senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/infra/ansible/playbooks/bootstrap_runner.yml

303 lines
12 KiB
YAML
Raw Normal View History

refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
# bootstrap_runner.yml — one-time setup of the deploy pipeline's
# infrastructure on the Incus host. Runs BEFORE haproxy.yml /
# deploy_data.yml / deploy_app.yml the first time, then idempotent
# on every subsequent run.
#
# Phases (each idempotent, each guarded by a state check) :
# 1. Incus profiles (veza-app, veza-data ; drop legacy veza-net)
# 2. forgejo-runner has Incus socket + nesting + incus binary
# 3. forgejo-runner registered with the `incus` label
#
# Required extra-vars (passed by the wrapping bootstrap script) :
# forgejo_registration_token short-lived runner registration token
# (fetched from Forgejo API by the wrapper)
# forgejo_api_url full URL to the Forgejo instance
# (used inside the runner container)
#
# Usage from the operator's laptop :
# ansible-playbook -i inventory/staging.yml playbooks/bootstrap_runner.yml \
# --ask-become-pass \
# --vault-password-file .vault-pass \
# -e forgejo_registration_token=$TOKEN \
# -e forgejo_api_url=https://10.0.20.105:3000
#
# Usage directly on the R720 :
# ansible-playbook -i inventory/local.yml playbooks/bootstrap_runner.yml \
# --vault-password-file /etc/talas/vault-pass \
# -e forgejo_registration_token=$TOKEN \
# -e forgejo_api_url=https://10.0.20.105:3000
---
- name: Validate inputs
hosts: incus_hosts
become: true
gather_facts: false
tasks:
- name: Assert required extra-vars
ansible.builtin.assert:
that:
- forgejo_registration_token is defined
- forgejo_registration_token | length > 10
- forgejo_api_url is defined
- forgejo_api_url | length > 0
fail_msg: >-
bootstrap_runner.yml requires forgejo_registration_token
(fetched from $FORGEJO_API/api/v1/repos/$OWNER/$REPO/actions/runners/registration-token)
and forgejo_api_url (e.g. https://10.0.20.105:3000) ;
pass them via -e on the command line.
quiet: true
# =====================================================================
# Phase 1 — Incus profiles
# =====================================================================
- name: Phase 1 — Incus profiles
hosts: incus_hosts
become: true
gather_facts: true
tasks:
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
- name: Detect Incus storage pool actually used by forgejo
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
# Containers need a root disk device that references a storage pool.
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
# The host may have multiple pools, some of which are stale or
# unavailable. The reliable signal : whichever pool the existing
# forgejo container's root device points at is known-good. Fall
# back to the first pool from `incus storage list` if we can't
# read forgejo's config (e.g. fresh host without forgejo yet).
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
ansible.builtin.shell: |
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
forgejo_pool=$(incus config device get forgejo root pool 2>/dev/null \
|| incus config device get forgejo eth0 pool 2>/dev/null \
|| true)
if [ -n "$forgejo_pool" ] && [ "$forgejo_pool" != "None" ]; then
echo "$forgejo_pool"
exit 0
fi
# No forgejo or no pool on its root → expand profile inheritance.
# `incus config show forgejo --expanded` includes inherited devices.
forgejo_pool=$(incus config show forgejo --expanded 2>/dev/null \
| awk '/^ root:/{flag=1} flag && /^ pool:/{print $2; exit}' \
|| true)
if [ -n "$forgejo_pool" ]; then
echo "$forgejo_pool"
exit 0
fi
# Last resort : first pool from `incus storage list`.
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
incus storage list -f csv 2>/dev/null | awk -F, 'NR==1{print $1; exit}'
register: storage_pool
changed_when: false
failed_when: storage_pool.stdout | trim == ""
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
- name: Show detected storage pool
ansible.builtin.debug:
msg: "Storage pool : {{ storage_pool.stdout | trim }}"
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
- name: Ensure veza-{app,data} profiles exist
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
ansible.builtin.command: incus profile create {{ item }}
register: profile_create
failed_when: profile_create.rc != 0 and 'already exists' not in profile_create.stderr
changed_when: profile_create.rc == 0
loop:
- veza-app
- veza-data
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
- name: Ensure each profile's root disk points at pool={{ storage_pool.stdout | trim }}
# If a root device already exists but on the WRONG pool (e.g. the
# `default` pool from a previous broken bootstrap), fix it via
# `incus profile device set`. Else add fresh.
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
ansible.builtin.shell: |
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
POOL="{{ storage_pool.stdout | trim }}"
existing=$(incus profile device get {{ item }} root pool 2>/dev/null || true)
if [ "$existing" = "$POOL" ]; then
echo "root device on $POOL already"
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
exit 0
fi
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
if [ -n "$existing" ]; then
# Device exists with wrong pool — correct it.
incus profile device set {{ item }} root pool "$POOL"
echo "root device repointed to $POOL"
else
incus profile device add {{ item }} root disk path=/ pool="$POOL"
echo "root device added on $POOL"
fi
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
register: profile_root
fix(ansible): detect storage pool from forgejo's root device, not first listed The previous detect picked the first row of `incus storage list -f csv`, which on the user's R720 returned `default` — but `default` is not usable on this server (`Storage pool is unavailable on this server` when launching). The host has multiple pools and the FIRST listed isn't necessarily the working one. New detect strategy (most-reliable first) : 1. `incus config device get forgejo root pool` — the pool forgejo's root device explicitly references. 2. `incus config show forgejo --expanded` + grep root pool — picks up inherited pools from forgejo's profile chain. 3. Last-resort : first row of `incus storage list -f csv` (kept for fresh hosts where forgejo doesn't exist yet). Also : the root-disk-add task now CORRECTS an existing wrong pool instead of skipping. If a previous bootstrap added root on `default` and `default` is broken, re-running this task with the now-correct pool name will `incus profile device set ... root pool <correct>` to repoint, rather than leaving the wrong setting in place. Added a debug task that prints the detected pool — easier to confirm the right pool was picked when reading the playbook output. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:34:50 +00:00
changed_when: "'already' not in profile_root.stdout"
fix(ansible): bootstrap_runner — add root disk to veza-{app,data} profiles `incus launch ... --profile veza-app` failed with : Failed initializing instance: Invalid devices: Failed detecting root disk device: No root device could be found Cause : the profiles were created empty. Incus needs a root disk device referencing a storage pool to actually launch a container ; the `default` profile carries one implicitly but custom profiles need it added explicitly OR the launch must combine `default` + custom profile. Fix : phase 1 of bootstrap_runner.yml now : 1. Detects the first available storage pool (`incus storage list`). 2. After creating each profile, adds a root disk device pointing at that pool : `incus profile device add veza-app root disk path=/ pool=<detected>`. Idempotent : the add-root step is guarded by `incus profile device show veza-app | grep -q '^root:'` ; re-runs are no-ops. Storage pool autodetect picks the first row of `incus storage list` — typically `default`, but accepts custom names (`local`, `data`, etc.) without operator intervention. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:32:00 +00:00
loop:
- veza-app
- veza-data
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
- name: Detect legacy empty veza-net profile
ansible.builtin.command: incus profile show veza-net
register: vnet_show
failed_when: false
changed_when: false
- name: Drop legacy veza-net profile if it exists and has no devices
ansible.builtin.command: incus profile delete veza-net
when:
- vnet_show.rc == 0
- "'devices: {}' in vnet_show.stdout"
changed_when: true
# =====================================================================
# Phase 2 — forgejo-runner gets Incus socket + nesting + binary
# =====================================================================
- name: Phase 2 — forgejo-runner Incus access
hosts: incus_hosts
become: true
gather_facts: false
tasks:
- name: Verify forgejo-runner container exists
ansible.builtin.command: incus info forgejo-runner
register: runner_info
failed_when: runner_info.rc != 0
changed_when: false
- name: Check if incus-socket device is already attached
ansible.builtin.shell: |
incus config device show forgejo-runner | grep -q '^incus-socket:'
register: socket_attached
failed_when: false
changed_when: false
- name: Attach /var/lib/incus/unix.socket as a disk device
ansible.builtin.command: >-
incus config device add forgejo-runner incus-socket disk
source=/var/lib/incus/unix.socket
path=/var/lib/incus/unix.socket
when: socket_attached.rc != 0
register: device_attached
- name: Read current security.nesting setting
ansible.builtin.command: incus config get forgejo-runner security.nesting
register: nesting_val
changed_when: false
- name: Enable security.nesting=true
ansible.builtin.command: incus config set forgejo-runner security.nesting=true
when: nesting_val.stdout | trim != "true"
register: nesting_set
- name: Restart forgejo-runner if device or nesting changed
ansible.builtin.command: incus restart forgejo-runner
when:
- device_attached.changed | default(false) or nesting_set.changed | default(false)
- name: Wait for forgejo-runner to be reachable after restart
ansible.builtin.command: incus exec forgejo-runner -- /bin/true
register: runner_ready
until: runner_ready.rc == 0
retries: 30
delay: 1
changed_when: false
- name: Check whether incus binary is already in the runner
ansible.builtin.command: incus exec forgejo-runner -- test -x /usr/local/bin/incus
register: binary_present
failed_when: false
changed_when: false
- name: Push host's /usr/bin/incus into runner:/usr/local/bin/incus
ansible.builtin.command: >-
incus file push /usr/bin/incus
forgejo-runner/usr/local/bin/incus
--mode 0755
when: binary_present.rc != 0
- name: Smoke-test runner can reach Incus socket
ansible.builtin.command: incus exec forgejo-runner -- /usr/local/bin/incus list
register: smoketest
failed_when: false
changed_when: false
- name: Warn if smoke-test failed (non-fatal — depends on runner user perms)
ansible.builtin.debug:
msg: >-
forgejo-runner cannot list Incus from its default user (rc={{ smoketest.rc }}).
This is OK if the systemd unit runs as root inside the container ;
if not, the runner user needs gid alignment with the host's incus-admin group.
when: smoketest.rc != 0
# =====================================================================
# Phase 3 — forgejo-runner registered with `incus` label
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
#
# Runs on the Incus HOST and reaches the runner container via
# `incus exec forgejo-runner -- ...`. This avoids the
# community.general.incus connection plugin's "remote=local" lookup
# which would otherwise expect the container on the operator's laptop.
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
# =====================================================================
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
- name: Phase 3 — forgejo-runner labels
hosts: incus_hosts
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
become: true
gather_facts: false
tasks:
- name: Locate the runner config file
ansible.builtin.shell: |
for f in /etc/forgejo-runner/.runner /var/lib/forgejo-runner/.runner /opt/forgejo-runner/.runner; do
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
if incus exec forgejo-runner -- test -f "$f" 2>/dev/null; then
echo "$f"
exit 0
fi
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
done
exit 1
register: runner_cfg_path
failed_when: false
changed_when: false
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
- name: Read existing labels (if config file exists)
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
ansible.builtin.shell: |
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
incus exec forgejo-runner -- bash -c "
jq -r '.labels[]?' '{{ runner_cfg_path.stdout }}' 2>/dev/null \
|| grep -oE '\"labels\":\[[^]]+\]' '{{ runner_cfg_path.stdout }}' 2>/dev/null \
|| echo ''
"
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
register: existing_labels
when: runner_cfg_path.rc == 0
changed_when: false
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
failed_when: false
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
- name: Stop here if 'incus' label is already present
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
ansible.builtin.meta: end_play
when:
- runner_cfg_path.rc == 0
- existing_labels.stdout is defined
- "'incus' in existing_labels.stdout"
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
- name: Detect runner binary inside the container
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
ansible.builtin.shell: |
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
incus exec forgejo-runner -- bash -c "
for b in forgejo-runner act_runner; do
command -v \$b >/dev/null 2>&1 && echo \$b && exit 0
done
exit 1
"
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
register: runner_bin
changed_when: false
failed_when: runner_bin.rc != 0
- name: Stop the runner systemd unit
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
ansible.builtin.command: >-
incus exec forgejo-runner -- systemctl stop {{ runner_bin.stdout }}.service
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
register: stop_unit
failed_when: false
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
changed_when: stop_unit.rc == 0
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
- name: Remove old .runner config to force re-registration
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
ansible.builtin.command: >-
incus exec forgejo-runner -- rm -f {{ runner_cfg_path.stdout }}
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
when: runner_cfg_path.rc == 0
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
changed_when: true
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
- name: Re-register runner with --labels incus,self-hosted
ansible.builtin.command: >-
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
incus exec forgejo-runner --
{{ runner_bin.stdout }} register
--no-interactive
--instance {{ forgejo_api_url }}
--token {{ forgejo_registration_token }}
--name r720-incus
--labels incus,self-hosted
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
no_log: true # token is sensitive
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
changed_when: true
refactor(bootstrap): everything via Ansible — no NOPASSWD, no SSH plumbing Rearchitecture after operator pushback : the previous design did too much in bash (SSH-streaming script chunks, manual sudo dance, NOPASSWD requirement). Ansible is the right tool. The shell scripts are now thin orchestrators handling the chicken-and-egg of vault + Forgejo CI provisioning, then calling ansible-playbook. Key principles : 1. NO NOPASSWD sudo on the R720. --ask-become-pass interactive, password held in ansible memory only for the run. 2. Two parallel scripts — one per host, fully self-contained. 3. Both run the SAME Ansible playbooks (bootstrap_runner.yml + haproxy.yml). Difference is the inventory. Files (new + replaced) : ansible.cfg pipelining=True → False. Required for --ask-become-pass to work reliably ; the previous setting raced sudo's prompt and timed out at 12s. playbooks/bootstrap_runner.yml (new) The Incus-host-side bootstrap, ported from the old scripts/bootstrap/bootstrap-remote.sh. Three plays : Phase 1 : ensure veza-app + veza-data profiles exist ; drop legacy empty veza-net profile. Phase 2 : forgejo-runner gets /var/lib/incus/unix.socket attached as a disk device, security.nesting=true, /usr/bin/incus pushed in as /usr/local/bin/incus, smoke-tested. Phase 3 : forgejo-runner registered with `incus,self-hosted` label (idempotent — skips if already labelled). Each task uses Ansible idioms (`incus_profile`, `incus_command` where they exist, `command:` with `failed_when` and explicit state-checking elsewhere). no_log on the registration token. inventory/local.yml (new) Inventory for `bootstrap-r720.sh` — connection: local instead of SSH+become. Same group structure as staging.yml ; container groups use community.general.incus connection plugin (the local incus binary, no remote). inventory/{staging,prod}.yml (modified) Added `forgejo_runner` group (target of bootstrap_runner.yml phase 3, reached via community.general.incus from the host). scripts/bootstrap/bootstrap-local.sh (rewritten) Five phases : preflight, vault, forgejo, ansible, summary. Phase 4 calls a single `ansible-playbook` with both bootstrap_runner.yml + haproxy.yml in sequence. --ask-become-pass : ansible prompts ONCE for sudo, holds in memory, reuses for every become: true task. scripts/bootstrap/bootstrap-r720.sh (new) Symmetric to bootstrap-local.sh but runs as root on the R720. No SSH preflight, no --ask-become-pass (already root). Same Ansible playbooks, inventory/local.yml. scripts/bootstrap/verify-r720.sh (new — replaces verify-remote) Read-only checks of R720 state. Run as root locally on the R720. scripts/bootstrap/verify-local.sh (modified) Cross-host SSH check now fits the env-var-driven SSH_TARGET pattern (R720_USER may be empty if the alias has User=). scripts/bootstrap/{bootstrap-remote.sh, verify-remote.sh, verify-remote-ssh.sh} (DELETED) Replaced by playbooks/bootstrap_runner.yml + verify-r720.sh. README.md (rewritten) Documents the parallel-script architecture, the no-NOPASSWD-sudo design choice (--ask-become-pass), each phase's needs, and a refreshed troubleshooting list. State files unchanged in shape : laptop : .git/talas-bootstrap/local.state R720 : /var/lib/talas/r720-bootstrap.state --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:12:26 +00:00
fix(ansible): bootstrap_runner phase 3 uses incus exec from host (not community.general.incus) Previous play targeted `forgejo_runner` group with `ansible_connection: community.general.incus`. The plugin runs LOCALLY (on whichever host invokes ansible-playbook) and looks up the container in the local incus instance — which on the operator's laptop doesn't have a `forgejo-runner` container. Result : fatal: [forgejo-runner]: UNREACHABLE! "instance not found: forgejo-runner (remote=local, project=default)" Fix : run phase 3 on `incus_hosts` (the R720) and reach into the container via `incus exec forgejo-runner -- <cmd>`. Same shape the working bootstrap-remote.sh used before this commit series. No connection-plugin remoting needed, no `incus remote` config required on the operator's laptop. Side effects : `forgejo_runner` group in inventory/{staging,prod}.yml is now unused but harmless ; left in place for any future task that might want it back. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 13:16:04 +00:00
- name: Start (and enable) the runner systemd unit
ansible.builtin.command: >-
incus exec forgejo-runner -- systemctl enable --now {{ runner_bin.stdout }}.service
changed_when: true
Reference in a new issue Copy permalink