Turso locks the datastore exclusively, so a separate `buh-cli sweep` (and the
shipped systemd sweep timer) cannot open the DB while the daemon holds it — they
fail with a file-locking error. Move the sweep into the daemon as a periodic
in-process task (`[relay].sweep_interval_seconds`, default 3600s), running in
both plain and PQ-mTLS modes.
Remove asset/systemd/buh-node-sweep.{service,timer} and update deploy.sh,
manifest.yml, the config template, and the readme accordingly. The readme also
notes the broader constraint: CLI trust/admin commands cannot run against a live
daemon's datastore — a daemon-side admin path is the next step.
cargo check/fmt/clippy(--all-features) clean; in-daemon sweep verified live.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01EB3LjarCdXxqrJ4tFLn8LB
2.6 KiB
2.6 KiB
buh deployment assets
Ops files for running a buh node on a real host. Not CI-tested — kept minimal and honest. A buh node runs on an untrusted, third-party machine, so these assets assume no central control plane, no shared database, and no central PKI:
manifest.yml— per-node deployment descriptor (relay + optional blob role, PQ-mTLS settings) for theprodanddevenvironments. It is a descriptor, not a fleet topology.config/config.toml.tmpl— the renderedbuh-api/buh-cliconfig. No secrets: the datastore is an embedded Turso file and the node generates its own CA.systemd/buh-node.service— hardened unit (generic.md§8). No*.pathcert-reload unit: the node is its own CA and rotates its TLS leaf in process — that is the decentralised-CA deviation. Nothing external watches or reloads a certificate. The TTL sweep also runs in process ([relay].sweep_interval_seconds), because Turso locks the datastore exclusively — a separatebuh-cli sweepcannot open the DB while the daemon holds it.systemd/buh.sysusers.conf— the unprivilegedbuhservice account.firewalld/buh-node.xml— opensBUH_NODE_PORT(8443), the single PQ-mTLS ingress port. The plain loopback health port is never exposed.deploy.sh— installs the above on the local host, renders the config, has the node generate its CA, and prints the CA fingerprint to share with peers.
Quick start (on the target node, as root)
# build + install the binaries first
cargo build --release --features s3 # drop --features s3 for an fs-only blob node
install -m0755 target/release/buh-api target/release/buh-cli /usr/local/bin/
# then deploy (override any value via the environment — see deploy.sh DEFAULTS)
sudo PKI_SANS='["node1.example.com"]' ./asset/deploy.sh
Trust between nodes
Each node pins peers by CA fingerprint — there is no shared root.
Note (PoC limitation): Turso locks the datastore exclusively, so these CLI commands cannot run while this host's
buh-apidaemon is up. Stop the service to change trust (systemctl stop buh-node→ edit trust →systemctl start buh-node), or run them from an operator workstation against a copy. A daemon-side admin path that removes this constraint is the next planned step.
buh-cli ca show # print my fingerprint to hand to a peer
buh-cli peer trust <their-ca-fp> # accept that peer over PQ-mTLS
buh-cli peer distrust <their-ca-fp> # refuse them on the next handshake
buh-cli peer list # who I currently trust