From fce18c1ee34a7c91cb782d879f22149c610fca11 Mon Sep 17 00:00:00 2001 From: Asger Geel Weirsoee Date: Sat, 28 Feb 2026 11:31:39 +0000 Subject: [PATCH 1/2] staging: enforce MySQL and add staging env template (#133) --- .gitignore | 1 + infra/env/.env.staging.example | 12 ++++++++++++ infra/staging/DB_SETUP.md | 3 +++ infra/staging/README.md | 3 +++ infra/staging/deploy_staging.sh | 5 +++++ 5 files changed, 24 insertions(+) create mode 100644 infra/env/.env.staging.example diff --git a/.gitignore b/.gitignore index 28be0e6..a06f3ff 100644 --- a/.gitignore +++ b/.gitignore @@ -22,6 +22,7 @@ media/ .env .env.* !.env.test.example +!.env.staging.example !.env.prod.example # Editors/OS diff --git a/infra/env/.env.staging.example b/infra/env/.env.staging.example new file mode 100644 index 0000000..0f02781 --- /dev/null +++ b/infra/env/.env.staging.example @@ -0,0 +1,12 @@ +DJANGO_SECRET_KEY=change-me-staging +DJANGO_DEBUG=false +DJANGO_ALLOWED_HOSTS=staging.party.weircon.dk +DB_ENGINE=django.db.backends.mysql +DB_NAME=wpp_staging +DB_USER=wpp_staging +DB_PASSWORD=change-me +DB_HOST=127.0.0.1 +DB_PORT=3306 +TEST_DB_NAME= +CHANNEL_REDIS_HOST=127.0.0.1 +CHANNEL_REDIS_PORT=6379 diff --git a/infra/staging/DB_SETUP.md b/infra/staging/DB_SETUP.md index a615c4c..29e0e36 100644 --- a/infra/staging/DB_SETUP.md +++ b/infra/staging/DB_SETUP.md @@ -4,15 +4,18 @@ ## Databaser - `wpp_test` +- `wpp_staging` - `wpp_prod` ## Brugere - `wpp_test_user` (least privilege på `wpp_test`) +- `wpp_staging_user` (least privilege på `wpp_staging`) - `wpp_prod_user` (least privilege på `wpp_prod`) ## Secrets placering I Secrets-repo: - `wpp/wpp_test.env` +- `wpp/wpp_staging.env` - `wpp/wpp_prod.env` Forventede felter: diff --git a/infra/staging/README.md b/infra/staging/README.md index d9f09e9..68e7824 100644 --- a/infra/staging/README.md +++ b/infra/staging/README.md 
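Review bot: In `infra/env/.env.staging.example`, `DB_USER=wpp_staging` does not match the account this same commit documents in `DB_SETUP.md`, `wpp_staging_user`, so a copy of the template would connect as a different user than the documented least-privilege one; use `DB_USER=wpp_staging_user` if that account is the intended one. The placeholders `DJANGO_SECRET_KEY=change-me-staging` and `DB_PASSWORD=change-me` look like valid values, and nothing visible in the deploy script rejects them, so an unedited copy would start with a publicly known signing key. A first line such as `# Template only: replace every change-me value; real values live in the secrets repo` would make that explicit.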
@@ -8,6 +8,7 @@ Staging-miljø for WPP i Proxmox LXC, så release-klar kode kan deployes og smok - App path: /opt/wpp-staging/app - Service: wpp-staging.service - Health endpoint: GET /healthz +- Database: MySQL (staging må ikke bruge SQLite, issue #133) ## Verifikation Kør fra devops-shell med Proxmox-adgang: @@ -21,6 +22,8 @@ Forventet: - service er active - healthz returnerer JSON med ok=true +Efter deploy vil scriptet også verificere at `DB_ENGINE` ikke er `django.db.backends.sqlite3` før migrations køres. + ## Deploy (canonical execution context) Deploy skal altid køres via Proxmox host over SSH (ikke fra lokal coder-shell med direkte sudo pct). diff --git a/infra/staging/deploy_staging.sh b/infra/staging/deploy_staging.sh index b440c3c..1407797 100755 --- a/infra/staging/deploy_staging.sh +++ b/infra/staging/deploy_staging.sh @@ -17,10 +17,15 @@ rm -rf src && mkdir src tar -xzf app.tar.gz -C src --strip-components=1 rm -rf /opt/wpp-staging/app/* cp -a src/. /opt/wpp-staging/app/ +# Ensure deploy artifact copied as root does not leave app tree non-writable for wpp. +chown -R wpp:wpp /opt/wpp-staging/app +# Staging must not run on SQLite (issue #133). Remove bundled sqlite artifact. +rm -f /opt/wpp-staging/app/db.sqlite3 cd /opt/wpp-staging/app runuser -u wpp -- python3 -m venv .venv runuser -u wpp -- .venv/bin/pip install -U pip >/dev/null runuser -u wpp -- .venv/bin/pip install -r requirements.txt >/dev/null +runuser -u wpp -- .venv/bin/python manage.py shell -c \"from django.conf import settings; import sys; engine = settings.DATABASES['default']['ENGINE']; print(f'DB_ENGINE={engine}'); sys.exit(0 if engine != 'django.db.backends.sqlite3' else 1)\" runuser -u wpp -- .venv/bin/python manage.py migrate --noinput systemctl restart wpp-staging.service curl -fsS http://127.0.0.1:8000/healthz\"" From a36221ae4b92802cd60813600f30c51c7d255d9e Mon Sep 17 00:00:00 2001 
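Review bot: The guard on the `manage.py shell -c` line in `deploy_staging.sh` only rejects `django.db.backends.sqlite3`, so any other engine, including other SQLite-based backends, passes although the commit is meant to enforce MySQL; an allow-list is tighter: `sys.exit(0 if engine == 'django.db.backends.mysql' else 1)`. The guard stops the deploy only if the surrounding command runs with errexit, which is set, if at all, outside this hunk; without it `migrate` still runs after a non-zero exit. `chown -R wpp:wpp /opt/wpp-staging/app` also leaves the application code writable by the account the service presumably runs as; if only `.venv` has to be writable, limiting the chown to that directory keeps a compromised app process from rewriting its own code.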
From: Asger Geel Weirsoee
Date: Sat, 28 Feb 2026 14:02:09 +0000
Subject: [PATCH 2/2] staging deploy: load env before manage.py checks
---
 infra/staging/deploy_staging.sh | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/infra/staging/deploy_staging.sh b/infra/staging/deploy_staging.sh
index 1407797..5704af1 100755
--- a/infra/staging/deploy_staging.sh
+++ b/infra/staging/deploy_staging.sh
@@ -22,6 +22,29 @@ chown -R wpp:wpp /opt/wpp-staging/app
 # Staging must not run on SQLite (issue #133). Remove bundled sqlite artifact.
 rm -f /opt/wpp-staging/app/db.sqlite3
 cd /opt/wpp-staging/app
+
+# Load staging env before any manage.py call (issue #133 follow-up).
+ENV_LOADED=0
+for ENV_FILE in \
+ /opt/wpp-staging/.env.staging \
+ /opt/wpp-staging/.env \
+ /opt/wpp-staging/env/wpp_staging.env \
+ /opt/wpp-staging/secrets/wpp_staging.env
+ do
+ if [ -f "${ENV_FILE}" ]; then
+ set -a
+ . "${ENV_FILE}"
+ set +a
+ echo "[deploy] loaded staging env: ${ENV_FILE}"
+ ENV_LOADED=1
+ break
+ fi
+done
+if [ "${ENV_LOADED}" -ne 1 ]; then
+ echo "[deploy] ERROR: no staging env file found"
+ exit 1
+fi
+
 runuser -u wpp -- python3 -m venv .venv
 runuser -u wpp -- .venv/bin/pip install -U pip >/dev/null
 runuser -u wpp -- .venv/bin/pip install -r requirements.txt >/dev/null
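Review bot: `. "${ENV_FILE}"` executes the env file as shell code in the deploy shell, which appears to run as root (it calls `chown`, `runuser` and `systemctl` directly), so write access to any of the four candidate paths becomes root code execution at the next deploy; the files' ownership is not visible here. Reading `KEY=VALUE` pairs as data, as sketched below, removes that path, and the error branch should write to stderr. Because of `set -a`, everything loaded is also inherited by the two `pip install` steps after the block, which need neither database nor signing secrets; placing the loader directly above the first `manage.py` call, outside this hunk, would keep them out of package build code. Separately, the previous patch escapes quotes as `\"` in this file and its last line ends in `healthz\""`, which suggests the body sits inside a double-quoted command string opened outside the hunk; if so, the unescaped `"`, `${ENV_FILE}` and `${ENV_LOADED}` here are consumed by the calling shell and need the same escaping, as would the sketch.

```shell
  if [ -f "${ENV_FILE}" ]; then
    # Read KEY=VALUE pairs as data so the file is never executed by the root shell.
    # Unlike sourcing, quotes around a value are kept literally.
    while IFS= read -r ENV_LINE || [ -n "${ENV_LINE}" ]; do
      case "${ENV_LINE}" in
        '' | '#'*) continue ;;
      esac
      ENV_KEY=${ENV_LINE%%=*}
      case "${ENV_KEY}" in
        "${ENV_LINE}" | '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*)
          # Name the file only; the line itself may hold a secret.
          echo "[deploy] ERROR: malformed line in ${ENV_FILE}" >&2
          exit 1
          ;;
      esac
      export "${ENV_KEY}=${ENV_LINE#*=}"
    done < "${ENV_FILE}"
    # … unchanged: "loaded staging env" log line, ENV_LOADED=1, break …
  fi
```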