chore(infra): unify prod deploy on .env.macmini + document missing keys

Two pieces of the same cleanup:

1. build-app.sh now passes `--env-file .env.macmini` explicitly via a
   shared COMPOSE_ARGS array. Without it, docker compose silently fell
   back to `.env` in the project root — a separate file that happened
   to hold MANA_AUTH_KEK and other secrets that `.env.macmini` lacked.
   deploy.sh, restart.sh, and the CD workflow already used the flag;
   this aligns build-app.sh with the rest. Server-side .env.macmini
   was reconciled 2026-04-23 with the union of both files, so the
   duplicate `.env` is no longer needed.

2. .env.macmini.example now documents 7 keys the prod stack actually
   depends on but that had never been listed: GOOGLE_GEMINI_API_KEY /
   GOOGLE_GENAI_API_KEY (SDK aliases for Deep-Research + mana-ai),
   MANA_AI_PRIVATE_KEY_PEM / MANA_AI_PUBLIC_KEY_PEM (Mission-Grant
   keypair), MANA_AI_DEEP_RESEARCH_ENABLED + PUBLIC_AI_MISSION_GRANTS
   (feature flags), MANA_CORE_SERVICE_KEY (legacy alias), and the STT/
   TTS internal shared secrets.

Matrix-bot tokens deliberately left undocumented — no Matrix homeserver
in the current running stack.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Till JS 2026-04-23 13:01:29 +02:00
parent 5c08653b19
commit f719d1768f
2 changed files with 50 additions and 6 deletions


@ -14,8 +14,17 @@ set -e
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
COMPOSE_FILE="$PROJECT_ROOT/docker-compose.macmini.yml"
ENV_FILE="$PROJECT_ROOT/.env.macmini"
DOCKER="${DOCKER_CMD:-/usr/local/bin/docker}"
# Explicit --env-file flag keeps this script aligned with deploy.sh /
# restart.sh / the CD workflow (all use .env.macmini). Without it compose
# falls back to .env in the project root — which used to be a separate
# file holding a superset of secrets, and missing that file meant mana-
# auth started with an empty MANA_AUTH_KEK. Server was reconciled
# 2026-04-23; this flag keeps it that way.
COMPOSE_ARGS=(-f "$COMPOSE_FILE" --env-file "$ENV_FILE")
# Minimum free memory (in MB) needed for a Docker build
BUILD_MEM_THRESHOLD_MB=3000
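Review bot: nothing in this hunk checks that `$ENV_FILE` exists before it is baked into `COMPOSE_ARGS`, so the failure mode the comment describes (mana-auth starting with an empty MANA_AUTH_KEK) is traded for whatever compose does with a missing `--env-file`, and that only surfaces at the first compose call much further down the script. Suggest failing fast right after the definition, e.g. `[ -f "$ENV_FILE" ] || { echo "missing env file: $ENV_FILE" >&2; exit 1; }`, and optionally asserting the one key the stack cannot run without (`grep -q '^MANA_AUTH_KEK=.' "$ENV_FILE"`) so a half-reconciled file is caught before any container is torn down. Minor: the comment wraps the service name across lines as `mana-` / `auth`; reflowing it keeps `mana-auth` greppable.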
@ -188,7 +197,7 @@ build_services() {
done
echo "=== Building: ${services[*]} ==="
$DOCKER compose -f "$COMPOSE_FILE" build --no-cache "${services[@]}" 2>&1
$DOCKER compose "${COMPOSE_ARGS[@]}" build --no-cache "${services[@]}" 2>&1
echo ""
echo "=== Restarting: ${services[*]} ==="
# Tear down existing containers BEFORE the up cycle. We hit "container
@ -206,13 +215,13 @@ build_services() {
# 3. `up -d --remove-orphans` then creates a clean new container
# and silences the "Found orphan containers" warning we kept
# seeing for the unrelated mana-game-whopixels leftover.
$DOCKER compose -f "$COMPOSE_FILE" rm -fs "${services[@]}" 2>&1 \
$DOCKER compose "${COMPOSE_ARGS[@]}" rm -fs "${services[@]}" 2>&1 \
| grep -v 'No stopped containers' || true
for svc in "${services[@]}"; do
# Map compose service name → container_name from the compose config.
# Falls back to the service name itself if container_name isn't set.
local cname
cname=$($DOCKER compose -f "$COMPOSE_FILE" config 2>/dev/null \
cname=$($DOCKER compose "${COMPOSE_ARGS[@]}" config 2>/dev/null \
| awk -v s="$svc:" '
$0 ~ "^ "s {found=1; next}
found && /^ [a-z]/ {found=0}
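Review bot: the `rm -fs` line keeps the pre-existing `| grep -v 'No stopped containers' || true` tail, which under `set -e` also swallows a genuine failure of `compose rm` (the pipeline's exit status is grep's, and `|| true` masks even that), so a container that could not be removed is silently followed by `up -d`. Since the line is being touched anyway, consider capturing first and filtering afterwards, e.g. `out=$($DOCKER compose "${COMPOSE_ARGS[@]}" rm -fs "${services[@]}" 2>&1)` followed by `printf '%s\n' "$out" | grep -v 'No stopped containers' || true`, so a non-zero status from `rm` still aborts the script. The `config | awk` lookup of `container_name` in the same hunk is unchanged but depends on the two-space indentation of `config` output; `config --format json` piped through `jq` would be less fragile if a jq dependency is acceptable on the build host.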
@ -228,7 +237,7 @@ build_services() {
echo "$orphans" | xargs -r $DOCKER rm -f 2>/dev/null || true
fi
done
$DOCKER compose -f "$COMPOSE_FILE" up -d --no-deps --remove-orphans "${services[@]}" 2>&1
$DOCKER compose "${COMPOSE_ARGS[@]}" up -d --no-deps --remove-orphans "${services[@]}" 2>&1
}
# --- Main ---
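Review bot: after `up -d` nothing verifies that the recreated containers actually received the values from `.env.macmini`, which is the incident this commit is reacting to. A cheap guard before the `up` is `$DOCKER compose "${COMPOSE_ARGS[@]}" config >/dev/null` with its stderr checked for compose's `variable is not set` warnings (that is what an absent interpolation key produces), failing the build instead of starting a service with a blank secret. The `--no-deps --remove-orphans` combination itself looks right for a per-service rebuild.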
@ -273,7 +282,7 @@ case "$1" in
--all-web)
build_base_images
# Find all web services in compose
WEB_SERVICES=$($DOCKER compose -f "$COMPOSE_FILE" config --services 2>/dev/null | grep '\-web$' || true)
WEB_SERVICES=$($DOCKER compose "${COMPOSE_ARGS[@]}" config --services 2>/dev/null | grep '\-web$' || true)
if [ -n "$WEB_SERVICES" ]; then
build_services $WEB_SERVICES
else
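Review bot: `build_base_images` is called on the line just above the changed one but does not appear in this diff, so either it already uses `COMPOSE_ARGS` or it still runs `docker compose -f "$COMPOSE_FILE" build` without `--env-file` and falls back to `.env` for interpolation, which is exactly the inconsistency the commit message says it removes; worth confirming before merge. The unquoted `build_services $WEB_SERVICES` is intentional word-splitting but deserves a `# shellcheck disable=SC2086` with a reason so it is not "fixed" by a later linter pass.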
@ -291,7 +300,7 @@ echo "=== Build complete ==="
# Show status of built services
for svc in "$@"; do
if [ "$svc" != "--base" ] && [ "$svc" != "--all-web" ]; then
STATUS=$($DOCKER compose -f "$COMPOSE_FILE" ps --format '{{.Name}}\t{{.Status}}' "$svc" 2>/dev/null || echo "$svc: unknown")
STATUS=$($DOCKER compose "${COMPOSE_ARGS[@]}" ps --format '{{.Name}}\t{{.Status}}' "$svc" 2>/dev/null || echo "$svc: unknown")
echo " $STATUS"
fi
done
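Review bot: the `|| echo "$svc: unknown"` fallback only fires when `compose ps` exits non-zero; for a service that exists in the compose file but has no container, `ps` exits 0 with empty output and the status line prints as a blank indented line. Add `[ -n "$STATUS" ] || STATUS="$svc: not running"` after the assignment so the summary distinguishes running, not running, and ps-failed. Also confirm that `--format` with a Go template string is accepted by the Compose version pinned on the Mac mini, since this line is now the only place that syntax is relied on.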