fix: [nomad-step-0] S0.4 — disinto init --backend=nomad --empty orchestrator (cluster-up) (#824)

Wires S0.1–S0.3 into a single idempotent bring-up script and replaces
the S0.1 stub in _disinto_init_nomad so `disinto init --backend=nomad
--empty` produces a running empty single-node cluster on a fresh box.

lib/init/nomad/cluster-up.sh (new):
  1. install.sh                (nomad + vault binaries)
  2. systemd-nomad.sh          (unit + enable, not started)
  3. systemd-vault.sh          (unit + vault.hcl + enable)
  4. host-volume dirs under /srv/disinto/* (matching nomad/client.hcl)
  5. /etc/nomad.d/{server,client}.hcl (content-compare before write)
  6. vault-init.sh             (first-run init + unseal + persist keys)
  7. systemctl start vault     (poll until unsealed; fail-fast on
                                is-failed)
  8. systemctl start nomad     (poll until ≥1 node ready)
  9. /etc/profile.d/disinto-nomad.sh (VAULT_ADDR + NOMAD_ADDR for
                                      interactive shells)
  Re-running on a healthy box is a no-op — each sub-step is itself
  idempotent and steps 7/8 fast-path when already active + healthy.
  `--dry-run` prints the full step list and exits 0.

bin/disinto:
  - _disinto_init_nomad: replaces the S0.1 stub. Invokes cluster-up.sh
    directly (as root) or via `sudo -n` otherwise. Both `--empty` and
    the default (no flag) call cluster-up.sh today; Step 1 will branch
    on $empty to gate job deployment. --dry-run forwards through.
  - disinto_init: adds `--empty` flag parsing; rejects `--empty`
    combined with `--backend=docker` explicitly instead of silently
    ignoring it.
  - usage: documents `--empty` and drops the "stub, S0.1" annotation
    from --backend.

Closes #824.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

lib/init/nomad/cluster-up.sh

@@ -0,0 +1,337 @@
+#!/usr/bin/env bash
+# =============================================================================
+# lib/init/nomad/cluster-up.sh — Empty Nomad+Vault cluster orchestrator (S0.4)
+#
+# Wires together the S0.1–S0.3 building blocks into one idempotent
+# "bring up a single-node Nomad+Vault cluster" script:
+#
+#   1. install.sh                  (nomad + vault binaries)
+#   2. systemd-nomad.sh            (nomad.service — unit + enable, not started)
+#   3. systemd-vault.sh            (vault.service — unit + vault.hcl + enable)
+#   4. Host-volume dirs            (/srv/disinto/* matching nomad/client.hcl)
+#   5. /etc/nomad.d/*.hcl          (server.hcl + client.hcl from repo)
+#   6. vault-init.sh               (first-run init + unseal + persist keys)
+#   7. systemctl start vault       (auto-unseal via ExecStartPost; poll)
+#   8. systemctl start nomad       (poll until ≥1 ready node)
+#   9. /etc/profile.d/disinto-nomad.sh  (VAULT_ADDR + NOMAD_ADDR for shells)
+#
+# This is the "empty cluster" orchestrator — no jobs deployed. Subsequent
+# Step-1 issues layer job deployment on top of this checkpoint.
+#
+# Idempotency contract:
+#   Running twice back-to-back on a healthy box is a no-op. Each sub-step
+#   is itself idempotent — see install.sh / systemd-*.sh / vault-init.sh
+#   headers for the per-step contract. Fast-paths in steps 7 and 8 skip
+#   the systemctl start when the service is already active + healthy.
+#
+# Usage:
+#   sudo lib/init/nomad/cluster-up.sh            # bring cluster up
+#   sudo lib/init/nomad/cluster-up.sh --dry-run  # print step list, exit 0
+#
+# Environment (override polling for slow boxes):
+#   VAULT_POLL_SECS  max seconds to wait for vault to unseal (default: 30)
+#   NOMAD_POLL_SECS  max seconds to wait for nomad node=ready (default: 60)
+#
+# Exit codes:
+#   0  success (cluster up, or already up)
+#   1  precondition or step failure
+# =============================================================================
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
+
+# Sub-scripts (siblings in this directory).
+INSTALL_SH="${SCRIPT_DIR}/install.sh"
+SYSTEMD_NOMAD_SH="${SCRIPT_DIR}/systemd-nomad.sh"
+SYSTEMD_VAULT_SH="${SCRIPT_DIR}/systemd-vault.sh"
+VAULT_INIT_SH="${SCRIPT_DIR}/vault-init.sh"
+
+# In-repo Nomad configs copied to /etc/nomad.d/.
+NOMAD_CONFIG_DIR="/etc/nomad.d"
+NOMAD_SERVER_HCL_SRC="${REPO_ROOT}/nomad/server.hcl"
+NOMAD_CLIENT_HCL_SRC="${REPO_ROOT}/nomad/client.hcl"
+
+# /etc/profile.d entry — makes VAULT_ADDR + NOMAD_ADDR available to
+# interactive shells without requiring the operator to source anything.
+PROFILE_D_FILE="/etc/profile.d/disinto-nomad.sh"
+
+# Host-volume paths — MUST match the `host_volume "..."` declarations
+# in nomad/client.hcl. Adding a host_volume block there requires adding
+# its path here so the dir exists before nomad starts (otherwise client
+# fingerprinting fails and the node stays in "initializing").
+HOST_VOLUME_DIRS=(
+  "/srv/disinto/forgejo-data"
+  "/srv/disinto/woodpecker-data"
+  "/srv/disinto/agent-data"
+  "/srv/disinto/project-repos"
+  "/srv/disinto/caddy-data"
+  "/srv/disinto/chat-history"
+  "/srv/disinto/ops-repo"
+)
+
+# Default API addresses — matches the listener bindings in
+# nomad/server.hcl and nomad/vault.hcl. If either file ever moves
+# off 127.0.0.1 / default port, update both places together.
+VAULT_ADDR_DEFAULT="http://127.0.0.1:8200"
+NOMAD_ADDR_DEFAULT="http://127.0.0.1:4646"
+
+VAULT_POLL_SECS="${VAULT_POLL_SECS:-30}"
+NOMAD_POLL_SECS="${NOMAD_POLL_SECS:-60}"
+
+log() { printf '[cluster-up] %s\n' "$*"; }
+die() { printf '[cluster-up] ERROR: %s\n' "$*" >&2; exit 1; }
+
+# ── Flag parsing ─────────────────────────────────────────────────────────────
+dry_run=false
+while [ $# -gt 0 ]; do
+  case "$1" in
+    --dry-run) dry_run=true; shift ;;
+    -h|--help)
+      cat <<EOF
+Usage: sudo $(basename "$0") [--dry-run]
+
+Brings up an empty single-node Nomad+Vault cluster (idempotent).
+
+  --dry-run   Print the step list without performing any action.
+EOF
+      exit 0
+      ;;
+    *) die "unknown flag: $1" ;;
+  esac
+done
+
+# ── Dry-run: print step list + exit ──────────────────────────────────────────
+if [ "$dry_run" = true ]; then
+  cat <<EOF
+[dry-run] Step 1/9: install nomad + vault binaries
+  → sudo ${INSTALL_SH}
+
+[dry-run] Step 2/9: write + enable nomad.service (NOT started)
+  → sudo ${SYSTEMD_NOMAD_SH}
+
+[dry-run] Step 3/9: write + enable vault.service + vault.hcl (NOT started)
+  → sudo ${SYSTEMD_VAULT_SH}
+
+[dry-run] Step 4/9: create host-volume dirs under /srv/disinto/
+EOF
+  for d in "${HOST_VOLUME_DIRS[@]}"; do
+    printf '  → install -d -m 0755 %s\n' "$d"
+  done
+  cat <<EOF
+
+[dry-run] Step 5/9: install /etc/nomad.d/server.hcl + client.hcl from repo
+  → ${NOMAD_SERVER_HCL_SRC} → ${NOMAD_CONFIG_DIR}/server.hcl
+  → ${NOMAD_CLIENT_HCL_SRC} → ${NOMAD_CONFIG_DIR}/client.hcl
+
+[dry-run] Step 6/9: first-run vault init + persist unseal.key + root.token
+  → sudo ${VAULT_INIT_SH}
+
+[dry-run] Step 7/9: systemctl start vault + poll until unsealed (≤${VAULT_POLL_SECS}s)
+
+[dry-run] Step 8/9: systemctl start nomad + poll until ≥1 node ready (≤${NOMAD_POLL_SECS}s)
+
+[dry-run] Step 9/9: write ${PROFILE_D_FILE}
+  → export VAULT_ADDR=${VAULT_ADDR_DEFAULT}
+  → export NOMAD_ADDR=${NOMAD_ADDR_DEFAULT}
+
+Dry run complete — no changes made.
+EOF
+  exit 0
+fi
+
+# ── Preconditions ────────────────────────────────────────────────────────────
+if [ "$(id -u)" -ne 0 ]; then
+  die "must run as root (spawns install/systemd/vault-init sub-scripts)"
+fi
+
+command -v systemctl >/dev/null 2>&1 \
+  || die "systemctl not found (systemd required)"
+
+for f in "$INSTALL_SH" "$SYSTEMD_NOMAD_SH" "$SYSTEMD_VAULT_SH" "$VAULT_INIT_SH"; do
+  [ -x "$f" ] || die "sub-script missing or non-executable: ${f}"
+done
+
+[ -f "$NOMAD_SERVER_HCL_SRC" ] \
+  || die "source config not found: ${NOMAD_SERVER_HCL_SRC}"
+[ -f "$NOMAD_CLIENT_HCL_SRC" ] \
+  || die "source config not found: ${NOMAD_CLIENT_HCL_SRC}"
+
+# ── Helpers ──────────────────────────────────────────────────────────────────
+
+# install_file_if_differs SRC DST MODE
+#   Copy SRC to DST (root:root with MODE) iff on-disk content differs.
+#   No-op + log otherwise — preserves mtime, avoids spurious reloads.
+install_file_if_differs() {
+  local src="$1" dst="$2" mode="$3"
+  if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
+    log "unchanged: ${dst}"
+    return 0
+  fi
+  log "writing: ${dst}"
+  install -m "$mode" -o root -g root "$src" "$dst"
+}
+
+# vault_status_json — echo `vault status -format=json`, or '' on unreachable.
+#   vault status exit codes: 0 = unsealed, 2 = sealed/uninit, 1 = unreachable.
+#   We treat all of 0/2 as "reachable with state"; 1 yields empty output.
+#   Wrapped in `|| true` so set -e doesn't abort on exit 2 (the expected
+#   sealed-state case during first-boot polling).
+vault_status_json() {
+  VAULT_ADDR="$VAULT_ADDR_DEFAULT" vault status -format=json 2>/dev/null || true
+}
+
+# vault_is_unsealed — true iff vault reachable AND initialized AND unsealed.
+vault_is_unsealed() {
+  local out init sealed
+  out="$(vault_status_json)"
+  [ -n "$out" ] || return 1
+  init="$(printf '%s' "$out" | jq -r '.initialized' 2>/dev/null)" || init=""
+  sealed="$(printf '%s' "$out" | jq -r '.sealed' 2>/dev/null)" || sealed=""
+  [ "$init" = "true" ] && [ "$sealed" = "false" ]
+}
+
+# nomad_ready_count — echo the number of ready nodes, or 0 on error.
+#   `nomad node status -json` returns a JSON array of nodes, each with a
+#   .Status field ("initializing" | "ready" | "down" | "disconnected").
+nomad_ready_count() {
+  local out
+  out="$(NOMAD_ADDR="$NOMAD_ADDR_DEFAULT" nomad node status -json 2>/dev/null || true)"
+  if [ -z "$out" ]; then
+    printf '0'
+    return 0
+  fi
+  printf '%s' "$out" \
+    | jq '[.[] | select(.Status == "ready")] | length' 2>/dev/null \
+    || printf '0'
+}
+
+# ── Step 1/9: install.sh (nomad + vault binaries) ────────────────────────────
+log "── Step 1/9: install nomad + vault binaries ──"
+"$INSTALL_SH"
+
+# ── Step 2/9: systemd-nomad.sh (unit + enable, not started) ──────────────────
+log "── Step 2/9: install nomad.service (enable, not start) ──"
+"$SYSTEMD_NOMAD_SH"
+
+# ── Step 3/9: systemd-vault.sh (unit + vault.hcl + enable) ───────────────────
+log "── Step 3/9: install vault.service + vault.hcl (enable, not start) ──"
+"$SYSTEMD_VAULT_SH"
+
+# ── Step 4/9: host-volume dirs matching nomad/client.hcl ─────────────────────
+log "── Step 4/9: host-volume dirs under /srv/disinto/ ──"
+# Parent /srv/disinto/ first (install -d handles missing parents, but being
+# explicit makes the log output read naturally as a top-down creation).
+install -d -m 0755 -o root -g root "/srv/disinto"
+for d in "${HOST_VOLUME_DIRS[@]}"; do
+  if [ -d "$d" ]; then
+    log "unchanged: ${d}"
+  else
+    log "creating: ${d}"
+    install -d -m 0755 -o root -g root "$d"
+  fi
+done
+
+# ── Step 5/9: /etc/nomad.d/server.hcl + client.hcl ───────────────────────────
+log "── Step 5/9: install /etc/nomad.d/{server,client}.hcl ──"
+# systemd-nomad.sh already created /etc/nomad.d/. Re-assert for clarity +
+# in case someone runs cluster-up.sh with an exotic step ordering later.
+install -d -m 0755 -o root -g root "$NOMAD_CONFIG_DIR"
+install_file_if_differs "$NOMAD_SERVER_HCL_SRC" "${NOMAD_CONFIG_DIR}/server.hcl" 0644
+install_file_if_differs "$NOMAD_CLIENT_HCL_SRC" "${NOMAD_CONFIG_DIR}/client.hcl" 0644
+
+# ── Step 6/9: vault-init (first-run init + unseal + persist keys) ────────────
+log "── Step 6/9: vault-init (no-op after first run) ──"
+# vault-init.sh spawns a temporary vault server if systemd isn't managing
+# one, runs `operator init`, writes unseal.key + root.token, unseals once,
+# then stops the temp server (EXIT trap). After it returns, port 8200 is
+# free for systemctl-managed vault to take in step 7.
+"$VAULT_INIT_SH"
+
+# ── Step 7/9: systemctl start vault + poll until unsealed ────────────────────
+log "── Step 7/9: start vault + poll until unsealed ──"
+if systemctl is-active --quiet vault && vault_is_unsealed; then
+  log "vault already active + unsealed — skip start"
+else
+  systemctl start vault
+  ready=0
+  for i in $(seq 1 "$VAULT_POLL_SECS"); do
+    # Fail fast if systemd has already marked the unit as failed — usually
+    # ExecStartPost tripping because unseal.key is absent / corrupted.
+    if systemctl is-failed --quiet vault; then
+      log "vault.service entered failed state — systemctl status follows:"
+      systemctl --no-pager --full status vault >&2 || true
+      die "vault.service failed to start"
+    fi
+    if vault_is_unsealed; then
+      log "vault unsealed after ${i}s"
+      ready=1
+      break
+    fi
+    sleep 1
+  done
+  if [ "$ready" -ne 1 ]; then
+    log "vault did not unseal within ${VAULT_POLL_SECS}s — status follows:"
+    systemctl --no-pager --full status vault >&2 || true
+    die "vault failed to become unsealed"
+  fi
+fi
+
+# ── Step 8/9: systemctl start nomad + poll until ≥1 node ready ───────────────
+log "── Step 8/9: start nomad + poll until ≥1 node ready ──"
+if systemctl is-active --quiet nomad && [ "$(nomad_ready_count)" -ge 1 ]; then
+  log "nomad already active + ≥1 node ready — skip start"
+else
+  systemctl start nomad
+  ready=0
+  for i in $(seq 1 "$NOMAD_POLL_SECS"); do
+    if systemctl is-failed --quiet nomad; then
+      log "nomad.service entered failed state — systemctl status follows:"
+      systemctl --no-pager --full status nomad >&2 || true
+      die "nomad.service failed to start"
+    fi
+    if [ "$(nomad_ready_count)" -ge 1 ]; then
+      log "nomad has ready node after ${i}s"
+      ready=1
+      break
+    fi
+    sleep 1
+  done
+  if [ "$ready" -ne 1 ]; then
+    log "nomad had no ready nodes within ${NOMAD_POLL_SECS}s — status follows:"
+    systemctl --no-pager --full status nomad >&2 || true
+    die "nomad failed to reach ≥1 ready node"
+  fi
+fi
+
+# ── Step 9/9: /etc/profile.d/disinto-nomad.sh ────────────────────────────────
+log "── Step 9/9: write ${PROFILE_D_FILE} ──"
+# Shell rc fragments in /etc/profile.d/ are sourced by /etc/profile for
+# every interactive login shell. Setting VAULT_ADDR + NOMAD_ADDR here means
+# the operator can run `vault status` / `nomad node status` straight after
+# `ssh factory-box` without fumbling env vars.
+desired_profile="# /etc/profile.d/disinto-nomad.sh — written by lib/init/nomad/cluster-up.sh
+# Interactive-shell defaults for Vault + Nomad clients on this box.
+export VAULT_ADDR=${VAULT_ADDR_DEFAULT}
+export NOMAD_ADDR=${NOMAD_ADDR_DEFAULT}
+"
+if [ -f "$PROFILE_D_FILE" ] \
+   && printf '%s' "$desired_profile" | cmp -s - "$PROFILE_D_FILE"; then
+  log "unchanged: ${PROFILE_D_FILE}"
+else
+  log "writing: ${PROFILE_D_FILE}"
+  # Subshell + EXIT trap: guarantees the tempfile is cleaned up on both
+  # success AND set-e-induced failure of `install`. A function-scoped
+  # RETURN trap does NOT fire on errexit-abort in bash — the subshell is
+  # the reliable cleanup boundary here.
+  (
+    tmp="$(mktemp)"
+    trap 'rm -f "$tmp"' EXIT
+    printf '%s' "$desired_profile" > "$tmp"
+    install -m 0644 -o root -g root "$tmp" "$PROFILE_D_FILE"
+  )
+fi
+
+log "── done: empty nomad+vault cluster is up ──"
+log "   Vault:  ${VAULT_ADDR_DEFAULT}  (Sealed=false Initialized=true)"
+log "   Nomad:  ${NOMAD_ADDR_DEFAULT}  (≥1 node ready)"