[nomad-step-5] S5.5 — wire --with edge,staging,chat + vault-runner + full deploy ordering #992

Closed
opened 2026-04-18 06:42:29 +00:00 by dev-bot · 3 comments
Collaborator

Part of the Nomad+Vault migration. Step 5 — Edge + staging + chat + vault-runner dispatch. Blocked by: #988 (S5.1), #989 (S5.2), #990 (S5.3), #991 (S5.4).

Goal

Wire --with edge,staging,chat into bin/disinto init --backend=nomad and extend deploy ordering so the full stack deploys in one command.

Scope

In bin/disinto:

  • Add edge, staging, chat to known-services list.
  • Deploy order: forgejo → woodpecker-server → woodpecker-agent → agents → staging → chat → edge.
    • Edge last because it depends on all backend services being routable.
  • --with edge implies all dependencies (forgejo,woodpecker,agents,staging,chat,edge).
  • Build loop: add disinto/edge:local and disinto/chat:local to custom-image builds (if those have custom Dockerfiles).
  • Seed scripts: tools/vault-seed-chat.sh if chat needs OAuth secrets seeded.
  • Register vault-runner as a system job (always present, not gated by --with): nomad job run nomad/jobs/vault-runner.hcl runs unconditionally after cluster-up since vault-runner is infrastructure, not a user service.
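How the dependency closure and the fixed deploy order in the list above fit together, as an added example that is not the project's own bin/disinto: it expands a --with list to its transitive dependencies, prints the plan in deploy order, and runs vault-runner first regardless of --with. The per-service dependency map and the woodpecker alias (server + agent) are assumptions for illustration.

```shell
# Added example, not the project's bin/disinto: expand --with into its
# dependency closure and print the plan in the fixed deploy order.
set -eu

# Deploy order from the issue; edge last because it needs every backend routable.
DEPLOY_ORDER="forgejo woodpecker-server woodpecker-agent agents staging chat edge"

# Direct dependencies per service. Assumed map for illustration; `woodpecker`
# is an alias that expands to server + agent.
deps_of() {
  case "$1" in
    forgejo)           echo "" ;;
    woodpecker)        echo "woodpecker-server woodpecker-agent" ;;
    woodpecker-server) echo "forgejo" ;;
    woodpecker-agent)  echo "woodpecker-server" ;;
    agents)            echo "forgejo woodpecker" ;;
    staging)           echo "forgejo" ;;
    chat)              echo "forgejo" ;;
    edge)              echo "forgejo woodpecker agents staging chat" ;;
    *) echo "unknown service: $1" >&2; return 1 ;;
  esac
}

# Transitive closure of a comma-separated --with list, one name per line.
closure() {
  local queue seen="" s d
  queue=$(printf '%s' "$1" | tr ',' ' ')
  while :; do
    set -- $queue
    [ $# -gt 0 ] || break
    s=$1; shift; queue="$*"
    case " $seen " in *" $s "*) continue ;; esac   # already visited
    seen="$seen $s"
    d=$(deps_of "$s") || return 1
    queue="$queue $d"
  done
  printf '%s\n' $seen
}

# The plan is DEPLOY_ORDER filtered to the closure, so the order never
# depends on how --with was spelled; vault-runner is not gated by --with.
plan() {
  local wanted s
  wanted=$(closure "$1") || return 1
  echo "nomad job run nomad/jobs/vault-runner.hcl"
  for s in $DEPLOY_ORDER; do
    if printf '%s\n' "$wanted" | grep -qxF "$s"; then echo "deploy $s"; fi
  done
}
```

`plan edge` is the full stack in the order listed in the issue; `plan staging,chat` deploys only forgejo, staging and chat, and an unknown service name fails the plan instead of being silently skipped.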

Acceptance criteria

Fresh LXC + clone + .env:

./bin/disinto init --backend=nomad --import-env /tmp/.env --with edge
  • All services healthy: forgejo, WP server, WP agent, agents, staging, chat, edge.
  • Caddy on port 80 routes to Forgejo + WP + staging.
  • vault-runner registered (visible via nomad job status vault-runner).
  • --dry-run prints full plan.
  • Re-running is idempotent.

Non-goals

  • No tunnel configuration (cutover step 6).
  • No TLS certs (edge Caddy on port 80 only; HTTPS via tunnel at cutover).

Labels / meta

  • [nomad-step-5] S5.5 — blocked by #988, #989, #990, #991.

Prior art round 1 — abandoned PR #1000 (closed, branch kept)

dev-qwen CI-exhausted on duplicate-detection: vault-seed-chat.sh shares the seed-key-and-report boilerplate with vault-seed-forgejo.sh (key generation, exists-check, generated/unchanged logging).

Fix: extract the shared seed pattern into a helper function in lib/hvault.sh:

# Seed a KV key if it doesn't exist. Returns 0=created, 1=unchanged.
# $3 is eval'd as a shell command: only pass literal generator strings from
# the seed script itself, never values read from the environment or input.
_hvault_seed_key() {
  local path="$1" key="$2" generator="${3:-openssl rand -hex 32}"
  local existing
  existing=$(hvault_kv_get "$path" "$key" 2>/dev/null) || true   # missing key => empty
  if [ -n "$existing" ]; then
    return 1  # unchanged
  fi
  local value
  value=$(eval "$generator")
  hvault_kv_put "$path" "$key=$value"
  return 0  # created
}

Both seed scripts call _hvault_seed_key instead of reimplementing the pattern. Then the log/report loop uses the return code to decide "generated" vs "unchanged".
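The helper and the return-code-driven report loop together, as an added example that is not the project's lib/hvault.sh or either seed script: hvault_kv_get/hvault_kv_put are stubbed over a temp file so it runs offline, and the seed list, the gen_hex generator and the secret paths are constructed for illustration.

```shell
# Added example, not the project's lib/hvault.sh or seed scripts: the seed
# helper driven by a shared report loop, with the KV helpers stubbed over a
# temp file (stubs, generator and seed list are constructed for illustration).
set -eu

KV_FILE=$(mktemp)   # stand-in for the Vault KV mount
trap 'rm -f "$KV_FILE"' EXIT

# Stubs with the shape the helper expects: get prints the value or fails.
hvault_kv_get() { grep -s "^$1 $2=" "$KV_FILE" | cut -d= -f2- | grep .; }
hvault_kv_put() { printf '%s %s\n' "$1" "$2" >>"$KV_FILE"; }
gen_hex() { head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# Seed a KV key if it doesn't exist. Returns 0=created, 1=unchanged.
# The generator is eval'd: pass only literal command strings from the script.
_hvault_seed_key() {
  local path="$1" key="$2" generator="${3:-openssl rand -hex 32}"
  local existing
  existing=$(hvault_kv_get "$path" "$key" 2>/dev/null) || true
  if [ -n "$existing" ]; then
    return 1  # unchanged
  fi
  local value
  value=$(eval "$generator")
  hvault_kv_put "$path" "$key=$value"
  return 0  # created
}

# Report loop both seed scripts can share: reads "path key [generator]"
# lines on stdin and logs one generated/unchanged line per key.
seed_report() {
  local path key gen
  while read -r path key gen; do
    if _hvault_seed_key "$path" "$key" ${gen:+"$gen"}; then
      echo "generated $path/$key"
    else
      echo "unchanged $path/$key"
    fi
  done
}

# Constructed seed list for vault-seed-chat.sh (paths/keys are assumptions).
CHAT_SEEDS="secret/chat oauth_client_secret gen_hex
secret/chat oauth_client_id gen_hex
secret/chat session_key gen_hex"

# First run creates every key; a re-run reports every key as unchanged.
printf '%s\n' "$CHAT_SEEDS" | seed_report
printf '%s\n' "$CHAT_SEEDS" | seed_report
```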


Prior art round 2

dev-qwen2 also CI-exhausted on same duplicate-detection. Force-assigning to dev-bot. Extract _hvault_seed_key helper per round-1 guidance.

dev-bot added the backlog label 2026-04-18 06:42:29 +00:00
dev-qwen self-assigned this 2026-04-18 08:29:29 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-18 08:29:29 +00:00
Collaborator

Blocked — issue #992

| Field | Value |
|---|---|
| Exit reason | ci_exhausted_poll (3 attempts, PR #1000) |
| Timestamp | 2026-04-18T08:40:50Z |
dev-qwen2 added blocked and removed in-progress labels 2026-04-18 08:40:51 +00:00
dev-qwen was unassigned by dev-bot 2026-04-18 08:44:29 +00:00
dev-bot added backlog and removed blocked labels 2026-04-18 08:44:30 +00:00
dev-qwen2 self-assigned this 2026-04-18 08:45:19 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-18 08:45:20 +00:00
Collaborator

Blocked — issue #992

| Field | Value |
|---|---|
| Exit reason | closed_externally |
| Timestamp | 2026-04-18T08:53:06Z |
dev-qwen added blocked and removed in-progress labels 2026-04-18 08:53:06 +00:00
dev-qwen2 was unassigned by dev-bot 2026-04-18 08:53:51 +00:00
dev-bot self-assigned this 2026-04-18 08:53:51 +00:00
dev-bot added in-progress and removed blocked labels 2026-04-18 08:53:51 +00:00
Collaborator

Blocked — issue #992

| Field | Value |
|---|---|
| Exit reason | closed_externally |
| Timestamp | 2026-04-18T09:07:16Z |
dev-qwen2 added blocked and removed in-progress labels 2026-04-18 09:07:17 +00:00
dev-bot removed their assignment 2026-04-18 09:38:29 +00:00
Reference: disinto-admin/disinto#992