Provision systemd auth env file during install

deploy/README.md

@@ -38,6 +38,7 @@ This creates:
 - `/home/bestmidi/chgrid/server/.venv`
 - `/home/bestmidi/chgrid/server/config.toml` (if missing)
 - `/home/bestmidi/chgrid/server/.env` with `CHGRID_AUTH_SECRET` (if missing)
+- `/etc/sysconfig/chat-grid` with `CHGRID_AUTH_SECRET` for systemd (created/updated automatically)
 - On first run only, if no admin exists, it prompts to create one immediately.
 
 Edit `/home/bestmidi/chgrid/server/config.toml`:
@@ -86,6 +87,10 @@ cd /home/bestmidi/chgrid
 ./deploy/scripts/install_service.sh /home/bestmidi/chgrid
 ```
 
+Notes:
+- `install_service.sh` creates a systemd drop-in at `/etc/systemd/system/chat-grid.service.d/env.conf`
+  pointing `EnvironmentFile` to `/etc/sysconfig/chat-grid`.
+
 Logs:
 
 ```bash

deploy/scripts/install_server.sh

@@ -4,6 +4,7 @@ set -euo pipefail
 REPO_ROOT="${1:-/home/bestmidi/chgrid}"
 SERVER_DIR="$REPO_ROOT/server"
 PYTHON_SPEC="${PYTHON_SPEC:-3.13}"
+SYS_ENV_FILE="${CHGRID_SYSTEM_ENV_FILE:-/etc/sysconfig/chat-grid}"
 
 if ! command -v uv >/dev/null 2>&1; then
   echo "error: uv is required but not found in PATH" >&2
@@ -61,6 +62,21 @@ PY
   echo "created $SERVER_DIR/.env with CHGRID_AUTH_SECRET"
 fi
 
+# Ensure a systemd-friendly env file exists for service startup.
+if [[ -z "${CHGRID_AUTH_SECRET:-}" && -f .env ]]; then
+  set -a
+  # shellcheck disable=SC1091
+  source .env
+  set +a
+fi
+if [[ -n "${CHGRID_AUTH_SECRET:-}" ]]; then
+  sudo install -d -m 755 /etc/sysconfig
+  sudo sh -c "printf 'CHGRID_AUTH_SECRET=%s\n' \"\$1\" > \"\$2\"" _ "$CHGRID_AUTH_SECRET" "$SYS_ENV_FILE"
+  sudo chmod 600 "$SYS_ENV_FILE"
+  sudo chown root:root "$SYS_ENV_FILE"
+  echo "ensured system env file for service: $SYS_ENV_FILE"
+fi
+
 # Load generated/shared auth secret for bootstrap checks.
 if [[ -f .env ]]; then
   set -a

deploy/scripts/install_service.sh

@@ -5,6 +5,10 @@ REPO_ROOT="${1:-/home/bestmidi/chgrid}"
 UNIT_NAME="${2:-chat-grid.service}"
 SRC_UNIT="$REPO_ROOT/deploy/systemd/$UNIT_NAME"
 DST_UNIT="/etc/systemd/system/$UNIT_NAME"
+SERVER_ENV_FILE="$REPO_ROOT/server/.env"
+SYS_ENV_FILE="${CHGRID_SYSTEM_ENV_FILE:-/etc/sysconfig/chat-grid}"
+DROPIN_DIR="/etc/systemd/system/$UNIT_NAME.d"
+DROPIN_FILE="$DROPIN_DIR/env.conf"
 
 if [[ ! -f "$SRC_UNIT" ]]; then
   echo "error: unit file not found: $SRC_UNIT" >&2
@@ -12,6 +16,21 @@ if [[ ! -f "$SRC_UNIT" ]]; then
 fi
 
 sudo cp "$SRC_UNIT" "$DST_UNIT"
+if [[ -f "$SERVER_ENV_FILE" ]]; then
+  SECRET_LINE="$(grep -m1 '^CHGRID_AUTH_SECRET=' "$SERVER_ENV_FILE" || true)"
+  if [[ -n "$SECRET_LINE" ]]; then
+    sudo install -d -m 755 /etc/sysconfig
+    sudo sh -c "printf '%s\n' \"\$1\" > \"\$2\"" _ "$SECRET_LINE" "$SYS_ENV_FILE"
+    sudo chmod 600 "$SYS_ENV_FILE"
+    sudo chown root:root "$SYS_ENV_FILE"
+  fi
+fi
+sudo install -d -m 755 "$DROPIN_DIR"
+sudo tee "$DROPIN_FILE" >/dev/null <<EOF
+[Service]
+EnvironmentFile=
+EnvironmentFile=-$SYS_ENV_FILE
+EOF
 sudo install -d -m 0755 -o bestmidi -g bestmidi "$REPO_ROOT/server/runtime"
 sudo touch "$REPO_ROOT/server/runtime/server.log"
 sudo chown bestmidi:bestmidi "$REPO_ROOT/server/runtime/server.log"

deploy/systemd/chat-grid.service

@@ -8,6 +8,7 @@ User=bestmidi
 Group=bestmidi
 WorkingDirectory=/home/bestmidi/chgrid/server
 Environment=PATH=/home/bestmidi/chgrid/server/.venv/bin:/usr/bin:/bin
+EnvironmentFile=-/etc/sysconfig/chat-grid
 EnvironmentFile=-/home/bestmidi/chgrid/server/.env
 ExecStartPre=/usr/bin/mkdir -p /home/bestmidi/chgrid/server/runtime
 ExecStart=/home/bestmidi/chgrid/server/.venv/bin/python main.py --config /home/bestmidi/chgrid/server/config.toml