hephaestus/docs/how-to/self-update/service-env-forge-access.md
Erich Blume 240c8a9f68 C2(hephd-self-update): close service-env-forge-access
Public repo => anonymous HTTPS clone, no credentials (the SSH/canonical
premise was wrong: that was the access-restricted cargo registry, not git
clone). Install URL points at the canonical public host (verified end to
end); the service template bakes cargo onto PATH. Card rewritten to
reflect what actually happened.
2026-06-04 14:47:05 -07:00

title modified tags requires
Service env forge access 2026-06-04
how-to

Service env forge access

The runtime-environment prerequisite for the apply path: a hephd started by launchd/systemd runs with a minimal environment, so it must be able to find cargo and fetch the repo when it runs cargo install.

Resolved (and how the original premise was wrong)

This card was first written assuming self-update needed forge SSH credentials for a headless service — because the install how-to uses ssh://forgejo@forge.ops.eblu.me:2222/…. That premise was wrong:

  • hephaestus is a public repo, and cargo install --git is a plain anonymous git clone, not a fetch from the Forgejo cargo registry. The registry is access-restricted and is the thing that required forge.ops.eblu.me; it is unrelated to git clone. So no credentials, no SSH, no deploy key.
  • Verified end-to-end: cargo install --git https://forge.eblu.me/eblume/hephaestus.git --tag v1.0.3 hephd builds a working binary anonymously. Self-update uses that canonical public HTTPS URL (INSTALL_GIT_URL), and the release poll uses the same host.

So the only real requirement was the environment, handled in crates/heph/src/service.rs: heph daemon start --self-update generates a launchd/systemd service that passes --self-update and bakes in a PATH (including ~/.cargo/bin) and HOME, so the minimal service env can find cargo and the toolchain. restart preserves the setting. Default services are unchanged.

Remaining (owner)

The Rust toolchain must be installed for the service user (cargo builds from source), and a real on-device run — enable --self-update, then confirm a live upgrade when the next release lands — is the final end-to-end check. See hephd-self-update.
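
A preflight for the two requirements above (cargo reachable from the baked PATH for the service user, repo readable anonymously over HTTPS), as an added example rather than hephaestus code. The function names and the exact PATH layout in baked_path are assumptions; only ~/.cargo/bin and the install URL come from this page.

```shell
#!/bin/sh
# Added example (not hephaestus code): preflight for the environment a
# launchd/systemd-started hephd would run `cargo install --git` in.

INSTALL_GIT_URL="https://forge.eblu.me/eblume/hephaestus.git"  # URL from the page

# baked_path HOME -> a PATH a generated service might carry. Assumed layout:
# the page only states that ~/.cargo/bin is included.
baked_path() {
    printf '%s/.cargo/bin:/usr/local/bin:/usr/bin:/bin\n' "$1"
}

# path_is_safe PATH -> 0 only if every entry is absolute. Empty or relative
# entries resolve against the service's working directory, which a baked
# service PATH should never depend on.
path_is_safe() {
    case "$1" in
        ''|:*|*:|*::*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        case "$entry" in
            /*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# resolve_in_service_env HOME PATH TOOL -> prints where TOOL resolves when
# only HOME and PATH are set, as in a minimal service environment.
resolve_in_service_env() {
    env -i HOME="$1" PATH="$2" /bin/sh -c 'command -v "$1"' sh "$3"
}

# anonymous_clone_ok HOME PATH -> 0 if the repo's tags are readable with no
# credential helper and no terminal prompt (needs network access).
anonymous_clone_ok() {
    env -i HOME="$1" PATH="$2" GIT_TERMINAL_PROMPT=0 \
        git -c credential.helper= ls-remote --tags "$INSTALL_GIT_URL" >/dev/null
}

# Run as the service user: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    p=$(baked_path "$HOME")
    path_is_safe "$p" && resolve_in_service_env "$HOME" "$p" cargo \
        && anonymous_clone_ok "$HOME" "$p" && echo "service env OK"
fi
```

Because env -i drops SSH_AUTH_SOCK and every other inherited variable, a pass here shows the fetch works without any credential present in the service's environment.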