fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912)

2026-04-16 20:19:03 +00:00 · 2026-04-16 20:19:03 +00:00 · 797e0ab155
commit 797e0ab155
parent 29df502038
5 changed files with 195 additions and 33 deletions
--- a/tools/vault-apply-policies.sh
+++ b/tools/vault-apply-policies.sh
@ -82,6 +82,16 @@ if [ "${#POLICY_FILES[@]}" -eq 0 ]; then
  die "no *.hcl files in ${POLICIES_DIR}"
 fi

+# Default VAULT_ADDR if not set (fixes issue #2)
+VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"
+export VAULT_ADDR
+
+# Resolve VAULT_TOKEN if not set (fixes issue #2)
+if [ -z "${VAULT_TOKEN:-}" ] && [ -f /etc/vault.d/root.token ]; then
+  VAULT_TOKEN="$(cat /etc/vault.d/root.token)"
+  export VAULT_TOKEN
+fi
+
 # ── Dry-run: print plan + exit (no Vault calls) ──────────────────────────────
 if [ "$dry_run" = true ]; then
  log "dry-run — ${#POLICY_FILES[@]} policy file(s) in ${POLICIES_DIR}"
@ -94,9 +104,6 @@ if [ "$dry_run" = true ]; then
 fi

 # ── Live run: Vault connectivity check ───────────────────────────────────────
-[ -n "${VAULT_ADDR:-}" ] \
-  || die "VAULT_ADDR is not set — export VAULT_ADDR=http://127.0.0.1:8200"
-
 # hvault_token_lookup both resolves the token (env or /etc/vault.d/root.token)
 # and confirms the server is reachable with a valid token. Fail fast here so
 # the per-file loop below doesn't emit N identical "HTTP 403" errors.
--- a/tools/vault-import.sh
+++ b/tools/vault-import.sh
@ -236,14 +236,14 @@ vault-import.sh — Import .env and sops-decrypted secrets into Vault KV
 Usage:
  vault-import.sh \
    --env /path/to/.env \
-    --sops /path/to/.env.vault.enc \
-    --age-key /path/to/age/keys.txt \
+    [--sops /path/to/.env.vault.enc] \
+    [--age-key /path/to/age/keys.txt] \
    [--dry-run]

 Options:
  --env       Path to .env file (required)
-  --sops      Path to sops-encrypted .env.vault.enc file (required)
-  --age-key   Path to age keys file (required)
+  --sops      Path to sops-encrypted .env.vault.enc file (optional)
+  --age-key   Path to age keys file (required if --sops is provided)
  --dry-run   Print import plan without writing to Vault (optional)
  --help      Show this help message

@ -256,11 +256,12 @@ Mapping:
    - WOODPECKER_* → kv/disinto/shared/woodpecker/<lowercase_key>
    - FORWARD_AUTH_SECRET, CHAT_OAUTH_* → kv/disinto/shared/chat/<lowercase_key>

-  From sops-decrypted .env.vault.enc:
+  From sops-decrypted .env.vault.enc (if --sops provided):
    - GITHUB_TOKEN, CODEBERG_TOKEN, CLAWHUB_TOKEN, DEPLOY_KEY, NPM_TOKEN, DOCKER_HUB_TOKEN
      → kv/disinto/runner/<NAME>/value

 Examples:
+  vault-import.sh --env .env                          # Import .env only (no sops)
  vault-import.sh --env .env --sops .env.vault.enc --age-key age-keys.txt
  vault-import.sh --env .env --sops .env.vault.enc --age-key age-keys.txt --dry-run
 EOF
@ -276,26 +277,28 @@ EOF
  if [ -z "$env_file" ]; then
    _die "Missing required argument: --env"
  fi
-  if [ -z "$sops_file" ]; then
-    _die "Missing required argument: --sops"
-  fi
-  if [ -z "$age_key_file" ]; then
-    _die "Missing required argument: --age-key"
+  # --sops and --age-key are optional:
+  #   - If --sops is provided, --age-key is required
+  #   - If --sops is not provided, --age-key is not needed
+  if [ -n "$sops_file" ] && [ -z "$age_key_file" ]; then
+    _die "Missing required argument: --age-key (required when --sops is provided)"
  fi

  # Validate files exist
  if [ ! -f "$env_file" ]; then
    _die "Environment file not found: $env_file"
  fi
-  if [ ! -f "$sops_file" ]; then
+  if [ -n "$sops_file" ] && [ ! -f "$sops_file" ]; then
    _die "Sops file not found: $sops_file"
  fi
-  if [ ! -f "$age_key_file" ]; then
+  if [ -n "$age_key_file" ] && [ ! -f "$age_key_file" ]; then
    _die "Age key file not found: $age_key_file"
  fi

-  # Security check: age key permissions
-  _validate_age_key_perms "$age_key_file"
+  # Security check: age key permissions (only if age key is provided)
+  if [ -n "$age_key_file" ]; then
+    _validate_age_key_perms "$age_key_file"
+  fi

  # Security check: VAULT_ADDR must be localhost
  _check_vault_addr
@ -307,12 +310,16 @@ EOF
  _log "Loading environment from: $env_file"
  _load_env_file "$env_file"

-  # Decrypt sops file
-  _log "Decrypting sops file: $sops_file"
-  local sops_env
-  sops_env="$(_decrypt_sops "$sops_file" "$age_key_file")"
-  # shellcheck disable=SC2086
-  eval "$sops_env"
+  # Decrypt sops file if --sops was provided
+  local sops_env=""
+  if [ -n "$sops_file" ]; then
+    _log "Decrypting sops file: $sops_file"
+    sops_env="$(_decrypt_sops "$sops_file" "$age_key_file")"
+    # shellcheck disable=SC2086
+    eval "$sops_env"
+  else
+    _log "No --sops provided — skipping sops decryption"
+  fi

  # Collect all import operations
  declare -a operations=()
@ -397,8 +404,12 @@ EOF
  if $dry_run; then
    _log "=== DRY-RUN: Import plan ==="
    _log "Environment file: $env_file"
-    _log "Sops file: $sops_file"
-    _log "Age key: $age_key_file"
+    if [ -n "$sops_file" ]; then
+      _log "Sops file: $sops_file"
+      _log "Age key: $age_key_file"
+    else
+      _log "Sops file: (not provided)"
+    fi
    _log ""
    _log "Planned operations:"
    for op in "${operations[@]}"; do
@ -413,8 +424,12 @@ EOF

  _log "=== Starting Vault import ==="
  _log "Environment file: $env_file"
-  _log "Sops file: $sops_file"
-  _log "Age key: $age_key_file"
+  if [ -n "$sops_file" ]; then
+    _log "Sops file: $sops_file"
+    _log "Age key: $age_key_file"
+  else
+    _log "Sops file: (not provided — skipping sops-based imports)"
+  fi
  _log ""

  local created=0