max / makenotwork

sando: bootstrap ensures SANDO_API_TOKEN on a pre-existing sando.env

The token was only written when creating sando.env fresh (`if [[ ! -f ]]`), so a host whose env file already existed with just SANDO_DAEMON never got a token — and a non-loopback `listen` makes sandod refuse to start without one (CF2), crash-looping on the next restart.

Now the file and the token are ensured separately: append SANDO_API_TOKEN whenever it's absent, regardless of whether the file existed.

Surfaced live bootstrapping sandod 0.2.1 on fw13.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Author: Max Johnson <me@maxj.phd> · 2026-06-12 22:07 UTC
Commit: 89486d01867a251dcc455af841249e33417e58a1
Parent: 20cf471
1 file changed, +13 insertions, -8 deletions
@@ -213,16 +213,21 @@ install -m 0644 -o root -g root \
213 213 # by sandod, the post-receive hook, and the backup-fetch timer. A token is
214 214 # generated per host so a fresh install is authenticated by default — required
215 215 # once the daemon binds a non-loopback address (it refuses to start otherwise).
216 - # 0640 root:sando keeps it readable by the daemon + hook, not world. Only write
217 - # if missing — operator may have customized.
216 + # 0640 root:sando keeps it readable by the daemon + hook, not world.
217 + #
218 + # Ensure the file AND a token, separately. An earlier install (or an operator)
219 + # may have created sando.env with only SANDO_DAEMON; without the per-key check
220 + # the token would never be added and the daemon would crash-loop on a
221 + # non-loopback bind ("SANDO_API_TOKEN is unset ... refusing to start").
218 222 if [[ ! -f /etc/sando/sando.env ]]; then
219 - {
220 - echo "SANDO_DAEMON=$SANDO_DAEMON_URL"
221 - echo "SANDO_API_TOKEN=$(openssl rand -hex 32)"
222 - } > /etc/sando/sando.env
223 - chown root:"$SANDO_USER" /etc/sando/sando.env
224 - chmod 0640 /etc/sando/sando.env
223 + echo "SANDO_DAEMON=$SANDO_DAEMON_URL" > /etc/sando/sando.env
224 + fi
225 + if ! grep -q '^SANDO_API_TOKEN=' /etc/sando/sando.env; then
226 + echo "SANDO_API_TOKEN=$(openssl rand -hex 32)" >> /etc/sando/sando.env
227 + log " generated SANDO_API_TOKEN in /etc/sando/sando.env"
225 228 fi
229 + chown root:"$SANDO_USER" /etc/sando/sando.env
230 + chmod 0640 /etc/sando/sando.env
226 231
227 232 log "11/13 systemd units"
228 233 install -m 0644 -o root -g root \
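
Review bot: The per-key check at new line 225, `grep -q '^SANDO_API_TOKEN='`, also matches a line whose value is empty, so a pre-existing `SANDO_API_TOKEN=` is treated as present and no token is ever generated. The same state can be produced by this script: if `openssl rand -hex 32` fails inside the command substitution at line 226, `echo` still appends `SANDO_API_TOKEN=` and every later run skips the block. If sandod treats an empty token as unset, that is the same crash-loop the commit is fixing. Suggest generating the token into a variable first, refusing to continue if it is empty, and matching a non-empty value with `'^SANDO_API_TOKEN=.'`. Two smaller points in the same lines: the `>>` append assumes the existing file ends with a newline, so an operator-edited sando.env without one gets the token glued onto its last line; and on a fresh install the file is created at line 223 and the token appended at line 226 before `chmod 0640` runs at line 230, so the secret is briefly written under whatever the umask allows. Setting a restrictive umask before the first redirect, or moving the `chown`/`chmod` ahead of the append, closes that window.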