# Hetzner single-node overlay

This overlay turns the shared platform and `unrip` project bases into a concrete first-node bootstrap target for the Terraform-provisioned k3s VM.

## Before apply

Create real secret material from the examples:

```bash
cp deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env.example deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env.example deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd.example deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd
```

Update:

- ingress hosts in `ingress-hosts.patch.yaml`
- ACME email in `issuer-email.patch.yaml`
- project secret values in `secrets/unrip.env`
- Forgejo secret values in `secrets/forgejo.env`
- registry htpasswd in `secrets/registry.htpasswd`

## Apply

```bash
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
```

## What gets installed

- shared platform namespaces for registry, ingress, cert-manager, and Forgejo
- project namespace `unrip`
- Redpanda plus a topic bootstrap job inside `unrip`
- app worker deployments referencing `unrip-secrets`
- Forgejo and Forgejo runner referencing `forgejo-secrets`
- private registry protected by htpasswd from `registry-secrets`
- nginx ingress and ACME issuers for TLS

For future projects, do not reuse `unrip`; create a new project namespace and matching `-config`, `-secrets`, and `-registry-creds` resources.
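
A pre-apply check for the "Before apply" step, added here as an example and not part of this repository: it flags secret files that are missing, still identical to their `.example` template, readable by group/other, or tracked by git. The function name `check_overlay_secrets` and the four checks are assumptions; only the three file names come from this README.

```shell
#!/bin/sh
# Added example: sanity-check the overlay's secret files before `kubectl apply -k`.
# Usage: check_overlay_secrets deploy/k8s/overlays/hetzner-single-node \
#          && kubectl apply -k deploy/k8s/overlays/hetzner-single-node

# Body runs in a subshell so its variables do not leak into the caller.
check_overlay_secrets() (
  dir="$1/secrets"
  problems=0
  for name in unrip.env forgejo.env registry.htpasswd; do
    f="$dir/$name"
    # A missing or empty file means the copy step was skipped.
    if [ ! -s "$f" ]; then
      echo "MISSING  $name: copy $name.example and fill in real values"
      problems=$((problems + 1))
      continue
    fi
    # An unchanged copy of the template would ship placeholder credentials.
    if [ -f "$f.example" ] && cmp -s "$f" "$f.example"; then
      echo "EXAMPLE  $name: identical to $name.example"
      problems=$((problems + 1))
    fi
    # Secret material should not be readable by group or other.
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
      echo "PERMS    $name: readable by group/other, run chmod 600"
      problems=$((problems + 1))
    fi
    # Real secrets should stay out of version control (skipped without git).
    if command -v git >/dev/null 2>&1 &&
       git -C "$dir" ls-files --error-unmatch "$name" >/dev/null 2>&1; then
      echo "TRACKED  $name: file is tracked by git"
      problems=$((problems + 1))
    fi
  done
  # Exit status 0 only when every file passed every check.
  [ "$problems" -eq 0 ]
)
```

Each finding is printed on its own line with a fixed tag (`MISSING`, `EXAMPLE`, `PERMS`, `TRACKED`), so the output can be grepped in CI.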