recipe-maintainers/recipe-maintainer
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
460eba090ba6765b05a929d32d16ca984cf66e5a
recipe-maintainer/.claude/commands/sync-secrets.md
autonomic-bot f283a371bb recipe-maintainer: public snapshot (secrets + deployment plans removed, single commit) 
Sanitized single-commit public mirror of recipe-maintainer.
- Removed test-ssh/.testenv (live creds); added test-ssh/.testenv.example placeholders.
- Removed plans/ and planned-updates/ (deployment-planning docs) so no client/
  deployment domains appear in the public repo.
- All other secret stores were already gitignored.
- docs.coopcloud.tech retained as a submodule (public upstream).
2026-06-16 20:18:24 +00:00

72 lines
3.2 KiB
Markdown
Raw Blame History

---
description: Sync Docker secrets from the test server into recipe-info/testsecrets/
argument-hint: [recipe-name]
allowed-tools: [Bash, Read, Grep, Glob]
---
# Sync Secrets
Deploy each app on the current test instance one at a time, read its Docker secrets from the running containers, update the local `recipe-info/testsecrets/` file, then undeploy the app before moving on to the next.
The optional recipe name is: $ARGUMENTS
Read and follow the instructions in `.claude/commands/includes/logging.md`.
## Background
Each recipe's Docker secrets are mounted at `/run/secrets/` inside containers. The `recipe-info/testsecrets/<domain>` files store these values locally so that setup scripts (via `lib/secrets.py`) can look them up dynamically. When secrets are regenerated on the server or you switch test instances, the local files become stale — this skill re-syncs them by deploying each app temporarily to read its secrets.
## Steps
1. **Check prerequisites**:
- Read `settings.toml` to confirm the active test instance (or run `python3 scripts/get_test_instance.py` to check).
- Verify SSH connectivity to the server: `ssh <server> echo ok`
- Ensure the ssh-agent has the key loaded. If SSH fails, run:
```bash
eval "$(ssh-agent -s)" && ssh-add /workspace/test-ssh/test-ssh-keys/nptest
```
2. **Build the recipe list**:
- If a recipe name was provided in `$ARGUMENTS`, use only that recipe.
- Otherwise, find all recipes that have a `recipe-info/<recipe>/recipe.toml` file.
- Get the domain for each recipe by running: `python3 scripts/get_test_instance.py --recipe <recipe>`
3. **Check which apps are already running** — run:
```bash
abra app ls --server <instance>.commoninternet.net -S -m
```
Parse the output to build a list of apps that are already deployed. These will NOT be undeployed after syncing (we leave them as we found them).
4. **For each recipe, sequentially**:
a. **Deploy** the app (if not already running):
```bash
abra app deploy <domain> --chaos --force --no-input
```
Wait for it to converge. If the deploy fails, log the error, skip this recipe, and continue to the next.
b. **Wait for containers** — give services a moment to start (10-15 seconds), then verify at least one container is running:
```bash
ssh <server> "docker ps -q --filter 'name=<stack>_' | head -1"
```
The stack name is the domain with dots replaced by underscores (e.g. `<recipe>.<DOMAIN_SUFFIX>` → `<recipe>_<DOMAIN_SUFFIX_WITH_UNDERSCORES>`).
c. **Read secrets** — run the sync script for this recipe:
```bash
python3 scripts/sync_secrets.py --recipe <recipe>
```
d. **Undeploy** (only if the app was NOT already running before step 3):
```bash
abra app undeploy <domain> --no-input
```
e. Log the result for this recipe before moving to the next.
5. **Verify** — spot-check one or two updated testsecrets files by reading them and confirming the values look like real secrets (not empty or error messages).
6. **Summarise** — tell the user:
- Which instance was synced (`<instance>.commoninternet.net`).
- How many recipes were synced vs failed.
- Which apps were left running (because they were already deployed before the sync).
Reference in New Issue View Git Blame Copy Permalink