fix: harden dev project-clone activation (fail-loud, fix ssh URLs, github host key) #166

Merged
dominik.polakovics merged 1 commit from fix/dev-projects-clone-robust into main 2026-06-14 23:00:59 +02:00

Hardens the home-manager `projects` clone activation after a cattle-dev cloning bug (#161).

**Root cause** (already fixed in bulk by `1fcfcb9`): the clone URLs used `ssh://forgejo@git.cloonar.com:Cloonar/repo.git` — in an `ssh://` URL the colon is a **port**, so SSH tried port "Cloonar" and the clone failed instantly. On the old microvm `/home` was persisted so the burst only ran once and the survivors (the few already on `/path`) stuck; the cattle box re-runs it fresh every install, exposing it. `2>/dev/null` on every clone is why it stayed invisible for hours.

**This PR finishes + hardens it:**

- Fixes the URLs `1fcfcb9` missed: `infrastructure/actions` (still `:`), and the github/gitlab clones (`ssh://git@github.com:…` → scp-form `git@github.com:…`).
- Adds the missing `github.com` host key (only `git.cloonar.com`/gitlab were `ssh-keyscan`ed).
- Routes every clone through a `clone()` helper: idempotent (skips existing), `mkdir -p`s the parent, and **logs failures** (`projects: FAILED to clone …`) instead of `2>/dev/null` — so the next breakage is visible in the activation journal, not silent.

nb-safe: its repos already exist → skipped; the helper + extra host key are pure improvements.

Note: github/gitlab clones still need a github/gitlab key for dominik (`dominik@dev2` is forgejo-only) — they'll now fail *visibly* on auth rather than silently on a bad URL. Provisioning that key (sops) is separate.

Pre-commit dry-build green for all hosts. (Eval validates the Nix; the clone runtime is verified on the box after deploy.)

Part of #161.
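The two pieces the description relies on, written out as an added example in POSIX sh (this is not the PR's own activation script or any code from Cloonar/nixos): a `check_clone_url` guard that rejects the `ssh://user@host:path` form, where the text after the colon is parsed as a port, and an idempotent `clone` helper that skips an existing checkout, creates the parent and logs a `projects: FAILED to clone` line to stderr instead of hiding git's output. The function names, the `GIT` override and all sample URLs except the `ssh://forgejo@git.cloonar.com:Cloonar/repo.git` form quoted from the description are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not the PR's own activation code. Assumed names: check_clone_url,
# clone, GIT. The sample URLs in the demo are constructed.

# Return 0 when a URL will not hit the "colon is a port" trap, 1 otherwise.
# ssh://user@host:X/path parses X as a port, so
# ssh://forgejo@git.cloonar.com:Cloonar/repo.git asks SSH for port "Cloonar".
# The scp-like form user@host:path has no scheme, and its colon starts the path.
check_clone_url() {
  url=$1
  case "$url" in
    '') return 1 ;;
    ssh://*)
      rest=${url#ssh://}          # user@host[:port][/path]
      hostpart=${rest%%/*}        # user@host[:port]
      case "$hostpart" in
        *\]*) hostpart=${hostpart##*\]} ;;   # drop an IPv6 literal, keep ":port"
      esac
      case "$hostpart" in
        *:*)
          port=${hostpart##*:}
          case "$port" in
            ''|*[!0-9]*) return 1 ;;        # non-numeric "port": the bug
          esac ;;
      esac
      return 0 ;;
    *) return 0 ;;   # scp-like, https://, local path: unaffected by the port rule
  esac
}

# Idempotent, fail-loud clone: skip an existing checkout, create the parent,
# and write a "projects: FAILED to clone" line to stderr (which activation
# output lands in the journal) instead of discarding git's errors with 2>/dev/null.
clone() {
  url=$1
  dest=$2
  if [ -d "$dest" ]; then
    echo "projects: $dest already exists, skipping" >&2
    return 0
  fi
  if ! check_clone_url "$url"; then
    echo "projects: FAILED to clone $url -> $dest (ssh:// URL with a non-numeric port; use user@host:path)" >&2
    return 1
  fi
  mkdir -p "$(dirname "$dest")" || return 1
  if ! "${GIT:-git}" clone --quiet "$url" "$dest"; then
    echo "projects: FAILED to clone $url -> $dest" >&2
    return 1
  fi
  return 0
}

# Stand-alone demo over constructed sample URLs (the broken forms and their
# scp-style fixes); no network access and no git invocation.
if [ "${1:-}" = "--demo" ]; then
  for u in \
    'ssh://forgejo@git.cloonar.com:Cloonar/repo.git' \
    'forgejo@git.cloonar.com:Cloonar/repo.git' \
    'ssh://git@github.com:example/repo.git' \
    'git@github.com:example/repo.git'; do
    if check_clone_url "$u"; then echo "OK   $u"; else echo "BAD  $u"; fi
  done
fi
```

Run it with `--demo` to see which of the four sample forms pass the guard; in an activation script you would call `clone "$url" "$dest"` per repository and let the non-zero return and the stderr line surface in the journal. The guard only covers the URL-shape failure this PR describes; a missing host key or a missing deploy key still fails inside `git clone`, which is exactly what the helper now reports instead of swallowing.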

dominik.polakovics deleted branch fix/dev-projects-clone-robust 2026-06-14 23:00:59 +02:00
Reference
Cloonar/nixos!166