feat: Create authenticated Iroh flavoured bootstrap deployment for Unyt

[ThetaSinner]

Deployed at https://hc-auth-iroh-unyt.holochain.org/

Closes #14

Summary by CodeRabbit

• New Features

  • Introduces an Iroh-flavored auth bootstrap service with GitHub OAuth support, session secret handling, and API token support; deploys as a Podman-based multi-service stack.

• Documentation

  • Adds a deployment guide for OAuth setup, session secret generation, API token creation, and configuration steps.

• Chores

  • Bumps Go toolchain and updates CI action versions.

• Maintenance

  • Replaces legacy dev-test provisioning with a templated provisioning flow.

[coderabbitai]

Warning

Rate limit exceeded

@ThetaSinner has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 21 minutes and 7 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 31e29e96-3c6f-4987-99da-a203a820e36a

📥 Commits

Reviewing files that changed from the base of the PR and between a46f60a and 74f313f.

📒 Files selected for processing (1)

• hc-auth-iroh-unyt/cloud-init.yaml.tmpl

Walkthrough

Replaces dev-test bootstrap artifacts with a new template-driven hc-auth-iroh-unyt deployment: adds Pulumi config entries for GitHub/OAuth and API tokens, introduces a cloud-init Podman/docker-compose template, updates Pulumi provisioning in main.go to use the template, removes dev-test cloud-init/docker-compose files, updates go.mod, and adds README docs.

Changes

Cohort / File(s)	Summary
Pulumi configuration Pulumi.network-services.yaml	Adds secure config keys for hc-auth-iroh-unyt: api-tokens, github-client-id, github-client-secret, session-secret (retains existing DO token).
Cloud-init template & assets hc-auth-iroh-unyt/cloud-init.yaml.tmpl	New cloud-init template that installs podman/podman-compose, writes Podman/docker-compose stack (services: bootstrap, auth, db, caddy), Caddyfile, and auth.env with OAuth/API placeholders; sets file permissions.
Main provisioning logic main.go	Replaces dev-test flow with template-driven provisioning: parses hc-auth-iroh-unyt/cloud-init.yaml.tmpl, reads Pulumi secrets, generates UserData via template and ApplyT, and adds configureHcAuthIrohUnyt(ctx, cloudInitTmpl) which creates the hc-auth-iroh-unyt Droplet.
Removed dev-test artifacts dev-test-auth/cloud-init.yaml, dev-test-auth/docker-compose.yaml, dev-test-iroh-relay/cloud-init.yaml, dev-test-iroh-relay/docker-compose.yaml	Deletes previous dev-test cloud-init and docker-compose definitions for bootstrap and iroh-relay.
CI workflows .github/workflows/...	Bumps actions versions (checkout v4→v6, setup-go v5→v6) and updates lint step to reference the new cloud-init template path.
Documentation README.md	Adds documentation covering hc-auth-iroh-unyt bootstrap, OAuth app configuration, Pulumi config keys, session secret generation, and API token handling.
Go module go.mod	Updates Go toolchain from 1.23.6 to 1.24.6 and adds indirect require github.com/spf13/cast v1.4.1.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat: add bootstrap-iroh-relay deployment #11: Related templatization and replacement of earlier cloud-init/docker-compose bootstrap + iroh-relay deployments; closely connected to the provisioning/template changes in this PR.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The pull request title accurately describes the main change: creating an authenticated Iroh flavoured bootstrap deployment for Unyt, which is the primary objective.
Linked Issues check	✅ Passed	The pull request implements the key coding requirements from issue #14: production-ready deployment of bootstrap+Iroh relay with auth service, OAuth configuration via Pulumi secrets, and decommissioning dev-test services.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with issue #14 objectives: new deployment configuration (Pulumi config, cloud-init template, main.go refactoring), removal of superseded dev-test services, and workflow updates for the new deployment.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch create-auth-iroh-unyt-deploy

📝 Coding Plan for PR comments

• Generate coding plan

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[holochain-release-automation2]

🍹 preview on network-services/holochain/network-services

Pulumi report

View in Pulumi Cloud

  Previewing update (holochain/network-services)

View Live: https://app.pulumi.com/holochain/network-services/network-services/previews/67813c99-1f6e-4901-99f0-ee1c97aa988f

pulumi:pulumi:Stack: (same)
  [urn=urn:pulumi:network-services::network-services::pulumi:pulumi:Stack::network-services-network-services]
Resources:
  3 unchanged
  

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (2)

main.go (1)

116-125: Extract SSH fingerprint lookup into a shared helper.

This block duplicates logic already present in other deploy functions and repeats the same API call pattern.

♻️ Suggested refactor shape

+func getSshFingerprints(ctx *pulumi.Context) ([]string, error) {
+	getSshKeysResult, err := digitalocean.GetSshKeys(ctx, &digitalocean.GetSshKeysArgs{}, nil)
+	if err != nil {
+		return nil, err
+	}
+	sshFingerprints := make([]string, 0, len(getSshKeysResult.SshKeys))
+	for _, key := range getSshKeysResult.SshKeys {
+		sshFingerprints = append(sshFingerprints, key.Fingerprint)
+	}
+	return sshFingerprints, nil
+}
+
 func configureHcAuthIrohUnyt(ctx *pulumi.Context, cloudInitTmpl *template.Template) error {
-	getSshKeysResult, err := digitalocean.GetSshKeys(ctx, &digitalocean.GetSshKeysArgs{}, nil)
-	if err != nil {
-		return err
-	}
-
-	var sshFingerprints []string
-	for _, key := range getSshKeysResult.SshKeys {
-		sshFingerprints = append(sshFingerprints, key.Fingerprint)
-	}
+	sshFingerprints, err := getSshFingerprints(ctx)
+	if err != nil {
+		return err
+	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@main.go` around lines 116 - 125, The SSH fingerprint collection logic in
configureHcAuthIrohUnyt duplicates a pattern (digitalocean.GetSshKeys -> iterate
getSshKeysResult.SshKeys -> collect key.Fingerprint) used elsewhere; refactor by
extracting this into a shared helper (e.g., GetAllSshFingerprints or
fetchSshFingerprints) that accepts the Pulumi context and returns ([]string,
error), replace the inline block in configureHcAuthIrohUnyt and other deploy
functions with calls to that helper, and ensure callers handle the returned
error instead of repeating
digitalocean.GetSshKeys/getSshKeysResult/sshFingerprints logic.

hc-auth-iroh-unyt/cloud-init.yaml.tmpl (1)

14-14: Pin container images by digest for reproducible, safer deploys.

Using mutable tags allows unexpected image drift across deployments.

Also applies to: 32-32, 43-43, 56-56

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@hc-auth-iroh-unyt/cloud-init.yaml.tmpl` at line 14, Replace mutable image
tags with immutable digests to pin container images; locate each occurrence of
the image reference "ghcr.io/holochain/kitsune2_bootstrap_srv:v0.4.0-dev.3" (and
the two other occurrences noted) in the cloud-init template and change them to
the corresponding SHA256 digest form (e.g.
ghcr.io/holochain/kitsune2_bootstrap_srv@sha256:...) by pulling the correct
digest from the registry and updating the template, then run the
deployment/image pull verification requested to confirm the digest resolves
correctly.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@hc-auth-iroh-unyt/cloud-init.yaml.tmpl`:
- Around line 37-38: The template currently publishes internal service ports
(e.g., the ports mapping "- \"3000:3000\"" for the auth service and similar for
db:6379), which exposes internal services to the host; change these to not be
host-published by removing the host:container "ports" mappings and instead use
internal-only publication (e.g., replace the ports entries for the auth and db
services with "expose: - '3000'" and "expose: - '6379'" or remove the mappings
entirely), or bind them to localhost only if host access is required
(127.0.0.1:3000), so that the auth (service name "auth"/ports mapping) and db
(service name "db"/ports mapping) are only reachable via the internal
network/reverse proxy.

In `@README.md`:
- Around line 191-203: Fix the README command formatting and typo: wrap the
pulumi config examples and the two shell pipelines in fenced shell blocks,
correct "set is as a secret" to "set it as a secret", and ensure the three
referenced config keys (hc-auth-iroh-unyt:github-client-id,
hc-auth-iroh-unyt:github-client-secret, hc-auth-iroh-unyt:session-secret) and
the api-tokens pipeline (uuidgen | tee api-token.txt | pulumi config set
--secret hc-auth-iroh-unyt:api-tokens) are shown inside ```sh ... ``` blocks for
copy-paste reliability.

---

Nitpick comments:
In `@hc-auth-iroh-unyt/cloud-init.yaml.tmpl`:
- Line 14: Replace mutable image tags with immutable digests to pin container
images; locate each occurrence of the image reference
"ghcr.io/holochain/kitsune2_bootstrap_srv:v0.4.0-dev.3" (and the two other
occurrences noted) in the cloud-init template and change them to the
corresponding SHA256 digest form (e.g.
ghcr.io/holochain/kitsune2_bootstrap_srv@sha256:...) by pulling the correct
digest from the registry and updating the template, then run the
deployment/image pull verification requested to confirm the digest resolves
correctly.

In `@main.go`:
- Around line 116-125: The SSH fingerprint collection logic in
configureHcAuthIrohUnyt duplicates a pattern (digitalocean.GetSshKeys -> iterate
getSshKeysResult.SshKeys -> collect key.Fingerprint) used elsewhere; refactor by
extracting this into a shared helper (e.g., GetAllSshFingerprints or
fetchSshFingerprints) that accepts the Pulumi context and returns ([]string,
error), replace the inline block in configureHcAuthIrohUnyt and other deploy
functions with calls to that helper, and ensure callers handle the returned
error instead of repeating
digitalocean.GetSshKeys/getSshKeysResult/sshFingerprints logic.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between dce4e1c and 427b02d.

⛔ Files ignored due to path filters (2)

• flake.lock is excluded by !**/*.lock
• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• Pulumi.network-services.yaml
• README.md
• go.mod
• hc-auth-iroh-unyt/cloud-init.yaml.tmpl
• main.go

[coderabbitai]

🧹 Nitpick comments (1)

main.go (1)

24-27: Consider adding missingkey=error option for defensive template handling.

The template currently renders without errors because all required placeholders (GithubClientId, GithubClientSecret, SessionSecret, ApiTokens) are provided in the data map. However, adding Option("missingkey=error") would cause template execution to fail fast if a placeholder is added to the template without corresponding data, preventing silently-rendered empty values in cloud-init configuration.

Suggested improvement

-hcAuthIrohUnytCloudInitTmpl, err := template.New("hc-auth-iroh-unyt-cloud-init").Parse(string(hcAuthIrohUnytCloudInitBytes))
+hcAuthIrohUnytCloudInitTmpl, err := template.New("hc-auth-iroh-unyt-cloud-init").
+	Option("missingkey=error").
+	Parse(string(hcAuthIrohUnytCloudInitBytes))

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@main.go` around lines 24 - 27, The parsed template
hcAuthIrohUnytCloudInitTmpl should be created with the missingkey=error option
to fail fast on missing placeholders; update the template creation call that
currently uses template.New("hc-auth-iroh-unyt-cloud-init").Parse(...) so it
calls
template.New("hc-auth-iroh-unyt-cloud-init").Option("missingkey=error").Parse(...)
(referencing hcAuthIrohUnytCloudInitTmpl and the template.New/...Parse chain) to
ensure execution errors if any template key is missing.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@main.go`:
- Around line 24-27: The parsed template hcAuthIrohUnytCloudInitTmpl should be
created with the missingkey=error option to fail fast on missing placeholders;
update the template creation call that currently uses
template.New("hc-auth-iroh-unyt-cloud-init").Parse(...) so it calls
template.New("hc-auth-iroh-unyt-cloud-init").Option("missingkey=error").Parse(...)
(referencing hcAuthIrohUnytCloudInitTmpl and the template.New/...Parse chain) to
ensure execution errors if any template key is missing.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 427b02d and 42ce99c.

⛔ Files ignored due to path filters (2)

• flake.lock is excluded by !**/*.lock
• go.sum is excluded by !**/*.sum

📒 Files selected for processing (9)

• Pulumi.network-services.yaml
• README.md
• dev-test-auth/cloud-init.yaml
• dev-test-auth/docker-compose.yaml
• dev-test-iroh-relay/cloud-init.yaml
• dev-test-iroh-relay/docker-compose.yaml
• go.mod
• hc-auth-iroh-unyt/cloud-init.yaml.tmpl
• main.go

💤 Files with no reviewable changes (4)

• dev-test-auth/docker-compose.yaml
• dev-test-auth/cloud-init.yaml
• dev-test-iroh-relay/docker-compose.yaml
• dev-test-iroh-relay/cloud-init.yaml

🚧 Files skipped from review as they are similar to previous changes (3)

• go.mod
• README.md
• hc-auth-iroh-unyt/cloud-init.yaml.tmpl

[coderabbitai]

🧹 Nitpick comments (1)

README.md (1)

186-186: Use imperative wording for setup instructions.

Line 186 reads like a completed action. For operator docs, use imperative voice for clarity.

✏️ Suggested docs tweak

-Configured an OAuth application as directed by the [hc-auth-iroh-unyt README](https://github.com/holochain/hc-auth-server).
+Configure an OAuth application as directed by the [hc-auth-iroh-unyt README](https://github.com/holochain/hc-auth-server).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 186, Change the sentence "Configured an OAuth application
as directed by the [hc-auth-iroh-unyt
README](https://github.com/holochain/hc-auth-server)." to an imperative
instruction, e.g., "Configure an OAuth application as directed by the
[hc-auth-iroh-unyt README](https://github.com/holochain/hc-auth-server)." so the
setup step uses imperative voice for operators.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@README.md`:
- Line 186: Change the sentence "Configured an OAuth application as directed by
the [hc-auth-iroh-unyt README](https://github.com/holochain/hc-auth-server)." to
an imperative instruction, e.g., "Configure an OAuth application as directed by
the [hc-auth-iroh-unyt README](https://github.com/holochain/hc-auth-server)." so
the setup step uses imperative voice for operators.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6c0e028c-f12f-4f1e-9d03-8e8c5c05ec2f

📥 Commits

Reviewing files that changed from the base of the PR and between 42ce99c and a4d63ff.

📒 Files selected for processing (3)

• Pulumi.network-services.yaml
• README.md
• hc-auth-iroh-unyt/cloud-init.yaml.tmpl

🚧 Files skipped from review as they are similar to previous changes (2)

• hc-auth-iroh-unyt/cloud-init.yaml.tmpl
• Pulumi.network-services.yaml

[jost-s]

Maybe we can deploy our test relay as well some day, with or without auth.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

main.go (1)

24-24: Fail fast on missing template variables.

text/template does not error on a missing map key by default; it keeps rendering and will emit <no value>. For deployment user-data, that turns a key mismatch between hc-auth-iroh-unyt/cloud-init.yaml.tmpl and data into a broken droplet config instead of a failed preview/apply. Parsing with Option("missingkey=error") would make this safer. (pkg.go.dev)

Suggested change

-hcAuthIrohUnytCloudInitTmpl, err := template.New("hc-auth-iroh-unyt-cloud-init").Parse(string(hcAuthIrohUnytCloudInitBytes))
+hcAuthIrohUnytCloudInitTmpl, err := template.New("hc-auth-iroh-unyt-cloud-init").
+	Option("missingkey=error").
+	Parse(string(hcAuthIrohUnytCloudInitBytes))

Also applies to: 87-100

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@main.go` at line 24, The template creation for hcAuthIrohUnytCloudInitTmpl
currently parses without failing on missing map keys; change the creation to
enable strict missing-key handling by calling
template.New("hc-auth-iroh-unyt-cloud-init").Option("missingkey=error") before
Parse so template.New(...).Option("missingkey=error").Parse(...) is used; apply
the same change to the other template.New(...).Parse(...) calls in this file
(the other cloud-init/template variables around the same area) so any missing
template variables cause immediate errors rather than rendering "<no value>".

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/deploy.yaml:
- Around line 13-14: Replace the mutable tags for the GitHub Actions with
immutable commit SHAs: change uses: actions/checkout@v6 to the corresponding
full commit SHA (e.g., actions/checkout@<commit-sha>) and uses:
actions/setup-go@v6 to its full commit SHA (e.g.,
actions/setup-go@<commit-sha>), and add an explicit job-level permissions block
with contents: read to limit access to repository contents; update the two uses
entries (actions/checkout and actions/setup-go) and add permissions: contents:
read in the workflow job definition.

In @.github/workflows/preview.yaml:
- Line 11: Replace the mutable action tags with full commit SHAs for every
third-party action usage noted (actions/checkout, actions/setup-go,
pulumi/actions, re-actors/alls-green) so the workflow uses immutable references;
locate the occurrences where the workflow currently uses short tags like
actions/checkout@v6, actions/setup-go@v4 (and the pulumi/actions and
re-actors/alls-green references) and update each to the corresponding
full-length commit SHA for the exact release you intend to pin, keeping the rest
of the step configuration unchanged.

---

Nitpick comments:
In `@main.go`:
- Line 24: The template creation for hcAuthIrohUnytCloudInitTmpl currently
parses without failing on missing map keys; change the creation to enable strict
missing-key handling by calling
template.New("hc-auth-iroh-unyt-cloud-init").Option("missingkey=error") before
Parse so template.New(...).Option("missingkey=error").Parse(...) is used; apply
the same change to the other template.New(...).Parse(...) calls in this file
(the other cloud-init/template variables around the same area) so any missing
template variables cause immediate errors rather than rendering "<no value>".

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 275b4f35-d437-4c12-9da0-a522016ce1bd

📥 Commits

Reviewing files that changed from the base of the PR and between a4d63ff and a46f60a.

⛔ Files ignored due to path filters (2)

• flake.lock is excluded by !**/*.lock
• go.sum is excluded by !**/*.sum

📒 Files selected for processing (11)

• .github/workflows/deploy.yaml
• .github/workflows/preview.yaml
• Pulumi.network-services.yaml
• README.md
• dev-test-auth/cloud-init.yaml
• dev-test-auth/docker-compose.yaml
• dev-test-iroh-relay/cloud-init.yaml
• dev-test-iroh-relay/docker-compose.yaml
• go.mod
• hc-auth-iroh-unyt/cloud-init.yaml.tmpl
• main.go

💤 Files with no reviewable changes (4)

• dev-test-iroh-relay/cloud-init.yaml
• dev-test-iroh-relay/docker-compose.yaml
• dev-test-auth/docker-compose.yaml
• dev-test-auth/cloud-init.yaml

🚧 Files skipped from review as they are similar to previous changes (2)

• README.md
• hc-auth-iroh-unyt/cloud-init.yaml.tmpl

[cocogitto-bot]

✔️ 1cdc0e2...74f313f - Conventional commits check succeeded.