deploy: claim /usr/local/sbin/left4me admin CLI in deploy/files

ckn-bw was shipping the admin CLI wrapper (sudo left4me <flask subcommand>) verbatim from its own bundle copy. Move ownership of the file into left4me so ckn-bw's upcoming install-action approach can deploy it from deploy/files/usr/local/sbin/left4me on the deployed git checkout, eliminating the cross-repo duplication that masked the idmap helper update earlier. Also re-frame deploy/README.md: deploy/files/, deploy/templates/, and deploy/tests/ are now genuinely canonical (read by ckn-bw via git_deploy). Only deploy-test-server.sh remains a superseded artifact. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-15 00:41:06 +02:00 · 2026-05-15 00:41:06 +02:00 · f5e36eef79
commit f5e36eef79
parent f231ebcb0d
3 changed files with 46 additions and 25 deletions
--- a/deploy/README.md
+++ b/deploy/README.md
@ -1,30 +1,32 @@
-# left4me Deployment — Historical Reference
+# left4me Deployment

-> **Status: superseded.** Production provisioning of left4me on `ovh.left4me`
-> is now driven by [ckn-bw](https://git.sublimity.de/cronekorkn/ckn-bw)
-> (`bundles/left4me/`, attached via `groups/applications/left4me.py`). Run
-> `bw apply ovh.left4me` from the ckn-bw repo to deploy.
+> Production provisioning of left4me on `ovh.left4me` is driven by
+> [ckn-bw](https://git.sublimity.de/cronekorkn/ckn-bw)
+> (`bundles/left4me/`, attached via `groups/applications/left4me.py`).
+> Run `bw apply ovh.left4me` from the ckn-bw repo to deploy.
 >
-> The contents of this directory are kept as deployment-knowledge reference:
-> what was configured, what each unit/helper does, why the privileged
-> boundaries are drawn the way they are. Some files are now obsolete in the
-> ckn-bw architecture (CAKE moved to systemd-networkd via
-> `network/<iface>/cake` metadata; nft marking moved into the central
-> `nftables/output` set; the systemd units are emitted by the bundle's
-> `systemd/units` reactor instead of being shipped as static files). The
-> obsolete bits are kept here intact so the original choices and tradeoffs
-> remain greppable.
+> **What's canonical in this directory** (`deploy/files/`, `deploy/templates/`,
+> `deploy/tests/`): the actual file payload ckn-bw deploys. ckn-bw fetches
+> the left4me repo via `git_deploy` to `/opt/left4me/src/` and `install`s
+> the privileged scripts from `deploy/files/usr/local/{libexec,sbin}/`
+> directly onto the target. Sudoers, sysctl, and env-template content
+> ships from `deploy/files/etc/` and `deploy/templates/etc/`. **Edit
+> these files here; ckn-bw picks them up on the next apply.** No
+> duplicate copy of the file content lives in ckn-bw.
 >
-> **Don't run `deploy-test-server.sh` against an ovh.left4me node managed by
-> ckn-bw** — the two would fight over file ownership, sudoers, and unit
-> definitions. The script remains useful as concrete documentation of the
-> install steps the bundle now performs declaratively.
+> **What's superseded**: the `deploy-test-server.sh` script — an older
+> one-shot bash deploy that ckn-bw replaced. It's kept as a readable
+> description of the install steps the bundle now performs declaratively.
+> Don't run it against an ovh.left4me node managed by ckn-bw; the two
+> would fight over file ownership.
 >
-> **Verbatim-shipped files**: when a row in the table below says "shipped
-> verbatim by the bundle," the only deploy step for changes to that file is
-> to re-sync the matching path in `ckn-bw/bundles/left4me/files/…` and run
-> `bw apply ovh.left4me`. No new group / user / unit work needed unless the
-> change itself introduces one.
+> **What's obsolete** (kept for greppability, not currently used): CAKE
+> traffic shaping (now in systemd-networkd via `network/<iface>/cake`
+> metadata in ckn-bw), nft marking (now in the central `nftables/output`
+> set), and the systemd unit files under `files/usr/local/lib/systemd/system/`
+> (emitted by the bundle's `systemd_units` reactor instead of being shipped
+> as static files). The obsolete bits stay here intact so the original
+> choices and tradeoffs remain greppable.

 ## What lives here (and what corresponds to it in ckn-bw)

@ -34,7 +36,8 @@
 | `files/etc/sudoers.d/left4me` | shipped verbatim by `bundles/left4me/files/etc/sudoers.d/left4me` (validated with `visudo -cf` via `test_with`) |
 | `files/etc/sysctl.d/99-left4me.conf` | shipped verbatim by the bundle |
 | `files/etc/left4me/sandbox-resolv.conf` | shipped verbatim by the bundle |
-| `files/usr/local/libexec/left4me/{left4me-systemctl,journalctl,overlay,script-sandbox}` | shipped verbatim by the bundle |
+| `files/usr/local/libexec/left4me/{left4me-systemctl,journalctl,overlay,script-sandbox}` | installed onto the target by the `install_left4me_scripts` action in `bundles/left4me/items.py`, reading directly from `/opt/left4me/src/deploy/files/usr/local/libexec/left4me/` after `git_deploy`. The bundle does **not** carry a duplicate copy. |
+| `files/usr/local/sbin/left4me` | same install action; admin CLI wrapper (`sudo left4me <flask-subcommand>`) |
 | `files/usr/local/lib/systemd/system/left4me-web.service` | emitted by `systemd_units` reactor in `bundles/left4me/metadata.py` (intentional change: `--bind 0.0.0.0:8000` → `127.0.0.1:8000` because nginx now terminates TLS) |
 | `files/usr/local/lib/systemd/system/left4me-server@.service` | emitted by the same reactor |
 | `files/usr/local/lib/systemd/system/{l4d2-game,l4d2-build}.slice` | emitted by the same reactor |
--- a/deploy/deploy-test-server.sh
+++ b/deploy/deploy-test-server.sh
@ -182,7 +182,8 @@ $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-journal
 $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-overlay /usr/local/libexec/left4me/left4me-overlay
 $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox /usr/local/libexec/left4me/left4me-script-sandbox
 $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-apply-cake /usr/local/libexec/left4me/left4me-apply-cake
-$sudo_cmd chmod 0755 /usr/local/libexec/left4me/left4me-systemctl /usr/local/libexec/left4me/left4me-journalctl /usr/local/libexec/left4me/left4me-overlay /usr/local/libexec/left4me/left4me-script-sandbox /usr/local/libexec/left4me/left4me-apply-cake
+$sudo_cmd cp /opt/left4me/deploy/files/usr/local/sbin/left4me /usr/local/sbin/left4me
+$sudo_cmd chmod 0755 /usr/local/libexec/left4me/left4me-systemctl /usr/local/libexec/left4me/left4me-journalctl /usr/local/libexec/left4me/left4me-overlay /usr/local/libexec/left4me/left4me-script-sandbox /usr/local/libexec/left4me/left4me-apply-cake /usr/local/sbin/left4me
 $sudo_cmd cp /opt/left4me/deploy/files/etc/sudoers.d/left4me /etc/sudoers.d/left4me
 $sudo_cmd chmod 0440 /etc/sudoers.d/left4me
 $sudo_cmd visudo -cf /etc/sudoers.d/left4me
--- a/deploy/files/usr/local/sbin/left4me
+++ b/deploy/files/usr/local/sbin/left4me
@ -0,0 +1,17 @@
+#!/bin/sh
+# Run l4d2web flask CLI commands as the left4me user with the deploy env loaded.
+# Usage: left4me <flask-subcommand> [args...]
+# Examples:
+#   left4me create-user alice --admin
+#   left4me seed-script-overlays /opt/left4me/src/examples/script-overlays
+#   left4me routes
+set -eu
+exec sudo -u left4me sh -c '
+    set -a
+    . /etc/left4me/host.env
+    . /etc/left4me/web.env
+    set +a
+    export JOB_WORKER_ENABLED=false
+    export PYTHONPATH=/opt/left4me/src
+    exec /opt/left4me/.venv/bin/flask --app l4d2web.app:create_app "$@"
+' sh "$@"