); pgpool HA failover fix complete (RAIL-BS-WP-0003 done); integrated backup complete (RAIL-BS-WP-0004 done — age-encrypted local backup, daily cron under root)
- Stability: high — no active open workplans
- Usage: core Kubernetes runtime for all Railiance deployments; runs on COULOMBCORE (92.205.130.254)
- Also deployed at cluster level: cert-manager, ArgoCD, CloudNative PG operator (cnpg), nginx ingress, SSO stack (mfa + sso namespaces via net-kingdom)
---
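Review bot: the new Implementation line describes RAIL-BS-WP-0004 as an "age-encrypted local backup, daily cron under root", but Current State says nothing about whether the archives ever leave COULOMBCORE or where the age identity needed to decrypt them is kept; a backup that only exists on the host it protects does not cover loss of that host, so either name the off-host copy here or record the gap explicitly rather than stating "Stability: high — no active open workplans". The same line also deletes "safety net tooling in progress" without saying what replaced the old etcd-snapshot path; one clause such as "SQLite hot copy, see the backup capability" would keep the two sections consistent.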
@ -108,12 +109,19 @@ keywords: [kubernetes, k3s, cluster, helm, ingress, cni, k8s, provisioning]
```capability
type: infrastructure
title: Cluster operators and addon management
description: Deploy and manage cluster-wide operators and addons (cert-manager, admission controllers) on the running Railiance Kubernetes cluster.
keywords: [operator, addon, cert-manager, admission, kubernetes, cluster]
description: Deploy and manage cluster-wide operators and addons (cert-manager, CloudNative PG operator, ArgoCD, nginx ingress) on the running Railiance Kubernetes cluster.
keywords: [operator, addon, cert-manager, cnpg, argocd, admission, kubernetes, cluster]
```
```capability
type: operations
title: Kubernetes runtime backup (age-encrypted)
description: Daily encrypted backup of k3s cluster state (SQLite hot copy), Helm release values, and kubeconfig to /opt/backup/railiance/cluster/ using age encryption. Run via sudo make backup.
keywords: [backup, restore, age, encryption, k3s, state, helm, kubeconfig, disaster-recovery]
```
---
## Notes
Designed for remote execution from HostEurope (92.205.130.254). Requires SSH reverse tunnel: `ssh -R 8000:127.0.0.1:8000 <user>@remote`.
Runs on COULOMBCORE (92.205.130.254). State Hub access via ops-bridge reverse tunnel — `bridge up state-hub-coulombcore` from the workstation (see ADR-004). Gitea is currently deployed here as a Helm release (boundary violation: architecturally belongs to S5 — migration pending).
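Review bot: the new "Kubernetes runtime backup (age-encrypted)" capability documents only the backup side: the commit also touches tools/cmd/railiance-restore-s2 and the keywords list "restore" and "disaster-recovery", yet the description gives no restore entry point and no statement of where the age identity that decrypts /opt/backup/railiance/cluster/ is stored. Suggest adding the restore command next to "Run via sudo make backup." and one sentence on key custody, since an age-encrypted backup whose only decryption key lives on the same host is unrecoverable after host loss. Separately, the Notes line records Gitea as a "boundary violation ... migration pending" while the Current State hunk claims "no active open workplans"; point the pending migration at its tracking workplan or soften the stability claim so the two sections do not contradict each other.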