Post-repair hardware validation pipeline for Proxmox cluster hosts. Go orchestrator + in-image agent + mkosi live image + bundled dnsmasq PXE + SQLite + HTMX/SSE UI + notify registry + janitor + full docs.
This commit is contained in:
@@ -0,0 +1,136 @@
|
||||
#!/usr/bin/env bash
|
||||
# install.sh — one-shot installer for the vetting orchestrator on a
|
||||
# Proxmox LXC (or any Debian/Ubuntu host).
|
||||
#
|
||||
# What it does:
|
||||
# 1. apt-installs runtime dependencies (dnsmasq, iperf3, ca-certs).
|
||||
# 2. Creates the `vetting` system user with /var/lib/vetting homedir.
|
||||
# 3. Copies the pre-built `vetting` binary into /usr/local/bin.
|
||||
# 4. Drops the systemd unit and example config into /etc/vetting.
|
||||
# 5. Reminds the operator to edit the config and set a bcrypt
|
||||
# password before enabling the service — we don't auto-start
|
||||
# because a placeholder password would just refuse to boot.
|
||||
#
|
||||
# What it deliberately does NOT do:
|
||||
# - Build the orchestrator (this script assumes you ran
|
||||
# `make orchestrator-linux` beforehand and that bin/vetting-linux-amd64
|
||||
# exists alongside this script, or pass --binary to locate it).
|
||||
# - Install the live image or TFTP payloads — those are separate,
|
||||
# since most operators want to build them from a pinned CI artifact
|
||||
# rather than on the LXC itself.
|
||||
#
|
||||
# Usage:
|
||||
# sudo ./install.sh [--binary PATH] [--config-dir /etc/vetting]
|
||||
#
|
||||
set -euo pipefail
|
||||
|
||||
BINARY=""
|
||||
CONFIG_DIR="/etc/vetting"
|
||||
STATE_DIR="/var/lib/vetting"
|
||||
LOG_DIR="/var/log/vetting"
|
||||
SERVICE_USER="vetting"
|
||||
|
||||
usage() {
|
||||
cat <<EOF
|
||||
Usage: $0 [--binary PATH] [--config-dir DIR]
|
||||
|
||||
--binary PATH Path to a pre-built vetting binary (default:
|
||||
auto-detect ../bin/vetting-linux-amd64 relative to
|
||||
this script).
|
||||
--config-dir DIR Where to install vetting.yaml + systemd unit drop
|
||||
(default: /etc/vetting).
|
||||
-h, --help Print this message.
|
||||
EOF
|
||||
}
|
||||
|
||||
while [[ $# -gt 0 ]]; do
|
||||
case "$1" in
|
||||
--binary) BINARY="$2"; shift 2 ;;
|
||||
--config-dir) CONFIG_DIR="$2"; shift 2 ;;
|
||||
-h|--help) usage; exit 0 ;;
|
||||
*) echo "unknown arg: $1" >&2; usage; exit 2 ;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [[ $EUID -ne 0 ]]; then
|
||||
echo "install.sh must be run as root (try: sudo $0)" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
||||
REPO_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
|
||||
|
||||
if [[ -z "${BINARY}" ]]; then
|
||||
for cand in \
|
||||
"${REPO_ROOT}/bin/vetting-linux-amd64" \
|
||||
"${REPO_ROOT}/bin/vetting" \
|
||||
"${SCRIPT_DIR}/vetting"; do
|
||||
if [[ -x "${cand}" ]]; then BINARY="${cand}"; break; fi
|
||||
done
|
||||
fi
|
||||
if [[ -z "${BINARY}" || ! -x "${BINARY}" ]]; then
|
||||
echo "could not find a vetting binary to install; pass --binary PATH or run 'make orchestrator-linux' first" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "==> installing runtime dependencies"
|
||||
export DEBIAN_FRONTEND=noninteractive
|
||||
apt-get update -qq
|
||||
apt-get install -y --no-install-recommends \
|
||||
ca-certificates dnsmasq iperf3
|
||||
|
||||
echo "==> creating ${SERVICE_USER} user"
|
||||
if ! id -u "${SERVICE_USER}" >/dev/null 2>&1; then
|
||||
useradd --system \
|
||||
--home-dir "${STATE_DIR}" \
|
||||
--shell /usr/sbin/nologin \
|
||||
"${SERVICE_USER}"
|
||||
fi
|
||||
|
||||
echo "==> preparing directories"
|
||||
install -d -m 0755 -o "${SERVICE_USER}" -g "${SERVICE_USER}" "${STATE_DIR}"
|
||||
install -d -m 0755 -o "${SERVICE_USER}" -g "${SERVICE_USER}" "${LOG_DIR}"
|
||||
install -d -m 0755 "${CONFIG_DIR}"
|
||||
|
||||
echo "==> installing binary"
|
||||
install -m 0755 "${BINARY}" /usr/local/bin/vetting
|
||||
|
||||
echo "==> installing config and systemd unit"
|
||||
if [[ ! -f "${CONFIG_DIR}/vetting.yaml" ]]; then
|
||||
install -m 0640 -o root -g "${SERVICE_USER}" \
|
||||
"${SCRIPT_DIR}/vetting.example.yaml" \
|
||||
"${CONFIG_DIR}/vetting.yaml"
|
||||
echo " -> installed default config at ${CONFIG_DIR}/vetting.yaml"
|
||||
else
|
||||
echo " -> preserving existing ${CONFIG_DIR}/vetting.yaml"
|
||||
fi
|
||||
install -m 0644 "${SCRIPT_DIR}/vetting.service" /etc/systemd/system/vetting.service
|
||||
|
||||
# Disable the distro's dnsmasq so only the orchestrator-supervised
|
||||
# instance owns DHCP/TFTP. Operators who want to keep dnsmasq for
|
||||
# something else can re-enable it after configuring a disjoint listen
|
||||
# address.
|
||||
if systemctl is-enabled --quiet dnsmasq 2>/dev/null; then
|
||||
echo "==> disabling distro dnsmasq (orchestrator supervises its own)"
|
||||
systemctl disable --now dnsmasq
|
||||
fi
|
||||
|
||||
systemctl daemon-reload
|
||||
|
||||
cat <<EOF
|
||||
|
||||
vetting is installed but not yet enabled.
|
||||
|
||||
Next steps:
|
||||
1. Edit ${CONFIG_DIR}/vetting.yaml and set:
|
||||
- auth.admin_password_bcrypt (run: vetting gen-admin-password YOURPW)
|
||||
- auth.session_secret_hex (run: openssl rand -hex 32)
|
||||
- server.public_url (the URL you'll browse to)
|
||||
- pxe.* if you want PXE boot support
|
||||
- notifiers + routes (optional)
|
||||
2. Start the service:
|
||||
systemctl enable --now vetting
|
||||
3. Watch the logs:
|
||||
journalctl -fu vetting
|
||||
|
||||
EOF
|
||||
Reference in New Issue
Block a user