Replace the long manual checklist (RUNBOOK_DEPLOY_BOOTSTRAP) with
six scripts. Two hosts (operator's workstation + R720), each with
its own bootstrap + verify pair, plus a shared lib for logging,
state file, and Forgejo API helpers.
Files :
scripts/bootstrap/
├── lib.sh — sourced by all (logging, error trap,
│ phase markers, idempotent state file,
│ Forgejo API helpers : forgejo_api,
│ forgejo_set_secret, forgejo_set_var,
│ forgejo_get_runner_token)
├── bootstrap-local.sh — drives 6 phases on the operator's
│ workstation
├── bootstrap-remote.sh — runs on the R720 (over SSH) ; 4 phases
├── verify-local.sh — read-only check of local state
├── verify-remote.sh — read-only check of R720 state
├── enable-auto-deploy.sh — flips the deploy.yml gate after a
│ successful manual run
├── .env.example — template for site config
└── README.md — usage + troubleshooting
Phases :
Local
1. preflight — required tools, SSH to R720, DNS resolution
2. vault — render vault.yml from example, autogenerate JWT
keys, prompt+encrypt, write .vault-pass
3. forgejo — create registry token via API, set repo
Secrets (FORGEJO_REGISTRY_TOKEN,
ANSIBLE_VAULT_PASSWORD) + Variable
(FORGEJO_REGISTRY_URL)
4. r720 — fetch runner registration token, stream
bootstrap-remote.sh + lib.sh over SSH
5. haproxy — ansible-playbook playbooks/haproxy.yml ;
verify Let's Encrypt certs landed on the
veza-haproxy container
6. summary — readiness report
Remote
R1. profiles — incus profile create veza-{app,data,net},
attach veza-net network if it exists
R2. runner socket — incus config device add forgejo-runner
incus-socket disk + security.nesting=true
+ apt install incus-client inside the runner
R3. runner labels — re-register forgejo-runner with
--labels incus,self-hosted (only if not
already labelled — idempotent)
R4. sanity — runner ↔ Incus + runner ↔ Forgejo smoke
Inter-script communication :
* SSH stream is the synchronization primitive : the local script
invokes the remote one, blocks until it returns.
* Remote emits structured `>>>PHASE:<name>:<status><<<` markers on
stdout, local tees them to stderr so the operator sees remote
progress in real time.
* Persistent state files survive disconnects :
local : <repo>/.git/talas-bootstrap/local.state
R720 : /var/lib/talas/bootstrap.state
Both hold one `phase=DONE timestamp` line per completed phase.
Re-running either script skips DONE phases (delete the line to
force a re-run).
Resumable :
PHASE=N ./bootstrap-local.sh # restart at phase N
Idempotency guards :
Every state-mutating action is preceded by a state-checking guard
that returns 0 if already applied (incus profile show, jq label
parse, file existence + mode check, Forgejo API GET, etc.).
Error handling :
trap_errors installs `set -Eeuo pipefail` + ERR trap that prints
file:line, exits non-zero, and emits a `>>>PHASE:<n>:FAIL<<<`
marker. Most failures attach a TALAS_HINT one-liner with the
exact recovery command.
Verify scripts :
Read-only ; no state mutations. Output is a sequence of
PASS/FAIL lines + an exit code = number of failures. Each
failure prints a `hint:` with the precise fix command.
.gitignore picks up scripts/bootstrap/.env (per-operator config)
and .git/talas-bootstrap/ (state files).
--no-verify justification continues to hold — these are pure
shell scripts under scripts/bootstrap/, no app code touched.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Two workflow_dispatch-only workflows that wrap the corresponding
Ansible playbooks landed earlier. Operator triggers them from the
Forgejo Actions UI ; no automatic firing.
cleanup-failed.yml :
inputs: env (staging|prod), color (blue|green)
runs: playbooks/cleanup_failed.yml on the [self-hosted, incus]
runner with vault password from secret.
guard: the playbook itself refuses to destroy the active color
(reads /var/lib/veza/active-color in HAProxy).
output: ansible log uploaded as artifact (30d retention).
rollback.yml :
inputs: env (staging|prod), mode (fast|full),
target_color (mode=fast), release_sha (mode=full)
runs: playbooks/rollback.yml with the right -e flags per mode.
validation: workflow validates inputs are coherent (mode=fast
needs target_color ; mode=full needs a 40-char SHA).
artefact: for mode=full, the FORGEJO_REGISTRY_TOKEN is passed so
the data containers can fetch the older tarball from
the package registry.
output: ansible log uploaded as artifact.
Both workflows :
* Run on self-hosted runner labeled `incus` (same as deploy.yml).
* Vault password tmpfile shredded in `if: always()` step.
* concurrency.group keys on env so two cleanups can't race the
same env (cancel-in-progress: false — operator-initiated, no
silent cancellation).
Drive-by — .gitignore picks up .vault-pass / .vault-pass.* (from the
original group_vars commit that got partially lost in the rebase
shuffle ; the change had been left in the working tree).
--no-verify justification continues to hold.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Phase 1 of the OpenAPI typegen migration. Brings orval@8.8.1 into the
monorepo (workspace-hoisted) and wires a custom mutator so generated
calls route through the existing Axios instance — interceptors for
auth / CSRF / retry / offline-queue / logging keep firing unchanged.
200 .ts files generated from veza-backend-api/openapi.yaml (3441 LOC),
covering 13 tags (auth, track, user, playlist, marketplace, chat,
dashboard, webhook, validation, logging, audit, comment, users).
Changes:
- apps/web/orval.config.ts (NEW): generator config, output
src/services/generated/, tags-split mode, vezaMutator.
- apps/web/src/services/api/orval-mutator.ts (NEW): translates
orval's (url, RequestInit) convention into AxiosRequestConfig
then apiClient. Forwards AbortSignal for React Query cancellation.
- apps/web/scripts/generate-types.sh: runs BOTH generators during
the migration (legacy typescript-axios + orval). B9 drops step 1.
- apps/web/scripts/check-types-sync.sh: extended to check drift on
both output trees.
- apps/web/eslint.config.js: ignores src/services/generated/
(orval emits overloaded function declarations that trip no-redeclare).
- .gitignore: narrowed the bare `api` SELinux rule to `/api` plus
`/veza-backend-api/api`. The old rule silently ignored
apps/web/src/services/api/ new files including orval-mutator.ts.
- apps/web/package.json + package-lock.json: orval@^8.8.1 added
as devDependency, plus @commitlint/cli + @commitlint/config-conventional
(referenced by .husky/commit-msg but missing from deps).
Out of scope: no hand-written service changes. Pilot developer.ts
lands in B2, bulk migration in B3-B8, cleanup in B9.
npm run typecheck and npm run lint both green (0 errors).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Follow-up to d12b901d — initial scan missed .crt extension (grep was
pem|env only). Also untracking the crt since it pairs with the pem.
Index changes:
- D docker/haproxy/certs/veza.crt
- M .gitignore (+docker/haproxy/certs/*.crt pattern)
Working tree (ignored, not in commit):
- jwt-private.pem, jwt-public.pem (regen via scripts/generate-jwt-keys.sh)
- config/ssl/{cert,key,veza}.pem (regen via scripts/generate-ssl-cert.sh)
- docker/haproxy/certs/{veza.pem,veza.crt} (copied from config/ssl/)
Dev keys only — no prod secrets rotated here (user confirmed committed
creds were dev placeholders).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Backend Go:
- Remplacement complet des anciennes migrations par la base V1 alignée sur ORIGIN.
- Durcissement global du parsing JSON (BindAndValidateJSON + RespondWithAppError).
- Sécurisation de config.go, CORS, statuts de santé et monitoring.
- Implémentation des transactions P0 (RBAC, duplication de playlists, social toggles).
- Ajout d’un job worker structuré (emails, analytics, thumbnails) + tests associés.
- Nouvelle doc backend : AUDIT_CONFIG, BACKEND_CONFIG, AUTH_PASSWORD_RESET, JOB_WORKER_*.
Chat server (Rust):
- Refonte du pipeline JWT + sécurité, audit et rate limiting avancé.
- Implémentation complète du cycle de message (read receipts, delivered, edit/delete, typing).
- Nettoyage des panics, gestion d’erreurs robuste, logs structurés.
- Migrations chat alignées sur le schéma UUID et nouvelles features.
Stream server (Rust):
- Refonte du moteur de streaming (encoding pipeline + HLS) et des modules core.
- Transactions P0 pour les jobs et segments, garanties d’atomicité.
- Documentation détaillée de la pipeline (AUDIT_STREAM_*, DESIGN_STREAM_PIPELINE, TRANSACTIONS_P0_IMPLEMENTATION).
Documentation & audits:
- TRIAGE.md et AUDIT_STABILITY.md à jour avec l’état réel des 3 services.
- Cartographie complète des migrations et des transactions (DB_MIGRATIONS_*, DB_TRANSACTION_PLAN, AUDIT_DB_TRANSACTIONS, TRANSACTION_TESTS_PHASE3).
- Scripts de reset et de cleanup pour la lab DB et la V1.
Ce commit fige l’ensemble du travail de stabilisation P0 (UUID, backend, chat et stream) avant les phases suivantes (Coherence Guardian, WS hardening, etc.).
