Harden launcher-only NAS deploy path

This commit is contained in:
Codex 2026-05-24 10:28:17 +03:00
parent 8c8a5b5975
commit e9def6672c
3 changed files with 40 additions and 9 deletions

View File

@ -251,7 +251,7 @@ GATEWAY_REPO=/Users/dcconstructions/Downloads/mnt/data/NODEDC_TASKMANAGER_CODEXA
./infra/synology/deploy-current.sh
```
The script syncs platform deploy files plus optional Launcher, Tasker, and Ops Agents Gateway source copies. It prints the Docker commands that must be run on Synology, because Docker there requires interactive `sudo`.
The script syncs platform deploy files plus optional Launcher, Tasker, and Ops Agents Gateway source copies. Authentik custom templates are not synced by default; set `SYNC_AUTHENTIK_TEMPLATES=1` only for a deliberate Authentik UI/theme rollout. The script prints the Docker commands that must be run on Synology, because Docker there requires interactive `sudo`.
Tasker full source sync over SMB is intentionally not the default. Use `TASKER_CHANGED_BASE=<commit>` for normal deploys, or `TASKER_SYNC_SOURCE=1` only when a full source refresh is required.
@ -278,7 +278,7 @@ The platform Authentik service exposes a stable identity-network alias in the Sy
nodedc-platform-authentik-server
```
When changing this alias or Authentik env wiring, recreate `authentik-server`, `authentik-worker`, and `launcher` together. A freshly recreated Authentik server can temporarily return `503 Service Unavailable` until the worker/bootstrap path is ready, so verify with retry from inside the launcher container.
When changing this alias or Authentik env wiring, recreate `authentik-server`, `authentik-worker`, and `launcher` together. A freshly recreated Authentik server can temporarily return `503 Service Unavailable` until the worker/bootstrap path is ready, so verify with retry from inside the launcher container. For Launcher-only BFF/frontend fixes, rebuild `nodedc/launcher:local` and recreate only `launcher`.
Launcher image build is done from the Launcher repo when frontend/backend code changes:
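Review bot: the new sentence "rebuild `nodedc/launcher:local` and recreate only `launcher`" does not say that the recreate must use `--no-deps`; without it, `docker compose up --force-recreate launcher` also recreates the services `launcher` depends on, which is exactly the Authentik restart (and temporary `503 Service Unavailable`) the preceding sentence warns about. Suggest stating the flag here and pointing to the lightweight Hub/Launcher section so the two descriptions cannot drift apart.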

View File

@ -44,7 +44,7 @@ http://task.nas.nodedc:18090
- `docker-compose.platform-http.yml` поднимает новый Authentik, Launcher и Caddy edge.
- `Caddyfile.http` маршрутизирует локальные `auth/launcher/task.nas.nodedc` и внешние `id/hub/ops.nodedc.ru`.
- `deploy-current.sh` синхронизирует compose, Caddyfile, Authentik templates и опционально Launcher source в NAS mount.
- `deploy-current.sh` синхронизирует compose, Caddyfile и опционально Launcher source в NAS mount. Authentik templates синхронизируются только при явном `SYNC_AUTHENTIK_TEMPLATES=1`.
- `backup-current.sh` делает snapshot Launcher runtime/uploads/Auth templates/config и готовит команду `pg_dump` для Authentik Postgres.
- Tasker поднимается отдельным compose из `NODEDC_TASKMANAGER/plane-app/docker-compose.yaml` на порту `18090`.
- Ops Agents Gateway поднимается отдельным compose из `NODEDC_TASKMANAGER_CODEXAPI/docker-compose.synology.yml` на `172.22.0.222:18190`; Synology reverse proxy должен вести `ops-agents.nodedc.ru` на этот порт, а не на `18090`.
@ -108,7 +108,8 @@ GATEWAY_REPO=/Users/dcconstructions/Downloads/mnt/data/NODEDC_TASKMANAGER_CODEXA
Что синхронизируется:
- Platform compose/Caddy/Auth templates.
- Platform compose/Caddy.
- Authentik templates только при `SYNC_AUTHENTIK_TEMPLATES=1`; по умолчанию они не трогаются, чтобы лёгкий Hub deploy не уносил экспериментальную тему/брендинг в prod.
- Launcher source в `/volume1/docker/nodedc-platform/launcher/source`.
- Tasker `plane-app/docker-compose.yaml` и, если задан `TASKER_CHANGED_BASE`, только изменённые source-файлы из диапазона `TASKER_CHANGED_BASE..HEAD`.
- Ops Agents Gateway source в `/volume1/docker/nodedc-platform/ops-agents`.
@ -127,6 +128,23 @@ TASKER_SYNC_SOURCE=1 ./infra/synology/deploy-current.sh
Если emergency-fix был сделан прямо на Synology в этих env-файлах, перенести sanitized-значение в `.env.synology.example`/docs, а секрет оставить только в live env.
## Лёгкое обновление Hub / Launcher
Для правок только в Launcher/BFF не пересоздавать Authentik, reverse-proxy, Tasker и Ops Agents:
```bash
cd /volume1/docker/nodedc-platform/launcher/source
sudo /usr/local/bin/docker build -t nodedc/launcher:local .
cd /volume1/docker/nodedc-platform/platform
sudo /usr/local/bin/docker compose \
--env-file /volume1/docker/nodedc-platform/platform/.env.synology \
-f /volume1/docker/nodedc-platform/platform/docker-compose.platform-http.yml \
up -d --force-recreate --no-deps launcher
```
После такого deploy проверить `healthz`, запись в launcher storage/uploads и сценарий пользователя без аппрува: сохранение аватара не должно показывать экран `Заявка ожидает подтверждения`.
## Backup текущего состояния
С Mac, при смонтированном `/Volumes/docker`:
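Review bot: the "lightweight" procedure builds with `sudo docker build -t nodedc/launcher:local .` from the synced source directory, but nothing in this section says the build context is expected to be clean; if the source sync does not remove files that were deleted upstream, stale files end up in the image. Also, the verification step ("check `healthz`, a write to storage/uploads, and the no-approval user flow") is prose only; give the concrete `healthz` command (or at least the URL) so the check is reproducible, and note that `--no-deps` means Authentik and the reverse proxy are deliberately left as they are.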

View File

@ -9,6 +9,7 @@ TASKER_REPO="${TASKER_REPO:-}"
TASKER_SYNC_SOURCE="${TASKER_SYNC_SOURCE:-0}"
TASKER_CHANGED_BASE="${TASKER_CHANGED_BASE:-}"
GATEWAY_REPO="${GATEWAY_REPO:-}"
SYNC_AUTHENTIK_TEMPLATES="${SYNC_AUTHENTIK_TEMPLATES:-0}"
if [[ ! -d "${NAS_ROOT}" ]]; then
echo "NAS_ROOT not found: ${NAS_ROOT}" >&2
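Review bot: `SYNC_AUTHENTIK_TEMPLATES` defaults to `0` but its value is never validated, and the later check is a strict `== "1"`, so `SYNC_AUTHENTIK_TEMPLATES=true` or `=yes` silently takes the skip branch while the operator believes templates were rolled out. Suggest rejecting anything other than `0` or `1` right here, next to the existing `NAS_ROOT` check, e.g. `case "${SYNC_AUTHENTIK_TEMPLATES}" in 0|1) ;; *) echo "SYNC_AUTHENTIK_TEMPLATES must be 0 or 1" >&2; exit 1;; esac`.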
@ -16,7 +17,7 @@ if [[ ! -d "${NAS_ROOT}" ]]; then
exit 1
fi
mkdir -p "${NAS_ROOT}/platform" "${NAS_ROOT}/authentik/custom-templates"
mkdir -p "${NAS_ROOT}/platform"
rsync -av \
"${PLATFORM_REPO}/infra/synology/docker-compose.platform-http.yml" \
@ -31,9 +32,14 @@ rsync -av \
"${PLATFORM_REPO}/infra/synology/backup-current.sh" \
"${NAS_ROOT}/platform/"
if [[ "${SYNC_AUTHENTIK_TEMPLATES}" == "1" ]]; then
mkdir -p "${NAS_ROOT}/authentik/custom-templates"
rsync -av --delete \
"${PLATFORM_REPO}/infra/authentik/custom-templates/" \
"${NAS_ROOT}/authentik/custom-templates/"
else
echo "SYNC_AUTHENTIK_TEMPLATES=0; Authentik custom templates were not synced."
fi
if [[ -n "${LAUNCHER_REPO}" ]]; then
if [[ ! -d "${LAUNCHER_REPO}" ]]; then
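Review bot: `rsync -av --delete` on `custom-templates/` removes any template that exists only on the NAS, and the docs in this same commit acknowledge that emergency fixes are sometimes made directly on Synology; an opt-in flag does not protect those files once it is set. Suggest either dropping `--delete` (stale templates are then a documented manual cleanup) or printing a `--dry-run --delete` listing first and requiring confirmation. Minor: the skip message hard-codes `SYNC_AUTHENTIK_TEMPLATES=0` even when the variable holds a different non-`1` value; print `${SYNC_AUTHENTIK_TEMPLATES}` instead.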
@ -166,7 +172,14 @@ cd /volume1/docker/nodedc-platform/platform
sudo /usr/local/bin/docker compose \
--env-file /volume1/docker/nodedc-platform/platform/.env.synology \
-f /volume1/docker/nodedc-platform/platform/docker-compose.platform-http.yml \
up -d --force-recreate launcher reverse-proxy authentik-server authentik-worker
up -d --force-recreate --no-deps launcher
Optional Platform/Auth infra apply, only after deliberate compose/proxy/Auth templates changes:
sudo /usr/local/bin/docker compose \
--env-file /volume1/docker/nodedc-platform/platform/.env.synology \
-f /volume1/docker/nodedc-platform/platform/docker-compose.platform-http.yml \
up -d --force-recreate --no-deps reverse-proxy authentik-server authentik-worker launcher
Verify:
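Review bot: the "Optional Platform/Auth infra apply" block is printed unconditionally, so a plain launcher-only deploy still shows an Authentik/reverse-proxy recreate command right next to the recommended one, which is the kind of copy-paste that this commit is trying to prevent. Suggest printing that block only when `SYNC_AUTHENTIK_TEMPLATES` is `1` (or when compose/Caddyfile files actually changed), and otherwise printing a one-line hint instead. The service order in `up -d --force-recreate --no-deps reverse-proxy authentik-server authentik-worker launcher` is fine, but the output should repeat the docs' warning that a freshly recreated Authentik server can return `503 Service Unavailable` until the worker is ready, so the operator does not treat that as a failed deploy.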