diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index a374642..5001e66 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -78,40 +78,49 @@ jobs: ssh -i ~/.ssh/id_ed25519 "$SERVICE_USER@$SERVICE_HOST" /bin/sh -lc "set -euo pipefail - sudo mkdir -p /opt/infra-controller /etc/infra-controller /var/lib/infra-controller /var/log/infra-controller + if ! command -v sudo >/dev/null 2>&1; then + echo 'ERROR: sudo not installed on services server' >&2 + exit 1 + fi + if ! sudo -n true 2>/dev/null; then + echo 'ERROR: passwordless sudo is required for CI deploy (configure NOPASSWD for this SSH user)' >&2 + exit 1 + fi + + sudo -n mkdir -p /opt/infra-controller /etc/infra-controller /var/lib/infra-controller /var/log/infra-controller if [ ! -d /opt/infra-controller/.git ]; then - sudo rm -rf /opt/infra-controller/* - sudo git clone '$REPO_URL' /opt/infra-controller + sudo -n rm -rf /opt/infra-controller/* + sudo -n git clone '$REPO_URL' /opt/infra-controller fi cd /opt/infra-controller - sudo git fetch --all --prune - sudo git checkout -f '$GIT_SHA' + sudo -n git fetch --all --prune + sudo -n git checkout -f '$GIT_SHA' if [ ! -d /opt/infra-controller/venv ]; then - sudo python3 -m venv /opt/infra-controller/venv + sudo -n python3 -m venv /opt/infra-controller/venv fi - sudo /opt/infra-controller/venv/bin/pip install --upgrade pip - sudo /opt/infra-controller/venv/bin/pip install -e . + sudo -n /opt/infra-controller/venv/bin/pip install --upgrade pip + sudo -n /opt/infra-controller/venv/bin/pip install -e . if [ ! -f /etc/infra-controller/config.toml ]; then - sudo cp config/controller.toml.example /etc/infra-controller/config.toml + sudo -n cp config/controller.toml.example /etc/infra-controller/config.toml fi if [ ! 
-f /etc/infra-controller/controller.env ]; then - sudo cp systemd/infra-controller.env /etc/infra-controller/controller.env + sudo -n cp systemd/infra-controller.env /etc/infra-controller/controller.env fi - sudo cp systemd/infra-controller.service /etc/systemd/system/ - sudo cp systemd/infra-controller-once.service /etc/systemd/system/ - sudo cp systemd/infra-controller-watch.service /etc/systemd/system/ - sudo systemctl daemon-reload + sudo -n cp systemd/infra-controller.service /etc/systemd/system/ + sudo -n cp systemd/infra-controller-once.service /etc/systemd/system/ + sudo -n cp systemd/infra-controller-watch.service /etc/systemd/system/ + sudo -n systemctl daemon-reload - sudo systemctl disable --now infra-controller.path 2>/dev/null || true - sudo systemctl enable --now infra-controller-watch.service - sudo systemctl restart infra-controller-watch.service + sudo -n systemctl disable --now infra-controller.path 2>/dev/null || true + sudo -n systemctl enable --now infra-controller-watch.service + sudo -n systemctl restart infra-controller-watch.service - sudo chown -R infractl:infractl /opt/infra-controller /var/lib/infra-controller /var/log/infra-controller || true + sudo -n chown -R infractl:infractl /opt/infra-controller /var/lib/infra-controller /var/log/infra-controller || true /opt/infra-controller/venv/bin/infra-controller --once "
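Review bot: The added preflight `if ! sudo -n true 2>/dev/null; then` only passes when the SSH user may run an arbitrary command without a password, so together with the message "configure NOPASSWD for this SSH user" it steers operators toward a blanket NOPASSWD rule; a sudoers entry scoped to the deploy commands would fail this check. With such a rule the CI deploy key is effectively root on the services server, and `sudo -n /opt/infra-controller/venv/bin/pip install -e .` further down runs the checked-out repository's build code as root. I would move the privileged steps into one root-owned script on the host, allow only that script in sudoers, and probe it with `if ! sudo -n -l <DEPLOY_SCRIPT_PATH> >/dev/null 2>&1; then` (placeholder path), rewording the error to ask for a rule scoped to that script. Separately, `'$REPO_URL'` and `'$GIT_SHA'` appear to be expanded into the remote script before it is sent, so a value containing a single quote would change what runs under sudo; they should be validated on the runner if either can come from outside the repository's own settings. Where those variables are set, and the start of the enclosing step, are outside this hunk.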