From a60cc249147e938263063d0371bd12db51ef87c1 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Sat, 2 May 2026 17:45:59 +0200
Subject: [PATCH] fix(deploy): remove broken init container, document registry push workaround
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Helm init container used /bin/RunProdServer which doesn't exist in IHP's Nix Docker image (binary is at a Nix store path). Additionally, IHP v1.5's RunProdServer starts the server after migrating — it never exits — so init containers are the wrong pattern. IHP applies schema changes on startup.

Changes:
- Remove initContainers block from deployment.yaml entirely
- Set runMigrations: false as default in values.yaml
- Update RUNBOOK.md with correct skopeo push procedure (pre-fetch bearer token to work around Gitea's misconfigured token realm URL: port 80 vs actual 32166)
- Add note that the Nix image has no /bin/sh or /bin/RunProdServer wrapper

k3s registry auth: credentials added to /etc/rancher/k3s/registries.yaml and iptables DNAT rule added on Railiance01 (92.205.130.254:80 → 32166) so the ACME token realm redirect works. hub.coulomb.social DNS A record still needed.

Co-Authored-By: Claude Sonnet 4.6
---
 .../helm/inter-hub/templates/deployment.yaml | 9 ------
 deploy/helm/inter-hub/values.yaml | 2 +-
 deploy/railiance/RUNBOOK.md | 28 ++++++++++++++-----
 3 files changed, 22 insertions(+), 17 deletions(-)

diff --git a/deploy/helm/inter-hub/templates/deployment.yaml b/deploy/helm/inter-hub/templates/deployment.yaml
index 5cce236..feef8ab 100644
--- a/deploy/helm/inter-hub/templates/deployment.yaml
+++ b/deploy/helm/inter-hub/templates/deployment.yaml
@@ -15,15 +15,6 @@ spec:
 labels:
 app: {{ .Release.Name }}
 spec:
- initContainers:
- {{- if .Values.runMigrations }}
- - name: migrate
- image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
- command: ["/bin/RunProdServer", "migrate"]
- envFrom:
- - secretRef:
- name: {{ .Values.envFrom.secretRef }}
- {{- end }}
 containers:
 - name: inter-hub
 image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
diff --git a/deploy/helm/inter-hub/values.yaml b/deploy/helm/inter-hub/values.yaml
index 1d25474..78e1d03 100644
--- a/deploy/helm/inter-hub/values.yaml
+++ b/deploy/helm/inter-hub/values.yaml
@@ -30,4 +30,4 @@ resources:
 envFrom:
 secretRef: inter-hub-env
-runMigrations: true
+runMigrations: false
diff --git a/deploy/railiance/RUNBOOK.md b/deploy/railiance/RUNBOOK.md
index 5a11e90..5a23ce5 100644
--- a/deploy/railiance/RUNBOOK.md
+++ b/deploy/railiance/RUNBOOK.md
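Review bot: In deploy/helm/inter-hub/values.yaml the `runMigrations` key is kept (now `false`), but the only reference to `.Values.runMigrations` visible in this patch is the `initContainers` block that the deployment.yaml hunk removes, so the value appears to have no effect any more. An operator who sets it back to `true` would expect a migration step and silently get none. Either drop the key or keep it with a comment such as `# unused: IHP applies schema changes on startup; kept only for compatibility`. Other templates in the chart are not shown here, so confirm nothing else reads it before removing.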
@@ -25,15 +25,29 @@ helm upgrade --install inter-hub deploy/helm/inter-hub \
 ```bash
 ssh root@192.168.178.135
 cd /root/inter-hub
-git pull # (requires Gitea auth — see Gitea credentials section)
-nix build .#docker --accept-flake-config --option lazy-trees false
-# Push to Gitea registry:
-skopeo copy docker-archive:result \
- docker://92.205.130.254:32166/coulomb/inter-hub: \
- --dest-creds "tegwick:" \
- --dest-tls-verify=false
+# Build:
+nix build .#docker --log-format raw > /tmp/build.log 2>&1
+
+# Push — Gitea registry token realm points to gitea.coulomb.social:80 but Gitea
+# only listens on port 32166; skopeo must use a pre-fetched token:
+SHA=$(git rev-parse --short HEAD)
+SKOPEO=/nix/store/fwdagky9lfsyrgzxiq14zijcziazfdsn-skopeo-1.22.2/bin/skopeo
+TOKEN=$(curl -s \
+ "http://92.205.130.254:32166/v2/token?service=container_registry&scope=repository:coulomb/inter-hub:push,pull" \
+ -u 'tegwick:' | awk -F'"' '/token/{print $4}')
+$SKOPEO copy --insecure-policy --dest-tls-verify=false \
+ --dest-registry-token "$TOKEN" \
+ docker-archive:result \
+ docker://92.205.130.254:32166/coulomb/inter-hub:$SHA
 ```
+**Notes:**
+- `skopeo` is in the Nix profile but not on PATH — use the full store path above.
+- The IHP Nix Docker image has NO `/bin/RunProdServer` symlink. The binary lives at
+ `/nix/store/-inter-hub/bin/RunProdServer` (hash changes per build).
+ Use `kubectl exec deploy/inter-hub -- /nix/store/*-inter-hub/bin/RunProdServer `
+ if a shell is not available (the Nix image has no `/bin/sh`).
+
 ## Gitea Registry Credentials
 The Gitea token for registry push is stored in `~/.config/tea/config.yml` on the
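Review bot: The new push steps send the registry credential with HTTP Basic auth over plain `http://` (`curl -s "http://92.205.130.254:32166/v2/token?…" -u 'tegwick:'`) and receive the bearer token the same way, so both can be read on the network path. `--dest-tls-verify=false` leaves the upload equally unprotected, and the newly added `--insecure-policy` also skips skopeo's signature policy check; the runbook should state this and restrict the step to a trusted network path, using a push-scoped, revocable token rather than an account password. The fetch is unchecked as well: `curl -s` hides HTTP errors and an empty `TOKEN` goes straight to skopeo, so I would use `curl -fsS` and add `[ -n "$TOKEN" ] || { echo "token fetch failed" >&2; exit 1; }` before the copy. In the Notes, the `kubectl exec … /nix/store/*-inter-hub/bin/RunProdServer` hint depends on a glob that the local shell, not the shell-less container, would expand, so it probably needs the resolved store path.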