Merge pull request 'fix(staging): canonical deploy context via proxmox SSH wrapper' (#28) from fix/staging-deploy-canonical-context into main

infra/staging/README.md

@@ -4,38 +4,40 @@
 Staging-miljø for WPP i Proxmox LXC, så release-klar kode kan deployes og smoke-testes sikkert.
 
 ## Miljø
-- LXC: `CT 143` (`wpp-staging`)
-- App path: `/opt/wpp-staging/app`
-- Service: `wpp-staging.service`
-- Health endpoint: `GET /healthz`
+- LXC: CT 143 (wpp-staging)
+- App path: /opt/wpp-staging/app
+- Service: wpp-staging.service
+- Health endpoint: GET /healthz
 
 ## Verifikation
 Kør fra devops-shell med Proxmox-adgang:
 
-```bash
-ssh proxmox-lan "sudo -n pct status 143"
-ssh proxmox-lan "sudo -n pct exec 143 -- systemctl is-active wpp-staging.service"
-ssh proxmox-lan "sudo -n pct exec 143 -- curl -fsS http://127.0.0.1:8000/healthz"
-```
+    ssh proxmox-lan "sudo -n pct status 143"
+    ssh proxmox-lan "sudo -n pct exec 143 -- systemctl is-active wpp-staging.service"
+    ssh proxmox-lan "sudo -n pct exec 143 -- curl -fsS http://127.0.0.1:8000/healthz"
 
 Forventet:
-- CT er `running`
-- service er `active`
-- healthz returnerer JSON med `ok: true`
+- CT er running
+- service er active
+- healthz returnerer JSON med ok=true
 
-## Deploy
-Script: `infra/staging/deploy_staging.sh`
+## Deploy (canonical execution context)
+Deploy skal altid køres via Proxmox host over SSH (ikke fra lokal coder-shell med direkte sudo pct).
 
-```bash
-# deploy main
-./infra/staging/deploy_staging.sh
+Officiel kommando:
 
-# deploy bestemt tag/branch
-./infra/staging/deploy_staging.sh v0.3.0
-```
+    ./infra/staging/deploy_staging.sh [ref]
+
+Scriptet bruger default PROXMOX_HOST=proxmox-lan og kører sudo -n pct exec på hosten.
+
+Eksempler:
+
+    ./infra/staging/deploy_staging.sh
+    ./infra/staging/deploy_staging.sh v0.3.0
+    PROXMOX_HOST=proxmox-prod ./infra/staging/deploy_staging.sh main
 
 ## Policy-kobling
 Før deploy:
-1. Bekræft at tester **ikke** er aktiv (ingen aktiv smoke-run).
+1. Bekræft at tester ikke er aktiv (ingen aktiv smoke-run).
 2. Deploy til staging skal lykkes.
-3. Først derefter må release-tag oprettes (se `docs/RELEASE_POLICY.md`).
+3. Først derefter må release-tag oprettes (se docs/RELEASE_POLICY.md).

infra/staging/deploy_staging.sh

@@ -4,14 +4,15 @@ set -euo pipefail
 CT_ID="${CT_ID:-143}"
 REF_NAME="${1:-main}"
 ARCHIVE_URL="https://gitea.weircon.dk/wpp/weirsoe-party-protocol/archive/${REF_NAME}.tar.gz"
+PROXMOX_HOST="${PROXMOX_HOST:-proxmox-lan}"
 
-echo "[deploy] CT_ID=${CT_ID} REF=${REF_NAME}"
+echo "[deploy] host=${PROXMOX_HOST} CT_ID=${CT_ID} REF=${REF_NAME}"
 
 echo "[deploy] extracting source + installing deps + migrate + restart"
-sudo -n pct exec "${CT_ID}" -- bash -lc "set -euo pipefail
+ssh "${PROXMOX_HOST}" "sudo -n /usr/sbin/pct exec ${CT_ID} -- bash -lc \"set -euo pipefail
 mkdir -p /opt/wpp-staging/releases/src
 cd /opt/wpp-staging/releases
-curl -fsSL "${ARCHIVE_URL}" -o app.tar.gz
+curl -fsSL \\\"${ARCHIVE_URL}\\\" -o app.tar.gz
 rm -rf src && mkdir src
 tar -xzf app.tar.gz -C src --strip-components=1
 rm -rf /opt/wpp-staging/app/*
@@ -22,7 +23,6 @@ runuser -u wpp -- .venv/bin/pip install -U pip >/dev/null
 runuser -u wpp -- .venv/bin/pip install -r requirements.txt >/dev/null
 runuser -u wpp -- .venv/bin/python manage.py migrate --noinput
 systemctl restart wpp-staging.service
-curl -fsS http://127.0.0.1:8000/healthz
-"
+curl -fsS http://127.0.0.1:8000/healthz\"" 
 
 echo "[deploy] OK: staging deploy complete for CT ${CT_ID} (${REF_NAME})"