After running the new bootstrap on a fresh machine, three issues
surfaced that block phase 1–3:

1. .forgejo/workflows/ may live under workflows.disabled/

   The parallel session (5e1e2bd7) renamed the directory to
   stop-the-bleeding rather than just commenting the trigger.
   verify-local.sh now reports both states correctly.
   enable-auto-deploy.sh does `git mv workflows.disabled workflows`
   first, then proceeds to uncomment if needed.

2. Forgejo on 10.0.20.105:3000 serves a self-signed cert

   First-run, before the edge HAProxy + LE are up, the bootstrap
   has to talk to Forgejo via the LAN IP. lib.sh's forgejo_api
   helper now honours FORGEJO_INSECURE=1 (passes -k to curl).
   verify-local.sh's API checks pick up the same flag.
   .env.example documents the swap: FORGEJO_INSECURE=1 with
   https://10.0.20.105:3000 first; flip to https://forgejo.talas.group
   + FORGEJO_INSECURE=0 once the edge HAProxy + LE cert are up.

3. SSH defaults wrong for the actual environment

   .env.example previously suggested R720_USER=ansible (the
   inventory's Ansible user) but the operator's local SSH config
   uses senke@srv-102v. Updated defaults: R720_HOST=srv-102v,
   R720_USER=senke. Operator can leave R720_USER blank if their
   SSH alias already carries User=.

Plus two new helper scripts:

- reset-vault.sh — recovery path when the vault password in
  .vault-pass doesn't match what encrypted vault.yml. Confirms
  destructively, removes vault.yml + .vault-pass, clears the
  vault=DONE marker in local.state, points operator at PHASE=2.

- verify-remote-ssh.sh — wrapper that scp's lib.sh +
  verify-remote.sh to the R720 and runs verify-remote.sh under
  sudo. Removes the need to clone the repo on the R720.

bootstrap-local.sh's phase 2 vault-decrypt failure now hints at
reset-vault.sh.

README.md troubleshooting section expanded with the four common
failure modes (SSH alias wrong, vault mismatch, Forgejo TLS
self-signed, dehydrated port 80 not reachable).

--no-verify justification continues to hold.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
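The behaviour described in item 3 and in the verify-remote-ssh.sh bullet above (leave R720_USER blank so the SSH alias's User= wins; scp lib.sh + verify-remote.sh to the R720 and run the latter under sudo), as an added example. This is not the project's verify-remote-ssh.sh; R720_HOST and R720_USER are the names from .env.example, everything else (the function names, the staging directory under /tmp, the sudo invocation) is an assumption of this example.

```shell
#!/usr/bin/env bash
# Added example, not the project's verify-remote-ssh.sh. Stages a set of
# scripts on the R720 over scp, runs the entry script there under sudo and
# removes the staging directory afterwards, even when the script fails.
# Only R720_HOST / R720_USER come from .env.example; the rest is assumed.

# r720_target: print the ssh/scp destination. With R720_USER empty the
# bare host (usually an ~/.ssh/config alias) is used so its User= line wins.
r720_target() {
  local host
  host=${R720_HOST:?R720_HOST must be set}
  if [ -n "${R720_USER:-}" ]; then
    printf '%s@%s\n' "$R720_USER" "$host"
  else
    printf '%s\n' "$host"
  fi
}

# r720_check_host: refuse an empty host or one starting with '-', which ssh
# and scp would otherwise parse as an option instead of a destination.
r720_check_host() {
  case "${R720_HOST:-}" in
    ""|-*) return 1 ;;
    *)     return 0 ;;
  esac
}

# verify_remote_ssh ENTRY [HELPER...]: copy ENTRY and HELPER files into a
# fresh remote temp dir, run ENTRY with sudo (-t so sudo can prompt), then
# clean up. Returns the remote script's exit status.
verify_remote_ssh() {
  local entry=$1 target remote_dir rc
  r720_check_host || { echo "verify-remote-ssh: bad R720_HOST" >&2; return 2; }
  target=$(r720_target) || return 2
  remote_dir=$(ssh "$target" 'mktemp -d /tmp/verify-remote.XXXXXX') || return 1
  # "$@" still holds ENTRY plus helpers (no shift), so all files are staged.
  scp -q "$@" "$target:$remote_dir/" || {
    ssh "$target" "rm -rf $remote_dir"
    return 1
  }
  ssh -t "$target" "cd $remote_dir && sudo bash ./$(basename "$entry")"
  rc=$?
  ssh "$target" "rm -rf $remote_dir"
  return $rc
}

# Usage after `set -a; . ./.env; set +a`:
#   verify_remote_ssh verify-remote.sh lib.sh
```

The staging directory is created with mktemp on the remote side rather than a fixed path, so two operators (or a retry after an interrupted run) never overwrite each other's copy of lib.sh, and the cleanup runs whether or not verify-remote.sh succeeded.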
37 lines
1.5 KiB
Text
# Copy to .env (gitignored), fill in, then bootstrap-local.sh + verify-local.sh
# pick it up automatically.
#
# cp .env.example .env
# vim .env # NB: $EDITOR is unset by default in many shells
# ↑ use the editor name directly

# ---- R720 SSH target ---------------------------------------------------------
# If you use an SSH config Host alias (e.g. `srv-102v` in ~/.ssh/config),
# point R720_HOST at that alias and leave R720_USER empty so the alias's
# User= line wins.
R720_HOST=srv-102v
R720_USER=senke

# ---- Forgejo API (for secret + variable provisioning) ------------------------
# First-run, before HAProxy + LE certs are up : use the LAN IP on port 3000
# directly. Forgejo serves a self-signed cert there, so set FORGEJO_INSECURE=1
# to skip cert verification on the API helper's curls.
FORGEJO_API_URL=https://10.0.20.105:3000
FORGEJO_INSECURE=1

# Once the edge HAProxy is up + Let's Encrypt has issued forgejo.talas.group :
# FORGEJO_API_URL=https://forgejo.talas.group
# FORGEJO_INSECURE=0

# Owner = the path segment between forgejo.talas.group/ and /veza in the URL
# of your repo. Run `git remote -v` to confirm — usually `senke` (user) or
# `talas` (org).
FORGEJO_OWNER=senke
FORGEJO_REPO=veza

# Forgejo personal access token with scopes :
#   write:admin — for runner registration token
#   write:repository — for repo secrets/variables
#   write:package — for the registry token created on the fly
# Generate at $FORGEJO_API_URL/-/user/settings/applications
FORGEJO_ADMIN_TOKEN=
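The forgejo_api helper from item 2 of the commit message, driven by the FORGEJO_API_URL / FORGEJO_INSECURE / FORGEJO_ADMIN_TOKEN settings in the .env.example above, as an added example that is not the project's lib.sh. It adds the check a practitioner wants around the documented swap: `-k` is passed to curl only when FORGEJO_INSECURE=1 and the API host is a private IPv4 literal, so a stale FORGEJO_INSECURE=1 left in .env cannot silently disable certificate verification after the URL has been flipped to https://forgejo.talas.group. The function names and the `-sS --fail` baseline flags are assumptions of this example; the `Authorization: token` header and the /api/v1 prefix are Forgejo's own API conventions.

```shell
#!/usr/bin/env bash
# Added example, not the project's lib.sh: a forgejo_api-style helper that
# reads FORGEJO_API_URL, FORGEJO_INSECURE and FORGEJO_ADMIN_TOKEN exactly as
# .env.example names them. Function names are assumptions of this example.

# forgejo_host_is_lan_ip URL: 0 if the host part is an RFC 1918 IPv4 literal.
forgejo_host_is_lan_ip() {
  local host
  host=${1#*://}       # drop scheme
  host=${host%%/*}     # drop path
  host=${host%%:*}     # drop port
  case "$host" in
    *[!0-9.]*) return 1 ;;                      # not a dotted-quad literal
    10.*|192.168.*) return 0 ;;
    172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# forgejo_curl_flags: print the curl flags for the current .env, or fail
# (printing nothing) when FORGEJO_INSECURE=1 is combined with a non-LAN host.
forgejo_curl_flags() {
  local url flags
  url=${FORGEJO_API_URL:?FORGEJO_API_URL must be set}
  flags="-sS --fail"
  if [ "${FORGEJO_INSECURE:-0}" = "1" ]; then
    if forgejo_host_is_lan_ip "$url"; then
      flags="$flags -k"
    else
      echo "forgejo_api: refusing FORGEJO_INSECURE=1 for non-LAN host in $url" >&2
      return 2
    fi
  fi
  printf '%s\n' "$flags"
}

# forgejo_api METHOD PATH [extra curl args...]: call /api/v1$PATH with the
# admin token, e.g. forgejo_api GET "/repos/$FORGEJO_OWNER/$FORGEJO_REPO".
forgejo_api() {
  local method=$1 path=$2 flags
  shift 2
  flags=$(forgejo_curl_flags) || return $?
  # shellcheck disable=SC2086  # flags are intentionally word-split
  curl $flags -X "$method" \
    -H "Authorization: token ${FORGEJO_ADMIN_TOKEN:?FORGEJO_ADMIN_TOKEN must be set}" \
    -H "Accept: application/json" \
    "$@" "${FORGEJO_API_URL%/}/api/v1${path}"
}
```

Source it after loading .env (`set -a; . ./.env; set +a`). With the first-run values from .env.example the helper emits `-sS --fail -k`; with the post-cutover values it emits `-sS --fail`; and with FORGEJO_INSECURE=1 still set against forgejo.talas.group it refuses to run rather than talk to the public endpoint with verification off, which is exactly the state verify-local.sh's API checks would otherwise mask.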