deploy/README: mark as historical reference, point at ckn-bw
ovh.left4me is now provisioned by the ckn-bw bundle bundles/left4me/ (attached via groups/applications/left4me.py); run `bw apply ovh.left4me` from there.

Keep this directory verbatim as deployment-knowledge reference: what was configured, what each unit/helper does, why the privileged boundaries are drawn the way they are. Add a top-of-README correspondence table marking which files migrated 1:1 vs. which are obsolete in the new architecture (CAKE moved to systemd-networkd; nft marking moved into the central nftables bundle; systemd units are emitted by a metadata reactor; CPU isolation drop-ins are no longer managed declaratively).

The deploy-test-server.sh stays here too — useful as a concrete walk-through of the install steps the bundle now performs declaratively. Just don't run it against an ovh.left4me node managed by ckn-bw; the two would fight over file ownership, sudoers, and unit definitions.
parent a987304358
commit 0811d22c44
1 changed file with 47 additions and 1 deletion
@ -1,4 +1,50 @@
# left4me Deployment
# left4me Deployment — Historical Reference
> **Status: superseded.** Production provisioning of left4me on `ovh.left4me`
> is now driven by [ckn-bw](https://git.sublimity.de/cronekorkn/ckn-bw)
> (`bundles/left4me/`, attached via `groups/applications/left4me.py`). Run
> `bw apply ovh.left4me` from the ckn-bw repo to deploy.
>
> The contents of this directory are kept as deployment-knowledge reference:
> what was configured, what each unit/helper does, why the privileged
> boundaries are drawn the way they are. Some files are now obsolete in the
> ckn-bw architecture (CAKE moved to systemd-networkd via
> `network/<iface>/cake` metadata; nft marking moved into the central
> `nftables/output` set; the systemd units are emitted by the bundle's
> `systemd/units` reactor instead of being shipped as static files). The
> obsolete bits are kept here intact so the original choices and tradeoffs
> remain greppable.
>
> **Don't run `deploy-test-server.sh` against an ovh.left4me node managed by
> ckn-bw** — the two would fight over file ownership, sudoers, and unit
> definitions. The script remains useful as concrete documentation of the
> install steps the bundle now performs declaratively.
## What lives here (and what corresponds to it in ckn-bw)
| Path here | Status under ckn-bw |
|---|---|
| `deploy-test-server.sh` | replaced by `bw apply` |
| `files/etc/sudoers.d/left4me` | shipped verbatim by `bundles/left4me/files/etc/sudoers.d/left4me` (validated with `visudo -cf` via `test_with`) |
| `files/etc/sysctl.d/99-left4me.conf` | shipped verbatim by the bundle |
| `files/etc/left4me/sandbox-resolv.conf` | shipped verbatim by the bundle |
| `files/usr/local/libexec/left4me/{left4me-systemctl,journalctl,overlay,script-sandbox}` | shipped verbatim by the bundle |
| `files/usr/local/lib/systemd/system/left4me-web.service` | emitted by `systemd_units` reactor in `bundles/left4me/metadata.py` (intentional change: `--bind 0.0.0.0:8000` → `127.0.0.1:8000` because nginx now terminates TLS) |
| `files/usr/local/lib/systemd/system/left4me-server@.service` | emitted by the same reactor |
| `files/usr/local/lib/systemd/system/{l4d2-game,l4d2-build}.slice` | emitted by the same reactor |
| `files/usr/local/lib/systemd/system/left4me-cake.service` | **obsolete** — CAKE applied via systemd-networkd (`network/<iface>/cake` metadata in `bundles/network/`) |
| `files/usr/local/libexec/left4me/left4me-apply-cake` | **obsolete** — same as above |
| `files/etc/left4me/cake.env` | **obsolete** — bandwidth lives in node metadata under `network/external/cake/Bandwidth` |
| `files/usr/local/lib/systemd/system/left4me-nft-mark.service` | **obsolete** — central `bundles/nftables/` consumes the rules from `bundles/left4me/`'s defaults |
| `files/usr/local/lib/left4me/nft/left4me-mark.nft` | **obsolete** — same as above |
| `templates/etc/left4me/host.env` | rendered as Mako by `bundles/left4me/files/etc/left4me/host.env.mako` |
| `templates/etc/left4me/web.env.template` | rendered as Mako by `bundles/left4me/files/etc/left4me/web.env.mako` (intentional change: `SESSION_COOKIE_SECURE=false` → `true`, plus `LEFT4ME_PORT_RANGE_*` are now wired through) |
| First-run admin bootstrap (`flask create-user … --admin` near the end of `deploy-test-server.sh`) | manual one-time step after `bw apply`; the bundle deliberately doesn't seed an admin to keep credentials out of the metadata pipeline |
| CPU isolation drop-ins (`/etc/systemd/system/{system,user,l4d2-game,l4d2-build}.slice.d/99-left4me-cpuset.conf`) | **not managed by the bundle** — generated dynamically based on `nproc --all` in the script; that logic doesn't fit static bundle metadata, apply manually post-deploy if needed |
---
## Original notes (still accurate as a description of the install steps)
This directory contains the production-like test deployment for a Linux server. It installs the repository into a fixed host layout, configures a dedicated runtime user, installs systemd units, and wires the web app to host operations through privileged helper commands.
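Review bot: the CPU isolation drop-ins row (`/etc/systemd/system/{system,user,l4d2-game,l4d2-build}.slice.d/99-left4me-cpuset.conf`) leaves the migration story incomplete. It says the files are not managed by the bundle and to "apply manually post-deploy if needed", but it does not say whether `bw apply` leaves drop-ins from an earlier `deploy-test-server.sh` install in place or removes them, nor does it point at the part of the script that derives the cpusets from `nproc --all` so an operator can reproduce the step. Since those drop-ins shape the `l4d2-game`/`l4d2-build` slices the bundle now emits, suggest stating the post-apply behaviour explicitly and naming the script section (or the manual command) in that cell. Smaller point: the `deploy-test-server.sh` row reads "replaced by `bw apply`" while the status block above says the script is kept as documentation of the install steps; wording the cell as "kept as reference; provisioning replaced by `bw apply`" removes the apparent contradiction.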