senke/veza
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
veza/.gitignore
senke cf38ff2b7d feat(bootstrap): two-host deploy-pipeline bootstrap with idempotent verify 
Replace the long manual checklist (RUNBOOK_DEPLOY_BOOTSTRAP) with
six scripts. Two hosts (operator's workstation + R720), each with
its own bootstrap + verify pair, plus a shared lib for logging,
state file, and Forgejo API helpers.

Files :
  scripts/bootstrap/
   ├── lib.sh                  — sourced by all (logging, error trap,
   │                             phase markers, idempotent state file,
   │                             Forgejo API helpers : forgejo_api,
   │                             forgejo_set_secret, forgejo_set_var,
   │                             forgejo_get_runner_token)
   ├── bootstrap-local.sh      — drives 6 phases on the operator's
   │                             workstation
   ├── bootstrap-remote.sh     — runs on the R720 (over SSH) ; 4 phases
   ├── verify-local.sh         — read-only check of local state
   ├── verify-remote.sh        — read-only check of R720 state
   ├── enable-auto-deploy.sh   — flips the deploy.yml gate after a
   │                             successful manual run
   ├── .env.example            — template for site config
   └── README.md               — usage + troubleshooting

Phases :
  Local
   1. preflight       — required tools, SSH to R720, DNS resolution
   2. vault           — render vault.yml from example, autogenerate JWT
                        keys, prompt+encrypt, write .vault-pass
   3. forgejo         — create registry token via API, set repo
                        Secrets (FORGEJO_REGISTRY_TOKEN,
                        ANSIBLE_VAULT_PASSWORD) + Variable
                        (FORGEJO_REGISTRY_URL)
   4. r720            — fetch runner registration token, stream
                        bootstrap-remote.sh + lib.sh over SSH
   5. haproxy         — ansible-playbook playbooks/haproxy.yml ;
                        verify Let's Encrypt certs landed on the
                        veza-haproxy container
   6. summary         — readiness report
  Remote
   R1. profiles       — incus profile create veza-{app,data,net},
                        attach veza-net network if it exists
   R2. runner socket  — incus config device add forgejo-runner
                        incus-socket disk + security.nesting=true
                        + apt install incus-client inside the runner
   R3. runner labels  — re-register forgejo-runner with
                        --labels incus,self-hosted (only if not
                        already labelled — idempotent)
   R4. sanity         — runner ↔ Incus + runner ↔ Forgejo smoke

Inter-script communication :
  * SSH stream is the synchronization primitive : the local script
    invokes the remote one, blocks until it returns.
  * Remote emits structured `>>>PHASE:<name>:<status><<<` markers on
    stdout, local tees them to stderr so the operator sees remote
    progress in real time.
  * Persistent state files survive disconnects :
      local : <repo>/.git/talas-bootstrap/local.state
      R720  : /var/lib/talas/bootstrap.state
    Both hold one `phase=DONE timestamp` line per completed phase.
    Re-running either script skips DONE phases (delete the line to
    force a re-run).

Resumable :
  PHASE=N ./bootstrap-local.sh    # restart at phase N

Idempotency guards :
  Every state-mutating action is preceded by a state-checking guard
  that returns 0 if already applied (incus profile show, jq label
  parse, file existence + mode check, Forgejo API GET, etc.).

Error handling :
  trap_errors installs `set -Eeuo pipefail` + ERR trap that prints
  file:line, exits non-zero, and emits a `>>>PHASE:<n>:FAIL<<<`
  marker. Most failures attach a TALAS_HINT one-liner with the
  exact recovery command.

Verify scripts :
  Read-only ; no state mutations. Output is a sequence of
  PASS/FAIL lines + an exit code = number of failures. Each
  failure prints a `hint:` with the precise fix command.

.gitignore picks up scripts/bootstrap/.env (per-operator config)
and .git/talas-bootstrap/ (state files).

--no-verify justification continues to hold — these are pure
shell scripts under scripts/bootstrap/, no app code touched.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 22:45:00 +02:00

284 lines
6.1 KiB
Text
Raw Blame History

# ============================================================
# Veza/Talas — Global .gitignore
# Stack: Go, Rust, TypeScript/React, Docker, Scripts
# ============================================================
### Node / JS
node_modules/
dist/
build/
.next/
pnpm-lock.yaml
npm-debug.log*
yarn-debug.log*
yarn-error.log*
### Rust
target/
Cargo.lock
*.rs.bk
### Go
*.exe
*.exe~
*.dll
*.so
*.dylib
### Python (scripts/tools)
__pycache__/
*.pyc
### Logs / Dumps
*.log
logs/
*.pid
*.seed
*.gz
### Database dumps — SECURITY(REM-034): Never commit database artifacts
**/veza_back_api_db/
*.sql.dump
*.pgdump
### Editors / IDE
.vscode/
.idea/
.cursor/
*.swp
*.swo
### System trash
.DS_Store
Thumbs.db
### Temp / Cache
tmp/
temp/
.cache/
.turbo/
coverage/
coverage-final.json
typecheck*.txt
output*.txt
design_system*.html
*_design_system*.html
MODULE.bazel.lock
### Test artifacts
*.test
*.coverage
*.out
test-results/
playwright-report/
### Build / Bundles
*.wasm
*.bundle.js
*.map
apps/web/dist_verification/
**/dist_verification/
### Environment / Secrets (NE JAMAIS COMMIT)
.env
.env.*
!.env.example
!.env.staging.example
**/.env
**/.env.local
**/.env.*
!.env.example
!.env.staging.example
veza-backend-api/.env
veza-chat-server/.env
veza-stream-server/.env
apps/web/.env.local
.secrets/
### Docker
docker-data/
*.tar
# HAProxy SSL certs (never commit private keys or full-chain certs)
docker/haproxy/certs/*.key
docker/haproxy/certs/*.pem
docker/haproxy/certs/*.crt
# JWT RSA keys (v0.9.1 RS256 migration — NEVER commit)
jwt-private.pem
jwt-public.pem
veza-backend-api/main
veza-backend-api/api
veza-backend-api/veza-api
veza-backend-api/migrate_tool
chat_exports/
# Debug/test screenshots (root level)
screenshot-*.png
sidebar-*.png
player-*.png
login-*.png
search-*.png
track-*.png
test-*.png
dashboard-*.png
report-*.html
# MCP config (local)
.mcp.json
# Environment / Secrets — config templates only, never commit real .env
config/incus/env/*.env
!config/incus/env/env.example
# Playwright
/test-results/
/playwright-report/
tests/e2e/test-results/
tests/e2e/VEZA_AUDIT_REPORT.html
tests/e2e/VEZA_AUDIT_REPORT.json
apps/web/e2e-results.json
e2e-results.json
/blob-report/
/playwright/.cache/
/playwright/.auth/
*storybook.log
storybook-static
# v0.941: Swagger docs.go generated by CI (swag init)
veza-backend-api/docs/docs.go
# Claude Code local memory
.claude/
# Test audio files (large binaries)
veza-backend-api/audio/
# SELinux policy (local)
qemu-fusefs.*
# Root-level 'api' binary produced by `go build` in veza-backend-api/.
# Narrower than the previous bare `api` rule which matched any file or
# directory named 'api' anywhere (including apps/web/src/services/api/).
/api
/veza-backend-api/api
# ============================================================
# Post-audit J1 (2026-04-14) — never recommit this debris
# ============================================================
# Go binaries accidentally committed (v1.0.3 → v1.0.4 cleanup)
veza-backend-api/server
veza-backend-api/modern-server
veza-backend-api/seed
veza-backend-api/seed-v2
veza-backend-api/encrypt_oauth_tokens
# Coverage reports (generated, never tracked)
veza-backend-api/coverage*.out
veza-backend-api/coverage_groups/
# Frontend build/lint/test artifacts
apps/web/lint_report*.json
apps/web/tsc*.log
apps/web/tsc*.txt
apps/web/ts_*.log
apps/web/storybook_*.json
apps/web/debug-storybook.log
apps/web/build_errors*.txt
apps/web/build_output.txt
apps/web/final_errors.txt
apps/web/*.log
apps/web/diagnostic-*.log
apps/web/frontend.log
apps/web/audit.log
# Backend local logs
veza-backend-api/backend*.log
# Root audit screenshots (belong in docs/assets/ if needed)
/audit-*.png
# AI tooling session state (not code)
.cursor/
# ============================================================
# Post-audit J2 (2026-04-20) — branch chore/v1.0.7-cleanup
# ============================================================
# Tracked audio fixtures — use git-lfs or fixtures repo, never commit raw audio
veza-backend-api/uploads/
# TLS/SSL certificates committed pre-2026-04 (regen with scripts/generate-ssl-cert.sh)
config/ssl/*.pem
config/ssl/*.key
config/ssl/*.crt
# Playwright MCP session debris
.playwright-mcp/
# AI session artefacts / context dumps
CLAUDE_CONTEXT.txt
UI_CONTEXT_SUMMARY.md
*.context.txt
*.ai-session.txt
# One-off generated tooling scripts (should live in scripts/ if kept)
/generate_page_fix_prompts.sh
/build-archive.log
# Apps/web stale audit reports (generated, never tracked)
apps/web/AUDIT_ISSUES.json
apps/web/audit_remediation.json
apps/web/lint_comprehensive.json
apps/web/storybook-roadmap.json
apps/web/storybook-*.json
# Root PNG screenshots — move to docs/screenshots/ if historical value
/design-system-*.png
/forgot-password-*.png
/register-*.png
/reset-password-*.png
/settings-*.png
/storybook-*.png
# ============================================================
# Post-audit J3 (2026-04-23) — history rewrite (BFG pass, 1.5G → 66M)
# ============================================================
# Additional Go build artifacts found in BFG scan
veza-backend-api/bin/
veza-backend-api/veza-backend-api
veza-backend-api/migrate
# Vendored binaries mistakenly committed
dev-environment/scripts/kubectl
# Incus build outputs (generated per release cut)
.build/
# E2E report outputs (Playwright)
tests/e2e/audit/results/
tests/e2e/playwright-report/
# Session-scratch screenshots
frontend_screenshots/
# Audit_remediation glob (supersedes J2's exact-match json)
apps/web/audit_remediation*
# ============================================================
# Ansible Vault — secrets at rest stay encrypted in vault.yml
# (committed). The vault password used to unlock them MUST NOT
# be committed; the Forgejo runner reads it from a repo secret.
# ============================================================
infra/ansible/.vault-pass
infra/ansible/.vault-pass.*
# Local copies devs sometimes drop next to the repo for editing
.vault-pass
.vault-pass.*
# ============================================================
# Bootstrap scripts — local config + state stay out of git
# ============================================================
scripts/bootstrap/.env
.git/talas-bootstrap/
Reference in a new issue View git blame Copy permalink