The IngressRouteTCP resource was being silently ignored because
Traefik CRDs were never installed. This caused SSH traffic on
port 22 to be handled as HTTP, returning 400 Bad Request.
Add CRD installation step before Traefik deployment.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Deploy PowerDNS on k3s with SQLite backend
- Add DNS ports 53 UDP/TCP to security group
- Configure zones for superviber.com, muffinlabs.ai, letemcook.com,
  appbasecamp.com, thanksforborrowing.com
- Add deploy-powerdns.sh standalone deployment script
- Document in RFC 0003
Glue records updated at GoDaddy to point ns1/ns2 to 3.218.167.115.
DNS verified working via Google DNS (8.8.8.8).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

HelmChart values schema changed in newer Traefik versions causing
installation failures. Replaced with direct Deployment + RBAC manifests
which work reliably with Traefik v3.2.
Also adds SSH public key variable for admin access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Use lowercase terraform template vars in user-data.sh
- Increase S3 lifecycle transition to 30 days (STANDARD_IA minimum)
- Increase expiration to 60 days
Infrastructure successfully deployed:
- Instance: i-06e1198106d251a0e
- Elastic IP: 54.82.131.189
- Backup bucket: hearth-backups-181640953119

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Decision from 12-expert alignment dialogue on single-user scale.
Implements Option E with modifications:
- t4g.small spot instance (~$5/mo)
- k3s with Traefik for ingress + Let's Encrypt TLS
- SQLite database for Forgejo
- S3 backups with 30-day lifecycle
- EBS gp3 20GB encrypted
- Admin SSH on port 2222, Git SSH on port 22
Total cost: ~$7.50/month
Includes:
- terraform/minimal/ - full terraform configuration
- terraform/bootstrap/ - state backend (already applied)
- docs/spikes/0001-single-user-scale.md - decision documentation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>