fix: make sendmail target idempotent, guard mariadb secure install#17
Merged
teodesian merged 1 commit intoApr 26, 2026
Merged
Conversation
sendmail: missing touch $@ meant systemctl restart sendmail fired on every make invocation. Also defer restart via queue_postrun_task so it runs after all recipes complete, consistent with other service starts. mariadb: secure_installation.sql (which contains the root password) was run on every deploy. Guard with .secured state file so the DB is only secured once; rm -f cleans up from both staging dir and /opt/mysql regardless of which path was taken. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
troglodyne
deleted the
koan.trogbot/fix-sendmail-idempotency-and-mariadb-secure
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Two independent idempotency gaps not covered by any of PRs #5–#16.
Why
sendmail target (
makefile.tt): had notouch $@, so Make never considered the target "done" —systemctl restart sendmailfired on everymakeinvocation (every redeploy, test run, or manual make call). On a shared system this causes needless service churn. Also, the restart was inline rather than deferred.mariadb secure installation (
mariadb.tt):secure_installation.sql(which contains the root password in plaintext) was rendered, copied to/opt/mysql, executed, and deleted on every deploy. While the SQL itself is idempotent, writing credentials to disk and re-running the secure-install block on every redeploy is unnecessary and slightly risky.How
makefile.tt: defersystemctl restart sendmailviaqueue_postrun_task(consistent with every other service restart in the codebase); addtouch $@so the target is stamped done after first successful run.mariadb.tt: guard the secure-install block with[ -f /opt/mysql/.secured ] ||; touch the marker on success; userm -fto clean up from both the staging dir and/opt/mysqlregardless of which path was taken.Testing
No automated test suite. Verified diff against all open PRs — no overlap on these specific changes. Patterns follow established guards from the codebase (queue_postrun_task, state file guards).
Note: this PR modifies
makefile.tt(also touched by PR #7) andmariadb.tt(also touched by PR #6) — different lines, minor conflict to resolve at merge time.