diff --git a/deploy/README.md b/deploy/README.md index 7b83a77..b5c0c83 100644 --- a/deploy/README.md +++ b/deploy/README.md 
@@ -1,30 +1,32 @@ -# left4me Deployment — Historical Reference +# left4me Deployment -> **Status: superseded.** Production provisioning of left4me on `ovh.left4me` -> is now driven by [ckn-bw](https://git.sublimity.de/cronekorkn/ckn-bw) -> (`bundles/left4me/`, attached via `groups/applications/left4me.py`). Run -> `bw apply ovh.left4me` from the ckn-bw repo to deploy. +> Production provisioning of left4me on `ovh.left4me` is driven by +> [ckn-bw](https://git.sublimity.de/cronekorkn/ckn-bw) +> (`bundles/left4me/`, attached via `groups/applications/left4me.py`). +> Run `bw apply ovh.left4me` from the ckn-bw repo to deploy. > -> The contents of this directory are kept as deployment-knowledge reference: -> what was configured, what each unit/helper does, why the privileged -> boundaries are drawn the way they are. Some files are now obsolete in the -> ckn-bw architecture (CAKE moved to systemd-networkd via -> `network//cake` metadata; nft marking moved into the central -> `nftables/output` set; the systemd units are emitted by the bundle's -> `systemd/units` reactor instead of being shipped as static files). The -> obsolete bits are kept here intact so the original choices and tradeoffs -> remain greppable. +> **What's canonical in this directory** (`deploy/files/`, `deploy/templates/`, +> `deploy/tests/`): the actual file payload ckn-bw deploys. ckn-bw fetches +> the left4me repo via `git_deploy` to `/opt/left4me/src/` and `install`s +> the privileged scripts from `deploy/files/usr/local/{libexec,sbin}/` +> directly onto the target. Sudoers, sysctl, and env-template content +> ships from `deploy/files/etc/` and `deploy/templates/etc/`. **Edit +> these files here; ckn-bw picks them up on the next apply.** No +> duplicate copy of the file content lives in ckn-bw. > -> **Don't run `deploy-test-server.sh` against an ovh.left4me node managed by -> ckn-bw** — the two would fight over file ownership, sudoers, and unit -> definitions. 
The script remains useful as concrete documentation of the -> install steps the bundle now performs declaratively. +> **What's superseded**: the `deploy-test-server.sh` script — an older +> one-shot bash deploy that ckn-bw replaced. It's kept as a readable +> description of the install steps the bundle now performs declaratively. +> Don't run it against an ovh.left4me node managed by ckn-bw; the two +> would fight over file ownership. > -> **Verbatim-shipped files**: when a row in the table below says "shipped -> verbatim by the bundle," the only deploy step for changes to that file is -> to re-sync the matching path in `ckn-bw/bundles/left4me/files/…` and run -> `bw apply ovh.left4me`. No new group / user / unit work needed unless the -> change itself introduces one. +> **What's obsolete** (kept for greppability, not currently used): CAKE +> traffic shaping (now in systemd-networkd via `network//cake` +> metadata in ckn-bw), nft marking (now in the central `nftables/output` +> set), and the systemd unit files under `files/usr/local/lib/systemd/system/` +> (emitted by the bundle's `systemd_units` reactor instead of being shipped +> as static files). The obsolete bits stay here intact so the original +> choices and tradeoffs remain greppable. ## What lives here (and what corresponds to it in ckn-bw) 
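Review bot: the rewritten "What's superseded" warning narrows the conflict with ckn-bw to "file ownership" alone, whereas the removed text listed "file ownership, sudoers, and unit definitions"; keep the fuller list, since `deploy-test-server.sh` still writes `/etc/sudoers.d/left4me` and the unit files ckn-bw now emits from its reactor. Second, "Edit these files here; ckn-bw picks them up on the next apply" should say which branch or rev `git_deploy` checks out into `/opt/left4me/src/`, because an uncommitted or unpushed edit in a working copy will not reach the target on apply.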
@@ -34,7 +36,8 @@ | `files/etc/sudoers.d/left4me` | shipped verbatim by `bundles/left4me/files/etc/sudoers.d/left4me` (validated with `visudo -cf` via `test_with`) | | `files/etc/sysctl.d/99-left4me.conf` | shipped verbatim by the bundle | | `files/etc/left4me/sandbox-resolv.conf` | shipped verbatim by the bundle | -| `files/usr/local/libexec/left4me/{left4me-systemctl,journalctl,overlay,script-sandbox}` | shipped verbatim by the bundle | +| `files/usr/local/libexec/left4me/{left4me-systemctl,journalctl,overlay,script-sandbox}` | installed onto the target by the `install_left4me_scripts` action in `bundles/left4me/items.py`, reading directly from `/opt/left4me/src/deploy/files/usr/local/libexec/left4me/` after `git_deploy`. The bundle does **not** carry a duplicate copy. | +| `files/usr/local/sbin/left4me` | same install action; admin CLI wrapper (`sudo left4me `) | | `files/usr/local/lib/systemd/system/left4me-web.service` | emitted by `systemd_units` reactor in `bundles/left4me/metadata.py` (intentional change: `--bind 0.0.0.0:8000` → `127.0.0.1:8000` because nginx now terminates TLS) | | `files/usr/local/lib/systemd/system/left4me-server@.service` | emitted by the same reactor | | `files/usr/local/lib/systemd/system/{l4d2-game,l4d2-build}.slice` | emitted by the same reactor | diff --git a/deploy/deploy-test-server.sh b/deploy/deploy-test-server.sh index c26dbc5..ae2a8cf 100755 --- a/deploy/deploy-test-server.sh +++ b/deploy/deploy-test-server.sh 
@@ -182,7 +182,8 @@ $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-journal $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-overlay /usr/local/libexec/left4me/left4me-overlay $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-script-sandbox /usr/local/libexec/left4me/left4me-script-sandbox $sudo_cmd cp /opt/left4me/deploy/files/usr/local/libexec/left4me/left4me-apply-cake /usr/local/libexec/left4me/left4me-apply-cake -$sudo_cmd chmod 0755 /usr/local/libexec/left4me/left4me-systemctl /usr/local/libexec/left4me/left4me-journalctl /usr/local/libexec/left4me/left4me-overlay /usr/local/libexec/left4me/left4me-script-sandbox /usr/local/libexec/left4me/left4me-apply-cake +$sudo_cmd cp /opt/left4me/deploy/files/usr/local/sbin/left4me /usr/local/sbin/left4me +$sudo_cmd chmod 0755 /usr/local/libexec/left4me/left4me-systemctl /usr/local/libexec/left4me/left4me-journalctl /usr/local/libexec/left4me/left4me-overlay /usr/local/libexec/left4me/left4me-script-sandbox /usr/local/libexec/left4me/left4me-apply-cake /usr/local/sbin/left4me $sudo_cmd cp /opt/left4me/deploy/files/etc/sudoers.d/left4me /etc/sudoers.d/left4me $sudo_cmd chmod 0440 /etc/sudoers.d/left4me $sudo_cmd visudo -cf /etc/sudoers.d/left4me diff --git a/deploy/files/usr/local/sbin/left4me b/deploy/files/usr/local/sbin/left4me new file mode 100755 index 0000000..7a106d3 --- /dev/null +++ b/deploy/files/usr/local/sbin/left4me 
@@ -0,0 +1,17 @@ +#!/bin/sh +# Run l4d2web flask CLI commands as the left4me user with the deploy env loaded. +# Usage: left4me [args...] +# Examples: +# left4me create-user alice --admin +# left4me seed-script-overlays /opt/left4me/src/examples/script-overlays +# left4me routes +set -eu +exec sudo -u left4me sh -c ' + set -a + . /etc/left4me/host.env + . /etc/left4me/web.env + set +a + export JOB_WORKER_ENABLED=false + export PYTHONPATH=/opt/left4me/src + exec /opt/left4me/.venv/bin/flask --app l4d2web.app:create_app "$@" +' sh "$@"
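Review bot: in the `deploy/README.md` table hunk (`@@ -34,7 +36,8 @@`), the unchanged rows contradict the new intro: `files/etc/sudoers.d/left4me` is still described as "shipped verbatim by `bundles/left4me/files/etc/sudoers.d/left4me`" and the sysctl and `sandbox-resolv.conf` rows as "shipped verbatim by the bundle", while the intro now states that sudoers and sysctl content ships from `deploy/files/etc/` and that "No duplicate copy of the file content lives in ckn-bw". Either update those rows to the same install-from-`/opt/left4me/src/` mechanism as the libexec row, or drop the no-duplicate claim. Also, the new `files/usr/local/sbin/left4me` row reads "`sudo left4me `" with nothing after it, so the command placeholder appears to be missing, and `left4me-apply-cake`, which `deploy-test-server.sh` still installs, has no row at all; add one marked obsolete alongside the CAKE note.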
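Review bot: in the `deploy/deploy-test-server.sh` hunk (`@@ -182,7 +182,8 @@`), the script lays the checkout out at `/opt/left4me/` (it copies from `/opt/left4me/deploy/files/...`), but the wrapper it now installs hardcodes `PYTHONPATH=/opt/left4me/src` and `/opt/left4me/.venv/bin/flask`, which match the ckn-bw `git_deploy` layout rather than this script's; under this script a `sudo left4me ...` call would import from a path that may not exist. Either have the wrapper take these paths from `/etc/left4me/host.env` or state in the README that the wrapper only works on ckn-bw-managed hosts. Minor: `cp` followed by `chmod 0755` could be a single `install -m 0755 ...`, which is also what the README says ckn-bw does for these scripts.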
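Review bot: in the new `deploy/files/usr/local/sbin/left4me`, the outer `set -eu` only guards the `exec sudo ...` line; the inner `sh -c '...'` has no `set -e`, so a missing or unreadable `/etc/left4me/host.env` or `web.env` is silently skipped and flask starts with a half-loaded environment. Start the inner script with `set -eu` before `set -a`. Because both env files are sourced with `.`, any shell content in them executes as `left4me`; a comment stating that they must stay root-owned and not writable by the service user would make that boundary explicit. The `# Usage: left4me [args...]` line appears to have lost its command placeholder, and a short comment on why `JOB_WORKER_ENABLED=false` is forced after the env load (so a CLI invocation never starts a worker) would help the next reader.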