From 8fb173763c741f8b4a651a14ace47aae3d16c77b Mon Sep 17 00:00:00 2001
From: dev-qwen2
Date: Fri, 17 Apr 2026 08:24:00 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20[nomad-step-3]=20S3-fix-2=20=E2=80=94=20?=
 =?UTF-8?q?wp-oauth=20REPO=5FROOT=20still=20wrong=20+=20seed/deploy=20must?=
 =?UTF-8?q?=20interleave=20(#948)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 bin/disinto | 89 ++++++++++-------------------
 lib/init/nomad/wp-oauth-register.sh | 2 +-
 2 files changed, 31 insertions(+), 60 deletions(-)
diff --git a/bin/disinto b/bin/disinto
index 39817cf..f40218a 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -923,42 +923,29 @@ _disinto_init_nomad() {
 echo "[import] no --import-env/--import-sops — skipping; set them or seed kv/disinto/* manually before deploying secret-dependent services"
 fi
- # Seed Vault for services that ship their own seeder (S2.6, #928).
- # Convention: tools/vault-seed-.sh — auto-invoked when --with
- # is requested. Runs AFTER vault-import so that real imported values
- # win over generated seeds when both are present; each seeder is
- # idempotent on a per-key basis (see vault-seed-forgejo.sh's
- # "missing → generate, present → unchanged" contract), so re-running
- # init does not rotate existing keys. Services without a seeder are
- # silently skipped — keeps this loop forward-compatible with Step 3+
- # services that may ship their own seeder without touching bin/disinto.
- #
- # VAULT_ADDR is passed explicitly because cluster-up.sh writes the
- # profile.d export *during* this same init run, so the current shell
- # hasn't sourced it yet; sibling vault-* scripts (engines/policies/
- # auth/import) default VAULT_ADDR internally via _hvault_default_env,
- # but vault-seed-forgejo.sh requires the caller to set it.
- #
- # The non-root branch invokes the seeder as `sudo -n -- env VAR=val
- # script` rather than `sudo -n VAR=val -- script`: sudo treats bare
- # `VAR=val` args as sudoers env-assignments, which the default
- # `env_reset=on` policy silently discards unless the variable is in
- # `env_keep` (VAULT_ADDR is not). Using `env` as the actual command
- # sets VAULT_ADDR in the child process regardless of sudoers policy.
+ # Interleaved seed/deploy per service (S2.6, #928, #948).
+ # We interleave seed + deploy per service (not batch all seeds then all deploys)
+ # so that OAuth-dependent services can reach their dependencies during seeding.
+ # E.g., seed-forgejo → deploy-forgejo → seed-woodpecker (OAuth can now reach
+ # running forgejo) → deploy-woodpecker.
 if [ -n "$with_services" ]; then
 local vault_addr="${VAULT_ADDR:-http://127.0.0.1:8200}"
- local _seed_seen=""
- local IFS=','
- for svc in $with_services; do
- svc=$(echo "$svc" | xargs) # trim whitespace
- # Map sub-services to parent seed name (S3.4)
+
+ # Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
+ local DEPLOY_ORDER=""
+ for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
+ if echo ",$with_services," | grep -q ",$ordered_svc,"; then
+ DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
+ fi
+ done
+
+ local IFS=' '
+ for svc in $DEPLOY_ORDER; do
+ # Seed this service (if seed script exists)
 local seed_name="$svc"
 case "$svc" in
 woodpecker-server|woodpecker-agent) seed_name="woodpecker" ;;
 esac
- # Deduplicate
- if echo ",$_seed_seen," | grep -q ",$seed_name,"; then continue; fi
- _seed_seen="${_seed_seen:+${_seed_seen},}${seed_name}"
 local seed_script="${FACTORY_ROOT}/tools/vault-seed-${seed_name}.sh"
 if [ -x "$seed_script" ]; then
 echo ""
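Review bot: Services named in `--with` that are not in the hard-coded `forgejo woodpecker-server woodpecker-agent` list are now dropped without any message — the new loop iterates `$DEPLOY_ORDER` instead of `$with_services`, so a typo, or a service that only ships a seeder, is neither seeded nor deployed, whereas the removed loop seeded anything with a matching `tools/vault-seed-*.sh`. A validation pass over `$with_services` before the loop would turn that into a hard error (sketch below). Dropping the `_seed_seen` dedup also means `vault-seed-woodpecker.sh` now runs twice when both woodpecker-server and woodpecker-agent are requested, once before each deploy; the removed comment asserted per-key idempotence for seeders citing vault-seed-forgejo.sh, but whether the woodpecker seeder's OAuth registration is equally safe to repeat is not visible here — confirm, or skip the seed when `seed_name` equals the previous iteration's. Finally, the deleted paragraph was the only record of why the non-root seeder call is `sudo -n -- env VAR=val script` rather than `sudo -n VAR=val -- script`; keep a one-liner next to that call in the following hunk, e.g. `# env as the command: sudoers env_reset drops bare VAR=val args unless listed in env_keep`. `_disinto_init_nomad` starts and ends outside this hunk.
```sh
# … unchanged: DEPLOY_ORDER construction …
# Reject anything in --with that the fixed order list does not know,
# instead of silently seeding/deploying nothing for it.
local IFS=','
local requested
for requested in $with_services; do
  case ",forgejo,woodpecker-server,woodpecker-agent," in
    *",${requested},"*) ;;
    *) echo "Error: unknown --with service: ${requested}" >&2; exit 1 ;;
  esac
done
# … unchanged: local IFS=' ' and the interleaved seed/deploy loop …
```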
@@ -973,43 +960,27 @@ _disinto_init_nomad() {
 sudo -n -- env "VAULT_ADDR=$vault_addr" "$seed_script" || exit $?
 fi
 fi
- done
- fi
- # Deploy services if requested
- if [ -n "$with_services" ]; then
- echo ""
- echo "── Deploying services ─────────────────────────────────"
-
- # Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
- local DEPLOY_ORDER=""
- for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
- if echo ",$with_services," | grep -q ",$ordered_svc,"; then
- DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
- fi
- done
-
- local -a deploy_cmd=("$deploy_sh")
- local IFS=' '
- for svc in $DEPLOY_ORDER; do
- # Check jobspec exists
+ # Deploy this service
+ echo ""
+ echo "── Deploying ${svc} ───────────────────────────────────────"
 local jobspec_path="${FACTORY_ROOT}/nomad/jobs/${svc}.hcl"
 if [ ! -f "$jobspec_path" ]; then
 echo "Error: jobspec not found: ${jobspec_path}" >&2
 exit 1
 fi
- deploy_cmd+=("$svc")
- done
- if [ "$(id -u)" -eq 0 ]; then
- "${deploy_cmd[@]}" || exit $?
- else
- if ! command -v sudo >/dev/null 2>&1; then
- echo "Error: deploy.sh must run as root and sudo is not installed" >&2
- exit 1
+ local -a deploy_cmd=("$deploy_sh" "$svc")
+ if [ "$(id -u)" -eq 0 ]; then
+ "${deploy_cmd[@]}" || exit $?
+ else
+ if ! command -v sudo >/dev/null 2>&1; then
+ echo "Error: deploy.sh must run as root and sudo is not installed" >&2
+ exit 1
+ fi
+ sudo -n -- "${deploy_cmd[@]}" || exit $?
 fi
- sudo -n -- "${deploy_cmd[@]}" || exit $?
- fi
+ done
 # Print final summary
 echo ""
diff --git a/lib/init/nomad/wp-oauth-register.sh b/lib/init/nomad/wp-oauth-register.sh
index 6d2a4cd..8076482 100755
--- a/lib/init/nomad/wp-oauth-register.sh
+++ b/lib/init/nomad/wp-oauth-register.sh
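Review bot: The jobspec existence check now runs inside the per-service loop, so a missing `nomad/jobs/woodpecker-agent.hcl` is only detected after forgejo and woodpecker-server have already been seeded and deployed, leaving a half-deployed cluster; the removed code validated every jobspec before deploying anything. A pre-flight pass over `$DEPLOY_ORDER` before the first seed restores fail-fast: `for svc in $DEPLOY_ORDER; do [ -f "${FACTORY_ROOT}/nomad/jobs/${svc}.hcl" ] || { echo "Error: jobspec not found: ${FACTORY_ROOT}/nomad/jobs/${svc}.hcl" >&2; exit 1; }; done`. Separately, the interleaving relies on forgejo being reachable by the time `vault-seed-woodpecker.sh` runs, but nothing in this loop waits for the deployed job to become healthy; unless `$deploy_sh` blocks until the allocation is serving (not visible in this hunk), the OAuth registration can race the rollout and should poll the service or retry before giving up. `_disinto_init_nomad` continues past the end of this hunk.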
@@ -43,7 +43,7 @@ set -euo pipefail
 # Source the hvault module for Vault helpers
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
 # shellcheck source=../../../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"
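Review bot: The corrected `REPO_ROOT` is only as good as the directory depth it assumes (`lib/init/nomad/` → three levels up), and the subject line says this is the second fix for the same line, so a self-check right after the assignment would make the next relocation of the script fail with a clear message instead of a bare `source` error: `[ -r "${REPO_ROOT}/lib/hvault.sh" ] || { echo "Error: lib/hvault.sh not found under ${REPO_ROOT}" >&2; exit 1; }`. The `# shellcheck source=../../../lib/hvault.sh` directive on the following line now agrees with the runtime path, which is the cross-check worth keeping in sync. Under `set -euo pipefail` a failing `cd` inside the substitution already aborts, but its message names only the directory, not what was being looked for.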