Add Forgejo namespace workflow stack

Scripts/check-forge-host.sh

@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+
+usage() {
+  cat <<'EOF'
+Usage: Scripts/check-forge-host.sh [options]
+
+Run a post-boot verification pass against the Burrow forge host.
+
+Options:
+  --host <user@host>    SSH target (default: root@git.burrow.net)
+  --ssh-key <path>      SSH private key (default: intake/agent_at_burrow_net_ed25519)
+  --expect-nsc          Fail if forgejo-nsc services are not active
+  -h, --help            Show this help text
+EOF
+}
+
+HOST="${BURROW_FORGE_HOST:-root@git.burrow.net}"
+SSH_KEY="${BURROW_FORGE_SSH_KEY:-${REPO_ROOT}/intake/agent_at_burrow_net_ed25519}"
+KNOWN_HOSTS_FILE="${BURROW_FORGE_KNOWN_HOSTS_FILE:-${HOME}/.cache/burrow/forge-known_hosts}"
+EXPECT_NSC=0
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --host)
+      HOST="${2:?missing value for --host}"
+      shift 2
+      ;;
+    --ssh-key)
+      SSH_KEY="${2:?missing value for --ssh-key}"
+      shift 2
+      ;;
+    --expect-nsc)
+      EXPECT_NSC=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "unknown option: $1" >&2
+      usage >&2
+      exit 64
+      ;;
+  esac
+done
+
+mkdir -p "$(dirname "${KNOWN_HOSTS_FILE}")"
+
+if [[ ! -f "${SSH_KEY}" ]]; then
+  echo "forge SSH key not found: ${SSH_KEY}" >&2
+  exit 1
+fi
+
+ssh \
+  -i "${SSH_KEY}" \
+  -o IdentitiesOnly=yes \
+  -o UserKnownHostsFile="${KNOWN_HOSTS_FILE}" \
+  -o StrictHostKeyChecking=accept-new \
+  "${HOST}" \
+  EXPECT_NSC="${EXPECT_NSC}" \
+  'bash -s' <<'EOF'
+set -euo pipefail
+
+base_services=(
+  forgejo.service
+  caddy.service
+  burrow-forgejo-bootstrap.service
+  burrow-forgejo-runner-bootstrap.service
+  burrow-forgejo-runner.service
+)
+
+nsc_services=(
+  forgejo-nsc-dispatcher.service
+  forgejo-nsc-autoscaler.service
+)
+
+show_service() {
+  local service="$1"
+  systemctl show \
+    --no-pager \
+    --property Id \
+    --property LoadState \
+    --property UnitFileState \
+    --property ActiveState \
+    --property SubState \
+    --property Result \
+    "${service}"
+}
+
+service_is_healthy() {
+  local service="$1"
+  local active_state
+  local result
+  local unit_type
+
+  active_state="$(systemctl show --property ActiveState --value "${service}")"
+  result="$(systemctl show --property Result --value "${service}")"
+  unit_type="$(systemctl show --property Type --value "${service}")"
+
+  if [[ "${active_state}" == "active" ]]; then
+    return 0
+  fi
+
+  if [[ "${unit_type}" == "oneshot" && "${active_state}" == "inactive" && "${result}" == "success" ]]; then
+    return 0
+  fi
+
+  return 1
+}
+
+for service in "${base_services[@]}"; do
+  echo "== ${service} =="
+  show_service "${service}"
+  if ! service_is_healthy "${service}"; then
+    echo "required service is not active: ${service}" >&2
+    exit 1
+  fi
+done
+
+for service in "${nsc_services[@]}"; do
+  echo "== ${service} =="
+  show_service "${service}" || true
+  if [[ "${EXPECT_NSC}" == "1" && "$(systemctl is-active "${service}" 2>/dev/null || true)" != "active" ]]; then
+    echo "required NSC service is not active: ${service}" >&2
+    exit 1
+  fi
+done
+
+echo "== intake =="
+ls -l /var/lib/burrow/intake || true
+
+if command -v curl >/dev/null 2>&1; then
+  echo "== http-local =="
+  curl -fsS -o /dev/null -w 'forgejo_login %{http_code}\n' http://127.0.0.1:3000/user/login
+  curl -fsS -o /dev/null -H 'Host: burrow.net' -w 'burrow_root %{http_code}\n' http://127.0.0.1/
+  curl -fsS -o /dev/null -H 'Host: git.burrow.net' -w 'git_login %{http_code}\n' http://127.0.0.1/user/login
+fi
+EOF