docs: document Gitea registry token workaround

Gitea's registry token realm is misconfigured — it points to
gitea.coulomb.social:80 but Gitea only listens on port 32166. iptables
is not available on haskelseed (Alpine). Workaround: pre-fetch the bearer
token via curl against port 32166 and pass it to skopeo with
--dest-registry-token, bypassing the broken token service URL entirely.

Validated with inter-hub:11ff61c on 2026-05-02.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-02 17:09:48 +02:00
parent 004b419e30
commit b818866c7f
2 changed files with 34 additions and 10 deletions

@@ -72,8 +72,16 @@ each node.
│ → builds inter-hub-binaries
│ → assembles OCI tarball (result → /root/ihp-railiance-probe/result)
skopeo copy docker-archive:result
docker://92.205.130.254:32166/coulomb/ihp-railiance-probe:<SHA>
# Gitea's registry token realm points to port 80; skopeo must use a
# pre-fetched token to avoid following that misconfigured URL.
│ TOKEN=$(curl -s \
│ "http://92.205.130.254:32166/v2/token?service=container_registry\
│&scope=repository:coulomb/<APP>:push,pull" \
│ -u 'tegwick:<GITEA_API_KEY>' | awk -F'"' '/token/{print $4}')
│ skopeo copy --insecure-policy --dest-tls-verify=false \
│ --dest-registry-token "$TOKEN" \
│ docker-archive:result \
│ docker://92.205.130.254:32166/coulomb/<APP>:<SHA>
[CoulombCore — Registry]
│ image stored as coulomb/ihp-railiance-probe:<SHA>
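
Review bot: the `TOKEN=$(curl -s ... | awk ...)` step has no failure check, so if the token request is rejected or returns an error body, `TOKEN` ends up empty or wrong and `skopeo copy` still runs with it. Suggest `curl -fsS` plus an explicit guard such as `[ -n "$TOKEN" ] || exit 1` before the copy. It is also worth stating next to the command that `-u 'tegwick:<GITEA_API_KEY>'` is sent to an `http://` URL and that the push uses `--dest-tls-verify=false`, so the API key and the bearer token cross the network in cleartext. The two added comment lines lack the `│` prefix the rest of the diagram uses.
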
@@ -131,6 +139,7 @@ each node.
| GHC 9.10.3 `.hi` overflow (>274 MB) | Crash after all modules compile | ActualTypes postUnpack overlay in flake.nix |
| GHC 9.10.3 `libHSghc.a` truncated | Crash at position 287,686,318 | Direct archive patch on haskelseed (one-time; check after flake lock update) |
| Registry on HTTP (no TLS) | k3s defaults to HTTPS for pulls | Configure k3s `registries.yaml` with mirror entry for `92.205.130.254:32166` |
| Gitea registry token realm misconfigured | `Bearer realm` points to `gitea.coulomb.social:80` but Gitea is on port 32166; skopeo follows the realm URL and gets 404 | Pre-fetch token via `curl` against port 32166 and pass with `--dest-registry-token`; do NOT rely on skopeo's automatic token fetch |
| No CI runner yet | Manual build + push | Phase 6 of workplan adds Gitea Actions runner on haskelseed |
---
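
Review bot: the new `Gitea registry token realm misconfigured` row records only the workaround; unlike the `No CI runner yet` row, which names the workplan phase that removes the limitation, it does not say where the realm setting itself will be corrected. Suggest adding a pointer to the task that fixes the realm, and the reason given in the commit message (no `iptables` on haskelseed's Alpine), so readers know when `--dest-registry-token` can be dropped again.
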

@@ -231,19 +231,34 @@ priority: medium
state_hub_task_id: "24b892fa-2a81-4606-b7a8-20e493c89441"
```
Push the built image to the Gitea container registry:
Push the built image to the Gitea container registry.
**Note:** Gitea's registry token realm is misconfigured — it points to
`gitea.coulomb.social:80` but Gitea runs on port 32166. Pre-fetch the token
manually and pass it with `--dest-registry-token` to bypass the broken token
dance (no `iptables` on haskelseed's Alpine to redirect ports):
```bash
sshpass -p 'hcs26!x' ssh root@192.168.178.135 \
'cd /root/ihp-railiance-probe && \
SHA=$(git rev-parse --short HEAD) && \
skopeo copy docker-archive:result \
docker://92.205.130.254:32166/coulomb/ihp-railiance-probe:$SHA'
sshpass -p 'hcs26!x' ssh root@192.168.178.135 bash <<'EOF'
cd /root/ihp-railiance-probe
SHA=$(git rev-parse --short HEAD)
SKOPEO=/nix/store/fwdagky9lfsyrgzxiq14zijcziazfdsn-skopeo-1.22.2/bin/skopeo
TOKEN=$(curl -s \
"http://92.205.130.254:32166/v2/token?service=container_registry&scope=repository:coulomb/ihp-railiance-probe:push,pull" \
-u 'tegwick:<GITEA_API_KEY>' | awk -F'"' '/token/{print $4}')
$SKOPEO copy --insecure-policy --dest-tls-verify=false \
--dest-registry-token "$TOKEN" \
docker-archive:result \
docker://92.205.130.254:32166/coulomb/ihp-railiance-probe:$SHA
EOF
```
Verify:
Verify via the registry API:
```bash
skopeo inspect docker://92.205.130.254:32166/coulomb/ihp-railiance-probe:<SHA>
TOKEN=$(curl -s "http://92.205.130.254:32166/v2/token?service=container_registry&scope=repository:coulomb/ihp-railiance-probe:pull" \
-u 'tegwick:<GITEA_API_KEY>' | awk -F'"' '/token/{print $4}')
curl -s -H "Authorization: Bearer $TOKEN" \
"http://92.205.130.254:32166/v2/coulomb/ihp-railiance-probe/tags/list"
```
**Exit criteria:** `skopeo inspect` succeeds; image visible in Gitea Packages UI.
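
Review bot: the added `sshpass -p ... ssh root@192.168.178.135 bash <<'EOF'` line keeps the root SSH password as a literal in the document, while the same hunk already uses a `<GITEA_API_KEY>` placeholder for the registry credential. Suggest a placeholder or key-based SSH here, and rotating that password since it is now in the repository history. Two smaller points: `SKOPEO=` pins a full `/nix/store/...-skopeo-1.22.2` path, which stops resolving once that store path changes, and the exit criteria still read "`skopeo inspect` succeeds" although the Verify step now uses `curl` against `tags/list`.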