disinto-admin/disinto
1
0
Fork 0
Code Issues 17 Pull requests 1 Projects Releases Packages Wiki Activity Actions

fix: [nomad-step-3] S3-fix-2 — wp-oauth REPO_ROOT still wrong + seed/deploy must interleave (#948) #949

Merged
dev-qwen merged 1 commit from fix/issue-948 into main 2026-04-17 08:38:57 +00:00
Conversation 2 Commits 1 Files changed 2 +31 -60
2 changed files with 31 additions and 60 deletions
Download patch file Download diff file Expand all files Collapse all files

71
bin/disinto
View file

@ -923,42 +923,29 @@ _disinto_init_nomad() {
echo "[import] no --import-env/--import-sops — skipping; set them or seed kv/disinto/* manually before deploying secret-dependent services" echo "[import] no --import-env/--import-sops — skipping; set them or seed kv/disinto/* manually before deploying secret-dependent services"
fi fi
# Seed Vault for services that ship their own seeder (S2.6, #928). # Interleaved seed/deploy per service (S2.6, #928, #948).
# Convention: tools/vault-seed-<svc>.sh — auto-invoked when --with <svc> # We interleave seed + deploy per service (not batch all seeds then all deploys)
# is requested. Runs AFTER vault-import so that real imported values # so that OAuth-dependent services can reach their dependencies during seeding.
# win over generated seeds when both are present; each seeder is # E.g., seed-forgejo → deploy-forgejo → seed-woodpecker (OAuth can now reach
# idempotent on a per-key basis (see vault-seed-forgejo.sh's # running forgejo) → deploy-woodpecker.
# "missing → generate, present → unchanged" contract), so re-running
# init does not rotate existing keys. Services without a seeder are
# silently skipped — keeps this loop forward-compatible with Step 3+
# services that may ship their own seeder without touching bin/disinto.
#
# VAULT_ADDR is passed explicitly because cluster-up.sh writes the
# profile.d export *during* this same init run, so the current shell
# hasn't sourced it yet; sibling vault-* scripts (engines/policies/
# auth/import) default VAULT_ADDR internally via _hvault_default_env,
# but vault-seed-forgejo.sh requires the caller to set it.
#
# The non-root branch invokes the seeder as `sudo -n -- env VAR=val
# script` rather than `sudo -n VAR=val -- script`: sudo treats bare
# `VAR=val` args as sudoers env-assignments, which the default
# `env_reset=on` policy silently discards unless the variable is in
# `env_keep` (VAULT_ADDR is not). Using `env` as the actual command
# sets VAULT_ADDR in the child process regardless of sudoers policy.
if [ -n "$with_services" ]; then if [ -n "$with_services" ]; then
local vault_addr="${VAULT_ADDR:-http://127.0.0.1:8200}" local vault_addr="${VAULT_ADDR:-http://127.0.0.1:8200}"
local _seed_seen=""
local IFS=',' # Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
for svc in $with_services; do local DEPLOY_ORDER=""
svc=$(echo "$svc" | xargs) # trim whitespace for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
# Map sub-services to parent seed name (S3.4) if echo ",$with_services," | grep -q ",$ordered_svc,"; then
DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
fi
done
local IFS=' '
for svc in $DEPLOY_ORDER; do
# Seed this service (if seed script exists)
local seed_name="$svc" local seed_name="$svc"
case "$svc" in case "$svc" in
woodpecker-server|woodpecker-agent) seed_name="woodpecker" ;; woodpecker-server|woodpecker-agent) seed_name="woodpecker" ;;
esac esac
# Deduplicate
if echo ",$_seed_seen," | grep -q ",$seed_name,"; then continue; fi
_seed_seen="${_seed_seen:+${_seed_seen},}${seed_name}"
local seed_script="${FACTORY_ROOT}/tools/vault-seed-${seed_name}.sh" local seed_script="${FACTORY_ROOT}/tools/vault-seed-${seed_name}.sh"
if [ -x "$seed_script" ]; then if [ -x "$seed_script" ]; then
echo "" echo ""
@ -973,34 +960,17 @@ _disinto_init_nomad() {
sudo -n -- env "VAULT_ADDR=$vault_addr" "$seed_script" || exit $? sudo -n -- env "VAULT_ADDR=$vault_addr" "$seed_script" || exit $?
fi fi
fi fi
done
fi
# Deploy services if requested # Deploy this service
if [ -n "$with_services" ]; then
echo "" echo ""
echo "── Deploying services ─────────────────────────────────" echo "── Deploying ${svc} ───────────────────────────────────────"
# Build ordered deploy list (S3.4): forgejo → woodpecker-server → woodpecker-agent
local DEPLOY_ORDER=""
for ordered_svc in forgejo woodpecker-server woodpecker-agent; do
if echo ",$with_services," | grep -q ",$ordered_svc,"; then
DEPLOY_ORDER="${DEPLOY_ORDER:+${DEPLOY_ORDER} }${ordered_svc}"
fi
done
local -a deploy_cmd=("$deploy_sh")
local IFS=' '
for svc in $DEPLOY_ORDER; do
# Check jobspec exists
local jobspec_path="${FACTORY_ROOT}/nomad/jobs/${svc}.hcl" local jobspec_path="${FACTORY_ROOT}/nomad/jobs/${svc}.hcl"
if [ ! -f "$jobspec_path" ]; then if [ ! -f "$jobspec_path" ]; then
echo "Error: jobspec not found: ${jobspec_path}" >&2 echo "Error: jobspec not found: ${jobspec_path}" >&2
exit 1 exit 1
fi fi
deploy_cmd+=("$svc")
done
local -a deploy_cmd=("$deploy_sh" "$svc")
if [ "$(id -u)" -eq 0 ]; then if [ "$(id -u)" -eq 0 ]; then
"${deploy_cmd[@]}" || exit $? "${deploy_cmd[@]}" || exit $?
else else
@ -1010,6 +980,7 @@ _disinto_init_nomad() {
fi fi
sudo -n -- "${deploy_cmd[@]}" || exit $? sudo -n -- "${deploy_cmd[@]}" || exit $?
fi fi
done
# Print final summary # Print final summary
echo "" echo ""

2
lib/init/nomad/wp-oauth-register.sh
View file

@ -43,7 +43,7 @@ set -euo pipefail
# Source the hvault module for Vault helpers # Source the hvault module for Vault helpers
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)" REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
# shellcheck source=../../../lib/hvault.sh # shellcheck source=../../../lib/hvault.sh
source "${REPO_ROOT}/lib/hvault.sh" source "${REPO_ROOT}/lib/hvault.sh"