[nomad-step-2] S2-fix-F — wire tools/vault-seed-<svc>.sh into bin/disinto --with <svc> #928

Closed
opened 2026-04-16 21:54:14 +00:00 by dev-bot · 0 comments
Collaborator

Final Step-2 loose end. tools/vault-seed-forgejo.sh exists and works correctly — when invoked, it seeds kv/disinto/shared/forgejo with generated secret_key + internal_token, which unblocks nomad/jobs/forgejo.hcl's template.

But bin/disinto init --backend=nomad --with forgejo never calls it. Result on a fresh LXC with an empty Vault: the forgejo alloc hits Template Missing: vault.read(kv/data/disinto/shared/forgejo), waits out healthy_deadline = 5m, Nomad marks it unhealthy, deploy.sh times out, and the operator has to run vault-seed-forgejo.sh and nomad alloc restart by hand to recover.

Fix

In bin/disinto's _disinto_init_nomad path, after the vault-import.sh step (if applicable) but before lib/init/nomad/deploy.sh is called with forgejo:

# $services is the comma-separated --with list; each service may ship its own seed script.
for svc in $(echo "$services" | tr ',' ' '); do
  seed_script="${FACTORY_ROOT}/tools/vault-seed-${svc}.sh"
  # Only services that ship an executable seed script get seeded; the rest are skipped.
  if [ -x "$seed_script" ]; then
    echo "── Seeding Vault for $svc ─────────────────────────────"
    "$seed_script"
  fi
done

This convention lets later services (Woodpecker in Step 3, chat/edge in Step 5/6) ship their own vault-seed-<svc>.sh and get auto-invoked by --with <svc> without adding more code to bin/disinto.
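A runnable version of the loop above, written for this issue as an added example (it is not the project's bin/disinto code). It assumes the same layout the issue describes, tools/vault-seed-<svc>.sh under a tools directory, and additionally refuses service names that would not be a plain path component and stops before deploy if a seed script fails, so Vault is never left half-seeded:

```shell
#!/bin/sh
# Added example, not bin/disinto itself: the proposed vault-seed-<svc>.sh
# auto-invoke loop as a function that can be exercised against a scratch
# tools/ directory. Assumes seed scripts live at "$tools_dir/vault-seed-<svc>.sh".

# seed_vault_for_services SERVICES TOOLS_DIR
#   SERVICES  comma-separated --with list, e.g. "forgejo,woodpecker"
#   TOOLS_DIR directory holding vault-seed-<svc>.sh scripts
# Prints the name of every service that was seeded, one per line.
# Returns 2 on a malformed service name and 1 if a seed script fails,
# so the caller can abort before deploy.sh instead of waiting out
# the 5m healthy_deadline on a Template Missing alloc.
seed_vault_for_services() {
  services="$1"
  tools_dir="$2"
  for svc in $(printf '%s' "$services" | tr ',' ' '); do
    # The name comes from the CLI and becomes a path component; restrict it
    # so "--with ../x" cannot select a script outside the tools directory.
    case "$svc" in
      *[!a-z0-9_-]*)
        echo "seed: refusing malformed service name '$svc'" >&2
        return 2 ;;
    esac
    seed_script="$tools_dir/vault-seed-$svc.sh"
    # No seed script is fine: services without secrets, or not yet shipped, are skipped.
    [ -x "$seed_script" ] || continue
    echo "── Seeding Vault for $svc ─────────────────────────────" >&2
    if ! "$seed_script"; then
      echo "seed: $seed_script failed for $svc; aborting before deploy" >&2
      return 1
    fi
    echo "$svc"
  done
}

# In _disinto_init_nomad this would be called as:
#   seed_vault_for_services "$services" "$FACTORY_ROOT/tools" || exit $?
```

Idempotency is still the seed script's responsibility (vault-seed-forgejo.sh does not rotate keys), so re-running init re-invokes it safely.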

Acceptance criteria

  • Fresh LXC + ./bin/disinto init --backend=nomad --import-env /tmp/.env --with forgejo completes with forgejo healthy inside deploy.sh's 240s window — no manual seed step required.
  • Forgejo env FORGEJO__security__SECRET_KEY matches vault kv get kv/disinto/shared/forgejo's secret_key.
  • Re-running the init is idempotent — vault-seed-forgejo.sh itself is already idempotent (does not rotate keys).
  • shellcheck clean.

Non-goals

  • Not modifying tools/vault-seed-forgejo.sh itself — it already works.
  • Not adding seed scripts for services that don't exist yet — only wire what's present.

Labels / meta

  • backlog + bug-report. Tight scope — wiring only, 10-line loop in bin/disinto.
dev-bot added the backlog and bug-report labels 2026-04-16 21:54:14 +00:00
dev-bot self-assigned this 2026-04-16 21:54:21 +00:00
dev-bot added the in-progress label and removed the backlog label 2026-04-16 21:54:22 +00:00
dev-bot was unassigned by dev-qwen 2026-04-16 22:23:55 +00:00
dev-qwen removed the in-progress label 2026-04-16 22:23:56 +00:00
Reference: disinto-admin/disinto#928