disinto/lib/init/nomad
Claude 0b994d5d6f
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912)
Post-Step-2 verification on a fresh LXC uncovered 4 stacked bugs blocking
the `disinto init --backend=nomad --import-env ... --with forgejo` hero
command. Root cause is #1; #2-#4 surface as the operator walks past each.

1. kv/ secret engine never enabled — every policy, role, import write,
   and template read references kv/disinto/* and 403s without the mount.
   Adds lib/init/nomad/vault-engines.sh (idempotent POST sys/mounts/kv)
   wired into `_disinto_init_nomad` before vault-apply-policies.sh.

2. VAULT_ADDR/VAULT_TOKEN not exported in the init process. Extracts the
   5-line default-and-resolve block into `_hvault_default_env` in
   lib/hvault.sh and sources it from vault-engines.sh, vault-nomad-auth.sh,
   vault-apply-policies.sh, vault-apply-roles.sh, and vault-import.sh. One
   definition, zero copies — avoids the 5-line sliding-window duplicate
   gate that failed PRs #917/#918.

3. vault-import.sh required --sops; spec (#880) says --env alone must
   succeed. Flag validation now: --sops requires --age-key, --age-key
   requires --sops, --env alone imports only the plaintext half.

4. forgejo.hcl template blocks forever when kv/disinto/shared/forgejo is
   absent or missing a key. Adds `error_on_missing_key = false` so the
   existing `with ... else ...` fallback emits placeholders instead of
   hanging on template-pending.

vault-engines.sh parser uses a while/shift shape distinct from
vault-apply-policies.sh (flat case) and vault-apply-roles.sh (if/elif
ladder) so the three sibling flag parsers hash differently under the
repo-wide duplicate detector.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-16 21:10:59 +00:00
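The flag rule from item 3 above (--sops requires --age-key, --age-key requires --sops, --env alone succeeds), written out as an added example that is not disinto's own vault-import.sh; the function name validate_import_flags, the mode names it prints, and the assumption that --env is always required are illustrative choices, not taken from the project.

```shell
# Added example, not code from disinto's vault-import.sh: encodes the flag
# rule described in item 3 of the commit message. validate_import_flags,
# the mode names it prints, and the "--env is always required" check are
# assumptions for illustration.
#
# Usage: validate_import_flags --env FILE [--sops FILE --age-key FILE]
# Prints "plaintext-only" or "plaintext+encrypted" on stdout and returns 0;
# on a bad combination prints a reason to stderr and returns 2.
validate_import_flags() {
  vif_env='' vif_sops='' vif_age=''
  while [ $# -gt 0 ]; do
    case "$1" in
      --env|--sops|--age-key)
        # value flags need an argument that is not itself another flag
        if [ $# -lt 2 ] || [ -z "$2" ] || [ "${2#--}" != "$2" ]; then
          echo "error: $1 requires a value" >&2; return 2
        fi
        case "$1" in
          --env)     vif_env="$2" ;;
          --sops)    vif_sops="$2" ;;
          --age-key) vif_age="$2" ;;
        esac
        shift 2 ;;
      --env=*)     vif_env="${1#--env=}";     shift ;;
      --sops=*)    vif_sops="${1#--sops=}";   shift ;;
      --age-key=*) vif_age="${1#--age-key=}"; shift ;;
      *) echo "error: unknown flag: $1" >&2; return 2 ;;
    esac
  done
  # --sops and --age-key are a pair: one without the other is a usage error
  if [ -n "$vif_sops" ] && [ -z "$vif_age" ]; then
    echo "error: --sops requires --age-key" >&2; return 2
  fi
  if [ -n "$vif_age" ] && [ -z "$vif_sops" ]; then
    echo "error: --age-key requires --sops" >&2; return 2
  fi
  # assumption: the plaintext half (--env) is the base input of every import
  if [ -z "$vif_env" ]; then
    echo "error: --env is required" >&2; return 2
  fi
  if [ -n "$vif_sops" ]; then
    echo "plaintext+encrypted"   # both halves will be imported
  else
    echo "plaintext-only"        # --env alone is valid, per spec #880
  fi
  return 0
}
```

Source the file and call validate_import_flags with the flags of an import run; a non-zero return with the reason on stderr is the condition the old --sops-required check used to raise for the --env-only case.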
cluster-up.sh fix: [nomad-step-0] S0.2-fix — install.sh must also install docker daemon (block step 1 placement) (#871) 2026-04-16 14:05:24 +00:00
deploy.sh fix: [nomad-step-1] deploy.sh-fix — correct jq selectors for deployment status; add deployment ID retry 2026-04-16 15:43:07 +00:00
install.sh fix: [nomad-step-0] S0.2-fix — install.sh must also install docker daemon (block step 1 placement) (#871) 2026-04-16 14:05:24 +00:00
lib-systemd.sh fix: [nomad-step-0] S0.3 — install vault + systemd auto-unseal + vault-init.sh (dev-persisted seal) (#823) 2026-04-16 06:53:27 +00:00
systemd-nomad.sh fix: [nomad-step-0] S0.3 — install vault + systemd auto-unseal + vault-init.sh (dev-persisted seal) (#823) 2026-04-16 06:53:27 +00:00
systemd-vault.sh fix: [nomad-step-0] S0.3 — install vault + systemd auto-unseal + vault-init.sh (dev-persisted seal) (#823) 2026-04-16 06:53:27 +00:00
vault-engines.sh fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912) 2026-04-16 21:10:59 +00:00
vault-init.sh fix: [nomad-step-0] S0.3 — install vault + systemd auto-unseal + vault-init.sh (dev-persisted seal) (#823) 2026-04-16 06:53:27 +00:00
vault-nomad-auth.sh fix: [nomad-step-2] S2-fix — 4 bugs block Step 2 verification: kv/ mount missing, VAULT_ADDR, --sops required, template fallback (#912) 2026-04-16 21:10:59 +00:00