Update CLAUDE.md: admin.yttrx.com is a plain directory now, not a git checkout
docker-build-push / build-push (push) Successful in 5s

Deploy target was cleaned up to just docker-compose.yml + .env (+ .env.bak-*
snapshots) after switching to registry-pulled images. Fixes references to
git pull, chown waffles, and app/main.py.bak rollback that no longer apply.
This commit is contained in:
2026-07-06 13:59:27 -07:00
parent 5dad3f99dd
commit 9b523f1ce3
+47 -38
View File
@@ -29,7 +29,7 @@ follows within `SUSPICIOUS_GRACE_HOURS` of going live. See README.md's
|---|---| |---|---|
| Workstation | Source of truth: `~/yttrx-welcomebot/` (this repo) | | Workstation | Source of truth: `~/yttrx-welcomebot/` (this repo) |
| `git.blairhaus.net/yttrx-welcomebot.git` | `origin` remote (HTTP Basic Auth, `GIT_AUTH_USER`/`GIT_AUTH_PASS` in `~/docker/.env` on admin — same shared cred as every other git.blairhaus.net repo, embedded in the remote URL). `.gitea/workflows/docker-build-push.yml` runs on every push to `main` (added 2026-07-06): builds the image and pushes `gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` + `:<sha>` to the Gitea container registry. | | `git.blairhaus.net/yttrx-welcomebot.git` | `origin` remote (HTTP Basic Auth, `GIT_AUTH_USER`/`GIT_AUTH_PASS` in `~/docker/.env` on admin — same shared cred as every other git.blairhaus.net repo, embedded in the remote URL). `.gitea/workflows/docker-build-push.yml` runs on every push to `main` (added 2026-07-06): builds the image and pushes `gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` + `:<sha>` to the Gitea container registry. |
| `admin.yttrx.com` | Deploy target: `/root/yttrx-welcomebot/` is a **git checkout** of the above (converted from an rsync-deployed tree 2026-07-02), Docker container `yttrx-welcomebot` on `127.0.0.1:8087`, nginx site `hooks``hooks.yttrx.com`. `ssh admin.yttrx.com` logs in as **root**. Compose is **`docker-compose` v1.29.2** (hyphenated, not `docker compose`). `docker-compose.yml` now pulls `image: gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` (switched from `build: .` 2026-07-06) — `root`'s `~/.docker/config.json` on this box holds a read-only (`read:package`) Gitea PAT for the pull; deploy is still `git pull` (picks up compose/`.env`-var changes) but the image itself now comes from the registry, not a local build. | | `admin.yttrx.com` | Deploy target: `/root/yttrx-welcomebot/` is now a **plain directory** (converted from a git checkout 2026-07-06, which itself replaced an rsync-deployed tree 2026-07-02) containing *only* `docker-compose.yml`, `.env`, and dated `.env.bak-*` snapshots — no source tree, no `.git`. Docker container `yttrx-welcomebot` on `127.0.0.1:8087`, nginx site `hooks``hooks.yttrx.com`. `ssh admin.yttrx.com` logs in as **root**. Compose is **`docker-compose` v1.29.2** (hyphenated, not `docker compose`). `docker-compose.yml` pulls `image: gitea.blairhaus.net/pmb/yttrx-welcomebot:latest` (switched from `build: .` 2026-07-06) — `root`'s `~/.docker/config.json` on this box holds a read-only (`read:package`) Gitea PAT for the pull. Deploy is now purely `docker-compose pull && docker-compose up -d`, no `git pull` involved at all — there's nothing left there to pull. A full tar of the old git checkout is kept at `/root/yttrx-welcomebot.pre-cleanup-20260706.tar.gz` on the box as a one-time rollback net. |
| `mammut` (`ssh mammut`) | The Mastodon instance. `tootctl`/Rails run inside the `live-web-1` container. Bot accounts + tokens live here. | | `mammut` (`ssh mammut`) | The Mastodon instance. `tootctl`/Rails run inside the `live-web-1` container. Bot accounts + tokens live here. |
Full ops history is in secondbrain `yttrx-documentation/changelog.md`; the Full ops history is in secondbrain `yttrx-documentation/changelog.md`; the
@@ -38,20 +38,18 @@ user-memory note `project_welcomebot` has the current state.
## HARD RULES ## HARD RULES
- **Never overwrite the `.env` on `admin.yttrx.com`.** It holds the live - **Never overwrite the `.env` on `admin.yttrx.com`.** It holds the live
`WEBHOOK_SECRET`, `BOT_ACCESS_TOKEN`, and `ABUSE_BOT_TOKEN`. It is untracked `WEBHOOK_SECRET`, `BOT_ACCESS_TOKEN`, and `ABUSE_BOT_TOKEN`. Edit it in place
(gitignored) in the deploy checkout — `git pull`/`git reset` never touch it. for new vars.
Edit it in place for new vars. - **Never commit secrets.** `.env` is git- and docker-ignored on the workstation
- **Never commit secrets.** `.env` is git- and docker-ignored. Tokens/passwords repo. Tokens/passwords must not land in this repo, the changelog, or
must not land in this repo, the changelog, or CLAUDE.md. CLAUDE.md.
- The bot **silences** (reversible), it does not suspend by default - The bot **silences** (reversible), it does not suspend by default
(`ABUSE_ACTION=silence`). It applies the action **without** `report_id` so the (`ABUSE_ACTION=silence`). It applies the action **without** `report_id` so the
report stays open for human review. report stays open for human review.
- **`git` commands on admin.yttrx.com run as root** against a repo whose files - **`admin.yttrx.com`'s `/root/yttrx-welcomebot/` is not a git repo any more**
are `chown`ed to `waffles` (see below) — root's global config there already (cleaned up 2026-07-06). Don't `git init`/clone it back into place — the
has `safe.directory /root/yttrx-welcomebot` set to avoid the "dubious registry image + `docker-compose.yml`/`.env` is the whole deploy surface now.
ownership" error; don't need to re-add it, but if the repo is ever All source lives in the workstation repo / Gitea only.
reconstructed at that path from scratch, re-run
`git config --global --add safe.directory /root/yttrx-welcomebot`.
## Deploy procedure (workstation → admin.yttrx.com) ## Deploy procedure (workstation → admin.yttrx.com)
@@ -61,34 +59,32 @@ cd ~/yttrx-welcomebot
python3 -m venv .venv && . .venv/bin/activate && pip install -q -r requirements.txt python3 -m venv .venv && . .venv/bin/activate && pip install -q -r requirements.txt
WEBHOOK_SECRET=testsecret BOT_ACCESS_TOKEN=x python test_local.py # -> ALL TESTS PASSED WEBHOOK_SECRET=testsecret BOT_ACCESS_TOKEN=x python test_local.py # -> ALL TESTS PASSED
# 2. Commit + push to origin (git.blairhaus.net) # 2. Commit + push to origin (git.blairhaus.net) — this fires
# .gitea/workflows/docker-build-push.yml, which builds and pushes
# gitea.blairhaus.net/pmb/yttrx-welcomebot:latest + :<sha>
git add -A && git commit -m "..." git add -A && git commit -m "..."
git push origin main git push origin main
# 3. Pull on admin.yttrx.com (.env is gitignored — untouched by pull/reset) # 3. Wait for the CI run to succeed (Gitea UI, or the Actions API), then pull
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && git pull origin main' # the freshly-built image on admin.yttrx.com and restart. No git anywhere
# on this box any more — it's just docker-compose.yml + .env. Named volume
# welcomebot-data persists the dedup db across this.
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d'
# 4. Re-normalise ownership if new files were added (chown is not tracked by git) # 4. If new env vars were added this release, set them IN PLACE on the box, e.g.
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && chown -R waffles:waffles . && \
chown root:root .env; chmod 600 .env'
# 5. If new env vars were added this release, set them IN PLACE on the box, e.g.
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \ ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \
grep -q "^NEW_VAR=" .env || echo "NEW_VAR=value" >> .env' grep -q "^NEW_VAR=" .env || echo "NEW_VAR=value" >> .env'
# 6. Pull the freshly-CI-built image and restart (named volume welcomebot-data
# persists the dedup db; the volume name is derived from the directory
# basename, which is unchanged, so it survived the rsync -> git-checkout
# conversion). Wait for the .gitea/workflows/docker-build-push.yml run to
# finish first (push -> CI builds+pushes :latest) or this just re-pulls the
# previous tag.
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d'
``` ```
Rollback is now `git checkout <previous-sha> -- .` (or `git revert`) instead of Rollback: revert/checkout the previous commit on the workstation repo and push
restoring `.bak` files. `.env.bak-*` snapshots from past deploys remain on the box; the (or manually retag/push an older image to `:latest`), wait for CI, then re-run
full pre-git-conversion tree (`/root/yttrx-welcomebot.pre-git-*/`) was removed step 3. There's no local `.bak` source tree on admin.yttrx.com to fall back to
2026-07-02 once the git checkout was verified identical. any more — the workstation repo / Gitea history is the only source of truth.
`.env.bak-*` snapshots from past deploys remain on the box for env-var
rollback specifically. A full tar of the pre-cleanup git checkout is at
`/root/yttrx-welcomebot.pre-cleanup-20260706.tar.gz` if source-level history
from that tree is ever needed (it shouldn't be — everything in it is also in
git history).
### Verify ### Verify
@@ -133,22 +129,35 @@ ssh admin.yttrx.com welcomebot-signups -a someuser
ssh admin.yttrx.com welcomebot-signups -n all ssh admin.yttrx.com welcomebot-signups -n all
``` ```
Both CLIs are just files tracked in this repo now — after editing either one, Both CLIs are tracked in this repo (`bin/welcomebot-logs`, `bin/welcomebot-signups`)
reinstall with: but **not** deployed via git any more — `admin.yttrx.com` has no checkout of this
repo since the 2026-07-06 cleanup. After editing either one, reinstall by copying
directly from the workstation:
```bash ```bash
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && git pull origin main && \ scp bin/welcomebot-logs bin/welcomebot-signups admin.yttrx.com:/root/bin/
install -m755 bin/welcomebot-logs bin/welcomebot-signups /root/bin/' ssh admin.yttrx.com 'chmod 755 /root/bin/welcomebot-logs /root/bin/welcomebot-signups'
# /usr/local/bin/welcomebot-{logs,signups} are symlinks to /root/bin — no # /usr/local/bin/welcomebot-{logs,signups} are symlinks to /root/bin — no
# need to touch them again once created. # need to touch them again once created.
``` ```
### Rollback ### Rollback
There's no `app/main.py.bak-*` on `admin.yttrx.com` any more — the deploy
directory holds only `docker-compose.yml` + `.env`. To roll back the app code,
revert/retag on the workstation repo, get a rolled-back image into the registry
(push an older commit and let CI rebuild, or manually `docker build`/`push` an
old checkout), then:
```bash
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && docker-compose pull && docker-compose up -d'
```
For `.env`-only rollback, `.env.bak-*` snapshots remain on the box:
```bash ```bash
ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \ ssh admin.yttrx.com 'cd /root/yttrx-welcomebot && \
cp app/main.py.bak-YYYYMMDD app/main.py && cp .env.bak-YYYYMMDD .env && \ cp .env.bak-YYYYMMDD .env && docker-compose up -d'
docker-compose up -d --build'
``` ```
## Rollout safety: dry-run ## Rollout safety: dry-run