> This file helps you quickly understand what this repository is about,
> when it is relevant, and when it is not.
> It is intentionally lightweight and may be incomplete.
---
## One-liner
S1 Infrastructure Substrate of the Railiance OAS Stack — Git-driven OS provisioning, security hardening, and server baseline using Terraform, cloud-init, and Ansible.
---
## Core Idea
Railiance is structured as five independent repos per OAS Stack layer. This repo is S1 — the foundation. It provisions bare-metal/cloud servers (Hetzner, HostEurope), hardens the OS, manages secrets (SOPS/age), and validates the resulting baseline with Goss tests. S1 must be converged and verified before any higher layer (Kubernetes, platform, etc.) can run.
---
## In Scope
- OS provisioning via Terraform (Hetzner, HostEurope providers)
- First-boot configuration via cloud-init
- OS convergence via Ansible (base, security, sops_agent roles)
- Security hardening and firewall rules
- Secret management: SOPS/age encryption at rest in Git
- Goss specification and test suite for OS baseline validation
- Server inventory management (`inventory/servers.yaml` — source of truth)
- SSH access management
---
## Out of Scope (per ADR-003)
- Kubernetes runtime → railiance-cluster (S2)
- Platform services → railiance-platform (S3)
- Developer tooling → railiance-enablement (S4)
- Application deployments → railiance-apps (S5)
- No cross-layer re-configuration from higher layers
---
## Relevant When
- Provisioning new servers for the Railiance stack
- OS hardening, Ansible convergence, or Goss verification
- Managing server inventory or SSH access
- Rotating SOPS/age keys or updating secrets
---
## Not Relevant When
- Kubernetes, platform services, or application work (wrong layer)
- Server is already provisioned and converged (use cluster/platform repos)
---
## Current State
- Status: active / productive
- Implementation: single-server HostEurope baseline complete (RAIL-HO-WP-0001); server spec + test suite active (WP-0002); 5-repo stack restructure active (WP-0003)
- Stability: high for single-server bootstrap; proven in production (92.205.62.239)
- Usage: foundation for all Railiance deployments; used daily for convergence and verification
Designed for remote execution from HostEurope (92.205.130.254). SSH reverse tunnel required for State Hub access: `ssh -R 8000:127.0.0.1:8000 tegwick@92.205.130.254`.