fix: [nomad-step-3] S3-fix-2 — wp-oauth REPO_ROOT still wrong + seed/deploy must interleave (#948)

2026-04-17 08:24:00 +00:00 · 2026-04-17 08:24:00 +00:00 · 8fb173763c
commit 8fb173763c
parent c829d7781b
2 changed files with 31 additions and 60 deletions
--- a/bin/disinto
+++ b/bin/disinto
@ -923,42 +923,29 @@ _disinto_init_nomad() {
    echo "[import] no --import-env/--import-sops — skipping; set them or seed kv/disinto/* manually before deploying secret-dependent services"
  fi
-  # Seed Vault for services that ship their own seeder (S2.6, #928).
+  # Interleaved seed/deploy per service (S2.6, #928, #948).
-  # Convention: tools/vault-seed-<svc>.sh — auto-invoked when --with <svc>
+  # We interleave seed + deploy per service (not batch all seeds then all deploys)
-  # is requested. Runs AFTER vault-import so that real imported values
+  # so that OAuth-dependent services can reach their dependencies during seeding.
-  # win over generated seeds when both are present; each seeder is
+  # E.g., seed-forgejo → deploy-forgejo → seed-woodpecker (OAuth can now reach
-  # idempotent on a per-key basis (see vault-seed-forgejo.sh's
+  # running forgejo) → deploy-woodpecker.
  # "missing → generate, present → unchanged" contract), so re-running
  # init does not rotate existing keys. Services without a seeder are
  # silently skipped — keeps this loop forward-compatible with Step 3+
  # services that may ship their own seeder without touching bin/disinto.
  #
  # VAULT_ADDR is passed explicitly because cluster-up.sh writes the
  # profile.d export *during* this same init run, so the current shell
  # hasn't sourced it yet; sibling vault-* scripts (engines/policies/
  # auth/import) default VAULT_ADDR internally via _hvault_default_env,
  # but vault-seed-forgejo.sh requires the caller to set it.
  #
  # The non-root branch invokes the seeder as `sudo -n -- env VAR=val
  # script` rather than `sudo -n VAR=val -- script`: sudo treats bare
  # `VAR=val` args as sudoers env-assignments, which the default
  # `env_reset=on` policy silently discards unless the variable is in
  # `env_keep` (VAULT_ADDR is not). Using `env` as the actual command
  # sets VAULT_ADDR in the child process regardless of sudoers policy.
  if [ -n "$with_services" ]; then
    local vault_addr="${VAULT_ADDR:-http://127.0.0.1:8200}"
-    local _seed_seen=""
+
-    local IFS=','
+    # Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
-    for svc in $with_services; do
+    local DEPLOY_ORDER=""
-      svc=$(echo "$svc" | xargs)  # trim whitespace
+    for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
-      # Map sub-services to parent seed name (S3.4)
+      if echo ",$with_services," | grep -q ",$ordered_svc,"; then
        DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
      fi
    done
    local IFS=' '
    for svc in $DEPLOY_ORDER; do
      # Seed this service (if seed script exists)
      local seed_name="$svc"
      case "$svc" in
        woodpecker-server|woodpecker-agent) seed_name="woodpecker" ;;
      esac
      # Deduplicate
      if echo ",$_seed_seen," | grep -q ",$seed_name,"; then continue; fi
      _seed_seen="${_seed_seen:+${_seed_seen},}${seed_name}"
      local seed_script="${FACTORY_ROOT}/tools/vault-seed-${seed_name}.sh"
      if [ -x "$seed_script" ]; then
        echo ""
@ -973,43 +960,27 @@ _disinto_init_nomad() {
          sudo -n -- env "VAULT_ADDR=$vault_addr" "$seed_script" || exit $?
        fi
      fi
    done
  fi
-  # Deploy services if requested
+      # Deploy this service
-  if [ -n "$with_services" ]; then
+      echo ""
-    echo ""
+      echo "── Deploying ${svc} ───────────────────────────────────────"
    echo "── Deploying services ─────────────────────────────────"
    # Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
    local DEPLOY_ORDER=""
    for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
      if echo ",$with_services," | grep -q ",$ordered_svc,"; then
        DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
      fi
    done
    local -a deploy_cmd=("$deploy_sh")
    local IFS=' '
    for svc in $DEPLOY_ORDER; do
      # Check jobspec exists
      local jobspec_path="${FACTORY_ROOT}/nomad/jobs/${svc}.hcl"
      if [ ! -f "$jobspec_path" ]; then
        echo "Error: jobspec not found: ${jobspec_path}" >&2
        exit 1
      fi
      deploy_cmd+=("$svc")
    done
-    if [ "$(id -u)" -eq 0 ]; then
+      local -a deploy_cmd=("$deploy_sh" "$svc")
-      "${deploy_cmd[@]}" || exit $?
+      if [ "$(id -u)" -eq 0 ]; then
-    else
+        "${deploy_cmd[@]}" || exit $?
-      if ! command -v sudo >/dev/null 2>&1; then
+      else
-        echo "Error: deploy.sh must run as root and sudo is not installed" >&2
+        if ! command -v sudo >/dev/null 2>&1; then
-        exit 1
+          echo "Error: deploy.sh must run as root and sudo is not installed" >&2
          exit 1
        fi
        sudo -n -- "${deploy_cmd[@]}" || exit $?
      fi
-      sudo -n -- "${deploy_cmd[@]}" || exit $?
+    done
    fi
    # Print final summary
    echo ""
--- a/lib/init/nomad/wp-oauth-register.sh
+++ b/lib/init/nomad/wp-oauth-register.sh
@ -43,7 +43,7 @@ set -euo pipefail
 # Source the hvault module for Vault helpers
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
 # shellcheck source=../../../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"