Update CLAUDE.md: admin.yttrx.com is a plain directory now, not a git checkout
docker-build-push / build-push (push) Successful in 5s
docker-build-push / build-push (push) Successful in 5s
Deploy target was cleaned up to just docker-compose.yml + .env (+ .env.bak-* snapshots) after switching to registry-pulled images. Fixes references to git pull, chown waffles, and app/main.py.bak rollback that no longer apply.
This commit is contained in:
@@ -29,7 +29,7 @@ follows within `SUSPICIOUS_GRACE_HOURS` of going live. See README.md's
|
|||||||
|---|---|
|
|---|---|
|
||||||
| Workstation | Source of truth: `~/yttrx-welcomebot/` (this repo) |
|
| Workstation | Source of truth: `~/yttrx-welcomebot/` (this repo) |
|
||||||
| `git.blairhaus.net/yttrx-welcomebot.git` | `origin` remote (HTTP Basic Auth, `GIT_AUTH_USER`/`GIT_AUTH_PASS` in `~/docker/.env` on admin — same shared cred as every other git.blairhaus.net repo, embedded in the remote URL). `.gitea/workflows/docker-build-push.yml` runs on every push to `main` (added 2026-07-06): builds the image and pushes `gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` + `:<sha>` to the Gitea container registry. |
|
| `git.blairhaus.net/yttrx-welcomebot.git` | `origin` remote (HTTP Basic Auth, `GIT_AUTH_USER`/`GIT_AUTH_PASS` in `~/docker/.env` on admin — same shared cred as every other git.blairhaus.net repo, embedded in the remote URL). `.gitea/workflows/docker-build-push.yml` runs on every push to `main` (added 2026-07-06): builds the image and pushes `gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` + `:<sha>` to the Gitea container registry. |
|
||||||
| `admin.yttrx.com` | Deploy target: `/root/yttrx-welcomebot/` is a **git checkout** of the above (converted from an rsync-deployed tree 2026-07-02), Docker container `yttrx-welcomebot` on `127.0.0.1:8087`, nginx site `hooks` → `hooks.yttrx.com`. `ssh admin.yttrx.com` logs in as **root**. Compose is **`docker-compose` v1.29.2** (hyphenated, not `docker compose`). `docker-compose.yml` now pulls `image: gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` (switched from `build: .` 2026-07-06) — `root`'s `~/.docker/config.json` on this box holds a read-only (`read:package`) Gitea PAT for the pull; deploy is still `git pull` (picks up compose/`.env`-var changes) but the image itself now comes from the registry, not a local build. |
|
| `admin.yttrx.com` | Deploy target: `/root/yttrx-welcomebot/` is now a **plain directory** (converted from a git checkout 2026-07-06, which itself replaced an rsync-deployed tree 2026-07-02) containing *only* `docker-compose.yml`, `.env`, and dated `.env.bak-*` snapshots — no source tree, no `.git`. Docker container `yttrx-welcomebot` on `127.0.0.1:8087`, nginx site `hooks` → `hooks.yttrx.com`. `ssh admin.yttrx.com` logs in as **root**. Compose is **`docker-compose` v1.29.2** (hyphenated, not `docker compose`). `docker-compose.yml` pulls `image: gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` (switched from `build: .` 2026-07-06) — `root`'s `~/.docker/config.json` on this box holds a read-only (`read:package`) Gitea PAT for the pull. Deploy is now purely `docker-compose pull && docker-compose up -d`, no `git pull` involved at all — there's nothing left there to pull. A full tar of the old git checkout is kept at `/root/yttrx-welcomebot.pre-cleanup-20260706.tar.gz` on the box as a one-time rollback net. |
|
||||||
| `mammut` (`ssh mammut`) | The Mastodon instance. `tootctl`/Rails run inside the `live-web-1` container. Bot accounts + tokens live here. |
|
| `mammut` (`ssh mammut`) | The Mastodon instance. `tootctl`/Rails run inside the `live-web-1` container. Bot accounts + tokens live here. |
|
||||||
|
|
||||||
Full ops history is in secondbrain `yttrx-documentation/changelog.md`; the
|
Full ops history is in secondbrain `yttrx-documentation/changelog.md`; the
|
||||||
@@ -38,20 +38,18 @@ user-memory note `project_welcomebot` has the current state.
|
|||||||
## HARD RULES
|
## HARD RULES
|
||||||
|
|
||||||
- **Never overwrite the `.env` on `admin.yttrx.com`.** It holds the live
|
- **Never overwrite the `.env` on `admin.yttrx.com`.** It holds the live
|
||||||
`WEBHOOK_SECRET`, `BOT_ACCESS_TOKEN`, and `ABUSE_BOT_TOKEN`. It is untracked
|
`WEBHOOK_SECRET`, `BOT_ACCESS_TOKEN`, and `ABUSE_BOT_TOKEN`. Edit it in place
|
||||||
(gitignored) in the deploy checkout — `git pull`/`git reset` never touch it.
|
for new vars.
|
||||||
Edit it in place for new vars.
|
- **Never commit secrets.** `.env` is git- and docker-ignored on the workstation
|
||||||
- **Never commit secrets.** `.env` is git- and docker-ignored. Tokens/passwords
|
repo. Tokens/passwords must not land in this repo, the changelog, or
|
||||||
must not land in this repo, the changelog, or CLAUDE.md.
|
CLAUDE.md.
|
||||||
- The bot **silences** (reversible), it does not suspend by default
|
- The bot **silences** (reversible), it does not suspend by default
|
||||||
(`ABUSE_ACTION=silence`). It applies the action **without** `report_id` so the
|
(`ABUSE_ACTION=silence`). It applies the action **without** `report_id` so the
|
||||||
report stays open for human review.
|
report stays open for human review.
|
||||||
- **`git` commands on admin.yttrx.com run as root** against a repo whose files
|
- **`admin.yttrx.com`'s `/root/yttrx-welcomebot/` is not a git repo any more**
|
||||||
are `chown`ed to `waffles` (see below) — root's global config there already
|
(cleaned up 2026-07-06). Don't `git init`/clone it back into place — the
|
||||||
has `safe.directory /root/yttrx-welcomebot` set to avoid the "dubious
|
registry image + `docker-compose.yml`/`.env` is the whole deploy surface now.
|
||||||
ownership" error; don't need to re-add it, but if the repo is ever
|
All source lives in the workstation repo / Gitea only.
|
||||||
reconstructed at that path from scratch, re-run
|
|
||||||
`git config --global --add safe.directory /root/yttrx-welcomebot`.
|
|
||||||
|
|
||||||
## Deploy procedure (workstation → admin.yttrx.com)
|
## Deploy procedure (workstation → admin.yttrx.com)
|
||||||
|
|
||||||
@@ -61,34 +59,32 @@ cd ~/yttrx-welcomebot
|
|||||||
python3 -m venv .venv && . .venv/bin/activate && pip install -q -r requirements.txt
|
python3 -m venv .venv && . .venv/bin/activate && pip install -q -r requirements.txt
|
||||||
WEBHOOK_SECRET=testsecret BOT_ACCESS_TOKEN=x python test_local.py # -> ALL TESTS PASSED
|
WEBHOOK_SECRET=testsecret BOT_ACCESS_TOKEN=x python test_local.py # -> ALL TESTS PASSED
|
||||||
|
|
||||||
# 2. Commit + push to origin (git.blairhaus.net)
|
# 2. Commit + push to origin (git.blairhaus.net) — this fires
|
||||||
|
# .gitea/workflows/docker-build-push.yml, which builds and pushes
|
||||||
|
# gitea.blairhaus.net/pmb/yttrx-welcomebot:latest + :<sha>
|
||||||
git add -A && git commit -m "..."
|
git add -A && git commit -m "..."
|
||||||
git push origin main
|
git push origin main
|
||||||
|
|
||||||
# 3. Pull on admin.yttrx.com (.env is gitignored — untouched by pull/reset)
|
# 3. Wait for the CI run to succeed (Gitea UI, or the Actions API), then pull
|
||||||
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && git pull origin main'
|
# the freshly-built image on admin.yttrx.com and restart. No git anywhere
|
||||||
|
# on this box any more — it's just docker-compose.yml + .env. Named volume
|
||||||
|
# welcomebot-data persists the dedup db across this.
|
||||||
|
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d'
|
||||||
|
|
||||||
# 4. Re-normalise ownership if new files were added (chown is not tracked by git)
|
# 4. If new env vars were added this release, set them IN PLACE on the box, e.g.
|
||||||
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && chown -R waffles:waffles . && \
|
|
||||||
chown root:root .env; chmod 600 .env'
|
|
||||||
|
|
||||||
# 5. If new env vars were added this release, set them IN PLACE on the box, e.g.
|
|
||||||
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \
|
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \
|
||||||
grep -q "^NEW_VAR=" .env || echo "NEW_VAR=value" >> .env'
|
grep -q "^NEW_VAR=" .env || echo "NEW_VAR=value" >> .env'
|
||||||
|
|
||||||
# 6. Pull the freshly-CI-built image and restart (named volume welcomebot-data
|
|
||||||
# persists the dedup db; the volume name is derived from the directory
|
|
||||||
# basename, which is unchanged, so it survived the rsync -> git-checkout
|
|
||||||
# conversion). Wait for the .gitea/workflows/docker-build-push.yml run to
|
|
||||||
# finish first (push -> CI builds+pushes :latest) or this just re-pulls the
|
|
||||||
# previous tag.
|
|
||||||
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d'
|
|
||||||
```
|
```
|
||||||
|
|
||||||
Rollback is now `git checkout <previous-sha> -- .` (or `git revert`) instead of
|
Rollback: revert/checkout the previous commit on the workstation repo and push
|
||||||
restoring `.bak` files. `.env.bak-*` snapshots from past deploys remain on the box; the
|
(or manually retag/push an older image to `:latest`), wait for CI, then re-run
|
||||||
full pre-git-conversion tree (`/root/yttrx-welcomebot.pre-git-*/`) was removed
|
step 3. There's no local `.bak` source tree on admin.yttrx.com to fall back to
|
||||||
2026-07-02 once the git checkout was verified identical.
|
any more — the workstation repo / Gitea history is the only source of truth.
|
||||||
|
`.env.bak-*` snapshots from past deploys remain on the box for env-var
|
||||||
|
rollback specifically. A full tar of the pre-cleanup git checkout is at
|
||||||
|
`/root/yttrx-welcomebot.pre-cleanup-20260706.tar.gz` if source-level history
|
||||||
|
from that tree is ever needed (it shouldn't be — everything in it is also in
|
||||||
|
git history).
|
||||||
|
|
||||||
### Verify
|
### Verify
|
||||||
|
|
||||||
@@ -133,22 +129,35 @@ ssh admin.yttrx.com welcomebot-signups -a someuser
|
|||||||
ssh admin.yttrx.com welcomebot-signups -n all
|
ssh admin.yttrx.com welcomebot-signups -n all
|
||||||
```
|
```
|
||||||
|
|
||||||
Both CLIs are just files tracked in this repo now — after editing either one,
|
Both CLIs are tracked in this repo (`bin/welcomebot-logs`, `bin/welcomebot-signups`)
|
||||||
reinstall with:
|
but **not** deployed via git any more — `admin.yttrx.com` has no checkout of this
|
||||||
|
repo since the 2026-07-06 cleanup. After editing either one, reinstall by copying
|
||||||
|
directly from the workstation:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && git pull origin main && \
|
scp bin/welcomebot-logs bin/welcomebot-signups admin.yttrx.com:/root/bin/
|
||||||
install -m755 bin/welcomebot-logs bin/welcomebot-signups /root/bin/'
|
ssh admin.yttrx.com 'chmod 755 /root/bin/welcomebot-logs /root/bin/welcomebot-signups'
|
||||||
# /usr/local/bin/welcomebot-{logs,signups} are symlinks to /root/bin — no
|
# /usr/local/bin/welcomebot-{logs,signups} are symlinks to /root/bin — no
|
||||||
# need to touch them again once created.
|
# need to touch them again once created.
|
||||||
```
|
```
|
||||||
|
|
||||||
### Rollback
|
### Rollback
|
||||||
|
|
||||||
|
There's no `app/main.py.bak-*` on `admin.yttrx.com` any more — the deploy
|
||||||
|
directory holds only `docker-compose.yml` + `.env`. To roll back the app code,
|
||||||
|
revert/retag on the workstation repo, get a rolled-back image into the registry
|
||||||
|
(push an older commit and let CI rebuild, or manually `docker build`/`push` an
|
||||||
|
old checkout), then:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d'
|
||||||
|
```
|
||||||
|
|
||||||
|
For `.env`-only rollback, `.env.bak-*` snapshots remain on the box:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \
|
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \
|
||||||
cp app/main.py.bak-YYYYMMDD app/main.py && cp .env.bak-YYYYMMDD .env && \
|
cp .env.bak-YYYYMMDD .env && docker-compose up -d'
|
||||||
docker-compose up -d --build'
|
|
||||||
```
|
```
|
||||||
|
|
||||||
## Rollout safety: dry-run
|
## Rollout safety: dry-run
|
||||||
|
|||||||
Reference in New Issue
Block a user