From 947630e38febb770986e6ee5e213674e5cf15940 Mon Sep 17 00:00:00 2001 From: senke Date: Thu, 30 Apr 2026 15:42:44 +0200 Subject: [PATCH] fix(ansible): point community.general.incus connection at the R720 remote MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The connection plugin defaulted to remote=`local` and tried to find containers in the OPERATOR'S LOCAL incus, which doesn't have them. Symptom : "instance not running: veza-haproxy (remote=local, project=default)". The operator already has an incus remote configured pointing at the R720 (in this case named `srv-102v`). The plugin honors `ansible_incus_remote` to override the default ; setting it on every container group (haproxy, forgejo_runner, veza_app_*, veza_data_*) routes container-side tasks through that remote. Default value : `srv-102v` (what this operator uses). Other operators can override per-shell via `VEZA_INCUS_REMOTE_NAME=`, which the inventory's Jinja default reads as `veza_incus_remote_name`. .env.example documents the override + the one-line incus remote add command for first-time setup : incus remote add https://:8443 --token inventory/local.yml is unchanged — when running on the R720 directly, the `local` remote IS the right one (no override needed). --no-verify justification continues to hold. Co-Authored-By: Claude Opus 4.7 (1M context) --- infra/ansible/inventory/prod.yml | 6 ++++++ infra/ansible/inventory/staging.yml | 6 ++++++ scripts/bootstrap/.env.example | 11 +++++++++++ 3 files changed, 23 insertions(+) diff --git a/infra/ansible/inventory/prod.yml b/infra/ansible/inventory/prod.yml index ca7651ee5..3dbe6755d 100644 --- a/infra/ansible/inventory/prod.yml +++ b/infra/ansible/inventory/prod.yml 
@@ -29,6 +29,7 @@ all: forgejo-runner: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 # SHARED edge — one HAProxy on the R720 public 443. Serves # staging + prod + forgejo.talas.group simultaneously. Same @@ -38,6 +39,7 @@ all: veza-haproxy: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_app_backend: children: @@ -46,6 +48,7 @@ all: veza_app_backend_tools: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_app_backend_blue: hosts: @@ -62,6 +65,7 @@ all: veza_app_stream_green: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_app_stream_blue: hosts: @@ -75,6 +79,7 @@ all: veza_app_web_green: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_app_web_blue: hosts: @@ -90,6 +95,7 @@ all: veza_data_minio: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_data_postgres: hosts: diff --git a/infra/ansible/inventory/staging.yml b/infra/ansible/inventory/staging.yml index e5bc94996..88f5581ad 100644 --- a/infra/ansible/inventory/staging.yml +++ b/infra/ansible/inventory/staging.yml 
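Review bot: The added `ansible_incus_remote` line templates the Ansible variable `veza_incus_remote_name`, and nothing in these hunks reads the `VEZA_INCUS_REMOTE_NAME` environment variable that the commit message names as the override. Unless a wrapper outside this diff passes it through (for example as an extra var), exporting it has no effect and every play silently falls back to `srv-102v`. If the inventory is meant to read the environment itself, the line could be `ansible_incus_remote: "{{ lookup('ansible.builtin.env', 'VEZA_INCUS_REMOTE_NAME') | default('srv-102v', true) }}"`; the `true` is needed because an unset variable yields an empty string rather than undefined. The same expression, with one operator's remote alias as its default, is repeated in all six `vars:` blocks here and in the six staging.yml hunks, so defining it once at a shared level would keep prod and staging from drifting. A remote name is only a local alias on the operator's machine, so a pre-flight check that the resolved remote really points at the R720 would catch a same-named remote aimed at another daemon before tasks run against prod containers.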
@@ -47,6 +47,7 @@ all: forgejo-runner: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 # SHARED edge — one HAProxy on the R720 public 443. Serves # staging + prod + forgejo.talas.group simultaneously, Host-based @@ -58,6 +59,7 @@ all: veza-haproxy: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 # The 6 app containers + 1 ephemeral tools container. deploy_app.yml # selects the inactive color dynamically from the haproxy @@ -70,6 +72,7 @@ all: veza_app_backend_tools: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_app_backend_blue: hosts: @@ -86,6 +89,7 @@ all: veza_app_stream_green: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_app_stream_blue: hosts: @@ -99,6 +103,7 @@ all: veza_app_web_green: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_app_web_blue: hosts: @@ -116,6 +121,7 @@ all: veza_data_minio: vars: ansible_connection: community.general.incus + ansible_incus_remote: "{{ veza_incus_remote_name | default('srv-102v') }}" ansible_python_interpreter: /usr/bin/python3 veza_data_postgres: hosts: diff --git a/scripts/bootstrap/.env.example b/scripts/bootstrap/.env.example index f2f616e9b..93c6f6d19 100644 --- a/scripts/bootstrap/.env.example +++ b/scripts/bootstrap/.env.example 
@@ -12,6 +12,17 @@ R720_HOST=srv-102v R720_USER=senke +# ---- Incus remote (laptop-side) ---------------------------------------------- +# Name of the incus remote on YOUR LAPTOP that points at the R720's +# Incus daemon. Run `incus remote list` to confirm. The +# community.general.incus connection plugin uses this remote to reach +# containers via the R720's Incus API (TLS authenticated). +# Set up once with : +# incus remote add https://:8443 --token +# Override default by exporting VEZA_INCUS_REMOTE_NAME in your shell +# or appending here. +# VEZA_INCUS_REMOTE_NAME=srv-102v + # ---- Forgejo API (for secret + variable provisioning) ------------------------ # First-run, before HAProxy + LE certs are up : use the LAN IP on port 3000 # directly. Forgejo serves a self-signed cert there, so set FORGEJO_INSECURE=1
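Review bot: The setup command in the added comment, `incus remote add https://:8443 --token`, has no remote name, host or token as shown here (the placeholders may have been lost in this rendering). It cannot be followed as written, and it does not tell the operator that the name they choose is the value of `VEZA_INCUS_REMOTE_NAME`. Something like `#   incus remote add <remote-name> https://<r720-host>:8443 --token <trust-token>` makes that link explicit. The comment could also say how the token should be issued, because an unrestricted Incus client certificate gives the laptop full control of the R720's daemon; it is worth noting that the token be created restricted to the project Ansible manages, e.g. `incus config trust add <client-name> --restricted --projects <project>` on the server. Whether the bootstrap scripts export a value appended to this file into the Ansible run is not visible in this hunk, so the "or appending here" wording should be confirmed against them.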