vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tea-login: never fail switch-to-configuration

Browse source 
a failed tea-login oneshot used to abort `nixos-container update`
(switch-to-configuration exits 4), which blocked every rebuild
whether the agent needed tea or not. drop `set -e`, exit 0 on
every failure path (mkdir, tea login add, missing forge). also fix
the unit description, which hardcoded /state (manager-only) — sub-
agents have /agents/<name>/state.
This commit is contained in:
müde 2026-05-17 02:58:39 +02:00
parent 600ed509f4
commit 6652ae90ab
1 changed files with 22 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

37
nix/templates/harness-base.nix
View file

@ -186,10 +186,10 @@
# One-shot: configure tea with the agent's forge token if # One-shot: configure tea with the agent's forge token if
# hive-c0re seeded one and tea hasn't been configured yet. # hive-c0re seeded one and tea hasn't been configured yet.
# Runs before the harness service so the first turn can already # Runs before the harness service so the first turn can already
# `tea repos create`. Idempotent — exits 0 if config already # `tea repos create`. *Always* exits 0 — never fail a NixOS
# exists, exits 0 if no token file (hive-forge not enabled). # switch-to-configuration over a missing/temperamental forge.
systemd.services.tea-login = { systemd.services.tea-login = {
description = "configure tea CLI from /state/forge-token"; description = "configure tea CLI from hive-forge token (best-effort)";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "local-fs.target" ]; after = [ "local-fs.target" ];
serviceConfig = { serviceConfig = {
@ -201,16 +201,20 @@
pkgs.coreutils pkgs.coreutils
]; ];
script = '' script = ''
set -eu # No `set -e`: any subshell failure here (tea exit, mkdir,
# missing forge) must not propagate. A failed unit aborts
# `nixos-container update`, which would block every rebuild.
CONFIG=/root/.config/tea/config.yml CONFIG=/root/.config/tea/config.yml
# Manager keeps the legacy /state bind; sub-agents have # Manager bind-mounts state at /state; sub-agents at
# /agents/<name>/state. Glob covers both — there's exactly one # /agents/<name>/state. Glob both — each container only sees
# hit either way (manager: /state, sub-agent: its own # its own mount, so there's exactly one hit either way (or
# /agents/* mount), since each container only sees its own # zero, when the forge hasn't been seeded yet).
# state dir.
TOKEN_FILE="" TOKEN_FILE=""
for f in /state/forge-token /agents/*/state/forge-token; do for f in /state/forge-token /agents/*/state/forge-token; do
[ -f "$f" ] && TOKEN_FILE="$f" && break if [ -f "$f" ]; then
TOKEN_FILE="$f"
break
fi
done done
if [ -z "$TOKEN_FILE" ]; then if [ -z "$TOKEN_FILE" ]; then
echo "tea-login: no forge-token (hive-forge not seeded); skipping" echo "tea-login: no forge-token (hive-forge not seeded); skipping"
@ -220,11 +224,14 @@
echo "tea-login: $CONFIG already present; skipping" echo "tea-login: $CONFIG already present; skipping"
exit 0 exit 0
fi fi
mkdir -p "$(dirname "$CONFIG")" mkdir -p "$(dirname "$CONFIG")" || true
tea login add \ if ! tea login add \
--name forge \ --name forge \
--url ${lib.escapeShellArg config.hyperhive.forge.url} \ --url ${lib.escapeShellArg config.hyperhive.forge.url} \
--token "$(cat "$TOKEN_FILE")" --token "$(cat "$TOKEN_FILE")"; then
echo "tea-login: tea login add failed; continuing without tea"
exit 0
fi
echo "tea-login: configured for ${config.hyperhive.forge.url} from $TOKEN_FILE" echo "tea-login: configured for ${config.hyperhive.forge.url} from $TOKEN_FILE"
''; '';
}; };