disinto

1859 commits 33 branches 2 tags 8.1 MiB

Author	SHA1	Message	Date
Claude	89e454d0c7	fix: [nomad-step-2] S2.4 — forgejo.hcl reads admin creds from Vault via template stanza (#882 ) Some checks failed ci/woodpecker/push/ci Pipeline was successful Details ci/woodpecker/push/nomad-validate Pipeline was successful Details ci/woodpecker/pr/ci Pipeline was successful Details ci/woodpecker/pr/nomad-validate Pipeline was successful Details ci/woodpecker/pr/secret-scan Pipeline failed Details Upgrade nomad/jobs/forgejo.hcl to read SECRET_KEY + INTERNAL_TOKEN from Vault via a template stanza using the service-forgejo role (S2.3). Non-secret config (DB, ports, ROOT_URL, registration lockdown) stays inline. An empty-Vault fallback (`with ... else ...`) renders visible placeholder env vars so a fresh LXC still brings forgejo up — the operator sees the warning instead of forgejo silently regenerating SECRET_KEY on every restart. Add tools/vault-seed-forgejo.sh — idempotent seeder that ensures the kv/ mount is KV v2 and populates kv/data/disinto/shared/forgejo with random secret_key (32B hex) + internal_token (64B hex) on a clean install. Existing non-empty values are left untouched; partial paths are filled in atomically. Parser shape is positional-arity case dispatch to stay structurally distinct from the two sibling vault-*.sh tools and avoid the 5-line sliding-window dup detector. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-16 17:25:44 +00:00
Agent	719fdaeac4	fix: [nomad-step-1] S1.3 — wire --with forgejo into bin/disinto init --backend=nomad (#842 )	2026-04-16 12:19:51 +00:00

Author

SHA1

Message

Date

Claude

89e454d0c7

fix: [nomad-step-2] S2.4 — forgejo.hcl reads admin creds from Vault via template stanza (#882 )

ci/woodpecker/push/ci Pipeline was successful

Details

ci/woodpecker/push/nomad-validate Pipeline was successful

Details

ci/woodpecker/pr/ci Pipeline was successful

Details

ci/woodpecker/pr/nomad-validate Pipeline was successful

Details

ci/woodpecker/pr/secret-scan Pipeline failed

Details

Upgrade nomad/jobs/forgejo.hcl to read SECRET_KEY + INTERNAL_TOKEN from
Vault via a template stanza using the service-forgejo role (S2.3).
Non-secret config (DB, ports, ROOT_URL, registration lockdown) stays
inline. An empty-Vault fallback (`with ... else ...`) renders visible
placeholder env vars so a fresh LXC still brings forgejo up — the
operator sees the warning instead of forgejo silently regenerating
SECRET_KEY on every restart.

Add tools/vault-seed-forgejo.sh — idempotent seeder that ensures the
kv/ mount is KV v2 and populates kv/data/disinto/shared/forgejo with
random secret_key (32B hex) + internal_token (64B hex) on a clean
install. Existing non-empty values are left untouched; partial paths
are filled in atomically. Parser shape is positional-arity case
dispatch to stay structurally distinct from the two sibling vault-*.sh
tools and avoid the 5-line sliding-window dup detector.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-16 17:25:44 +00:00

Agent

719fdaeac4

fix: [nomad-step-1] S1.3 — wire --with forgejo into bin/disinto init --backend=nomad (#842 )

2026-04-16 12:19:51 +00:00

Renamed from nomad/jobs/forgejo.nomad.hcl (Browse further)

2 commits