fix: [nomad-step-3] S3-fix-2 — wp-oauth REPO_ROOT still wrong + seed/deploy must interleave (#948)

bin/disinto

@@ -923,42 +923,29 @@ _disinto_init_nomad() {
     echo "[import] no --import-env/--import-sops — skipping; set them or seed kv/disinto/* manually before deploying secret-dependent services"
   fi
 
-  # Seed Vault for services that ship their own seeder (S2.6, #928).
-  # Convention: tools/vault-seed-<svc>.sh — auto-invoked when --with <svc>
-  # is requested. Runs AFTER vault-import so that real imported values
-  # win over generated seeds when both are present; each seeder is
-  # idempotent on a per-key basis (see vault-seed-forgejo.sh's
-  # "missing → generate, present → unchanged" contract), so re-running
-  # init does not rotate existing keys. Services without a seeder are
-  # silently skipped — keeps this loop forward-compatible with Step 3+
-  # services that may ship their own seeder without touching bin/disinto.
-  #
-  # VAULT_ADDR is passed explicitly because cluster-up.sh writes the
-  # profile.d export *during* this same init run, so the current shell
-  # hasn't sourced it yet; sibling vault-* scripts (engines/policies/
-  # auth/import) default VAULT_ADDR internally via _hvault_default_env,
-  # but vault-seed-forgejo.sh requires the caller to set it.
-  #
-  # The non-root branch invokes the seeder as `sudo -n -- env VAR=val
-  # script` rather than `sudo -n VAR=val -- script`: sudo treats bare
-  # `VAR=val` args as sudoers env-assignments, which the default
-  # `env_reset=on` policy silently discards unless the variable is in
-  # `env_keep` (VAULT_ADDR is not). Using `env` as the actual command
-  # sets VAULT_ADDR in the child process regardless of sudoers policy.
+  # Interleaved seed/deploy per service (S2.6, #928, #948).
+  # We interleave seed + deploy per service (not batch all seeds then all deploys)
+  # so that OAuth-dependent services can reach their dependencies during seeding.
+  # E.g., seed-forgejo → deploy-forgejo → seed-woodpecker (OAuth can now reach
+  # running forgejo) → deploy-woodpecker.
   if [ -n "$with_services" ]; then
     local vault_addr="${VAULT_ADDR:-http://127.0.0.1:8200}"
-    local _seed_seen=""
-    local IFS=','
-    for svc in $with_services; do
-      svc=$(echo "$svc" | xargs)  # trim whitespace
-      # Map sub-services to parent seed name (S3.4)
+
+    # Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
+    local DEPLOY_ORDER=""
+    for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
+      if echo ",$with_services," | grep -q ",$ordered_svc,"; then
+        DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
+      fi
+    done
+
+    local IFS=' '
+    for svc in $DEPLOY_ORDER; do
+      # Seed this service (if seed script exists)
       local seed_name="$svc"
       case "$svc" in
         woodpecker-server|woodpecker-agent) seed_name="woodpecker" ;;
       esac
-      # Deduplicate
-      if echo ",$_seed_seen," | grep -q ",$seed_name,"; then continue; fi
-      _seed_seen="${_seed_seen:+${_seed_seen},}${seed_name}"
       local seed_script="${FACTORY_ROOT}/tools/vault-seed-${seed_name}.sh"
       if [ -x "$seed_script" ]; then
         echo ""
@@ -973,43 +960,27 @@ _disinto_init_nomad() {
           sudo -n -- env "VAULT_ADDR=$vault_addr" "$seed_script" || exit $?
         fi
       fi
-    done
-  fi
 
-  # Deploy services if requested
-  if [ -n "$with_services" ]; then
-    echo ""
-    echo "── Deploying services ─────────────────────────────────"
-
-    # Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
-    local DEPLOY_ORDER=""
-    for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
-      if echo ",$with_services," | grep -q ",$ordered_svc,"; then
-        DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
-      fi
-    done
-
-    local -a deploy_cmd=("$deploy_sh")
-    local IFS=' '
-    for svc in $DEPLOY_ORDER; do
-      # Check jobspec exists
+      # Deploy this service
+      echo ""
+      echo "── Deploying ${svc} ───────────────────────────────────────"
       local jobspec_path="${FACTORY_ROOT}/nomad/jobs/${svc}.hcl"
       if [ ! -f "$jobspec_path" ]; then
         echo "Error: jobspec not found: ${jobspec_path}" >&2
         exit 1
       fi
-      deploy_cmd+=("$svc")
-    done
 
-    if [ "$(id -u)" -eq 0 ]; then
-      "${deploy_cmd[@]}" || exit $?
-    else
-      if ! command -v sudo >/dev/null 2>&1; then
-        echo "Error: deploy.sh must run as root and sudo is not installed" >&2
-        exit 1
+      local -a deploy_cmd=("$deploy_sh" "$svc")
+      if [ "$(id -u)" -eq 0 ]; then
+        "${deploy_cmd[@]}" || exit $?
+      else
+        if ! command -v sudo >/dev/null 2>&1; then
+          echo "Error: deploy.sh must run as root and sudo is not installed" >&2
+          exit 1
+        fi
+        sudo -n -- "${deploy_cmd[@]}" || exit $?
       fi
-      sudo -n -- "${deploy_cmd[@]}" || exit $?
-    fi
+    done
 
     # Print final summary
     echo ""

lib/init/nomad/wp-oauth-register.sh

@@ -43,7 +43,7 @@ set -euo pipefail
 
 # Source the hvault module for Vault helpers
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
 # shellcheck source=../../../lib/hvault.sh
 source "${REPO_ROOT}/lib/hvault.sh"