From 9b523f1ce306360e5652c59c0fbc1d231f2e1fa9 Mon Sep 17 00:00:00 2001 From: waffle2k Date: Mon, 6 Jul 2026 13:59:27 -0700 Subject: [PATCH] Update CLAUDE.md: admin.yttrx.com is a plain directory now, not a git checkout Deploy target was cleaned up to just docker-compose.yml + .env (+ .env.bak-* snapshots) after switching to registry-pulled images. Fixes references to git pull, chown waffles, and app/main.py.bak rollback that no longer apply. --- CLAUDE.md | 85 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 47 insertions(+), 38 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index aa9d1e5..98716d3 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -29,7 +29,7 @@ follows within `SUSPICIOUS_GRACE_HOURS` of going live. See README.md's |---|---| | Workstation | Source of truth: `~/yttrx-welcomebot/` (this repo) | | `git.blairhaus.net/yttrx-welcomebot.git` | `origin` remote (HTTP Basic Auth, `GIT_AUTH_USER`/`GIT_AUTH_PASS` in `~/docker/.env` on admin — same shared cred as every other git.blairhaus.net repo, embedded in the remote URL). `.gitea/workflows/docker-build-push.yml` runs on every push to `main` (added 2026-07-06): builds the image and pushes `gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` + `:` to the Gitea container registry. | -| `admin.yttrx.com` | Deploy target: `/root/yttrx-welcomebot/` is a **git checkout** of the above (converted from an rsync-deployed tree 2026-07-02), Docker container `yttrx-welcomebot` on `127.0.0.1:8087`, nginx site `hooks` → `hooks.yttrx.com`. `ssh admin.yttrx.com` logs in as **root**. Compose is **`docker-compose` v1.29.2** (hyphenated, not `docker compose`). `docker-compose.yml` now pulls `image: gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` (switched from `build: .` 2026-07-06) — `root`'s `~/.docker/config.json` on this box holds a read-only (`read:package`) Gitea PAT for the pull; deploy is still `git pull` (picks up compose/`.env`-var changes) but the image itself now comes from the registry, not a local build. | +| `admin.yttrx.com` | Deploy target: `/root/yttrx-welcomebot/` is now a **plain directory** (converted from a git checkout 2026-07-06, which itself replaced an rsync-deployed tree 2026-07-02) containing *only* `docker-compose.yml`, `.env`, and dated `.env.bak-*` snapshots — no source tree, no `.git`. Docker container `yttrx-welcomebot` on `127.0.0.1:8087`, nginx site `hooks` → `hooks.yttrx.com`. `ssh admin.yttrx.com` logs in as **root**. Compose is **`docker-compose` v1.29.2** (hyphenated, not `docker compose`). `docker-compose.yml` pulls `image: gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` (switched from `build: .` 2026-07-06) — `root`'s `~/.docker/config.json` on this box holds a read-only (`read:package`) Gitea PAT for the pull. Deploy is now purely `docker-compose pull && docker-compose up -d`, no `git pull` involved at all — there's nothing left there to pull. A full tar of the old git checkout is kept at `/root/yttrx-welcomebot.pre-cleanup-20260706.tar.gz` on the box as a one-time rollback net. | | `mammut` (`ssh mammut`) | The Mastodon instance. `tootctl`/Rails run inside the `live-web-1` container. Bot accounts + tokens live here. | Full ops history is in secondbrain `yttrx-documentation/changelog.md`; the @@ -38,20 +38,18 @@ user-memory note `project_welcomebot` has the current state. ## HARD RULES - **Never overwrite the `.env` on `admin.yttrx.com`.** It holds the live - `WEBHOOK_SECRET`, `BOT_ACCESS_TOKEN`, and `ABUSE_BOT_TOKEN`. It is untracked - (gitignored) in the deploy checkout — `git pull`/`git reset` never touch it. - Edit it in place for new vars. -- **Never commit secrets.** `.env` is git- and docker-ignored. Tokens/passwords - must not land in this repo, the changelog, or CLAUDE.md. + `WEBHOOK_SECRET`, `BOT_ACCESS_TOKEN`, and `ABUSE_BOT_TOKEN`. Edit it in place + for new vars. +- **Never commit secrets.** `.env` is git- and docker-ignored on the workstation + repo. Tokens/passwords must not land in this repo, the changelog, or + CLAUDE.md. - The bot **silences** (reversible), it does not suspend by default (`ABUSE_ACTION=silence`). It applies the action **without** `report_id` so the report stays open for human review. -- **`git` commands on admin.yttrx.com run as root** against a repo whose files - are `chown`ed to `waffles` (see below) — root's global config there already - has `safe.directory /root/yttrx-welcomebot` set to avoid the "dubious - ownership" error; don't need to re-add it, but if the repo is ever - reconstructed at that path from scratch, re-run - `git config --global --add safe.directory /root/yttrx-welcomebot`. +- **`admin.yttrx.com`'s `/root/yttrx-welcomebot/` is not a git repo any more** + (cleaned up 2026-07-06). Don't `git init`/clone it back into place — the + registry image + `docker-compose.yml`/`.env` is the whole deploy surface now. + All source lives in the workstation repo / Gitea only. ## Deploy procedure (workstation → admin.yttrx.com) @@ -61,34 +59,32 @@ cd ~/yttrx-welcomebot python3 -m venv .venv && . .venv/bin/activate && pip install -q -r requirements.txt WEBHOOK_SECRET=testsecret BOT_ACCESS_TOKEN=x python test_local.py # -> ALL TESTS PASSED -# 2. Commit + push to origin (git.blairhaus.net) +# 2. Commit + push to origin (git.blairhaus.net) — this fires +# .gitea/workflows/docker-build-push.yml, which builds and pushes +# gitea.blairhaus.net/pmb/yttrx-welcomebot:latest + : git add -A && git commit -m "..." git push origin main -# 3. Pull on admin.yttrx.com (.env is gitignored — untouched by pull/reset) -ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && git pull origin main' +# 3. Wait for the CI run to succeed (Gitea UI, or the Actions API), then pull +# the freshly-built image on admin.yttrx.com and restart. No git anywhere +# on this box any more — it's just docker-compose.yml + .env. Named volume +# welcomebot-data persists the dedup db across this. +ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d' -# 4. Re-normalise ownership if new files were added (chown is not tracked by git) -ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && chown -R waffles:waffles . && \ - chown root:root .env; chmod 600 .env' - -# 5. If new env vars were added this release, set them IN PLACE on the box, e.g. +# 4. If new env vars were added this release, set them IN PLACE on the box, e.g. ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \ grep -q "^NEW_VAR=" .env || echo "NEW_VAR=value" >> .env' - -# 6. Pull the freshly-CI-built image and restart (named volume welcomebot-data -# persists the dedup db; the volume name is derived from the directory -# basename, which is unchanged, so it survived the rsync -> git-checkout -# conversion). Wait for the .gitea/workflows/docker-build-push.yml run to -# finish first (push -> CI builds+pushes :latest) or this just re-pulls the -# previous tag. -ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d' ``` -Rollback is now `git checkout -- .` (or `git revert`) instead of -restoring `.bak` files. `.env.bak-*` snapshots from past deploys remain on the box; the -full pre-git-conversion tree (`/root/yttrx-welcomebot.pre-git-*/`) was removed -2026-07-02 once the git checkout was verified identical. +Rollback: revert/checkout the previous commit on the workstation repo and push +(or manually retag/push an older image to `:latest`), wait for CI, then re-run +step 3. There's no local `.bak` source tree on admin.yttrx.com to fall back to +any more — the workstation repo / Gitea history is the only source of truth. +`.env.bak-*` snapshots from past deploys remain on the box for env-var +rollback specifically. A full tar of the pre-cleanup git checkout is at +`/root/yttrx-welcomebot.pre-cleanup-20260706.tar.gz` if source-level history +from that tree is ever needed (it shouldn't be — everything in it is also in +git history). ### Verify @@ -133,22 +129,35 @@ ssh admin.yttrx.com welcomebot-signups -a someuser ssh admin.yttrx.com welcomebot-signups -n all ``` -Both CLIs are just files tracked in this repo now — after editing either one, -reinstall with: +Both CLIs are tracked in this repo (`bin/welcomebot-logs`, `bin/welcomebot-signups`) +but **not** deployed via git any more — `admin.yttrx.com` has no checkout of this +repo since the 2026-07-06 cleanup. After editing either one, reinstall by copying +directly from the workstation: ```bash -ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && git pull origin main && \ - install -m755 bin/welcomebot-logs bin/welcomebot-signups /root/bin/' +scp bin/welcomebot-logs bin/welcomebot-signups admin.yttrx.com:/root/bin/ +ssh admin.yttrx.com 'chmod 755 /root/bin/welcomebot-logs /root/bin/welcomebot-signups' # /usr/local/bin/welcomebot-{logs,signups} are symlinks to /root/bin — no # need to touch them again once created. ``` ### Rollback +There's no `app/main.py.bak-*` on `admin.yttrx.com` any more — the deploy +directory holds only `docker-compose.yml` + `.env`. To roll back the app code, +revert/retag on the workstation repo, get a rolled-back image into the registry +(push an older commit and let CI rebuild, or manually `docker build`/`push` an +old checkout), then: + +```bash +ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d' +``` + +For `.env`-only rollback, `.env.bak-*` snapshots remain on the box: + ```bash ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \ - cp app/main.py.bak-YYYYMMDD app/main.py && cp .env.bak-YYYYMMDD .env && \ - docker-compose up -d --build' + cp .env.bak-YYYYMMDD .env && docker-compose up -d' ``` ## Rollout safety: dry-run