chore: migrate production deploy to net10 (racknerd cutover)

[shukebeta]

Follow-up to #21. The net10 migration is merged to master and staging is on SSH + framework-dependent deploy (verified). Production is not migrated yet — this ticket captures everything needed so we don't re-investigate.

Current production env (racknerd) — inspected live

	value
host alias	ssh racknerd (hostname racknerd-7bace0)
user	shukebeta
arch	x86_64
.NET installed	only .NET 8 — SDK 8.0.300, runtime Microsoft.NETCore.App 8.0.5 + Microsoft.AspNetCore.App 8.0.5
dotnet location	/home/shukebeta/.dotnet/dotnet (not on PATH)
systemd	user-level, Linger=yes (survives logout)
prod service	HappyNotes.Api.service — active, port 5012, WorkingDirectory=/var/www/HappyNotes.Api, ASPNETCORE_ENVIRONMENT=Production, ExecStart=/home/shukebeta/.dotnet/dotnet /var/www/HappyNotes.Api/HappyNotes.Api.dll
test service	HappyNotes.Api.test.service — defined, port 5013, /var/www/HappyNotes.Api.test, currently not running

The blocker

deploy-to-production.yml and deploy-to-production-test.yml run on a self-hosted runner ([self-hosted, linux, racknerd]) with setup-dotnet commented out, so dotnet build/dotnet publish use the box's ~/.dotnet SDK — which is 8.0.300. A net10 build will fail there. The matrix still says dotnet: ["8.0.x"] (cosmetic, not used by setup-dotnet).

Note: publish is --self-contained true --runtime linux-x64, but the service's ExecStart actually launches dotnet HappyNotes.Api.dll via the shared runtime — so it already behaves framework-dependent in practice.

Two ways forward

Option A (recommended): switch production to SSH + framework-dependent, matching staging

Build moves to the GitHub-hosted runner; racknerd only needs the .NET 10 ASP.NET Core runtime (no SDK).

1. Install net10 ASP.NET Core runtime on racknerd for user shukebeta (same ~/.dotnet via dotnet-install, or distro package). Verify: ~/.dotnet/dotnet --list-runtimes shows Microsoft.AspNetCore.App 10.x.
2. Rewrite both prod workflows from the self-hosted pattern to the SSH pattern in deploy-to-staging.yml (the template):
   • runs-on: ubuntu-latest, setup-dotnet 10.0.x
   • framework-dependent publish (drop --self-contained/--runtime)
   • appleboy/ssh-action + scp-action with key: ${{ secrets.SSH_PRIVATE_KEY }} (NOT key_path — the action runs in a container where the host key file isn't visible)
   • keep user systemd (systemctl --user, XDG_RUNTIME_DIR, linger already on)
   • the dotnet-path resolver in the staging workflow already probes $HOME/.dotnet/dotnet, so it works on racknerd as-is
3. Add production SSH secrets (racknerd is a different host than the arm staging box, so distinct names): host / user (shukebeta) / port / private key / deploy path. Keep separate prod vs test deploy paths (/var/www/HappyNotes.Api, /var/www/HappyNotes.Api.test) and ports (5012 / 5013).
4. Preserve production placeholders: PRODUCTION_MYSQL_PASSWORD, PRODUCTION_SYMMETRIC_SECURITY_KEY, PRODUCTION_SEQ_API_KEY, manticore arm.shukebeta.eu.org, redis arm.shukebeta.eu.org:6381, staging-happynotes-api.dev → happynotes-api (prod) / happynotes-api-test (test).

Option B: keep self-hosted runner

Install the full .NET 10 SDK on racknerd (~/.dotnet to keep using /home/shukebeta/.dotnet/dotnet), then just bump dotnet: ["8.0.x"] → ["10.0.x"] and confirm the build picks up the new SDK. More to maintain on the box (runner agent + SDK); inconsistent with staging.

Acceptance

• racknerd has the required net10 (runtime for A, SDK for B); --list-runtimes/--list-sdks confirms
• deploy-to-production.yml deploys net10, service active on 5012, /health OK
• deploy-to-production-test.yml deploys net10 to 5013 (currently stopped — decide if it should stay)
• Smoke-test Telegram + Mastodon sync paths against production
• Remove dotnet 8 from racknerd once green (per chore: exploratory migration to .NET 10 #21)

cc #21