From de68f537acb39fb88923729ca222d2e9c9804338 Mon Sep 17 00:00:00 2001
From: admin <admin@gitea.pressmess.duckdns.org>
Date: Sun, 24 Aug 2025 18:11:58 -0400
Subject: [PATCH] Add non-deploy tooling: validate stacks, print plan, Makefile
 targets (bootstrap|validate|plan)

---
 Makefile                   | 12 ++++++++++
 stacks/scripts/plan.sh     | 36 ++++++++++++++++++++++++++++
 stacks/scripts/validate.sh | 49 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 Makefile
 create mode 100755 stacks/scripts/plan.sh
 create mode 100755 stacks/scripts/validate.sh

diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..768cf06
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,12 @@
+SHELL := /usr/bin/bash
+
+.PHONY: bootstrap validate plan
+
+bootstrap:
+	bash stacks/scripts/bootstrap.sh
+
+validate:
+	bash stacks/scripts/validate.sh
+
+plan:
+	bash stacks/scripts/plan.sh
diff --git a/stacks/scripts/plan.sh b/stacks/scripts/plan.sh
new file mode 100755
index 0000000..55383f7
--- /dev/null
+++ b/stacks/scripts/plan.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+printf "Planned deployment order (no actions performed):\n\n"
+cat <<ORDER
+1) Core
+   - stacks/core/traefik.yml
+   - stacks/databases/postgresql-primary.yml
+   - stacks/databases/mariadb-primary.yml
+   - stacks/databases/redis-cluster.yml
+
+2) Monitoring
+   - stacks/monitoring/netdata.yml
+
+3) Apps (wave 1)
+   - stacks/apps/homeassistant.yml
+   - stacks/apps/immich.yml
+   - stacks/apps/nextcloud.yml
+   - stacks/apps/paperless.yml
+   - stacks/apps/jellyfin.yml
+
+4) Apps (wave 2)
+   - stacks/apps/gitea.yml
+   - stacks/apps/appflowy.yml
+   - stacks/apps/vaultwarden.yml
+   - stacks/apps/adguard.yml
+
+5) Native/web
+   - stacks/web/caddy.yml
+   - stacks/ai/ollama.yml
+
+Safety:
+- Use blue/green: keep legacy running until switchover verified.
+- DB: prefer replication options documented in WORLD_CLASS_MIGRATION_TODO.md.
+- DNS: lower TTL 48h before each cutover.
+ORDER
diff --git a/stacks/scripts/validate.sh b/stacks/scripts/validate.sh
new file mode 100755
index 0000000..0b2daf4
--- /dev/null
+++ b/stacks/scripts/validate.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+red() { printf "\033[31m%s\033[0m\n" "$*"; }
+grn() { printf "\033[32m%s\033[0m\n" "$*"; }
+yel() { printf "\033[33m%s\033[0m\n" "$*"; }
+
+ROOT_DIR=$(cd "$(dirname "$0")/../.." && pwd)
+cd "$ROOT_DIR"
+
+fail=0
+
+# Validate YAML via docker stack config
+while IFS= read -r -d '' file; do
+  yel "Validating: $file"
+  if docker stack config -c "$file" >/dev/null 2>&1; then
+    grn "OK: $file"
+  else
+    red "ERROR: docker stack config failed for $file"
+    fail=1
+  fi
+
+  # Check external networks referenced exist
+  nets=$(awk '/networks:/,/^$/' "$file" | awk '/external: true/{print prev}{prev=$1}' | sed 's/://g' | sed 's/^[[:space:]]*//g' | sort -u || true)
+  for n in $nets; do
+    if docker network inspect "$n" >/dev/null 2>&1; then
+      grn "  network OK: $n"
+    else
+      yel "  network MISSING: $n"
+    fi
+  done
+
+  # Check external secrets referenced exist
+  secs=$(awk '/secrets:/,/^$/' "$file" | awk '/external: true/{print prev}{prev=$1}' | sed 's/://g' | sed 's/^[[:space:]]*//g' | sort -u || true)
+  for s in $secs; do
+    if docker secret inspect "$s" >/dev/null 2>&1; then
+      grn "  secret OK: $s"
+    else
+      yel "  secret MISSING: $s"
+    fi
+  done
+
+done < <(find stacks -type f -name "*.yml" -print0 | sort -z)
+
+# List NFS volumes for operator verification
+yel "NFS volumes referenced (verify exports exist on omv800.local):"
+grep -R "device: :/export/" -n stacks || true
+
+exit $fail