rob thijssen
60a1640327
Unit files now use the direct mTLS connection string (no password) and deploy script no longer extracts or injects a database password. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
255 lines
8.3 KiB
Bash
Executable File
255 lines
8.3 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
postgres_host=gramathea.kosherinata.internal
|
|
api_host=gramathea.kosherinata.internal
|
|
index_host=gramathea.kosherinata.internal
|
|
ui_host=gramathea.kosherinata.internal
|
|
caption_host=quadbrat.hanzalova.internal
|
|
|
|
deploy_db() {
|
|
if rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
asset/quadlet/postgres.container \
|
|
${postgres_host}:/etc/containers/systemd/rbv-postgres.container \
|
|
&& rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
--chmod 644 \
|
|
asset/quadlet/.env \
|
|
${postgres_host}:/tank/containers/rbv/.env \
|
|
&& ssh ${postgres_host} sudo systemctl daemon-reload \
|
|
&& ssh ${postgres_host} sudo systemctl restart rbv-postgres; then
|
|
echo "postgres quadlet deployed successfully"
|
|
else
|
|
echo "Failed to deploy postgres quadlet"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
deploy_index() {
|
|
cargo build --release
|
|
|
|
for unit in rbv-{index@vault,cluster}.service; do
|
|
state=$(ssh ${index_host} "systemctl is-active ${unit} 2>/dev/null")
|
|
if [[ ${state} == "active" || ${state} == "activating" ]]; then
|
|
if ssh ${index_host} sudo systemctl stop ${unit}; then
|
|
echo "${unit} stopped successfully"
|
|
else
|
|
echo "failed to stop ${unit}"
|
|
exit 1
|
|
fi
|
|
fi
|
|
done
|
|
if rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
--chmod '+x' \
|
|
target/release/rbv \
|
|
${index_host}:/usr/local/bin/rbv \
|
|
&& rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
asset/systemd/rbv-index@.service \
|
|
${index_host}:/etc/systemd/system/rbv-index@.service \
|
|
&& rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
asset/systemd/rbv-cluster.service \
|
|
${index_host}:/etc/systemd/system/rbv-cluster.service \
|
|
&& ssh ${index_host} sudo systemctl daemon-reload \
|
|
&& ssh ${index_host} sudo systemctl start --no-block rbv-index@vault.service \
|
|
&& ssh ${index_host} '(systemctl is-enabled --quiet rbv-index@vault.service || sudo systemctl enable rbv-index@vault.service)'; then
|
|
echo "rbv index deployed successfully"
|
|
else
|
|
echo "failed to deploy rbv index"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
deploy_api() {
|
|
cargo build --release
|
|
|
|
ssh ${api_host} "systemctl is-active --quiet rbv-api.service && sudo systemctl stop rbv-api.service"
|
|
if rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
--chmod '+x' \
|
|
target/release/rbv-api \
|
|
${api_host}:/usr/local/bin/rbv-api \
|
|
&& rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
asset/systemd/rbv-api.service \
|
|
${api_host}:/etc/systemd/system/rbv-api.service \
|
|
&& ssh ${api_host} sudo systemctl daemon-reload \
|
|
&& ssh ${api_host} sudo systemctl start rbv-api.service \
|
|
&& ssh ${index_host} '(systemctl is-enabled --quiet rbv-api.service || sudo systemctl enable rbv-api.service)'; then
|
|
echo "rbv api deployed successfully"
|
|
else
|
|
echo "failed to deploy rbv api"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
deploy_caption() {
|
|
cargo build --release -p rbv-caption
|
|
|
|
for unit in rbv-caption@{florence-2-base,florence-2-base-ocr,vit-gpt2}.service; do
|
|
state=$(ssh ${caption_host} "systemctl is-active ${unit} 2>/dev/null")
|
|
if [[ ${state} == "active" || ${state} == "activating" ]]; then
|
|
if ssh ${caption_host} sudo systemctl stop ${unit}; then
|
|
echo "${unit} stopped successfully"
|
|
else
|
|
echo "failed to stop ${unit}"
|
|
exit 1
|
|
fi
|
|
fi
|
|
done
|
|
if rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
--chmod '+x' \
|
|
target/release/rbv-caption \
|
|
${caption_host}:/usr/local/bin/rbv-caption \
|
|
&& rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
asset/systemd/rbv-caption@.service \
|
|
${caption_host}:/etc/systemd/system/rbv-caption@.service \
|
|
&& ssh ${caption_host} sudo systemctl daemon-reload \
|
|
&& ssh ${caption_host} sudo systemctl start --no-block rbv-caption@florence-2-base.service \
|
|
&& ssh ${caption_host} sudo systemctl start --no-block rbv-caption@florence-2-base-ocr.service \
|
|
&& ssh ${caption_host} sudo systemctl start --no-block rbv-caption@vit-gpt2.service; then
|
|
echo "rbv caption deployed successfully"
|
|
else
|
|
echo "failed to deploy rbv caption"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
deploy_ui() {
|
|
if ssh ${ui_host} sudo step certificate verify \
|
|
/etc/nginx/tls/rbv/rbv.pem \
|
|
--roots /etc/pki/ca-trust/source/anchors/root-internal.pem; then
|
|
echo 'valid cert observed'
|
|
elif rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chmod 600 \
|
|
--chown root:root \
|
|
~/.step/secrets/provisioner \
|
|
${ui_host}:/tmp/provisioner \
|
|
&& ssh ${ui_host} sudo mkdir -p /etc/nginx/tls/rbv \
|
|
&& ssh ${ui_host} sudo step ca certificate \
|
|
--force \
|
|
--provisioner lair \
|
|
--provisioner-password-file /tmp/provisioner \
|
|
--ca-url https://ca.internal \
|
|
--root /etc/pki/ca-trust/source/anchors/root-internal.pem \
|
|
--san rbv.internal \
|
|
rbv.internal \
|
|
/etc/nginx/tls/rbv/rbv.pem \
|
|
/etc/nginx/tls/rbv/key.pem \
|
|
&& ssh ${ui_host} sudo rm -f /tmp/provisioner; then
|
|
echo 'cert acquired'
|
|
else
|
|
echo 'failed to acquire cert'
|
|
exit 1
|
|
fi
|
|
|
|
for unit in step@.{service,timer}; do
|
|
if rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
asset/systemd/${unit} \
|
|
${ui_host}:/etc/systemd/system/${unit}; then
|
|
echo "${unit} deployed successfully"
|
|
else
|
|
echo "failed to deploy ${unit}"
|
|
exit 1
|
|
fi
|
|
done
|
|
ssh ${ui_host} "
|
|
sudo systemctl daemon-reload
|
|
if ! systemctl is-enabled --quiet step@rbv.timer; then
|
|
if sudo systemctl enable step@rbv.timer; then
|
|
echo 'step@rbv.timer enabled'
|
|
else
|
|
echo 'failed to enable step@rbv.timer'
|
|
fi
|
|
fi
|
|
if ! systemctl is-active --quiet step@rbv.timer; then
|
|
if sudo systemctl start step@rbv.timer; then
|
|
echo 'step@rbv.timer started'
|
|
else
|
|
echo 'failed to start step@rbv.timer'
|
|
fi
|
|
fi
|
|
"
|
|
|
|
(cd ui && npm run build)
|
|
if ssh ${ui_host} sudo mkdir -p /usr/share/nginx/rbv \
|
|
&& rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
dist/ui/ \
|
|
${ui_host}:/usr/share/nginx/rbv/ \
|
|
&& rsync \
|
|
--archive \
|
|
--compress \
|
|
--rsync-path 'sudo rsync' \
|
|
--chown root:root \
|
|
asset/nginx/rbv.conf \
|
|
${ui_host}:/etc/nginx/sites-available/rbv.internal.conf \
|
|
&& ssh ${ui_host} sudo ln -sf /etc/nginx/sites-available/rbv.internal.conf /etc/nginx/sites-enabled/rbv.internal.conf \
|
|
&& ssh ${ui_host} sudo nginx -t \
|
|
&& ssh ${ui_host} sudo systemctl reload nginx; then
|
|
echo "rbv ui deployed successfully"
|
|
else
|
|
echo "failed to deploy rbv ui"
|
|
exit 1
|
|
fi
|
|
}
|
|
|
|
components=("${@}")
|
|
if [ ${#components[@]} -eq 0 ]; then
|
|
components=(api ui)
|
|
elif [ "${components[0]}" = "all" ]; then
|
|
components=(db index api ui caption)
|
|
fi
|
|
|
|
for component in "${components[@]}"; do
|
|
case ${component} in
|
|
db) deploy_db ;;
|
|
index) deploy_index ;;
|
|
api) deploy_api ;;
|
|
ui) deploy_ui ;;
|
|
caption) deploy_caption ;;
|
|
*) echo "unknown component: ${component}"; exit 1 ;;
|
|
esac
|
|
done
|