hephaestus/docs/how-to/self-update/service-env-forge-access.md
Erich Blume e6524fddbb
C2(hephd-self-update): plan add goal + prerequisite cards for hephd self-update
Kick off the C2 Mikado chain for an opt-in (default-off) hephd
self-update mode (forge-poll -> cargo install from tag -> self-restart).
Goal card plus eight prerequisite cards, indexed from how-to.md:

  release-poll-version-check, self-update-opt-in-flag (leaves)
    -> self-update-poll-loop                 (notify-only core)
  service-env-forge-access (leaf, the cargo/forge blocker)
    + self-update-poll-loop -> cargo-install-from-tag
  service-respawn-on-clean-exit (leaf, systemd Restart=always)
    + cargo-install-from-tag -> self-restart-after-update
  verify-hub-dropout-resilience (leaf, lock in the base-case guarantee)

Grounded in research of hephd's sync loop, daemon lifecycle, the
launchd/systemd service templates, and the forge releases API.
Captured from Hephaestus task 01KTA2NSNRYT902HC3VRW00S1J.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-04 13:20:46 -07:00

title: Service env forge access
modified: 2026-06-04
tags: how-to
status: active
requires:

Service env forge access

The known blocker. cargo install --git ssh://forgejo@forge.ops.eblu.me:2222/… works from an interactive shell (it has an SSH agent/key and cargo on PATH) — but the daemon runs under launchd/systemd, whose environment likely has neither. Self-update via cargo can't work until the service context can reach the forge and run cargo.

What to establish

  • cargo + toolchain on the service PATH. launchd/systemd start with a minimal env; ~/.cargo/bin and rustup's toolchain must be discoverable. Likely bake PATH/EnvironmentFile into the generated plist/unit (crates/heph/src/service.rs).
  • Forge SSH auth without an interactive agent. Options to evaluate: a dedicated read-only deploy key referenced via GIT_SSH_COMMAND/an SSH config entry, or SSH_AUTH_SOCK exported to the service. Must work headless.
  • The canonical-host caveat. Owner note: cargo rejects forge.ops.eblu.me over HTTPS because the forge advertises forge.eblu.me as canonical; the SSH URL on port 2222 sidesteps this and is the proven path (used by the install how-to and the v1.0.3 redeploy). Pin self-update to the SSH URL; capture any insteadOf/known_hosts setup needed headlessly.

Done when

A hephd running as the installed service can, in its own environment, complete cargo install --locked --git ssh://… --tag <known-good> hephd non-interactively. Unblocks cargo-install-from-tag. Part of hephd-self-update.
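
A preflight for the "Done when" criterion, as an added example that is not part of hephd: it reruns the checks under env -i so that nothing from the interactive shell (agent socket, login PATH) leaks in. The function names, the deploy-key and known_hosts paths, and the FORGE_URL variable are assumptions. It takes the deploy-key option, which depends on cargo fetching through the git CLI, because GIT_SSH_COMMAND is read by git and not by cargo's built-in git library.

```shell
#!/bin/sh
# Added example, not hephd's code. Function names, key path and known_hosts
# path are assumptions (paths without spaces); FORGE_URL comes from the caller.

# ssh command that can never prompt: BatchMode disables passphrase/password
# prompts, IdentitiesOnly ignores agent keys, StrictHostKeyChecking=yes fails
# on an unknown host key instead of asking. The known_hosts file must already
# hold the forge's key (OpenSSH records a non-default port as [host]:port).
forge_ssh_command() {
    printf 'ssh -i %s -o IdentitiesOnly=yes -o BatchMode=yes' "$1"
    printf ' -o StrictHostKeyChecking=yes -o UserKnownHostsFile=%s' "$2"
}

# Print the tools (args 2..n) that do not resolve when PATH is exactly $1.
missing_tools() {
    svc_path=$1; shift
    missing=
    for tool in "$@"; do
        env -i PATH="$svc_path" /bin/sh -c 'command -v "$1" >/dev/null 2>&1' sh "$tool" \
            || missing="$missing $tool"
    done
    printf '%s' "${missing# }"
}

# Run a command with nothing inherited from the interactive shell (no
# SSH_AUTH_SOCK, no login PATH), roughly what launchd/systemd would provide.
# CARGO_NET_GIT_FETCH_WITH_CLI makes cargo use the git CLI, which is what
# honours GIT_SSH_COMMAND.
run_as_service() {
    svc_path=$1; ssh_cmd=$2; shift 2
    env -i HOME="$HOME" PATH="$svc_path" GIT_SSH_COMMAND="$ssh_cmd" \
        CARGO_NET_GIT_FETCH_WITH_CLI=true "$@"
}

# Preflight, run only when the caller supplies FORGE_URL (the full ssh:// URL).
if [ -n "${FORGE_URL-}" ]; then
    svc_path="$HOME/.cargo/bin:/usr/bin:/bin"
    ssh_cmd=$(forge_ssh_command "$HOME/.ssh/hephd_deploy" "$HOME/.ssh/known_hosts_forge")
    gone=$(missing_tools "$svc_path" cargo git ssh)
    [ -z "$gone" ] || { echo "not on service PATH: $gone" >&2; exit 1; }
    run_as_service "$svc_path" "$ssh_cmd" git ls-remote --tags "$FORGE_URL" >/dev/null \
        || { echo "headless forge auth failed" >&2; exit 1; }
    echo "service env can reach the forge"
fi
```

Once this passes, the same run_as_service wrapper can carry the cargo install --locked --git … --tag … command, and the PATH and GIT_SSH_COMMAND values it used are the ones to bake into the generated plist/unit.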