From a8fc3f22987eb584b7aa28779e5d04f11d68b20d Mon Sep 17 00:00:00 2001
From: CroneKorkN <i@ckn.li>
Date: Sun, 10 May 2026 18:05:38 +0200
Subject: [PATCH] left4me: fix bundle defects surfaced by real-node validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three issues caught once `bw test ovh.left4me` ran with the bundle
actually attached (vs. the earlier `bw test` with no node opting in,
which only checks parsing):

1. systemd_services + nftables_output reactors didn't read any metadata.
   bw rejects this with "did not request any metadata, you might want
   to use defaults instead". Both contributions are static, so they
   belong in `defaults` — moved.

2. git_deploy:/opt/left4me/src triggered action:left4me_create_venv,
   but create_venv lacked `triggered: True`. bw enforces that any
   action in a triggers list must be `triggered: True`. Removed
   create_venv from the trigger list — it's gated by `unless` for
   idempotency and doesn't need to refire on git updates anyway
   (the venv persists). pip_install stays in triggers so editable
   installs pick up new code.
---
 bundles/left4me/items.py    |  5 ++-
 bundles/left4me/metadata.py | 72 +++++++++++++++----------------------
 2 files changed, 32 insertions(+), 45 deletions(-)

diff --git a/bundles/left4me/items.py b/bundles/left4me/items.py
index 773fde8..c4d8595 100644
--- a/bundles/left4me/items.py
+++ b/bundles/left4me/items.py
@@ -126,7 +126,10 @@ git_deploy = {
         'repo': node.metadata.get('left4me/git_url'),
         'rev': node.metadata.get('left4me/git_branch'),
         'triggers': [
-            'action:left4me_create_venv',
+            # create_venv is gated by `unless` for idempotency and doesn't
+            # need to refire on git updates — once the venv exists, it
+            # persists. pip_install IS retriggered so editable installs
+            # pick up the new code.
             'action:left4me_pip_install',
         ],
     },
diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index f3bdef7..d589ced 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -19,6 +19,34 @@ defaults = {
             'python3-dev': {},
         },
     },
+    'nftables': {
+        # Match deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft.
+        # Mark srcds UDP egress (uid left4me) with DSCP EF + skb priority 6
+        # so CAKE classifies it into the priority tin.
+        'output': {
+            'meta skuid "left4me" meta l4proto udp ip dscp set ef meta priority set 0006:0000',
+            'meta skuid "left4me" meta l4proto udp ip6 dscp set ef meta priority set 0006:0000',
+        },
+    },
+    'systemd': {
+        'services': {
+            'left4me-web.service': {
+                'enabled': True,
+                'running': True,
+                'needs': [
+                    'action:left4me_alembic_upgrade',
+                    'file:/etc/left4me/host.env',
+                    'file:/etc/left4me/web.env',
+                ],
+            },
+            # Note: left4me-server@.service is a TEMPLATE — instances are
+            # started on-demand by the web app via the left4me-systemctl
+            # helper. Don't enable/start it from here.
+            # The slices are installed (file present) but don't need
+            # enable/start — they're activated implicitly when a unit
+            # uses Slice=.
+        },
+    },
 }
 
 
@@ -155,47 +183,3 @@ def systemd_units(metadata):
             },
         },
     }
-
-
-@metadata_reactor.provides(
-    'systemd/services',
-)
-def systemd_services(metadata):
-    return {
-        'systemd': {
-            'services': {
-                'left4me-web.service': {
-                    'enabled': True,
-                    'running': True,
-                    'needs': [
-                        'action:left4me_alembic_upgrade',
-                        'file:/etc/left4me/host.env',
-                        'file:/etc/left4me/web.env',
-                    ],
-                },
-                # Note: left4me-server@.service is a TEMPLATE — instances are
-                # started on-demand by the web app via the left4me-systemctl
-                # helper. Don't enable/start it from here.
-                # The slices are installed (file present) but don't need
-                # enable/start — they're activated implicitly when a unit
-                # uses Slice=.
-            },
-        },
-    }
-
-
-@metadata_reactor.provides(
-    'nftables/output',
-)
-def nftables_output(metadata):
-    # Match deploy/files/usr/local/lib/left4me/nft/left4me-mark.nft.
-    # Mark srcds UDP egress (uid left4me) with DSCP EF + skb priority 6
-    # so CAKE classifies it into the priority tin.
-    return {
-        'nftables': {
-            'output': {
-                'meta skuid "left4me" meta l4proto udp ip dscp set ef meta priority set 0006:0000',
-                'meta skuid "left4me" meta l4proto udp ip6 dscp set ef meta priority set 0006:0000',
-            },
-        },
-    }