feat(init): persist DECNET-service api-user/api-group to decnet.ini

DEBT-035 step 1. The composer needs to know which uid/gid to inject into each compose fragment's `user:` directive at deploy time. Today the resolved `--user` / `--group` values reach systemd unit rendering (init.py:349–354) but are not persisted anywhere the composer can read them. Persist as **names** (not numeric ids) under `[decnet] api-user` / `api-group` in the rendered decnet.ini placeholder. Resolution to uid/gid happens at deploy time on whichever host runs the deploy, via `pwd.getpwnam(...)` / `grp.getgrnam(...)` — so the same user name can have different uids on master vs agents (heterogeneous /etc/passwd) without breaking artifact ownership. The existing config_ini auto-translates kebab→DECNET_API_USER / DECNET_API_GROUP at load time; no domain-map changes needed. Two new tests: one asserting the rendered ini carries the `api-user` / `api-group` keys for the values passed to `--user` / `--group`; one round-tripping through `load_ini_config` to confirm the env vars land in `os.environ` for the composer to pick up.
2026-05-02 19:33:53 -04:00
parent b3ea3fa925
commit 39a298f685
2 changed files with 65 additions and 3 deletions
--- a/decnet/cli/init.py
+++ b/decnet/cli/init.py
@@ -44,6 +44,12 @@ _CONFIG_PLACEHOLDER = """\
 # EnvironmentFile= — never in a group-readable INI.

 [decnet]
+# DECNET-service user/group as configured at `decnet init` time.
+# Resolved to a uid/gid on each host at deploy time via pwd.getpwnam,
+# so the same user name can have different numeric uids on master vs
+# agents without breaking artifact ownership.
+api-user = {api_user}
+api-group = {api_group}
 # mode = master                          # or "agent"

 # [api]
@@ -198,14 +204,17 @@ def _ensure_dir(
    return f"skip: {path} already present" if existed else "ok"


-def _ensure_config(path: Path, group: str, *, dry_run: bool) -> str:
+def _ensure_config(
+    path: Path, group: str, *, user: str, dry_run: bool,
+) -> str:
    if path.exists():
        return f"skip: {path} already present"
    if dry_run:
        console.print(f"  [dim]would write:[/] {path}")
        return "ok"
    path.parent.mkdir(parents=True, exist_ok=True)
-    path.write_text(_CONFIG_PLACEHOLDER)
+    rendered = _CONFIG_PLACEHOLDER.format(api_user=user, api_group=group)
+    path.write_text(rendered)
    try:
        os.chmod(path, 0o640)
        gid = grp.getgrnam(group).gr_gid
@@ -781,7 +790,10 @@ def register(app: typer.Typer) -> None:
            )
        _step(
            f"write {etc_decnet / 'decnet.ini'}",
-            lambda: _ensure_config(etc_decnet / "decnet.ini", group, dry_run=dry_run),
+            lambda: _ensure_config(
+                etc_decnet / "decnet.ini", group,
+                user=user, dry_run=dry_run,
+            ),
        )
        _step(
            "install systemd units",