From 64acb970739163e32f222a33730282c3eb644bef Mon Sep 17 00:00:00 2001
From: josh
Date: Fri, 17 Apr 2026 21:39:47 -0400
Subject: [PATCH] Add one-liner Proxmox LXC installer

deploy/proxmox-install.sh bootstraps a fresh LXC end-to-end: apt prereqs, Go toolchain (if missing), git clone, build, then hands off to deploy/install.sh. README documents the curl|bash invocation.
---
 README.md | 20 +++++++++-
 deploy/proxmox-install.sh | 84 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 deploy/proxmox-install.sh

diff --git a/README.md b/README.md
index 5c93db0..3b0d2b0 100644
--- a/README.md
+++ b/README.md
@@ -41,11 +41,29 @@ PXE boot), see [docs/operations.md § First vetting run](docs/operations.md#firs
 ## Production install (Proxmox LXC)
+On a fresh Debian/Ubuntu LXC, as root:
+
+```bash
+curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy/proxmox-install.sh | bash
+```
+
+That installs Go (if missing), clones the repo to `/opt/vetting-src`,
+builds `vetting-linux-amd64`, and hands off to `deploy/install.sh` —
+which lays down the binary, systemd unit, example config, and
+`vetting` service user. Then:
+
+```bash
+# Edit /etc/vetting/vetting.yaml (bcrypt password, session secret, public URL)
+sudo systemctl enable --now vetting
+journalctl -fu vetting
+```
+
+Prefer to build yourself? The manual path:
+
 ```bash
 make orchestrator-linux
 scp -r bin deploy lxc:/opt/vetting/
 ssh lxc "cd /opt/vetting && sudo ./deploy/install.sh"
-# Edit /etc/vetting/vetting.yaml, then:
 ssh lxc "sudo systemctl enable --now vetting"
 ```
diff --git a/deploy/proxmox-install.sh b/deploy/proxmox-install.sh
new file mode 100644
index 0000000..bfcf3a1
--- /dev/null
+++ b/deploy/proxmox-install.sh
@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+# proxmox-install.sh — one-shot fetch + build + install for a fresh
+# Proxmox LXC (or any Debian/Ubuntu host). Designed to be piped
+# straight from the repo:
+#
+# curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy/proxmox-install.sh | sudo bash
+#
+# What it does:
+# 1. apt-installs build prereqs (git, curl, build-essential).
+# 2. Drops Go into /usr/local/go if a recent enough toolchain isn't
+# already present.
+# 3. Clones the repo to /opt/vetting-src (or pulls latest if already
+# there), then `make orchestrator-linux`.
+# 4. Hands off to deploy/install.sh to lay down the binary, the
+# systemd unit, the example config, and the vetting user.
+#
+# Override via env: GO_VERSION, TEMPL_VERSION, SRC_DIR, BRANCH, REPO_URL.
+set -euo pipefail
+
+GO_VERSION="${GO_VERSION:-1.23.4}"
+TEMPL_VERSION="${TEMPL_VERSION:-v0.3.1001}"
+SRC_DIR="${SRC_DIR:-/opt/vetting-src}"
+BRANCH="${BRANCH:-main}"
+REPO_URL="${REPO_URL:-https://gitea.thewrightserver.net/josh/Vetting.git}"
+
+if [[ $EUID -ne 0 ]]; then
+ echo "proxmox-install.sh must be run as root (try: sudo bash)" >&2
+ exit 1
+fi
+
+echo "==> installing build prerequisites"
+export DEBIAN_FRONTEND=noninteractive
+apt-get update -qq
+apt-get install -y --no-install-recommends \
+ git curl ca-certificates build-essential
+
+need_go=1
+if command -v go >/dev/null 2>&1; then
+ have="$(go env GOVERSION 2>/dev/null || true)"
+ # Accept any go1.23+ toolchain already on the host.
+ if [[ "${have}" =~ ^go1\.(2[3-9]|[3-9][0-9]) ]]; then
+ echo "==> using existing ${have}"
+ need_go=0
+ fi
+fi
+if [[ ${need_go} -eq 1 ]]; then
+ echo "==> installing Go ${GO_VERSION} into /usr/local/go"
+ tmp="$(mktemp -d)"
+ curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -o "${tmp}/go.tgz"
+ rm -rf /usr/local/go
+ tar -C /usr/local -xzf "${tmp}/go.tgz"
+ rm -rf "${tmp}"
+ ln -sf /usr/local/go/bin/go /usr/local/bin/go
+fi
+
+echo "==> fetching source into ${SRC_DIR}"
+if [[ -d "${SRC_DIR}/.git" ]]; then
+ git -C "${SRC_DIR}" fetch --depth=1 origin "${BRANCH}"
+ git -C "${SRC_DIR}" checkout -B "${BRANCH}" "origin/${BRANCH}"
+else
+ install -d -m 0755 "$(dirname "${SRC_DIR}")"
+ git clone --depth=1 --branch "${BRANCH}" "${REPO_URL}" "${SRC_DIR}"
+fi
+
+echo "==> installing templ ${TEMPL_VERSION}"
+GOBIN=/usr/local/bin go install "github.com/a-h/templ/cmd/templ@${TEMPL_VERSION}"
+
+echo "==> building orchestrator (make orchestrator-linux)"
+cd "${SRC_DIR}"
+make orchestrator-linux
+
+echo "==> running deploy/install.sh"
+bash deploy/install.sh --binary "bin/vetting-linux-amd64"
+
+cat <