From f188c7add40a1a407c2177d3cdd9b58f2a3ee8dc Mon Sep 17 00:00:00 2001
From: josh
Date: Sat, 18 Apr 2026 02:16:02 -0400
Subject: [PATCH] proxmox-install: fetch prebuilt bundle from Gitea package registry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Drops the per-install Go toolchain dance + source build. The installer now just curls the bundle from ${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/${VETTING_VERSION}/vetting-bundle.tar.gz, extracts it, and hands off to the bundled install.sh with explicit --binary / --agent-binary paths so the in-bundle layout is picked up. Default version is `latest` (rolling alias, overwritten by release.yml on each push to main). Pin via `VETTING_VERSION=sha-abc1234 curl ... | bash` when rolling back or testing a specific commit. Removes the `apt install build-essential git` + Go toolchain download + templ install + `make orchestrator-linux agent-linux` path — the CI workflow already produced all of that. Install time on a cold LXC drops from minutes to under a minute, and live-image kernel/initrd now arrive with every install instead of requiring a separate WSL build. Also rewrites docs/operations.md's install section around the one-liner, keeps the `make release` + scp path as the offline fallback, and swaps the upgrade section to just "rerun the one-liner."
Co-Authored-By: Claude Opus 4.7
---
 deploy/proxmox-install.sh | 122 +++++++++++++++++---------------------
 docs/operations.md | 75 ++++++++++++++---------
 2 files changed, 101 insertions(+), 96 deletions(-)
diff --git a/deploy/proxmox-install.sh b/deploy/proxmox-install.sh
index eb6ff74..8b09b71 100644
--- a/deploy/proxmox-install.sh
+++ b/deploy/proxmox-install.sh
@@ -1,93 +1,79 @@
 #!/usr/bin/env bash
-# proxmox-install.sh — one-shot fetch + build + install for a fresh
-# Proxmox LXC (or any Debian/Ubuntu host). Designed to be piped
-# straight from the repo:
+# proxmox-install.sh — one-shot installer for a fresh Proxmox LXC (or
+# any Debian/Ubuntu host). Fetches a prebuilt release bundle from the
+# Gitea package registry, extracts it, and hands off to install.sh.
 #
+# Usage:
 # curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy/proxmox-install.sh | sudo bash
 #
-# What it does:
-# 1. apt-installs build prereqs (git, curl, build-essential).
-# 2. Drops Go into /usr/local/go if a recent enough toolchain isn't
-# already present.
-# 3. Clones the repo to /opt/vetting-src (or pulls latest if already
-# there), then `make orchestrator-linux agent-linux`. The agent
-# binary isn't run on the LXC — it's only built so the LXC can
-# serve it at /assets/vetting-agent-linux-amd64 for target hosts
-# to fetch via the quick-register one-liner.
-# 4. Hands off to deploy/install.sh to lay down the orchestrator
-# binary, the agent binary (into /var/lib/vetting/assets for
-# serving), the systemd unit, the example config, and the
-# vetting user.
+# To pin a specific build instead of "latest":
+# VETTING_VERSION=sha-abc1234 curl -fsSL .../proxmox-install.sh | sudo bash
 #
-# Override via env: GO_VERSION, TEMPL_VERSION, SRC_DIR, BRANCH, REPO_URL.
+# Env overrides:
+# REGISTRY_URL base URL of the Gitea instance hosting the package
+# registry (default: https://gitea.thewrightserver.net)
+# PACKAGE_OWNER Gitea owner who owns the `vetting` package
+# (default: josh)
+# VETTING_VERSION package version — either "latest" (rolling) or
+# "sha-" (immutable). Default: "latest".
set -euo pipefail
-GO_VERSION="${GO_VERSION:-1.23.4}"
-TEMPL_VERSION="${TEMPL_VERSION:-v0.3.1001}"
-SRC_DIR="${SRC_DIR:-/opt/vetting-src}"
-BRANCH="${BRANCH:-main}"
-REPO_URL="${REPO_URL:-https://gitea.thewrightserver.net/josh/Vetting.git}"
+REGISTRY_URL="${REGISTRY_URL:-https://gitea.thewrightserver.net}"
+PACKAGE_OWNER="${PACKAGE_OWNER:-josh}"
+VETTING_VERSION="${VETTING_VERSION:-latest}"
+
+BUNDLE_URL="${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/${VETTING_VERSION}/vetting-bundle.tar.gz"
 if [[ $EUID -ne 0 ]]; then
 echo "proxmox-install.sh must be run as root (try: sudo bash)" >&2
 exit 1
 fi
-echo "==> installing build prerequisites"
+echo "==> installing prerequisites"
 export DEBIAN_FRONTEND=noninteractive
 apt-get update -qq
 apt-get install -y --no-install-recommends \
- git curl ca-certificates build-essential
+ curl ca-certificates
-need_go=1
-if command -v go >/dev/null 2>&1; then
- have="$(go env GOVERSION 2>/dev/null || true)"
- # Accept any go1.23+ toolchain already on the host.
- if [[ "${have}" =~ ^go1\.(2[3-9]|[3-9][0-9]) ]]; then
- echo "==> using existing ${have}"
- need_go=0
- fi
-fi
-if [[ ${need_go} -eq 1 ]]; then
- echo "==> installing Go ${GO_VERSION} into /usr/local/go"
- tmp="$(mktemp -d)"
- curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" -o "${tmp}/go.tgz"
- rm -rf /usr/local/go
- tar -C /usr/local -xzf "${tmp}/go.tgz"
- rm -rf "${tmp}"
- ln -sf /usr/local/go/bin/go /usr/local/bin/go
+tmp="$(mktemp -d)"
+trap 'rm -rf "${tmp}"' EXIT
+
+echo "==> fetching bundle (${VETTING_VERSION}) from ${BUNDLE_URL}"
+curl -fsSL "${BUNDLE_URL}" -o "${tmp}/vetting-bundle.tar.gz"
+
+echo "==> extracting"
+tar -C "${tmp}" -xzf "${tmp}/vetting-bundle.tar.gz"
+
+# Bundle extracts to vetting-bundle-/; glob-match the single
+# top-level directory.
+shopt -s nullglob
+candidates=( "${tmp}"/vetting-bundle-* )
+shopt -u nullglob
+if [[ ${#candidates[@]} -ne 1 || ! -d "${candidates[0]}" ]]; then
+ echo "unexpected bundle layout: expected exactly one vetting-bundle-*/ dir" >&2
+ exit 1
 fi
+bundle_dir="${candidates[0]}"
-echo "==> fetching source into ${SRC_DIR}"
-if [[ -d "${SRC_DIR}/.git" ]]; then
- git -C "${SRC_DIR}" fetch --depth=1 origin "${BRANCH}"
- # Discard any local mods — the previous build leaves regenerated
- # _templ.go files with build-dir-dependent strings in them, and
- # those block a plain checkout. /opt/vetting-src is managed entirely
- # by this script, so there's nothing here worth preserving.
- git -C "${SRC_DIR}" reset --hard "origin/${BRANCH}"
-else
- install -d -m 0755 "$(dirname "${SRC_DIR}")"
- git clone --depth=1 --branch "${BRANCH}" "${REPO_URL}" "${SRC_DIR}"
-fi
-
-echo "==> installing templ ${TEMPL_VERSION}"
-GOBIN=/usr/local/bin go install "github.com/a-h/templ/cmd/templ@${TEMPL_VERSION}"
-
-echo "==> building orchestrator + agent (make orchestrator-linux agent-linux)"
-cd "${SRC_DIR}"
-make orchestrator-linux agent-linux
-
-echo "==> running deploy/install.sh"
-bash deploy/install.sh --binary "bin/vetting-linux-amd64"
+echo "==> handing off to install.sh (bundle ${bundle_dir##*/})"
+cd "${bundle_dir}"
+bash install.sh \
+ --binary "${bundle_dir}/bin/vetting-linux-amd64" \
+ --agent-binary "${bundle_dir}/bin/vetting-agent.linux-amd64"
 cat </dev/null || echo unknown).
-To upgrade later, rerun this one-liner, or from the source dir:
- cd ${SRC_DIR} && git pull && make orchestrator-linux agent-linux \\
- && sudo ./deploy/install.sh --binary bin/vetting-linux-amd64 \\
- && sudo systemctl restart vetting
+To upgrade later, just rerun this one-liner; it always pulls "latest"
+unless VETTING_VERSION is set.
+
+To pin a specific build:
+ VETTING_VERSION=sha-abc1234 curl -fsSL \\
+ ${REGISTRY_URL}/${PACKAGE_OWNER}/Vetting/raw/branch/main/deploy/proxmox-install.sh \\
+ | sudo bash
+
+For PXE support, the bundle also ships deploy/pxe-setup.sh — see
+docs/operations.md for the flow.
 EOF
diff --git a/docs/operations.md b/docs/operations.md
index fa4e604..8dc6d2f 100644
--- a/docs/operations.md
+++ b/docs/operations.md
@@ -11,32 +11,50 @@ Target: a Debian/Ubuntu LXC on the Proxmox host that holds the cluster you're vetting for. The LXC must be on the same L2 segment as the repaired nodes so DHCP and WoL work. -### One-shot release bundle (recommended) +### One-liner install (recommended) -On your dev workstation (Linux, or WSL on Windows): +Every push to `main` kicks off a Gitea Actions run that builds a full +release bundle (orchestrator + agent + live image + install scripts + +pinned iPXE SHAs) and publishes it to the Gitea package registry. The +LXC installer fetches the prebuilt tarball — no source clone, no Go +toolchain, no `make`, no WSL. + +On the LXC: ``` -make release +curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy/proxmox-install.sh \ + | sudo bash ``` -Produces `bin/vetting-bundle-.tar.gz` containing the orchestrator -binary, agent binary, live image (`vmlinuz` + `initrd.img`), install -scripts, `vetting.service`, the production yaml, and the pinned iPXE -SHA256 file. - -Ship it to the LXC: +To pin a specific build instead of the rolling `latest`: ``` +VETTING_VERSION=sha-abc1234 curl -fsSL .../proxmox-install.sh | sudo bash +``` + +`proxmox-install.sh` curls the bundle from +`${REGISTRY_URL}/api/packages/${PACKAGE_OWNER}/generic/vetting/${VETTING_VERSION}/vetting-bundle.tar.gz`, +extracts it, and hands off to the bundled `install.sh` for the base +install (user, binaries, config, systemd unit). + +If you don't need PXE (e.g. host-mode reporter only, no automated +live-boots), you can stop here — edit `/etc/vetting/vetting.yaml` to +tune `server.bind` / `public_url`, then +`sudo systemctl enable --now vetting`. 
+ +### Offline / air-gapped install + +If the LXC can't reach the registry, build the tarball locally and +`scp` it across: + +``` +make release # on a Linux/WSL workstation scp bin/vetting-bundle-.tar.gz lxc:/tmp/ -ssh lxc 'cd /tmp && tar xzf vetting-bundle-*.tar.gz' -ssh lxc 'cd /tmp/vetting-bundle- && sudo ./install.sh' +ssh lxc 'cd /tmp && tar xzf vetting-bundle-*.tar.gz \ + && cd vetting-bundle-* && sudo ./install.sh' ``` -`install.sh` does the base install (user, binaries, config, systemd -unit). If you don't need PXE (e.g. host-mode reporter only, no -automated live-boots), you can stop here — edit -`/etc/vetting/vetting.yaml` to tune `server.bind` / `public_url`, -then `sudo systemctl enable --now vetting`. +Same bundle layout either way. ### PXE enablement @@ -90,9 +108,9 @@ silently when a host first PXE-boots. `pxe-setup.sh` is idempotent — safe to re-run. Pass `--force` to overwrite a hand-edited `pxe:` block. -### Manual install (no release tarball) +### Dev-loop install (from a source checkout) -For dev-loop iteration on the LXC itself: +For iterating on the orchestrator without waiting for a CI publish: 1. On your workstation: `make orchestrator-linux && make agent-linux` 2. Copy the repo tree (or just `bin/` + `deploy/`) onto the LXC 
@@ -197,14 +215,15 @@ auth is independent and keeps working either way. ## Upgrading -1. `make orchestrator-linux` on your workstation. -2. `scp bin/vetting-linux-amd64 lxc:/tmp/vetting.new` -3. On the LXC: - ``` - sudo systemctl stop vetting - sudo install -m 0755 /tmp/vetting.new /usr/local/bin/vetting - sudo systemctl start vetting - ``` +Rerun the registry-fetch one-liner on the LXC: -The DB migration runs at startup and is append-only — no manual schema -work unless a release's notes call it out. +``` +curl -fsSL https://gitea.thewrightserver.net/josh/Vetting/raw/branch/main/deploy/proxmox-install.sh \ + | sudo bash +sudo systemctl restart vetting +``` + +Pin to a specific build with `VETTING_VERSION=sha-abc1234` if you +need to roll back or test a commit. The DB migration runs at startup +and is append-only — no manual schema work unless a release's notes +call it out.