From a26bb9f04b7d318550050d49ebbb02c209774f40 Mon Sep 17 00:00:00 2001
From: rob thijssen <grenade@rob.tn>
Date: Tue, 2 Jun 2026 16:48:56 +0300
Subject: [PATCH] feat(deploy): capture service startup journal after each
 restart

After both `Start cortex.service` and `Start neuron.service`, sleep 10s
and run `journalctl --unit <unit> -I --no-pager` to record the latest
invocation's log in the workflow output. Step is guarded by
`if: always()` so a failed start still leaves a usable trace.

infra-setup.sh now adds gitea_ci to the systemd-journal group during
user provisioning, so `journalctl` works without a sudoers entry.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 .gitea/workflows/deploy.yml | 20 ++++++++++++++++++++
 script/infra-setup.sh       |  5 +++++
 2 files changed, 25 insertions(+)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 33062e9..8ee7255 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -70,6 +70,16 @@ jobs:
             sudo /usr/bin/systemctl daemon-reload
             sudo /usr/bin/systemctl start cortex.service'
 
+      # Wait for the service to either come up or wedge, then capture
+      # the latest-invocation journal. Runs even on prior failure so a
+      # failed start step still leaves a usable record in the deploy log.
+      - name: Capture cortex.service startup journal
+        if: always()
+        run: |
+          sleep 10
+          ssh gitea_ci@hanzalova.internal \
+              'journalctl --unit cortex.service -I --no-pager'
+
   deploy-neurons:
     needs: [deploy-cortex]
     runs-on: fedora-43
@@ -124,3 +134,13 @@ jobs:
           ssh gitea_ci@${{ matrix.host }} '
             sudo /usr/bin/systemctl daemon-reload
             sudo /usr/bin/systemctl start neuron.service'
+
+      # Wait for the service to either come up or wedge, then capture
+      # the latest-invocation journal. Runs even on prior failure so a
+      # failed start step still leaves a usable record in the deploy log.
+      - name: Capture neuron.service startup journal
+        if: always()
+        run: |
+          sleep 10
+          ssh gitea_ci@${{ matrix.host }} \
+              'journalctl --unit neuron.service -I --no-pager'
diff --git a/script/infra-setup.sh b/script/infra-setup.sh
index a9afda1..0b8f20a 100755
--- a/script/infra-setup.sh
+++ b/script/infra-setup.sh
@@ -53,6 +53,11 @@ for host in "${cortex_host}" "${neuron_hosts[@]}"; do
         # own fresh lookup.
         sudo install -d -o gitea_ci -g gitea_ci -m 0700 \
             /var/lib/gitea_ci/.ssh
+        # Grant journal read access so the deploy workflow can capture
+        # `journalctl -u <unit> -I` after a service start without
+        # needing a sudoers entry. Idempotent — usermod -aG on an
+        # already-member is a no-op.
+        sudo usermod -aG systemd-journal gitea_ci
     '; then
         echo "  failed to provision gitea_ci — skipping ${host}"
         continue