SILVER
/
NODEDC_PLATFORM
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Harden launcher-only NAS deploy path

This commit is contained in:
Codex 2026-05-24 10:28:17 +03:00
parent 8c8a5b5975
commit e9def6672c
3 changed files with 40 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
docs/CURRENT_INFRA_HANDOFF.md
View File

@ -251,7 +251,7 @@ GATEWAY_REPO=/Users/dcconstructions/Downloads/mnt/data/NODEDC_TASKMANAGER_CODEXA
./infra/synology/deploy-current.sh ./infra/synology/deploy-current.sh
``` ```
The script syncs platform deploy files plus optional Launcher, Tasker, and Ops Agents Gateway source copies. It prints the Docker commands that must be run on Synology, because Docker there requires interactive `sudo`. The script syncs platform deploy files plus optional Launcher, Tasker, and Ops Agents Gateway source copies. Authentik custom templates are not synced by default; set `SYNC_AUTHENTIK_TEMPLATES=1` only for a deliberate Authentik UI/theme rollout. The script prints the Docker commands that must be run on Synology, because Docker there requires interactive `sudo`.
Tasker full source sync over SMB is intentionally not the default. Use `TASKER_CHANGED_BASE=<commit>` for normal deploys, or `TASKER_SYNC_SOURCE=1` only when a full source refresh is required. Tasker full source sync over SMB is intentionally not the default. Use `TASKER_CHANGED_BASE=<commit>` for normal deploys, or `TASKER_SYNC_SOURCE=1` only when a full source refresh is required.
@ -278,7 +278,7 @@ The platform Authentik service exposes a stable identity-network alias in the Sy
nodedc-platform-authentik-server nodedc-platform-authentik-server
``` ```
When changing this alias or Authentik env wiring, recreate `authentik-server`, `authentik-worker`, and `launcher` together. A freshly recreated Authentik server can temporarily return `503 Service Unavailable` until the worker/bootstrap path is ready, so verify with retry from inside the launcher container. When changing this alias or Authentik env wiring, recreate `authentik-server`, `authentik-worker`, and `launcher` together. A freshly recreated Authentik server can temporarily return `503 Service Unavailable` until the worker/bootstrap path is ready, so verify with retry from inside the launcher container. For Launcher-only BFF/frontend fixes, rebuild `nodedc/launcher:local` and recreate only `launcher`.
Launcher image build is done from the Launcher repo when frontend/backend code changes: Launcher image build is done from the Launcher repo when frontend/backend code changes:

22
infra/synology/README.md
View File

@ -44,7 +44,7 @@ http://task.nas.nodedc:18090
- `docker-compose.platform-http.yml` поднимает новый Authentik, Launcher и Caddy edge. - `docker-compose.platform-http.yml` поднимает новый Authentik, Launcher и Caddy edge.
- `Caddyfile.http` маршрутизирует локальные `auth/launcher/task.nas.nodedc` и внешние `id/hub/ops.nodedc.ru`. - `Caddyfile.http` маршрутизирует локальные `auth/launcher/task.nas.nodedc` и внешние `id/hub/ops.nodedc.ru`.
- `deploy-current.sh` синхронизирует compose, Caddyfile, Authentik templates и опционально Launcher source в NAS mount. - `deploy-current.sh` синхронизирует compose, Caddyfile и опционально Launcher source в NAS mount. Authentik templates синхронизируются только при явном `SYNC_AUTHENTIK_TEMPLATES=1`.
- `backup-current.sh` делает snapshot Launcher runtime/uploads/Auth templates/config и готовит команду `pg_dump` для Authentik Postgres. - `backup-current.sh` делает snapshot Launcher runtime/uploads/Auth templates/config и готовит команду `pg_dump` для Authentik Postgres.
- Tasker поднимается отдельным compose из `NODEDC_TASKMANAGER/plane-app/docker-compose.yaml` на порту `18090`. - Tasker поднимается отдельным compose из `NODEDC_TASKMANAGER/plane-app/docker-compose.yaml` на порту `18090`.
- Ops Agents Gateway поднимается отдельным compose из `NODEDC_TASKMANAGER_CODEXAPI/docker-compose.synology.yml` на `172.22.0.222:18190`; Synology reverse proxy должен вести `ops-agents.nodedc.ru` на этот порт, а не на `18090`. - Ops Agents Gateway поднимается отдельным compose из `NODEDC_TASKMANAGER_CODEXAPI/docker-compose.synology.yml` на `172.22.0.222:18190`; Synology reverse proxy должен вести `ops-agents.nodedc.ru` на этот порт, а не на `18090`.
@ -108,7 +108,8 @@ GATEWAY_REPO=/Users/dcconstructions/Downloads/mnt/data/NODEDC_TASKMANAGER_CODEXA
Что синхронизируется: Что синхронизируется:
- Platform compose/Caddy/Auth templates. - Platform compose/Caddy.
- Authentik templates только при `SYNC_AUTHENTIK_TEMPLATES=1`; по умолчанию они не трогаются, чтобы лёгкий Hub deploy не уносил экспериментальную тему/брендинг в prod.
- Launcher source в `/volume1/docker/nodedc-platform/launcher/source`. - Launcher source в `/volume1/docker/nodedc-platform/launcher/source`.
- Tasker `plane-app/docker-compose.yaml` и, если задан `TASKER_CHANGED_BASE`, только изменённые source-файлы из диапазона `TASKER_CHANGED_BASE..HEAD`. - Tasker `plane-app/docker-compose.yaml` и, если задан `TASKER_CHANGED_BASE`, только изменённые source-файлы из диапазона `TASKER_CHANGED_BASE..HEAD`.
- Ops Agents Gateway source в `/volume1/docker/nodedc-platform/ops-agents`. - Ops Agents Gateway source в `/volume1/docker/nodedc-platform/ops-agents`.
@ -127,6 +128,23 @@ TASKER_SYNC_SOURCE=1 ./infra/synology/deploy-current.sh
Если emergency-fix был сделан прямо на Synology в этих env-файлах, перенести sanitized-значение в `.env.synology.example`/docs, а секрет оставить только в live env. Если emergency-fix был сделан прямо на Synology в этих env-файлах, перенести sanitized-значение в `.env.synology.example`/docs, а секрет оставить только в live env.
## Лёгкое обновление Hub / Launcher
Для правок только в Launcher/BFF не пересоздавать Authentik, reverse-proxy, Tasker и Ops Agents:
```bash
cd /volume1/docker/nodedc-platform/launcher/source
sudo /usr/local/bin/docker build -t nodedc/launcher:local .
cd /volume1/docker/nodedc-platform/platform
sudo /usr/local/bin/docker compose \
--env-file /volume1/docker/nodedc-platform/platform/.env.synology \
-f /volume1/docker/nodedc-platform/platform/docker-compose.platform-http.yml \
up -d --force-recreate --no-deps launcher
```
После такого deploy проверить `healthz`, запись в launcher storage/uploads и сценарий пользователя без аппрува: сохранение аватара не должно показывать экран `Заявка ожидает подтверждения`.
## Backup текущего состояния ## Backup текущего состояния
С Mac, при смонтированном `/Volumes/docker`: С Mac, при смонтированном `/Volumes/docker`:

19
infra/synology/deploy-current.sh
View File

@ -9,6 +9,7 @@ TASKER_REPO="${TASKER_REPO:-}"
TASKER_SYNC_SOURCE="${TASKER_SYNC_SOURCE:-0}" TASKER_SYNC_SOURCE="${TASKER_SYNC_SOURCE:-0}"
TASKER_CHANGED_BASE="${TASKER_CHANGED_BASE:-}" TASKER_CHANGED_BASE="${TASKER_CHANGED_BASE:-}"
GATEWAY_REPO="${GATEWAY_REPO:-}" GATEWAY_REPO="${GATEWAY_REPO:-}"
SYNC_AUTHENTIK_TEMPLATES="${SYNC_AUTHENTIK_TEMPLATES:-0}"
if [[ ! -d "${NAS_ROOT}" ]]; then if [[ ! -d "${NAS_ROOT}" ]]; then
echo "NAS_ROOT not found: ${NAS_ROOT}" >&2 echo "NAS_ROOT not found: ${NAS_ROOT}" >&2
@ -16,7 +17,7 @@ if [[ ! -d "${NAS_ROOT}" ]]; then
exit 1 exit 1
fi fi
mkdir -p "${NAS_ROOT}/platform" "${NAS_ROOT}/authentik/custom-templates" mkdir -p "${NAS_ROOT}/platform"
rsync -av \ rsync -av \
"${PLATFORM_REPO}/infra/synology/docker-compose.platform-http.yml" \ "${PLATFORM_REPO}/infra/synology/docker-compose.platform-http.yml" \
@ -31,9 +32,14 @@ rsync -av \
"${PLATFORM_REPO}/infra/synology/backup-current.sh" \ "${PLATFORM_REPO}/infra/synology/backup-current.sh" \
"${NAS_ROOT}/platform/" "${NAS_ROOT}/platform/"
rsync -av --delete \ if [[ "${SYNC_AUTHENTIK_TEMPLATES}" == "1" ]]; then
mkdir -p "${NAS_ROOT}/authentik/custom-templates"
rsync -av --delete \
"${PLATFORM_REPO}/infra/authentik/custom-templates/" \ "${PLATFORM_REPO}/infra/authentik/custom-templates/" \
"${NAS_ROOT}/authentik/custom-templates/" "${NAS_ROOT}/authentik/custom-templates/"
else
echo "SYNC_AUTHENTIK_TEMPLATES=0; Authentik custom templates were not synced."
fi
if [[ -n "${LAUNCHER_REPO}" ]]; then if [[ -n "${LAUNCHER_REPO}" ]]; then
if [[ ! -d "${LAUNCHER_REPO}" ]]; then if [[ ! -d "${LAUNCHER_REPO}" ]]; then
@ -166,7 +172,14 @@ cd /volume1/docker/nodedc-platform/platform
sudo /usr/local/bin/docker compose \ sudo /usr/local/bin/docker compose \
--env-file /volume1/docker/nodedc-platform/platform/.env.synology \ --env-file /volume1/docker/nodedc-platform/platform/.env.synology \
-f /volume1/docker/nodedc-platform/platform/docker-compose.platform-http.yml \ -f /volume1/docker/nodedc-platform/platform/docker-compose.platform-http.yml \
up -d --force-recreate launcher reverse-proxy authentik-server authentik-worker up -d --force-recreate --no-deps launcher
Optional Platform/Auth infra apply, only after deliberate compose/proxy/Auth templates changes:
sudo /usr/local/bin/docker compose \
--env-file /volume1/docker/nodedc-platform/platform/.env.synology \
-f /volume1/docker/nodedc-platform/platform/docker-compose.platform-http.yml \
up -d --force-recreate --no-deps reverse-proxy authentik-server authentik-worker launcher
Verify: Verify: