vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

harness: install tea + auto-login from /state/forge-token

Browse source 
agents get `pkgs.tea` (gitea/forgejo CLI) and a tea-login oneshot
that runs `tea login add --url <hyperhive.forge.url> --token
$(cat /state/forge-token)` before the harness starts. idempotent:
exits 0 when the token file is absent (hive-forge not on) or when
~/.config/tea/config.yml already exists. new
`hyperhive.forge.url` option (default http://localhost:3000) so
operators can point at a non-default forge port. claude can now
shell out to `tea repos create`, `tea pulls create`, etc.
This commit is contained in:
müde 2026-05-16 23:35:28 +02:00
parent dccbd99b0c
commit 787c058c71
1 changed files with 53 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

53
nix/templates/harness-base.nix
View file

@ -82,6 +82,20 @@
''; '';
}; };
options.hyperhive.forge.url = lib.mkOption {
type = lib.types.str;
default = "http://localhost:3000";
example = "http://forge.internal:3000";
description = ''
Base URL of the hyperhive-managed Forgejo. Used at container
boot by a oneshot systemd unit that calls
`tea login add --url <this> --token "$(cat /state/forge-token)"`
so the agent's claude can shell out to `tea` without an extra
auth dance. No-op when `/state/forge-token` is missing (i.e.
hive-forge isn't running on the host).
'';
};
options.hyperhive.claudePlugins = lib.mkOption { options.hyperhive.claudePlugins = lib.mkOption {
type = lib.types.listOf lib.types.str; type = lib.types.listOf lib.types.str;
default = [ ]; default = [ ];
@ -124,8 +138,47 @@
# procps for pkill — used by the web UI's /api/cancel to SIGINT the # procps for pkill — used by the web UI's /api/cancel to SIGINT the
# in-flight claude turn. # in-flight claude turn.
procps procps
# tea: gitea/forgejo CLI client. Configured at boot by the
# tea-login oneshot below if /state/forge-token is present, so
# claude can `tea repos create`, `tea pulls create`, etc.
tea
]; ];
# One-shot: configure tea with the agent's forge token if
# hive-c0re seeded one and tea hasn't been configured yet.
# Runs before the harness service so the first turn can already
# `tea repos create`. Idempotent — exits 0 if config already
# exists, exits 0 if no token file (hive-forge not enabled).
systemd.services.tea-login = {
description = "configure tea CLI from /state/forge-token";
wantedBy = [ "multi-user.target" ];
after = [ "local-fs.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
path = [ pkgs.tea pkgs.coreutils ];
script = ''
set -eu
TOKEN_FILE=/state/forge-token
CONFIG=/root/.config/tea/config.yml
if [ ! -f "$TOKEN_FILE" ]; then
echo "tea-login: no $TOKEN_FILE (hive-forge not seeded); skipping"
exit 0
fi
if [ -f "$CONFIG" ]; then
echo "tea-login: $CONFIG already present; skipping"
exit 0
fi
mkdir -p "$(dirname "$CONFIG")"
tea login add \
--name forge \
--url ${lib.escapeShellArg config.hyperhive.forge.url} \
--token "$(cat "$TOKEN_FILE")"
echo "tea-login: configured for ${config.hyperhive.forge.url}"
'';
};
# Git is needed by claude's Bash tool (for the agent <-> manager config # Git is needed by claude's Bash tool (for the agent <-> manager config
# request flow) and by hive-c0re's own setup_applied / setup_proposed. # request flow) and by hive-c0re's own setup_applied / setup_proposed.
# The per-agent `applied/<name>/flake.nix` overrides `user.name` and # The per-agent `applied/<name>/flake.nix` overrides `user.name` and