[nu-demo] hero_skills hardcodes TF Grid private IP 10.1.2.2 as default in service_onlyoffice + auth.nu — breaks nu servers #192

New issue

Closed

opened 2026-04-27 02:43:15 +00:00 by mik-tf · 1 comment

mik-tf commented 2026-04-27 02:43:15 +00:00

Owner

Copy link

Symptom

Fresh installer run on a generic Ubuntu nu server (not a TF Grid VM) leaves two modules with non-functional defaults:

1. tools/modules/services/service_onlyoffice.nu:21 — constant default OO_DEFAULT_BIND = "10.1.2.2:8088". On a host without 10.1.2.2, the OnlyOffice container is started bound to a non-existent IP — docker run succeeds, then /healthcheck curl fails forever; install hangs in oo_wait_healthy.

2. tools/modules/installers/auth.nu:126,136 — HERO_AUTH_LISTEN_ADDR and HERO_AUTH_UPSTREAM_ADDR default to "10.1.2.2". Same failure mode for nginx (bind() to 10.1.2.2 failed).

Operator must know to set ONLYOFFICE_BIND_ADDR / HERO_AUTH_*_ADDR manually, but neither the runbook nor the install messages mention this for non-TF-Grid hosts.

Root cause

These defaults were copy-pasted from the herodemo TF Grid VM (HERO_ROUTER_ADDRESS=10.1.2.2) without an env-driven fallback. The auto-detect at install.sh:468-470 correctly exports HERO_ROUTER_ADDRESS=10.1.2.2 only when 10.1.2.x is present, so on nu servers HERO_ROUTER_ADDRESS is unset and the hardcoded 10.1.2.2 constants leak into bind addresses.

Audit (read-only assessment)

Properly gated already (no fix needed):

• installers.nu install_docker_btrfs — if ("/data" | path exists) guards the btrfs//data/docker config; on nu servers Docker installs with default overlay2.
• installers.nu dockerd start + auth.nu:189-198 nginx reload — both use systemctl … || nohup … fallback.
• service_router.nu start — flag → env → mycelium → 127.0.0.1 fallback chain.
• install.sh:468-470 HERO_ROUTER_ADDRESS auto-export — gated on ip -4 a | grep '10\.1\.2\.'.

Bugs (this issue):

• service_onlyoffice.nu:21 (constant default)
• auth.nu:126,136 (env defaults)

Proper fix

Derive from HERO_ROUTER_ADDRESS (TF Grid auto-detect already sets this), fall back to 127.0.0.1:

• oo_bind precedence: ONLYOFFICE_BIND_ADDR → HERO_ROUTER_ADDRESS:8088 → 127.0.0.1:8088.
• auth.nu precedence: --listen-addr/--upstream-addr → HERO_AUTH_*_ADDR env → HERO_ROUTER_ADDRESS env → 127.0.0.1.

Result:

• nu server with no special env → 127.0.0.1 (works out of the box).
• TF Grid VM → init.sh sets HERO_ROUTER_ADDRESS=10.1.2.2 → OnlyOffice + auth derive 10.1.2.2 (preserves current TF Grid behavior).
• Either host can override via the explicit env vars or flags.

Filed 2026-04-26 during nu-server universality sweep. Signed-off-by: mik-tf

## Symptom Fresh installer run on a generic Ubuntu nu server (not a TF Grid VM) leaves two modules with non-functional defaults: 1. **`tools/modules/services/service_onlyoffice.nu:21`** — constant default `OO_DEFAULT_BIND = "10.1.2.2:8088"`. On a host without `10.1.2.2`, the OnlyOffice container is started bound to a non-existent IP — `docker run` succeeds, then `/healthcheck` curl fails forever; install hangs in `oo_wait_healthy`. 2. **`tools/modules/installers/auth.nu:126,136`** — `HERO_AUTH_LISTEN_ADDR` and `HERO_AUTH_UPSTREAM_ADDR` default to `"10.1.2.2"`. Same failure mode for nginx (`bind() to 10.1.2.2 failed`). Operator must know to set `ONLYOFFICE_BIND_ADDR` / `HERO_AUTH_*_ADDR` manually, but neither the runbook nor the install messages mention this for non-TF-Grid hosts. ## Root cause These defaults were copy-pasted from the herodemo TF Grid VM (`HERO_ROUTER_ADDRESS=10.1.2.2`) without an env-driven fallback. The auto-detect at `install.sh:468-470` correctly exports `HERO_ROUTER_ADDRESS=10.1.2.2` only when `10.1.2.x` is present, so on nu servers `HERO_ROUTER_ADDRESS` is unset and the hardcoded `10.1.2.2` constants leak into bind addresses. ## Audit (read-only assessment) Properly gated already (no fix needed): - `installers.nu install_docker_btrfs` — `if ("/data" | path exists)` guards the btrfs/`/data/docker` config; on nu servers Docker installs with default overlay2. - `installers.nu` dockerd start + `auth.nu:189-198` nginx reload — both use `systemctl … || nohup …` fallback. - `service_router.nu` start — flag → env → mycelium → `127.0.0.1` fallback chain. - `install.sh:468-470` HERO_ROUTER_ADDRESS auto-export — gated on `ip -4 a | grep '10\.1\.2\.'`. Bugs (this issue): - `service_onlyoffice.nu:21` (constant default) - `auth.nu:126,136` (env defaults) ## Proper fix Derive from `HERO_ROUTER_ADDRESS` (TF Grid auto-detect already sets this), fall back to `127.0.0.1`: - `oo_bind` precedence: `ONLYOFFICE_BIND_ADDR` → `HERO_ROUTER_ADDRESS:8088` → `127.0.0.1:8088`. - `auth.nu` precedence: `--listen-addr/--upstream-addr` → `HERO_AUTH_*_ADDR` env → `HERO_ROUTER_ADDRESS` env → `127.0.0.1`. Result: - nu server with no special env → 127.0.0.1 (works out of the box). - TF Grid VM → init.sh sets HERO_ROUTER_ADDRESS=10.1.2.2 → OnlyOffice + auth derive 10.1.2.2 (preserves current TF Grid behavior). - Either host can override via the explicit env vars or flags. Filed 2026-04-26 during nu-server universality sweep. Signed-off-by: mik-tf

mik-tf referenced this issue from a commit 2026-04-27 02:44:03 +00:00

fix(skills): degate TF Grid hardcoded defaults + close service_books parens parse error

mik-tf referenced this issue from a commit 2026-04-27 02:49:14 +00:00

fix(skills): degate TF Grid hardcoded defaults + close service_books parens parse error

mik-tf commented 2026-04-27 02:49:52 +00:00

Author

Owner

Copy link

Fixed in hero_skills commit 4b2a26c on development.

service_onlyoffice.nu:

• OO_DEFAULT_BIND changed from "10.1.2.2:8088" to "127.0.0.1:8088".
• oo_bind precedence: ONLYOFFICE_BIND_ADDR (explicit) → HERO_ROUTER_ADDRESS:8088 (TF Grid auto-detect) → OO_DEFAULT_BIND.

auth.nu basic_auth_setup:

• New router_addr_default = HERO_ROUTER_ADDRESS or "127.0.0.1".
• lst_addr / up_addr precedence: --listen-addr / --upstream-addr (flag) → HERO_AUTH_*_ADDR (env) → router_addr_default.
• Doc + flag-help strings updated to reflect new defaults.

Verification across deploy targets:

Scenario	oo_bind	auth.nu lst_addr
nu server (no env)	127.0.0.1:8088	127.0.0.1
TF Grid (HERO_ROUTER_ADDRESS=10.1.2.2 auto-set)	10.1.2.2:8088	10.1.2.2
explicit override	respected	respected

TF Grid behavior is preserved (init.sh's 10.1.2.x auto-detect at install.sh:468-470 continues to export HERO_ROUTER_ADDRESS=10.1.2.2, which the new defaults pick up).

Audit also confirmed clean (no fix needed):

• install_docker_btrfs — /data/docker config gated on ("/data" | path exists); nu servers get default overlay2.
• dockerd / nginx start — systemctl … || nohup … fallback in both modules.
• service_router.nu — flag → env → mycelium → 127.0.0.1 precedence chain.
• install.sh:468-470 — TF Grid IP auto-detect gated on ip -4 a | grep '10\.1\.2\.'.

Signed-off-by: mik-tf

Fixed in hero_skills commit `4b2a26c` on `development`. **`service_onlyoffice.nu`:** - `OO_DEFAULT_BIND` changed from `"10.1.2.2:8088"` to `"127.0.0.1:8088"`. - `oo_bind` precedence: `ONLYOFFICE_BIND_ADDR` (explicit) → `HERO_ROUTER_ADDRESS:8088` (TF Grid auto-detect) → `OO_DEFAULT_BIND`. **`auth.nu` `basic_auth_setup`:** - New `router_addr_default = HERO_ROUTER_ADDRESS or "127.0.0.1"`. - `lst_addr` / `up_addr` precedence: `--listen-addr` / `--upstream-addr` (flag) → `HERO_AUTH_*_ADDR` (env) → `router_addr_default`. - Doc + flag-help strings updated to reflect new defaults. **Verification across deploy targets:** | Scenario | `oo_bind` | `auth.nu` lst_addr | |----------|-----------|---------------------| | nu server (no env) | `127.0.0.1:8088` | `127.0.0.1` | | TF Grid (`HERO_ROUTER_ADDRESS=10.1.2.2` auto-set) | `10.1.2.2:8088` | `10.1.2.2` | | explicit override | respected | respected | TF Grid behavior is preserved (init.sh's `10.1.2.x` auto-detect at `install.sh:468-470` continues to export `HERO_ROUTER_ADDRESS=10.1.2.2`, which the new defaults pick up). **Audit also confirmed clean** (no fix needed): - `install_docker_btrfs` — `/data/docker` config gated on `("/data" | path exists)`; nu servers get default overlay2. - dockerd / nginx start — `systemctl … || nohup …` fallback in both modules. - `service_router.nu` — flag → env → mycelium → `127.0.0.1` precedence chain. - `install.sh:468-470` — TF Grid IP auto-detect gated on `ip -4 a | grep '10\.1\.2\.'`. Signed-off-by: mik-tf

mik-tf closed this issue 2026-04-27 02:49:53 +00:00

mik-tf referenced this issue from lhumina_code/hero_demo 2026-05-02 13:21:58 +00:00

[infra][P1] CI-built static-musl binaries + --from-ci install path — make deploys minutes, not hours #54

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

development

main

No results found.

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lhumina_code/home#192

No description provided.