fix(bootstrap): phase 5 auto-detects Incus network from forgejo container

The playbook hardcoded `--network "veza-net"` (matching the group_vars default) but the operator's R720 doesn't have a network with that name — Forgejo lives on whatever managed bridge the host was originally set up with. Result : `incus launch` fails with `Failed loading network "veza-net": Network not found`. Phase 5 now probes : 1. `incus config device get forgejo eth0 network` — the network the existing forgejo container is on. Most reliable. 2. Fallback : first managed bridge from `incus network list`. The detected name is passed to ansible-playbook as `--extra-vars veza_incus_network=<name>`, overriding the group_vars default for this run only (no file changes). If detection fails entirely (no forgejo container, no managed bridge), the playbook falls through to the group_vars default and the failure surface is the same as before — but with a clearer hint mentioning network mismatch. --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-30 14:54:52 +02:00 · 2026-04-30 14:54:52 +02:00 · 7ca9c15514
commit 7ca9c15514
parent f615a50c42
1 changed files with 27 additions and 2 deletions
--- a/scripts/bootstrap/bootstrap-local.sh
+++ b/scripts/bootstrap/bootstrap-local.sh
@ -441,11 +441,36 @@ phase_5_haproxy() {
        become_flag=(--ask-become-pass)
    fi

+    # Detect the Incus network actually present on the R720. The
+    # group_vars default is `veza-net` but the operator's R720 may
+    # already have a different bridge name (e.g. `incusbr0`). Probe
+    # via the existing forgejo container (whose network we know
+    # works) and fall back to `incus network list`.
+    info "detecting Incus network on R720"
+    local detected_net=""
+    detected_net=$(ssh "$ssh_target" \
+        "sudo incus config device get forgejo eth0 network 2>/dev/null" \
+        | tr -d '[:space:]' || true)
+    if [[ -z "$detected_net" || "$detected_net" == "None" ]]; then
+        # Pick the first managed bridge that incus knows about.
+        detected_net=$(ssh "$ssh_target" \
+            "sudo incus network list -f csv 2>/dev/null | awk -F, '\$2==\"bridge\" && \$3==\"YES\" {print \$1; exit}'" \
+            | tr -d '[:space:]' || true)
+    fi
+    local extra_vars=()
+    if [[ -n "$detected_net" ]]; then
+        ok "Incus network detected : $detected_net"
+        extra_vars+=("--extra-vars" "veza_incus_network=$detected_net")
+    else
+        warn "could not auto-detect Incus network ; playbook will use the group_vars default"
+    fi
+
    info "running ansible-playbook playbooks/haproxy.yml (5–10 min)"
    if ! ansible-playbook -i inventory/staging.yml playbooks/haproxy.yml \
            --vault-password-file .vault-pass \
-            "${become_flag[@]}"; then
-        TALAS_HINT="check the ansible output above ; common issues : Incus profile missing, port 80 blocked from Internet, DNS not yet propagated, sudo password rejected"
+            "${become_flag[@]}" \
+            "${extra_vars[@]}"; then
+        TALAS_HINT="check the ansible output above ; common issues : Incus network mismatch, port 80 blocked from Internet, DNS not yet propagated, sudo password rejected"
        die "ansible-playbook haproxy.yml failed"
    fi