coilyco-bridge/coily
1
0
Fork 0
Code Issues 97 Pull requests Projects Releases 19 Packages Wiki Activity Actions

coily ops forgejo: wrap forgejo admin CLI verbs for the kai-server deploy #55

New issue
Open
opened 2026-05-23 20:54:03 +00:00 by coilysiren · 0 comments
coilysiren commented 2026-05-23 20:54:03 +00:00
Owner
Copy link

Originally filed by @coilysiren on 2026-05-05T10:36:44Z - https://github.com/coilysiren/coily/issues/57

Proposal

Add a `coily ops forgejo ...` verb group that wraps the in-pod `forgejo` CLI on the kai-server k3s deploy. Each leaf is a fixed-shape `k3s kubectl -n forgejo exec deploy/forgejo -- forgejo `, run through the privileged-op gate (audit + scope binding) like every other `ops` verb.

Spawned from the forgejo deploy. Pairs with #50 (the broader `coily ops ` rename) - this issue carves out the forgejo-shaped surface inside that group regardless of whether #50 lands first.

Why

Three shapes recur for managing this Forgejo instance from outside the pod:

  1. Initial bootstrap - admin user create, regenerate keys, doctor checks. One-shot, but high-friction (had to wave through the harness deny-rule on `kubectl exec` to mint the admin during the deploy).
  2. Ongoing admin - rotate user passwords, list/promote users, sync repo releases, run doctor.
  3. Backups + recovery - `forgejo dump` on a CronJob (per the deploy plan's followup) and ad-hoc dumps.

All three want the same shape: "run a fixed-shape forgejo CLI verb against the running pod, log it, no sudo, no escape hatch."

Without a wrapper each one is bare `ssh kai-server 'k3s kubectl -n forgejo exec ...'`, which (a) is gated by the harness's `kubectl exec` deny-rule (rightly), (b) leaves no audit row, (c) varies subtly per invocation and creates a documentation maintenance burden.

Verb selection (forgejo 15.0.1 `forgejo --help` survey)

Strong fit for wrapping (admin-shaped, safe, repeatable):

  • `coily ops forgejo admin user create` - mirror the rootless-image flow used in the deploy plan
  • `coily ops forgejo admin user list`
  • `coily ops forgejo admin user change-password`
  • `coily ops forgejo admin user delete`
  • `coily ops forgejo admin user must-change-password`
  • `coily ops forgejo admin regenerate hooks` / `keys`
  • `coily ops forgejo admin auth list`
  • `coily ops forgejo doctor check --run `
  • `coily ops forgejo doctor recreate-table`
  • `coily ops forgejo dump` - destination is a sibling PVC, ties into the planned backup CronJob
  • `coily ops forgejo manager flush-queues` / `logging pause` / `logging resume`
  • `coily ops forgejo actions generate-runner-token` - lines up with the deploy plan's deferred Actions-runner decision

Skip / explicit reject:

  • `forgejo serv` / `forgejo hook` / `forgejo keys` - documented as internal SSH-shell-only, do not expose
  • `forgejo migrate` - destructive enough that it should stay manual, not a coily verb
  • `forgejo migrate-storage` - same
  • `forgejo dump-repo` / `restore-repo` - operate on filesystem paths inside the pod that aren't mounted out, not useful through the wrapper

Borderline (decide during implementation):

  • `forgejo embedded` - extracts embedded resources, niche
  • `forgejo cert` - we don't run forgejo's self-signed cert path, cert-manager handles TLS at the ingress
  • `forgejo generate` - secret/key generation, but we mint these via SSM not from inside the pod

Mechanical scope

  • New `cmd/ops/forgejo/` (or wherever #50 puts the `ops` group) with one leaf per verb above. Each leaf renders a fixed remote command, runs it through the same audit + ssh path as `coily ssh kubectl` (which itself needs #56 fixed first or the same not-actually-sudo wrapper).
  • Pin the namespace (`forgejo`) and pod selector (`deploy/forgejo`) in code, not as flags. No free-form passthrough.
  • Audit-log verb names: `ops.forgejo.admin.user.create`, `ops.forgejo.dump`, etc.
  • README on the verb group: when to use it vs raw kubectl, link back to the deploy plan.

Out of scope

  • The Postgres-side admin verbs (`pg_dump` etc.) - separate issue if/when needed, different pod and different security shape.
  • A general `coily ops kubectl exec ...` allowlist - explicitly rejected by Kai during the forgejo deploy, the right unit of grouping is per-app verbs.
  • The harness deny-rule on `kubectl exec` - that one stays. `coily ops forgejo` is the affordance, not a bypass.

Dependencies

  • #56 (drop the sudo wrap on `coily ssh kubectl`) should land first or this group will hit the same sudo wall.
  • #50 (the `ops` rename) determines where this lives in the command tree but doesn't block the implementation - if #50 lands later, rename then.
_Originally filed by @coilysiren on 2026-05-05T10:36:44Z - [https://github.com/coilysiren/coily/issues/57](https://github.com/coilysiren/coily/issues/57)_ ## Proposal Add a \`coily ops forgejo ...\` verb group that wraps the in-pod \`forgejo\` CLI on the kai-server k3s deploy. Each leaf is a fixed-shape \`k3s kubectl -n forgejo exec deploy/forgejo -- forgejo <verb>\`, run through the privileged-op gate (audit + scope binding) like every other \`ops\` verb. Spawned from the [forgejo deploy](https://github.com/coilysiren/infrastructure/blob/main/docs/forgejo-deploy-plan.md). Pairs with #50 (the broader \`coily ops <tool>\` rename) - this issue carves out the forgejo-shaped surface inside that group regardless of whether #50 lands first. ## Why Three shapes recur for managing this Forgejo instance from outside the pod: 1. **Initial bootstrap** - admin user create, regenerate keys, doctor checks. One-shot, but high-friction (had to wave through the harness deny-rule on \`kubectl exec\` to mint the admin during the deploy). 2. **Ongoing admin** - rotate user passwords, list/promote users, sync repo releases, run doctor. 3. **Backups + recovery** - \`forgejo dump\` on a CronJob (per the deploy plan's followup) and ad-hoc dumps. All three want the same shape: \"run a fixed-shape forgejo CLI verb against the running pod, log it, no sudo, no escape hatch.\" Without a wrapper each one is bare \`ssh kai-server 'k3s kubectl -n forgejo exec ...'\`, which (a) is gated by the harness's \`kubectl exec\` deny-rule (rightly), (b) leaves no audit row, (c) varies subtly per invocation and creates a documentation maintenance burden. ## Verb selection (forgejo 15.0.1 \`forgejo --help\` survey) Strong fit for wrapping (admin-shaped, safe, repeatable): - \`coily ops forgejo admin user create\` - mirror the rootless-image flow used in the deploy plan - \`coily ops forgejo admin user list\` - \`coily ops forgejo admin user change-password\` - \`coily ops forgejo admin user delete\` - \`coily ops forgejo admin user must-change-password\` - \`coily ops forgejo admin regenerate hooks\` / \`keys\` - \`coily ops forgejo admin auth list\` - \`coily ops forgejo doctor check --run <name>\` - \`coily ops forgejo doctor recreate-table\` - \`coily ops forgejo dump\` - destination is a sibling PVC, ties into the planned backup CronJob - \`coily ops forgejo manager flush-queues\` / \`logging pause\` / \`logging resume\` - \`coily ops forgejo actions generate-runner-token\` - lines up with the deploy plan's deferred Actions-runner decision Skip / explicit reject: - \`forgejo serv\` / \`forgejo hook\` / \`forgejo keys\` - documented as internal SSH-shell-only, do not expose - \`forgejo migrate\` - destructive enough that it should stay manual, not a coily verb - \`forgejo migrate-storage\` - same - \`forgejo dump-repo\` / \`restore-repo\` - operate on filesystem paths inside the pod that aren't mounted out, not useful through the wrapper Borderline (decide during implementation): - \`forgejo embedded\` - extracts embedded resources, niche - \`forgejo cert\` - we don't run forgejo's self-signed cert path, cert-manager handles TLS at the ingress - \`forgejo generate\` - secret/key generation, but we mint these via SSM not from inside the pod ## Mechanical scope - New \`cmd/ops/forgejo/\` (or wherever #50 puts the \`ops\` group) with one leaf per verb above. Each leaf renders a fixed remote command, runs it through the same audit + ssh path as \`coily ssh kubectl\` (which itself needs #56 fixed first or the same not-actually-sudo wrapper). - Pin the namespace (\`forgejo\`) and pod selector (\`deploy/forgejo\`) in code, not as flags. No free-form passthrough. - Audit-log verb names: \`ops.forgejo.admin.user.create\`, \`ops.forgejo.dump\`, etc. - README on the verb group: when to use it vs raw kubectl, link back to the deploy plan. ## Out of scope - The Postgres-side admin verbs (\`pg_dump\` etc.) - separate issue if/when needed, different pod and different security shape. - A general \`coily ops kubectl exec ...\` allowlist - explicitly rejected by Kai during the forgejo deploy, the right unit of grouping is per-app verbs. - The harness deny-rule on \`kubectl exec\` - that one stays. \`coily ops forgejo\` is the affordance, not a bypass. ## Dependencies - #56 (drop the sudo wrap on \`coily ssh kubectl\`) should land first or this group will hit the same sudo wall. - #50 (the \`ops\` rename) determines where this lives in the command tree but doesn't block the implementation - if #50 lands later, rename then.
coilysiren added
P4
 and removed
P3
 labels 2026-05-31 06:59:48 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
dispatch/issue-306
args-file-mcporter
claude/coily-docker-image-FF2Rw
claude/busy-almeida-0168e4
v2.50.0
v2.49.1
v2.49.0
v2.48.0
v2.47.0
v2.46.0
v2.45.0
v2.44.1
v2.44.0
v2.43.2
v2.43.1
v2.43.0
v2.42.0
v2.41.0
v2.40.2
v2.40.1
v2.40.0
v2.39.0
v2.37.2
v2.38.0
v2.23.0
v2.37.1
v2.37.0
v2.36.0
v2.35.0
v2.34.0
v2.33.0
v2.32.0
v2.31.0
v2.30.0
v2.29.2
v2.29.1
v2.29.0
v2.28.0
v2.27.0
v2.26.0
v2.25.0
v2.24.0
v2.22.0
v2.21.0
v2.20.0
v2.19.0
v2.18.1
v2.18.0
v2.17.0
v2.16.0
v2.15.2
v2.15.1
v2.15.0
v2.14.0
v2.13.1
v2.13.0
v2.12.0
v2.11.2
v2.11.1
v2.11.0
v2.10.0
v2.9.0
v2.8.0
v2.7.1
v2.7.0
v2.6.0
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.0
v2.1.0
v2.0.1
v2.0.0
v1.16.0
v1.15.2
v1.15.1
v1.15.0
v1.14.0
v1.13.0
v1.12.0
v1.11.0
v1.10.0
v1.9.6
v1.9.5
v1.9.4
v1.9.3
v1.9.2
v1.9.1
v1.9.0
v1.8.8
v1.8.7
v1.8.6
v1.8.5
v1.8.4
v1.8.3
v1.8.2
v1.8.1
v1.8.0
v1.7.8
v1.7.7
v1.7.6
v1.7.5
v1.7.4
v1.7.3
v1.7.2
v1.7.1
v1.7.0
v1.6.0
v1.5.123
v1.5.122
v1.5.121
v1.5.120
v1.5.119
v1.5.118
v1.5.117
v1.5.116
v1.5.115
v1.5.114
v1.5.113
v1.5.112
v1.5.111
v1.5.110
v1.5.109
v1.5.108
v1.5.107
v1.5.106
v1.5.105
v1.5.104
v1.5.103
v1.5.102
v1.5.101
v1.5.100
v1.5.99
v1.5.98
v1.5.97
v1.5.96
v1.5.95
v1.5.94
v1.5.93
v1.5.92
v1.5.91
v1.5.90
v1.5.89
v1.5.88
v1.5.87
v1.5.86
v1.5.85
v1.5.84
v1.5.83
v1.5.82
v1.5.81
v1.5.80
v1.5.79
v1.5.78
v1.5.77
v1.5.76
v1.5.75
v1.5.74
v1.5.73
v1.5.72
v1.5.71
v1.5.70
v1.5.69
v1.5.68
v1.5.67
v1.5.66
v1.5.65
v1.5.64
v1.5.63
v1.5.62
v1.5.61
v1.5.60
v1.5.59
v1.5.58
v1.5.57
v1.5.56
v1.5.55
v1.5.54
v1.5.53
v1.5.52
v1.5.51
v1.5.50
v1.5.49
v1.5.48
v1.5.47
v1.5.46
v1.5.45
v1.5.44
v1.5.43
v1.5.42
v1.5.41
v1.5.40
v1.5.39
v1.5.38
v1.5.37
v1.5.36
v1.5.35
v1.5.34
v1.5.33
v1.5.32
v1.5.31
v1.5.30
v1.5.29
v1.5.28
v1.5.27
v1.5.26
v1.5.25
v1.5.24
v1.5.23
v1.5.22
v1.5.21
v1.5.20
v1.5.19
v1.5.18
v1.5.17
v1.5.16
v1.5.15
v1.5.14
v1.5.13
v1.5.12
v1.5.11
v1.5.10
v1.5.9
v1.5.8
v1.5.7
v1.5.6
v1.5.5
v1.5.4
v1.5.3
v1.5.2
v1.5.1
v1.5.0
v1.4.1
v1.4.0
v1.3.0
v1.2.4
v1.2.3
v1.2.2
v1.2.1
v1.2.0
v1.1.3
v1.1.2
v1.1.1
v1.1.0
v1.0.1
v1.0.0
v0.5.3
v0.5.2
v0.5.1
v0.5.0
v0.4.0
v0.3.2
v0.3.1
v0.3.0
v0.2.0
v0.1.0
v0.0.38
v0.0.37
v0.0.36
v0.0.35
v0.0.34
v0.0.33
v0.0.32
v0.0.31
v0.0.30
v0.0.29
v0.0.28
v0.0.27
v0.0.26
v0.0.25
v0.0.24
v0.0.23
v0.0.22
v0.0.21
v0.0.20
v0.0.19
v0.0.18
v0.0.17
v0.0.16
v0.0.15
v0.0.14
v0.0.13
v0.0.12
v0.0.11
v0.0.10
v0.0.9
v0.0.8
v0.0.7
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
tools-latest
Labels
Clear labels
  
P0
now / blocking / urgent

  
P1
next / important

  
P2
backlog / will do

  
P3
someday / low

  
P4
icebox / frozen / reopen if it becomes real

No labels
P0
P1
P2
P3
P4
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-bridge/coily#55
No description provided.