From 0811d22c44be50bc9b2e226a9b30cd1d06830ad5 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Sun, 10 May 2026 18:25:23 +0200
Subject: [PATCH] deploy/README: mark as historical reference, point at ckn-bw
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ovh.left4me is now provisioned by the ckn-bw bundle bundles/left4me/ (attached via groups/applications/left4me.py); run `bw apply ovh.left4me` from there.

Keep this directory verbatim as deployment-knowledge reference: what was configured, what each unit/helper does, why the privileged boundaries are drawn the way they are. Add a top-of-README correspondence table marking which files migrated 1:1 vs. which are obsolete in the new architecture (CAKE moved to systemd-networkd; nft marking moved into the central nftables bundle; systemd units are emitted by a metadata reactor; CPU isolation drop-ins are no longer managed declaratively).

The deploy-test-server.sh stays here too — useful as a concrete walk-through of the install steps the bundle now performs declaratively. Just don't run it against an ovh.left4me node managed by ckn-bw; the two would fight over file ownership, sudoers, and unit definitions.
---
 deploy/README.md | 48 +++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 47 insertions(+), 1 deletion(-)

diff --git a/deploy/README.md b/deploy/README.md
index 78b678e..9c371c1 100644
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -1,4 +1,50 @@ -# left4me Deployment +# left4me Deployment — Historical Reference + +> **Status: superseded.** Production provisioning of left4me on `ovh.left4me` +> is now driven by [ckn-bw](https://git.sublimity.de/cronekorkn/ckn-bw) +> (`bundles/left4me/`, attached via `groups/applications/left4me.py`). Run +> `bw apply ovh.left4me` from the ckn-bw repo to deploy. +> +> The contents of this directory are kept as deployment-knowledge reference: +> what was configured, what each unit/helper does, why the privileged +> boundaries are drawn the way they are. Some files are now obsolete in the +> ckn-bw architecture (CAKE moved to systemd-networkd via +> `network//cake` metadata; nft marking moved into the central +> `nftables/output` set; the systemd units are emitted by the bundle's +> `systemd/units` reactor instead of being shipped as static files). The +> obsolete bits are kept here intact so the original choices and tradeoffs +> remain greppable. +> +> **Don't run `deploy-test-server.sh` against an ovh.left4me node managed by +> ckn-bw** — the two would fight over file ownership, sudoers, and unit +> definitions. The script remains useful as concrete documentation of the +> install steps the bundle now performs declaratively. 
+ +## What lives here (and what corresponds to it in ckn-bw) + +| Path here | Status under ckn-bw | +|---|---| +| `deploy-test-server.sh` | replaced by `bw apply` | +| `files/etc/sudoers.d/left4me` | shipped verbatim by `bundles/left4me/files/etc/sudoers.d/left4me` (validated with `visudo -cf` via `test_with`) | +| `files/etc/sysctl.d/99-left4me.conf` | shipped verbatim by the bundle | +| `files/etc/left4me/sandbox-resolv.conf` | shipped verbatim by the bundle | +| `files/usr/local/libexec/left4me/{left4me-systemctl,journalctl,overlay,script-sandbox}` | shipped verbatim by the bundle | +| `files/usr/local/lib/systemd/system/left4me-web.service` | emitted by `systemd_units` reactor in `bundles/left4me/metadata.py` (intentional change: `--bind 0.0.0.0:8000` → `127.0.0.1:8000` because nginx now terminates TLS) | +| `files/usr/local/lib/systemd/system/left4me-server@.service` | emitted by the same reactor | +| `files/usr/local/lib/systemd/system/{l4d2-game,l4d2-build}.slice` | emitted by the same reactor | +| `files/usr/local/lib/systemd/system/left4me-cake.service` | **obsolete** — CAKE applied via systemd-networkd (`network//cake` metadata in `bundles/network/`) | +| `files/usr/local/libexec/left4me/left4me-apply-cake` | **obsolete** — same as above | +| `files/etc/left4me/cake.env` | **obsolete** — bandwidth lives in node metadata under `network/external/cake/Bandwidth` | +| `files/usr/local/lib/systemd/system/left4me-nft-mark.service` | **obsolete** — central `bundles/nftables/` consumes the rules from `bundles/left4me/`'s defaults | +| `files/usr/local/lib/left4me/nft/left4me-mark.nft` | **obsolete** — same as above | +| `templates/etc/left4me/host.env` | rendered as Mako by `bundles/left4me/files/etc/left4me/host.env.mako` | +| `templates/etc/left4me/web.env.template` | rendered as Mako by `bundles/left4me/files/etc/left4me/web.env.mako` (intentional change: `SESSION_COOKIE_SECURE=false` → `true`, plus `LEFT4ME_PORT_RANGE_*` are now wired through) | +| First-run 
admin bootstrap (`flask create-user … --admin` near the end of `deploy-test-server.sh`) | manual one-time step after `bw apply`; the bundle deliberately doesn't seed an admin to keep credentials out of the metadata pipeline | +| CPU isolation drop-ins (`/etc/systemd/system/{system,user,l4d2-game,l4d2-build}.slice.d/99-left4me-cpuset.conf`) | **not managed by the bundle** — generated dynamically based on `nproc --all` in the script; that logic doesn't fit static bundle metadata, apply manually post-deploy if needed | + +--- + +## Original notes (still accurate as a description of the install steps) This directory contains the production-like test deployment for a Linux server. It installs the repository into a fixed host layout, configures a dedicated runtime user, installs systemd units, and wires the web app to host operations through privileged helper commands.
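Review bot: the CPU-isolation row at the end of the table tells the reader to "apply manually post-deploy if needed", but the only place that logic exists on this page is `deploy-test-server.sh`, which the status block a few paragraphs earlier says must not be run against a ckn-bw-managed `ovh.left4me` node. Either spell out the manual step (which `/etc/systemd/system/{system,user,l4d2-game,l4d2-build}.slice.d/99-left4me-cpuset.conf` files to write and how the cpusets are derived from `nproc --all`) or state which part of the script is safe to run in isolation; as written, the warning and the instruction contradict each other. Two smaller points in the same hunk: `network//cake` appears twice with a doubled slash, and if that stands for an interface placeholder, as the later `network/external/cake/Bandwidth` row suggests, writing it as `network/<iface>/cake` would stop it reading as a typo. And since the directory keeps `left4me-web.service` with `--bind 0.0.0.0:8000` intact as history, the row that records the move to `127.0.0.1:8000` behind TLS-terminating nginx should also warn that the old unit, if anyone reuses it, exposes the web app over plain HTTP on every interface.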