[nomad-step-3] S3-fix-2 — wp-oauth REPO_ROOT still wrong + seed/deploy must interleave #948

Closed
opened 2026-04-17 08:18:45 +00:00 by dev-bot · 0 comments
Collaborator

Two bugs block Step 3 end-to-end. Found during wipe+verify on fresh LXC.

Bug 1 — wp-oauth-register.sh REPO_ROOT still wrong (line 46)

PR #945 fixed the shellcheck directive comment (line 47) but NOT the runtime variable:

```bash
# line 46 — WRONG: goes 2 levels up from lib/init/nomad/ → lands in lib/
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
# line 48 — then this resolves to lib/lib/hvault.sh
source "${REPO_ROOT}/lib/hvault.sh"
```

Fix line 46: `REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"` (3 levels up: nomad → init → lib → repo root).

One line change. Exact location: lib/init/nomad/wp-oauth-register.sh:46.

Bug 2 — seed/deploy ordering: all seeds run before any deploy

`bin/disinto`'s `_disinto_init_nomad` runs the seed loop for ALL services before calling `deploy.sh`. But `vault-seed-woodpecker.sh` step 3 calls `wp-oauth-register.sh` which needs a running Forgejo to register the OAuth app. At seed time, forgejo hasn't been deployed yet → OAuth silently fails → `forgejo_client` + `forgejo_secret` never written to KV → woodpecker-server template blocks on `Missing: vault.read(kv/data/disinto/shared/woodpecker)`.

Fix: interleave seed + deploy per service, not batch all seeds then batch all deploys:

```bash
for svc in $DEPLOY_ORDER; do
  # Skip services not in --with list
  [[ " $services " != *" $svc "* ]] && continue
  # Seed this service (if seed script exists)
  seed_script="${FACTORY_ROOT}/tools/vault-seed-${svc}.sh"
  [ -x "$seed_script" ] && "$seed_script"
  # Deploy this service
  deploy_single "$svc"
done
```

This way: seed-forgejo → deploy-forgejo (now running) → seed-woodpecker (OAuth can reach forgejo) → deploy-woodpecker.

Location: bin/disinto in _disinto_init_nomad, the section between vault-import and the deploy call. Currently there are two separate loops (seed loop + deploy call); merge into one interleaved loop.

Acceptance criteria

  • Fresh LXC + disinto init --backend=nomad --import-env /tmp/.env --with forgejo,woodpecker completes with:
    • No lib/lib/hvault.sh errors
    • OAuth app registered in Forgejo
    • woodpecker-server healthy at :8000
    • woodpecker-agent visible in WP UI
  • Re-running is idempotent.
  • shellcheck clean.

Labels / meta

  • backlog + bug-report. Two focused fixes, same PR.
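
The path arithmetic behind Bug 1, reproduced on a throwaway directory tree. This is an added example, not code from the disinto repository; `make_tree` and `resolve_repo_root` are hypothetical helper names, and the guard on `lib/hvault.sh` is one possible way to make a wrong `REPO_ROOT` fail before the `source` line.

```shell
#!/bin/sh
# Constructed layout: a temp tree that mirrors lib/init/nomad/ from the issue.
make_tree() {
  root="$(mktemp -d)"
  mkdir -p "$root/lib/init/nomad"
  : > "$root/lib/hvault.sh"          # empty stand-in for the real library
  echo "$root"
}

# Resolve a candidate repo root and refuse it unless lib/hvault.sh is there.
# $1 = directory of the script, $2 = relative climb such as ../..
resolve_repo_root() {
  candidate="$(cd "$1/$2" && pwd -P)" || return 1
  if [ ! -f "$candidate/lib/hvault.sh" ]; then
    # With ../.. the candidate is <root>/lib, so this names lib/lib/hvault.sh
    echo "REPO_ROOT=$candidate has no lib/hvault.sh" >&2
    return 1
  fi
  echo "$candidate"
}

tree="$(make_tree)"
script_dir="$tree/lib/init/nomad"
resolve_repo_root "$script_dir" ../..    || echo "two levels up: rejected"
resolve_repo_root "$script_dir" ../../.. && echo "three levels up: accepted"
rm -rf "$tree"
```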
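
The ordering problem from Bug 2 as a constructed simulation, added here and not taken from `bin/disinto`. The stubs `seed_stub` and `deploy_stub` and the runners `run_batch` and `run_interleaved` are hypothetical names standing in for the seed scripts and `deploy_single`; the woodpecker seed returns non-zero when Forgejo is not running, so the missing KV keys surface as a failure instead of passing silently.

```shell
#!/bin/sh
# Constructed simulation: no Nomad, Vault or Forgejo is contacted.
DEPLOY_ORDER="forgejo woodpecker"

reset_state() { RUNNING=" "; KV_WRITTEN=" "; TRACE=""; }

deploy_stub() {                 # marks a service as running
  RUNNING="${RUNNING}$1 "
  TRACE="${TRACE}deploy-$1 "
}

seed_stub() {                   # woodpecker's seed needs Forgejo up for OAuth
  TRACE="${TRACE}seed-$1 "
  if [ "$1" = woodpecker ]; then
    case "$RUNNING" in
      *" forgejo "*) KV_WRITTEN="${KV_WRITTEN}forgejo_client forgejo_secret " ;;
      *) return 1 ;;            # report the failure rather than skip OAuth
    esac
  fi
  return 0
}

run_batch() {                   # behaviour described in the issue: seeds first
  reset_state; rc=0
  for svc in $DEPLOY_ORDER; do seed_stub "$svc" || rc=1; done
  for svc in $DEPLOY_ORDER; do deploy_stub "$svc"; done
  return "$rc"
}

run_interleaved() {             # proposed fix: seed then deploy, per service
  reset_state
  for svc in $DEPLOY_ORDER; do
    seed_stub "$svc" || return 1
    deploy_stub "$svc"
  done
}

run_batch || echo "batch: woodpecker seed failed, KV keys:[$KV_WRITTEN]"
run_interleaved && echo "interleaved: $TRACE"
```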
dev-bot added the backlog, bug-report labels 2026-04-17 08:18:45 +00:00
dev-qwen2 self-assigned this 2026-04-17 08:19:15 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-17 08:19:15 +00:00
dev-qwen2 was unassigned by dev-qwen 2026-04-17 08:38:57 +00:00
dev-qwen removed the in-progress label 2026-04-17 08:38:57 +00:00
Reference: disinto-admin/disinto#948